This is a WIP identity provider suitable for use as a SAML provider in CloudFoundry.
By default Tomcat is configured to use SSL with a self-signed certificate and is started on port 8443.
Add the following properties to a file called my-secrets.yml:

```yaml
---
properties:
  idp:
    sslCertificate: | # Specifies your SSL certificate
      -----BEGIN CERTIFICATE-----
      YOUR CERT HERE
      -----END CERTIFICATE-----
    sslPrivateKey: | # Specifies your private key. The key must be a passphrase-less key.
      -----BEGIN RSA PRIVATE KEY-----
      YOUR KEY HERE
      -----END RSA PRIVATE KEY-----
```
- Generate your private key with any passphrase

```shell
# 1024-bit RSA is below current minimums; use 2048 or larger for a real deployment
openssl genrsa \
  -aes256 \
  -out server.key \
  1024
```

- Remove the passphrase from the key

```shell
openssl rsa \
  -in server.key \
  -out server.key
```

- Generate a certificate signing request (CSR) for the CA

```shell
# no -x509 here: with it, openssl req emits a self-signed certificate instead of a CSR
openssl req -sha256 -new -key server.key -out server.csr
```

- Generate a self-signed certificate with a 365-day expiry time

```shell
# -req tells openssl x509 that its input is a CSR rather than a certificate
openssl x509 \
  -req \
  -sha256 \
  -days 365 \
  -in server.csr \
  -signkey server.key \
  -out selfsigned.crt
```
The main key underlying most IdPs is the digital signing key. This is a private key used to sign SAML messages. The certificate is just a convenient container for the public key. In Shibboleth, or any compliant SAML system, the content of the certificate other than the key is totally ignored.
Protect your private signing key! Make no mistake, a compromised signing key allows anybody with the key to impersonate your IdP and by extension all of its users.
- Generate your SAML signing key and certificate

```shell
openssl req -new \
  -x509 \
  -nodes \
  -newkey rsa:2048 \
  -keyout key.pem \
  -days 365 \
  -subj '/CN=hostname.example.org' \
  -out cert.pem
```
Add the following properties to the my-secrets.yml file:

```yaml
---
properties:
  idp:
    signing:
      key: | # Specifies your private SAML signing key
        YOUR KEY HERE
      cert: | # Specifies your public SAML certificate.
        YOUR CERT HERE
    encryption:
      key: | # Specifies your private SAML encryption key
        YOUR KEY HERE
      cert: | # Specifies your public SAML encryption certificate.
        YOUR CERT HERE
```
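The two my-secrets.yml fragments above (the Tomcat SSL pair and the SAML signing and encryption pairs) share a pitfall: every PEM line must sit two spaces deeper than the `|` key, otherwise the block scalar is empty or the file fails to parse, and the keys must have no passphrase. The following script, an added example and not part of shibboleth-boshrelease, assembles the complete file from six PEM files and refuses an encrypted key. The file names and the placeholder PEM bodies are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the shibboleth-boshrelease repository: assembles
# my-secrets.yml from PEM files so each block scalar is indented correctly, and
# refuses passphrase-protected keys, which the release cannot load. File names and
# the placeholder PEM bodies below are constructed for this example.
set -eu

# Emit FILE as a YAML block scalar named KEY at INDENT spaces with COMMENT.
# Fails unless the file is one PEM object and, for keys, is not encrypted.
pem_scalar() {
  key=$1; file=$2; indent=$3; comment=$4
  pad=$(printf "%${indent}s" '')
  first=$(head -n 1 "$file")
  last=$(sed '/^$/d' "$file" | tail -n 1)
  case $first in "-----BEGIN "*"-----") ;; *) echo "$file: not a PEM file" >&2; return 1 ;; esac
  case $last  in "-----END "*"-----")   ;; *) echo "$file: missing END line" >&2; return 1 ;; esac
  # legacy PEM marks encryption with a Proc-Type header, PKCS#8 with its BEGIN line
  if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$file"; then
    echo "$file: passphrase-protected key; strip it with 'openssl rsa' first" >&2
    return 1
  fi
  printf '%s%s: | # %s\n' "$pad" "$key" "$comment"
  # body goes two spaces deeper than the key so YAML keeps it inside the scalar
  sed '/^$/d' "$file" | sed "s/^/$pad  /"
}

# Write the full secrets file to stdout from six PEM files.
build_secrets() {
  ssl_cert=$1; ssl_key=$2; sig_cert=$3; sig_key=$4; enc_cert=$5; enc_key=$6
  echo '---'
  echo 'properties:'
  echo '  idp:'
  pem_scalar sslCertificate "$ssl_cert" 4 'Tomcat SSL certificate'                 || return 1
  pem_scalar sslPrivateKey  "$ssl_key"  4 'Tomcat SSL key, must be passphrase-less' || return 1
  echo '    signing:'
  pem_scalar key  "$sig_key"  6 'private SAML signing key'                           || return 1
  pem_scalar cert "$sig_cert" 6 'public SAML signing certificate'                    || return 1
  echo '    encryption:'
  pem_scalar key  "$enc_key"  6 'private SAML encryption key'                        || return 1
  pem_scalar cert "$enc_cert" 6 'public SAML encryption certificate'                 || return 1
}

# Constructed placeholder PEM files for a stand-alone run (not real keys).
write_sample_pems() {
  dir=$1
  for n in ssl sig enc; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$n-CERT-BODY" \
      '-----END CERTIFICATE-----' > "$dir/$n.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "PLACEHOLDER-$n-KEY-BODY" \
      '-----END RSA PRIVATE KEY-----' > "$dir/$n.key"
  done
  # a legacy-format encrypted key, to exercise the rejection path
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' 'PLACEHOLDER-ENCRYPTED-BODY' \
    '-----END RSA PRIVATE KEY-----' > "$dir/encrypted.key"
}

# Build from the sample files and print the YAML.
# Usage with real files: build_secrets ssl.crt ssl.key sig.crt sig.key enc.crt enc.key > my-secrets.yml
demo_build_secrets() {
  work=$(mktemp -d)
  write_sample_pems "$work"
  build_secrets "$work/ssl.crt" "$work/ssl.key" "$work/sig.crt" "$work/sig.key" \
    "$work/enc.crt" "$work/enc.key"
  rm -rf "$work"
}

case "${1:-}" in run) demo_build_secrets ;; esac
```

Generating the file rather than hand-editing it keeps the indentation right for all six scalars, and the encrypted-key check fails the build on the operator's machine instead of surfacing as an unreadable key after `bosh deploy`.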
You now suffix this file path to the make_manifest command:

```shell
./templates/make_manifest warden my-secrets.yml
bosh -n deploy
```
- The property `idp.port` can't be set to 8989 because that port is used by BOSH to monitor the server.
For more information on how to use a UAA database, see the cg-deploy-shibboleth documentation, which builds on this release.
To use this BOSH release, first upload it to your BOSH director:

```shell
bosh target <BOSH_HOST>
git clone https://github.com/cloudfoundry-community/shibboleth-boshrelease.git
cd shibboleth-boshrelease
bosh upload release ./releases/shibboleth/shibboleth-1.yml
```
For bosh-lite, you can quickly create a deployment manifest & deploy a cluster. Note that this requires that you have installed spruce.

```shell
./templates/make_manifest warden
bosh -n deploy
```

For AWS EC2, create a single VM:

```shell
./templates/make_manifest aws-ec2
bosh -n deploy
```
For AWS & OpenStack, the default deployment assumes there is a default security group. If you wish to use a different security group (or groups) then you can pass in additional configuration when running make_manifest above.

Create a file my-networking.yml:

```yaml
---
networks:
  - name: shibboleth1
    type: dynamic
    cloud_properties:
      security_groups:
        - <SECURITY_GROUP_NAME>
```

You now suffix this file path to the make_manifest command:

```shell
./templates/make_manifest openstack-nova my-networking.yml
bosh -n deploy
```
As a developer of this release, create new releases and upload them:

```shell
bosh create release --force && \
  bosh -n upload release
```

To share final releases:

```shell
bosh create release --final
```

By default the version number will be bumped to the next major number. You can specify alternate versions:

```shell
bosh create release --final --version 2.1
```