X-Git-Url: http://www.project-moonshot.org/gitweb/?p=freeradius-pysaml2.git;a=blobdiff_plain;f=README;h=68938608d5ea8837d5a42c766d9113a772c7dafe;hp=97e4b6f57d574d3cffe281e0aaa19ddda65c552f;hb=HEAD;hpb=274fce3387186b9b0988451bdbb3ccf628155cc1 diff --git a/README b/README index 97e4b6f..6893860 100644 --- a/README +++ b/README 
@@ -1,52 +1,67 @@ moonshot ======== A python module usable in a Moonshot environment to allow a freeradius server -to fetch information about a user from a SAML2 Attribute Authority. +to fetch information about a user from a SAML2 Attribute Authority (AA) or +Identity Provider (IdP). +There are some things you have to do disregarding how you want the SP to +talk to the IdP/AA. So I take those first. -Installing +Dependency ---------- -sudo python setup.py install +This package is dependent on pySAML2. +You should get PySAML2 from Launchpad, the version that is at PyPI is not +enough up-to-date. -eventually also +bzr co bzr+ssh://bazaar.launchpad.net/%2Bbranch/pysaml2/ -sudo easy_install moonshot +should get you the latest version. -When the python module is installed a couple of changes to the freeradius -configuration are necessary. +Basic Installing +---------- + +A couple of changes to the freeradius configuration are necessary. +This is one way of doing it. How you chose to do it depends on your local +preferences. 1) create raddb/modules/python -You can use the provided '/usr/local/etc/moonshot/template/modules_python' file -as is. +You can use one of the provided 'template/modules_python_aa' or +'template/modules_python_ecp' files as they are. Which one depends of your +choice of using ECP or AA. Rename of copy the one you want to use to +'template/modules_python' and copy it to raddb/modules. + +Regarding the configuration of outer/inner tunnel this is still a bit +undecided. The extension module can be use in either. 2) Edit raddb/sites-available/default To the 'post-auth' section add one line referencing the python module. You can see how it can be done in -'/usr/local/etc/moonshot/template/sites-available_default". +'template/sites-available_default". 3) Edit raddb/sites-available/inner-tunnel. To the 'post-auth' section add one line referencing the python module. 
You can see how it can be done in -'/usr/local/etc/moonshot/template/sites-available_inner-tunnel". +'template/sites-available_inner-tunnel". -Now, you should have the basic setup. +Now, you should have the basic freeradius setup. To get it working you have to do a couple of more things: -I) Get the SAML2 metadata for the Attribute Authority (AA) you want to use. +I) Get the SAML2 metadata for the AA or IDP you want to use. Rename it to +metadata.xml and place it in the 'etc' directory. -Place it in the '/usr/local/etc/moonshot/' directory +II) Chose one of the configuration files for the extension you want to use. +There are two choices (etc/aa_config.py and etc/ecp_config.py). +Rename (or copy) the one you want to use to config.py and edit it. -II) Change the configuration in /usr/local/etc/moonshot/config.py +You must change the value of ATTRIBUTE_AUTHORITY/IDP_ENTITYID so it is the +identifier (entityID) of the SAML2 AA/IdP you want to use. -You must change the value of ATTRIBUTE_AUTHORITY so it is the identifier of the -SAML2 AA you want to use. - -III) Change the configuration '/usr/local/etc/moonshot/pysaml_config.py'. +III) Change the pysaml2 configuration file 'etc/pysaml_config.py'. A couple of things: BASE : This is the identifier of the SP (=this module) you are running. @@ -56,6 +71,8 @@ organization: Information about the organization running this service contact_person: Information about a person people can contact to ask about this service +xmlsec_binary: where the xmlsec1 binaries are located. This is only needed if +these binaries are somewhere outside the normal PATH. IV) Create your own key pair. 
@@ -64,14 +81,28 @@ $ openssl genrsa 1024 > ssl.key $ openssl req -new -x509 -nodes -sha1 -days 365 -key ssl.key > ssl.cert $ sudo mv ssl.key ssl.cert /usr/local/etc/moonshot/pki -If you chose other names for you key and cert you have to change accordingly -in pysaml_config.py . +If you chose other names for you key and cert you have to change +pysaml_config.py accordingly. + + +V) + +Now you can install the package: + +python setup.py install + +should place everything in it's place. +One thing that might happen is that a new directory is created. +/usr/local/etc/moonshot +You may have to change the premissions on this directory to make it possible +for the freeradius extension to access the information in the directory. +VI) Create the metadata file for your SP. -V) Create the metadata file for your SP. +$ cd etc +$ make_metadata.py pysaml_config.py > sp.xml -$ make_metadata.py /usr/local/etc/moonshot/pysaml_config.py > sp.xml -This file you have to give to the person/organization that runs the AA you +This file you have to give to the person/organization that runs the AA/IdP you want to get information from. !!! That should be it !!!
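Review bot: In the first hunk (@@ -1,52 +1,67 @@), step 1 leaves the outer/inner tunnel question as "still a bit undecided" while steps 2 and 3 then reference the python module from the post-auth section of both sites-available/default and sites-available/inner-tunnel, so as written the extension runs in both tunnels for every EAP authentication; the README should state the intended placement (one tunnel or both) and what it means for which identity the lookup is keyed on. Smaller fixes in the added lines: "disregarding how you want the SP to talk" should be "regardless of how", "Which one depends of your choice" should be "depends on", "Rename of copy the one you want" should be "Rename or copy", and "The extension module can be use in either" needs "used". The quoted paths in steps 2 and 3 open with a single quote and close with a double quote ('template/sites-available_default"), a mismatch carried over from the removed lines that is worth fixing while these lines are touched. The Dependency section's bzr+ssh://bazaar.launchpad.net/... URL needs Launchpad SSH credentials, so the text should either give a URL that works for an anonymous read-only checkout or say that an account is required.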
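Review bot: In the second hunk (@@ -56,6 +71,8 @@) the new xmlsec_binary entry says it is only needed when the binaries are "somewhere outside the normal PATH", but the PATH seen by the running freeradius daemon is frequently not the PATH of the shell the administrator installs from, so recommend always setting it to an absolute path instead of leaving it unset; that also avoids depending on whichever xmlsec1 happens to be found first on the service's PATH. The entry should also say what form the value takes (a directory or the path of the xmlsec1 executable itself), since "where the xmlsec1 binaries are located" reads as a directory.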
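Review bot: In the third hunk (@@ -64,14 +81,28 @@) the order of steps IV and V conflicts: step IV moves ssl.key and ssl.cert into /usr/local/etc/moonshot/pki with sudo, but step V then says /usr/local/etc/moonshot may only be created by "python setup.py install", so a reader following the numbering copies the key into a directory that does not yet exist; either move the install step ahead of the key step or have step IV create the pki directory. The permissions advice in step V ("change the premissions on this directory to make it possible for the freeradius extension to access the information") should say to grant read access to the user freeradius runs as rather than opening the directory up, since the private key ssl.key now lives under it. Step VI runs make_metadata.py against etc/pysaml_config.py in the source tree after step V has presumably installed the etc contents under /usr/local/etc/moonshot; the text should say which copy is authoritative so the generated sp.xml matches the configuration the module actually loads. While this section is being rewritten, the unchanged "openssl genrsa 1024" and "-sha1" lines produce a 1024-bit RSA key with a SHA-1 self-signed certificate, both below current minimums; 2048 bits and -sha256 would be the sensible defaults to document. Typos in the added lines: "it's place" should be "its place", "premissions" should be "permissions", and "for you key and cert" should be "for your key and cert".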