„VidyoPortal SSP” változatai közötti eltérés
(autosave) |
a (→Configure the SP part) |
||
| (4 közbenső módosítás ugyanattól a szerkesztőtől nincs mutatva) | |||
| 2. sor: | 2. sor: | ||
At the time of writing, SAML is supported for a single tenant, ie. one single Identity Provider can be configured in VidyoPortal. This means that in order to make Vidyo as a federated service, a SAML gateway should be configured to provide access for institutional users. In this guide, SimpleSAMLphp will be used as a gateway. | At the time of writing, SAML is supported for a single tenant, ie. one single Identity Provider can be configured in VidyoPortal. This means that in order to make Vidyo as a federated service, a SAML gateway should be configured to provide access for institutional users. In this guide, SimpleSAMLphp will be used as a gateway. | ||
| + | |||
== Install SimpleSAMLphp == | == Install SimpleSAMLphp == | ||
| 8. sor: | 9. sor: | ||
You will need to configure SSP both as an IdP (in the direction of VidyoPortal) and an SP (for the federation). | You will need to configure SSP both as an IdP (in the direction of VidyoPortal) and an SP (for the federation). | ||
| − | == Configure | + | == Configure the IdP part == |
| + | Your proxy will be an IdP from the point of view of the VideoPortal. The IdP will use the SP part for authentication, thus you can login to the proxy by the federation. | ||
Enable SAML2 IdP functionality in <code>config/config.php</code>: | Enable SAML2 IdP functionality in <code>config/config.php</code>: | ||
| 17. sor: | 19. sor: | ||
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out idp.crt -keyout idp.pem | openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out idp.crt -keyout idp.pem | ||
| − | + | Edit ''metadata/saml20-idp-hosted.php'' as the following: | |
'auth' => 'default-sp', | 'auth' => 'default-sp', | ||
'privatekey' => 'idp.key', | 'privatekey' => 'idp.key', | ||
| 24. sor: | 26. sor: | ||
200 => array('class' => 'core:AttributeMap', 'oid2name'), | 200 => array('class' => 'core:AttributeMap', 'oid2name'), | ||
), | ), | ||
| + | |||
| + | It is recommended to configure VidyoPortal by using friendly attribute names (you don't want to write OIDs), therefore use the built-in <code>oid2name</code> ''AttributeMap'' for the transformation of attribute names. | ||
Retrieve VidyoPortal metadata from the portal administration interface and save it as ''metadata/vidyo-sp.xml''. It needs to be referenced from ''config/config.php'': | Retrieve VidyoPortal metadata from the portal administration interface and save it as ''metadata/vidyo-sp.xml''. It needs to be referenced from ''config/config.php'': | ||
| 36. sor: | 40. sor: | ||
* IdP Metadata XML: you can retrieve it from https://path.to.simplesaml.tld/saml2/idp/metadata.php | * IdP Metadata XML: you can retrieve it from https://path.to.simplesaml.tld/saml2/idp/metadata.php | ||
* SAML Provision type: '''SAML''' (automatic provisioning) | * SAML Provision type: '''SAML''' (automatic provisioning) | ||
| + | [[File:VidyoAdmin1.png]] | ||
| − | + | === Set Vidyo user parameters === | |
| − | + | Click on ''Edit IdP Attribute Mapping...'' for mapping the IdP attributes to Vidyo user parameters | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | The interface is pretty self-explanatory. You can edit which SAML IdP attributes can be mapped to certain Vidyo parameters. | |
| − | |||
| + | [[File:VidyoAdmin2.png]] | ||
| − | + | For some attributes it is possible to define value mapping as well. It might be useful for group and type information. You can define static string matches here. | |
| − | + | [[File:VidyoAdmin3.png]] | |
| + | == Configure the SP part == | ||
| − | + | In the IdP configuration, you have referenced an authsource called ''default-sp''. If you configure a SimpleSAMLphp SP with this identifier, the IdP settings above will direct your users to their home IdP. | |
| − | + | For SP configuration, please follow your federation's guides or use [https://simplesamlphp.org/docs/stable/simplesamlphp-sp SimpleSAMLphp documentation] as a reference. Basically you will need to perform the following: | |
| − | + | * generate a key and a certificate for the proxy (SP) and configure SSP to use them; | |
| − | + | * register the proxy in your federation: | |
| − | + | ** you will need to use the SP certificate here; | |
| − | + | ** your attribute requirements depend on what attributes you have configured in Vidyo previously; | |
| − | + | * configure the SP to refresh federation (or eduGAIN) metadata regularly by using ''[https://simplesamlphp.org/docs/stable/simplesamlphp-automated_metadata metarefresh]'' | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | '' | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
A lap jelenlegi, 2015. november 4., 10:54-kori változata
Since version 3.0, Vidyo has enabled support for SAML in VidyoPortal. They do not rely on existing SAML middleware (such as Shibboleth or SimpleSAMLphp) but they manage SAML directly.
