This page describes how you can use pyFF to automatically generate a discovery page for your Service Provider.

pyFF is a SAML metadata aggregator that can also serve a discovery page. It was created by Leif Johansson and is available at https://github.com/leifj/pyFF/.

Step 1: Install pyFF

Install pyFF by following the instructions at: http://pythonhosted.org/pyFF/install.html

Step 2: Configuration

To use the built-in web server (pyffd) and start pyFF at boot, follow these steps:

  • Create directory: /var/www/pyff
  • Create directory: /etc/pyff
  • Create a signing key + certificate:
openssl req -newkey rsa:2048 -nodes -keyout /etc/pyff/sign.key -x509 -days 3650 -out /etc/pyff/sign.crt
  • Place the eduGAIN signing certificate (see below) in the file: /etc/pyff/edugain-signer.crt
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
  • Place the following pyFF configuration file in /etc/pyff/mdx.fd and replace <YOUR_SP_ENTITY_ID> with the EntityID of your SP
    (see the SURFconext documentation, "Use your own WAYF", for more information on this SURFconext metadata endpoint):
- when update:
    - load:
        - http://mds.edugain.org /etc/pyff/edugain-signer.crt
        - https://engine.surfconext.nl/authentication/proxy/idps-metadata?sp-entity-id=<YOUR_SP_ENTITY_ID>
    - select
- when request:
    - select
    - pipe:
        - when accept application/xml:
            - xslt:
                stylesheet: tidy.xsl
            - first
            - finalize:
                cacheDuration: PT5H
                validUntil: P10D
            - sign:
                key: /etc/pyff/sign.key
                cert: /etc/pyff/sign.crt
            - emit application/xml
            - break
        - when accept application/json:
            - xslt:
                stylesheet: discojson.xsl
            - emit application/json
            - break
  • Create an init.d script for pyFF. File: /etc/init.d/pyffd
#!/bin/bash
#
# pyffd        pyFF is a simple but reasonably complete SAML metadata
#              processor. It is intended to be used by anyone who needs
#              to aggregate, validate, combine, transform, sign or
#              publish SAML metadata.
#
# Author: Remold Krol / remold@everett.nl
# (pyFF by: Leif Johansson/leifj@sunet.se)
#
# chkconfig: 2345 13 87
# description: pyFF is a simple but reasonably complete SAML metadata processor.
### BEGIN INIT INFO
# Provides:          pyffd
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start pyFFd at boot time
# Description:       pyFF is a simple but reasonably complete SAML metadata processor.
### END INIT INFO

PYFFD_HOST=127.0.0.1            # bind to localhost only; Apache proxies to it (Step 3)
PYFFD_PORT=81
PYFFD_PIDFILE=/var/run/pyffd.pid
PYFFD_DIR=/var/www/pyff
PYFFD_UPDATEFREQ=43200          # not used by the start command below
PYFFD_CONF=/etc/pyff/mdx.fd

start() {
    echo -n "Starting pyffd : "
    if [ -f "$PYFFD_PIDFILE" ]; then
        PID=$(cat "$PYFFD_PIDFILE")
        echo "pyffd already running: $PID"
        exit 2
    else
        /usr/local/bin/pyffd --loglevel=INFO --log=syslog:syslog --error-log=syslog:syslog \
            -p "$PYFFD_PIDFILE" --dir="$PYFFD_DIR" -H "$PYFFD_HOST" -P "$PYFFD_PORT" "$PYFFD_CONF"
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && echo "pyffd started"
        return $RETVAL
    fi
}

stop() {
    echo -n "Shutting down pyffd: "
    echo
    if [ -f "$PYFFD_PIDFILE" ]; then
        PID=$(cat "$PYFFD_PIDFILE")
        kill "$PID"
        # remove the pid file so that the next start() is not refused
        rm -f "$PYFFD_PIDFILE"
    else
        # no pid file: fall back to killing by process name
        pkill pyff
    fi
    return 0
}

status() {
    if [ -f "$PYFFD_PIDFILE" ]; then
        PID=$(cat "$PYFFD_PIDFILE")
        echo "pyffd running: $PID"
    else
        # no pid file: look for a pyffd process bound to our host address
        PID=$(pgrep -f "pyffd.*$PYFFD_HOST" | head -n 1)
        if [ -z "$PID" ]; then
            echo "pyffd is not running"
        else
            echo "pyffd running: $PID (no pid file '$PYFFD_PIDFILE')"
        fi
    fi
    return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart)
        stop
        sleep 2
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac
exit $?
  • Install the init.d script by running:
update-rc.d pyffd defaults
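Before pointing anything at the new service it is worth checking what the pipeline above actually emits: the finalize step stamps cacheDuration (PT5H) and validUntil (P10D) on the EntitiesDescriptor, and the sign step embeds the certificate from /etc/pyff/sign.crt in ds:KeyInfo. The script below is an added example, not pyFF's own code or part of the original page; it parses an aggregate such as the one served at http://localhost:81/role/idp.xml and reports whether the embedded signer certificate matches sign.crt (by SHA-256 fingerprint over the DER bytes), whether validUntil is still in the future and within the configured maximum, and how many entities it contains. It does not verify the XML-DSig cryptographically (that needs an XML-security library such as xmlsec). The sample metadata and the certificate bytes are constructed so it runs offline; with real input, pass the metadata file and sign.crt as arguments.

```python
"""Sanity-check a pyffd aggregate (added example, not part of pyFF)."""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for /etc/pyff/sign.crt: arbitrary bytes, not a real
# X.509 certificate, so that the example runs offline.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate").decode()
SAMPLE_SIGN_CRT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % SAMPLE_CERT_B64

# Constructed sample shaped like pyFF output after finalize (PT5H / P10D) and sign.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed" cacheDuration="PT5H" validUntil="2015-05-10T12:00:00Z">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
""" % SAMPLE_CERT_B64


def parse_iso_duration(value):
    """Parse the subset of ISO 8601 durations that finalize emits (e.g. PT5H, P10D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError("unsupported duration: %r" % value)
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_utc(value):
    """Parse a SAML dateTime such as 2015-05-10T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pem_fingerprint(pem):
    """SHA-256 over the DER bytes of a PEM certificate (what openssl x509 -fingerprint -sha256 prints)."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def check_metadata(xml_text, sign_crt_pem, now_utc, max_validity="P10D"):
    """Return the freshness and signer facts a consumer should verify before trusting the feed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("not an EntitiesDescriptor: %s" % root.tag)
    now = parse_utc(now_utc)
    valid_until = parse_utc(root.attrib["validUntil"])
    cache_duration = parse_iso_duration(root.attrib["cacheDuration"])

    # The certificate pyFF's sign step places in KeyInfo must be the one we configured.
    cert_el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    embedded_fp = None
    if cert_el is not None and cert_el.text:
        embedded_fp = hashlib.sha256(base64.b64decode(cert_el.text.strip())).hexdigest()

    return {
        "entity_count": len(root.findall("md:EntityDescriptor", NS)),
        "idp_count": len(root.findall("md:EntityDescriptor/md:IDPSSODescriptor", NS)),
        "cache_duration_seconds": int(cache_duration.total_seconds()),
        "valid_until": root.attrib["validUntil"],
        "not_expired": now < valid_until,
        "within_max_validity": valid_until - now <= parse_iso_duration(max_validity),
        "signer_matches": embedded_fp is not None and embedded_fp == pem_fingerprint(sign_crt_pem),
        "signer_sha256": embedded_fp,
    }


if __name__ == "__main__":
    # usage: check_aggregate.py [metadata.xml] [sign.crt]; defaults to the constructed sample
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    crt_pem = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SIGN_CRT
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for key, value in check_metadata(xml_text, crt_pem, now).items():
        print("%-24s %s" % (key, value))
```

A validUntil further out than P10D from now, or a signer fingerprint that does not match sign.crt, means the feed you are looking at was not produced by this pipeline with this key; that is the case to alert on rather than silently refresh.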

Step 3: Create Apache proxy for pyFF

(These steps are for Apache 2.2.2)

Create a new virtual host to run the pyFF Discovery Service. This virtual host proxies requests to pyFF (listening on localhost:81) and terminates SSL.

  • Place the following content in: /etc/apache2/sites-available/discoveryservice-ssl (Replace <SERVER_ADMIN_EMAIL> and <YOUR_DOMAIN>)
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin <SERVER_ADMIN_EMAIL>
    ServerName ds.<YOUR_DOMAIN>
    DocumentRoot /var/www/pyff

    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://localhost:81/
    ProxyPassReverse / http://localhost:81/

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/discoveryservice-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/discoveryservice_ssl_access.log combined

    SSLEngine on
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA
    SSLHonorCipherOrder on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/ssl/certs/cert-674347-www.openconext.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.openconext.org.20150424.key
    SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
    SSLCACertificatePath /etc/ssl/certs/

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
  • Create a symlink in /etc/apache2/sites-enabled:
cd /etc/apache2/sites-enabled; ln -s ../sites-available/discoveryservice-ssl .; cd -
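With SSLHonorCipherOrder on, the server picks the first suite in the SSLCipherSuite list that the client also supports, so the order of that list decides what most clients end up negotiating. The script below is an added example (not part of the original page or of Apache) that takes the cipher string from the vhost above and reports how it is composed: how many suites offer forward secrecy (ECDHE/DHE key exchange), whether all of those precede the static-RSA suites, which entries use 3DES, and whether anything is listed twice. The classification is done on the OpenSSL suite names alone.

```python
"""Audit an Apache SSLCipherSuite string (added example, not part of the original page)."""

# The cipher string from the discoveryservice-ssl vhost above, copied verbatim.
SSL_CIPHER_SUITE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
)


def classify(suite):
    """Describe one OpenSSL suite name: key exchange (forward secret or not) and bulk cipher."""
    parts = suite.split("-")
    forward_secret = parts[0] in ("ECDHE", "DHE")   # anything else here is static RSA key transport
    if "GCM" in parts:
        bulk = "AES-GCM"
    elif "CBC3" in parts:
        bulk = "3DES-CBC"
    else:
        bulk = "AES-CBC"
    return {"suite": suite, "forward_secret": forward_secret, "bulk": bulk}


def audit_cipher_string(cipher_string):
    """Summarise a colon-separated SSLCipherSuite value in server preference order."""
    suites = [s for s in cipher_string.split(":") if s]
    classified = [classify(s) for s in suites]

    # Index of the first non-PFS suite; everything after it should also be non-PFS,
    # otherwise a forward-secret suite is ranked below a static-RSA one.
    first_static = next((i for i, c in enumerate(classified) if not c["forward_secret"]), len(classified))
    pfs_first = not any(c["forward_secret"] for c in classified[first_static:])

    seen, duplicates = set(), []
    for s in suites:
        if s in seen and s not in duplicates:
            duplicates.append(s)
        seen.add(s)

    forward_secret = sum(1 for c in classified if c["forward_secret"])
    return {
        "total": len(suites),
        "forward_secret": forward_secret,
        "static_rsa": len(suites) - forward_secret,
        "aead": [c["suite"] for c in classified if c["bulk"] == "AES-GCM"],
        "triple_des": [c["suite"] for c in classified if c["bulk"] == "3DES-CBC"],
        "pfs_first": pfs_first,
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    for key, value in audit_cipher_string(SSL_CIPHER_SUITE).items():
        print("%-15s %s" % (key, value))
```

For the list above the audit reports 19 suites, 12 of them forward secret and all ranked ahead of the 7 static-RSA ones, with DES-CBC3-SHA as the single 3DES entry at the very end, so a client only lands on it if it supports nothing higher in the list. Re-run the audit whenever the string is changed, since a single misplaced entry silently changes what clients negotiate.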

Step 4: Update SimpleSAMLphp

Upgrade SimpleSAMLphp to at least version 1.13.2 (see https://simplesamlphp.org/metaprocessing for more information on handling large metadata feeds such as the eduGAIN feed).

The following steps configure SimpleSAMLphp to use the new pyFF Discovery Service.

  • In authsources.php (/var/simplesamlphp/config/authsources.php), remove the idp value and set discoURL:
    • In the default-sp section set (replace <YOUR_DOMAIN> with your domain, see "Create Apache proxy for pyFF" above):
      • 'idp' => NULL,
      • 'discoURL' => 'https://ds.<YOUR_DOMAIN>/role/idp.ds?entity_filter=http://pyff.io/category/discoverable',

  • Set up automatic updating of the SimpleSAMLphp metadata from the pyFF metadata feed by configuring the metarefresh module (config-metarefresh.php):

<?php
$config = array(
    'sets' => array(
        'edugain' => array(
            'cron' => array('daily'),
            'sources' => array(
                array(
                    'src' => 'http://localhost:81/role/idp.xml',
                ),
            ),
            'expireAfter' => 60*60*24*4, // Maximum 4 days cache time.
            'outputDir' => 'metadata/metarefresh-edugain/',
            'outputFormat' => 'flatfile',
        ),
    ),
);
  • In the main config.php file modify the metadata.sources directive:
'metadata.sources' => array(
    array('type' => 'flatfile'),
    array('type' => 'flatfile', 'directory' => '/var/simplesamlphp/metadata/metarefresh-edugain'),
),