RE: mod_auth_saml and certificates



Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS] wrote:
> Since I'm not sure what really went wrong since this installation is
> non-standard, I'm at a bit of a loss as to what the issue was.  If I had
> to guess, it was the Apache package installing the library files in its
> own directory while the linker is looking elsewhere for the libraries,
> possibly trying to link against Apple's Apache libraries.  I may
> investigate further on the next compilation - there's considerable
> pressure to keep plowing along at this time though.

I understand.

> This is the first time I've tried to get SAML working and I don't really
> know the plumbing quite yet so I can't really comment on the attribute

One goal of ZXID is that you should not have to know the SAML details.

> query feature.  In our setup it seems that there's at least *some kind* of
> configuration on the IdP server for mapping LDAP attributes to application
> variables.  I'll be in contact with the IdP server guys - maybe they can
> shed some light on what's available.

I am very interested to get such "from the trenches" feedback.

Cheers,
--Sampo

> Thanks for your help!
>
> -Thomas
>
> -----Original Message-----
> From: sampo@xxxxxxxxxxx [mailto:sampo@xxxxxxxxxxx]
> Sent: Thursday, October 22, 2009 5:01 PM
> To: Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS]
> Cc: sampo@xxxxxxxxxxx; zxid.user@xxxxxxxxxxxxx
> Subject: RE: mod_auth_saml and certificates
>
> Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS] wrote:
>> Bleh, I forgot about the various sandboxing/chrooting I was doing to the
>> system from Apache.  Once I took this into account it's working just
>> fine - as far as I can tell :).
>>
>> As for the IdP, I'm not entirely sure since I didn't set it up - might be
>> the SUN One IdP or it could be a completely different beast.
>>
>> Attached is a trick I used to compile apachezxid for a non-standard Apache
>> installation on OS X (x86), maybe it'll come in handy for somebody else.
>> I figured that one out a while back after Googling for a long time.
>
> I realize that you explicitly claim that your setup is "non-standard",
> but if you possibly can generalize the fix so it could appear in
> the TARGET=macosx section of the Makefile, I will include your
> patch in the distribution.
>
>> I've now updated to 0.38 and I believe the changelog states that the
>> Attribute Broker has been implemented, correct?  Is there some updated
>> documentation available that describes how to configure this on the ZXID
>> side?
>
> The Attribute Broker, PEP (XACML Policy Enforcement Point) and
> local PDP features are extensively described in
> zxid-conf.pd (http://zxid.org/html/zxid-conf.html)
> section 4 ZXID Attribute Broker (ZXAB): the relevant config
> directives are NEED, WANT, ATTRSRC (still a stub), INMAP, and OUTMAP;
> and in section 5 ZXID XACML PEP: the relevant config directives
> are LOCALPDP_ROLE_PERMIT, LOCALPDP_ROLE_DENY, LOCALPDP_IDPNID_PERMIT,
> LOCALPDP_IDPNID_DENY, PEPMAP, and PDP_URL. You may want to study
> the zxidconf.h for default values of NEED, WANT, and PEPMAP.
>
> In order to not oversell the current state of the art, I must
> note that the attribute "broker" is only able to get and translate (map)
> the attributes from the SSO SAML Assertion (A7N). Plan is to add
> local filesystem based attribute provider (database or LDAP based
> local providers would be nice, contributions welcome) and some form
> of web service based attribute query (ID-DAP or SAML Attribute
> Requester - feedback about which is more demanded is welcome).
>
> Cheers,
> --Sampo
>
>> -Thomas
>>
>> -----Original Message-----
>> From: sampo@xxxxxxxxxxx [mailto:sampo@xxxxxxxxxxx]
>> Sent: Thursday, October 22, 2009 1:15 PM
>> To: Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS]
>> Cc: zxid.user@xxxxxxxxxxxxx
>> Subject: Re: mod_auth_saml and certificates
>>
>> Beaman, Thomas J. (ARC-IO)[PEROT SYSTEMS] wrote:
>>> Hi Sampo,
>>> I've been trying to set up ZXID's mod_auth_saml on an OS X server. The
>>> EntityDescriptor XML doesn't seem to contain the public X.509 cert.
>>
>> The metadata (the URL ending in o=B) will not have certificates if
>> none actually were available. Thus visualizing the metadata in
>> a browser is a good way to check whether it is finding the certs. So
>> it is a feature ;-)
>>
>>> Does mod_auth_saml use the cert from /var/zxid/pem/ssl-nopw-cert.pem?
>>
>> The certs for metadata live in files
>>
>> /var/zxid/pem/sign-nopw-cert.pem
>> /var/zxid/pem/enc-nopw-cert.pem
>>
>> In more recent versions (current is 0.38, which version were you using?)
>> ZXID will automatically generate self-signed certs if the certs are
>> not installed yet. However it may fail to write them to the filesystem
>> due to a permissions problem. You should check that the user as which
>> Apache runs can indeed read from and write to the /var/zxid/pem directory.
>>
>> If you want to use officially issued certificates, you will of course
>> need to place them in the two files mentioned. Please note that the
>> files should be a concatenation of the certificate and the private key. Due
>> to this and the practice of not using a password on the private keys
>> you should pay attention to protecting these files with filesystem
>> permissions - the caveat is that if you protect too well then
>> even the apache process can't read them. Recommended permissions are
>>
>>   chown APACHEUSER /var/zxid/pem
>>   chmod -R 02750 /var/zxid/pem
>>
>> where APACHEUSER is the distribution-dependent user account used to
>> run the apache process. You can do `ps axu | grep httpd` to see
>> what user apache runs as.
>>
>> Cheers,
>> --Sampo
>>
>> P.S. Out of curiosity, which IdP are you using?
>>
>>> How do I get this to show up in the EntityDescriptor XML file?
>>>
>>> Thanks,
>>>   Thomas
>>> ______________________
>>> Thomas Beaman
>>> Business Systems Group
>>> Perot Systems Contractor @
>>> NASA Ames Research Center
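
Two checks from this thread lend themselves to a small script: whether the SP metadata served at the o=B URL actually carries signing and encryption certificates (Sampo's "visualize the metadata in a browser" check), and whether the two files under /var/zxid/pem, each a certificate followed by an unencrypted private key, are readable by the Apache user without being readable or writable by everyone else. The Python below is an added example written for this page; it is not code from ZXID, mod_auth_saml or anyone in the thread. The metadata snippets are constructed, the base64 certificate body is a placeholder, and the uid/gid values in the usage are assumptions. The permission rules applied are the ordinary Unix owner/group/other bits; the 02750 recommendation above passes them.

```python
"""Sanity checks for a ZXID SP's certificate files and published metadata.

Added example for this page; not part of ZXID or mod_auth_saml.
"""
import os
import re
import stat
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# The two files named in the thread. Each holds the certificate followed by
# an unencrypted private key, so their permissions matter.
PEM_FILES = ("sign-nopw-cert.pem", "enc-nopw-cert.pem")

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----")
KEY_RE = re.compile(r"-----BEGIN (?:RSA |DSA |EC )?PRIVATE KEY-----")


def classify_pem(text):
    """Count certificate and private-key blocks in PEM text."""
    return {"certs": len(CERT_RE.findall(text)), "keys": len(KEY_RE.findall(text))}


def check_mode(mode, owner_uid, owner_gid, apache_uid, apache_gids):
    """Judge a key file's mode and ownership against the Apache worker identity.

    Returns a list of findings. Empty means the Apache user can read the file
    and no account outside owner/group can read or modify it.
    """
    if apache_uid == owner_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif owner_gid in apache_gids:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    findings = []
    if not readable:
        findings.append("not readable by the Apache user: ZXID cannot load it")
    if mode & stat.S_IROTH:
        findings.append("world-readable: the private key is exposed to every local account")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others: the key pair could be swapped")
    return findings


def check_pem_dir(pem_dir, apache_uid, apache_gids):
    """Apply check_mode and classify_pem to the files ZXID expects in pem_dir."""
    report = {}
    for name in PEM_FILES:
        path = os.path.join(pem_dir, name)
        if not os.path.exists(path):
            # ZXID self-generates these; the directory itself must then be writable.
            report[name] = ["missing: ZXID will try to generate it, so the directory must be writable"]
            continue
        st = os.stat(path)
        findings = check_mode(st.st_mode, st.st_uid, st.st_gid, apache_uid, apache_gids)
        with open(path) as fh:
            blocks = classify_pem(fh.read())
        if blocks["certs"] == 0:
            findings.append("no CERTIFICATE block in file")
        if blocks["keys"] == 0:
            findings.append("no PRIVATE KEY block in file")
        report[name] = findings
    return report


def metadata_cert_uses(xml_text):
    """Count X509Certificate elements per KeyDescriptor use in SP metadata.

    Zero for either use is the symptom from the thread: no cert was found on
    disk, so none was published. Parse metadata fetched from untrusted
    sources with defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    uses = {"signing": 0, "encryption": 0}
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        n = sum(1 for _ in kd.iter("{%s}X509Certificate" % DS_NS))
        use = kd.get("use")
        if use is None:  # no use attribute: the key serves both purposes
            uses["signing"] += n
            uses["encryption"] += n
        else:
            uses[use] = uses.get(use, 0) + n
    return uses


# Constructed metadata samples (not real ZXID output); the base64 is a placeholder.
SP_METADATA_WITH_CERTS = """<m:EntityDescriptor xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/zxid?o=B">
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <m:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor>
    <m:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor>
  </m:SPSSODescriptor>
</m:EntityDescriptor>"""

SP_METADATA_NO_CERTS = """<m:EntityDescriptor xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/zxid?o=B">
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</m:EntityDescriptor>"""


if __name__ == "__main__":
    print("with certs:", metadata_cert_uses(SP_METADATA_WITH_CERTS))
    print("no certs:  ", metadata_cert_uses(SP_METADATA_NO_CERTS))
    # On a real install, run this as the Apache user (or pass its uid/gids).
    if os.path.isdir("/var/zxid/pem"):
        print(check_pem_dir("/var/zxid/pem", os.getuid(), set(os.getgroups())))
```

Run it as the Apache user against a live install and any non-empty list in the report is the reason the metadata has no KeyDescriptor; fetch the o=B URL and feed the body to metadata_cert_uses to confirm the fix took effect.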