forked from openwebwork/webwork2
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Unfortunately, that approach is too limited.
- Loading branch information
Showing
14 changed files
with
351 additions
and
507 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
#!perl | ||
################################################################################ | ||
# Configuration for using Saml2 authentication. | ||
# To enable this Saml2 authentication, copy this file to conf/authen_saml2.conf | ||
# and uncomment the appropriate lines in localOverrides.conf. The Saml2 | ||
# authentication module uses the Net::SAML2 library. The library claims to be | ||
# compatible with a wide range of SAML2 implementations, including Shibboleth. | ||
################################################################################ | ||
|
||
# Set Saml2 as the authentication module to use. | ||
# Comment out 'WeBWorK::Authen::Basic_TheLastOption' if bypassing Saml2 | ||
# authentication is not allowed (see $saml2{bypass_query} below). | ||
$authen{user_module} = [ | ||
'WeBWorK::Authen::Saml2', | ||
'WeBWorK::Authen::Basic_TheLastOption' | ||
]; | ||
|
||
# List of authentication modules that may be used to enter the admin course. | ||
# This is used instead of $authen{user_module} when logging into the admin | ||
# course. Since the admin course provides overall power to add/delete courses, | ||
# access to this course should be protected by the best possible authentication | ||
# you have available to you. | ||
$authen{admin_module} = [ | ||
'WeBWorK::Authen::Saml2' | ||
]; | ||
|
||
# Note that Saml2 authentication can be used in conjunction with webwork's two | ||
# factor authentication. If the identity provider does not provide two factor | ||
# authentication, then it is recommended that you do use webwork's two factor | ||
# authentication. If the identity provider does provide two factor | ||
# authentication, then you would not want your users need to perform two factor | ||
# authentication twice, so you should disable webwork's two factor | ||
# authentication. The two factor authentication settings are set in | ||
# localOverrides.conf. | ||
|
||
# This URL query parameter can be added to the end of a course url to skip the | ||
# saml2 authentication module and go to the next one, for example, | ||
# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next | ||
# line to disable this feature. | ||
$saml2{bypass_query} = 'bypassSaml2'; | ||
|
||
# If $external_auth is 1, and the authentication sequence reaches | ||
# Basic_TheLastOption, then the webwork login screen will show a message | ||
# directing the user to use the external authentication system to login. This | ||
# prevents users from attempting to login in to WeBWorK directly. | ||
$external_auth = 0; | ||
|
||
# Set this to the URL that serves the SAML2 metadata xml for the identity | ||
# provider. Webwork will request the identity provider's metadata from this URL | ||
# during the authentication process. | ||
$saml2{idp}{metadata_url} = 'http://idp/simplesaml/module.php/saml/idp/metadata'; | ||
|
||
# This the id for the webwork2 service provider. This is usually the application | ||
# root URL plus the base path to the service provider. | ||
$saml2{sp}{entity_id} = 'http://localhost:8080/webwork2/saml2'; | ||
|
||
# This is the organization metadata information for the webwork2 service | ||
# provider. The Saml2 authentication module will generate xml metadata that can | ||
# be obtained by the identity provider for configuration from the | ||
# /webwork2/saml2/metadata URL if Saml2 authentication is enabled site wide. | ||
# However, Saml2 authentication can be enabled for individual courses as well by | ||
# setting the options in this file in a course's course.conf file. In that case | ||
# the identity provider will need to be configured to obtain the metadata from | ||
# the webwork2/courseID/saml2/metadata URL instead. Note that if Saml2 | ||
# authentication is not enabled site wide and multiple courses use the same | ||
# identity provider, then pick the courseID of one of the courses that is | ||
# configured for that identity provider to use for the metadata URL. All of the | ||
# other courses share the same metedata. | ||
$saml2{sp}{org} = { | ||
contact => 'webwork@example.edu', | ||
name => 'webwork', | ||
url => 'https://localhost:8080/', | ||
display_name => 'WeBWorK' | ||
}; | ||
|
||
# The following list of attributes will be checked in the given order for a | ||
# matching user in the webwork2 course. If no attributes are given, then | ||
# webwork2 will default to the NameID. It is recommended that you use the | ||
# attribute's OID. | ||
$saml2{sp}{attributes} = ['urn:oid:0.9.2342.19200300.100.1.1']; | ||
|
||
