
Quick start for identity providers

IdP VMware image

To make it easier for institutions to get connected, we have created a VMware image that can be downloaded.

It contains an installation of Debian with a pre-packaged SimpleSAMLphp installation configured as an IdP; the standard software needed for a production server is installed.

Specialised software such as backup clients, monitoring agents and so on must be installed on top of the image.

You can login with two different users:

  • root/changeme
  • default/changeme

Before doing anything else, read the file "setup-instructions" (updates and configuration steps), which is placed in the root directory.

Be aware of the image version

The NIC configured in the image is not recognised by ESX installations. You will have to remove the NIC and add a new one. Debian then ignores the new NIC because it has a different MAC address. Open /etc/udev/rules.d/z25_persistent-net.rules and edit this file: the new NIC is registered as eth2, so correct the MAC address on the eth0 rule to the new MAC address, and the image runs without problems.

A version prepared for ESX will be available soon.
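The udev edit described above, as an added shell example that is not part of the WAYF page: it drops the rule udev generated for the replacement NIC under the stale name (eth2 in the text), puts that NIC's MAC address on the eth0 rule, and refuses malformed input so a typo cannot leave the machine with no working interface. The rules-file path is the one from the page; the MAC addresses and the sample rules file are constructed for the example, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example; not from the WAYF page. Automates the udev edit described in
# the text: delete the rule for the replacement NIC (stale name, eth2 by
# default) and rewrite the MAC on the rule for the name we keep (eth0).
# Usage: fix_persistent_net RULES_FILE NEW_MAC [KEEP_NAME] [STALE_NAME]

fix_persistent_net() {
    rules="$1"; new_mac="$2"; keep="${3:-eth0}"; stale="${4:-eth2}"

    # Refuse anything that is not six colon-separated hex pairs; a typo here
    # would leave the box without a usable interface after reboot.
    printf '%s\n' "$new_mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || {
        echo "fix_persistent_net: '$new_mac' is not a MAC address" >&2
        return 1
    }
    # The interface we keep must actually have a rule to rewrite.
    grep -q "NAME=\"$keep\"" "$rules" || {
        echo "fix_persistent_net: no rule for $keep in $rules" >&2
        return 1
    }

    tmp="$rules.tmp"
    # 1) drop the auto-generated rule for the stale name
    # 2) on the rule we keep, replace whatever MAC it carries
    #    (matches both ATTR{address} and the older ATTRS{address} spelling)
    sed -e "/NAME=\"$stale\"/d" \
        -e "/NAME=\"$keep\"/s/address}==\"[0-9a-fA-F:]*\"/address}==\"$new_mac\"/" \
        "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# MAC of an interface as the running kernel reports it via sysfs.
# On the image you would run:
#   fix_persistent_net /etc/udev/rules.d/z25_persistent-net.rules "$(iface_mac eth2)"
iface_mac() {
    cat "/sys/class/net/$1/address"
}

# Constructed sample of a persistent-net rules file (made-up MACs) written to
# a temporary file; prints the path so the function can be tried offline.
sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# original NIC shipped with the image (constructed entry)
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:0c:29:11:22:33", NAME="eth0"

# NIC added in ESX, auto-registered by udev (constructed entry)
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:50:56:aa:bb:cc", NAME="eth2"
EOF
    echo "$f"
}
```

After running it, reboot (or reload udev) and confirm with `ip link` that the card now appears as eth0 with the MAC you passed in; the old eth0 MAC is gone from the file, so there is nothing left for udev to wait on.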

Certificates

See the documentation for how to convert a PFX certificate to PEM format.

How to provide the correct eduPersonPrimaryAffiliation

If you are using LDAP or AD and you do not store your users' primary affiliation, you can usually derive the attribute from the user's 'dn' or 'distinguishedName'.

Start by getting the AttributeAlter filter and putting it in "{PATHTOSIMPLESAML}/modules/core/lib/Auth/Process/".

Usually your dn will look something like "ou=xxx,ou=Ansat,dn=xxx,dn=xxx". In "{PATHTOSIMPLESAML}/config/config.php", configure the AttributeAlter filter by inserting this in the authproc.idp configuration array:

    // Rewrite distinguishedName: when the pattern matches, '%replace' swaps
    // the whole value for the replacement (not just the matched substring).
    80 => array(
        'class' => 'core:AttributeAlter',
        'subject' => 'distinguishedName',
        'pattern' => '/ou=Ansat/',
        'replacement' => 'staff',   // eduPerson vocabulary values are lowercase
        '%replace',
    ),

    // Rename the rewritten attribute to eduPersonPrimaryAffiliation.
    85 => array(
        'class' => 'core:AttributeMap',
        'distinguishedName' => 'eduPersonPrimaryAffiliation',
    ),

The numbers, 80 and 85, may be different depending on your current setup. Remember to change the 'pattern' so that it searches for the correct string; this depends on how your local directory is organised. You should set up an AttributeAlter filter for each type of user you have in your local setup, i.e. student, faculty, staff. See the eduPersonPrimaryAffiliation description for the allowed values.
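The complete filter chain for the three user types mentioned above, as an added example that is not from the WAYF page or from SimpleSAMLphp itself. It assumes the directory uses 'ou=Studerende' for students, 'ou=VIP' for faculty and 'ou=Ansat' for staff (only the last is from the page; substitute your own OUs), and it assumes a SimpleSAMLphp version whose core:AttributeAlter supports the '%remove' flag. The patterns are anchored to whole RDNs so that, for instance, 'ou=Ansat' does not also match an 'ou=Ansatte' branch, and a final rule removes any value that matched nothing, so a raw DN is never released as an affiliation.

```php
<?php
// Added example; not WAYF's or SimpleSAMLphp's own code.
// Fragment of {PATHTOSIMPLESAML}/config/config.php (placeholder path as on the page).
// Assumed OU names: Studerende (students), VIP (faculty), Ansat (staff).
'authproc.idp' => array(
    // One AttributeAlter per affiliation. '%replace' replaces the entire
    // attribute value with the replacement when the pattern matches, so the
    // released value is exactly the eduPerson vocabulary word.
    // '(^|,)' and '(,|$)' anchor the match to one whole RDN.
    80 => array(
        'class' => 'core:AttributeAlter',
        'subject' => 'distinguishedName',
        'pattern' => '/(^|,)ou=Studerende(,|$)/i',
        'replacement' => 'student',
        '%replace',
    ),
    81 => array(
        'class' => 'core:AttributeAlter',
        'subject' => 'distinguishedName',
        'pattern' => '/(^|,)ou=VIP(,|$)/i',
        'replacement' => 'faculty',
        '%replace',
    ),
    82 => array(
        'class' => 'core:AttributeAlter',
        'subject' => 'distinguishedName',
        'pattern' => '/(^|,)ou=Ansat(,|$)/i',
        'replacement' => 'staff',
        '%replace',
    ),
    // A value that still contains '=' matched none of the rules above and is
    // therefore an unrewritten DN; remove it rather than release it.
    // (Assumes '%remove' is available in the installed SimpleSAMLphp.)
    84 => array(
        'class' => 'core:AttributeAlter',
        'subject' => 'distinguishedName',
        'pattern' => '/=/',
        '%remove',
    ),
    // Finally rename the rewritten attribute to eduPersonPrimaryAffiliation.
    85 => array(
        'class' => 'core:AttributeMap',
        'distinguishedName' => 'eduPersonPrimaryAffiliation',
    ),
),
```

Order matters: once a rule has replaced the DN with, say, 'student', later patterns cannot match it, so if your tree nests one OU inside another (a student employee under both branches), put the rule for the affiliation you consider primary first. Test the chain against a few real DNs of each type before enabling it, and check the released attribute with the IdP's own test pages rather than assuming the mapping from the tree layout alone.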

Go enjoy

WAYF Secretariat
2 H.C. Andersens Boulevard
DK-1553 Copenhagen V
Denmark

www.wayf.dk
sekretariat@wayf.dk
