author | Damien Laniel <dlaniel@entrouvert.com> | 2007-06-14 17:19:33 +0000 |
---|---|---|
committer | Damien Laniel <dlaniel@entrouvert.com> | 2007-06-14 17:19:33 +0000 |
commit | a32236b852cd05ee1f0eebfd87b9e81405ab2b68 (patch) | |
tree | 6433875335b17cec919f1d6e4af06c3c46c392f7 /docs | |
parent | e94f0ef2189f4340e50e86e2377d4b861a40cb07 (diff) | |
download | lasso-a32236b852cd05ee1f0eebfd87b9e81405ab2b68.tar.gz lasso-a32236b852cd05ee1f0eebfd87b9e81405ab2b68.tar.xz lasso-a32236b852cd05ee1f0eebfd87b9e81405ab2b68.zip |
added keys and metadata creation
Diffstat (limited to 'docs')
-rw-r--r-- | docs/lasso-book/writing-a-c-sp.txt | 74 | ||||
-rw-r--r-- | docs/lasso-book/writing-a-java-sp.txt | 33 | ||||
-rw-r--r-- | docs/lasso-book/writing-a-php-sp.txt | 76 |
3 files changed, 174 insertions, 9 deletions
diff --git a/docs/lasso-book/writing-a-c-sp.txt b/docs/lasso-book/writing-a-c-sp.txt index c59b7e6f..8aa4e143 100644 --- a/docs/lasso-book/writing-a-c-sp.txt +++ b/docs/lasso-book/writing-a-c-sp.txt 
@@ -60,6 +60,80 @@ support. It is possible to workaround the bug:: $ ./hello Hello world. +Service Provider keys and metadata files +======================================== + +Liberty key files +----------------- + +Service Provider needs private and public keys to sign sent messages. Private and +public keys are loaded from PEM files by Lasso. + +If you don't have PEM format keys, you need to create them. To create a couple public key/private key with OpenSSL, use the following commands: + +Create a private key in a file named name-of-the-private-key.pem:: + + openssl genrsa -out name-of-the-private-key.pem 2048 + +Extract the public key from the private key in a file named name-of-the-public-key.pem:: + + openssl rsa -in name-of-the-private-key.pem -pubout \ + -out name-of-the-public-key.pem + +Your Service Provider also needs Identity Provider public key to verify received messages. You must get it from your Identity Provider. + +Liberty Metadata files +---------------------- + +Metadata are xml document describing provider configuration, that is its identifier, urls where to send him +requests and supported Liberty Alliance profiles (that is methods describing how to send or process +requests). + +Your Service Provider needs Identity Provider metadata to know where to send +requests and how to process the requests he receives from the Identity Provider. +You must get them from your Identity Provider. Then, you must create some metadata for your +Service Provider and give them to your Identity Provider as well. 
+ +Here is an example service provider metadata that you will have to adapt to your needs:: + + <?xml version="1.0"?> + <EntityDescriptor + providerID="http://sp.example.com/liberty/metadata" + xmlns="urn:liberty:metadata:2003-08"> + <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08"> + <SoapEndpoint>http://sp.example.com/liberty/soap-endpoint</SoapEndpoint> + <SingleLogoutServiceURL>sp.example.com/liberty/single-logout</SingleLogoutServiceURL> + <AssertionConsumerServiceURL id="AssertionConsumerService1"isDefault="true">http://sp.example.com/liberty/assertion-consumer-service</AssertionConsumerServiceURL> + <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-soap</FederationTerminationNotificationProtocolProfile> + <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-http</FederationTerminationNotificationProtocolProfile> + <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile> + <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-http</SingleLogoutProtocolProfile> + <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-soap</SingleLogoutProtocolProfile> + <AuthnRequestsSigned>true</AuthnRequestsSigned> + </SPDescriptor> + <Organization> + <OrganizationName>Example Organization</OrganizationName> + </Organization> + </EntityDescriptor> + +Where sp.example.com is the domain name of Service Provider. + +``http://sp.example.com/liberty/metadata`` is the Service Provider Liberty +identifier. + +``http://sp.example.com/liberty/soap-endpoint`` is the Service Provider SOAP +endpoint where Identity Provider send SOAP single logout or defederation +requests. + +``http://sp.example.com/liberty/assertion-consumer-service`` is the Service +Provider assertion consumer url where Identity Provider must return single sign +on authentication response. 
+ +``http://sp.example.com/liberty/single-logout`` is the Service Provider single +logout url. Service Provider can initiate single logout from this url or +process HTTP single logout request from Identity Provider. ` + +More information about these metadatas can be found in Liberty Alliance specifications. Liberty and Lasso profiles ========================== diff --git a/docs/lasso-book/writing-a-java-sp.txt b/docs/lasso-book/writing-a-java-sp.txt index 9f457371..b3b5f2a2 100644 --- a/docs/lasso-book/writing-a-java-sp.txt +++ b/docs/lasso-book/writing-a-java-sp.txt 
@@ -59,20 +59,35 @@ Service Provider keys and metadata files Liberty key files ----------------- -Service Provider needs private and public keys to sign sent messages. It also -needs Identity Provider public key to verify received messages. Private and +Service Provider needs private and public keys to sign sent messages. Private and public keys are loaded from PEM files by Lasso. +If you don't have PEM format keys, you need to create them. To create a couple public key/private key with OpenSSL, use the following commands: + +Create a private key in a file named name-of-the-private-key.pem:: + + openssl genrsa -out name-of-the-private-key.pem 2048 + +Extract the public key from the private key in a file named name-of-the-public-key.pem:: + + openssl rsa -in name-of-the-private-key.pem -pubout \ + -out name-of-the-public-key.pem + +Your Service Provider also needs Identity Provider public key to verify received messages. You must get it from your Identity Provider. + Liberty Metadata files ---------------------- -Service Provider need to get Identity Provider metadata to know where to send -requests and how to process received requests from Identity Provider. Metadata -are xml document describing provider identifier, deployed urls where to send -requests and initiate profile and methods describing how to send or process -requests. +Metadata are xml document describing provider configuration, that is its identifier, urls where to send him +requests and supported Liberty Alliance profiles (that is methods describing how to send or process +requests). -Service provider typically describe metadata like this:: +Your Service Provider needs Identity Provider metadata to know where to send +requests and how to process the requests he receives from the Identity Provider. +You must get them from your Identity Provider. Then, you must create some metadata for your +Service Provider and give them to your Identity Provider as well. 
+ +Here is an example service provider metadata that you will have to adapt to your needs:: <?xml version="1.0"?> <EntityDescriptor @@ -111,6 +126,8 @@ on authentication response. logout url. Service Provider can initiate single logout from this url or process HTTP single logout request from Identity Provider. ` +More information about these metadatas can be found in Liberty Alliance specifications. + Lasso Server and remote providers settings ========================================== diff --git a/docs/lasso-book/writing-a-php-sp.txt b/docs/lasso-book/writing-a-php-sp.txt index 02447bde..7790570b 100644 --- a/docs/lasso-book/writing-a-php-sp.txt +++ b/docs/lasso-book/writing-a-php-sp.txt @@ -38,7 +38,6 @@ The other way is to load it dynamically, like:: You can easily include this code every time you need lasso. - The first thing to do is to call ``lasso_init()``. Similarly, the last thing should be to call ``lasso_shutdown()``. 
@@ -52,6 +51,81 @@ therefore be:: If your PHP code is used in HTML script environment, it could be difficult to call ``lasso_shutdown()``, this is not mandatory. +Service Provider keys and metadata files +======================================== + +Liberty key files +----------------- + +Service Provider needs private and public keys to sign sent messages. Private and +public keys are loaded from PEM files by Lasso. + +If you don't have PEM format keys, you need to create them. To create a couple public key/private key with OpenSSL, use the following commands: + +Create a private key in a file named name-of-the-private-key.pem:: + + openssl genrsa -out name-of-the-private-key.pem 2048 + +Extract the public key from the private key in a file named name-of-the-public-key.pem:: + + openssl rsa -in name-of-the-private-key.pem -pubout \ + -out name-of-the-public-key.pem + +Your Service Provider also needs Identity Provider public key to verify received messages. You must get it from your Identity Provider. + +Liberty Metadata files +---------------------- + +Metadata are xml document describing provider configuration, that is its identifier, urls where to send him +requests and supported Liberty Alliance profiles (that is methods describing how to send or process +requests). + +Your Service Provider needs Identity Provider metadata to know where to send +requests and how to process the requests he receives from the Identity Provider. +You must get them from your Identity Provider. Then, you must create some metadata for your +Service Provider and give them to your Identity Provider as well. 
+ +Here is an example service provider metadata that you will have to adapt to your needs:: + + <?xml version="1.0"?> + <EntityDescriptor + providerID="http://sp.example.com/liberty/metadata" + xmlns="urn:liberty:metadata:2003-08"> + <SPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08"> + <SoapEndpoint>http://sp.example.com/liberty/soap-endpoint</SoapEndpoint> + <SingleLogoutServiceURL>sp.example.com/liberty/single-logout</SingleLogoutServiceURL> + <AssertionConsumerServiceURL id="AssertionConsumerService1"isDefault="true">http://sp.example.com/liberty/assertion-consumer-service</AssertionConsumerServiceURL> + <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-soap</FederationTerminationNotificationProtocolProfile> + <FederationTerminationNotificationProtocolProfile>http://projectliberty.org/profiles/fedterm-idp-http</FederationTerminationNotificationProtocolProfile> + <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-soap</SingleLogoutProtocolProfile> + <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-idp-http</SingleLogoutProtocolProfile> + <SingleLogoutProtocolProfile>http://projectliberty.org/profiles/slo-sp-soap</SingleLogoutProtocolProfile> + <AuthnRequestsSigned>true</AuthnRequestsSigned> + </SPDescriptor> + <Organization> + <OrganizationName>Example Organization</OrganizationName> + </Organization> + </EntityDescriptor> + +Where sp.example.com is the domain name of Service Provider. + +``http://sp.example.com/liberty/metadata`` is the Service Provider Liberty +identifier. + +``http://sp.example.com/liberty/soap-endpoint`` is the Service Provider SOAP +endpoint where Identity Provider send SOAP single logout or defederation +requests. + +``http://sp.example.com/liberty/assertion-consumer-service`` is the Service +Provider assertion consumer url where Identity Provider must return single sign +on authentication response. 
+ +``http://sp.example.com/liberty/single-logout`` is the Service Provider single +logout url. Service Provider can initiate single logout from this url or +process HTTP single logout request from Identity Provider. ` + +More information about these metadata can be found in Liberty Alliance specifications. + Liberty and Lasso profiles ========================== |
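Review bot: in writing-a-c-sp.txt, hunk @@ -60,6 +60,80 @@, the example metadata is not well-formed XML: `<AssertionConsumerServiceURL id="AssertionConsumerService1"isDefault="true">` has no whitespace between the two attributes, so any XML parser, including the one Lasso uses to load metadata, will reject the document a reader copies from the book; insert a space before `isDefault`. In the same block, `<SingleLogoutServiceURL>sp.example.com/liberty/single-logout</SingleLogoutServiceURL>` is the only endpoint without the `http://` scheme, while the explanatory text right below says "``http://sp.example.com/liberty/single-logout`` is the Service Provider single logout url"; make the two agree. Finally, every endpoint in the example is plain http even though the text states that the AssertionConsumerServiceURL is where the Identity Provider returns the single sign-on authentication response; show that URL as https, or add one sentence saying that production endpoints must be served over TLS so the response is not exposed in transit.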
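Review bot: in writing-a-java-sp.txt, hunk @@ -59,20 +59,35 @@, the new key-generation steps tell the reader how to create the signing key but say nothing about protecting it; `openssl genrsa -out name-of-the-private-key.pem 2048` writes the file with whatever the current umask allows, and anyone who can read that file can forge the signed messages the paragraph describes. Add a step such as `chmod 600 name-of-the-private-key.pem` and a sentence that the private key must be readable only by the account the Service Provider runs as, while only the public key file is handed to the Identity Provider. Grammar in the same hunk: "To create a couple public key/private key with OpenSSL" should read "To create a public/private key pair with OpenSSL"; "urls where to send him requests" should read "URLs where requests are sent to it"; and "the requests he receives from the Identity Provider" should read "the requests it receives", since a provider is not a person.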
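Review bot: in writing-a-java-sp.txt, hunk @@ -111,6 +126,8 @@, "More information about these metadatas can be found" uses a non-word; the PHP copy of the same sentence in this patch already says "More information about these metadata", so use that wording here and in writing-a-c-sp.txt so the three files stay identical. The context line just above, "process HTTP single logout request from Identity Provider. `", ends in a stray backtick that reStructuredText will render as literal text; since this spot is being edited anyway, drop it here and in the two copies added by this patch.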
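Review bot: in writing-a-php-sp.txt, hunk @@ -52,6 +51,81 @@, the whole "Service Provider keys and metadata files" section is a verbatim copy of the block added to writing-a-c-sp.txt, and it already carries the same defects (the missing space in `id="AssertionConsumerService1"isDefault="true"` and the schemeless `<SingleLogoutServiceURL>sp.example.com/liberty/single-logout</SingleLogoutServiceURL>`), which is exactly how three copies drift apart. Either keep this text in one file and pull it into the C, Java and PHP chapters with the reStructuredText `.. include::` directive, or at minimum fix the XML in all three copies in the same commit so a reader of any chapter gets metadata that parses.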