/idp-installer-CAF

The CAF managed version of the idp-installer

Primary LanguageShellApache License 2.0Apache-2.0

Introduction to the Federated Identity Appliance Deployer Tool
-------------------------------------------------------------------------------

This tool is a set of scripts that automates the deployment and configuration
of software used to participate with your SAML2 or eduroam identity federation
services.


Configured deployment profiles listed alphabetically are:
 
 CAF - Canadian Access Federation  ( http://www.canarie.ca/en/caf-service/about )
 SWAMID - Swedish Academic Identity ( http://www.swamid.se/ )


Each federation may have a different deployment profile and supported
configurations. What follows are the generic steps to follow to do an installation.

Please consult ~/docs/README.<federation_name> for federation
specific deployment instructions.


Supported Platforms
-------------------------------------------------------------------------------

This installer script is intended to be used on a clean install of:
 - Ubuntu Server 14.04   (SWAMID, CAF)
 - CentOS 7 'minimal'    (SWAMID, CAF)
 - RedHat EL7.2 'minimal' (CAF only)

It *MAY* run on pre-existing installations of these OS', but steps in the installer
presume the installed services are 'alone' on the machine and may modify your
existing host settings.


Configuration
-------------------------------------------------------------------------------

This script requires a configuration file to run. 
The configuration file is generated using a local HTML based configuration builder
to construct it. This technique purposely avoids storing sensitive data
anywhere other than where you create the configuration and where you place the config file.

The configuration builder pages are federation specific.
To Launch them, download this distribution, unzip it locally and use Chrome of Firefox to
open the respective configuration page:

for CAF    - ~/www/appconfig/CAF/index.html
for SWAMID - ~/www/appconfig/SWAMID/index.html


The configuration builder uses javascript to perform basic validation and
has the ability to import existing configuration files avoiding retyping
information.

For best configuration builder experience, we strongly recommend using Firefox
or Google Chrome. Using IE for the configuration builder is discouraged and not supported.


General Installation Steps
-------------------------------------------------------------------------------

These steps expect that the implementer will perform backups or snapshots as necessary.

1. Review your federation specific post install steps
2. Determine your deployment style (dev? production?)
3. Create a configuration from your federations' configuration builder
4. save configuration as 'config' in this directory on your server
5. run the script ./deploy_idp.sh
6. answer any inline questions (self signed cert? password creation for keystores?)
7. perform any post installation steps per ~/docs/README.<federation_name>


Default behaviour of this tool
-------------------------------------------------------------------------------

The default behaviour of this tool is to deploy a test instance for any service.

This configuration can also be used as the base for the production deployment
with post installation steps per your respective federation.

Per service defaults:

eduroam (RADIUS):
	- uses MS-CHAPv2 to authenticate any user present
	- uses self signed CA and server certificate

Shibboleth (SAML2):
	- uses self signed server certificate
	- blank passwords autogenerate for SSL keystores
	- optional anonymized usage reporting in FTICKS formats


Please see: ~/docs/README.<federation_name> for federation specific usage


Profile of installed software 
-------------------------------------------------------------------------------
SAML2 Uses:
      jetty: v9.3.21.v20170918
      shibboleth-identityprovider-3.3.2
      cas-client-3.3.3-release
      mysql-connector-java-5.1.35 (for EPTID)
      mysql DB 5.6 Community Release
      openjdk9.0.4



eduroam uses:
      freeRADIUS-3.0.1
      samba-4.1.1 (to connect to AD for MS-CHAPv2)

A detailed view of the versions and various components: http://bit.ly/idpInstaller3-SoftwareProfile

Disclamer
-------------------------------------------------------------------------------
Copyright 2017 Chris Phillips CANARIE, Anders Anders Lördal SWAMID

 This software is free software Licensed under the 
   Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.


Contributors 
-------------------------------------------------------------------------------
 Anders Lördal, SWAMID
 Chris Phillips, CANARIE
 Cybera.ca