Changes

Paul · 6381bfc3
--- a/system/how-to/Configuring-Shibboleth-Auth.md
+++ b/system/how-to/Configuring-Shibboleth-Auth.md
+# samltool.com
+1. Create a self-signing certificate for the RDMS application
+   * We used the service https://www.samltool.com/self_signed_certs.php
+   * Values we filled in
+     ```
+     Country name: United Kingdom
+     State or province: London
+     Organization Name: Cottage Labs
+     Common name, the domain: 
+     Valid days: 365
+     Bits to generate the private key: 1024 bits
+     Digest Algorithm: SHA1
+     ```
+     From here, we got the certificate and certificate key, which we added to the .env file.
+2. Register the metadata with SAML test
+   * Visit https://rdms.cottagelabs.com/users/auth/saml/metadata and save the file locally
+   * Upload the file to https://samltest.id/upload.php (the fetch doesn't seem to work)
+3. Fill in the env file will all of the values needed
+   ```
+   # SAML Login 
+   SAML_SERVICE_URL=https://rdms.cottagelabs.com/users/auth/saml/callback 
+   SAML_IDP_SERVICE_URL=https://samltest.id/saml/idp 
+   SAML_SP_ID=https://rdms.cottagelabs.com/ 
+   SAML_IDP_SSO_SERVICE_URL=https://samltest.id/idp/profile/SAML2/Redirect/SSO 
+   SAML_IDP_CERT=-----BEGIN CERTIFICATE----- MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwgg
+   EKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOEjj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1klbN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF/cL5fOpdVa54wT
+   I0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8nspXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0GA1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVzdC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsFAAOCAQEASk
+   3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHTTNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nblD1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcUZOpx4s
+   wtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu3kXPjhSfj1AJGR1l9JGvJrHki1iHTA== -----END CERTIFICATE----- 
+   SAML_SP_CERTIFICATE=-----BEGIN CERTIFICATE----- xxx -----END CERTIFICATE----- 
+   SAML_SP_CERTIFICATE_KEY=-----BEGIN PRIVATE KEY----- xxx -----END PRIVATE KEY-----
+   SAML_ATTRIBUTE_UID=urn:oasis:names:tc:SAML:attribute:pairwise-id
+   SAML_ATTRIBUTE_NAME=urn:mace:dir:attribute-def:displayName
+   SAML_ATTRIBUTE_EMAIL=urn:mace:dir:attribute-def:mail
+   SAML_ATTRIBUTE_ROLE=urn:mace:dir:attribute-def:eduPersonAffiliation
+   # If Authorization is restricted, only users with affiliation=staff are allowed access
+   SAML_RESTRICT_AUTHORIZATION=true
+   ```
+   The values for the IDP were obtained from https://samltest.id/download/#SAMLtests_IdP
+   The values for the required attributes were taken from discussions recorded in https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/antleaf-projectmanagement/-/issues/24#note_132494 and https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/antleaf-projectmanagement/-/issues/24#note_132512
+   If `SAML_RESTRICT_AUTHORIZATION` is set to `true`, only users with affiliation=staff are allowed access. See [note](https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/antleaf-projectmanagement/-/blob/main/Introduction/RUB%20RDMS%20Authentication%20and%20Authorization.md) and https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/antleaf-projectmanagement/-/issues/164
+4. Reload the environment variables in the container
+   Bring the container down and up again
+5. Test the service is regsitered with SAML test at https://samltest.id/start-sp-test/
+   ```
+   entityID: https://rdms.cottagelabs.com/ 
+   Destination Resource(RelayState, optional): https://rdms.cottagelabs.com/users/auth/saml/callback
+   ```
+   * The entityID is the application URL. 
+   * The destination resource is the callback URL. It works even without it.
+   This should redirect you to a login page within samltest
+   If at this point you get the message the service is not registered, please wait a few minutes. We had to wait about 5 minutes before it started working.
+6. test with the SAML login on the rdms application
+   Visit [Login](https://rdms.cottagelabs.com/users/sign_in?locale=en) -> [Sign in with SAML](https://rdms.cottagelabs.com/users/auth/saml?locale=en)
+   It should redirect you to samltest, get you to add the username and password and redirect to Cottage labs RDMS application.
+# RUB IdP
+Some attributes might be requested via raw OID values, e.g. RUB IdP. See example [here](https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/rdms/-/blob/8c22e9148634561b78bc8271d202ccb2c27a5874/.env.template#L136)