Skip to content

Commit

Permalink
Remove the Saml2 plugin.
Browse files Browse the repository at this point in the history 
Unfortunately, that approach is too limited.
  • Loading branch information
@drgrice1
drgrice1 committed Aug 26, 2024
1 parent d30d346 commit e5e0fd8
Show file tree
Hide file tree
Showing 14 changed files with 351 additions and 507 deletions.
103 changes: 103 additions & 0 deletions conf/authen_saml2.conf.dist
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
#!perl
################################################################################
# Configuration for using Saml2 authentication.
# To enable this Saml2 authentication, copy this file to conf/authen_saml2.conf
# and uncomment the appropriate lines in localOverrides.conf. The Saml2
# authentication module uses the Net::SAML2 library. The library claims to be
# compatible with a wide range of SAML2 implementations, including Shibboleth.
################################################################################

# Set Saml2 as the authentication module to use.
# Comment out 'WeBWorK::Authen::Basic_TheLastOption' if bypassing Saml2
# authentication is not allowed (see $saml2{bypass_query} below).
$authen{user_module} = [
'WeBWorK::Authen::Saml2',
'WeBWorK::Authen::Basic_TheLastOption'
];

# List of authentication modules that may be used to enter the admin course.
# This is used instead of $authen{user_module} when logging into the admin
# course. Since the admin course provides overall power to add/delete courses,
# access to this course should be protected by the best possible authentication
# you have available to you.
$authen{admin_module} = [
'WeBWorK::Authen::Saml2'
];

# Note that Saml2 authentication can be used in conjunction with webwork's two
# factor authentication. If the identity provider does not provide two factor
# authentication, then it is recommended that you do use webwork's two factor
# authentication. If the identity provider does provide two factor
# authentication, then you would not want your users need to perform two factor
# authentication twice, so you should disable webwork's two factor
# authentication. The two factor authentication settings are set in
# localOverrides.conf.

# This URL query parameter can be added to the end of a course url to skip the
# saml2 authentication module and go to the next one, for example,
# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next
# line to disable this feature.
$saml2{bypass_query} = 'bypassSaml2';

# If $external_auth is 1, and the authentication sequence reaches
# Basic_TheLastOption, then the webwork login screen will show a message
# directing the user to use the external authentication system to login. This
# prevents users from attempting to login in to WeBWorK directly.
$external_auth = 0;

# Set this to the URL that serves the SAML2 metadata xml for the identity
# provider. Webwork will request the identity provider's metadata from this URL
# during the authentication process.
$saml2{idp}{metadata_url} = 'http://idp/simplesaml/module.php/saml/idp/metadata';

# This the id for the webwork2 service provider. This is usually the application
# root URL plus the base path to the service provider.
$saml2{sp}{entity_id} = 'http://localhost:8080/webwork2/saml2';

# This is the organization metadata information for the webwork2 service
# provider. The Saml2 authentication module will generate xml metadata that can
# be obtained by the identity provider for configuration from the
# /webwork2/saml2/metadata URL if Saml2 authentication is enabled site wide.
# However, Saml2 authentication can be enabled for individual courses as well by
# setting the options in this file in a course's course.conf file. In that case
# the identity provider will need to be configured to obtain the metadata from
# the webwork2/courseID/saml2/metadata URL instead. Note that if Saml2
# authentication is not enabled site wide and multiple courses use the same
# identity provider, then pick the courseID of one of the courses that is
# configured for that identity provider to use for the metadata URL. All of the
# other courses share the same metedata.
$saml2{sp}{org} = {
contact => 'webwork@example.edu',
name => 'webwork',
url => 'https://localhost:8080/',
display_name => 'WeBWorK'
};

# The following list of attributes will be checked in the given order for a
# matching user in the webwork2 course. If no attributes are given, then
# webwork2 will default to the NameID. It is recommended that you use the
# attribute's OID.
$saml2{sp}{attributes} = ['urn:oid:0.9.2342.19200300.100.1.1'];

# The following settings are the locations of the files that contain the private
# certificate and public key for the webwork2 service provider. A certificate
# and key can be generated using openssl. For example,
# openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
# The files saml.crt and saml.pem that are generated contain the private
# "certificate" and the "public_key", respectively.
# Note that if the files are placed within the root webwork2 app directory, then
# the paths may be given relative to the the root webwork2 app directory.
# Otherwise the absolute path must be given. Make sure that the webwork2 app has
# read permissions for those files.
$saml2{sp}{certificate_file} = 'docker-config/idp/certs/saml.crt';
$saml2{sp}{public_key_file} = 'docker-config/idp/certs/saml.pem';

##############################################################################
# SECURITY WARNING
# For production, you MUST provide your own unique 'certificate' and
# 'public_key' files. The files referred to in the default settings above are
# only intended to be used in development, and are publicly exposed. Hence,
# they provide NO SECURITY.
##############################################################################

1;
77 changes: 0 additions & 77 deletions conf/authen_saml2.dist.yml
View file

This file was deleted.

