[WIP] BOSH Release for shibboleth
This is a WIP identity provider suitable for use as a SAML provider in CloudFoundry.
Configuring the IdP tomcat instance
By default, Tomcat is configured to use SSL with a self-signed certificate and listens on port 8443.
Using your own certificate
Add the following properties to a file called
```yaml
---
properties:
  idp:
    sslCertificate: | # Specifies your SSL certificate
      -----BEGIN CERTIFICATE-----
      YOUR CERT HERE
      -----END CERTIFICATE-----
    sslPrivateKey: | # Specifies your private key. The key must be a passphrase-less key.
      -----BEGIN RSA PRIVATE KEY-----
      YOUR KEY HERE
      -----END RSA PRIVATE KEY-----
```
Generating a self-signed certificate
- Generate your private key with any passphrase

```sh
openssl genrsa \
  -aes256 \
  -out server.key \
  1024
```

- Remove the passphrase from the key

```sh
openssl rsa \
  -in server.key \
  -out server.key
```

- Generate a certificate signing request for the CA (`-x509` is deliberately not passed here: with it, `openssl req` would emit a certificate instead of a request)

```sh
openssl req -sha256 -new -key server.key -out server.csr
```

- Generate the self-signed certificate with a 365-day expiry (`-req` tells `openssl x509` that the input is a CSR rather than a certificate)

```sh
openssl x509 \
  -req \
  -sha256 \
  -days 365 \
  -in server.csr \
  -signkey server.key \
  -out selfsigned.crt
```
Create the SAML Signing Key and Certificate
The main key underlying most IdPs is the digital signing key. This is a private key used to sign SAML messages. The certificate is just a convenient container for the public key. In Shibboleth, or any compliant SAML system, the content of the certificate other than the key is totally ignored.
Protect your private signing key! Make no mistake, a compromised signing key allows anybody with the key to impersonate your IdP and by extension all of its users.
- Generate your SAML signing key and certificate

```sh
openssl req -new \
  -x509 \
  -nodes \
  -newkey rsa:2048 \
  -keyout key.pem \
  -days 365 \
  -subj '/CN=hostname.example.org' \
  -out cert.pem
```
Add the following properties to the
Do NOT include the `-----BEGIN RSA PRIVATE KEY-----` or `-----END RSA PRIVATE KEY-----` lines for the keys, nor the `-----BEGIN CERTIFICATE-----` or `-----END CERTIFICATE-----` lines for the certs; only the base64 body between the armor lines goes into the properties.
```yaml
---
properties:
  idp:
    signing:
      key: | # Specifies your private SAML signing key
        YOUR KEY HERE
      cert: | # Specifies your public SAML certificate.
        YOUR CERT HERE
    encryption:
      key: | # Specifies your private SAML encryption key
        YOUR KEY HERE
      cert: | # Specifies your public SAML encryption certificate.
        YOUR CERT HERE
```
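Stripping the armor lines by hand is error-prone, so here is an added helper script (not part of shibboleth-boshrelease) that generates both the signing and the encryption key pair with `openssl` and prints the `idp.signing` / `idp.encryption` fragment above with the armor removed. It assumes `openssl` is on the PATH, that the release re-wraps each key body in the `RSA PRIVATE KEY` armor shown above (so the key is converted to PKCS#1 form first; newer OpenSSL versions write PKCS#8 by default), and the CN and output file name are constructed values.

```sh
#!/bin/sh
# Added example, not part of the shibboleth-boshrelease: build the secrets
# YAML fragment for idp.signing and idp.encryption from freshly generated keys.
# Assumes openssl on PATH and that the release re-adds the RSA PRIVATE KEY
# armor, so keys are converted to PKCS#1 before their armor is stripped.
set -eu

# Read PEM on stdin, drop the BEGIN/END armor lines and indent every
# remaining line by $1 so it can sit inside a YAML block scalar.
pem_body() {
  grep -v -- '^-----' | sed "s/^/$1/"
}

# Print the label of the first PEM object on stdin, e.g. "RSA PRIVATE KEY".
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# Generate a 2048-bit key and self-signed cert for role $1 with CN $2, then
# rewrite the key as PKCS#1 if OpenSSL emitted PKCS#8 ("PRIVATE KEY").
gen_keypair() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -keyout "$1-key.pem" \
    -days 365 -subj "/CN=$2" -out "$1-cert.pem" 2>/dev/null
  if [ "$(pem_label < "$1-key.pem")" != "RSA PRIVATE KEY" ]; then
    # OpenSSL 3 needs -traditional; older releases write PKCS#1 without it
    openssl rsa -traditional -in "$1-key.pem" -out "$1-key.pem" 2>/dev/null ||
      openssl rsa -in "$1-key.pem" -out "$1-key.pem" 2>/dev/null
  fi
  [ "$(pem_label < "$1-key.pem")" = "RSA PRIVATE KEY" ] ||
    { echo "could not produce a PKCS#1 key for $1" >&2; return 1; }
}

# Emit the properties fragment for both pairs on stdout; $1 = CN.
emit_secrets() {
  printf '%s\n' '---' 'properties:' '  idp:'
  for role in signing encryption; do
    gen_keypair "$role" "$1"
    printf '    %s:\n      key: |\n' "$role"
    pem_body '        ' < "$role-key.pem"
    printf '      cert: |\n'
    pem_body '        ' < "$role-cert.pem"
  done
}

# Usage: sh make-saml-secrets.sh idp.example.org > my-secrets.yml
if [ "${1-}" ]; then
  emit_secrets "$1"
fi
```

The private key files it leaves behind (`signing-key.pem`, `encryption-key.pem`) are the IdP's identity; keep them out of version control along with the generated secrets file.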
You now suffix this file path to the

```sh
./templates/make_manifest warden my-secrets.yml
bosh -n deploy
```
- The property `idp.port` can't be set to `8989` because this port is used by BOSH to monitor the server.
Using the UAA database with shibboleth for authentication
For more information on how to leverage a UAA database, please see the cg-deploy-shibboleth documentation which leverages this release.
To use this BOSH release, first upload it to your BOSH director:

```sh
bosh target <BOSH_HOST>
git clone https://github.com/cloudfoundry-community/shibboleth-boshrelease.git
cd shibboleth-boshrelease
bosh upload release ./releases/shibboleth/shibboleth-1.yml
```
```sh
./templates/make_manifest warden
bosh -n deploy
```
For AWS EC2, create a single VM:
```sh
./templates/make_manifest aws-ec2
bosh -n deploy
```
Override security groups
For AWS and OpenStack, the default deployment assumes there is a
security group. If you wish to use a different security group (or groups), you can
pass in additional configuration when running
Create a file
```yaml
---
networks:
  - name: shibboleth1
    type: dynamic
    cloud_properties:
      security_groups:
        - <SECURITY_GROUP_NAME>
```
You now suffix this file path to the

```sh
./templates/make_manifest openstack-nova my-networking.yml
bosh -n deploy
```
As a developer of this release, create new releases and upload them:
```sh
bosh create release --force && \
  bosh -n upload release
```
To share final releases:
```sh
bosh create release --final
```
By default the version number will be bumped to the next major number. You can specify alternate versions:
```sh
bosh create release --final --version 2.1
```