From 36feb5062d301811a9820b149cac9de2d6fdfb67 Mon Sep 17 00:00:00 2001
From: 3wc <3wc.git@doesthisthing.work>
Date: Sat, 5 Sep 2020 14:18:00 +0200
Subject: [PATCH] First stab at SimpleSAMLPHP

Main issue is how to customise the virtual host configuration of the Mediawiki container to pass /simplesamlphp/ through to the right directory (or reverse proxy to the `simplesamlphp` container)
---
 compose.yml | 28 ++++++++++
 metadata/saml20-idp-hosted.php | 93 ++++++++++++++++++++++++++++++++
 metadata/saml20-idp-remote.php | 60 +++++++++++++++++++++
 metadata/saml20-sp-remote.php | 96 ++++++++++++++++++++++++++++++++++
 4 files changed, 277 insertions(+)
 create mode 100644 metadata/saml20-idp-hosted.php
 create mode 100644 metadata/saml20-idp-remote.php
 create mode 100644 metadata/saml20-sp-remote.php

diff --git a/compose.yml b/compose.yml
index 3374392..c8aaa2d 100644
--- a/compose.yml
+++ b/compose.yml
@@ -34,6 +34,7 @@ services:
 volumes:
 - 'mediawiki_images:/var/www/html/images'
 - 'parsoid:/usr/lib/parsoid'
+ - 'simplesaml:/var/www/html/simplesamlphp'
 configs:
 - source: LocalSettings_conf
 target: /var/www/html/LocalSettings.php
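Review bot: The added mount puts the whole `simplesaml` volume under the MediaWiki document root (`/var/www/html/simplesamlphp`), and the same volume is mounted at `/var/simplesamlphp/` in the new service, so everything the SimpleSAMLphp install keeps outside `www/` — `config/`, the `cert/` directory that the hosted metadata points `saml.pem`/`saml.crt` at, `metadata/`, logs — becomes a web path on the wiki host; an Apache vhost that executes `.php` will still serve `.pem`, `.crt` and log files as plain text. SimpleSAMLphp is designed to expose only its `www/` directory, so either mount just that subtree (a bind or sub-mount of `www/` at `/var/www/html/simplesamlphp`) or drop this mount entirely and let traefik route `/simplesamlphp/` to the `simplesamlphp` container, which the commit message already lists as the open option. Whether the mediawiki image's vhost actually serves this directory, and what the image lays out under `/var/simplesamlphp/`, are not visible here and should be confirmed before this reaches a shared environment.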
@@ -60,11 +61,38 @@ services:
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
 entrypoint: /docker-entrypoint2.sh
+ simplesamlphp:
+ image: venatorfox/simplesamlphp:latest
+ environment:
+ - CONFIG_BASEURLPATH=${DOMAIN}/simplesamlphp
+ - CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
+ - CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
+ - CONFIG_TECHNICALCONTACT_NAME=Adam W Zheng
+ - CONFIG_TECHNICALCONTACT_EMAIL=helo@autonomic.zone
+ - CONFIG_SHOWERRORS=true
+ - CONFIG_ERRORREPORTING=true
+ - CONFIG_ADMINPROTECTINDEXPAGE=true
+ - CONFIG_LOGGINGLEVEL=INFO
+ - CONFIG_ENABLESAML20IDP=true
+ #- CONFIG_STORETYPE=memcache
+ #- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
+ #- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ],
+ - OPENLDAP_TLS_REQCERT=allow
+ - MTA_NULLCLIENT=false
+ - POSTFIX_MYHOSTNAME=${DOMAIN}
+ - POSTFIX_MYORIGIN=$$mydomain
+ - POSTFIX_INETINTERFACES=loopback-only
+ - DOCKER_REDIRECTLOGS=true
+ volumes:
+ - simplesaml:/var/simplesamlphp/
+ networks:
+ - internal
 volumes:
 mariadb:
 mediawiki_images:
 parsoid:
+ simplesaml:
 networks:
 proxy:
diff --git a/metadata/saml20-idp-hosted.php b/metadata/saml20-idp-hosted.php
new file mode 100644
index 0000000..51da8ec
--- /dev/null
+++ b/metadata/saml20-idp-hosted.php
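Review bot: `OPENLDAP_TLS_REQCERT=allow` and the placeholder `CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy` should not ship as written: `allow` makes the LDAP client accept any server certificate, so the bind credentials and every member lookup are open to interception, and a guessable `secretsalt` weakens every value SimpleSAMLphp derives from it (persistent NameIDs and its other salted hashes). Change them to `- OPENLDAP_TLS_REQCERT=demand` and `- CONFIG_SECRETSALT=${SIMPLESAML_SECRETSALT}`, generated per deployment and injected as a secret — the same treatment `CONFIG_AUTHADMINPASSWORD` deserves instead of a hash committed to the repo. `CONFIG_SHOWERRORS=true` and `CONFIG_ERRORREPORTING=true` expose stack traces and file paths to end users, so gate them on a dev-only flag, and pin `venatorfox/simplesamlphp:latest` to a tag or digest given that this third-party image will hold the IdP signing key. The variable names and how the image maps them onto `config.php` come from that image rather than SimpleSAMLphp itself, so the mapping is worth verifying against its documentation.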
@@ -0,0 +1,93 @@
+ 'wisera.auth.dev.iww.org.uk',
+
+ // X.509 key and certificate. Relative to the cert directory.
+ 'privatekey' => 'saml.pem',
+ 'certificate' => 'saml.crt',
+
+ /*
+ * Authentication source to use. Must be one that is configured in
+ * 'config/authsources.php'.
+ */
+ 'auth' => 'live',
+
+ /*
+ * WARNING: SHA-1 is disallowed starting January the 1st, 2014.
+ *
+ * Uncomment the following option to start using SHA-256 for your signatures.
+ * Currently, SimpleSAMLphp defaults to SHA-1, which has been deprecated since
+ * 2011, and will be disallowed by NIST as of 2014. Please refer to the following
+ * document for more information:
+ *
+ * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
+ *
+ * If you are uncertain about service providers supporting SHA-256 or other
+ * algorithms of the SHA-2 family, you can configure it individually in the
+ * SP-remote metadata set for those that support it. Once you are certain that
+ * all your configured SPs support SHA-2, you can safely remove the configuration
+ * options in the SP-remote metadata set and uncomment the following option.
+ *
+ * Please refer to the IdP hosted reference for more information.
+ */
+ 'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+
+ /* Uncomment the following to use the uri NameFormat on attributes. */
+ /*
+ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+ 'authproc' => array(
+ // Convert LDAP names to oids.
+ 100 => array('class' => 'core:AttributeMap', 'name2oid'),
+ ),
+ */
+
+ /*
+ * Uncomment the following to specify the registration information in the
+ * exported metadata. Refer to:
+ * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
+ * for more information.
+ */
+ /*
+ 'RegistrationInfo' => array(
+ 'authority' => 'urn:mace:example.org',
+ 'instant' => '2008-01-17T11:28:03Z',
+ 'policies' => array(
+ 'en' => 'http://example.org/policy',
+ 'es' => 'http://example.org/politica',
+ ),
+ ),
+ */
+);
+
+$metadata['__DYNAMIC:2__'] = array(
+ 'host' => 'nara.auth.dev.iww.org.uk',
+
+ 'privatekey' => 'saml.pem',
+ 'certificate' => 'saml.crt',
+
+ 'auth' => 'redcard',
+
+ 'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+);
+
+$metadata['__DYNAMIC:3__'] = array(
+ 'host' => 'auth.dev.iww.org.uk',
+
+ 'privatekey' => 'saml.pem',
+ 'certificate' => 'saml.crt',
+
+ 'auth' => 'default-sp',
+
+ 'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+);
diff --git a/metadata/saml20-idp-remote.php b/metadata/saml20-idp-remote.php
new file mode 100644
index 0000000..9e65511
--- /dev/null
+++ b/metadata/saml20-idp-remote.php
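Review bot: All three hosted IdP entities (`__DYNAMIC:1__`, `__DYNAMIC:2__`, `__DYNAMIC:3__`) sign with the same `saml.pem`/`saml.crt`, so a compromise or rotation of that one key hits every entity at once and no relying party can tell the three issuers apart by signing key; unless they are deliberately one trust domain, give each entity its own pair, e.g. `'privatekey' => 'nara.pem', 'certificate' => 'nara.crt',` for the `nara` entry. The long SHA-1 block in the first entity still tells the reader to "uncomment the following option" although `'signature.algorithm'` is already active on the next line; it should be cut to something like `// Sign with RSA-SHA256; SHA-1 signatures are deprecated.` so the comment matches the code. `__DYNAMIC:3__` uses `'auth' => 'default-sp'`, i.e. an IdP that authenticates by acting as an SP towards something else, and nothing in the file says which upstream that proxies to — a one-line comment naming it would help the next reader. The first entity's opening lines (`$metadata['__DYNAMIC:1__'] = array(` and `'host' =>`) are not visible in this rendering of the hunk.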
@@ -0,0 +1,60 @@
+ array(
+// 'en' => 'WISE-RA (production)',
+// ),
+// 'description' => 'Log in using your WISE-RA members area user name.',
+// 'SingleSignOnService' => 'https://service.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+// 'SingleLogoutService' => 'https://service.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+// 'privatekey' => 'saml.pem',
+// 'certificate' => 'saml.crt',
+// );
+$metadata['https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+ 'name' => array(
+ 'en' => 'WISE-RA (dev)',
+ ),
+ 'description' => 'Log in using your WISE-RA members area user name.',
+ 'SingleSignOnService' => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+ 'SingleLogoutService' => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+ 'privatekey' => 'saml.pem',
+ 'certificate' => 'saml.crt',
+);
+$metadata['https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+ 'name' => array(
+ 'en' => 'NARA (dev)',
+ ),
+ 'description' => 'Log in using your NARA red card username.',
+ 'SingleSignOnService' => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+ 'SingleLogoutService' => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+ 'privatekey' => 'saml.pem',
+ 'certificate' => 'saml.crt',
+);
+
+/*
+ * Guest IdP. allows users to sign up and register. Great for testing!
+ */
+/*
+$metadata['https://openidp.feide.no'] = array(
+ 'name' => array(
+ 'en' => 'Feide OpenIdP - guest users',
+ 'no' => 'Feide Gjestebrukere',
+ ),
+ 'description' => 'Here you can login with your account on Feide RnD OpenID.
If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',
+
+ 'SingleSignOnService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
+ 'SingleLogoutService' => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
+ 'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
+);
+*/
+
diff --git a/metadata/saml20-sp-remote.php b/metadata/saml20-sp-remote.php
new file mode 100644
index 0000000..c0bc787
--- /dev/null
+++ b/metadata/saml20-sp-remote.php
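Review bot: Both active remote-IdP entries (`wisera` and `nara`) carry `'privatekey' => 'saml.pem'`, but an idp-remote entry describes the peer IdP and, as far as I can tell, the SP side only needs that IdP's signing certificate (`certificate` or `certData`) here — the private key line does nothing useful and spreads the signing-key file name into yet another config. The `certificate` is the same `saml.crt` the hosted IdPs sign with, so the trust anchor for validating inbound assertions is shared between the two entries and any rotation of the hosted key silently breaks both unless this file is updated in lockstep; if they are meant to be distinct IdPs, pin distinct certificates. Drop the `privatekey` lines and add `'sign.logout' => true, 'validate.logout' => true,` to each entry so logout traffic is signed and verified rather than accepted bare. The commented-out production entry at the top of the file (its opening lines are not visible in this rendering) should get the same treatment when it is enabled.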
@@ -0,0 +1,96 @@
+ 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+ 'SingleLogoutService' => 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+ * MediaWiki
+ */
+$metadata['https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+ 'AssertionConsumerService' => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+ 'SingleLogoutService' => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+ * Moodle
+ */
+$metadata['https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+ 'AssertionConsumerService' => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+ 'SingleLogoutService' => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+ * WordPress
+ */
+ $metadata['urn:dev.iww.org.uk'] = array(
+ 'AssertionConsumerService' => 'https://dev.iww.org.uk/wp/wp-login.php',
+ 'SingleLogoutService' => 'https://dev.iww.org.uk/wp/wp-login.php',
+);
+$metadata['urn:shop.dev.iww.org.uk'] = array(
+ 'AssertionConsumerService' => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
+ 'SingleLogoutService' => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
+);
+
+/*
+ * Nextcloud
+ */
+$metadata['https://cloud.dev.iww.org.uk/apps/user_saml/saml/metadata'] = array(
+ 'AssertionConsumerService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/acs',
+ 'SingleLogoutService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/sls',
+);
+
+/*
+ * RocketChat
+ */
+$metadata['https://chat.dev.iww.org.uk/_saml/metadata/rc'] = array (
+ 'entityid' => 'https://chat.dev.iww.org.uk/_saml/metadata/rc',
+ 'contacts' => array (),
+ 'metadata-set' => 'saml20-sp-remote',
+ 'AssertionConsumerService' => array (
+ 0 => array (
+ 'Binding' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => 'https://chat.dev.iww.org.uk/_saml/validate/rc',
+ 'index' => 1,
+ 'isDefault' => true,
+ ),
+ ),
+ 'SingleLogoutService' => array (
+ 0 => array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
+ 'ResponseLocation' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
+ ),
+ ),
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+);
+
+/*
+ * Example SimpleSAMLphp SAML 2.0 SP
+ */
+/* $metadata['https://saml2sp.example.org'] = array(
+ 'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+ 'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+); */
+
+/*
+ * This example shows an example config that works with Google Apps for education.
+ * What is important is that you have an attribute in your IdP that maps to the local part of the email address
+ * at Google Apps. In example, if your google account is foo.com, and you have a user that has an email john@foo.com, then you
+ * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+ */
+/* $metadata['google.com'] = array(
+ 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ 'simplesaml.nameidattribute' => 'uid',
+ 'simplesaml.attributes' => FALSE,
+); */
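Review bot: None of the six SP entries (MediaWiki, Moodle, the two WordPress sites, Nextcloud, RocketChat) pins a certificate or limits attribute release, so AuthnRequests and LogoutRequests from these entity IDs are accepted without any signature check and every SP receives whatever attributes the authsource yields. For an IdP fronting a wiki, a shop, a file store and a chat server that is wider than least privilege wants: add an `'attributes' => array(...)` list per SP naming only what it needs (the attribute names depend on the `live`/`redcard` authsources and are not visible here), and once each SP's metadata is in hand add its `certData` with `'validate.authnrequest' => true, 'validate.logout' => true,` so the requests are verified. The WordPress entries use bare `urn:dev.iww.org.uk` entity IDs and `wp-login.php` as both ACS and SLO endpoint, which looks like a WordPress SAML plugin's default rather than a deliberate choice — a comment naming the plugin would spare the next reader the guess. The first entry's opening lines (`$metadata[...] = array(` and `'AssertionConsumerService' =>` for the `auth.dev.iww.org.uk` SP) are not visible in this rendering of the hunk.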