FIDO/GLUU Identity Provider: Difference between revisions
Line 45: | Line 45: | ||
[[File:Gluu-login.png|frame|center|Gluu Login]] | [[File:Gluu-login.png|frame|center|Gluu Login]] | ||
You will want to login as '''admin''' with the password specified during the setup step (Password for oxTrust and LDAP superuser) specified earlier. If the login fails, you may need to reboot your system, as some of the required services may not have started on install. | |||
== Create ThumbSignIn Account == | |||
TBD | |||
== Configuring Gluu == | |||
To use the Gluu configuration UI you will need to login to oxAuth. You should be able to do this by following the link provided during install. Once you have logged into Gluu as a superuser, you should see a configuration UI that looks like the following: | |||
[[File:Main Gluu Config.png|frame|center]] | |||
=== Configuring ThumbSignIn Plugin === | |||
TBD | |||
==== Testing ==== | |||
=== Configuring Registration === | |||
TBD - With a link for a more advanced article for custom registration. | |||
=== Configuring SAML Trusted Partners === | |||
TBD - May wish to tweak to insure Gluu doesn't corrupt a working Shibboleth configuration. | |||
== Testing == | == Testing == | ||
It is always a good idea to test and validate a new IDP deployment within a test environment. The [[NIEF Testbed]] is intended for exactly this purpose. | It is always a good idea to test and validate a new IDP deployment within a test environment. The [[NIEF Testbed]] is intended for exactly this purpose. |
Revision as of 16:49, 5 March 2019
This guide describes how to implement a NIEF SAML Identity Provider (IDP) system that authenticates with Fast IDentity Online (FIDO) credentials held on a personal mobile device.
Background
FIDO is a standard for performing multifactor authentication of users by verifying proof of possession of a smart phone, along with requiring the user to authenticate themself to the smart phone with a biometric. This FIDO/Gluu Implementation Guide provides details on how to deploy a NIEF SAML IDP using the Gluu Server along with the ThumbSignIn online FIDO service. The Gluu Server only runs on the Linux operating system (it can be run within a virtual machine or docker container).
This guide is designed around the use of commercial software that has free versions that are sufficient for small and simple deploys:
Getting Started
The Gluu Server runs on various versions of Linux, details of all supported versions can be found within the Gluu Installation Guide. For this guide, we will assume the use of CentOS 7 as it is free and the version of Linux the NIEF team knows best. Prior to installing Gluu update the CentOS selinux settings to permissive within the /etc/selinux/config file.
Installing Gluu
Installing RPMs
It may be easier to follow the detailed Gluu Installation Guide, but the quick version of the install steps are included here. Each of these commands should be executed from a root login on the Linux machine to add/trust the Gluu repository and then install the Gluu Server RPM:
# wget https://repo.gluu.org/centos/Gluu-centos7.repo -O /etc/yum.repos.d/Gluu.repo # wget https://repo.gluu.org/centos/RPM-GPG-KEY-GLUU -O /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-GLUU # yum clean all # yum install gluu-server-3.1.5
Updating Linux Startup
Next you need to update the Linux server to start the Gluu service on boot:
# /sbin/gluu-serverd-3.1.5 enable # /sbin/gluu-serverd-3.1.5 start
Initial Gluu Setup
Finally, you need to login to the Gluu container and configure it for initial use:
# /sbin/gluu-serverd-3.1.5 login # cd /install/community-edition-setup # ./setup.py
This setup script will prompt for a variety of things, most of these should be obvious how to populate or can be left as the default settings. There are three we call out as important:
- Password for oxTrust and LDAP superuser - This password is important for further configuration of the system, be sure to set it to something you can remember and/or use in your password manager.
- Install Apache HTTPD Server - If your Linux deploy already has a working Apache httpd install, you may wish to forgo this and use your configuration of Apache HTTPD. If you prefer to use the Gluu version, you may need to disable the Apache Httpd you have installed.
- Install Shibboleth SAML IDP - This defaults to false, but it is required for our purposes.
At the end of this install you will be redirected to use a browser to point to the configuration GUI for Gluu. If that URL works, you should see a login page that looks like this:
You will want to login as admin with the password specified during the setup step (Password for oxTrust and LDAP superuser) specified earlier. If the login fails, you may need to reboot your system, as some of the required services may not have started on install.
Create ThumbSignIn Account
TBD
Configuring Gluu
To use the Gluu configuration UI you will need to login to oxAuth. You should be able to do this by following the link provided during install. Once you have logged into Gluu as a superuser, you should see a configuration UI that looks like the following:
Configuring ThumbSignIn Plugin
TBD
Testing
Configuring Registration
TBD - With a link for a more advanced article for custom registration.
Configuring SAML Trusted Partners
TBD - May wish to tweak to insure Gluu doesn't corrupt a working Shibboleth configuration.
Testing
It is always a good idea to test and validate a new IDP deployment within a test environment. The NIEF Testbed is intended for exactly this purpose.