This repository has been archived on 2023-02-21. You can view files and clone it, but cannot push or open issues or pull requests.
===========
IdPC Manual
===========

:Author: Frederic Peters
:Contact: fpeters@entrouvert.com
:date: $Date$
:revision: $Revision$
:copyright: Copyright © 2004 Entr'ouvert

.. contents:: Table of Contents
.. section-numbering::

Introduction
============

IdPC is an implementation of a `Liberty Alliance`_ Identity Provider in the form
of several CGI C programs.

It supports the following ID-FF 1.2 profiles:

- Single Sign-On and Federation (Liberty Artifact and Liberty-Enabled Client
  and Proxy)
- Single Logout (SOAP, initiated by SP)
- Federation Termination (SOAP, initiated by SP)

It will complete existing profiles and implement other core profiles in the
future.

IdPC can authenticate users through several means including HTTP authentication
and client certificates.

Download
========

IdPC releases can be downloaded from
http://labs.libre-entreprise.org/project/showfiles.php?group_id=55

Development code is available using CVS::

    export CVSROOT=:pserver:anonymous@cvs.labs.libre-entreprise.org:/cvsroot/idpc
    cvs login        # press enter
    cvs -z3 checkout idpc

.. _INSTALL:

.. include:: ../INSTALL

IdPC Configuration
==================

IdPC needs a configuration file to work; its location depends on compilation
options. IdPC will tell you the correct path if you call one of the CGIs with
the ``--help`` argument::

    $ /usr/lib/cgi-bin/idpc/soapEndpoint --help
    This is IdPC; it is meant to be used as a CGI
    Config file should be installed as:
      /etc/idpc/config.xml

The configuration file must be a valid XML file; its root element should be
named "idpc" and placed in the namespace
``http://www.entrouvert.org/namespaces/idpc``. The following elements are
recognised:

metadataFilePath:
    path to the Liberty Alliance IdP metadata file
idpPublicKey:
    path to the IdP public key (PEM encoded)
idpPrivateKey:
    path to the IdP private key (PEM encoded)
idpCertificate:
    path to the IdP certificate (PEM encoded) (?)
serviceProvider:
    element that should contain three other elements: metadataFilePath,
    spPublicKey and spCaCertificate. You can of course have more than one
    <serviceProvider> element.
authenticationMethod:
    authentication method to use, detailed below
reauthenticationDelay:
    the time at, or after which, the service provider must reauthenticate
    the user against the IdP (in seconds; default is 7200, i.e. 2 hours)
dbhost:
    hostname where the IdPC database is installed (optional)
dbport:
    port where the IdPC database is listening (optional)
dbname:
    name of the IdPC database
dblogin:
    login to connect to the IdPC database
dbpassword:
    password to connect to the IdPC database
ocspUrl:
    URL to the OCSP service for certificate validation (optional)
ocspIssuer:
    path to the OCSP issuer certificate (PEM encoded)

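
As an added example (not a file shipped with IdPC), here is what a complete
``/etc/idpc/config.xml`` built from the option list above could look like.
The element nesting is inferred from that list and every path, host and
password value is a placeholder to be replaced with your own; the database
name and login match the PostgreSQL access line shown later in this manual.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example config.xml for IdPC. Element nesting is assumed from the
     option list in the manual; all paths and values are placeholders. -->
<idpc xmlns="http://www.entrouvert.org/namespaces/idpc">

  <!-- IdP metadata and key material (PEM encoded; paths are placeholders) -->
  <metadataFilePath>/etc/idpc/idp-metadata.xml</metadataFilePath>
  <idpPublicKey>/etc/idpc/idp-public-key.pem</idpPublicKey>
  <idpPrivateKey>/etc/idpc/idp-private-key.pem</idpPrivateKey>
  <idpCertificate>/etc/idpc/idp-cert.pem</idpCertificate>

  <!-- One element per trusted service provider; repeat as needed -->
  <serviceProvider>
    <metadataFilePath>/etc/idpc/sp/example-sp-metadata.xml</metadataFilePath>
    <spPublicKey>/etc/idpc/sp/example-sp-public-key.pem</spPublicKey>
    <spCaCertificate>/etc/idpc/sp/example-sp-ca.pem</spCaCertificate>
  </serviceProvider>
  <serviceProvider>
    <metadataFilePath>/etc/idpc/sp/second-sp-metadata.xml</metadataFilePath>
    <spPublicKey>/etc/idpc/sp/second-sp-public-key.pem</spPublicKey>
    <spCaCertificate>/etc/idpc/sp/second-sp-ca.pem</spCaCertificate>
  </serviceProvider>

  <!-- "http" takes the user from REMOTE_USER set by the web server;
       "certificate" relies on Apache mod_ssl client certificates -->
  <authenticationMethod>certificate</authenticationMethod>

  <!-- Seconds before an SP must reauthenticate the user; 7200 is the default -->
  <reauthenticationDelay>7200</reauthenticationDelay>

  <!-- PostgreSQL connection; dbhost and dbport are optional -->
  <dbhost>127.0.0.1</dbhost>
  <dbport>5432</dbport>
  <dbname>idpc</dbname>
  <dblogin>idpc</dblogin>
  <dbpassword>replace-with-a-strong-password</dbpassword>

  <!-- Only used with the certificate method: enables the OCSP validity check
       of the presented client certificate. Omit both to skip OCSP. -->
  <ocspUrl>http://ocsp.example.org/</ocspUrl>
  <ocspIssuer>/etc/idpc/ocsp-issuer.pem</ocspIssuer>

</idpc>
```

Since this file names the IdP private key and carries the database password
in clear text, keep it readable only by the user the CGIs run as (the web
server user), and keep the private key file itself at least as restricted.
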

Authentication Methods
----------------------

HTTP authentication
```````````````````

Keyword: ``http``

HTTP authentication is handled by the web server; it should pass a REMOTE_USER
environment variable to the CGI. Apache allows many sources for HTTP
authentication, including LDAP directories and PostgreSQL and MySQL databases.

The REMOTE_USER value will be used as the key to identify users in the database.

Certificate authentication
``````````````````````````

Keyword: ``certificate``

This authentication relies on Apache ``mod_ssl`` to set several environment
variables; your Apache configuration must contain an ``SSLVerifyClient``
option with ``optional`` or ``require`` as value.

The certificate serial number will be used as the key to identify users in the
database.

.. note:: (this is subject to change)

Additionally, if you have set the OCSP options in the configuration file, an
OCSP connection will be made to check certificate validity.

Apache Configuration
====================

Imagine ``soapEndPoint`` has been installed in ``/usr/lib/cgi-bin/idpc/`` and
``singleSignOn`` in ``/usr/lib/cgi-bin/idpc/auth/``. The Apache configuration
will look as follows::

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin/>
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    <Directory /usr/lib/cgi-bin/idpc/auth>
        AuthType Basic
        AuthName "IdPc"
        AuthUserFile /etc/apache/passwd
        Require valid-user
    </Directory>

Database configuration
======================

PostgreSQL
----------

.. include:: ../create-db.sql

Be sure it is possible to connect to the database using TCP/IP; something like
the next line will do (you may have to disable ``ident`` authentication first)::

    # TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
    host    idpc      idpc  127.0.0.1   255.255.255.255  password

MySQL
-----

.. note:: Support not yet implemented.

Copyright and License
=====================

IdPC (both code and documentation) is copyright © 2004 Entr'ouvert and released
under the `GNU General Public License`_.

.. _Liberty Alliance: http://www.projectliberty.org
.. _GNU General Public License: http://www.gnu.org/copyleft/gpl.html