=======================
salt-formula-shibboleth
=======================
4
Shibboleth is among the world's most widely deployed federated identity solutions, connecting users to applications both within and between organizations. This formula manages the Shibboleth Service Provider daemon (``shibd``) and renders its ``shibboleth2.xml`` configuration from pillar data.
6
7Sample pillars
8==============
9
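.. code-block:: yaml

    shibboleth:
      server:
        enabled: true
        app:
          # SP entityID as registered at the IdP; the IdP compares it exactly.
          entity_id: http://${_param:proxy_vip_address_public}:5000
          # Boolean strings. Per their names these control whether the SP signs its
          # requests and expects encrypted assertions. Prefer "true" for both unless
          # the IdP cannot handle signed requests / encrypted assertions: an
          # unencrypted assertion is readable by anything that can see the browser POST.
          signing: "false"
          encryption: "false"
          idp_url: "https://saml.example.com/oam/fed"
          # Keep this an https:// URL: the metadata carries the IdP signing certificate
          # that every incoming assertion is validated against.
          idp_metadata_url: "https://saml.example.com/oamfed/idp/metadata"
          # Attributes the SP maps from the assertion; name_format is optional.
          attributes:
            - name: test
              id: test
              name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
            - name: test1
              id: test1
          # SP private key. This is a secret: do not commit it in plain-text pillar;
          # deliver it through encrypted pillar (e.g. the GPG renderer) or a secret
          # store. The key and certificates below are truncated placeholders, not
          # usable material.
          key: |
            -----BEGIN PRIVATE KEY-----
            MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmM1NIxgQ3Y70Q
            GXoFQQnJ7nliaRtJR2xHAW47InyALQ+M3/VCtdFnNI0d2CHoytQ6mVg6BzOtdvT2
            ocEl0+LNkskSZsc6Nh59XooTQncL5PA7hXmo/nxCEgURH4oika5CC14K4hagwZca
            CQZvW1m9KwfVaNc0Va0KepH2lGI+VdxyZgRMifTMl9qDLYr++ftyFTNn5uit0Yh8
            9QFU4HLVvT0rHSQUTcFbvYE=
            -----END PRIVATE KEY-----
          # SP certificate matching the key above.
          certificate: |
            -----BEGIN CERTIFICATE-----
            MIIDDzCCAfegAwIBAgIJAOvxYAMLVkHZMA0GCSqGSIb3DQEBBQUAMCMxITAfBgNV
            BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
            k3u0PIEqysz9sOpmuSmlY4FKRobYQ3viviTIMTTuqjoCAFKIApI3tZWOqj+zShje
            Xr4ue39/lvQLj2jXV+Q2TOovQA==
            -----END CERTIFICATE-----
          # IdP certificate (presumably its signing certificate; check the template
          # for how it is combined with the certificate carried in the metadata).
          idp_certificate: |
            -----BEGIN CERTIFICATE-----
            BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
            CcnueWJpG0lHbEcBbjsifIAtD4zf9UK10Wc0jR3YIejK1DqZWDoHM6129PZ8kx5k
            aN5DvAdir7oYCpHwD5/WvHahUgsrtcz9s+pzRfiStvICVwqCsGquThZHe8YAgGpZ
            04UU/56ncPbsHf5asS3DvfVGw==
            -----END CERTIFICATE-----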
50
Shibboleth through HTTP proxy
=============================
Sometimes ``shibd`` has to reach the IdP through an HTTP proxy. The formula then adds a ``TransportOption`` to the ``MetadataProvider`` in ``shibboleth2.xml``, so the proxy is used when the IdP metadata is fetched.
54
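.. code-block:: yaml

    shibboleth:
      server:
        enabled: true
        # HTTP proxy shibd uses to fetch the IdP metadata (rendered as a
        # TransportOption on the MetadataProvider). Point it at a proxy you control.
        proxy: http://10.10.10.12:8888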
61
62
Shibboleth with transaction logging
===================================
65
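.. code-block:: yaml

    shibboleth:
      server:
        enabled: true
        logging:
          # DEBUG on the message decoder writes the decoded SAML messages -
          # including assertions and their attribute values - to the shibd log.
          # Enable it only while troubleshooting and protect/rotate the log files.
          message_decoder: DEBUG
        outofprocess:
          # Transaction log format. Fields such as %attr and %n look like they carry
          # attribute values and the NameID (confirm against the SP's format
          # reference); drop them if the transaction log must not hold user data.
          tranlogformat: "%u|%a|%s|%SP|%IDP|%t|%b|%ac|%attr|%E|%e|%S|%SS|%SM|%URI|%URL|%UA|%app|%p|%n|%D|%d|%I|%II"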
76
Override IdP metadata from file
===============================
Sometimes the IdP metadata is not publicly available for download. In that case the metadata document can be placed in the pillar as ``idp_metadata_file``; the ``idp_metadata_url`` parameter is then ignored. Metadata supplied this way is trusted as-is, so obtain it from the IdP operator over a trusted channel and check that the signing certificate it contains is the one the IdP really uses: a wrong or tampered certificate here would let the SP accept forged assertions.
80
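.. code-block:: yaml

    shibboleth:
      server:
        # Inline IdP metadata; when set, idp_metadata_url is ignored and this document
        # is used as-is. The certificate inside it is the trust anchor for every
        # assertion the SP accepts, so it must come from a trusted source.
        # Note the xsi namespace URI is http://..., not https://: namespace URIs are
        # compared literally, so an https:// form would not be recognised.
        idp_metadata_file: |
          <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
          <EntityDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                            entityID="idp_url">
            <!-- Replace "idp_url" with the IdP's real entityID; it must match the
                 Issuer value in the IdP's assertions exactly. -->
            <IDPSSODescriptor
              WantAuthnRequestsSigned="false"
              protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <!-- Signing certificate(s) of the IdP, used to validate assertion
                   signatures. A second KeyDescriptor may be listed when the IdP has
                   more than one signing certificate (e.g. during key rollover). -->
              <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:X509Data>
                    <ds:X509Certificate>MIIEADi........==</ds:X509Certificate>
                  </ds:X509Data>
                </ds:KeyInfo>
              </KeyDescriptor>
              <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:X509Data>
                    <ds:X509Certificate>MIIEADi........==</ds:X509Certificate>
                  </ds:X509Data>
                </ds:KeyInfo>
              </KeyDescriptor>
              <!-- Supported Name Identifier Formats -->
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <!-- AuthenticationRequest Consumer endpoint; replace IDP_URL with the
                   IdP's real SSO endpoint -->
              <SingleSignOnService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://IDP_URL/SAMLLogin"
              />
            </IDPSSODescriptor>
          </EntityDescriptor>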
115
116
Shibboleth session control
==========================
Sometimes the session settings for the application need tuning. This is done through the ``sessions`` variables, which the formula writes into ``shibboleth2.xml``. Note that the example below loosens several protections (client-address binding, TLS-only handlers, cookie properties); keep the Shibboleth SP defaults unless you have a concrete reason not to.
120
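.. code-block:: yaml

    shibboleth:
      server:
        sessions:
          # Absolute session lifetime and inactivity timeout, presumably in seconds
          # (28800 = 8 h, 3600 = 1 h).
          lifetime: 28800
          timeout: 3600
          relaystate: "ss:mem"
          # The three settings below are the less strict, non-default values of the
          # shibboleth2.xml Sessions element (defaults: checkAddress on, handlerSSL
          # on, cookieProps https):
          #  - checkaddress "false": a session is no longer tied to the client IP, so
          #    a stolen session cookie works from anywhere.
          #  - handlerssl "false": the /Shibboleth.sso handlers accept plain HTTP.
          #  - cookieprops "http": the session cookie is set without the Secure flag.
          # Use "true" / "true" / "https" whenever the SP is reachable over HTTPS.
          checkaddress: "false"
          handlerssl: "false"
          cookieprops: "http"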
132
133
Shibboleth attributeresolver/regex plugins support
==================================================
Sometimes a new attribute has to be derived by extracting part of another attribute's value. This is done by loading the plugin library and adding an ``attributeresolver`` of type ``transform`` in ``shibboleth2.xml``.
137See more detail here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeResolver#NativeSPAttributeResolver-TransformAttributeResolver(Version2.5andAbove)
138
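.. code-block:: yaml

    shibboleth:
      server:
        outofprocess:
          extensions:
            library:
              # Plugin library loaded into shibd. fatal "true" makes a load failure
              # abort startup instead of silently running without the plugin, which
              # is the safe choice when the attribute pipeline depends on it.
              plugin1:
                path: plugins.so
                fatal: "true"
          attributeresolver:
            transform:
              # source attribute -> one or more regex transforms
              Email:
                mantch1:
                  # NOTE(review): "@.*$" contains no capture group, so "$1" (and "$2"
                  # below) cannot expand to anything. Capture what you want to keep,
                  # e.g. match: "^(.+)@(.+)$" - verify against the
                  # TransformAttributeResolver documentation linked above.
                  match: "@.*$"
                  destination_name: "User-identifier"
                  destination: "$1"
                mantch2:
                  match: "@.*$"
                  destination: "$2"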

Shibboleth shared session
=========================
When ``shibd`` runs on every controller that hosts keystone, the sessions must be reachable from and shared between all of them, which requires a shared session storage. The example below sets this up with the memcached instances available on the controllers. Note that ``sessioncache`` needs a MEMCACHE storage service with ``buildmap`` set to ``"1"`` (``mc-ctx`` below); if the ``sessioncache`` element is omitted, the SP falls back to the in-memory plugin with ``id="mem"``, which is not shared between controllers. Because memcached itself provides no authentication, make sure port 11211 is reachable only from the controllers.
164https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPStorageService
165
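.. code-block:: yaml

    shibboleth:
      server:
        outofprocess:
          extensions:
            library:
              plugin1:
                path: "memcache-store.so"
                fatal: "true"
          # Two memcached-backed storage services: ``mc`` (buildmap "0") for the
          # small replay/"lite" records, ``mc-ctx`` (buildmap "1") for the full
          # session context. memcached as normally deployed has neither
          # authentication nor transport encryption and the session records are
          # live credential material, so 11211 must be reachable only from the
          # controllers (firewall / private network).
          storageservice:
            mc:
              type: MEMCACHE
              buildmap: "0"
              sendtimeout: "999999"  # optional
              recvtimeout: "999999"  # optional
              polltimeout: "1000"  # optional
              failtimeout: "5"  # optional
              retrytimeout: "30"  # optional
              prefix: "SHIBD"  # optional
              # comma-separated host:port list (one quoted string)
              hosts: "${_param:cluster_node01_address}:11211,${_param:cluster_node02_address}:11211,${_param:cluster_node03_address}:11211"
            mc-ctx:
              type: MEMCACHE
              buildmap: "1"
              sendtimeout: "999999"  # optional
              recvtimeout: "999999"  # optional
              polltimeout: "1000"  # optional
              failtimeout: "5"  # optional
              retrytimeout: "30"  # optional
              prefix: "SHIBD"  # optional
              hosts: "${_param:cluster_node01_address}:11211,${_param:cluster_node02_address}:11211,${_param:cluster_node03_address}:11211"
          sessioncache:
            type: "StorageService"
            cachetimeout: "900"  # optional
            storageservice: "mc-ctx"
            storageservicelite: "mc"
          replaycache:
            storageservice: "mc"
          # NOTE(review): the original sample repeated ``replaycache`` here with
          # ``storageservice: "mc"`` and ``artifactTTL: "180"``. A duplicate mapping
          # key is invalid YAML (most loaders silently keep only the last one), and
          # artifactTTL is a setting of the ArtifactMap element in shibboleth2.xml,
          # so that entry most likely belongs under whichever key the formula's
          # template uses for the artifact map - check the template before adding it.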