Skip to content

rohe/pysfemma

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
attributemaps
attributemaps
 
 
templates
templates
 
 
tools
tools
 
 
INSTALL
INSTALL
 
 
InCommon-metadata.xml
InCommon-metadata.xml
 
 
LICENSE
LICENSE
 
 
README
README
 
 
no_working.incommon
no_working.incommon
 
 
pysfemma.py
pysfemma.py
 
 
settings.cfg
settings.cfg
 
 
swamid-2.0.xml
swamid-2.0.xml
 
 
swamid.crt
swamid.crt
 
 
update.bat
update.bat
 
 

Repository files navigation

FEderation Metadata Manager for ADFS (femma) is a script that parses a
(Shibboleth) federation metadata XML content and creates a pool
of metadata files and a powershell script in order to automatically
configure and update an Active Directory Federation Services
STS (Security Token Service).

This is the pySAML2 version.

pysFemma works on Python 2.7 and depends on pySAML2.

Installation
------------
pysFemma is intended to be used on a Windows platform where the ADFSv2
service is installed. These packages have to be installed:
- python2.7.5:
  http://www.python.org/ftp/python/2.7.5/python-2.7.5.msi
- pySAML2:
  https://github.com/rohe/pysaml2/archive/master.zip

Documentation
-------------
This script is intended to automate membership configuration of an ADFS
STS in a SAML2 based Identity Federation. In fact ADFS is not able to handle
metadata with more than one EntityDescriptor element. A workaround to this
limit is to download the metadata, split it for each member, create the
associated ruleset file and generate a powershell script to be executed
in order to import metadata and apply the associated ruleset.

First of all, customize the context-based variables at the beginning of settings.cfg:
- idpEntityID: your identity provider entityID
- myClaimType: namespace for issued claims by the custom rules
- fedNamePrefix: a short name of your federation, every Relying Party Trust in
                 ADFS will be prefixed with this string
- entityCategories: If your federation uses entity categories you should list
    them here.

Modify the shipped update.bat script to match your configuration and execute it
(as administrator). This batch file creates 2 directories, one with metadata
files, one with ruleset files and a powershell script (update_metadata_rptrust.ps1)
that use them in order to update your relying party trust configuration.
You can create a scheduled task to run it regularly to update RP trust in your
federation. If you have more than one STS you must install and configure femma
and the scheduled task on each server, the powershell script will detect if
it's running on the primary server and exit otherwise.
The temporary directory and files are cleaned after the execution of the
powershell script.

For your convenience is also included a little script (adfs2fed.py) that
converts ADFS metadata to a correct SAML2 format, it can be used by you to
submit updated metadata or by your federation technical staff to regularly
update the metadata.

Configuration file
------------------
You can customize the settings.cfg in order to inform femma about which Service Provider
entityID have to be ignored (i.e. if there are configuration problem as certificate duplication).
To do that you have to uncomment [ExcludeEntityID] section and list your blacklisted
entityID as:
key1=http://example.com
key2=http://newexample.com

Femma already skips Service Providers that that do not support SAML2 or that do not provide
AssertionConsumerService via HTTPS protocol.

With settings.cfg you may also configure custom rule for selected Service Providers.
The rule must be provided in a rule file into the 'customRules' directory, with this naming
convention:
rule_rulename1.tpl
rule_rulename2.tpl

And in settings.cfg, uncomment the [ServiceProviderAttributes] section with this syntax:
SPentityID=rulename1,rulename2

Examples:
moodle-shib.unimore.it/sp=persistent,eppn,sn,givenName,mail
vconf.garr.it/shibboleth=persistent,givenName,mail,sn,rulename1

In the template directory are already provided some of the most common rules.

Known Bugs
----------
- Only service providers are managed
- Every time the powershell script is executed all federation relying party are
  deleted and then recreated (slow if the federation has many members)
- Ruleset templates are intended for use with the Italian IDEM Federation, you need
  to customize them to your needs
- xml signature is not verified

Importing local metadata file:

./pysfemma.py -x /opt/local/bin/xmlsec1 -f swamid-2.0.xml

remote metadata

./pysfemma.py -x /opt/local/bin/xmlsec1 -u http://md.swamid.se/md/swamid-2.0.xml \
    -c swamid.crt
This file was modified by PyCharm 2.7.3 for binding GitHub repository

About

No description, website, or topics provided.

Resources

Readme

License

View license
Activity

Stars

6 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages