Skip to content
This repository has been archived by the owner on Jul 11, 2018. It is now read-only.

Working with the ServiceRegistry

Jump to bottom
Remold edited this page Jul 24, 2015 · 1 revision

Introduction

All administration of entities (Service Providers, Identity Providers) for EngineBlock is done through the ServiceRegistry.

The ServiceRegistry is a SimpleSAMLphp installation with the JANUS metadata registry administration module.

EngineBlock connects with JANUS via its REST API.

Location

The default location for the ServiceRegistry upon installation is: https://serviceregistry.demo.openconext.org

Under the Federation tab, in the Tools section click on JANUS module.

Access

In a standard Openconext demo vm, ServiceRegistry is configured to act as a SAML SP, requiring login with a configured IdP.

By default, it is using the Mujina IdP.

The default Mujina 'admin' account is configured in JANUS with the 'admin' role.

Additional IdPs can be configured using ServiceRegistry itself.

In addition to (dis-)allowing IdPs, specific users must be given access to be able to access the configuration interfaces of OpenConext.

Any user that needs access to either ServiceRegistry, Manage or Grouper must be a member of the 'vomanage' team in the Teams application.

By default the 'admin' user of the Mujina IdP is the owner of the 'vomanage' team.

Fixing login to ServiceRegistry

EngineBlock is down/broken/misconfigured! I can't log in to the ServiceRegistry to fix it?!

I'm here for you. We can fix this. :)

Follow these steps:

  • Log in to the openconext demo server with SSH
  • Go to the serviceregistry directory (probably at /opt/www/OpenConext-serviceregistry/)
  • Edit config/module_janus.php with your favorite editor ('nano' is a simple one)

Change:

'auth' => 'default-sp',
'useridattr' => urn:mace:dir:attribute-def:uid',
#'auth'=>'admin',
#'useridattr' => 'user',

To:

#'auth' => 'default-sp',
#'useridattr' => 'urn:mace:dir:attribute-def:uid',
'auth'=>'admin',
'useridattr' => 'user',
  • Save the file
  • Now log in to JANUS with the password 'admin' and fix the problem!
  • Clear the EngineBlock cache of ServiceRegistry data (log in to the EngineBlock server if the ServiceRegistry is not on the same machine) rm vf /tmp/eb_sr_cache--*
  • Check if you can log in with EngineBlock again
  • Revert the previously made change to the ServiceRegistry.

Users, Login & Roles

JANUS roles & rights

By default JANUS supports multiple user roles.

An admin user can manage the roles for users using the 'Admin' tab of JANUS.

Available roles and :

  • all; Every logged in user can:
    • Add an entity in the 'test' state
    • Edit his/her own entity.
    • Block/unblock an entity in test state.
    • Export the metadata for an entity in test state
  • admin; Users with the admin role can:
    • See all entities
    • Administer the users and connections
    • Export all entity metadata
    • Edit the Attribute Release Policy
  • operations; Users with the operations role can:
    • Subscribe to updates from entities in their 'Inbox'
    • Export all entity metadata
  • secretariat; Users in secretariat can do everything users in operations can, with 1 added right:
    • Block/unblock an entity in 'QA' mode
  • technical; Users in technical can disable consent for entities in the QA state.
    • support
    • administrative
    • billing
    • other

Removing users

Use the admin tab

ToDo

Removing entities (Service Providers or Identity Providers)

Use the connections tab

ToDo

Workflows

Adding SAML entities

Adding a Service Provider

When creating a new entry for a SP, the you will first see the JANUS dashboard.

On the Connections tab, click the Options link and the fields for a new connection will be shown.

Create a new connection

In the new connection id, enter the entityID of the SP.

Note that at first, this field only accepts input that is a correct URI.

As the type, choose "SAML 2.0 SP" and click Create.

Do not enter XML into the "Create entity from XML" field.

Next, you will see the newly created SP in the SP list as "- r0".

When we've provided additional details, the SP will get a better name in this list.

Select the "- r0" entry to edit it.

Importing Metadata by URL

Now, we will add the rest of the SP configuration.

Go to the "Import metadata" tab and enter the URL where the SP's metadata is hosted.

Click the "Get Metadata" button to let JANUS retrieve and process the SP's metadata.

Importing Metadata by XML file

Alternative: You could also import the metadata by pasting the actual metadata in the "Import XML" field.

Click "Save" button.

View and edit metadata

Go to the Metadata tab and you will see that the metadata import has resulted in new entries.

Fill the name, displayName and description fields.

Click "Save" button when finished editing this tab.

Access Control (ACL)

By default, all configured IdP's will have access to the SP.

If you need to limit the IdP's that can gain access to this SP, open the "Identity Provider (IdP)" tab and either select IdP's from the Blacklist or from the Whitelist.

If you select IdP's in the Blacklist, these IdP's will **NOT **have access to the SP.

If you select IdP's in the Whitelist, **ONLY **these IdP's will have access to the SP.

Don't forget to click the "Save" button when finished editing this tab.

Attribute Release

In the Connections Tab an pre-configured attribute release policy can be selected for this SP.

To create ARP profiles, use the ARP tab on the JANUS landing page.

Consent

By default enduser consent of attribute release towards SPs is enabled.

For certain SP's it should not be necessary to provide consent, depending on local policy.

This can be configured in the ServiceRegistry by adding an attribute to the SP for which you want to disable consent.

Add the coin:no_consent_required attribute to disable consent.

Adding an Identity Provider

Create a new connection

Select the "Option" button to start entering a new IdP.

The Connection ID MUST match the entityID of the service as is published in the metadata file.

Select Create and you will proceed to the next screen to add detailed information.

Importing Metadata by URL

The screen will show the basis information already added, and give access to functionality to add additional metadata.

In this screen choose the 'METADATA' tab, an fill in the metadata of the service if it is not provided via the SAML metadata file (which we will load in the next step).

Note that all fields displayed below are currently mandatory.

Add a revision description and select save.

Now we can add SAML metadata.

To load these data select 'Import metadata' from the available tabs.

Enter the metadata URL in the select field and select 'get Metadata'

If all went well, you will return to the connection tab with no errors.

View and edit metadata

To check if the SAML metadata was added correctly, select "Metadata" again and compare the first three files with the Metadata provided by the IdP.

In case the IdP supports both SAML1 as well as SAML2, check if the correct SAML2 SingleSignOn Bindings and locations are set.

Access Control (ACL)

If need be SPs can be configured to dis/allow access via this IdP.

Select the 'Service provider' tab and configure accordingly.

OAuth configuration

The OpenSocial/VOOT API is secured using OAuth.

There are several ways clients can communicate with the Container and/or can communicate "through" the container: See [Configuring OpenConext API clients](Configuring OpenConext API clients) for the details.

Clone this wiki locally