FAME-PERMIS Project Output The FAME System User Guide
Contents
1. LoA value for the user, while the second stores the expiration time of the current LoA value, which is equal to the duration of an SSO session. The prefix "nist" in the attribute name denotes that the LoA definition used here is the one from the NIST E-Authentication Guideline. The Shibboleth IdP is subsequently configured to pick up the nist-loa attribute from the LDAP store and pass it over to the requesting SP. The nist-loaExpires attribute is currently not passed to the SP, but is included in the LDAP store for potential future use.

The famePerson object class and the nist-loa and nist-loaExpires attributes are defined in the LDAP schema file called fame.schema, which can be found in the FAME installation kit.

File: fame.schema (FAME LDAP schema)

The attribute types and object class in this schema comprise the specifications of the loa and loaExpires attributes and the specification of the famePerson object class. The famePerson object class is an extension of the general-purpose inetOrgPerson object class and additionally contains the two newly defined attributes, loa and loaExpires.

    # LoA attribute definition
    attributeType ( 1.2.826.0.1.3344810.1.1.104
        NAME 'nist-loa'
        DESC 'The Level of Authentication Assurance conforming to the NIST E-Authentication Guideline'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch

Footnote: NIST Special Publication 800-63, E-Authentication Guideline, available
2. This parameter specifies the relative URL of the FAME Login Server (F-LS) and corresponds to the second <Location> block specified in httpd.conf above. This directive tells the F-SSO where to redirect a user who has not been authenticated yet (detected by the absence of the sso cookie).
Default value: /fame-login-server

FameLogoutHandler: This parameter specifies the relative URL of the FAME Logout Handler. It enables users to log out and clear all FAME-set cookies, i.e. to reset the current SSO session.
Default value: /fame-logout

FameAuthTimeout: This parameter specifies the duration, measured in minutes, within which a user must complete authentication. It is the time elapsed from the moment an auth control cookie is created by the F-LS to the moment the auth reply token is received by the F-LS from the Authentication Server. If this timeout expires before the user completes authentication, the user is forced to log on again, i.e. to re-authenticate. Keep it short: it also bounds how long a captured auth reply token remains usable.
Default value: 1 (minute)

FameSSOTimeout: This parameter specifies the duration, measured in minutes, after which the sso cookie is considered expired. In other words, it is the duration of a user's SSO session after successful authentication. Once this timeout expires, the user is forced to re-authenticate.
Default value: 480 (minutes, i.e. 8 hours)

FameDB: This parameter specifies the URL string for the
3.     <Search filter="(uid=%PRINCIPAL%)">
            <Controls searchScope="SUBTREE" returningObjects="false"/>
        </Search>
        <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <Property name="java.naming.provider.url" value="ldap://rpc56.cs.man.ac.uk/dc=rpc56,dc=cs,dc=man,dc=ac,dc=uk"/>
    </JNDIDirectoryDataConnector>

This DataConnector element has the id "directory", connects to the LDAP directory at ldap://rpc56.cs.man.ac.uk with the directory root dc=rpc56,dc=cs,dc=man,dc=ac,dc=uk, and uses the search filter (uid=%PRINCIPAL%) to locate the entry of the user whose attributes are being resolved (%PRINCIPAL% is replaced by the authenticated principal name at run time). Modify the <Property> elements to correspond to your LDAP server's settings; the connector as shown binds anonymously, so if your directory does not allow anonymous searches you must also supply the java.naming.security.principal and java.naming.security.credentials properties.

Configure Shibboleth IdP's Attribute Release Policy

Shibboleth's ARP (Attribute Release Policy) determines which of the defined attributes finally get released to which requesting SPs. It acts as a filter on the attributes stored in the LDAP directory: an ARP can only release attributes that are already stored in the LDAP directory and defined in resolver.xml, and it is used to limit what information gets released to whom. In other words, an attribute must be both defined in resolver.xml and permitted by the site's ARP in order to be passed to a requesting SP via Shibboleth. The simplest configuration for the loa attribute is to define a site policy in
4. the arp.site.xml file. Policies stored in this file apply to the whole IdP site, i.e. to every user for whom this IdP retrieves and releases information. To configure a simple policy that releases the loa attribute to every requesting SP, arp.site.xml should look like the following:

File: /usr/local/shibboleth-idp/etc/arps/arp.site.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="urn:mace:shibboleth:arp:1.0"
        xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
        <Description>Simplest possible ARP</Description>
        <Rule>
            <Target>
                <AnyTarget/>
            </Target>
            <Attribute name="urn:oid:1.2.826.0.1.3344810.1.1.104">
                <AnyValue release="permit"/>
            </Attribute>
        </Rule>
    </AttributeReleasePolicy>

Note that <AnyTarget/> releases every user's LoA to every SP the IdP federates with. If only particular SPs should learn the LoA, name them in the <Target> element with <Requester> elements instead of <AnyTarget/>.
5. 0 FAME Prerequisites and Installation Kit

The configuration and installation instructions described in this document are given with reference to the Linux/Unix environment. Before you start to install and configure FAME, the following gives a detailed list of the required prerequisite components:

1. Apache Web Server version 2.0, available from http://apache.org
2. Perl interpreter (version 5.8.6 was used for the development of FAME), available from http://www.perl.com
3. mod_perl, an Apache module providing a persistent Perl interpreter embedded in the Web Server, for creating Apache/Perl modules; available from http://perl.apache.org
4. The following Apache/Perl modules are required for the correct functioning of FAME: Apache2::Request, Apache2::RequestRec, Apache2::RequestIO, Apache2::RequestUtil, Apache2::ServerRec, Apache2::ServerUtil, Apache2::Connection, Apache2::Log, Apache2::Const, Apache2::Cookie, APR::Table, APR::Const, ModPerl::Registry, ModPerl::Util, Crypt::CBC, Crypt::Rijndael, Crypt::Random, Digest::MD5, MIME::Base64, IO::File, DBI, Net::LDAP. All these modules are available from http://www.cpan.org
5. MySQL database version 4.1 or above, or a similar relational database system.

We used Shibboleth IdP version 1.3 when developing the FAME system; it is available from http://shibboleth.internet2.edu

The FAME installation kit comprises the following items:

1. The source code, Fame.pm,
6. configure the FAME module, the following three blocks should be created and configured, through the use of various FAME directives, in Apache's configuration file httpd.conf.

The first block specifies the F-SSO (FAME's Single Sign-On checker) as the access control handler for the location (i.e. URL) of the Shibboleth HS (Handle Service). By doing so, F-SSO is set up to protect the URL of the Shibboleth HS, and AuthType (the authentication type for this location) is set to Fame. The following gives an exemplar setting of this block. It specifies that the MyApache2::Fame module's sso_checker routine is responsible for user authentication before users are allowed to access the Shibboleth HS URL tied to the location /shibboleth-idp/SSO. The routine intercepts all requests for the Shibboleth HS and redirects any request that does not already carry an SSO cookie to the F-LS (FAME Login Server).

File: /etc/apache2/httpd.conf

    # Location of the Shibboleth HS
    <Location /shibboleth-idp/SSO>
        AuthType Fame
        AuthName "Fame Authentication Service"
        PerlAuthenHandler MyApache2::Fame::sso_checker
        require valid-user
    </Location>

The `require valid-user` line is what makes Apache invoke the authentication handler at all; without it the HS would be reachable without an SSO cookie.

The second block specifies the location and settings for the F-LS (FAME Login Server). The F-LS directs a user's request to his or her chosen authentication server and, upon successful authentication, generates an SSO cookie for the request session. The content
7. <Location> in your httpd.conf that is tied to our AS.pm script and protected by Kerberos. Such a section in your httpd.conf may look something like the following:

File: /etc/apache2/httpd.conf

    # Location protected by Kerberos
    <Location /kerb-auth>
        SSLOptions +StrictRequire
        SSLRequireSSL
        PerlResponseHandler MyApache2::AS
        AuthType KerberosV5
        AuthName "Kerberos Login"
        KrbAuthRealms CS.MAN.AC.UK
        Krb5Keytab /etc/apache2/apache2.kerb.keytab
        KrbMethodK5Passwd on
        KrbServiceName HTTP
        KrbVerifyKDC on
        require valid-user
    </Location>

The above defines a <Location> within your Apache Web server that is served by the script AS.pm. As indicated by https://<your_server>/kerb-auth, the location is only accessible from a Web browser after successful authentication against the Kerberos AS over an SSL-protected connection. The <Location> /kerb-auth plays the actual role of your AS. The AS.pm script serving this <Location> receives requests from the F-LS (but only once the user has been authenticated by the defined AS), performs the necessary tasks and redirects the user back to the F-LS. AS.pm trusts the user name that mod_auth_kerb has placed in REMOTE_USER, so keep `require valid-user` in place and make the keytab readable by the Apache user only. The AS.pm script can be reused for any other authentication system, not just Kerberos. The only thing that needs to be configured inside the script is the path to the file containing the Base64-encoded secret key shared between the F-LS and the AS (look for the variable KEY_FH in the source code of the AS.pm script).
8. their identities used with the Shibboleth LDAP directory. The Shibboleth LDAP directory stores the users' current LoA values, which are later picked up by the Shibboleth IdP. Each row has three columns: (1) the user's LDAP id, (2) the name of the LDAP attribute that this id refers to, such as uid or cn, and (3) the user's alternative id with an Authentication Server set up by the IdP. This table is configured via the parameter FameUsersTable and can be created as follows:

    # Create FAME Users table
    CREATE TABLE fameusers (
        ldap_id        varchar(255) NOT NULL default '',
        ldap_attribute varchar(100) NOT NULL default '',
        alternative_id varchar(255) NOT NULL default ''
    );

The fame.sql script found in the installation kit can be used to create the FAME database (called fls) and the default database user (flsuser, password flspassword) automatically. If you want to use a different username/password for the database user, or different names for the database, tables or columns than those used in the script, modify the script to reflect this and make sure that you pass the correct values to the FAME module via the corresponding configuration parameters. Change the default password in any case, since it is printed in this guide. To execute the fame.sql script, go to the directory where it is located and type in the following command:

    $ mysql -u root -p < fame.sql
    Enter password:

To verify that the FAME database
9. JISC (The Joint Information Systems Committee)
FAME-PERMIS Project Output
Workpackage 7, Deliverable D10
The FAME System User Guide
Aleksandra Nenadic, Ning Zhang
School of Computer Science, University of Manchester, Manchester M13 9PL
March 2007

The FAME System User Guide: Configuration and Installation

Table of Contents

0 FAME Prerequisites and Installation Kit
1 Configuring FAME and Apache
    Locating the Module
    Loading the Module
    Configuration Directives
2 FAME Database Configuration
    Secrets Table
    FAME Users Table
    Authentication Servers Table
3 Authentication Server's Configuration
4 FAME and Shibboleth Integration
    Extending the Shibboleth LDAP Directory Schema
    Configuring Attribute Definitions and JNDI Data Connectors
    Configure Shibboleth IdP's Attribute Release Policy
10. Perl DBI (DataBase Interface) to use when connecting to the FAME database. FAME has been developed using the MySQL database, but a number of other database systems can be used with Perl DBI (see http://dbi.perl.org for details) and configured to work with FAME.
Format: <perl_database_interface>:<database_type>:database=<database_name>;host=<host_name>;port=<port_number>
Default value: dbi:mysql:database=fls;host=localhost;port=3306
If the host is localhost and the port is 3306, they can be omitted from the FameDB string.

FameDBUser: This parameter specifies the username of the user who is allowed to connect FAME to the FAME database above. The specified user must have read privileges on the FAME database, and needs nothing more.
Default value: flsuser

FameDBPassword: This parameter specifies the password FameDBUser uses when connecting to the FAME database.
Default value: flspassword

FameSecretsTable: This parameter specifies the name of the table containing the secret keys used by F-LS and F-SSO, as well as the names of the two columns of this table: one holds the secret key itself and the other the secret key version. Typically a timestamp is used as the secret key version number when the key is inserted into the database.
Format: <table_name>:<secret_key_column_name>:
11. The FAME configuration parameters, each set with a PerlSetVar directive (the ':' used to separate table and column names in the table parameters is assumed here; it is illegible in the available copy):

    PerlSetVar FameLoginServer     /fame-login-server
    PerlSetVar FameLogoutHandler   /fame-logout
    PerlSetVar FameDB              dbi:mysql:database=fls;host=localhost;port=3306
    PerlSetVar FameAuthTimeout     1
    PerlSetVar FameSSOTimeout      480
    PerlSetVar FameDBUser          flsuser
    PerlSetVar FameDBPassword      flspassword
    PerlSetVar FameSecretsTable    secrets:secret_key:date_time
    PerlSetVar FameASTable         authservers:url:auth_type:saml_auth_id:loa:secret_key
    PerlSetVar FameUsersTable      fameusers:ldap_id:ldap_attribute:alternative_id
    PerlSetVar FameShibLDAPServer  localhost
    PerlSetVar FameShibLDAPPort    389
    PerlSetVar FameShibLDAPDN      cn=Manager,dc=example,dc=com
    PerlSetVar FameShibLDAPPassword your_secret
    PerlSetVar FameShibLDAPBaseDN  ou=shib-users,dc=example,dc=com

Two of these values are credentials (FameDBPassword and FameShibLDAPPassword), so httpd.conf must not be world-readable, and the LDAP identity in FameShibLDAPDN should be an account limited to updating the nist-loa and nist-loaExpires attributes of user entries rather than the directory manager.

Whichever of the two configuration methods you use (the configure procedure in startup.pl, or PerlSetVar directives in httpd.conf), note that the following precedence rules apply:

- If a directive is specified in both httpd.conf and the start-up script startup.pl, the value from httpd.conf is used and overrides any other value.
- If a directive is specified in neither httpd.conf nor startup.pl, the default value is used, provided that the parameter has one. Otherwise the module reports an error.

The following gives a detailed explanation of the FAME module's valid configuration parameters.

FameLoginServer:
12.         FameShibLDAPServer   => 'localhost',
            FameShibLDAPPort     => 389,
            FameShibLDAPDN       => 'cn=Manager,dc=rpc56,dc=cs,dc=man,dc=ac,dc=uk',
            FameShibLDAPPassword => '<ldap_manager_password>',
            FameShibLDAPBaseDN   => 'ou=shib-users,dc=rpc56,dc=cs,dc=man,dc=ac,dc=uk',
        )
    );

Finally, copy the fame directory from the installation kit (containing the folders images and css) to your Apache Web Server's document root (on our system it is /var/www/localhost/htdocs). It is important to copy these directories into your Web Server's document root, as they have to be visible from the Web: they are used by the FAME module when generating its HTML pages.

Loading the module

In order to configure the FAME module (Fame.pm) to work with the Apache Web Server, the module must first be loaded, before any of the directives explained below are used. If you have not loaded the module in startup.pl as previously explained, do so in Apache's configuration file httpd.conf with the mod_perl directive that is equivalent to `use MyApache2::Fame;` in startup.pl:

    # Load FAME module before configuring it
    PerlModule MyApache2::Fame

Configuration directives

In order to
13. at http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

    # LoA expiration date attribute definition
    attributeType ( 1.2.826.0.1.3344810.1.1.106
        NAME 'nist-loaExpires'
        DESC 'Expiration date for the current LoA attribute'
        EQUALITY caseExactMatch
        ORDERING caseExactOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

    # famePerson object class definition
    objectClass ( 1.2.826.0.1.3344810.1.0.24
        NAME 'famePerson'
        DESC 'Person that uses FAME for authentication'
        SUP inetOrgPerson
        MAY ( nist-loa $ nist-loaExpires ) )

To add these new attribute and object class definitions to the IdP's LDAP directory, fame.schema has to be copied into the schema directory of the LDAP installation (on our system it is /etc/openldap/schema, where the other LDAP schemas are stored as well). Then the copied schema has to be included in the LDAP configuration by inserting the fourth line shown below into the IdP LDAP server's configuration file (typically /etc/openldap/slapd.conf):

File: /etc/openldap/slapd.conf

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/fame.schema

The schema is read when slapd starts, so restart the server afterwards. Note also that nist-loa and nist-loaExpires can only be written to an entry that carries the famePerson object class; adding the value objectClass: famePerson to each user's entry is therefore part of enrolling that user, otherwise the directory rejects the update with an object class violation.

Configure Attribute Definitions and JNDI Data Connectors

The Shibboleth IdP acquires all the attributes it sends to an SP by using a specialised
14. Authentication Servers table

The Authentication Servers table stores information about the configured (supported) Authentication Server(s). Each row of the table has six columns: (1) the URL at which the AS is running, (2) the authentication type (exemplar settings are Username/password, Kerberos, Browser certificate, Smart card certificate), which is shown on the main FAME page as an option for the user to choose, (3) the authentication method identifier, reserved for use by future versions of the SAML protocol, (4) the LoA provided by the AS, (5) the secret key shared between the AS and the F-LS, which is used for encryption and decryption of the auth request and auth reply tokens, and (6) an optional timestamp. The last (timestamp) column is optional, as it is not used by the FAME module. This table is configured via the parameter FameASTable and can be created as follows:

    # Create Authentication Servers table
    CREATE TABLE authservers (
        url          varchar(100) NOT NULL default '',
        auth_type    varchar(100) NOT NULL default '',
        saml_auth_id varchar(100) default NULL,
        loa          smallint(6)  NOT NULL default '1',
        secret_key   text         NOT NULL,
        date_time    datetime     NOT NULL default '0000-00-00 00:00:00',
        PRIMARY KEY (url)
    );

The secret_key column holds the symmetric keys shared with every AS in the clear; anyone who can read this table can forge auth reply tokens for any user, so the database user configured for FAME must be read-only and no other account should be able to reach the fls database.

FAME Users table

The FAME Users table stores the mappings between the various identities that FAME users hold with different Authentication Servers and
15. several other types of identities, as used by the Authentication Servers that the user has registered with, and the IdP may not use the LDAP directory to store the user's credentials. In this case we need to map these different identities of the same user to the user's identity stored in the Shibboleth LDAP directory. FameUsersTable contains these mappings. The table consists of three columns: the user's LDAP id (part of the user's LDAP DN), the name of the LDAP attribute for the user's id (e.g. uid or cn), and the user's alternative id, which can be the Kerberos principal name (kerbuser@CS.MAN.AC.UK), the subject of the public key certificate (C=GB, ST=Lancashire, L=Manchester, O=University of Manchester, OU=School of Computer Science, CN=Alex Nenadic, emailAddress=anenadic@cs.man.ac.uk), or any other alternative username of the user, depending on the Authentication Services used. The alternative id must match what the AS returns byte for byte; for certificates that means the subject DN exactly as the AS serialises it.
Format: <table_name>:<ldap_id_column_name>:<ldap_attribute_column_name>:<alternative_id_column_name>
Default value: fameusers:ldap_id:ldap_attribute:alternative_id

Note that even if the IdP uses LDAP for user authentication, all the LDAP users must be entered into FameUsersTable. In this case the <ldap_id> and <alternative_id> fields contain the same values. As mentioned before, a single user may have multiple entries in this table, each containing the identity that the user has registered with a particular Authentication Server.
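The step that the Authentication Servers table, the FAME Users table and the FameUsersTable description above imply but do not spell out is what the F-LS does with an AS reply: find the AS row (for its LoA), find the fameusers row (for the LDAP entry) and write nist-loa and nist-loaExpires. The following is an added example of that step in Go; it is not the FAME module's code. The guide does not state how the module builds the user's DN or formats nist-loaExpires, so the DN form <ldap_attribute>=<ldap_id>,<FameShibLDAPBaseDN> and a GeneralizedTime-style expiry are assumptions, and all rows are constructed sample data. Because the fameusers table has no column tying an alternative id to a particular AS, the same alternative id can only safely belong to one LDAP entry; the example refuses a login when that is not the case.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// One row of the authservers table and one row of the fameusers table.
type AuthServer struct {
	URL, AuthType string
	LoA           int
}

type FameUser struct {
	LdapID, LdapAttribute, AlternativeID string
}

// LoAUpdate is what the F-LS writes into the user's entry in the Shibboleth LDAP directory.
type LoAUpdate struct {
	DN         string // <ldap_attribute>=<ldap_id>,<FameShibLDAPBaseDN> (assumed DN form)
	LoA        int    // value for nist-loa
	LoAExpires string // value for nist-loaExpires (assumed GeneralizedTime layout)
}

const ssoTimeout = 480 * time.Minute // FameSSOTimeout default: the LoA expires with the session

// ResolveLogin turns the (AS url, username) pair that a successful authentication
// produced into the LDAP update FAME has to make, refusing anything not enrolled.
func ResolveLogin(servers []AuthServer, users []FameUser, baseDN, asURL, altID string, now time.Time) (LoAUpdate, error) {
	var as *AuthServer
	for i := range servers {
		if servers[i].URL == asURL {
			as = &servers[i]
		}
	}
	if as == nil {
		return LoAUpdate{}, errors.New("reply from an AS that is not in the authservers table")
	}
	var match *FameUser
	for i := range users {
		if users[i].AlternativeID != altID { // exact, case-sensitive comparison
			continue
		}
		if match != nil && (match.LdapID != users[i].LdapID || match.LdapAttribute != users[i].LdapAttribute) {
			return LoAUpdate{}, fmt.Errorf("alternative id %q maps to more than one LDAP entry", altID)
		}
		match = &users[i]
	}
	if match == nil {
		return LoAUpdate{}, fmt.Errorf("no fameusers row for %q: not enrolled, nothing is written", altID)
	}
	return LoAUpdate{
		DN:         match.LdapAttribute + "=" + escapeRDN(match.LdapID) + "," + baseDN,
		LoA:        as.LoA,
		LoAExpires: now.Add(ssoTimeout).UTC().Format("20060102150405Z"),
	}, nil
}

// escapeRDN escapes the characters that RFC 4514 requires escaping anywhere in an RDN value.
func escapeRDN(v string) string {
	return strings.NewReplacer(`\`, `\\`, `,`, `\,`, `+`, `\+`, `"`, `\"`, `<`, `\<`, `>`, `\>`, `;`, `\;`).Replace(v)
}
```

The lookups are deliberately strict: an unknown AS URL, an alternative id with no row, or an alternative id that two different LDAP entries claim all end the login rather than provisioning or guessing, and a cn-based id such as "Smith, John" is escaped before it is placed in the DN.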
16. successful authentication. In cases where the authentication fails, the AS should return an error message to the user and ask for re-authentication.

An AS receives an authentication request from the F-LS in the form of:

    https://<address_of_the_AS>?AuthRequestToken=<encrypted_auth_request_token>

This means that the encrypted auth request token is passed to the AS as a URL parameter. The auth request token contains two parameters and is encrypted by the F-LS with a secret key FLS_AS_KEY, shared between the F-LS and the AS, before it is passed to the AS. The AS needs to decrypt the token and extract the two parameters contained in it: a random challenge (RC) and the return address of the F-LS, i.e. the URL to which the user is redirected upon successful authentication. The two parameters are separated by a comma. The format of the auth request token is given below:

    <auth_request_token>           = <random_challenge>,<address_of_the_FLS>
    <encrypted_auth_request_token> = E(FLS_AS_KEY, <auth_request_token>)

Upon successful authentication the AS is required to redirect the user back to the F-LS and pass the auth reply token via the URL, which looks like the following:

    https://<address_of_the_FLS>?AuthReplyToken=<encrypted_auth_reply_token>

Since both tokens travel as URL parameters they end up in browser history, Referer headers and Web server access logs; the F-LS should therefore accept a reply token only once and only within FameAuthTimeout.

The auth reply token is encrypted by the AS with the same shared symmetric key FLS_AS_KEY. The auth reply token contains the AS's response
17. 4 FAME and Shibboleth Integration

After installing and configuring the FAME module by following the instructions given in Sections 1 to 3 above, the integration of the FAME module with the Shibboleth IdP proceeds according to the following steps:

1. Extend the Shibboleth LDAP directory's schema to include definitions of the two FAME-defined attributes: the loa attribute and its expiration time.
2. Insert the <SimpleAttributeDefinition> element in Shibboleth's resolver.xml to define the loa attribute, and the corresponding <JNDIDirectoryDataConnector> element to tell Shibboleth how, and from which source, to pull the loa attribute.
3. Modify the Shibboleth IdP's ARP (Attribute Release Policy), located in the file arp.site.xml, to specify which requesting SPs the loa attribute should be released to.

Extend the Shibboleth LDAP Directory Schema

The inetOrgPerson LDAP object class is widely used in LDAP directories to represent people within an organisation, and has been endorsed by Shibboleth for storing users' attributes in its LDAP store. The FAME system extends this object class by defining a new LDAP object class called famePerson, which inherits all attributes from the inetOrgPerson class and additionally defines two new attributes, nist-loa and nist-loaExpires. The first attribute stores the current
18. attribute resolver, defined in the file resolver.xml. In order for an attribute to be sent to the SP it has to be converted to a SAML-based XML format and included in the resolver.xml file in the form of a <SimpleAttributeDefinition> element. Then a <JNDIDirectoryDataConnector> element has to be defined, which is referred to by the <SimpleAttributeDefinition> element just created for the loa attribute, to tell Shibboleth how to pull the loa attribute from a data store (in our case the Shibboleth LDAP directory).

To define the <SimpleAttributeDefinition> element for the loa attribute, insert the following in resolver.xml:

File: /usr/local/shibboleth-idp/etc/resolver.xml

    <SimpleAttributeDefinition id="urn:oid:1.2.826.0.1.3344810.1.1.104" sourceName="nist-loa">
        <DataConnectorDependency requires="directory"/>
    </SimpleAttributeDefinition>

The above defines the attribute whose unique URN-like name is urn:oid:1.2.826.0.1.3344810.1.1.104, derived from the nist-loa attribute's OID. A DataConnector with the id "directory" is used to obtain the attribute value. To define such a DataConnector, insert the following in resolver.xml:

File: /usr/local/shibboleth-idp/etc/resolver.xml

    <JNDIDirectoryDataConnector id="directory">
19. <secret_key_version_column_name>
Default value: secrets:secret_key:date_time

FameASTable: This parameter specifies the name of the table containing information about Authentication Servers, and the names of its five columns: (1) the URL of the Authentication Server, (2) the type of the Authentication Server, i.e. the AuthType the Authentication Server provides, (3) the unique URN for the authentication method as defined by SAML 1.1 (reserved for future extension: an SP may want to know the exact authentication method used in addition to the LoA), (4) the LoA of the Authentication Server, and (5) the secret key shared between the AS and the F-LS, in Base64 format.
Format: <table_name>:<url_column_name>:<auth_type_column_name>:<saml_auth_id_column_name>:<loa_column_name>:<secret_key_column_name>
Default value: authservers:url:auth_type:saml_auth_id:loa:secret_key

FameUsersTable: This parameter specifies the name of the table that contains the mappings between the user identities used by FAME and their corresponding DNs stored in the Shibboleth LDAP directory. Each FAME user has a unique entry in the Shibboleth LDAP directory, identified by his or her LDAP DN, where the user's current LoA value is stored and picked up by Shibboleth. However, in addition, each FAME user may have several
20. response to the random challenge received in the auth request token (i.e. RC+1) and the username of the authenticated user, which is later passed to Shibboleth (refer to Section 4.1 for what is considered the username in this context), delimited by a colon. The auth reply token has the following format:

    <auth_reply_token>           = <random_challenge_response>:<user_name>
    <encrypted_auth_reply_token> = E(FLS_AS_KEY, <auth_reply_token>)

2. If the AS is a standard Apache module designed for protecting Web resources (e.g. the Kerberos system using the Apache module mod_auth_kerb, or an LDAP-based authentication system using mod_auth_ldap), then the integration between the FAME F-LS and the AS is straightforward. You only need to install the script AS.pm, provided in the FAME installation kit, to make FAME interoperate with the AS; no alterations to the AS are required. In this case the AS.pm script is used to get your AS to interoperate with the F-LS component of FAME. As the AS.pm script lives in the same namespace as the Fame.pm module (i.e. the MyApache2 namespace), copy AS.pm to the directory where Fame.pm is located (in this installation guide it is /etc/apache2/perl/MyApache2). Let us suppose you are running a Kerberos Authentication Server using the Apache module mod_auth_kerb. You should create a
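The exchange described for case 1 (the auth request token from the F-LS, the auth reply token from the AS), as an added example in Go; this is not part of the guide and not the FAME module's or AS.pm's code. Both sides are shown: the F-LS builds the request token and checks the reply, the AS decrypts the request and answers with RC+1 and the username. The guide names Crypt::CBC, Crypt::Rijndael and MIME::Base64 as prerequisites but does not give the padding, IV handling or URL encoding, so AES-256-CBC with PKCS#7 padding, a random IV prepended to the ciphertext and URL-safe Base64 are assumptions here; the key used in the test is a constructed 32-byte value, not a real shared secret.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
)

// Framing assumed here (the guide names Crypt::CBC, Crypt::Rijndael and MIME::Base64 but not
// padding, IV handling or URL encoding): AES-256-CBC, PKCS#7 padding, random IV prepended to
// the ciphertext, URL-safe Base64 so the token survives as a URL parameter.
func encrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return base64.RawURLEncoding.EncodeToString(out), nil
}

func decrypt(key []byte, token string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	block, kerr := aes.NewCipher(key)
	if err != nil || kerr != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("bad key, encoding or token length")
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or altered token")
	}
	return pt[:len(pt)-pad], nil
}

// F-LS side. <auth_request_token> = <random_challenge>,<address_of_the_FLS>
func BuildAuthRequest(key []byte, rc uint64, flsAddr string) (string, error) {
	return encrypt(key, []byte(strconv.FormatUint(rc, 10)+","+flsAddr))
}

// AS side: recover the challenge and the F-LS address to send the user back to.
func ParseAuthRequest(key []byte, token string) (uint64, string, error) {
	pt, err := decrypt(key, token)
	parts := strings.SplitN(string(pt), ",", 2)
	if err != nil || len(parts) != 2 {
		return 0, "", errors.New("undecryptable or malformed auth request token")
	}
	rc, err := strconv.ParseUint(parts[0], 10, 64)
	return rc, parts[1], err
}

// AS side. <auth_reply_token> = <random_challenge_response>:<user_name>, response = RC+1.
func BuildAuthReply(key []byte, rc uint64, username string) (string, error) {
	return encrypt(key, []byte(strconv.FormatUint(rc+1, 10)+":"+username))
}

// F-LS side: the username is accepted only if the reply answers the challenge issued
// for this pending login; a replayed or forged reply fails here.
func ParseAuthReply(key []byte, token string, issuedRC uint64) (string, error) {
	pt, err := decrypt(key, token)
	parts := strings.SplitN(string(pt), ":", 2)
	if err != nil || len(parts) != 2 {
		return "", errors.New("undecryptable or malformed auth reply token")
	}
	if resp, err := strconv.ParseUint(parts[0], 10, 64); err != nil || resp != issuedRC+1 {
		return "", errors.New("challenge response does not match the issued challenge")
	}
	return parts[1], nil
}

// RoundTrip plays both sides in-process with a challenge rc the F-LS drew from
// crypto/rand, and returns the username the F-LS would hand to Shibboleth.
func RoundTrip(key []byte, rc uint64, flsAddr, username string) (string, error) {
	req, err := BuildAuthRequest(key, rc, flsAddr) // F-LS -> AS, as ?AuthRequestToken=
	if err != nil {
		return "", err
	}
	gotRC, gotAddr, err := ParseAuthRequest(key, req) // AS
	if err != nil || gotAddr != flsAddr {
		return "", errors.New("AS could not decode the request or would redirect elsewhere")
	}
	reply, err := BuildAuthReply(key, gotRC, username) // AS -> F-LS, as ?AuthReplyToken=
	if err != nil {
		return "", err
	}
	return ParseAuthReply(key, reply, rc) // F-LS
}
```

CBC on its own gives no integrity, so the only thing that detects a forged or altered reply is the RC+1 check against the challenge the F-LS issued; the F-LS therefore has to keep the outstanding challenge bound to the pending login (the auth control cookie) and discard it after one use, otherwise a captured reply can be replayed for as long as FameAuthTimeout allows. Authenticating the ciphertext (a MAC over it, or an AEAD mode) would reject tampering before anything is parsed.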
21. of this block should look similar to the following:

File: /etc/apache2/httpd.conf

    <Location /fame-login-server>
        SetHandler perl-script
        PerlResponseHandler MyApache2::Fame::login_server
    </Location>

The third block defines the optional FAME logout handler. If for any reason the user wishes to terminate his or her current SSO session without closing the Web browser, the user may do so by clicking the logout button on the main FAME page. This redirects the user to the FAME logout handler configured below:

File: /etc/apache2/httpd.conf

    <Location /fame-logout>
        SetHandler perl-script
        PerlResponseHandler MyApache2::Fame::logout
    </Location>

Fame.pm can be configured via a number of configuration parameters, as shown in the first two blocks above. These configurations can be done either in the Apache/Perl start-up script startup.pl, as explained previously, using the module's configure procedure, or in Apache's configuration file httpd.conf by defining each FAME parameter individually using mod_perl's PerlSetVar directive. FAME's configuration parameters can be defined anywhere in the main body of httpd.conf, but outside the above three blocks. The following lists all of FAME's configuration parameters:
22. can be found in the Installation Kit. The module is created under the MyApache2 namespace, thus the full name of the FAME module is MyApache2::Fame.pm.

Locating the module

First you should create a directory where the FAME module will reside. For example, you may create a directory called perl within your Web Server root directory (which on our system is /etc/apache2), where you will keep all your Perl modules, i.e. create the directory /etc/apache2/perl. As the module is created under the MyApache2 namespace, create the MyApache2 subdirectory within the perl directory. The MyApache2 subdirectory is where the Fame.pm module should be located.

Next you need to tell Apache where to look for Fame.pm. Apache's mod_perl can be configured to invoke a start-up file, typically called startup.pl, containing a set of Perl commands executed each time the server is launched or restarted. This is where we place the `use lib` statement that instructs Apache where to find Fame.pm. You may also include configuration directives for the FAME module in startup.pl after the `use lib` command. Alternatively, these configuration directives can be configured via httpd.conf.

If you choose to configure the module in startup.pl, the following snapshot gives an example of how this can be done; the commands related to the FAME module are placed at the bottom of the snapshot. Place startup.pl in the directory containing all other
23. of the Apache/Perl FAME module.
2. The fame folder, containing two sub-folders, images and css, which contain respectively the images and a style sheet used by the FAME module for rendering HTML pages.
3. The database set-up script fame.sql, which can be used to create the FAME database.
4. An exemplar Apache/Perl script, AS.pm, for setting up an Authentication Server in conjunction with the Apache Web Server.
5. An LDAP schema file, fame.schema, for integrating the FAME-introduced attributes with the Shibboleth LDAP store.
6. A report describing the design of the FAME system; it is advisable to read this design document before starting to configure FAME.
7. The FAME User Guide, i.e. this document.

In order to configure a Shibboleth IdP to use FAME, the following tasks should be performed:

1. Configure the Apache2 Server to use the FAME module Fame.pm.
2. Create the FAME database.
3. Set up the Authentication Server(s) and configure FAME to use them.
4. Integrate FAME and Shibboleth.

The following four sections address each of the above tasks respectively.

1 Configuring FAME and Apache

The FAME module has been developed for and tested with Apache2, under the assumption that an Apache2 Server with support for Perl via mod_perl has previously been installed. The FAME system is implemented as an Apache/Perl module called Fame.pm; the source code
24. configuration files for the Apache modules (i.e. files ending with .conf). The meanings of the FAME configuration directives used in this example are explained shortly. Note the two timeouts: FameAuthTimeout is the one-minute window for completing a login, FameSSOTimeout the eight-hour SSO session.

File: /etc/apache2/modules.d/startup.pl

    use lib qw(/home/httpd/perl);
    use ModPerl::Util ();          # for CORE::GLOBAL::exit
    use Apache2::RequestRec ();
    use Apache2::RequestIO ();
    use Apache2::RequestUtil ();
    use Apache2::ServerRec ();
    use Apache2::ServerUtil ();
    use Apache2::Connection ();
    use Apache2::Log ();
    use APR::Table ();
    use ModPerl::Registry ();
    use Apache2::Const -compile => ':common';
    use APR::Const -compile => ':common';

    # FAME-related commands
    # Location of the FAME module
    use lib '/etc/apache2/perl';
    # Load FAME module before configuring it
    use MyApache2::Fame;
    # Configure FAME module
    Apache2::ServerUtil->server->push_handlers(
        PerlChildInitHandler => MyApache2::Fame::configure(
            FameLoginServer   => '/fame-login-server',
            FameLogoutHandler => '/fame-logout',
            FameAuthTimeout   => 1,      # minutes allowed to complete a login
            FameSSOTimeout    => 480,    # minutes an SSO session lasts
            FameDB            => 'dbi:mysql:database=fls;host=localhost;port=3306',
            FameDBUser        => 'flsuser',
            FameDBPassword    => 'flspassword',
            FameSecretsTable  => 'secrets:secret_key:date_time',
            FameASTable       => 'authservers:url:auth_type:saml_auth_id:loa:secret_key',
            FameUsersTable    => 'fameusers:ldap_id:ldap_attribute:alternative_id',
25. ...se has been created properly, connect to the mysql database:

    $ mysql -u root -p
    Enter password:

Type in the administrator's password and you should receive the mysql prompt:

    mysql>

Type in the following command to see the list of databases:

    mysql> show databases;

You should be seeing something like the following:

    mysql> show databases;
    [list of databases, which should include fls]
    rows in set (0.00 sec)

    mysql> use fls;
    Database changed

    mysql> show tables;
    authservers
    fameusers
    secrets
    3 rows in set (0.00 sec)

3 Authentication Server(s) Configuration

FAME is designed to interoperate and integrate with existing authentication systems with minimum modifications. We here distinguish two cases of integration, based on how an Authentication Server (AS) is implemented.

1. If the AS is a custom-built system, then some modifications are required on the AS's side so that the AS will receive requests sent by the F-LS component of the FAME system and return the requested information back to the F-LS upon user authentication. In this case it is necessary to understand how information may be passed between the F-LS and the AS in order to make any necessary modifications to the AS. In other words, you need to work out how requests sent from the F-LS are received by your AS, and how the responses sent by the AS are received by the F-LS upon a user's succ...
26. ...tabase consists of three tables: the Secrets table, the Authentication Servers table and the FAME Users table. A database user with read-only access to this database is required for use by the Fame module. An exemplar database called fls and a database user flsuser with password flspassword can be created as follows:

    -- Create FAME database
    CREATE DATABASE fls;
    GRANT SELECT ON fls.* TO flsuser IDENTIFIED BY 'flspassword';

The names used for the database, for the Secrets, Authentication Servers and FAME Users tables, and for the database user and password can be respectively set up for the FAME module using the configuration parameters FameDB, FameSecretsTable, FameASTable, FameUsersTable, FameDBUser and FameDBPassword.

Secrets table

The Secrets table stores the secret keys used by F-LS and F-SSO for the creation of cookies, namely the sso and the request-url cookies passed between the two FAME components. Each key has a version number associated with it. The version number is simply the timestamp when the key was inserted into the database. We use this key version attribute to impose periodical updates of the secret key without invalidating currently valid cookies generated with the key. This table is configured via the parameter FameSecretsTable as follows:

    -- Create secrets table
    CREATE TABLE secrets (
        Secret_Key text NOT NULL,
        date_time datetime NOT NULL default '0000-00-00 00:00:00'
    );
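The key-versioning idea behind the Secrets table, as an added worked example that is not code from the FAME module: a cookie names the version (insertion timestamp) of the key that signed it, so a newly inserted key takes over signing while cookies made under the previous key stay verifiable until they expire, and a key is only purged once nothing it signed can still be valid. The HMAC-SHA256 construction, the in-memory key store standing in for the secrets table and the cookie layout are assumptions; the 480-minute window is the documented FameSSOTimeout default.

```python
import hmac
import hashlib

SSO_TIMEOUT = 480 * 60  # FameSSOTimeout default (480 minutes) in seconds


class SecretStore:
    """Stand-in for the FAME secrets table (assumption): one row per key, versioned by insertion time."""

    def __init__(self):
        self.keys = {}  # version (insertion timestamp, seconds) -> key bytes

    def add_key(self, key, now):
        self.keys[now] = key  # the insertion timestamp is the version
        return now

    def current(self, now):
        """Newest key whose version is not in the future."""
        version = max(v for v in self.keys if v <= now)
        return version, self.keys[version]

    def purge(self, now):
        """Drop a key once a newer key exists that is itself at least SSO_TIMEOUT old."""
        retired = [v for v in self.keys
                   if any(v2 > v and now - v2 >= SSO_TIMEOUT for v2 in self.keys)]
        for v in retired:
            del self.keys[v]
        return len(retired)


def make_cookie(store, user, now):
    """The payload carries the key version so the verifier can find the signing key."""
    version, key = store.current(now)
    payload = f"{user}|{now}|{version}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(store, cookie, now):
    """Return the user name if the cookie is authentic and inside the SSO window, else None."""
    try:
        user, issued, version, mac = cookie.rsplit("|", 3)
        issued, version = int(issued), int(version)
    except ValueError:
        return None
    key = store.keys.get(version)
    if key is None or issued < version or now - issued >= SSO_TIMEOUT:
        return None  # retired/unknown key, cookie predates its key, or session expired
    expected = hmac.new(key, f"{user}|{issued}|{version}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected, mac) else None
```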
27. FAME User Guide: Configuration and Installation

This user guide explains how to install and configure the FAME module in an Apache2 Perl Web Server run by a Shibboleth IdP (Identity Provider). The FAME module integrates multiple authentication services provided by the IdP. It authenticates users, derives a LoA (Level of Assurance) based upon the authentication service and token used in an authentication instance, and passes the derived LoA values to SPs (Service Providers) via the Shibboleth protocol, so as to achieve LoA-linked fine-grained access control in the Shibboleth infrastructure. The FAME module (Fame.pm) is configured via directives placed in the Apache configuration file httpd.conf, so this document should be read in conjunction with the standard Apache Web Server documentation available at http://httpd.apache.org/docs/2.0/. The FAME module also makes use of an external relational database to store secret cryptographic keys and information about users and Authentication Servers run at the IdP; more details are given in Section 2 below. It is assumed that you already have a working installation of a Shibboleth IdP. That is, you have already installed an Apache Web Server, a Tomcat servlet container, mod_jk (the Tomcat-Apache plug-in that handles the communication between the Tomcat container and the Apache Web Server), the Shibboleth IdP, and an LDAP Directory that stores Shibboleth...
28. ...uthentication Server. However, all these entries must be linked to the user's identity used in the Shibboleth LDAP directory.

FameShibLDAPServer: This parameter specifies the name or IP address of the LDAP Server Shibboleth uses for storing user attributes. Default value: localhost.

FameShibLDAPPort: This parameter specifies the port number the Shibboleth LDAP Server is running on. Default value: 389.

FameShibLDAPDN: This mandatory parameter specifies the distinguished name of the user who manages the LoA attributes stored in the Shibboleth LDAP directory. The user must have write privileges for the loa attributes stored in the directory. Example: cn=Manager,dc=example,dc=com. Default value: none. The Fame module will attempt an anonymous binding if this item is not configured; it will almost certainly fail when an update to the loa attribute is attempted later on, so it is strongly advised to set up this parameter.

FameShibLDAPPassword: This mandatory parameter specifies the password used by the FameShibLDAPDN. Default value: none.

FameShibLDAPBaseDN: This mandatory parameter specifies the sub-tree of the Shibboleth LDAP directory where searches for the users should start from. Example: ou=shib-users,dc=example,dc=com. Default value: none.

2 FAME Database Configuration

The FAME da...