10 changes: 10 additions & 0 deletions conf/localOverrides.conf.dist
View file
Original file line number Diff line number Diff line change
Expand Up @@ -527,6 +527,16 @@ $mail{feedbackRecipients} = [

#include("conf/authen_ldap.conf");

################################################################################
# Saml2 Authentication
################################################################################
# Uncomment the following line to enable authentication via a Saml2 identity
# provider. You will also need to copy the file authen_saml2.conf.dist to
# authen_saml2.conf, and then edit that file to fill in the settings for your
# installation.

#include("conf/authen_saml2.conf");

################################################################################
# Session Management
################################################################################
Expand Down
13 changes: 7 additions & 6 deletions docker-config/docker-compose.dist.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -251,19 +251,20 @@ services:
#ports:
# - "6311:6311"

# Saml2 development use only. This is a separate profile from the other services so it doesn't
# start in normal usage. Use "docker compose --profile saml2dev up" to start.
# SimpleSAMLphp Saml2 identity provider for development use only. This is a separate profile from the other services
# so it doesn't start in normal usage. Use "docker compose --profile saml2dev up" to start, and "docker compose
# --profile saml2dev down" to stop.
idp:
build:
context: ./docker-config/idp/ # SimpleSAMLphp based IDP
context: ./docker-config/idp/
profiles:
- saml2dev
ports:
- '8180:80'
environment:
SP_METADATA_URL: 'http://app:8080/saml2/metadata'
# The healthcheck url is simplesamlphp's url for triggering cron jobs. The
# cron job it will trigger will automatically grab webwork sp's metadata.
SP_METADATA_URL: 'http://app:8080/webwork2/saml2/metadata'
# The healthcheck url is SimpleSAMLphp's url for triggering cron jobs. The cron job it will trigger will
# automatically fetch the webwork2 service provider's metadata.
healthcheck:
test: ['CMD', 'curl', '-f', 'http://localhost/simplesaml/module.php/cron/run/metarefresh/webwork2']
start_period: 1m
Expand Down
84 changes: 84 additions & 0 deletions docker-config/idp/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# Development identity provider test instance for SAML2 authentication

A development SAML2 identity provider is provided that uses SimpleSAMLphp.
Instructions for utilizing this instance follow.

## Development IdP test instance with docker

A docker service the implements a SAML2 identity provider is provided in the
docker-compose.yml.dist file. To start this identity provider along with the
rest of webwork2, add the '--profile saml2dev' argument to docker compose as in
the following exmaple.

```bash
docker compose --profile saml2dev up
```

Without the profile argument, the identity provider services do not start.

Stop the docker services with

```bash
docker compose --profile saml2dev down
```

## Development IdP test instance without docker

Effective development is not done in a docker container. So it is usually more
useful to set up an identity provider without docker.

TODO: Add these instructions.

## Setup

The default `conf/authen_saml2.conf.dist` is configured to use the docker
identity provider. Copy it to `conf/authen_saml2.conf` and it should work.

TODO: Add instructions for setting up without docker.

## Identity provider administration

The identity provider has an admin interface. You can login to the docker
instance with the password 'admin' at
`http://localhost:8180/simplesaml/module.php/admin/federation`
or without docker at
`http://localhost/simplesaml/module.php/admin/federation`.

The admin interface lets you check if the identity provider has properly
registered the webwork2 service provider under the 'Federation' tab, it should
be listed under the "Trusted entities" section.

You can also test login with the user accounts listed below in the "Test" tab
under the "example-userpass" authentication source.

## Single sign-on users

The following single sign-on accounts are preconfigured:

- Username: student01, Password: student01
- Username: instructor01, Password: instructor01
- Username: staff01, Password: staff01

You can add more accounts to the `docker-config/idp/config/authsources.php` file
in the `example-userpass` section. If using docker the identity provider, the
image will need to be rebuilt for the changes to take effect.

## Troubleshooting

### "Error retrieving metadata"

This error message indicates that the Saml2 authentication module wasn't able to
fetch the metadata from the identity provider metadata URL. Make sure the
identity provider is accessible to webwork2.

### User not found in course

The user was verified by the identity provider but did not have a corresponding
user account in the Webwork course. The Webwork user account needs to be created
separately as the Saml2 autentication module does not do user provisioning.

### The WeBWorK service provider does not appear in the service provider Federation tab

This can occur when using the docker identity provider service because Webwork's
first startup can be slow enough that the IdP wasn't able to successfully fetch
metadata from the webwork2 metadata URL. Restarting everything should fix this.
Loading

0 comments on commit e5e0fd8

Please sign in to comment.