Discussion:
idp cluster setup
Jacquet, Frederic
2009-06-10 15:39:53 UTC
Hello

I am reading the wiki for IdP cluster setup and ask myself whether Terracotta 2.7.3 is still mandatory.

Could I replace this with a JBoss cluster?

Thanks in advance

fred

________________________________

Frederic Jacquet- Unix Administrator
Tel: +41 21 618 02 31

frederic.jacquet-ixGsXn+***@public.gmane.org <mailto:frederic.jacquet-ixGsXn+***@public.gmane.org>



IMD
Ch. de Bellerive 23, P.O. Box 915
CH - 1001 Lausanne, Switzerland
www.imd.ch <http://www.imd.ch>
Timothy Mori
2009-06-10 20:15:34 UTC
I've looked over as many example configurations as I can find, but there's a point in each of them that boils down to "send this information to your IDP provider". Well, what if I am the IDP provider?

I'm trying to set up a local authentication system using a database lookup and it works, but getting it integrated with ezproxy isn't too clear.

The documentation on the ezproxy site has a number of required parameters.

There's an EZProxyEntityID, so I have this set to my ezproxy server, e.g. https://myhost.domain.edu:2433/. The file for the metadata, which I edited to include the entityID, is in the ezproxy install directory.

The major issue I'm having is that ezproxy doesn't appear to know where to obtain the SSO service. The documentation states to use your IDPEntityID, which I have tried, https://myhost.domain.edu/idp/shibboleth, and variations.

Each time ezproxy reports the following error:

2009-06-10 15:57:17 Unable to locate SSO Location for https://myhost.domain.edu/idp/Shibboleth/SSO
2009-06-10 15:57:17 Shibboleth IDP20 entity not found: https://shibdev.lib.ncsu.edu/idp/Shibboleth/SSO

Another part of the documentation has to do with the Assertion Consumer Service URLs that are created by EZproxy. There seems to be something you need to do with these and then recreate a metadata file for EZproxy, but I can't find anything about this.

If anyone has any ideas, I'd appreciate hearing them.

Thanks,


Timothy S. Mori
Systems Librarian for Enterprise Operations
IT Department
North Carolina State University Libraries
Campus Box 7111
Raleigh, NC 27695-7111
Scott Cantor
2009-06-10 23:12:53 UTC
Post by Timothy Mori
I've looked over as many example configurations as I can find, but there's a
point in each of them that boils down to "send this information to your IDP
provider". Well, what if I am the IDP provider?
That doesn't change the statement. For this to work, you have to exchange
SAML metadata. If you don't know what that entails, you'd have to look at
examples and/or read specs because that's all we have at the moment.
Post by Timothy Mori
The documentation on the ezproxy site has a number of required parameters.
There's an EZProxyEntityID, so I have this set to my ezproxy server,
e.g. https://myhost.domain.edu:2433/ The file for the metadata, which I
edited to include the entityID is in the ezproxy install directory.
Stylistically, that's not a great ID to use, but ultimately it doesn't
matter. I suggest you read this, though:

https://spaces.internet2.edu/display/SHIB2/EntityNaming
Post by Timothy Mori
The major issue I'm having is that ezproxy doesn't appear to know where
to obtain the SSO service.
2009-06-10 15:57:17 Unable to locate SSO Location for https://myhost.domain.edu/idp/Shibboleth/SSO
2009-06-10 15:57:17 Shibboleth IDP20 entity not found: https://shibdev.lib.ncsu.edu/idp/Shibboleth/SSO
Presumably you failed to give it your IdP's metadata. Beyond that, its
documentation needs to describe how to supply it with metadata, or the
decomposed equivalent if it doesn't support the metadata spec in some
fashion.
Post by Timothy Mori
Another part of the documentation has to do with the Assertion Consumer
Service URLs that are created by EZproxy. There seems to be something you
need to do with these and then recreate a metadata file for EZproxy, but I
can't find any thing about this.
That's part of what's in the SP's metadata (in this case Ezproxy) and that's
what you have to supply to the IdP to prevent failures at that end.

-- Scott
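The lookup behind the "Unable to locate SSO Location" error quoted above, as an added example that is neither from this thread nor EZproxy's own code: given the IdP metadata EZproxy was handed and the entityID from the IDP20 line, find that IdP's SAML 2 SingleSignOnService endpoints. The metadata document, entityID and hostnames are constructed placeholders; the match on entityID is exact, so a variation of the name finds nothing.

```python
# Added example (not from the thread or EZproxy): resolve an IdP entityID to its
# SAML 2 SSO endpoints from a metadata file. All names below are placeholders.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata (a federation aggregate with one IdP in it).
IDP_METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="{REDIRECT}"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="{POST}"
          Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def sso_locations(metadata_xml, entity_id):
    """Return {binding: location} for the IdP named by entity_id.

    An empty dict means either the entity is not in the metadata at all
    (the 'IDP20 entity not found' case) or it has no https SSO endpoint
    (the 'Unable to locate SSO Location' case). The entityID comparison is
    an exact string match, so 'variations' of the name do not resolve.
    """
    root = ET.fromstring(metadata_xml)
    # Element.iter() includes the root itself, so a bare EntityDescriptor works too.
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        return {sso.get("Binding"): sso.get("Location")
                for sso in ed.iter(f"{{{MD}}}SingleSignOnService")
                if sso.get("Location", "").startswith("https://")}
    return {}
```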
Timothy Mori
2009-06-11 13:23:12 UTC
Scott,

Thanks for the info. In what has become an annoying trend, I figured this out about 10 minutes after sending this message. I must have been misinterpreting the documentation with respect to the metadata files.

I acquired my IdP metadata and referenced that in the EZProxy configuration and then it started working. My only point about being the IdP provider is that there's very little documentation on how to configure the IdP side of things. I had to add relying party information and configure the ezproxy metadata, but this was kind of a shot in the dark.

I'll check out the info on entity naming as well. Most examples seem to have a registered name.

Tim
Scott Cantor
2009-06-11 14:41:31 UTC
Post by Timothy Mori
I acquired my IdP metadata and referenced that in the EZProxy configuration
and then it started working. My only point about being the IdP provider is
that there's very little documentation on how to configure the IdP side of
things. I had to add relying party information and configure the ezproxy
metadata, but this was kind of a shot in the dark.
I wouldn't expect EZProxy to document that part, but if they don't have any
examples of metadata to use, or how to come up with the metadata for it,
that would leave you without much to go on apart from
https://spaces.internet2.edu/display/SHIB2/IdPRelyingParty

Note that in general, what you add is metadata. That's it. People seem to be
constantly adding RelyingParty definitions to the IdP and that's rarely if
ever required.

-- Scott
Timothy Mori
2009-06-11 15:15:48 UTC
Scott,

Thanks again. I think I went down the relying party path because one of the first error messages I saw, either in the browser or in the idp-process.log indicated a problem with relying party information. However, at the same time I added the relying party block, I added the metadata block, and since it worked, I assumed I needed both.

After removing the relying party info, I see it all still works. I'm trying to document this as I go along, so hopefully I can get someone at OCLC to include this side of things, even if only for informational purposes.

Tim
Michael J. Wheeler
2009-06-11 15:34:32 UTC
Tim,

I would be very interested in some documentation on how you made it all
work. At some point (hopefully soon), we are going to switch EZProxy from
using LDAP Authentication to using Shib with our local IdP.
--
Michael J. Wheeler
Assistant Director, Systems and Networking
Pittsburg State University
Phone: 620-235-4610
Peter Schober
2009-06-15 08:27:40 UTC
Post by Michael J. Wheeler
I would be very interested in some documentation on how you made it all
work. At some point (hopefully soon), we are going to switch EZProxy from
using LDAP Authentication to using Shib with our local IdP.
I just followed the EZproxy docs (SAML2 only), it's all in there.
First activate SSL:
http://www.oclc.org/support/documentation/ezproxy/cfg/ssl/default.htm
Then configure SAML/Shib support:
http://www.oclc.org/support/documentation/ezproxy/usr/shibboleth.htm
-peter
Peter Schober
2009-06-15 08:29:35 UTC
Post by Peter Schober
I just followed the EZproxy docs (SAML2 only)
That should have been "I only tested with SAML2",
-peter
Franck Borel
2009-06-17 07:18:16 UTC
Hi Michael,
Post by Michael J. Wheeler
I would be very interested in some documentation on how you made it
all work. At some point (hopefully soon), we are going to switch
EZProxy from using LDAP Authentication to using Shib with our local
IdP.
I just upgraded our EZProxy to let it speak SAML 2. Here is an example of
how you should configure your EZProxy:

EZProxy
=======

config.txt
------------
..
# Proxy by Hostname
Interface <IP adress>
LoginPort 80
LoginPortSSL 443
Interface ANY
LoginPort 2048
Option ProxyByHostname
Option IgnoreWildcardCertificate

RunAs ezproxy:users

Option SafariCookiePatch

MaxVirtualHosts 2000
MaxLifetime 60
MaxSessions 1000
MaxConcurrentTransfers 500

LogFormat %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"
LogFile -strftime /opt/ezproxy-5.1c/log/ezproxy%Y%W.log
LogSPU -strftime /opt/ezproxy-5.1c/log/spu%Y%W.log %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"

Audit Most
AuditPurge 4

ShibbolethMetadata \
-EntityID=https://example.proxy.org/shibboleth-ezproxy \
-File=YOUR-metadata.xml \
-Cert=3

Group databaseuser
..

shibuser.txt
----------------

If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.7, "urn:mace:dir:entitlement:common-lib-terms");
Group +databaseuser

If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.7,"urn:example:admin");
Admin

user.txt
----------
::Shibboleth
IDP20 https://example.org/idp
/Shibboleth

---------


Here is an example for the metadata of the EZProxy:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.proxy.org/shibboleth-ezproxy">
  <!-- entityID must equal the ShibbolethMetadata -EntityID in config.txt -->
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>example.org</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=example.org,C=US,ST=Ohio,L=Blabla,OU=Blablablub,O=Blablablubblub</ds:X509SubjectName>
          <ds:X509Certificate>
            YOUR CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>example.org</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=example.org,C=US,ST=Ohio,L=Blabla,OU=Blablablub,O=Blablablubblub</ds:X509SubjectName>
          <ds:X509Certificate>
            YOUR CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.org/Shibboleth.sso/SAML2/POST"
        index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://example.org/Shibboleth.sso/SAML/POST"
        index="2"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="de">Blablablublub</OrganizationName>
    <OrganizationDisplayName xml:lang="de">blabla</OrganizationDisplayName>
    <OrganizationURL xml:lang="de">http://example.org</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Mr.</GivenName>
    <SurName>Spok</SurName>
    <EmailAddress>spok-***@public.gmane.org</EmailAddress>
  </ContactPerson>
</EntityDescriptor>



Hope this helps.


-- Franck
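An added check, not part of Franck's post or of EZproxy, for the SP metadata above before it is registered at the IdP: the entityID must equal the ShibbolethMetadata -EntityID from config.txt, each X509Certificate must hold a real base64 DER certificate rather than the "YOUR CERTIFICATE" placeholder, and every AssertionConsumerService needs an https Location. The sample metadata and all names in it are constructed placeholders.

```python
# Added example (not from the thread or EZproxy): sanity-check EZproxy SP
# metadata before registering it at the IdP. All names below are placeholders.
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed SP metadata that still carries the certificate placeholder.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://example.proxy.org/shibboleth-ezproxy">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YOUR CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.proxy.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def is_der_certificate(text):
    """True if text is base64 whose decoding starts with a DER SEQUENCE (0x30),
    as every X.509 certificate does; rejects placeholders like 'YOUR CERTIFICATE'."""
    body = "".join((text or "").split())  # PEM-style line wrapping is allowed
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return der[:1] == b"\x30"

def check_sp_metadata(xml_text, expected_entity_id):
    """Return a list of problems; an empty list means the file is ready for the IdP."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID {root.get('entityID')!r} does not match -EntityID")
    certs = list(root.iter(f"{{{DS}}}X509Certificate"))
    if not certs or not all(is_der_certificate(c.text) for c in certs):
        problems.append("X509Certificate missing or still a placeholder")
    acs = list(root.iter(f"{{{MD}}}AssertionConsumerService"))
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for a in acs:
        if not a.get("Location", "").startswith("https://"):
            problems.append(f"ACS index {a.get('index')} is not https")
    return problems
```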
Peter Schober
2009-06-17 09:51:59 UTC
Post by Franck Borel
I just upgrade our EZProxy to let him speak SAML 2. Here is an
[...]

If you're using federation supplied metadata (describing the IdPs that
you work with) be sure to check the metadata against a signing public
key, as mentioned in the docs:

# http://www.oclc.org/us/en/support/documentation/ezproxy/usr/shibboleth.htm
ShibbolethMetadata \
-EntityID=http://ezproxy.example.edu/saml2 \
-File=federation-metadata.xml \
-Cert=1 \
-URL=https://federation.example.org/federation-metadata.xml \
-URLValidate=federation-metadata-signing.crt
EZproxy generates its own metadata from the admin screen ("Manage
Shibboleth"); you just need to add the entityId for ezproxy to that
XML file, as per the docs.
-peter
