Check cybozu.com's SAML authentication from python (pysaml2)

0. Introduction

Let's check the SAML authentication of cybozu.com from python (pysaml2).

1. 1. Create an EC2 instance for Amazon Linux

1. From the E2 console page, select the Amazon Linux AMI and create an EC2 instance.
   • AMI ID :
     • amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2 (ami-923d12f5)
   • Instance Type :
     • t2.micro
   • Security Groups :
     • SSH
     • HTTPS
       
       
2. Then assign an Elastic IP.

2. Set initial settings and security settings

1. Make general initial settings and security settings.

• Setting the root user password
• Change host name * /etc/sysconfig/network * /etc/hosts * hostname
• Japanese setting * /etc/sysconfig/i18n
• Time zone setting * /etc/cloud/cloud.cfg * /etc/sysconfig/clock * /etc/localtime
• SSH settings
• iptables settings * SSH * HTTPS

3. 3. Install pysaml2

1. Download the zip file from the link below.

   • rohe/pysaml2: Python implementation of SAML2

   wget https://github.com/rohe/pysaml2/archive/master.zip
   

```bash
unzip master.zip
cd ./pysaml2-master
```

```bash
sudo pip install --upgrade pip
sudo pip install repoze.who
sudo yum install libffi libffi-devel
sudo yum install gcc
sudo python setup.py install
```

4. Start the sample program

1. Change to the sample program directory.

   cd ./pysaml2-master/example
   

```bash
sudo pip install mako
sudo pip install "cherrypy==7.1.0"
sudo yum install xmlsec1 xmlsec1-openssl
sudo pip install pycryptodomex
```

```bash
./all.sh start
```

If you see the following message, maybe OK

```bash
$ SP listening on localhost:8087
$ IDP listening on localhost:8088
```

Exit the sample program.

```bash
./all.sh stop
```

5. Make settings for external connection

1. Add the following settings to iptables.

   -A INPUT -p tcp -m tcp --dport 8087 -j ACCEPT
   -A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
   

   sudo service iptables restart
   

```bash
./create_key.sh

Generating a new test key and certificate.  To change the defaults offered
by openssl, edit your openssl.cnf, such as /etc/ssl/openssl.cnf

Generating RSA private key, 1024 bit long modulus
..................++++++
...........++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:[Prefectures]
Locality Name (eg, city) [Default City]:[Municipality]
Organization Name (eg, company) [Default Company Ltd]:[Company name]
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server s hostname) []:[FQDN]
Email Address []:[mail address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[password]
An optional company name []:[Company name]
Signature ok
subject=/C=JP/ST=[Prefectures]/L=[Municipality]/O=[Company name]/CN=[FQDN]/emailAddress=[mail address]
Getting Private key

Now to enable these new keys, do:

    cp server.key idp2/pki/mykey.pem
    cp server.crt idp2/pki/mycert.pem

    cp server.key sp-wsgi/pki/mykey.pem
    cp server.crt sp-wsgi/pki/mycert.pem
```

Copy the certificate you created.

```bash
cp server.key idp2/pki/mykey.pem
cp server.crt idp2/pki/mycert.pem

cp server.key sp-wsgi/pki/mykey.pem
cp server.crt sp-wsgi/pki/mycert.pem
```

```bash
29c29
< HOST = 'localhost'
---
> HOST = '0.0.0.0'
35c35
<     BASE = "https://%s:%s" % (HOST, PORT)
---
>     BASE = "https://%s:%s" % ("[FQDN]", PORT)
37c37
<     BASE = "http://%s:%s" % (HOST, PORT)
---
>     BASE = "http://%s:%s" % ("[FQDN]", PORT)
40,41c40,41
< SERVER_CERT = "pki/mycert.pem"
< SERVER_KEY = "pki/mykey.pem"
---
> SERVER_CERT = "[Relative path to the public key of the server certificate]"
> SERVER_KEY = "[Relative path to the private key of the server certificate]"
```
* ./pysaml2-master/example/sp-wsgi/service_conf.py

```bash
4c4
< HOST = 'localhost'
---
> HOST = '0.0.0.0'
20,21c20,21
< SERVER_CERT = "pki/mycert.pem"
< SERVER_KEY = "pki/mykey.pem"
---
> SERVER_CERT = "[Relative path to the public key of the server certificate]"
> SERVER_KEY = "[Relative path to the private key of the server certificate]"
```
* ./pysaml2-master/example/sp-wsgi/sp_conf.py

```bash
18c18
< BASE = "http://localhost:8087"
---
> BASE = "http://[FQDN]:8087"
21c21
<     "entityid": "%s/%ssp.xml" % (BASE, ""),
---
>     "entityid": "%s/%sp.xml" % (BASE, ""),
```

```bash
./all.sh start
```

![FireShot Capture 46 - IDP test login_ - https___pysaml2.genbacloud.com_8088_sso_redirect.png](https://qiita-image-store.s3.amazonaws.com/0/161939/ca8fae4f-c025-b648-f536-fd5afbd0c1a9.png)

