SAML PROOF OF CONCEPT – IAMaaS

by | May 25, 2017

Last year I wrote a series of posts going through a working example of getting SAML working with a group of components consisting of Qlik Sense Enterprise, Apache HTTP Server, Shibboleth and GLUU. Recently I had an opportunity to test a natural progression in this design: replacing the GLUU IdP with a managed cloud offering, also known as IAMaaS (Identity and Access Management as a Service).
I’ve chosen to use OneLogin. There are many providers out there that offer this service, and selecting one would be a blog post in itself. I’ll skip past my selection process and concentrate on working through an example: in particular, Apache HTTP Server with Shibboleth, using OneLogin as the IdP. If you need to see how to get Qlik working with OneLogin, Qlik provide a comprehensive video of the process which is easy to follow.

Prerequisites for this are:

  • AWS EC2 with Ubuntu installed on a T2.nano or greater.
    • The AMI was Ubuntu Version 16.04 at the time of writing this blog
  • A OneLogin Developer Account.
    • You can sign up here, it’s free and ensure you choose Developer Tools and API for the type of account to get access to SAML functionality.

End to end instructions:

SSH to your new web server and run the following commands to install Apache, Shibboleth and a self-signed SSL certificate. I use sp.yourdomain.com in many places in my example code; replace this with your FQDN or the server IP address.
[code language="bash"]
sudo su
apt-get update
apt-get install apache2
apt-get install libapache2-mod-shib2
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/sp.yourdomain.com.key -out /etc/ssl/certs/sp.yourdomain.com.crt
[/code]
Here are some values I used when generating the temporary SSL certificate:

 Country Name (2 letter code) [AU]:NZ
 State or Province Name (full name) [Some-State]:
 Locality Name (eg, city) []:Wellington
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:
 Organizational Unit Name (eg, section) []:
 Common Name (e.g. server FQDN or YOUR name) []:sp.yourdomain.com
 Email Address []:test@sp.yourdomain.com

Create the file /etc/apache2/sites-available/sp.yourdomain.com.conf and insert the following text:
[code language="XML"]
<VirtualHost *:443>
ServerName sp.yourdomain.com
ServerAdmin youractual@email.address
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/sp.yourdomain.com.crt
SSLCertificateKeyFile /etc/ssl/private/sp.yourdomain.com.key
</VirtualHost>
[/code]
Next, run the following commands:
[code language="bash"]
a2enmod ssl
a2ensite sp.yourdomain.com
service apache2 restart
mkdir /var/www/html/auth
echo "<html><body>logged in</body></html>" > /var/www/html/auth/index.html
[/code]
Test that your website works at this point by browsing to https://<webserver IP address>/auth/; you should get a page that says “logged in”. You will get certificate warnings from your browser as these are self-signed certs. You can follow my blog on using LetsEncrypt certs if you don’t want to see these errors.
Next, run the following command to generate the SP signing/encryption key pair:
[code language="bash"]
shib-keygen
[/code]
At this point, you will need to set up an App in OneLogin:

  1. Log into OneLogin
  2. Then select Apps -> Add Apps from the top menu
  3. Search for SAML Test Connector (IdP w/attr)
  4. Click on the single result that comes back
  5. Then click save
  6. Download the metadata file, save it as onelogin_metadata.xml and upload it to the Ubuntu server at /etc/shibboleth/
  7. Next, copy the Issuer URL from the SSO section, as you will need this later

 
Now back to your SSH session.
Edit the file /etc/shibboleth/shibboleth2.xml
Change the line
[code language="XML"]
<ApplicationDefaults entityID="https://sp.yourdomain.com/shibboleth"
[/code]
to use the IP address or domain name of your web server. Take a copy of this entityID value, as it is used later as the Audience parameter in the OneLogin configuration.
[code language="XML"]
<ApplicationDefaults entityID="https://REPLACE_Web_Server_Name_or_IP_Address/shibboleth"
[/code]
In the same file change
[code language="XML"]
<SSO entityID="https://idp.example.org/idp/shibboleth"
     discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
  SAML2 SAML1
</SSO>
[/code]
to the below. Use the Issuer URL that you copied from OneLogin.
[code language="XML"]
<SSO entityID="REPLACE_with_OneLogin_Issuer_URL">
  SAML2 SAML1
</SSO>
[/code]
In the same file find the closing tag
[code language="XML"]
</ApplicationDefaults>
[/code]
and add the following before it, so that the MetadataProvider element sits inside ApplicationDefaults:
[code language="XML"]
<MetadataProvider type="XML" file="onelogin_metadata.xml"/>
[/code]
Save your changes
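The three shibboleth2.xml edits above can also be applied with an XML parser, which avoids the two mistakes that are easy to make by hand (leaving a discovery attribute on SSO, or putting MetadataProvider outside ApplicationDefaults), and the result can be cross-checked against the downloaded OneLogin metadata: shibd only uses that file for the IdP if its entityID matches the SSO entityID exactly. This is an added example, not code from the post; the two XML documents in it are constructed, cut-down stand-ins for the real files, and the OneLogin Issuer URL is a placeholder.

```python
"""Apply the shibboleth2.xml edits from the walkthrough with an XML parser and
cross-check them against the downloaded OneLogin metadata.

Added example (not from the post). SAMPLE_SHIB_CONFIG and SAMPLE_IDP_METADATA
are constructed, cut-down stand-ins for the real files; ISSUER_URL is a
placeholder for the Issuer URL copied from OneLogin."""
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"   # shibboleth2.xml namespace
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"        # SAML metadata namespace
ET.register_namespace("", SP_NS)  # serialise with a default namespace, not ns0:

ISSUER_URL = "https://app.onelogin.com/saml/metadata/PLACEHOLDER-APP-ID"

# Constructed stand-in for the stock /etc/shibboleth/shibboleth2.xml
SAMPLE_SHIB_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="false">
      <SSO entityID="https://idp.example.org/idp/shibboleth"
           discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed stand-in for onelogin_metadata.xml
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="%s">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://PLACEHOLDER-subdomain.onelogin.com/trust/saml2/http-redirect/sso/PLACEHOLDER-APP-ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % ISSUER_URL


def sp_tag(name):
    """Qualify a shibboleth2.xml element name with its namespace."""
    return "{%s}%s" % (SP_NS, name)


def _app_and_sso(root):
    """Locate ApplicationDefaults and its Sessions/SSO child, or fail loudly."""
    app = root.find(sp_tag("ApplicationDefaults"))
    sso = None if app is None else app.find(sp_tag("Sessions") + "/" + sp_tag("SSO"))
    if app is None or sso is None:
        raise ValueError("unexpected shibboleth2.xml layout")
    return app, sso


def configure_sp(config_xml, sp_entity_id, idp_entity_id, metadata_file):
    """Return shibboleth2.xml with the three edits from the walkthrough applied."""
    root = ET.fromstring(config_xml)
    app, sso = _app_and_sso(root)
    app.set("entityID", sp_entity_id)      # later entered in OneLogin as the Audience
    sso.set("entityID", idp_entity_id)     # the OneLogin Issuer URL
    for attr in ("discoveryProtocol", "discoveryURL"):
        sso.attrib.pop(attr, None)         # a single fixed IdP needs no discovery service
    # MetadataProvider is only valid as a child of ApplicationDefaults
    if app.find(sp_tag("MetadataProvider")) is None:
        provider = ET.SubElement(app, sp_tag("MetadataProvider"))
        provider.set("type", "XML")
        provider.set("file", metadata_file)
    return ET.tostring(root, encoding="unicode")


def check_idp_binding(config_xml, idp_metadata_xml):
    """Return a list of problems; an empty list means the SP can resolve its IdP."""
    problems = []
    app, sso = _app_and_sso(ET.fromstring(config_xml))
    idp = ET.fromstring(idp_metadata_xml)
    if sso.get("entityID") != idp.get("entityID"):
        problems.append("SSO entityID %r != metadata entityID %r"
                        % (sso.get("entityID"), idp.get("entityID")))
    if app.find(sp_tag("MetadataProvider")) is None:
        problems.append("no MetadataProvider inside ApplicationDefaults")
    if idp.find("{%s}IDPSSODescriptor/{%s}SingleSignOnService" % (MD_NS, MD_NS)) is None:
        problems.append("IdP metadata has no SingleSignOnService endpoint")
    return problems


if __name__ == "__main__":
    edited = configure_sp(SAMPLE_SHIB_CONFIG, "https://sp.yourdomain.com/shibboleth",
                          ISSUER_URL, "onelogin_metadata.xml")
    print(edited)
    print("problems:", check_idp_binding(edited, SAMPLE_IDP_METADATA))
```

To use it on the real files, read /etc/shibboleth/shibboleth2.xml and /etc/shibboleth/onelogin_metadata.xml in place of the two samples and write the returned string back out. An empty problem list means the SP will find its IdP entry; an entityID mismatch here is the usual cause of the SP’s “Unable to locate metadata for identity provider” error after the redirect.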
Edit /etc/apache2/sites-available/sp.yourdomain.com.conf
Add the following above the </VirtualHost> line
[code language="XML"]
<Location /Shibboleth.sso>
  SetHandler shib
</Location>
<Location /auth>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>
[/code]
Next, restart the Apache and Shibboleth services.

[code language="bash"]
service shibd restart
service apache2 restart
[/code]
If things are working you should be able to browse to https://<Server Name/IP>/Shibboleth.sso/Metadata and be prompted to save a downloaded file.

Open this file in a text editor and take a copy of the Location attribute of the md:AssertionConsumerService element with the HTTP-POST binding:
[code language="XML"]
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.yourdomain.com/Shibboleth.sso/SAML2/POST" index="1"/>
[/code]
Now go back to OneLogin, open the App you created previously and edit its configuration.
So that I can give you example values for the configuration, we will assume that the Entity ID you recorded is https://sp.yourdomain.com/shibboleth and the Location is https://sp.yourdomain.com/Shibboleth.sso/SAML2/POST. Note that ACS (Consumer) URL Validator is a regular-expression version of Location wrapped in ^ and $.
  • Audience: https://sp.yourdomain.com/shibboleth
  • Recipient: https://sp.yourdomain.com/Shibboleth.sso/SAML2/POST
  • ACS (Consumer) URL Validator: ^https://sp.yourdomain.com/Shibboleth.sso/SAML2/POST$
  • ACS (Consumer) URL: https://sp.yourdomain.com/Shibboleth.sso/SAML2/POST
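The four values above can be derived directly from the SP metadata you downloaded, which removes the copy-and-paste step where a stray character in the Audience or Recipient is hard to spot. The example below is added here and is not part of the original post: it parses a constructed, cut-down copy of that metadata, picks the AssertionConsumerService with the HTTP-POST binding, and builds the validator with the dots escaped, since in a regular expression an unescaped “.” matches any character. It then checks the validator the way OneLogin applies it, as an anchored expression over the whole ACS URL.

```python
"""Derive the OneLogin application fields from the SP metadata served at
/Shibboleth.sso/Metadata and exercise the ACS URL Validator.

Added example (not from the post). SAMPLE_SP_METADATA is a constructed,
cut-down stand-in for the metadata file the SP serves."""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for https://sp.yourdomain.com/Shibboleth.sso/Metadata
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.yourdomain.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.yourdomain.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.yourdomain.com/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def onelogin_fields(sp_metadata_xml):
    """Return the Audience, Recipient, ACS URL Validator and ACS URL values."""
    root = ET.fromstring(sp_metadata_xml)
    entity_id = root.get("entityID")
    acs = None
    # Several ACS endpoints are published; OneLogin posts to the HTTP-POST one
    for svc in root.iter("{%s}AssertionConsumerService" % MD_NS):
        if svc.get("Binding") == HTTP_POST:
            acs = svc.get("Location")
            break
    if entity_id is None or acs is None:
        raise ValueError("metadata lacks an entityID or an HTTP-POST ACS endpoint")
    return {
        "Audience": entity_id,
        "Recipient": acs,
        # anchored, and with the dots escaped so '.' only matches a literal dot
        "ACS (Consumer) URL Validator": "^%s$" % re.escape(acs),
        "ACS (Consumer) URL": acs,
    }


def validator_accepts(validator, url):
    """Apply the validator as a regular expression; the ^ and $ anchors make
    re.search demand that the whole URL matches, not just a substring."""
    return re.search(validator, url) is not None


if __name__ == "__main__":
    for name, value in onelogin_fields(SAMPLE_SP_METADATA).items():
        print("%s: %s" % (name, value))
```

The unescaped validator from the list above works for the real endpoint too, so either form can be entered; the escaped one is simply the stricter of the two.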
Save these changes and we are almost there.
Create a user and add the application to the user’s applications.
Now launch a browser and go to https://<webserver IP address>/auth/
You should be redirected to OneLogin.

Enter your user credentials and you will be greeted with the familiar “logged in” page.

That’s it. It looks simple, but to be honest it took me a lot longer to get working than anticipated, as there is almost no documentation on Shibboleth and OneLogin integration.
All the code, all the fun – Ben
 