At the time of writing, SAML is supported for a single tenant, ie. one single Identity Provider can be configured in VidyoPortal. This means that in order to make Vidyo as a federated service, a SAML gateway should be configured to provide access for institutional users. In this guide, SimpleSAMLphp will be used as a gateway.
Tartalomjegyzék
Install SimpleSAMLphp
The installation of SimpleSAMLphp software is covered in its documentation.
You will need to configure SSP both as an IdP (in the direction of VidyoPortal) and an SP (for the federation).
Configure the IdP part
Your proxy will be an IdP from the point of view of the VideoPortal. The IdP will use the SP part for authentication, thus you can login to the proxy by the federation.
Enable SAML2 IdP functionality in config/config.php:
'enable.saml20-idp' => true,
Generate a key and a long-living self-signed certificate for the IdP and place it in the cert directory as idp.key and idp.crt
cd cert openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out idp.crt -keyout idp.pem
Edit metadata/saml20-idp-hosted.php as the following:
'auth' => 'default-sp',
'privatekey' => 'idp.key',
'certificate' => 'idp.crt',
'authproc' => array(
200 => array('class' => 'core:AttributeMap', 'oid2name'),
),
It is recommended to configure VidyoPortal by using friendly attribute names (you don't want to write OIDs), therefore use the built-in oid2name AttributeMap for the transformation of attribute names.
Retrieve VidyoPortal metadata from the portal administration interface and save it as metadata/vidyo-sp.xml. It needs to be referenced from config/config.php:
'metadata.sources' => array(
...
array('type' => 'xml', 'file' => 'metadata/vidyo-sp.xml'), // vidyo sp
... ),
Configure VidyoPortal to use SAML
In the portal the following should be set:
- Authentication Type: SAML
- IdP Metadata XML: you can retrieve it from https://path.to.simplesaml.tld/saml2/idp/metadata.php
- SAML Provision type: SAML (automatic provisioning)
Set Vidyo user parameters
Click on Edit IdP Attribute Mapping... for mapping the IdP attributes to Vidyo user parameters
The interface is pretty self-explanatory. You can edit which SAML IdP attributes can be mapped to certain Vidyo parameters.
For some attributes it is possible to define value mapping as well. It might be useful for group and type information. You can define static string matches here.
Configure the SP part
In the IdP configuration, you have referenced an authsource called default-sp. If you configure a SimpleSAMLphp SP with this identifier, the IdP settings above will direct your users to their home IdP.
For SP configuration, please follow your federation's guides or use SimpleSAMLphp documentation as a reference. Basically you will need to perform the following:
- generate a key and a certificate for the proxy (SP) and configure SSP to use them;
- register the proxy in your federation:
- you will need to use the SP certificate here;
- your attribute requirements depend on what attributes you have configured in Vidyo previously;
- configure the SP to refresh federation (or eduGAIN) metadata regularly by using metarefresh
