DMPRoadmap / roadmap

DCC/UC3 collaboration for a data management planning tool
MIT License

DCC: Install and configure Shibboleth #39

Status: Closed (briri closed this 7 years ago)

briri commented 7 years ago

Install the Shibboleth Service Provider on the Roadmap server and configure it to work with the appropriate federation.

References: https://www.pivotaltracker.com/story/show/131902937 and https://www.pivotaltracker.com/story/show/125268081

briri commented 7 years ago

May need to register new roadmap domain names with the federation. If so, create a separate ticket?

briri commented 7 years ago

Need to point service provider at the EduGain list instead of the UK federation's

alexstuart commented 7 years ago

The eduGAIN metadata aggregate is intended to be consumed by federation operators, not by individual IdPs or SPs. See https://technical.edugain.org/metadata for the policy.

The UK federation metadata aggregate includes the majority of eduGAIN entities already. You can check this by downloading the UK federation metadata aggregate and noting the number of entities that do not have a registrationAuthority="http://ukfederation.org.uk" (or search for https://dmp.cdlib.org which shows that metadata for the DMP Tool SP is already available in the UK federation).

briri commented 7 years ago

Thanks for the clarification @alexstuart

vyruss commented 7 years ago

The saga so far:

  1. In order to use the Shibboleth nginx module (nginx-shib/nginx-http-shibboleth) we need to compile it, but compilation as a dynamic module against the sources of the nginx package we currently use doesn't work ("binary incompatibility"), therefore we need to compile it into a fresh nginx. However, we also need to compile in the Passenger nginx module (phusion/passenger/tree/release-5.1.1/src/nginx_module), which we also need.

  2. Get dependencies (as root):

    # Get the sources
    cd /usr/src
    git clone https://github.com/nginx/nginx.git
    git clone https://github.com/nginx-shib/nginx-http-shibboleth.git
    git clone https://github.com/openresty/headers-more-nginx-module.git

    We need Shibboleth with FastCGI support, so add this to /etc/yum.repos.d/shibboleth.repo:

    [shibboleth]
    name=Shibboleth James Cook University repo
    baseurl=http://www.hpc.jcu.edu.au/rpm
    gpgcheck=0
    enabled=1
    priority=1

    To get the Passenger module sources add this to /etc/yum.repos.d/passenger.repo:

    [passenger]
    name=Passenger repo
    baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/7/$basearch
    enabled=1
    gpgcheck=0
    priority=1

    Install dependencies:

    yum install passenger-devel-5.1.1 shibboleth.x86_64 fcgi.x86_64 supervisor \
                perl-ExtUtils-Embed rpmdevtools
    rpm -Uvh ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/andnagy/RedHat_RHEL-6/x86_64/checkinstall-1.6.2-20.2.x86_64.rpm
  3. Configure, compile & package RPM (as root):

    cd /usr/src/nginx
    auto/configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
      --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \
      --http-log-path=/var/log/nginx/access.log \
      --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
      --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
      --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
      --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
      --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid \
      --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio \
      --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
      --with-http_addition_module --with-http_xslt_module --with-http_sub_module \
      --with-http_dav_module --with-http_flv_module --with-http_mp4_module \
      --with-http_gunzip_module --with-http_gzip_static_module \
      --with-http_random_index_module --with-http_secure_link_module \
      --with-http_degradation_module --with-http_stub_status_module \
      --with-http_perl_module --with-mail --with-mail_ssl_module \
      --with-pcre --with-pcre-jit \
      --add-module=/usr/share/passenger/ngx_http_passenger_module \
      --add-module=/usr/src/nginx-http-shibboleth \
      --add-module=/usr/src/headers-more-nginx-module \
      --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' \
      --with-ld-opt='-Wl,-z,relro -Wl,-E'
    make
    checkinstall
  4. Install nginx package & service (as root):

    rpm -Uvh /root/rpmbuild/RPMS/x86_64/nginx-xxxxxxxx-1.x86_64.rpm

    Add this to /lib/systemd/system/nginx.service:

    [Unit]
    Description=The NGINX HTTP and reverse proxy server
    After=syslog.target network.target remote-fs.target nss-lookup.target
    
    [Service]
    Type=forking
    PIDFile=/run/nginx.pid
    ExecStartPre=/usr/sbin/nginx -t
    ExecStart=/usr/sbin/nginx
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
    PrivateTmp=true
    
    [Install]
    WantedBy=multi-user.target
  5. Configure nginx in /etc/nginx/sites-available/dmponline-test.dcc.ac.uk.conf:

    server {
      listen *:80;

      server_name dmponline-test.dcc.ac.uk;
      index index.html index.htm index.php;
      access_log /var/log/nginx/dmponline-test.dcc.ac.uk.access.log;
      error_log /var/log/nginx/dmponline-test.dcc.ac.uk.error.log;

      location / {
        root /opt/src/dmponline_test/public;
        index index.html index.htm index.php;
      }

      passenger_enabled on;
      passenger_ruby /usr/local/rvm/gems/ruby-2.2.5@dmponline/wrappers/ruby;
      passenger_min_instances 1;
      rails_env production;

      location /healthcheck/ {
        return 200 "$hostname";
        add_header Content-Type text/plain;
        access_log off;
      }

      # SHIBBOLETH
      # SP handler endpoints (session initiator, ACS, logout, status), served by shibresponder
      location /Shibboleth.sso {
        include fastcgi_params;
        include shib_fastcgi_params;
        fastcgi_pass unix:/opt/shibboleth/shibresponder.sock;
      }
      location /shibboleth-sp {
        alias /usr/share/shibboleth/;
      }
      # Authorizer, reachable only as the target of shib_request subrequests
      location /shibauthorizer {
        internal;
        include fastcgi_params;
        include shib_fastcgi_params;
        fastcgi_pass unix:/opt/shibboleth/shibauthorizer.sock;
      }
      # The path that must see the Shibboleth session. Without a shib_request
      # here the authorizer is never consulted and no SP attributes reach Rails.
      # shib_clear_headers (shipped with nginx-http-shibboleth, relies on the
      # headers-more module compiled in above) drops any client-supplied copies
      # of the attribute headers before the SP sets the real ones.
      location /users/auth/shibboleth/callback {
        shib_request /shibauthorizer;
        shib_request_use_headers on;
        include shib_clear_headers;
        # root is not inherited from "location /", and Passenger locates the
        # app from it, so repeat it here
        root /opt/src/dmponline_test/public;
        passenger_enabled on;
      }
    }
  6. Set up Supervisord to run the Shibboleth FastCGI responder apps: Append to /etc/supervisord.conf:

    [fcgi-program:shibauthorizer]
    command=/usr/lib64/shibboleth/shibauthorizer
    socket=unix:///opt/shibboleth/shibauthorizer.sock
    socket_owner=shibd:shibd
    socket_mode=0660
    user=shibd
    stdout_logfile=/var/log/supervisor/shibauthorizer.log
    stderr_logfile=/var/log/supervisor/shibauthorizer.error.log
    
    [fcgi-program:shibresponder]
    command=/usr/lib64/shibboleth/shibresponder
    socket=unix:///opt/shibboleth/shibresponder.sock
    socket_owner=shibd:shibd
    socket_mode=0660
    user=shibd
    stdout_logfile=/var/log/supervisor/shibresponder.log
    stderr_logfile=/var/log/supervisor/shibresponder.error.log
  7. Configure Shibboleth to protect /users/auth/shibboleth/callback: Insert into /etc/shibboleth/shibboleth2.xml before <ApplicationDefaults> section:

    <RequestMapper type="XML">
      <RequestMap>
        <Host name="dmponline-test.dcc.ac.uk">
          <!-- Only the Omniauth callback requires a Shibboleth session;
               setting these on <Host> would require one for every path -->
          <Path name="/users/auth/shibboleth/callback"
                authType="shibboleth"
                requireSession="true" />
        </Host>
      </RequestMap>
    </RequestMapper>
  8. Fix Shibboleth service: wait for proper startup time because of UK Fed metadata size. Edit /etc/sysconfig/shibd and change SHIBD_WAIT:

    # Wait period (secs) for configuration (and metadata) to load
    SHIBD_WAIT=200
  9. Start Shibboleth and its FastCGI responder apps and restart nginx:

    service shibd restart  # Go grab a cup of coffee...
    service supervisord restart
    service nginx restart
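
The wiring in steps 5 and 6 fails silently when the socket path in a `fastcgi_pass` does not match a supervisord `socket=`, when a socket mode lets other local users write to the authorizer socket, or when a location trusts the SP's attribute headers without first clearing client-supplied ones. The script below is an added example (not part of the thread or of the DMPRoadmap project) that runs those three checks offline against constructed sample configs; the sample files, the function names and the temp directory layout are all assumptions made here, and the samples deliberately contain one instance of each fault.

```shell
#!/bin/sh
# Added example, not from the DMPRoadmap thread: offline consistency checks
# for the nginx <-> supervisord <-> Shibboleth FastCGI wiring. The sample
# configs are constructed and contain three faults: a fastcgi_pass socket
# no fcgi-program provides, a world-writable socket_mode, and a location
# using shib_request_use_headers without "include shib_clear_headers".

# Print the unix socket paths declared by supervisord [fcgi-program:*] sections.
supervisor_sockets() {
  sed -n 's#^socket=unix://\(.*\)$#\1#p' "$1"
}

# Print the unix socket paths nginx hands requests to via fastcgi_pass.
nginx_fastcgi_sockets() {
  sed -n 's#^[[:space:]]*fastcgi_pass[[:space:]]*unix:\([^;]*\);.*#\1#p' "$1"
}

# Succeed only if every nginx fastcgi socket is provided by supervisord.
check_sockets() {
  rc=0
  for s in $(nginx_fastcgi_sockets "$2"); do
    if ! supervisor_sockets "$1" | grep -qxF "$s"; then
      echo "nginx passes to $s but no fcgi-program provides it" >&2
      rc=1
    fi
  done
  return $rc
}

# Succeed only if every socket_mode is owner/group only (0660 or 0600).
check_socket_modes() {
  bad=$(grep '^socket_mode=' "$1" | grep -vE '^socket_mode=0?6[06]0$' || true)
  [ -z "$bad" ]
}

# Print location blocks that set shib_request_use_headers on but never
# include shib_clear_headers, i.e. where a client could inject attributes.
unguarded_shib_locations() {
  awk '
    /^[ \t]*location[ \t]/ {
      name = ($2 ~ /^[=~^]/) ? $3 : $2   # skip a modifier such as = or ~
      uses = 0; clears = 0; depth = 0
    }
    /shib_request_use_headers[ \t]+on/ { uses = 1 }
    /include[ \t]+shib_clear_headers/   { clears = 1 }
    index($0, "{") { depth++ }
    index($0, "}") {
      depth--
      if (depth == 0 && name != "") {
        if (uses && !clears) print name
        name = ""
      }
    }
  ' "$1"
}

# Write the constructed sample configs into a temp dir and print its path.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/supervisord.conf" <<'EOF'
[fcgi-program:shibauthorizer]
socket=unix:///opt/shibboleth/shibauthorizer.sock
socket_mode=0666

[fcgi-program:shibresponder]
socket=unix:///opt/shibboleth/shibresponder.sock
socket_mode=0660
EOF
  cat > "$dir/site.conf" <<'EOF'
server {
  location /Shibboleth.sso {
    fastcgi_pass unix:/opt/shibboleth/shibresponder.sock;
  }
  location /shibauthorizer {
    internal;
    fastcgi_pass unix:/opt/shibboleth/shibauthoriser.sock;
  }
  location /users/auth/shibboleth/callback {
    shib_request /shibauthorizer;
    shib_request_use_headers on;
  }
  location /secure {
    shib_request /shibauthorizer;
    shib_request_use_headers on;
    include shib_clear_headers;
  }
}
EOF
  echo "$dir"
}

report() {
  check_sockets "$1/supervisord.conf" "$1/site.conf" && echo "sockets: ok" || echo "sockets: MISMATCH"
  check_socket_modes "$1/supervisord.conf" && echo "socket modes: ok" || echo "socket modes: TOO PERMISSIVE"
  u=$(unguarded_shib_locations "$1/site.conf")
  if [ -z "$u" ]; then echo "header hygiene: ok"; else echo "header hygiene: unguarded: $u"; fi
}

d=$(make_samples); report "$d"; rm -rf "$d"
```

Run it against the real files by calling `check_sockets /etc/supervisord.conf /etc/nginx/sites-available/<site>.conf` and the two other functions with the same paths. The header-hygiene check only recognises the prefix-form `location` blocks used in this thread and treats any block that mentions `shib_request_use_headers on` without `shib_clear_headers` as unguarded.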

vyruss commented 7 years ago

UK Federation Shibboleth login succeeds and we get a session from UK Fed:

DEBUG Shibboleth.SessionCache [2]: creating new session
DEBUG Shibboleth.SessionCache [2]: storing new session...
DEBUG XMLTooling.StorageService [2]: inserted record (session) in context (_1cc67610dde625f1a32a37c217fab5a3) with expiration (1492446054)
DEBUG XMLTooling.StorageService [2]: inserted record (AAlzZWNyZXQyNzeSJGorbGimC+hUeyOsV2rA+TgQqbcK4XizDtkhMkWxwjdeifO56zi6tQTIC1IuZW3bUmuJQvvbQYfR59tuecZ7FNEsgbhIRUOSz4CGZ+bEtU7dZhNm3qKSv0CklrlVJp7w5vSn+YmrySIE5BpqZlcpdv8=) in context (NameID) with expiration (1492471254)
DEBUG XMLTooling.StorageService [2]: inserted record (_3306ab08a23279a9586a1bc38a566113) in context (_1cc67610dde625f1a32a37c217fab5a3) with expiration (1492446054)
INFO Shibboleth.SessionCache [2]: new session created: ID (_1cc67610dde625f1a32a37c217fab5a3) IdP (https://idp.ed.ac.uk/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (172.16.20.21)
DEBUG Shibboleth.SSO.SAML2 [2]: ACS returning via redirect to: https://dmponline-test.dcc.ac.uk/users/auth/shibboleth/callback

But Rails' Omniauth doesn't receive this session:

INFO -- : Started GET "/users/auth/shibboleth/callback" for 172.16.20.21 at 2017-04-17 16:41:36 +0100
INFO -- omniauth: (shibboleth) Callback phase initiated.
ERROR -- omniauth: (shibboleth) Authentication failure! no_shibboleth_session encountered.
INFO -- : Processing by Users::OmniauthCallbacksController#failure as HTML
INFO -- : Redirected to http://dmponline-test.dcc.ac.uk/
INFO -- : Completed 302 Found in 1ms (ActiveRecord: 0.0ms)

sjDCC commented 7 years ago

I could link my UK access federation credentials on DMPonline test and also logout and log back in with credentials. @briri I got this error on staging staging-shib

briri commented 7 years ago

Yeah, we're not hooked up yet on our end. Waiting for our roadmap hostnames to be added to one of the InCommon research groups.

If it's working for you guys I would say that we can close this out. We'll open a new one if CDL has issues.

sjDCC commented 7 years ago

Perfect, thanks @briri