configurations for XDMoD to work with DEX

ubccr · Jul 17, 2020 · 2da534f · 2da534f
1 parent b93ae6a
commit 2da534f
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 72 deletions.
diff --git a/xdmod/conf/simplesamlphp/config/authsources.php b/xdmod/conf/simplesamlphp/config/authsources.php
@@ -4,84 +4,38 @@
     'saml:SP',
     'host'=> 'localhost:4443',
     'entityID' => 'https://localhost:4443/simplesaml/module.php/saml/sp/metadata.php/xdmod-sp',
-    'privatekey'  => 'xdmod-sp.key',
-    'idp' => 'xdmod-hosted-idp-ldap',
-    'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+    'idp' => 'xdmod-hosted-idp-dex',
     'authproc' => array(
       40 => array(
         'class' => 'core:AttributeMap',
         /*
-         *  These will need to map to the fields you have in your ldap
+         *  These will need to map to the fields from DEX to what Open XDMoD uses
          */
-        'mail' => 'email_address',
-        'givenName' => 'first_name',
-        'sn' => 'last_name',
-        'department' => 'field_of_science',
-        'uid' => 'username'
+        'email' => 'email_address',
+        'preferred_username' => 'username'
+      ),
+      // Ensures that the 'username' property has one or more non-whitespace characters
+      60 => array(
+        'class' => 'authorize:Authorize',
+        'username' => array(
+          '/\S+/'
+        ),
       )
     )
   ),
-  'ldap' => array(
-    'ldap:LDAP',
-    /*
-     * testing username and pass:
-     * Username: tesla
-     * Password: password
-     */
-
-    /* The hostname of the LDAP server. */
-    'hostname' => 'ldap',
-
-    /* Whether SSL/TLS should be used when contacting the LDAP server. */
-    'enable_tls' => TRUE,
-
-    /*
-    * Which attributes should be retrieved from the LDAP server.
-    * This can be an array of attribute names, or NULL, in which case
-    * all attributes are fetched.
-    */
-    'attributes' => NULL,
-
-    /*
-    * The pattern which should be used to create the user's DN given the username.
-    * %username% in this pattern will be replaced with the user's username.
-    *
-    * This option is not used if the search.enable option is set to TRUE.
-    */
-    'dnpattern' => 'uid=%username%,dc=example,dc=org',
-
-    /*
-    * As an alternative to specifying a pattern for the users DN, it is possible to
-    * search for the username in a set of attributes. This is enabled by this option.
-    */
-    'search.enable' => TRUE,
-
-    /*
-    * The DN which will be used as a base for the search.
-    * This can be a single string, in which case only that DN is searched, or an
-    * array of strings, in which case they will be searched in the order given.
-    */
-    'search.base' => 'dc=example,dc=org',
-
-    /*
-    * The attribute(s) the username should match against.
-    *
-    * This is an array with one or more attribute names. Any of the attributes in
-    * the array may match the value the username.
-    */
-    'search.attributes' => array('uid', 'mail'),
-
-    /*
-    * The username & password where SimpleSAMLphp should bind to before searching. If
-    * this is left NULL, no bind will be performed before searching.
-    */
-    'search.username' => 'cn=admin,dc=example,dc=org',
-    'search.password' => 'admin'
+  'dex'=> array(
+    'authoidcoauth2:OIDCOAuth2',
+    'auth_endpoint' => 'https://localhost:5554',
+    'api_endpoint' => 'https://ondemand:5554',
+    'key' => 'localhost',
+    'secret' => '334389048b872a533002b34d73f8c29fd09efc50',
+    'scope' => 'openid email profile',
+    'response_type' => 'code',
+    'redirect_uri' => 'https://localhost:4443/simplesaml/module.php/authoidcoauth2/linkback.php'
   ),
   'admin' => array(
     // The default is to use core:AdminPassword, but it can be replaced with
     // any authentication source.
     'core:AdminPassword',
   ),
 );
-
diff --git a/xdmod/conf/simplesamlphp/metadata/saml20-idp-hosted.php b/xdmod/conf/simplesamlphp/metadata/saml20-idp-hosted.php
@@ -1,5 +1,5 @@
 <?php
-  $metadata['xdmod-hosted-idp-ldap'] = array(
+  $metadata['xdmod-hosted-idp-dex'] = array(
     /*
      * The hostname for this IdP. This makes it possible to run multiple
      * IdPs from the same configuration. '__DEFAULT__' means that this one
@@ -18,5 +18,5 @@
      * The authentication source which should be used to authenticate the
      * user. This must match one of the entries in config/authsources.php.
      */
-    'auth' => 'ldap',
+    'auth' => 'dex',
 );
diff --git a/xdmod/conf/simplesamlphp/metadata/saml20-idp-remote.php b/xdmod/conf/simplesamlphp/metadata/saml20-idp-remote.php
@@ -9,9 +9,9 @@
  * THIS IS A DUMMY PLACEHOLDER IT WILL BE REPLACED
  */
 
-$metadata['xdmod-hosted-idp-ldap'] = array (
+$metadata['xdmod-hosted-idp-dex'] = array (
   'metadata-set' => 'saml20-idp-remote',
-  'entityid' => 'xdmod-hosted-idp-ldap',
+  'entityid' => 'xdmod-hosted-idp-dex',
   'SingleSignOnService' =>
   array (
     0 =>

diff --git a/xdmod/scripts/xdmod-setup-sso.sh b/xdmod/scripts/xdmod-setup-sso.sh
@@ -14,9 +14,9 @@ cat << EOF > /etc/xdmod/simplesamlphp/metadata/saml20-idp-remote.php
  * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
  */
 
-\$metadata['xdmod-hosted-idp-ldap'] = array (
+\$metadata['xdmod-hosted-idp-dex'] = array (
   'metadata-set' => 'saml20-idp-remote',
-  'entityid' => 'xdmod-hosted-idp-ldap',
+  'entityid' => 'xdmod-hosted-idp-dex',
   'SingleSignOnService' =>
   array (
     0 =>