These scripts are for deploying a Where-Are-You-From (WAYF) service for an RCauth online CA. It is running as an Identity Provider-proxy in front of an RCauth Delegation Server.
There are three roles:
- common - contains only the variables common to the every role.
- basic - sets up the host apart from the SimpleSAMLphp installation
- simplesamlphp - sets up SimpleSAMLphp, starting from a upstream tarball,
with a large number of patches installed on top. In addition, there is a
special
rcauth
module installed, providing two filters and a theme.
There is only a single playbook, wayf.yml, that runs all the roles.
-
You need to have a host certificate ready for the WAYF. Place your PEM formatted certificate and key file in the roles/basic/files/ directory (see the *.crt.PLACEHOLDER and *.key.PLACEHOLDER files).
It is assumed you will be using a certificate from one of the standard browser-supported CAs. In case of a sub-CA you also will need to specify thehostcert_intermediate
variable to the correct PEM file on the remote host (see further below on how to configure variables) and make sure it is present in the roles/basic/files/ (see the *.chain.PLACEHOLDER). -
You need to have a SAML metadata certificate ready for the WAYF. Place the PEM formatted certificate and key file in the roles/basic/files/ directory. If you don't have them yet, you can create one using e.g.
FQDN=<ssp_hostname> openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes \ -out saml-cert-${FQDN}.pem -keyout saml-key-${FQDN}.pem \ -subj "/CN=${FQDN}"`
-
Create a directory under config/ with the files as indicated in the example config/PLACEHOLDER/ directory. You will need to change several of the default variables.
Note that the defaults are set in the defaults/main.yml files of the different roles, while the files under the config directory are there to override those defaults. -
You need to make an 'inventory' file containing the FQDN of the host, see hosts.inventory.PLACEHOLDER for an example. Note that the FQDN set in the 'inventory' file can be different from the hostname used in the WAYF's URL, the latter being set using the
ssp_hostname
variable by the common role. The inventory file also should point to the configuration directory as described in the previous point. -
You will need to provide the correct certificate and URL for the eduGAIN metadata feed you will be using. Specify both as
edugain_cert
andedugain_url
in the simplesamlphp_env.yml file. Put the certificate in the roles/simplesamlphp/files directory. For SURFconext you can find the URL and certificate at https://metadata.surfconext.nl/. -
You will need to create and set the different secrets as indicated in the example secrets_env.yml file.
-
The current scripts have been tested against SimpleSAMLphp version 1.18, for different versions you will need to adapt the patches.
-
Several remote IdP and SP metadata files are included under roles/simplesamlphp/files/metadata. For the IdPs in the form of an .orig file plus a corresponding .patch. Which metadata is installed is defined by the 4 variables {prod,test}_{idp,sp}_remotes defined in the simplesamlphp role.