February 2020 - satosa-users

by xenophon＠irtnog.org

I want to again say "thanks" to Ioannis, Rainer, Scott, and everyone else for their help and instruction during the various IdentityPython and SATOSA meetings at TIIME this week. Chris Phillips and I were able to get a SATOSA 3.4.8 deployment working in Chris's idp-installer test bed. To that end I want to share my notes from the process, at the end of which an interested party could perform a basic, end-to-end test of the current SATOSA release using SAMLtest (https://samltest.id/) 1. I installed Ubuntu Server 18.04.1; run the following commands as root to install the prerequisites: ```sh apt update apt dist-upgrade -y apt install -y git python3-dev build-essential python3-pip libffi-dev libssl-dev xmlsec1 libyaml-dev libxml2-utils pip3 install --upgrade virtualenv virtualenv -p python3 /opt/satosa /opt/satosa/bin/pip install --upgrade pip setuptools /opt/satosa/bin/pip install SATOSA ``` This is essentially the Docker image build process, only it uses the current SATOSA release (etc.) on PyPI. 2. Copy https://github.com/IdentityPython/SATOSA/tree/v3.4.8/docker/attributemap s to /opt/satosa/attributemaps. I'm not sure this is strictly necessary as the built-in pysaml2 attribute maps should be used by default, but it's what the Docker image build process does. 3. Copy https://github.com/IdentityPython/SATOSA/tree/v3.4.8/example to /opt/satosa/etc. 4. SATOSA doesn't have a default configuration, so you must provide it yourself. ```sh cp /opt/satosa/etc/proxy_conf.yaml.example \ /opt/satosa/etc/proxy_conf.yaml cp /opt/satosa/etc/internal_attributes.yaml.example \ /opt/satosa/etc/internal_attributes.yaml cp /opt/satosa/etc/plugins/frontends/saml2_frontend.yaml.example \ /opt/satosa/etc/plugins/frontends/saml2_frontend.yaml cp /opt/satosa/etc/plugins/backends/saml2_backend.yaml.example \ /opt/satosa/etc/plugins/backends/saml2_backend.yaml cp /opt/satosa/etc/plugins/microservices/static_attributes.yaml.example \ /opt/satosa/etc/plugins/microservices/static_attributes.yaml ``` 5. You may change the proxy URL (the value of BASE in /opt/satosa/etc/proxy_conf.yaml), but it _must_ be a method plus hostname without any trailing slash or path components, e.g., `https://proxy.example.com`, not `https://proxy.example.com/` nor `https://proxy.example.com/satosa`. SATOSA must be hosted at the root of your web site. 6. Comment out the `idp_blacklist_file` and `disco_srv` settings in /opt/satosa/etc/plugins/backends/saml2_backend.yaml. 7. Generate IdP, SP, metadata signing, and web site keying material: ```sh for i in frontend backend metadata https; do openssl req -batch -x509 -nodes -days 3650 -newkey rsa:2048 \ -keyout /opt/satosa/etc/$i.key -out /opt/satosa/etc/$i.crt \ -subj /CN=proxy.example.com done ``` 8. Download the SAMLtest metadata. ```sh curl https://samltest.id/saml/sp > /opt/satosa/etc/sp.xml curl https://samltest.id/saml/idp > /opt/satosa/etc/idp.xml ``` 9. Generate the proxy metadata. (How you do this changes in future releases of SATOSA.) ```sh . /opt/satosa/bin/activate cd /opt/satosa/etc satosa-saml-metadata proxy_conf.yaml metadata.key metadata.crt --split-frontend --split-backend --dir /opt/satosa/etc xmllint --format /opt/satosa/etc/Saml2IDP_0.xml > /opt/satosa/etc/proxy-idp.xml xmllint --format /opt/satosa/etc/Saml2_0.xml > /opt/satosa/etc/proxy-sp.xml ``` 10. Edit the proxy metadata files to remove the `<ns1:Signature>` element, else SAMLtest will be unable to load them due to an invalid signature. 11. Upload the proxy metadata to SAMLtest (https://samltest.id/upload.php) 12. SAMLtest doesn't release the eduPerson Targeted ID attribute, so you'll need to change the last three lines of /opt/satosa/etc/internal_attributes.yaml to the following (and before anyone says anything, NEVER USE AN EMAIL ADDRESS AS AN IDENTIFIER---this is just a quick hack to get SATOSA working): ``` hash: [mail] user_id_from_attrs: [mail] user_id_to_attr: mail ``` 13. Start SATOSA: ```sh . /opt/satosa/bin/activate cd /opt/satosa/etc gunicorn -b0.0.0.0:443 --keyfile https.key --certfile https.crt satosa.wsgi:app ``` 14. At this point you should be able to perform an IdP test (https://samltest.id/start-idp-test/) by specifying the entity ID of the proxy's front end, e.g., https://example.com/Saml2IDP/proxy.xml. The SAMLtest SP will request authentication by your proxy IdP, causing your proxy SP to request authentication by the SAMLtest IdP. If everything works right, you will end up back at the SAMLtest SP: SAMLtest SP ---AuthnRequest---> SATOSA front end (IdP)/back end (SP) ---AuthnRequest---> SAMLtest IdP SAMLtest SP <---AuthnResponse--- SATOSA front end (IdP)/back end (SP) <---AuthnResponse--- SAMLtest IdP I hope this helps other adopters. If you have any questions, please reply on list so everyone can benefit from the discussion. Best wishes, Matthew -- "The lyf so short, the craft so longe to lerne."

