| Author: | Frederic Peters |
|---|---|
| Contact: | fpeters@entrouvert.com |
| Date: | 2004-09-20 |
| Revision: | 1.15 |
| Copyright: | Copyright © 2004 Entr'ouvert |
IdPC is an implementation of a Liberty Identity Provider in the form of several CGI C programs.
It supports the following IDFF-1.2 profiles:
It will complete existing profiles and implement other core profiles in the future.
IdPC can authenticate users through several means including HTTP authentication and client certificates.
IdPC releases can be downloaded from http://labs.libre-entreprise.org/download/idpc/
Development code is available using CVS (web interface):
```
export CVSROOT=:pserver:anonymous@cvs.labs.libre-entreprise.org:/cvsroot/idpc
cvs login      # press enter
cvs -z3 checkout idpc
```
IdPC uses automake and autoconf which should make compilation and installation a breeze. Kind of.
Basic usage is:
```
./configure
make
make install
```
It will most likely bail out because of missing libraries. You need libxml2 (XML support, used for the configuration file), neon (HTTP support, used for SOAP requests), OpenSSL (OCSP support) and Lasso (Liberty Alliance support).
| Library | URL | Debian package name |
|---|---|---|
| libxml2 | http://xmlsoft.org/ | libxml2-dev |
| neon | http://www.webdav.org/neon/ | libneon-dev |
| lasso | http://lasso.entrouvert.org/ | liblasso-dev |
| openssl | http://www.openssl.org/ | libssl-dev |
Additionally, you will also need either PostgreSQL or MySQL for the database support. PostgreSQL is the default. The database engine to use can be selected this way:
```
./configure --with-dbengine=mysql
```
| Library | URL | Debian package name |
|---|---|---|
| postgresql | http://www.postgresql.org | postgresql-dev |
| mysql | http://www.mysql.org | libmysqlclient-dev |
It may also be useful to set the path to the configuration files; the default is ${prefix}/etc (hence /usr/local/etc/):
```
./configure --sysconfdir=/etc/
```
It is possible to combine configure flags such as:
```
./configure --prefix=/usr/ --sysconfdir=/etc/ --with-dbengine=postgresql
```
Compilation is then straightforward; just type make.
Once compiled, make install won't do much since there is no standard place for CGI programs. You can copy them (they are the executables in src/) to a place of your choosing. Note that if you want to use HTTP authentication, singleSignOn should be installed in a different directory from soapEndpoint, so that Apache can require authentication for it alone (see the Apache configuration below).
IdPC needs a configuration file to work; its location depends on the compilation options. IdPC will tell you the correct path if you call one of the CGIs with the --help argument:
```
$ /usr/lib/cgi-bin/idpc/soapEndpoint --help
This is IdPC; it is meant to be used as a CGI
Config file should be installed as: /etc/idpc/config.xml
```
The configuration file must be a valid XML file and its root element should be named "idpc" and placed in the following namespace http://www.entrouvert.org/namespaces/idpc.
Keyword: http
HTTP authentication is handled by the web server; it should pass a REMOTE_USER environment variable to the CGI. Apache allows many sources for HTTP authentication including LDAP directory and PostgreSQL and MySQL databases.
The value of REMOTE_USER will be used as the key to identify users in the database.
Keyword: certificate
This authentication relies on Apache mod_ssl to set several environment variables; your Apache configuration must contain an SSLVerifyClient directive with optional or require as its value.
The certificate serial number will be used as the key to identify users in the database.
Note: this is subject to change.
Additionally, if you have set ocspCheck to true in the configuration file, an OCSP request will be made to check the certificate's revocation status.
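The two authentication keywords above boil down to reading the CGI environment that Apache (or mod_ssl) prepares. The following is an added illustration, not code from IdPC: a hypothetical idpc_user_key() derives the database key for the request, using REMOTE_USER for http and the mod_ssl variables SSL_CLIENT_VERIFY and SSL_CLIENT_M_SERIAL (exported by +StdEnvVars) for certificate, and refuses to produce a key when no verified identity is present.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not part of IdPC): derive the database key for the
 * current request from the CGI environment, following the two schemes the
 * documentation describes. Returns 0 and fills `key` on success, -1 otherwise. */
int idpc_user_key(const char *method, char *key, size_t keylen)
{
    const char *value = NULL;

    if (strcmp(method, "http") == 0) {
        /* Apache sets REMOTE_USER only after its own authentication succeeded;
         * if it is absent, the directory was not protected or auth failed. */
        value = getenv("REMOTE_USER");
    } else if (strcmp(method, "certificate") == 0) {
        /* With "SSLVerifyClient optional" a request may carry no client
         * certificate at all, and a presented certificate may fail chain
         * verification; mod_ssl reports the outcome in SSL_CLIENT_VERIFY, so
         * the serial is only meaningful when that variable reads SUCCESS.
         * Serials are unique per issuer only, so this assumes one issuing CA. */
        const char *verify = getenv("SSL_CLIENT_VERIFY");
        if (verify == NULL || strcmp(verify, "SUCCESS") != 0)
            return -1;
        value = getenv("SSL_CLIENT_M_SERIAL");
    } else {
        return -1;            /* unknown authentication keyword */
    }

    /* The key lands in a varchar(100) column: reject values that do not fit
     * the caller's buffer rather than truncating, which could make two
     * distinct identities collide on the same key. */
    if (value == NULL || value[0] == '\0' || strlen(value) >= keylen)
        return -1;
    strcpy(key, value);
    return 0;
}

int main(void)
{
    char key[101];
    if (idpc_user_key("http", key, sizeof key) == 0)
        printf("http user key: %s\n", key);
    else if (idpc_user_key("certificate", key, sizeof key) == 0)
        printf("certificate user key: %s\n", key);
    else
        printf("no authenticated user in the environment\n");
    return 0;
}
```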
Imagine soapEndpoint has been installed in /usr/lib/cgi-bin/idpc/ and singleSignOn (and the other service URLs) in /usr/lib/cgi-bin/idpc/auth/. The Apache CGI configuration will typically look as follows:
```
ScriptAlias /idpc/ /usr/lib/cgi-bin/idpc/
<Directory /usr/lib/cgi-bin/idpc/>
    AllowOverride None
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>
```
For HTTP authentication Apache must be configured to restrict access to the service URLs (singleSignOn, singleLogout, federationTermination); it may be done as follows:
```
<Directory /usr/lib/cgi-bin/idpc/auth>
    AuthType Basic
    AuthName "IdPc"
    AuthUserFile /etc/apache/passwd
    Require valid-user
</Directory>
```
For X.509 certificate authentication Apache must be configured with the following SSL options:
```
SSLOptions +ExportCertData
SSLOptions +StdEnvVars
```
Additionally, it is necessary to cache SSL sessions for some versions of Microsoft Internet Explorer; this is done through the SSLSessionCache directive:
```
SSLSessionCache dbm:/var/log/apache/ssl-session-cache.dbm
SSLSessionCacheTimeout 600
```
See the mod_ssl FAQ for details on browser quirks.
```sql
CREATE USER idpc PASSWORD 'pass';

-- maps Liberty name identifiers to local user ids
CREATE TABLE nameidentifiers (
    name_identifier varchar(100) primary key,
    user_id varchar(100)
);

-- one row per local user, holding the serialised Lasso identity and session
CREATE TABLE users (
    user_id varchar(100) primary key,
    user_dump text,
    session_dump text
);

-- assertions kept for resolution through the artifact profile
CREATE TABLE assertions (
    artifact varchar(100),
    assertion text
);

GRANT DELETE, INSERT, SELECT, UPDATE ON nameidentifiers TO idpc;
GRANT DELETE, INSERT, SELECT, UPDATE ON users TO idpc;
GRANT DELETE, INSERT, SELECT, UPDATE ON assertions TO idpc;
```
Be sure it is possible to connect to the database over TCP/IP; something like the following pg_hba.conf line will do (you may have to disable ident authentication first):
```
# TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
host    idpc      idpc  127.0.0.1   255.255.255.255  password
```
Note: support not yet implemented.
Liberty metadata files are XML files with details about the protocols implemented by the provider and their URLs. The exact URLs will depend upon the Apache configuration, but here is the mapping between metadata elements and script names.
| Metadata element | Script name |
|---|---|
| SingleSignOnServiceURL | singleSignOn |
| SingleLogoutServiceURL | singleLogout |
| FederationTerminationServiceURL | federationTermination |
| SoapEndpoint | soapEndpoint |
IdPC (both code and documentation) is copyright © 2004 Entr'ouvert and released under the GNU General Public License.