From: Gonçalo B. <gon...@fc...> - 2017-05-30 11:18:05
Hi

I'm trying to implement the federated authentication (EDUGAIN), like in the documentation, but I've been struggling for days. From what I understand I know I need to do this through SAML HTTP-POST and HTTP-Redirect bindings. And I know I must have 2 files (SAML Endpoint, SAML Authenticator), and I know I must enable this on unityServer.conf. Can someone point me in the right direction?

Best Regards
Gonçalo Barata

Fundação para a Ciência e a Tecnologia
Unidade FCCN – Computação Científica Nacional
Av. do Brasil, 101
1700-066 Lisboa | Portugal
Email: gon...@fc...
http://www.fccn.pt

From: Sander A. <sa....@fz...> - 2017-05-31 05:26:45
Hi Goncalo,

We configured eduGain with a Metadata URL. We got the Metadata URL from our NREN where we requested the eduGain membership as SP. Our configuration in remoteSamlAuth.properties looks like this:

unity.saml.requester.metadataSource.edugain.url=METADATAURL
unity.saml.requester.metadataSource.edugain.perMetadataTranslationProfile=YOUR_TRANSLATION_PROFILE
unity.saml.requester.metadataSource.edugain.signatureVerification=require
unity.saml.requester.metadataSource.edugain.signatureVerificationCertificate=YOUR_CERT_FROM_PKI_PROPERTIES
unity.saml.requester.metadataSource.edugain.perMetadataRegistrationForm=YOUR_REGISTRATION_FORM

Best regards,
Sander

P.S. I'm going to close your EUDAT ticket and refer to this mailing list.
--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2017-05-31 05:51:20
Hi Goncalo,

On 31.05.2017 at 07:26, Sander Apweiler wrote:
> Hi Goncalo,
>
> We configured eduGain with a Metadata URL. We got the Metadata URL from
> our NREN where we requested the eduGain membership as SP. Our
> configuration in remoteSamlAuth.properties looks like this:
>
> unity.saml.requester.metadataSource.edugain.url=METADATAURL
> unity.saml.requester.metadataSource.edugain.perMetadataTranslationProfile=YOUR_TRANSLATION_PROFILE
> unity.saml.requester.metadataSource.edugain.signatureVerification=require
> unity.saml.requester.metadataSource.edugain.signatureVerificationCertificate=YOUR_CERT_FROM_PKI_PROPERTIES
> unity.saml.requester.metadataSource.edugain.perMetadataRegistrationForm=YOUR_REGISTRATION_FORM
>

A small supplement to what Sander wrote:

-) regarding endpoint: at first you can add the saml authenticator to any of internal Unity endpoints, so its access will be protected by federated login. So you can test the Unity->eduGAIN part alone and the above example config covers this part. After you have this done, you can work on configuring your own SP(s) to authenticate using Unity. Then you will need an endpoint or endpoints in Unity to enable remote authN SP->Unity. Here you won't be forced to use SAML, you can also use OAuth.

-) translation profile configures your mapping of data coming from edugain IdPs to your desired format (you can filter, modify values, names of attributes etc). Typically this is the most difficult part of configuration and most often changed.

Best,
Krzysztof
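
Added example, not part of the thread and not Unity's own code: a small pre-deployment check for the `metadataSource` block of remoteSamlAuth.properties that flags misspelled per-source keys and any source whose federation metadata is not signature-verified. The function names are hypothetical, the key list is limited to the five keys named in this thread (with `signatureVerification` spelled like its sibling `signatureVerificationCertificate`), and the sample input is constructed.

```python
import difflib
import re

# Per-source keys named in this thread (assumed list; extend it from the Unity manual).
KNOWN = sorted(["url", "perMetadataTranslationProfile", "perMetadataRegistrationForm",
                "signatureVerification", "signatureVerificationCertificate"])
SOURCE_KEY = re.compile(r"^unity\.saml\.requester\.metadataSource\.([^.]+)\.(.+)$")

def parse_properties(text):
    """Minimal .properties reader: key=value or key:value; skips '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", raw)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def lint_metadata_sources(text):
    """Return {source_name: [findings]} for each metadataSource block."""
    seen, findings = {}, {}
    for key, value in parse_properties(text).items():
        m = SOURCE_KEY.match(key)
        if not m:
            continue
        name, sub = m.groups()
        seen.setdefault(name, {})
        findings.setdefault(name, [])
        if sub in KNOWN:
            seen[name][sub] = value
        else:
            hint = difflib.get_close_matches(sub, KNOWN, n=1)
            findings[name].append(f"unknown key '{sub}'"
                                  + (f" (did you mean '{hint[0]}'?)" if hint else ""))
    for name, cfg in seen.items():
        if not cfg.get("url"):
            findings[name].append("no metadata url")
        if cfg.get("signatureVerification") != "require":
            findings[name].append("metadata signature verification is not required")
        elif not cfg.get("signatureVerificationCertificate"):
            findings[name].append("no signatureVerificationCertificate set")
    return findings

# Constructed sample: placeholder values, one deliberately misspelled key.
P = "unity.saml.requester.metadataSource.edugain."
SAMPLE_TYPO = (f"{P}url=METADATAURL\n"
               f"{P}signaturVerification=require\n"
               f"{P}signatureVerificationCertificate=YOUR_CERT_FROM_PKI_PROPERTIES\n")
SAMPLE_OK = SAMPLE_TYPO.replace("signaturVerification", "signatureVerification")

if __name__ == "__main__":
    for label, text in (("typo", SAMPLE_TYPO), ("ok", SAMPLE_OK)):
        print(label, lint_metadata_sources(text))
```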