Check cybozu.com's SAML authentication from python (pysaml2)

0. Introduction

Let's check the SAML authentication of cybozu.com from python (pysaml2).

1. 1. Create an EC2 instance for Amazon Linux

  1. From the E2 console page, select the Amazon Linux AMI and create an EC2 instance.
    • AMI ID :
      • amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2 (ami-923d12f5)
    • Instance Type :
      • t2.micro
    • Security Groups :
      • SSH
      • HTTPS

  2. Then assign an Elastic IP.

2. Set initial settings and security settings

  1. Make general initial settings and security settings.

3. 3. Install pysaml2

  1. Download the zip file from the link below.

    wget https://github.com/rohe/pysaml2/archive/master.zip
    

1. Unzip the downloaded zip file and change to the unzipped directory.
```bash
unzip master.zip
cd ./pysaml2-master
```

1. Install pysaml2.
```bash
sudo pip install --upgrade pip
sudo pip install repoze.who
sudo yum install libffi libffi-devel
sudo yum install gcc
sudo python setup.py install
```

4. Start the sample program

  1. Change to the sample program directory.

    cd ./pysaml2-master/example
    

1. Install the required libraries.
```bash
sudo pip install mako
sudo pip install "cherrypy==7.1.0"
sudo yum install xmlsec1 xmlsec1-openssl
sudo pip install pycryptodomex
```

1. Run the sample program.
```bash
./all.sh start
```

If you see the following message, maybe OK

```bash
$ SP listening on localhost:8087
$ IDP listening on localhost:8088
```

Exit the sample program.

```bash
./all.sh stop
```

5. Make settings for external connection

  1. Add the following settings to iptables.

    -A INPUT -p tcp -m tcp --dport 8087 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
    
    sudo service iptables restart
    

1. Add the following settings to the security group. * TCP 8087 0.0.0.0/0 * TCP 8088 0.0.0.0/0

1. Store the server certificate file (public key, private key) in a suitable location for HTTPS connection. * Public key of server certificate: * .cert * Server certificate private key: * .key

1. Create a new certificate for authentication.
```bash
./create_key.sh

Generating a new test key and certificate.  To change the defaults offered
by openssl, edit your openssl.cnf, such as /etc/ssl/openssl.cnf

Generating RSA private key, 1024 bit long modulus
..................++++++
...........++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:[Prefectures]
Locality Name (eg, city) [Default City]:[Municipality]
Organization Name (eg, company) [Default Company Ltd]:[Company name]
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server s hostname) []:[FQDN]
Email Address []:[mail address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[password]
An optional company name []:[Company name]
Signature ok
subject=/C=JP/ST=[Prefectures]/L=[Municipality]/O=[Company name]/CN=[FQDN]/emailAddress=[mail address]
Getting Private key

Now to enable these new keys, do:

    cp server.key idp2/pki/mykey.pem
    cp server.crt idp2/pki/mycert.pem

    cp server.key sp-wsgi/pki/mykey.pem
    cp server.crt sp-wsgi/pki/mycert.pem
```

Copy the certificate you created.

```bash
cp server.key idp2/pki/mykey.pem
cp server.crt idp2/pki/mycert.pem

cp server.key sp-wsgi/pki/mykey.pem
cp server.crt sp-wsgi/pki/mycert.pem
```

1. Modify the sample program.
* ./pysaml2-master/example/idp2/idp_conf.py
```bash
29c29
< HOST = 'localhost'
---
> HOST = '0.0.0.0'
35c35
<     BASE = "https://%s:%s" % (HOST, PORT)
---
>     BASE = "https://%s:%s" % ("[FQDN]", PORT)
37c37
<     BASE = "http://%s:%s" % (HOST, PORT)
---
>     BASE = "http://%s:%s" % ("[FQDN]", PORT)
40,41c40,41
< SERVER_CERT = "pki/mycert.pem"
< SERVER_KEY = "pki/mykey.pem"
---
> SERVER_CERT = "[Relative path to the public key of the server certificate]"
> SERVER_KEY = "[Relative path to the private key of the server certificate]"
```
* ./pysaml2-master/example/sp-wsgi/service_conf.py

```bash
4c4
< HOST = 'localhost'
---
> HOST = '0.0.0.0'
20,21c20,21
< SERVER_CERT = "pki/mycert.pem"
< SERVER_KEY = "pki/mykey.pem"
---
> SERVER_CERT = "[Relative path to the public key of the server certificate]"
> SERVER_KEY = "[Relative path to the private key of the server certificate]"
```
* ./pysaml2-master/example/sp-wsgi/sp_conf.py

```bash
18c18
< BASE = "http://localhost:8087"
---
> BASE = "http://[FQDN]:8087"
21c21
<     "entityid": "%s/%ssp.xml" % (BASE, ""),
---
>     "entityid": "%s/%sp.xml" % (BASE, ""),
```

