Support for HTTPS certificate verification or not.

[freeradius-pysaml2.git] / README

diff --git a/README b/README
index 97e4b6f..6893860 100644 (file)
--- a/README
+++ b/README
@@ -1,52 +1,67 @@
 moonshot
 ========
 A python module usable in a Moonshot environment to allow a freeradius server
 moonshot
 ========
 A python module usable in a Moonshot environment to allow a freeradius server

-to fetch information about a user from a SAML2 Attribute Authority.
+to fetch information about a user from a SAML2 Attribute Authority (AA) or
+Identity Provider (IdP).
+There are some things you have to do disregarding how you want the SP to
+talk to the IdP/AA. So I take those first.

 
 

-Installing
+Dependency

 ----------
 
 ----------
 

-sudo python setup.py install
+This package is dependent on pySAML2.
+You should get PySAML2 from Launchpad, the version that is at PyPI is not
+enough up-to-date.

 
 

-eventually also
+bzr co bzr+ssh://bazaar.launchpad.net/%2Bbranch/pysaml2/

 
 

-sudo easy_install moonshot
+should get you the latest version.

 
 

-When the python module is installed a couple of changes to the freeradius
-configuration are necessary.
+Basic Installing
+----------
+
+A couple of changes to the freeradius configuration are necessary.
+This is one way of doing it. How you chose to do it depends on your local
+preferences.

 
 1) create raddb/modules/python
 
 
 1) create raddb/modules/python
 

-You can use the provided '/usr/local/etc/moonshot/template/modules_python' file
-as is.
+You can use one of the provided 'template/modules_python_aa' or
+'template/modules_python_ecp' files as they are. Which one depends of your
+choice of using ECP or AA. Rename of copy the one you want to use to
+'template/modules_python' and copy it to raddb/modules.
+
+Regarding the configuration of outer/inner tunnel this is still a bit
+undecided. The extension module can be use in either.

 
 2) Edit raddb/sites-available/default
 To the 'post-auth' section add one line referencing the python module.
 You can see how it can be done in
 
 2) Edit raddb/sites-available/default
 To the 'post-auth' section add one line referencing the python module.
 You can see how it can be done in

-'/usr/local/etc/moonshot/template/sites-available_default".
+'template/sites-available_default".

 
 3) Edit raddb/sites-available/inner-tunnel.
 To the 'post-auth' section add one line referencing the python module.
 You can see how it can be done in
 
 3) Edit raddb/sites-available/inner-tunnel.
 To the 'post-auth' section add one line referencing the python module.
 You can see how it can be done in

-'/usr/local/etc/moonshot/template/sites-available_inner-tunnel".
+'template/sites-available_inner-tunnel".

 
 
 
 

-Now, you should have the basic setup.
+Now, you should have the basic freeradius setup.

 To get it working you have to do a couple of more things:
 
 
 To get it working you have to do a couple of more things:
 
 

-I) Get the SAML2 metadata for the Attribute Authority (AA) you want to use.
+I) Get the SAML2 metadata for the AA or IDP you want to use. Rename it to
+metadata.xml and place it in the 'etc' directory.

 
 

-Place it in the '/usr/local/etc/moonshot/' directory

 
 

+II) Chose one of the configuration files for the extension you want to use.
+There are two choices (etc/aa_config.py and etc/ecp_config.py).
+Rename (or copy) the one you want to use to config.py and edit it.

 
 

-II) Change the configuration in /usr/local/etc/moonshot/config.py
+You must change the value of ATTRIBUTE_AUTHORITY/IDP_ENTITYID so it is the
+identifier (entityID) of the SAML2 AA/IdP you want to use.

 
 

-You must change the value of ATTRIBUTE_AUTHORITY so it is the identifier of the
-SAML2 AA you want to use.

 
 

-
-III) Change the configuration '/usr/local/etc/moonshot/pysaml_config.py'.
+III) Change the pysaml2 configuration file 'etc/pysaml_config.py'.

 A couple of things:
 
 BASE : This is the identifier of the SP (=this module) you are running.
 A couple of things:
 
 BASE : This is the identifier of the SP (=this module) you are running.


@@ -56,6 +71,8 @@ organization: Information about the organization running this service
 contact_person: Information about a person people can contact to ask about
     this service
 
 contact_person: Information about a person people can contact to ask about
     this service
 

+xmlsec_binary: where the xmlsec1 binaries are located. This is only needed if
+these binaries are somewhere outside the normal PATH.

 
 IV) Create your own key pair.
 
 
 IV) Create your own key pair.
 


@@ -64,14 +81,28 @@ $ openssl genrsa 1024 > ssl.key
 $ openssl req -new -x509 -nodes -sha1 -days 365 -key ssl.key > ssl.cert
 $ sudo mv ssl.key ssl.cert /usr/local/etc/moonshot/pki
 
 $ openssl req -new -x509 -nodes -sha1 -days 365 -key ssl.key > ssl.cert
 $ sudo mv ssl.key ssl.cert /usr/local/etc/moonshot/pki
 

-If you chose other names for you key and cert you have to change accordingly
-in pysaml_config.py .
+If you chose other names for you key and cert you have to change
+pysaml_config.py accordingly.
+
+
+V)
+
+Now you can install the package:
+
+python setup.py install
+
+should place everything in it's place.
+One thing that might happen is that a new directory is created.
+/usr/local/etc/moonshot
+You may have to change the premissions on this directory to make it possible
+for the freeradius extension to access the information in the directory.

 
 

+VI) Create the metadata file for your SP.

 
 

-V) Create the metadata file for your SP.
+$ cd etc
+$ make_metadata.py pysaml_config.py > sp.xml

 
 

-$ make_metadata.py /usr/local/etc/moonshot/pysaml_config.py > sp.xml
-This file you have to give to the person/organization that runs the AA you
+This file you have to give to the person/organization that runs the AA/IdP you

 want to get information from.
 
 !!! That should be it !!!
 want to get information from.
 
 !!! That should be it !!!