Let's check the SAML authentication of cybozu.com from python (pysaml2).
hostname
Download the zip file from the link below.
wget https://github.com/rohe/pysaml2/archive/master.zip
```bash
unzip master.zip
cd ./pysaml2-master
```
```bash
sudo pip install --upgrade pip
sudo pip install repoze.who
sudo yum install libffi libffi-devel
sudo yum install gcc
sudo python setup.py install
```
Change to the sample program directory.
cd ./pysaml2-master/example
```bash
sudo pip install mako
sudo pip install "cherrypy==7.1.0"
sudo yum install xmlsec1 xmlsec1-openssl
sudo pip install pycryptodomex
```
```bash
./all.sh start
```
If you see the following message, maybe OK
```bash
$ SP listening on localhost:8087
$ IDP listening on localhost:8088
```
Exit the sample program.
```bash
./all.sh stop
```
Add the following settings to iptables.
-A INPUT -p tcp -m tcp --dport 8087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
sudo service iptables restart
```bash
./create_key.sh
Generating a new test key and certificate. To change the defaults offered
by openssl, edit your openssl.cnf, such as /etc/ssl/openssl.cnf
Generating RSA private key, 1024 bit long modulus
..................++++++
...........++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:[Prefectures]
Locality Name (eg, city) [Default City]:[Municipality]
Organization Name (eg, company) [Default Company Ltd]:[Company name]
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server s hostname) []:[FQDN]
Email Address []:[mail address]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[password]
An optional company name []:[Company name]
Signature ok
subject=/C=JP/ST=[Prefectures]/L=[Municipality]/O=[Company name]/CN=[FQDN]/emailAddress=[mail address]
Getting Private key
Now to enable these new keys, do:
cp server.key idp2/pki/mykey.pem
cp server.crt idp2/pki/mycert.pem
cp server.key sp-wsgi/pki/mykey.pem
cp server.crt sp-wsgi/pki/mycert.pem
```
Copy the certificate you created.
```bash
cp server.key idp2/pki/mykey.pem
cp server.crt idp2/pki/mycert.pem
cp server.key sp-wsgi/pki/mykey.pem
cp server.crt sp-wsgi/pki/mycert.pem
```
```bash
29c29
< HOST = 'localhost'
---
> HOST = '0.0.0.0'
35c35
< BASE = "https://%s:%s" % (HOST, PORT)
---
> BASE = "https://%s:%s" % ("[FQDN]", PORT)
37c37
< BASE = "http://%s:%s" % (HOST, PORT)
---
> BASE = "http://%s:%s" % ("[FQDN]", PORT)
40,41c40,41
< SERVER_CERT = "pki/mycert.pem"
< SERVER_KEY = "pki/mykey.pem"
---
> SERVER_CERT = "[Relative path to the public key of the server certificate]"
> SERVER_KEY = "[Relative path to the private key of the server certificate]"
```
* ./pysaml2-master/example/sp-wsgi/service_conf.py
```bash
4c4
< HOST = 'localhost'
---
> HOST = '0.0.0.0'
20,21c20,21
< SERVER_CERT = "pki/mycert.pem"
< SERVER_KEY = "pki/mykey.pem"
---
> SERVER_CERT = "[Relative path to the public key of the server certificate]"
> SERVER_KEY = "[Relative path to the private key of the server certificate]"
```
* ./pysaml2-master/example/sp-wsgi/sp_conf.py
```bash
18c18
< BASE = "http://localhost:8087"
---
> BASE = "http://[FQDN]:8087"
21c21
< "entityid": "%s/%ssp.xml" % (BASE, ""),
---
> "entityid": "%s/%sp.xml" % (BASE, ""),
```
```bash
./all.sh start
```
![FireShot Capture 46 - IDP test login_ - https___pysaml2.genbacloud.com_8088_sso_redirect.png](https://qiita-image-store.s3.amazonaws.com/0/161939/ca8fae4f-c025-b648-f536-fd5afbd0c1a9.png)
![FireShot Capture 45 - - http___pysaml2.genbacloud.com_8087_.png](https://qiita-image-store.s3.amazonaws.com/0/161939/7739181d-b6d4-6cfb-84a0-cdf2d1c5ab5b.png)
Exit the sample program.
```bash
./all.sh stop
```
Modify the sample program.
528a538
> "[mail address]": "[password]",
37a38,60
> "[mail address]": {
> "sn": "Testsson",
> "givenName": "Test",
> "eduPersonAffiliation": "student",
> "eduPersonScopedAffiliation": "[email protected]",
> "eduPersonPrincipalName": "[email protected]",
> "uid": "[mail address]",
> "eduPersonTargetedID": "one!for!all",
> "c": "SE",
> "o": "Example Co.",
> "ou": "IT",
> "initials": "P",
> "co": "co",
> "mail": "mail",
> "noreduorgacronym": "noreduorgacronym",
> "schacHomeOrganization": "example.com",
> "email": "[mail address]",
> "displayName": "Test Testsson",
> "labeledURL": "http://www.example.com/test My homepage",
> "norEduPersonNIN": "SE199012315555",
> "postaladdress": "postaladdress",
> "cn": "cn"
> },
The settings on the cybozu.com side are described in the same way in the previous article, so refer to that.
Store the downloaded cybozu.com Service Provider metadata (spmetadata.xml) in a suitable location.
Modify the sample program.
48a49,50
> from saml2.saml import NameID
> from saml2.saml import NAMEID_FORMAT_TRANSIENT
341a344,345
> nameid = NameID(
> format=NAMEID_FORMAT_TRANSIENT, text=identity["uid"])
344a349,350
> name_id=nameid,
> sign_response=True,
117c117,124
< "local": [full_path("../sp-wsgi/sp.xml")],
---
> "local": [full_path("../sp-wsgi/sp.xml"), full_path("[cybozu.Relative path to com Service Provider metadata]")],
> #"inline":
> #"remote": [
> # {"url": "",
> # "cert": ""}],
> #"mdfile":
> #"loader":
> #"mdq":
After logging in from the pysaml2 login screen, if the cybozu.com screen is displayed, OK !!
First, install pysaml2. If you get an error, run sudo python setup.py install
, check the log, and install the necessary libraries one by one.
The same applies to the execution of the sample program. I ran ./all.sh start
to install the required libraries.
Cherrypy seems to be useless unless it is 7.1.0, so be careful.
pycryptodomex is not pycryptodome, but pycryptodomex, so be careful there as well.
So, I was most addicted to it, or what I didn't understand was "7. Set the SP of cybozu.com on the pysaml2 side".
If ./pysaml2-master/example/idp2/idp.py
is left as it is, the following error will be displayed.
If you add sign_response = True,
to the argument of create_authn_response
and deal with it ...
Then the following error is displayed
I felt like I was able to add name_id = nameid,
and work together !!
./pysaml2-master/tests/
. It took a long time because I understood the SAML specifications. When I finished, I added a few lines ...For the time being, it was good to be able to confirm. Maybe I have to study a little more to deepen my understanding of the SAML specifications ...
Recommended Posts