
RE: mod_auth_saml and certificates
Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS] wrote:
> Bleh, I forgot about the various sandboxing/chrooting I was doing to the
> system from Apache.  Once I took this into account it's working just fine
> - as far as I can tell :).
>
> As for the IdP, I'm not entirely sure since I didn't set it up - might be
> the SUN One IdP or it could be a completely different beast.
>
> Attached is a trick I used to compile apachezxid for a non-standard apache
> installation on OS-X (x86), maybe it'll come in handy for somebody else.
> I figured that one out a while back and Googling for a long time.

I realize that you explicitly claim that your setup is "non-standard",
but if you possibly can generalize the fix so it could appear in
the TARGET=macosx section of the Makefile, I will include your
patch in the distribution.

> I've now updated to 0.38 and I believe the changelog states that the
> Attribute Broker has been implemented, correct?  Is there some updated
> documentation available that describes how to configure this on the ZXID
> side?

The Attribute Broker, PEP (XACML Policy Enforcement Point) and
local PDP features are extensively described in
zxid-conf.pd (http://zxid.org/html/zxid-conf.html)
section 4 ZXID Attribute Broker (ZXAB): the relevant config
directives are NEED, WANT, ATTRSRC (still a stub), INMAP, and OUTMAP;
and in section 5 ZXID XACML PEP: the relevant config directives
are LOCALPDP_ROLE_PERMIT, LOCALPDP_ROLE_DENY, LOCALPDP_IDPNID_PERMIT,
LOCALPDP_IDPNID_DENY, PEPMAP, and PDP_URL. You may want to study
the zxidconf.h for default values of NEED, WANT, and PEPMAP.

In order to not oversell the current state of the art, I must
note that the attribute "broker" is only able to get and translate (map)
the attributes from the SSO SAML Assertion (A7N). The plan is to add a
local filesystem-based attribute provider (database- or LDAP-based
local providers would be nice, contributions welcome) and some form
of web-service-based attribute query (ID-DAP or SAML Attribute
Requester - feedback about which is more demanded is welcome).

Cheers,
--Sampo

> -Thomas
>
> -----Original Message-----
> From: sampo@xxxxxxxxxxx [mailto:sampo@xxxxxxxxxxx]
> Sent: Thursday, October 22, 2009 1:15 PM
> To: Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS]
> Cc: zxid.user@xxxxxxxxxxxxx
> Subject: Re: mod_auth_saml and certificates
>
> Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS] wrote:
>> Hi Sampo,
>>   I've been trying to set up ZXID's mod_auth_saml on an OS X server.
>> The EntityDescriptor XML doesn't seem to contain the public x.509 cert.
>
> The metadata (the URL ending in o=B) will not have certificates if
> none actually were available. Thus visualizing the metadata in
> a browser is a good way to check whether it is finding the certs. So
> it is a feature ;-)
>
>> Does mod_auth_saml use the cert from /var/zxid/pem/ssl-nopw-cert.pem?
>
> The certs for metadata live in files
>
> /var/zxid/pem/sign-nopw-cert.pem
> /var/zxid/pem/enc-nopw-cert.pem
>
> In more recent versions (current is 0.38, which version were you using?)
> ZXID will automatically generate self-signed certs if the certs are
> not installed yet. However, it may fail to write them to the filesystem
> due to a permissions problem. You should check that the user as which
> Apache runs can indeed read from and write to the /var/zxid/pem directory.
>
> If you want to use officially issued certificates, you will of course
> need to place them in the two files mentioned. Please note that the
> files should be a concatenation of the certificate and the private key. Due
> to this and the practice of not using passwords on the private keys,
> you should pay attention to protecting these files with filesystem
> permissions - the caveat is that if you protect too well, then
> even the apache process can't read them. Recommended permissions are
>
>   chown APACHEUSER /var/zxid/pem
>   chmod -R 02750 /var/zxid/pem
>
> where APACHEUSER is the distribution-dependent user account used to
> run the apache process. You can do `ps axu | grep httpd' to see
> what user apache runs as.
>
> Cheers,
> --Sampo
>
> P.S. Out of curiosity, which IdP are you using?
>
>> How do I get this to show up in the EntityDescriptor XML file?
>>
>> Thanks,
>>   Thomas
>> ______________________
>> Thomas Beaman
>> Business Systems Group
>> Perot Systems Contractor @
>> NASA Ames Research Center
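
The quoted advice about the two concatenated cert+key files, the `chown`/`chmod -R 02750` recommendation, and the note that the o=B metadata simply omits certificates it could not find can all be turned into a quick defender-side check. The script below is an added example, not code from this thread or from the ZXID project. The file names `sign-nopw-cert.pem` and `enc-nopw-cert.pem` and the `/var/zxid/pem` layout are those the message gives; the sample directory, the placeholder PEM contents and the metadata snippet are constructed so the script runs offline, and the Apache user name is passed in as an argument because, as the message says, it is distribution dependent.

```shell
#!/bin/sh
# Added example (not from the thread or the ZXID project): verify that the
# ZXID pem directory and its two concatenated cert+key files look the way
# the quoted message recommends, and count the certificates that a saved
# copy of the o=B metadata actually advertises. Sample data is constructed.

# Prints the "other" permission bits (chars 8-10 of `ls -l` output) for a path.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_pem_file FILE: succeeds only if FILE holds a certificate block AND a
# private key block (cert + key concatenated) and grants nothing to "others",
# since the key is stored without a password.
check_pem_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "no certificate block in $f"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" \
        || { echo "no private key block in $f (file must be cert + key)"; return 1; }
    [ "$(other_bits "$f")" = "---" ] \
        || { echo "$f is readable by others; the key is unencrypted"; return 1; }
    echo "ok: $f"
}

# check_pem_dir DIR [OWNER]: checks the directory and both files. OWNER is the
# Apache user; it is passed in rather than guessed because it varies by distro.
check_pem_dir() {
    d="$1"; owner="$2"; rc=0
    [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
    [ "$(other_bits "$d")" = "---" ] || { echo "$d is accessible to others"; rc=1; }
    if [ -n "$owner" ]; then
        actual=$(ls -ld "$d" | awk '{print $3}')
        [ "$actual" = "$owner" ] || { echo "$d owned by $actual, expected $owner"; rc=1; }
    fi
    for name in sign-nopw-cert.pem enc-nopw-cert.pem; do
        check_pem_file "$d/$name" || rc=1
    done
    return $rc
}

# metadata_cert_count FILE: number of <ds:X509Certificate> elements in a saved
# EntityDescriptor (the o=B output). 0 means ZXID found no certs to publish.
metadata_cert_count() {
    n=$(grep -c '<ds:X509Certificate>' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# make_sample_pem_dir DIR: constructed sample with placeholder (not real) key
# material, laid out as the message describes: certificate, then private key.
make_sample_pem_dir() {
    d="$1"
    mkdir -p "$d"
    for name in sign-nopw-cert.pem enc-nopw-cert.pem; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
            '-----END CERTIFICATE-----' '-----BEGIN RSA PRIVATE KEY-----' \
            'CONSTRUCTED-PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$d/$name"
    done
    chmod -R 02750 "$d"    # the permissions recommended in the message
}

# Demo on a scratch copy. On a real server point this at /var/zxid/pem and the
# user shown by `ps axu | grep httpd`.
demo_dir=$(mktemp -d)/pem
make_sample_pem_dir "$demo_dir"
check_pem_dir "$demo_dir" "$(id -un)"   # passes: owner matches, others get nothing
chmod o+r "$demo_dir/enc-nopw-cert.pem"
check_pem_dir "$demo_dir" || echo "check failed as expected: enc-nopw-cert.pem is now world-readable"

# Constructed metadata snippet with one signing and one encryption descriptor.
meta=$(mktemp)
cat > "$meta" <<'EOF'
<md:EntityDescriptor entityID="https://sp.example.test/zxid?o=B">
  <md:SPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
echo "certificates advertised in metadata: $(metadata_cert_count "$meta")"
```

Save the real o=B output with a browser or `curl` and pass it to `metadata_cert_count`; a count of 0 combined with a failing `check_pem_dir` points at the filesystem side (missing files or a permissions problem for the Apache user), exactly the case the message describes, rather than at the IdP.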