Comment: drop flatfile metadata

...

  • Edit /opt/simplesamlphp/config/authsources.php and add references to the SP's private key and certificate to the default-sp definition (file names are relative to the SimpleSAMLphp cert directory):

    No Format
        'default-sp' => array(
            'saml:SP',
            'privatekey' => 'saml.pem',
            'certificate' => 'saml.crt',
    


  • Make SSP issue secure cookies: in config/config.php, set session.cookie.secure to true so the session cookie is only ever sent over HTTPS:

    No Format
        'session.cookie.secure' => true,


Loading the federation metadata

...

  • Download the metadata signing certificate for the federation metadata into /opt/simplesamlphp/cert. Before trusting it, confirm that its SHA-1 fingerprint matches the value published by Tuakiri (the values are listed in the note further below), since this certificate is what every metadata refresh will be verified against:
    • For Tuakiri, run:

      No Format
      wget https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem -O /opt/simplesamlphp/cert/tuakiri-metadata-cert.pem


    • or for Tuakiri-TEST, run:

      No Format
      wget https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem -O /opt/simplesamlphp/cert/tuakiri-test-metadata-cert.pem


  • Edit config/config-metarefresh.php:
    • Replace 'kalmar' with the federation name ('tuakiri')
    • Set the download URL - either for Tuakiri Production:

      No Format
         'src' => 'https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml',
      


    • Or Tuakiri-TEST:

      No Format
         'src' => 'https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml',
      


    • Set the output directory and format (use the 'serialize' format):

      No Format
                              'outputDir'     => 'metadata/metarefresh-tuakiri/',
                              'outputFormat' => 'serialize',
      


    • Set the maximum cache time to 7 days, matching the validity period of Tuakiri metadata:

      No Format
                              'expireAfter'           => 60*60*24*7, // Maximum 7 days cache time.
      


    • Change the list of accepted certificates to the metadata signing certificate downloaded above (use tuakiri-test-metadata-cert.pem for Tuakiri-TEST):

      Code Block
                                              'certificates' => array(
                                                      'tuakiri-metadata-cert.pem',
                                              ),


    • Remove or comment out the validateFingerprint entry (see the note below for the explanation)

      Note

      Older versions of SimpleSAMLphp did not support directly referring to a certificate and instead required embedding the certificate fingerprint in the configuration.

      For historical and archival purposes, the instructions are included here - but can be ignored in favour of using the above certificates setting.

      Expand
      • Set the 'validateFingerprint' to the fingerprint value of the metadata issuing certificate
        • Tuakiri-PROD: 06:85:C5:89:2F:38:83:98:77:1B:A4:5D:58:A4:06:3A:A4:C1:CE:45
        • Tuakiri-TEST: 5E:90:2D:F9:D9:5A:5A:95:BF:58:4D:02:AD:29:35:64:CC:BF:76:45
      • To calculate the fingerprint yourself:
        • Download the metadata signing certificate (for Tuakiri-PROD and Tuakiri-TEST, they are linked from the instructions on registering an SP into Tuakiri)
        • and get the SHA-1 fingerprint (the form in which Tuakiri publishes the values above) with:

          No Format
                openssl x509 -sha1 -fingerprint -noout -in metadata-cert.pem
          




  • Edit config/config.php and, in metadata.sources, replace the existing 'type' => 'flatfile' entry with the serialized output directory written by metarefresh:

    No Format
       array('type' => 'serialize', 'directory' => 'metadata/metarefresh-tuakiri'),
    

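The steps above give the individual settings of config/config-metarefresh.php but not how they fit together. The following is an added example (not taken from the Tuakiri page or from the SimpleSAMLphp distribution) that assembles them into the layout of the metarefresh module's configuration template for both Tuakiri and Tuakiri-TEST; the $federation switch and the 'hourly' cron tag are assumptions and not part of the instructions above.

```php
<?php
// config/config-metarefresh.php for a Tuakiri SP (added example, not the
// Tuakiri page's own file). Switch $federation between 'tuakiri' and
// 'tuakiri-test'; the cron tag 'hourly' is an assumption.

$federation = 'tuakiri';

// Download URL and metadata signing certificate per federation. The cert
// file name is relative to the SimpleSAMLphp cert directory ('certdir').
$federations = array(
    'tuakiri' => array(
        'src'  => 'https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml',
        'cert' => 'tuakiri-metadata-cert.pem',
    ),
    'tuakiri-test' => array(
        'src'  => 'https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml',
        'cert' => 'tuakiri-test-metadata-cert.pem',
    ),
);

if (!isset($federations[$federation])) {
    throw new Exception("Unknown federation: $federation");
}

$config = array(
    'sets' => array(
        $federation => array(
            // Tag matched by the cron module when it triggers the refresh.
            'cron'    => array('hourly'),
            'sources' => array(
                array(
                    'src' => $federations[$federation]['src'],
                    // The XML signature on the downloaded aggregate must verify
                    // against one of these certificates; anything else is rejected.
                    'certificates' => array($federations[$federation]['cert']),
                    // No 'validateFingerprint' entry: superseded by 'certificates'.
                ),
            ),
            'expireAfter'  => 60*60*24*7, // Maximum 7 days cache time.
            // Kept fixed so it matches the metadata.sources entry in config.php.
            'outputDir'    => 'metadata/metarefresh-tuakiri/',
            'outputFormat' => 'serialize',
        ),
    ),
);
```

The output directory has to exist and be writable by the user that runs the cron job before the first refresh; the matching entry in config.php is the 'serialize' source pointing at 'metadata/metarefresh-tuakiri' shown above.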
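Whether or not validateFingerprint is used, the metadata signing certificate placed in the cert directory is the root of trust for every later refresh, so its fingerprint is worth checking once against the published value. The script below is an added example (not part of the Tuakiri page or of SimpleSAMLphp) that does that check with PHP's openssl extension, which SimpleSAMLphp already requires; the script name and the expected-fingerprint argument are assumptions.

```php
<?php
// check-metadata-cert.php (added example, not from the Tuakiri page):
// compare a downloaded metadata signing certificate's SHA-1 fingerprint with
// the value published by the federation before listing the file in
// config-metarefresh.php. Usage (assumed):
//   php check-metadata-cert.php /opt/simplesamlphp/cert/tuakiri-metadata-cert.pem AA:BB:...

function certFingerprint(string $pemPath, string $algo = 'sha1'): string
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("cannot read $pemPath");
    }
    $hex = openssl_x509_fingerprint($pem, $algo);
    if ($hex === false) {
        throw new RuntimeException("$pemPath is not a valid X.509 certificate");
    }
    // openssl_x509_fingerprint() returns lowercase hex without separators;
    // normalise to the AA:BB:CC form that `openssl x509 -fingerprint` prints.
    return strtoupper(implode(':', str_split($hex, 2)));
}

function fingerprintMatches(string $pemPath, string $expected): bool
{
    // Accept the published value with or without colons, in either case.
    $normalise = function (string $fp): string {
        return strtoupper(str_replace(':', '', trim($fp)));
    };
    // hash_equals() avoids a timing side channel and returns false on length mismatch.
    return hash_equals($normalise($expected), $normalise(certFingerprint($pemPath)));
}

if (PHP_SAPI === 'cli') {
    if ($argc !== 3) {
        fwrite(STDERR, "usage: php {$argv[0]} <metadata-cert.pem> <expected-sha1-fingerprint>\n");
        exit(2);
    }
    list(, $certPath, $expected) = $argv;
    $actual = certFingerprint($certPath);
    if (!fingerprintMatches($certPath, $expected)) {
        fwrite(STDERR, "MISMATCH: $certPath has fingerprint $actual, expected $expected\n");
        exit(1);
    }
    echo "OK: $certPath fingerprint $actual\n";
}
```

A non-zero exit code on mismatch makes the check usable in a provisioning script: stop before the certificate is referenced from config-metarefresh.php rather than discovering the problem when the first refresh is accepted against the wrong key. SHA-1 is used only because that is the form in which the published values are given; identifying a certificate you already hold by its SHA-1 fingerprint does not depend on SHA-1 collision resistance.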

...