Introduction to the Federated Identity Appliance Deployer Tool ------------------------------------------------------------------------------- This tool is a set of scripts that automates the deployment and configuration of software used to participate with your SAML2 or eduroam identity federation services. Configured deployment profiles listed alphabetically are: CAF - Canadian Access Federation ( http://www.canarie.ca/en/caf-service/about ) SWAMID - Swedish Academic Identity ( http://www.swamid.se/ ) Each federation may have a different deployment profile and supported configurations. What follows are the generic steps to follow to do an installation. Please consult ~/docs/README.<federation_name> for federation specific deployment instructions. Supported Platforms ------------------------------------------------------------------------------- This installer script is intended to be used on a clean install of: - Ubuntu Server 14.04 (SWAMID, CAF) - CentOS 7 'minimal' (SWAMID, CAF) - RedHat EL7.2 'minimal' (CAF only) It *MAY* run on pre-existing installations of these OS', but steps in the installer presume the installed services are 'alone' on the machine and may modify your existing host settings. Configuration ------------------------------------------------------------------------------- This script requires a configuration file to run. The configuration file is generated using a local HTML based configuration builder to construct it. This technique purposely avoids storing sensitive data anywhere other than where you create the configuration and where you place the config file. The configuration builder pages are federation specific. To Launch them, download this distribution, unzip it locally and use Chrome of Firefox to open the respective configuration page: for CAF - ~/www/appconfig/CAF/index.html for SWAMID - ~/www/appconfig/SWAMID/index.html The configuration builder uses javascript to perform basic validation and has the ability to import existing configuration files avoiding retyping information. For best configuration builder experience, we strongly recommend using Firefox or Google Chrome. Using IE for the configuration builder is discouraged and not supported. General Installation Steps ------------------------------------------------------------------------------- These steps expect that the implementer will perform backups or snapshots as necessary. 1. Review your federation specific post install steps 2. Determine your deployment style (dev? production?) 3. Create a configuration from your federations' configuration builder 4. save configuration as 'config' in this directory on your server 5. run the script ./deploy_idp.sh 6. answer any inline questions (self signed cert? password creation for keystores?) 7. perform any post installation steps per ~/docs/README.<federation_name> Default behaviour of this tool ------------------------------------------------------------------------------- The default behaviour of this tool is to deploy a test instance for any service. This configuration can also be used as the base for the production deployment with post installation steps per your respective federation. Per service defaults: eduroam (RADIUS): - uses MS-CHAPv2 to authenticate any user present - uses self signed CA and server certificate Shibboleth (SAML2): - uses self signed server certificate - blank passwords autogenerate for SSL keystores - optional anonymized usage reporting in FTICKS formats Please see: ~/docs/README.<federation_name> for federation specific usage Profile of installed software ------------------------------------------------------------------------------- SAML2 Uses: jetty: v9.3.21.v20170918 shibboleth-identityprovider-3.3.2 cas-client-3.3.3-release mysql-connector-java-5.1.35 (for EPTID) mysql DB 5.6 Community Release openjdk9.0.4 eduroam uses: freeRADIUS-3.0.1 samba-4.1.1 (to connect to AD for MS-CHAPv2) A detailed view of the versions and various components: http://bit.ly/idpInstaller3-SoftwareProfile Disclamer ------------------------------------------------------------------------------- Copyright 2017 Chris Phillips CANARIE, Anders Anders Lördal SWAMID This software is free software Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Contributors ------------------------------------------------------------------------------- Anders Lördal, SWAMID Chris Phillips, CANARIE Cybera.ca