...
How to install and configure gridshib and SAML tools for gatekeeper
############################################################
# Gridshib for GT4 #
############################################################
...
==> ant deploy deploy-echoservice (if previous one is installed, try ant undeploy undeploy-echoservice)
2. Follow the instructions at http://gridshib.globus.org/docs/gridshib-gt-0.5.1/admin-index.html
3. There will be errors if the "shibechoservice" configuration is not changed.
...
/O=Grid/OU=GlobusTest/OU=simpleCA-gatekeeper.rcac.purdue.edu/OU=rcac.purdue.edu/CN=VMware
iii) Start the container
4. ### LOG statement settings ###
...
This logging statement helps a lot!
Then start the container
5. Before running ShibEchoService, configure $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1
...
<parameter name="shibecho-SPproviderId" value="https://globus.org/gridshib"/>
...
<parameter name="shibecho-SPproviderId" value="urn:mace:inqueue"/>
<parameter name="shibecho-IdPproviderId" value="https://idp.example.org/shibboleth"/>
...
<parameter name="shibecho-IdPproviderId" value="https://shadow120.punch.purdue.edu/shibboleth"/>
<parameter name="shibecho-AAUrl" value="https://idp.example.org:8443/shibboleth-idp/AA"/>
...
<parameter name="shibecho-AAUrl" value="https://shadow120.punch.purdue.edu:8443/shibboleth-idp/AA"/>
2) Change "echo-attr-authz.xml"
* <saml:Attribute AttributeName="urn:mace:dir:attribute-def:countryresident" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<saml:AttributeValue>US</saml:AttributeValue> : "countryresident" and "US" are added
* <username>user1</username> : "user1" is added
3) Put the DN into trusted_authn_authorities.txt (do not put vmware at the end of the line), as mentioned above
...
entityID="urn:mace:inqueue:shadow120.punch.purdue.edu"
<shibmd:Scope regexp="false">scope.edu</shibmd:Scope>
...
Location="https://shadow120.punch.purdue.edu:8443/shibboleth-idp/AA"
* Replace the existing attributes with the attribute (with value) to test
...
<saml:AttributeValue>US</saml:AttributeValue>
</saml:Attribute>
6. Before running ShibEchoService, put the Shibboleth IdP CA's cert into /etc/grid-security/certificate
...
5) A validates G by trusting G' (G', the CA cert, is in the IdP's metadata file, IQ-meta.xml in my case)
7. Before running ShibEchoService, configure the Shibboleth IdP side (shadow120.punch.purdue.edu)
...
==> truststoreFile="/opt/cacerts" truststorePass="*****"
5) Run Tomcat again.
8. Run "ShibEchoService" at the client
==> shibecho -s https://gatekeeper.rcac.purdue.edu:8443/wsrf/services/ShibEchoService
##################################################
# SAML-TOOLS #
##################################################
1. Install gridshib-saml-tools-0_1_3.tar.gz at the client host
==> download from http://gridshib.globus.org/download.html
2. export GRIDSHIB_HOME=/opt/gridshib-saml-tools-0_1_3
3. Change gridshib-saml-issuer.properties (/opt/gridshib-saml-tools-0_1_3/etc/gridshib/tools/gridshib-saml-issuer.properties)
...
keyLocation=file:///home/wlee/.globus/userkey.pem
4. Change the mode of gridshib-saml-issuer and java to 744 (in /opt/gridshib-saml-tools-0_1_3/)
5. Run one of the following:
$ gridshib-saml-issuer --user wlee --authn --x509 --outfile /tmp/x509up_u1000
$ gridshib-saml-issuer --user user1 --outfile /tmp/x509up_u1000 --authn --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 128.210.189.246
6. Check the proxy
$ openssl x509 -text -noout -in /tmp/x509up_u1000
...
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  AssertionID="_8bf376635a93560be5a3a690437fcb9e" IssueInstant="2007-02-06T18:57:22.984Z"
  Issuer="O=Grid,OU=GlobusTest,OU=simpleCA-gatekeeper.rcac.purdue.edu,OU=rcac.purdue.edu,CN=VMware"
  MajorVersion="1" MinorVersion="1">
  <AuthenticationStatement AuthenticationInstant="2007-02-06T18:57:19.975Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject>
      <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="urn:mace:inqueue:shadow120.punch.purdue.edu">user1</NameIdentifier>
    </Subject>
    <SubjectLocality IPAddress="128.210.189.246"></SubjectLocality>
  </AuthenticationStatement>
  <AttributeStatement>
    <Subject>
      <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="urn:mace:inqueue:shadow120.punch.purdue.edu">user1</NameIdentifier>
    </Subject>
    <Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <AttributeValue xsi:type="xsd:string">http://www.nanohub.org</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
#####################################################################
# HOW TO Configure for other services #
#####################################################################
...
==> put <authz value="counter:org.globus.gridshib.SAMLAuthnPIP counter:org.globus.gridshib.PDP"/> (counter is an arbitrary scope name)
2. Put parameters at the server-config.wsdd file
...
(create trusted_authn_authorities.txt file)
3. Change the appropriate attributes in the attr-authz.xml file (e.g. to use the countryresident attribute, put one of its values)
...
<saml:AttributeValue>US</saml:AttributeValue>
4. Run SecureCounterService
...
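As an added example that is not part of these notes or of GridShib itself: a Python sketch that parses an assertion of the shape shown in the SAML-TOOLS section and applies the two checks the steps above configure, the issuer list in trusted_authn_authorities.txt and the attribute/value from attr-authz.xml. The assertion text and the authorities file contents are constructed, and the function names are assumptions, not the real SAMLAuthnPIP/PDP API.

```python
# Added illustration (not GridShib code): parse a SAML 1.1 assertion of the
# shape gridshib-saml-issuer embeds in the proxy and apply the two checks
# these notes configure: Issuer listed in trusted_authn_authorities.txt, and
# the attribute/value required by attr-authz.xml present. GSI validation of
# the proxy chain is assumed done first; without it the Issuer proves nothing.
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed sample modelled on the assertion printed in step 6 above.
ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema" MajorVersion="1" MinorVersion="1"
 AssertionID="_constructed" IssueInstant="2007-02-06T18:57:22.984Z"
 Issuer="O=Grid,OU=GlobusTest,OU=simpleCA-gatekeeper.rcac.purdue.edu,OU=rcac.purdue.edu,CN=VMware">
 <AuthenticationStatement AuthenticationInstant="2007-02-06T18:57:19.975Z"
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <Subject><NameIdentifier NameQualifier="urn:mace:inqueue:shadow120.punch.purdue.edu">user1</NameIdentifier></Subject>
 </AuthenticationStatement>
 <AttributeStatement><Subject><NameIdentifier>user1</NameIdentifier></Subject>
  <Attribute AttributeName="urn:mace:dir:attribute-def:countryresident"
   AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
   <AttributeValue xsi:type="xsd:string">US</AttributeValue></Attribute>
 </AttributeStatement></Assertion>"""

# Constructed trusted_authn_authorities.txt: one issuer DN per line.
TRUSTED_AUTHORITIES = """# trusted SAML issuers (constructed)
O=Grid,OU=GlobusTest,OU=simpleCA-gatekeeper.rcac.purdue.edu,OU=rcac.purdue.edu,CN=VMware
"""

def parse_assertion(xml_text):
    # Returns the Issuer DN, the authenticated subject and {attribute: [values]}.
    root = ET.fromstring(xml_text)
    subject = root.find(".//" + NS + "NameIdentifier")  # first one: authn subject
    attrs = {a.get("AttributeName"): [v.text for v in a.findall(NS + "AttributeValue")]
             for a in root.iter(NS + "Attribute")}
    return {"issuer": root.get("Issuer"), "subject": subject.text, "attributes": attrs}

def issuer_trusted(issuer, authorities_text):
    # Exact match against the non-blank, non-comment lines of the file.
    lines = [l.strip() for l in authorities_text.splitlines()]
    return issuer in {l for l in lines if l and not l.startswith("#")}

def authorize(xml_text, authorities_text, attr_name, allowed_values):
    # Mirrors the PIP/PDP decision: trusted issuer AND a permitted attribute value.
    a = parse_assertion(xml_text)
    if not issuer_trusted(a["issuer"], authorities_text):
        return False, "issuer not listed in trusted_authn_authorities.txt"
    if not set(a["attributes"].get(attr_name, [])) & set(allowed_values):
        return False, "no permitted value for " + attr_name
    return True, a["subject"]
```

An issuer DN that is absent from the file, or an attribute value outside the permitted set, is rejected before the subject name is ever used.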