1. Run the sample program.
```bash
./all.sh start
```

1. Access the following site and log in.
* http://[FQDN]:8087/ * Login information is described in `./pysaml2-master/example/idp2/idp.py` (line 528). * Do not use `daev0001` as it will cause an error !!
![FireShot Capture 46 - IDP test login_ - https___pysaml2.genbacloud.com_8088_sso_redirect.png](https://qiita-image-store.s3.amazonaws.com/0/161939/ca8fae4f-c025-b648-f536-fd5afbd0c1a9.png)

![FireShot Capture 45 -  - http___pysaml2.genbacloud.com_8087_.png](https://qiita-image-store.s3.amazonaws.com/0/161939/7739181d-b6d4-6cfb-84a0-cdf2d1c5ab5b.png)

Exit the sample program.

```bash
./all.sh stop
```

6. Set up a link account on the pysaml2 side

  1. Modify the sample program.

    • ./pysaml2-master/example/idp2/idp.py
    528a538
    >     "[mail address]": "[password]",
    
    • ./pysaml2-master/example/idp2/idp_conf.py
    37a38,60
    >     "[mail address]": {
    >         "sn": "Testsson",
    >         "givenName": "Test",
    >         "eduPersonAffiliation": "student",
    >         "eduPersonScopedAffiliation": "[email protected]",
    >         "eduPersonPrincipalName": "[email protected]",
    >         "uid": "[mail address]",
    >         "eduPersonTargetedID": "one!for!all",
    >         "c": "SE",
    >         "o": "Example Co.",
    >         "ou": "IT",
    >         "initials": "P",
    >         "co": "co",
    >         "mail": "mail",
    >         "noreduorgacronym": "noreduorgacronym",
    >         "schacHomeOrganization": "example.com",
    >         "email": "[mail address]",
    >         "displayName": "Test Testsson",
    >         "labeledURL": "http://www.example.com/test My homepage",
    >         "norEduPersonNIN": "SE199012315555",
    >         "postaladdress": "postaladdress",
    >         "cn": "cn"
    >     },
    

1. Run the sample program and verify your login to the site.

7. Make settings on the cybozu.com side

The settings on the cybozu.com side are described in the same way in the previous article, so refer to that.

  1. Set up SP on cybozu.com
  1. Add linked users to cybozu.com

8. Set the SP of cybozu.com on the pysaml2 side

  1. Store the downloaded cybozu.com Service Provider metadata (spmetadata.xml) in a suitable location.

  2. Modify the sample program.

    • ./pysaml2-master/example/idp2/idp.py
    48a49,50
    > from saml2.saml import NameID
    > from saml2.saml import NAMEID_FORMAT_TRANSIENT
    341a344,345
    >                 nameid = NameID(
    >                     format=NAMEID_FORMAT_TRANSIENT, text=identity["uid"])
    344a349,350
    >                     name_id=nameid,
    >                     sign_response=True,
    
    • ./pysaml2-master/example/idp2/idp_conf.py
    117c117,124
    <         "local": [full_path("../sp-wsgi/sp.xml")],
    ---
    >         "local": [full_path("../sp-wsgi/sp.xml"), full_path("[cybozu.Relative path to com Service Provider metadata]")],
    >         #"inline":
    >         #"remote": [
    >         #    {"url": "",
    >         #     "cert": ""}],
    >         #"mdfile":
    >         #"loader":
    >         #"mdq":
    

1. Run the sample program, go to the cybozu.com site, and confirm your login.

After logging in from the pysaml2 login screen, if the cybozu.com screen is displayed, OK !!

99. Addictive point

If you add sign_response = True, to the argument of create_authn_response and deal with it ...

I felt like I was able to add name_id = nameid, and work together !!

XX. Summary

For the time being, it was good to be able to confirm. Maybe I have to study a little more to deepen my understanding of the SAML specifications ...

Recommended Posts

Check cybozu.com's SAML authentication from python (pysaml2)
Try IAM Database Authentication from Python
Check installed modules from Python scripts
MeCab from Python
Python Https Authentication
Use thingsspeak from python
Touch MySQL from Python 3
Operate Filemaker from Python
Use fluentd from python
Access bitcoind from python
Changes from Python 3.0 to Python 3.5
Changes from Python 2 to Python 3.0
Use MySQL from Python
Run python from excel
Install python from source
Execute command from Python
Operate neutron from Python!
Use MySQL from Python
Operate LXC from Python
Manipulate riak from python
Force Python from Fortran
Domain check with Python
Use BigQuery from python.
Execute command from python
Check Python # type identity
[Python] Read From Stdin
Check version with python
Use mecab-ipadic-neologd from python