thor/wg-ui
1
0
Fork 0
mirror of https://github.com/Threnklyn/wg-ui.git synced 2026-06-03 20:28:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shibboleth SP documentation (#80)

Browse Source 
Documentation on a solution for Shibboleth SP.
This solution is in production for Stockholm University, and therefor validated working.
This commit is contained in:
Johan Wassberg
2020-07-15 15:11:27 +02:00
committed by GitHub
parent 79d245f9c7
commit 97b2fef125
1 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
doc/auth-shibboleth-sso.md
+60
View File
@@ -0,0 +1,60 @@
# Shibboleth SP Implementation
This is a short documentation on how you can setup wg-ui with Shibboleth SP (and apache)
as auth proxy
The documentation will not cover how to configure `shibd` or the IdP part of this integration.
The [upstream documentation](https://wiki.shibboleth.net/confluence/) or
[SWAMIDs
documentation](https://wiki.sunet.se/display/SWAMID/SAML+WebSSO+Service+Provider+Best+Current+Practice)
could point you in the right direction.
## SSO Proxy & Auth
This example uses
[eduPersonPrincipalName](https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonPrincipalName)
(or eppn as Shibboleth calls it) as the primary key to identify users. Make
sure that it is released from the IdP to the SP as a SAML attribute. The
attributes(s) are then forward/proxied as request header to the application.
The only thing that needs to be configured in the Wireguard UI end is that the
application needs to be started with the `--auth-user-header` flag set to
`eppn`.
### The `apache` configuration
```
<VirtualHost *:443>
<LocationMatch "/">
AuthType Shibboleth
Require shib-attr entitlement ~ ^urn:mace:swami.se:gmai:vpn:user$
ShibRequireSessionWith idp.example.com
ShibUseHeaders On
</LocationMatch>
SSLCertificateFile /path/to/vpn.example.com.pem
SSLCertificateKeyFile /path/to/vpn.example.com.key
SSLCertificateChainFile /path/to/CA.crt
ProxyPass "/" "http://127.0.0.1:8080/"
ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```
#### Configuration in depth
```
Require shib-attr entitlement ~ ^urn:mace:swami.se:gmai:su-vpn:user$
```
By default apache and shibd lets everyone through and since Wireguard UI has no
knowlege about the user in beforehand we release another
([eduPersonEntitlement](https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonEntitlement) (or entitlement as Shibboleth calls it))
from the IdP to the SP and require a specific value on the user in order to be
allowed to use the service.
```
ShibUseHeaders On
```
This enables `shibd` to publish SAML attributes to the application (in this case
proxy) through request headers.