Friday, 6 December 2019

SAML MELLON POC

Introduction

The PoC consists of a VM installed with Vagrant, a Git repository with the scripts and the configuration, and Apache httpd with mod_auth_mellon in front of Tomcat running a small application.

Vagrant

The installation is done with Vagrant on CentOS 7.

You can do it without Vagrant, but NAT port forwarding must be enabled for ports 8888 and 8180.

Port 80 is not recommended because Windows uses it internally.

Once the Vagrant box is up, clone the Git repository.

Install begin

Execute ./installbegin.sh. This installs the basic software base and adds heroes.org to the hosts file.

It also disables SELinux and reboots.

Install Mellon and Apache httpd

Execute ./installmellon.sh

It copies the heroes.org.conf Apache virtual host, creates the Mellon section and generates the SP metadata XML.

Listen 8888
<VirtualHost *:8888>
    ServerName heroes.org
    ServerAlias heroes.org
    DocumentRoot /var/www/heroes.org/public_html

    <Location />
        AuthType Mellon
        MellonEnable auth
        Require valid-user
        MellonEndpointPath /mellon/
        MellonSPMetadataFile /etc/httpd/saml2/http_heroes.org_8888.xml
        MellonSPPrivateKeyFile /etc/httpd/saml2/http_heroes.org_8888.key
        MellonSPCertFile /etc/httpd/saml2/http_heroes.org_8888.cert
        MellonIdPMetadataFile /etc/httpd/saml2/meta_idp.xml

        MellonUser "NAME_ID"
        MellonSetEnv "display_name" "displayName"
        MellonSamlResponseDump On
        ProxyPassInterpolateEnv On
        # The backend trusts this header, so it is always set here from the Mellon environment
        # (RequestHeader set overwrites any value a client sends).
        RequestHeader set X-WEBAUTH-USER "%{MELLON_NAME_ID}e"
        #RequestHeader set X-WEBAUTH-DUMP "%{MELLON_SAML_RESPONSE}e"
    </Location>

    # Pass most connections to the backend app, once it has been secured.
    ProxyPass / http://localhost:8080/mellon
    ProxyPassReverse / http://localhost:8080/mellon
</VirtualHost>

Install Keycloak

Execute ./installkeycloack. The web administration console is then available.

Then create a realm called heroes and create a client by importing the SP metadata XML file generated by Mellon, http_heroes.org_8888.xml.

You can log into http://heroes.org:8180/auth/ with user admin and password admin.

Once imported, go to the heroes client configuration. For this PoC it is useful to disable encryption of the SAML assertion and pass the username as the user ID:

  • Encrypt Assertions Off

  • Name ID Format username

The realm is exported as realm-export.json, although importing it has not been tested.

Create a user and its password in the Users section.

Once the client and the user are created, install the IdP metadata in Mellon. The file name must match the MellonIdPMetadataFile directive in heroes.org.conf.

SSH into the guest and execute:

curl http://localhost:8180/auth/realms/heroes/protocol/saml/descriptor > meta_idp.xml

sudo cp meta_idp.xml /etc/httpd/saml2
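As an added check (not part of the PoC scripts), the following Python parses a constructed copy of the Keycloak descriptor and verifies the fields Mellon depends on before the file is copied to /etc/httpd/saml2: the expected entityID, an HTTP-Redirect single sign-on endpoint and at least one signing certificate that decodes as base64. The sample XML, the realm entityID and the certificate body are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HEROES_IDP = "http://heroes.org:8180/auth/realms/heroes"  # assumed entityID of the heroes realm

# Constructed stand-in for what the descriptor endpoint returns; the certificate is a placeholder.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{HEROES_IDP}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{HEROES_IDP}/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, expected_entity_id):
    """Return the values Mellon relies on; raise ValueError if the descriptor is unusable."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor")
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        raise ValueError("unexpected entityID %r" % entity_id)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor (SP metadata pasted by mistake?)")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        signing.append(base64.b64decode("".join(b64.split()), validate=True))  # must be clean base64
    if not signing:
        raise ValueError("no signing certificate: Mellon could not verify assertion signatures")
    return {"entity_id": entity_id, "sso_redirect": sso[0], "signing_certs": len(signing)}


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA, HEROES_IDP))
```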

Install Tomcat and the small endpoint application

Execute install_app_tomcat.sh. This goes to saml2/mellon and executes:

mvn package

This installs Maven and Tomcat, builds the small application and deploys it locally in the guest.

TEST

Open the application in the browser.

It redirects to the Keycloak IdP; enter user jordi and password jordi and you will see an output like this:

Hola Mundo (1)
host=localhost:8080
user-agent=Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language=es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding=gzip, deflate
referer=http://heroes.org:8180/
cookie=mellon-cookie=6e83894907480c27921539d940ba6f74
dnt=1
upgrade-insecure-requests=1
x-webauth-user=jordi (2)
(1) Servlet System.out
(2) User ID

The user ID comes in the SAML assertion, in the Subject element of the XML. If you want a value like jordi instead, you must change the IdP client configuration.

Below is the default NameID; to change it, go to Keycloak and change the Name ID format.

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">G-e535ce9b-5b55-4896-92a6-0e7777f9aa5c</saml:NameID>
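To show where the value behind MELLON_NAME_ID and the X-WEBAUTH-USER header comes from, here is an added Python example (not code from the PoC) that extracts the Subject NameID from a constructed, trimmed SAML Response and refuses the transient format, whose value is a temporary identifier and therefore not usable as a stable user ID. The sample Response is constructed; signature and conditions are omitted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def sample_response(name_id_format, value):
    """Constructed, trimmed Response shaped like the IdP's (signature and conditions omitted)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def subject_name_id(response_xml):
    """Return (format, value) of the Subject NameID; Mellon exposes the value as MELLON_NAME_ID."""
    root = ET.fromstring(response_xml)
    nid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():
        raise ValueError("assertion carries no Subject NameID")
    # A NameID without a Format attribute means 'unspecified' per the SAML core spec.
    return nid.get("Format", UNSPECIFIED), nid.text.strip()


def webauth_user(response_xml):
    """Value safe to forward as X-WEBAUTH-USER; transient NameIDs are per-session, so refuse them."""
    fmt, value = subject_name_id(response_xml)
    if fmt == TRANSIENT:
        raise ValueError("transient NameID %r: change the Keycloak client Name ID format" % value)
    return value


if __name__ == "__main__":
    print(subject_name_id(sample_response(TRANSIENT, "G-e535ce9b-5b55-4896-92a6-0e7777f9aa5c")))
    print(webauth_user(sample_response(UNSPECIFIED, "jordi")))
```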

Troubleshooting

SELinux enable or disable

Edit /etc/selinux/config to enable or disable SELinux.

Apache

The logs are in /etc/httpd/logs.

Check status: $ httpd -d

Check config: $ httpd -t

Tomcat

Tomcat logs: $ journalctl -u tomcat

Dump SAML assertion in header

In heroes.org.conf enable the dump into a request header by uncommenting:

    RequestHeader set X-WEBAUTH-DUMP "%{MELLON_SAML_RESPONSE}e"

Increase the maximum header size in /etc/tomcat/server.xml so that the dumped SAML response fits:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxHttpHeaderSize="65536"
               redirectPort="8443" />

Others

Install Spring sample

Follow the sample's instructions. The check below verifies that the JDK allows unlimited-strength cryptography; it prints true when the unlimited JCE policy is in effect:

jordi@LAPTOP-ELFAQNCG MINGW64 /c/Program Files/Java/jdk1.8.0_181/bin
$ jrunscript.exe -e 'print (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256);'
true

SAML certificate workflow

  • Create a new key pair for signing and/or encryption together with the respective X.509 certificate

  • Configure your SP to support the new key pair

  • Add a new KeyDescriptor to your SAML metadata

  • Support decrypting SAML messages using your new key

  • Send your metadata (or just the X.509 certificate) to the IdP(s). They must:

      • Switch the encryption certificate to the new one

      • Trust your new signing certificate, without ceasing to trust the old one

  • Wait for the IdP(s) to update their configurations

  • Do not start using the new key for signing your messages until the IdP(s) confirm they support your new certificate

  • Configure your SP to start using the new key for signing messages

  • The old keys may be completely removed

  • The IdP(s) can now untrust your old signing certificate
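An added Python example (not from the post) of the metadata side of this workflow: the new certificate is published in a second KeyDescriptor next to the old one, so the IdP keeps trusting both during the overlap, and the old KeyDescriptors are removed only at the end. The SP metadata shape, entityID and endpoint are constructed to resemble what Mellon generates for heroes.org; the certificate strings are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)  # keep the md:/ds: prefixes when serialising
ET.register_namespace("ds", DS)
CERT_PATH = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def sample_sp_metadata(cert_b64):
    """Constructed SP metadata in the shape Mellon writes; entityID, endpoint and cert are placeholders."""
    kd = ('<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + cert_b64 +
          '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="http://heroes.org:8888/mellon/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {kd % 'signing'}
    {kd % 'encryption'}
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://heroes.org:8888/mellon/postResponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def certificates(metadata_xml, use):
    """Base64 certificates an IdP would find for 'signing' or 'encryption' in this metadata."""
    root = ET.fromstring(metadata_xml)
    return [kd.findtext(CERT_PATH, default="", namespaces=NS).strip()
            for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", use) == use]  # a KeyDescriptor without 'use' serves both purposes


def add_key_descriptor(metadata_xml, new_cert_b64, use):
    """The 'Add a new KeyDescriptor' step: publish the new cert next to the old one, which stays valid."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    kd = ET.Element("{%s}KeyDescriptor" % MD, use=use)
    info = ET.SubElement(kd, "{%s}KeyInfo" % DS)
    ET.SubElement(ET.SubElement(info, "{%s}X509Data" % DS), "{%s}X509Certificate" % DS).text = new_cert_b64
    sp.insert(0, kd)  # the schema requires KeyDescriptor elements before the service endpoints
    return ET.tostring(root, encoding="unicode")


def remove_key_descriptors(metadata_xml, old_cert_b64):
    """Last step: drop the old certificate only after the IdP(s) confirmed they trust the new one."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    for kd in sp.findall("md:KeyDescriptor", NS):  # findall returns a list, so removing is safe here
        if kd.findtext(CERT_PATH, default="", namespaces=NS).strip() == old_cert_b64:
            sp.remove(kd)
    return ET.tostring(root, encoding="unicode")
```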