# The following settings are the locations of the files that contain the private | ||
# certificate and public key for the webwork2 service provider. A certificate | ||
# and key can be generated using openssl. For example, | ||
# openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem | ||
# The files saml.crt and saml.pem that are generated contain the private | ||
# "certificate" and the "public_key", respectively. | ||
# Note that if the files are placed within the root webwork2 app directory, then | ||
# the paths may be given relative to the the root webwork2 app directory. | ||
# Otherwise the absolute path must be given. Make sure that the webwork2 app has | ||
# read permissions for those files. | ||
$saml2{sp}{certificate_file} = 'docker-config/idp/certs/saml.crt'; | ||
$saml2{sp}{public_key_file} = 'docker-config/idp/certs/saml.pem'; | ||
|
||
############################################################################## | ||
# SECURITY WARNING | ||
# For production, you MUST provide your own unique 'certificate' and | ||
# 'public_key' files. The files referred to in the default settings above are | ||
# only intended to be used in development, and are publicly exposed. Hence, | ||
# they provide NO SECURITY. | ||
############################################################################## | ||
|
||
1; |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
# Development identity provider test instance for SAML2 authentication | ||
|
||
A development SAML2 identity provider is provided that uses SimpleSAMLphp. | ||
Instructions for utilizing this instance follow. | ||
|
||
## Development IdP test instance with docker | ||
|
||
A docker service the implements a SAML2 identity provider is provided in the | ||
docker-compose.yml.dist file. To start this identity provider along with the | ||
rest of webwork2, add the '--profile saml2dev' argument to docker compose as in | ||
the following exmaple. | ||
|
||
```bash | ||
docker compose --profile saml2dev up | ||
``` | ||
|
||
Without the profile argument, the identity provider services do not start. | ||
|
||
Stop the docker services with | ||
|
||
```bash | ||
docker compose --profile saml2dev down | ||
``` | ||
|
||
## Development IdP test instance without docker | ||
|
||
Effective development is not done in a docker container. So it is usually more | ||
useful to set up an identity provider without docker. | ||
|
||
TODO: Add these instructions. | ||
|
||
## Setup | ||
|
||
The default `conf/authen_saml2.conf.dist` is configured to use the docker | ||
identity provider. Copy it to `conf/authen_saml2.conf` and it should work. | ||
|
||
TODO: Add instructions for setting up without docker. | ||
|
||
## Identity provider administration | ||
|
||
The identity provider has an admin interface. You can login to the docker | ||
instance with the password 'admin' at | ||
`http://localhost:8180/simplesaml/module.php/admin/federation` | ||
or without docker at | ||
`http://localhost/simplesaml/module.php/admin/federation`. | ||
|
||
The admin interface lets you check if the identity provider has properly | ||
registered the webwork2 service provider under the 'Federation' tab, it should | ||
be listed under the "Trusted entities" section. | ||
|
||
You can also test login with the user accounts listed below in the "Test" tab | ||
under the "example-userpass" authentication source. | ||
|
||
## Single sign-on users | ||
|
||
The following single sign-on accounts are preconfigured: | ||
|
||
- Username: student01, Password: student01 | ||
- Username: instructor01, Password: instructor01 | ||
- Username: staff01, Password: staff01 | ||
|
||
You can add more accounts to the `docker-config/idp/config/authsources.php` file | ||
in the `example-userpass` section. If using docker the identity provider, the | ||
image will need to be rebuilt for the changes to take effect. | ||
|
||
## Troubleshooting | ||
|
||
### "Error retrieving metadata" | ||
|
||
This error message indicates that the Saml2 authentication module wasn't able to | ||
fetch the metadata from the identity provider metadata URL. Make sure the | ||
identity provider is accessible to webwork2. | ||
|
||
### User not found in course | ||
|
||
The user was verified by the identity provider but did not have a corresponding | ||
user account in the Webwork course. The Webwork user account needs to be created | ||
separately as the Saml2 autentication module does not do user provisioning. | ||
|
||
### The WeBWorK service provider does not appear in the service provider Federation tab | ||
|
||
This can occur when using the docker identity provider service because Webwork's | ||
first startup can be slow enough that the IdP wasn't able to successfully fetch | ||
metadata from the webwork2 metadata URL. Restarting everything should fix this. |
Oops, something went wrong.