2 days, 16 hours

3
3
0 0

Different discovery service for different SPs

by xenophon＠irtnog.org

Dear all, Is it possible to use a different discovery service depending on the SP that sent a SAML AuthnRequest to SATOSA, or do I have to do that in the discovery service's frontend somehow? Best wishes, Matthew -- "The lyf so short, the craft so longe to lerne."

3 months

3
3
0 0

SATOSA Single Logout Service

by ferdy.mul＠ncr.nstda.or.th

Hi SATOSA users, Currently, we are working on SSO project which is Zoom SSO service. We use SATOSA proxy in order to connect with our identity federation (one-to-many type), and we have already implemented single sign-on (SSO) service and it's working, however we still require single logout service (SLO). We couldn't find any SATOSA configuration regarding to SLO from SATOSA documentation. Without SLO, although user has already selected and clicked log out from Zoom, the session still there, otherwise user requires to clear the browser cache. Could you explain to us, how to implement SLO in SATOSA? Thank you. ---------------- Best regards, Mr. Ferdy Mulyadi Research Assistant Internet Innovation Research Team (INO - CNWRG) National Electronics and Computer Technology Center (NECTEC) National Science and Technology Department Agency (NSTDA) Thailand Science Park (TSP) - 112 Phaholyothin Rd., Khlong Nueng, Khlong Luang Pathum Thani, THAILAND ________________________________ Disclaimer: This e-mail and any files transmitted with it may contain confidential and proprietary information of the National Science and Technology Development Agency (NSTDA), Thailand. They are intended solely for the use of the addressed individuals or entities. If you are not the intended recipient, you are required to immediately delete this e-mail and its contents from your system. Any disclosure, distribution, or action based upon the contents of this e-mail is strictly prohibited. Any views or opinions presented in this e-mail are solely those of the sender and do not necessarily represent those of NSTDA. NSTDA does not accept any responsibility for the content of this message or the consequences of any actions taken on the basis of the information provided. NSTDA accepts no liability for any damage caused by any virus or malware which may be inserted in this e-mail during transmission.

5 years, 11 months

2
1
0 0

FW: SATOSA Single Logout Service

by ferdy.mul＠ncr.nstda.or.th

Resend. From: Ferdy Mulyadi <ferdy.mul at ncr.nstda.or.th> Sent: Selasa, 04 Februari 2020 10.15 To: 'satosa-users at lists.sunet.se' <satosa-users at lists.sunet.se> Subject: SATOSA Single Logout Service Hi SATOSA users, Currently, we are working on SSO project which is Zoom SSO service. We use SATOSA proxy in order to connect with our identity federation (one-to-many type), and we have already implemented single sign-on (SSO) service and it's working, however we still require single logout service (SLO). We couldn't find any SATOSA configuration regarding to SLO from SATOSA documentation. Without SLO, although user has already selected and clicked log out from Zoom, the session still there, otherwise user requires to clear the browser cache. Could you explain to us, how to implement SLO in SATOSA? Thank you. ---------------- Best regards, Mr. Ferdy Mulyadi Research Assistant Internet Innovation Research Team (INO - CNWRG) National Electronics and Computer Technology Center (NECTEC) National Science and Technology Department Agency (NSTDA) Thailand Science Park (TSP) - 112 Phaholyothin Rd., Khlong Nueng, Khlong Luang Pathum Thani, THAILAND ________________________________ Disclaimer: This e-mail and any files transmitted with it may contain confidential and proprietary information of the National Science and Technology Development Agency (NSTDA), Thailand. They are intended solely for the use of the addressed individuals or entities. If you are not the intended recipient, you are required to immediately delete this e-mail and its contents from your system. Any disclosure, distribution, or action based upon the contents of this e-mail is strictly prohibited. Any views or opinions presented in this e-mail are solely those of the sender and do not necessarily represent those of NSTDA. NSTDA does not accept any responsibility for the content of this message or the consequences of any actions taken on the basis of the information provided. NSTDA accepts no liability for any damage caused by any virus or malware which may be inserted in this e-mail during transmission.

5 years, 11 months

2
1
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

satosa-users February 2020