![FireShot Capture 45 -  - http___pysaml2.genbacloud.com_8087_.png](https://qiita-image-store.s3.amazonaws.com/0/161939/7739181d-b6d4-6cfb-84a0-cdf2d1c5ab5b.png)

Exit the sample program.

```bash
./all.sh stop
```

6. Set up a link account on the pysaml2 side

1. Modify the sample program.
   

   • ./pysaml2-master/example/idp2/idp.py

   528a538
   >     "[mail address]": "[password]",
   

   • ./pysaml2-master/example/idp2/idp_conf.py

   37a38,60
   >     "[mail address]": {
   >         "sn": "Testsson",
   >         "givenName": "Test",
   >         "eduPersonAffiliation": "student",
   >         "eduPersonScopedAffiliation": "[email protected]",
   >         "eduPersonPrincipalName": "[email protected]",
   >         "uid": "[mail address]",
   >         "eduPersonTargetedID": "one!for!all",
   >         "c": "SE",
   >         "o": "Example Co.",
   >         "ou": "IT",
   >         "initials": "P",
   >         "co": "co",
   >         "mail": "mail",
   >         "noreduorgacronym": "noreduorgacronym",
   >         "schacHomeOrganization": "example.com",
   >         "email": "[mail address]",
   >         "displayName": "Test Testsson",
   >         "labeledURL": "http://www.example.com/test My homepage",
   >         "norEduPersonNIN": "SE199012315555",
   >         "postaladdress": "postaladdress",
   >         "cn": "cn"
   >     },
   

7. Make settings on the cybozu.com side

The settings on the cybozu.com side are described in the same way in the previous article, so refer to that.

• Check SAML authentication for OpenAM and cybozu \ .com -Qiita
  
  

1. Set up SP on cybozu.com

• Enable SAML authentication: ☑︎
• Identity Provider SSO Endpoint URL (HTTP-Redirect): https://[FQDN]:8088/sso/redirect
• URL to transition to after logging out from cybozu.com: http://[FQDN]:8087/logout?goto=http://[FQDN]:8087/
• Public key certificate used by the Identity Provider for signing: Upload the created certificate (server.crt).
• Download Service Provider metadata
• Click the link to download the file as it is required to configure the SP for pysaml2. (spmetadata.xml)
  
  

1. Add linked users to cybozu.com

• • Follow the procedure

8. Set the SP of cybozu.com on the pysaml2 side

1. Store the downloaded cybozu.com Service Provider metadata (spmetadata.xml) in a suitable location.
   
   

2. Modify the sample program.
   

   • ./pysaml2-master/example/idp2/idp.py

   48a49,50
   > from saml2.saml import NameID
   > from saml2.saml import NAMEID_FORMAT_TRANSIENT
   341a344,345
   >                 nameid = NameID(
   >                     format=NAMEID_FORMAT_TRANSIENT, text=identity["uid"])
   344a349,350
   >                     name_id=nameid,
   >                     sign_response=True,
   

   • ./pysaml2-master/example/idp2/idp_conf.py

   117c117,124
   <         "local": [full_path("../sp-wsgi/sp.xml")],
   ---
   >         "local": [full_path("../sp-wsgi/sp.xml"), full_path("[cybozu.Relative path to com Service Provider metadata]")],
   >         #"inline":
   >         #"remote": [
   >         #    {"url": "",
   >         #     "cert": ""}],
   >         #"mdfile":
   >         #"loader":
   >         #"mdq":
   

After logging in from the pysaml2 login screen, if the cybozu.com screen is displayed, OK !!

99. Addictive point

• First, install pysaml2. If you get an error, run sudo python setup.py install, check the log, and install the necessary libraries one by one.
  
  

• The same applies to the execution of the sample program. I ran ./all.sh start to install the required libraries.

• Cherrypy seems to be useless unless it is 7.1.0, so be careful.

• pycryptodomex is not pycryptodome, but pycryptodomex, so be careful there as well.
  
  

• So, I was most addicted to it, or what I didn't understand was "7. Set the SP of cybozu.com on the pysaml2 side".

• If ./pysaml2-master/example/idp2/idp.py is left as it is, the following error will be displayed.

  

If you add sign_response = True, to the argument of create_authn_response and deal with it ...

• Then the following error is displayed

  

I felt like I was able to add name_id = nameid, and work together !!

• In both cases, I first looked at the log and then fixed it while checking the test programs under ./pysaml2-master/tests/. It took a long time because I understood the SAML specifications. When I finished, I added a few lines ...
• I also referred to this site.
  • pysaml2.pdf
  • Running the pysaml2 example
• Until SAML authentication is possible -Cybozu Inside Out \ | Cybozu Engineer's Blog
• Troubleshooting SAML Authentication \ | cybozu \ .com Common Management Help

XX. Summary

For the time being, it was good to be able to confirm. Maybe I have to study a little more to deepen my understanding of the SAML specifications ...