federation-web
Component description
The Contrail package contrail-federation-web provides the web interface for the federation.
It is important that https://google.contrail-idp.contrail.eu and https://federation.contrail-idp.contrail.eu resolve to the interface on which the contrail-federation-id-prov-support package was installed. This lets the web portal contact the Contrail IdP, whether installed locally or at some other address, when the IdP is enabled in the portal's configuration file. Remember, though, that the default installation assumes that *.contrail.eu addresses resolve to the Contrail installation. When installing on a machine with IP 10.1.0.127, add these lines to the /etc/hosts file:
10.1.0.127 google.contrail-idp.contrail.eu
10.1.0.127 contrail-federation-web.contrail.eu
Important: when linking the Service Provider (SP; in our case contrail-federation-web) with this IdP (contrail-federation-id-prov-support), the SP must also resolve these hostnames, e.g.:
10.1.0.127 google.contrail-idp.contrail.eu
10.1.0.127 contrail-federation-web.contrail.eu
The metadata file can of course be changed to use different names, but the SP's metadata must then be changed accordingly.
Configuration Files
Configuration files reside under
The structure under the directory should be:
/etc/hosts
By default, these lines are appended to your /etc/hosts file after the installation of the contrail-federation-web package:
127.0.0.1 google.contrail-idp.contrail.eu
127.0.0.1 contrail-federation-web.contrail.eu
This is necessary because remote_metadata.xml already has this information embedded. The hostnames must match those expected in the certificates of the contrail-federation-id-prov service.
/etc/contrail/contrail-federation-web/federation-web.conf
FEDERATION_API_URL = 'http://localhost:8080/federation-api'
SLA_EXTRACTOR_BASE = 'http://localhost:8080/rest-monitoring/sla/slaextractor'
MONITORING_BASE = 'http://localhost:8080/rest-monitoring/monitoring'
ZOOKEEPER_BASE = '127.0.0.1:2181'
ONLINE_CA_USE=False
ONLINE_CA_URI='https://one-test.contrail.rl.ac.uk:8443/ca/portaluser'
FEDERATION_WEB='http://contrail-federation-web.contrail.eu'
FEDERATION_WEB_LOCAL_METADATA='/usr/lib/contrail/federation-web/extra/remote_metadata.xml'
FEDERATION_WEB_CERT='/usr/lib/contrail/federation-web/extra/contrail-federation-web.cert'
FEDERATION_WEB_KEY='/usr/lib/contrail/federation-web/extra/contrail-federation-web.key'
FEDERATION_WEB_CA_FILE='/usr/lib/contrail/federation-web/extra/ca.crt'
TRUSTSTORE_DIR = '/etc/contrail/truststore'
SSL_USE_DELEGATED_USER_CERT=False
FEDERATION_IDP_GOOGLE='https://google.contrail-idp.contrail.eu'
FEDERATION_IDP_FEDERATION='https://federation.contrail-idp.contrail.eu'
FEDERATION_WEB_CERT and FEDERATION_WEB_KEY point to the host certificate and the private host key, respectively, of the contrail-federation-web service. Both are included in the installation and can be used for testing communication with federation-api. In a public deployment they must be replaced.
FEDERATION_WEB_CA_FILE likewise points to a test CA certificate for communication with federation-api. To use SSL between Federation-web and Federation-api, federation-api must be configured to run in secure mode. If the service is located at https://contrail-federation-api.contrail.eu:8443/federation-api, Federation Web automatically detects that SSL is needed and uses the FEDERATION_WEB_CERT, _KEY and _CA_FILE attributes.
When SSL_USE_DELEGATED_USER_CERT is set to True, the user's delegated certificate is used to communicate with federation-api instead of federation-web's host certificate. When it is False, the host certificate is used automatically.
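The two requirements above (the IdP and portal hostnames pinned in /etc/hosts, and SSL towards federation-api decided by the scheme of FEDERATION_API_URL with the cert, key and CA attributes in place) can be checked before starting the portal. The script below is an added example, not code from the Contrail project; it parses a federation-web.conf and an /etc/hosts-style text and reports what is missing. The config and hosts text embedded in it are constructed samples that reuse the values shown on this page, with FEDERATION_API_URL switched to the https address mentioned above.

```python
"""Added preflight check for a federation-web deployment (example code, not part of the
Contrail project).  It reads federation-web.conf (Python-style KEY = 'value' lines, as
shown above) plus /etc/hosts-style text and reports:
  * whether every IdP and portal hostname named in the config is pinned in /etc/hosts,
    and whether each one points at the expected interface address;
  * whether federation-api is reached over https (the scheme of FEDERATION_API_URL
    decides that) and, if so, whether cert, key and CA file are all configured;
  * which client certificate would be presented (delegated user cert or host cert);
  * whether the certificate paths still point at the packaged test material, which a
    public deployment should replace.
The config and hosts text below are constructed samples."""
import ast
from urllib.parse import urlsplit

# directory the packaged test certificates live in (path taken from the documentation)
PACKAGED_TEST_DIR = "/usr/lib/contrail/federation-web/extra/"
CERT_KEYS = ("FEDERATION_WEB_CERT", "FEDERATION_WEB_KEY", "FEDERATION_WEB_CA_FILE")
HOST_KEYS = ("FEDERATION_IDP_GOOGLE", "FEDERATION_IDP_FEDERATION", "FEDERATION_WEB")

SAMPLE_CONF = """
FEDERATION_API_URL = 'https://contrail-federation-api.contrail.eu:8443/federation-api'
FEDERATION_WEB='http://contrail-federation-web.contrail.eu'
FEDERATION_WEB_CERT='/usr/lib/contrail/federation-web/extra/contrail-federation-web.cert'
FEDERATION_WEB_KEY='/usr/lib/contrail/federation-web/extra/contrail-federation-web.key'
FEDERATION_WEB_CA_FILE='/usr/lib/contrail/federation-web/extra/ca.crt'
SSL_USE_DELEGATED_USER_CERT=False
FEDERATION_IDP_GOOGLE='https://google.contrail-idp.contrail.eu'
FEDERATION_IDP_FEDERATION='https://federation.contrail-idp.contrail.eu'
"""

# constructed /etc/hosts: the federation IdP hostname has been left out on purpose
SAMPLE_HOSTS = """
127.0.0.1 localhost
10.1.0.127 google.contrail-idp.contrail.eu   # IdP bound to this interface
10.1.0.127 contrail-federation-web.contrail.eu
"""


def parse_conf(text):
    """Parse KEY = value lines; values are Python literals, so use ast.literal_eval."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = ast.literal_eval(value.strip())
    return conf


def parse_hosts(text):
    """Map each hostname to its address; the resolver takes the first matching line."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            hosts.setdefault(name, fields[0])
    return hosts


def check_deployment(conf, hosts, expected_ip):
    """Return findings; 'problems' is empty when the deployment is consistent."""
    problems = []
    for name in sorted({urlsplit(conf[k]).hostname for k in HOST_KEYS}):
        ip = hosts.get(name)
        if ip is None:
            problems.append(f"{name} is not pinned in /etc/hosts")
        elif ip != expected_ip:
            problems.append(f"{name} resolves to {ip}, expected {expected_ip}")
    # federation-web switches to SSL purely on the scheme of FEDERATION_API_URL
    api_ssl = urlsplit(conf["FEDERATION_API_URL"]).scheme == "https"
    if api_ssl:
        problems += [f"{k} must be set for an https federation-api"
                     for k in CERT_KEYS if not conf.get(k)]
    client_cert = ("delegated user certificate" if conf.get("SSL_USE_DELEGATED_USER_CERT")
                   else "host certificate")
    test_material = [k for k in CERT_KEYS
                     if str(conf.get(k, "")).startswith(PACKAGED_TEST_DIR)]
    return {"api_ssl": api_ssl, "client_cert": client_cert,
            "test_material": test_material, "problems": problems}


if __name__ == "__main__":
    report = check_deployment(parse_conf(SAMPLE_CONF), parse_hosts(SAMPLE_HOSTS), "10.1.0.127")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real files by replacing the two sample strings with the contents of /etc/contrail/contrail-federation-web/federation-web.conf and /etc/hosts; the expected address is the interface the IdP package was bound to. The sample run reports that federation.contrail-idp.contrail.eu is not pinned, which is exactly the hostname the /etc/hosts examples on this page omit, and lists all three certificate attributes as still pointing at the packaged test material.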
/usr/lib/contrail/federation-web/extra/remote_metadata.xml
The content does not need to change if we are only testing the installation. When setting up a public environment, the hostnames and certificates must change. The default content is tied to the certificates already provided by the installation procedure of the contrail-federation-web and contrail-federation-id-prov-support packages. If the hostnames, and therefore the certificates, of these services change, remote_metadata.xml must be updated accordingly. The default content of remote_metadata.xml is:
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://google.contrail-idp.contrail.eu/simplesaml/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://google.contrail-idp.contrail.eu/simplesaml/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://google.contrail-idp.contrail.eu/simplesaml/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>Contrail</md:GivenName>
<md:SurName>admin</md:SurName>
<md:EmailAddress>ales.cernivec@xlab.si</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://federation.contrail-idp.contrail.eu/simplesaml/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://federation.contrail-idp.contrail.eu/simplesaml/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://federation.contrail-idp.contrail.eu/simplesaml/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>Contrail</md:GivenName>
<md:SurName>admin</md:SurName>
<md:EmailAddress>ales.cernivec@xlab.si</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
</md:EntitiesDescriptor>
Federation Web As Shibboleth SP
Here we describe how to set up the federation-web portal as a Shibboleth Service Provider. First, you need to register SAML2 metadata with a Shibboleth IdP. In this setup we use the testshib.org portal, where you can easily upload your portal's metadata to register the portal with the IdP.
Get federation-web's metadata
Navigate to https://contrail-federation-web.contrail.eu/saml2/metadata/ and save the page as an XML file, e.g. shibb.xml.
Register the metadata with IdP
Upload shibb.xml to the IdP at https://www.testshib.org/metadata.html.
Get IdP's metadata
Each IdP publishes its metadata online; https://idp.testshib.org/idp/shibboleth is the metadata of the testshib portal.
Register the IdP's metadata with federation-web
Append this metadata to federation-web's collection of IdP metadata, which is stored in the file that the FEDERATION_WEB_LOCAL_METADATA variable in federation-web's configuration file points to. Add the IdP's metadata as an EntityDescriptor entry in that XML file. By default the metadata is stored here:
FEDERATION_WEB_LOCAL_METADATA='/usr/lib/contrail/federation-web/extra/remote_metadata.xml'
You also need to add the IdP's access point. Edit this file: /usr/lib/contrail/federation-web/src/federweb/settings/__init__.py. Add an entry for 'https://idp.testshib.org/idp/shibboleth':
...
# this block states what services we provide
'service': {
    ...
    # in this section the list of IdPs we talk to is defined
    'idp': {
        ...
        'https://idp.testshib.org/idp/shibboleth': {
            'single_sign_on_service': {
                saml2.BINDING_HTTP_REDIRECT: 'https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO',
            },
        },
        ...
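The editing steps above (keeping remote_metadata.xml consistent with the IdP hostnames and certificates, appending a new EntityDescriptor for a Shibboleth IdP, and mirroring its SSO endpoint in the settings file) can be done with a small tool instead of by hand. The script below is an added example, not code from the Contrail project: it lists the IdPs in the metadata file, flags an IdP with no signing certificate or with endpoints whose hostname differs from its entityID (the usual sign of a half-finished hostname change), appends a new EntityDescriptor while refusing duplicate entityIDs, and derives the 'idp' settings entry from the same metadata. The metadata in it is a constructed sample with placeholder certificate bodies; the testshib entityID and SSO location are the ones named on this page.

```python
"""Added example (not Contrail project code) for the SAML metadata file that
FEDERATION_WEB_LOCAL_METADATA points to.  It lists the IdPs in the file, flags the
inconsistencies the page warns about (hostname changed in one place but not another,
missing signing certificate), appends a new IdP's EntityDescriptor the way the
Shibboleth registration step requires, and derives the 'idp' entry for the pysaml2
settings file from the same metadata.  All metadata below is a constructed sample:
certificate bodies are placeholders, the second Contrail IdP is deliberately broken."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # value of saml2.BINDING_HTTP_REDIRECT
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the md:/ds: prefixes when writing the file back

SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
 <md:EntityDescriptor entityID="https://google.contrail-idp.contrail.eu/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleLogoutService Binding="{BINDING_HTTP_REDIRECT}" Location="https://google.contrail-idp.contrail.eu/simplesaml/saml2/idp/SingleLogoutService.php"/>
   <md:SingleSignOnService Binding="{BINDING_HTTP_REDIRECT}" Location="https://google.contrail-idp.contrail.eu/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://federation.contrail-idp.contrail.eu/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="{BINDING_HTTP_REDIRECT}" Location="https://old-idp.example/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# minimal descriptor for the testshib IdP (constructed; only the endpoints the page names)
SAMPLE_SHIB_IDP = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://idp.testshib.org/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{BINDING_HTTP_REDIRECT}" Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def load(xml_text):
    return ET.fromstring(xml_text)


def list_idps(root):
    """One record per EntityDescriptor that carries an IDPSSODescriptor."""
    out = []
    for ent in root.findall("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only descriptors are not IdPs
        # a KeyDescriptor without 'use' serves both signing and encryption
        signing = any(kd.get("use") in (None, "signing")
                      and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
                      for kd in idp.findall("md:KeyDescriptor", NS))
        out.append({
            "entity_id": ent.get("entityID"),
            "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
            "slo": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)},
            "has_signing_key": signing,
        })
    return out


def check_idps(root):
    """Findings a deployer should fix before the portal trusts this file."""
    problems = []
    for idp in list_idps(root):
        eid, host = idp["entity_id"], urlsplit(idp["entity_id"]).hostname
        if not idp["has_signing_key"]:
            problems.append(f"{eid}: no signing certificate, so its responses cannot be verified")
        if BINDING_HTTP_REDIRECT not in idp["sso"]:
            problems.append(f"{eid}: no HTTP-Redirect SingleSignOnService")
        for loc in list(idp["sso"].values()) + list(idp["slo"].values()):
            if urlsplit(loc).hostname != host:  # usually a half-done hostname change
                problems.append(f"{eid}: endpoint {loc} names a different host than the entityID")
    return problems


def register_idp(root, entity_xml):
    """Append a new EntityDescriptor; a duplicate entityID would be ambiguous for the SP."""
    new = ET.fromstring(entity_xml)
    if new.get("entityID") in {e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)}:
        raise ValueError(f"{new.get('entityID')} is already registered")
    root.append(new)
    return root


def settings_entry(root, entity_id):
    """The dict that goes under 'service' -> 'idp' in federweb/settings/__init__.py."""
    for idp in list_idps(root):
        if idp["entity_id"] == entity_id:
            return {entity_id: {"single_sign_on_service":
                                {BINDING_HTTP_REDIRECT: idp["sso"][BINDING_HTTP_REDIRECT]}}}
    raise KeyError(entity_id)


if __name__ == "__main__":
    root = load(SAMPLE_METADATA)
    for problem in check_idps(root):
        print("WARN", problem)
    register_idp(root, SAMPLE_SHIB_IDP)
    print(settings_entry(root, "https://idp.testshib.org/idp/shibboleth"))
    print(ET.tostring(root, encoding="unicode"))  # what you would write back to remote_metadata.xml
```

For a real run, read remote_metadata.xml into load(), pass the IdP's downloaded metadata document to register_idp(), and write ET.tostring(root, encoding="unicode") back to the file; the dict returned by settings_entry() is the entry to paste under 'idp' in the settings file. The sample run warns twice about the deliberately broken federation IdP (no signing certificate, SSO endpoint on a different host) and nothing about the others.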
Test the authentication
Navigate to https://contrail-federation-web.contrail.eu and log in through the Shibboleth IdP.