This repository has been archived by the owner on Jan 14, 2019. It is now read-only.
moonshot
========
A Python module, usable in a Moonshot environment, that lets a FreeRADIUS
server fetch information about a user from a SAML2 Attribute Authority (AA)
or Identity Provider (IdP). Towards the AA/IdP the module acts as a SAML2
Service Provider (SP).
Some steps are the same regardless of how you want the SP to talk to the
IdP/AA (an attribute query against an AA, or ECP against an IdP); those
come first.
Dependency
----------
This package depends on pySAML2.
Get pySAML2 from Launchpad; the version on PyPI is not up to date enough.
bzr co bzr+ssh://bazaar.launchpad.net/%2Bbranch/pysaml2/
should get you the latest version.
Basic installation
------------------
A couple of changes to the FreeRADIUS configuration are necessary.
This is one way of doing it; how you choose to do it depends on your local
preferences.
1) Create raddb/modules/python.
You can use one of the provided 'template/modules_python_aa' or
'template/modules_python_ecp' files as it is. Which one depends on your
choice of using ECP or AA. Rename or copy the one you want to use to
'template/modules_python' and copy it to raddb/modules.
Regarding the configuration of the outer/inner tunnel this is still a bit
undecided. The extension module can be used in either.
2) Edit raddb/sites-available/default.
To the 'post-auth' section add one line referencing the python module.
You can see how it can be done in 'template/sites-available_default'.
3) Edit raddb/sites-available/inner-tunnel.
To the 'post-auth' section add one line referencing the python module.
You can see how it can be done in 'template/sites-available_inner-tunnel'.
Now you should have the basic FreeRADIUS setup.
To get it working you have to do a couple more things:
I) Get the SAML2 metadata for the AA or IdP you want to use. Rename it to
metadata.xml and place it in the 'etc' directory.
This metadata is what the module trusts: it carries the entityID, the
endpoints and the signing certificate of the AA/IdP, so obtain it over a
channel you trust (or verify its signature) rather than over plain HTTP.
II) Choose one of the configuration files for the extension you want to use.
There are two choices (etc/aa_config.py and etc/ecp_config.py).
Rename (or copy) the one you want to use to config.py and edit it.
You must change the value of ATTRIBUTE_AUTHORITY/IDP_ENTITYID so that it is
the identifier (entityID) of the SAML2 AA/IdP you want to use; it has to
match the entityID attribute in metadata.xml exactly, since that is how the
AA/IdP is looked up.
III) Change the pysaml2 configuration file 'etc/pysaml_config.py'.
A couple of things:
BASE: the identifier of the SP (= this module) you are running.
organization: information about the organization running this service.
contact_person: information about a person people can contact to ask about
this service.
xmlsec_binary: where the xmlsec1 binary is located (pysaml2 calls it to sign
requests and verify signatures). This is only needed if it is somewhere
outside the normal PATH.
IV) Create your own key pair.
A key and a self-signed certificate can be created with the openssl tool:
$ openssl genrsa 2048 > ssl.key
$ openssl req -new -x509 -nodes -sha256 -days 365 -key ssl.key > ssl.cert
$ sudo mv ssl.key ssl.cert /usr/local/etc/moonshot/pki
(The original instructions used a 1024-bit key and SHA-1; both are too weak
today, so use at least 2048 bits and SHA-256.) The pki directory has to
exist before the mv; create it if it does not. Keep ssl.key readable only by
the user FreeRADIUS runs as, for example mode 600, or 640 with that user's
group as group owner.
If you choose other names for your key and cert you have to change
pysaml_config.py accordingly.
V) Install the package:
python setup.py install
should put everything in its place.
One thing that might happen is that a new directory is created,
/usr/local/etc/moonshot.
You may have to change the permissions on this directory so that the user
FreeRADIUS runs as can read the files in it. Give that user access rather
than making the directory world-readable, since it holds the SP's private
key.
VI) Create the metadata file for your SP.
$ cd etc
$ make_metadata.py pysaml_config.py > sp.xml
You have to give this file to the person/organization that runs the AA/IdP
you want to get information from.
!!! That should be it !!!
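A small pre-flight check for steps I, II, IV and V, added here as an example;
it is not code from the moonshot module or from pySAML2. It assumes the layout
this README describes (the AA/IdP metadata in etc/metadata.xml, config.py
setting IDP_ENTITYID or ATTRIBUTE_AUTHORITY, the key pair under
/usr/local/etc/moonshot/pki) and uses constructed sample metadata, constructed
mode names 'aa' / 'ecp' and function names of its own. It checks the things
that most often go wrong: that the configured entityID is exactly the one in
the metadata, that the metadata actually has the SOAP endpoint the chosen mode
talks to and a signing certificate, and that ssl.key is not readable by
everyone.

```python
"""Pre-flight checks for the setup above (steps I, II, IV and V).

Added example; this is not code from the moonshot module or from pySAML2.
It assumes the layout this README describes: the AA/IdP metadata in
etc/metadata.xml, config.py setting IDP_ENTITYID or ATTRIBUTE_AUTHORITY,
and the SP key pair under /usr/local/etc/moonshot/pki.  The sample
metadata, the 'aa' / 'ecp' mode names and all function names are
constructed for the example.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Which role descriptor and which SOAP endpoint each mode needs: an
# attribute query goes to the AttributeService of an AA, an ECP
# AuthnRequest goes to the SOAP SingleSignOnService of an IdP.
MODES = {
    "aa": ("AttributeAuthorityDescriptor", "AttributeService"),
    "ecp": ("IDPSSODescriptor", "SingleSignOnService"),
}

# Constructed stand-in for etc/metadata.xml (not any real IdP's metadata).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...signing-cert-base64...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...signing-cert-base64...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Parse one EntityDescriptor; reject aggregates (md:EntitiesDescriptor)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor, got %s" % root.tag)
    return root


def soap_endpoints(root, mode):
    """Locations of the SOAP endpoint this mode talks to (may be empty)."""
    role, service = MODES[mode]
    return [
        ep.get("Location")
        for desc in root.findall("md:" + role, NS)
        for ep in desc.findall("md:" + service, NS)
        if ep.get("Binding") == SOAP_BINDING
    ]


def signing_certs(root, mode):
    """Base64 bodies of the certificates usable to verify signatures.
    A KeyDescriptor without a 'use' attribute is valid for both signing
    and encryption, so it counts as well."""
    role = MODES[mode][0]
    certs = []
    for kd in root.findall("md:%s/md:KeyDescriptor" % role, NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    return certs


def check_metadata(xml_text, configured_entity_id, mode):
    """Return the list of problems; empty means config and metadata agree."""
    problems = []
    root = parse_metadata(xml_text)
    entity_id = root.get("entityID")
    # The AA/IdP is looked up by entityID, so the value in config.py must be
    # byte-for-byte the entityID attribute of the metadata.
    if entity_id != configured_entity_id:
        problems.append("entityID mismatch: config=%r metadata=%r"
                        % (configured_entity_id, entity_id))
    if not soap_endpoints(root, mode):
        problems.append("metadata has no SOAP %s for mode %r"
                        % (MODES[mode][1], mode))
    if not signing_certs(root, mode):
        problems.append("metadata carries no signing certificate; "
                        "signed responses could not be verified")
    return problems


def check_private_key(path):
    """Problems with the SP private key file: it must exist, be a regular
    file, and not be accessible by 'other' or writable by the group."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc)]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        problems.append("%s is world-accessible (mode %04o)" % (path, mode))
    if mode & stat.S_IWGRP:
        problems.append("%s is group-writable (mode %04o)" % (path, mode))
    return problems


def write_constructed_key(mode):
    """Create an empty stand-in for ssl.key with the given permission bits
    (constructed fixture only; returns its path)."""
    fd, path = tempfile.mkstemp(prefix="ssl-", suffix=".key")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for m in MODES:
        print(m, check_metadata(SAMPLE_METADATA,
                                "https://idp.example.org/idp/shibboleth", m))
    print(check_private_key(write_constructed_key(0o644)))
```

To run it against the real files, read etc/metadata.xml and the entityID from
config.py into check_metadata and pass the real key path to
check_private_key; an empty list from both means the configuration is
consistent. The check only understands metadata for a single entity; if the
AA/IdP hands out a federation aggregate (md:EntitiesDescriptor), cut out the
one EntityDescriptor you need first.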