inc-librsvcs - Fwd: [Shib-Users] Ezproxy config for local IDP
Subject: InCommon Library Services
- From: Dean Woodbeck <>
- To: inc-librsvcs <>
- Subject: Fwd: [Shib-Users] Ezproxy config for local IDP
- Date: Wed, 17 Jun 2009 10:55:25 -0400 (EDT)
Not sure how many of you are on the shib users list, but there has been a
discussion about using Shib and EZProxy. This was posted today.
Dean
----- Forwarded Message -----
From: "Franck Borel" <>
To:
Sent: Wednesday, June 17, 2009 3:18:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Shib-Users] Ezproxy config for local IDP
Hi Michael,
>
> I would be very interested in some documentation on how you made it
> all work. At some point (hopefully soon), we are going to switch
> EZProxy from using LDAP Authentication to using Shib with our local
> IdP.
>
I just upgraded our EZProxy to let it speak SAML 2. Here is an example of
how you should configure your EZProxy:
EZProxy
=======
config.txt
------------
..
# Proxy by Hostname
Interface <IP address>
LoginPort 80
LoginPortSSL 443
Interface ANY
LoginPort 2048
Option ProxyByHostname
Option IgnoreWildcardCertificate
RunAs ezproxy:users
Option SafariCookiePatch
MaxVirtualHosts 2000
MaxLifetime 60
MaxSessions 1000
MaxConcurrentTransfers 500
LogFormat %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"
LogFile -strftime /opt/ezproxy-5.1c/log/ezproxy%Y%W.log
LogSPU -strftime /opt/ezproxy-5.1c/log/spu%Y%W.log %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"
Audit Most
AuditPurge 4
ShibbolethMetadata \
-EntityID=https://example.proxy.org/shibboleth-ezproxy \
-File=YOUR-metadata.xml \
-Cert=3
Group databaseuser
..
shibuser.txt
----------------
If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.7, "urn:mace:dir:entitlement:common-lib-terms");
Group +databaseuser
If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.7,"urn:example:admin");
Admin
user.txt
----------
::Shibboleth
IDP20 https://example.org/idp
/Shibboleth
---------
Here is an example of the metadata for the EZProxy:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.org">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>example.org</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=example.org,C=US,ST=Ohio,L=Blabla,OU=Blablablub,O=Blablablubblub</ds:X509SubjectName>
          <ds:X509Certificate>
            YOUR CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>example.org</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=example.org,C=US,ST=Ohio,L=Blabla,OU=Blablablub,O=Blablablubblub</ds:X509SubjectName>
          <ds:X509Certificate>
            YOUR CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.org/Shibboleth.sso/SAML2/POST"
        index="1"></AssertionConsumerService>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://example.org/Shibboleth.sso/SAML/POST"
        index="2"></AssertionConsumerService>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="de">Blablablublub</OrganizationName>
    <OrganizationDisplayName xml:lang="de">blabla</OrganizationDisplayName>
    <OrganizationURL xml:lang="de">http://example.org</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Mr.</GivenName>
    <SurName>Spok</SurName>
    <EmailAddress></EmailAddress>
  </ContactPerson>
</EntityDescriptor>
Hope this helps.
-- Franck
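A consistency check for the setup above, added here as an example; it is not code from the post, from OCLC or from the Shibboleth project. The `-EntityID=` in the `ShibbolethMetadata` stanza of config.txt must be the `entityID` the IdP sees in the metadata file named by `-File=`, and the `KeyDescriptor` elements must carry a real certificate rather than the `YOUR CERTIFICATE` placeholder; in the post the two entityIDs differ (`https://example.proxy.org/shibboleth-ezproxy` versus `https://example.org`), which is exactly the kind of slip that produces an "unknown SP" error at the IdP. The script below reads the stanza (joining backslash-continued lines), parses the SP metadata and reports such mismatches. The function names, the `sample_metadata` builder and all inputs (`CONFIG_TXT`, `BAD_METADATA`, `GOOD_METADATA`, `FAKE_CERT`) are constructed for this demonstration and are assumptions, not anything the post or EZProxy provides.

```python
"""Consistency checks for an EZProxy Shibboleth SP (constructed example)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Bindings an SP may legitimately advertise on an AssertionConsumerService.
KNOWN_ACS_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
    "urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
    "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01",
}


def parse_shibboleth_metadata_stanza(config_text):
    """Return the -Key=value options of the ShibbolethMetadata directive
    (None if absent). A trailing backslash continues the directive."""
    joined = re.sub(r"\\\s*\n\s*", " ", config_text)
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("ShibbolethMetadata"):
            return {m.group(1): m.group(2) for m in re.finditer(r"-(\w+)=(\S+)", line)}
    return None


def looks_like_der_certificate(b64text):
    """True if the text is valid base64 whose payload starts with the DER
    SEQUENCE tag (0x30) that every X.509 certificate begins with."""
    try:
        der = base64.b64decode("".join(b64text.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30


def check_sp_metadata(config_text, metadata_xml):
    """Return a list of findings; an empty list means config and metadata agree."""
    findings = []
    opts = parse_shibboleth_metadata_stanza(config_text)
    if not opts or "EntityID" not in opts:
        return ["config.txt has no ShibbolethMetadata -EntityID= option"]
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not a SAML 2.0 metadata EntityDescriptor"]
    md_entity = root.get("entityID", "")
    if md_entity != opts["EntityID"]:
        findings.append(f"entityID mismatch: config.txt has {opts['EntityID']!r}, "
                        f"metadata has {md_entity!r}")
    # Both key uses must carry something that at least parses as a certificate.
    for use in ("signing", "encryption"):
        path = (f".//{{{MD}}}KeyDescriptor[@use='{use}']/{{{DS}}}KeyInfo/"
                f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        certs = root.findall(path)
        if not certs:
            findings.append(f"no {use} X509Certificate in metadata")
        for cert in certs:
            if not looks_like_der_certificate(cert.text or ""):
                findings.append(f"{use} X509Certificate is a placeholder, not a base64 DER certificate")
    # Every ACS endpoint must be https, use a known binding and a unique index.
    seen_index = set()
    acs_list = root.findall(f".//{{{MD}}}AssertionConsumerService")
    if not acs_list:
        findings.append("no AssertionConsumerService endpoint")
    for acs in acs_list:
        loc, binding, idx = acs.get("Location", ""), acs.get("Binding", ""), acs.get("index")
        if urlparse(loc).scheme != "https":
            findings.append(f"AssertionConsumerService {loc!r} is not https")
        if binding.strip() not in KNOWN_ACS_BINDINGS:
            findings.append(f"unknown ACS binding {binding!r}")
        if idx in seen_index:
            findings.append(f"duplicate AssertionConsumerService index {idx}")
        seen_index.add(idx)
    return findings


# Constructed config.txt fragment shaped like the one in the post.
CONFIG_TXT = """\
Option ProxyByHostname
ShibbolethMetadata \\
-EntityID=https://example.proxy.org/shibboleth-ezproxy \\
-File=YOUR-metadata.xml \\
-Cert=3
Group databaseuser
"""

# Stand-in certificate: base64 of a tiny DER SEQUENCE (NOT a real certificate).
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def sample_metadata(entity_id, cert_text):
    """Build a minimal SP EntityDescriptor for the demo (constructed input)."""
    return f"""<EntityDescriptor xmlns="{MD}" entityID="{entity_id}">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>{cert_text}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>{cert_text}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.proxy.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


# Mirrors the post: entityID differs from config.txt and the cert is a placeholder.
BAD_METADATA = sample_metadata("https://example.org", "YOUR CERTIFICATE")
GOOD_METADATA = sample_metadata("https://example.proxy.org/shibboleth-ezproxy", FAKE_CERT)

if __name__ == "__main__":
    for name, md in (("bad", BAD_METADATA), ("good", GOOD_METADATA)):
        print(name, check_sp_metadata(CONFIG_TXT, md) or ["OK"])
```

Run against the real files by replacing `CONFIG_TXT` with the contents of config.txt and the metadata string with the file named in `-File=`; the structural certificate check only confirms that the element holds base64 DER, so pair it with a proper parse (for example `openssl x509 -noout -subject`) before publishing the metadata to an IdP or federation.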