
Authorizing endpoints or domains against a Shibboleth IDP (two different set of keys for encrypt/signing) #169

Open
drio opened this issue Sep 29, 2022 · 4 comments
Labels
need triage question Further information is requested

Comments

drio commented Sep 29, 2022

Disclaimer: I have also posted this here. I will make sure I link both once I get things working.

I have successfully added SAML authentication to an Apache server. The IdP I use implements SAML via Shibboleth. Now I want to migrate to Caddy. That’s how I discovered this plugin.

The plugin uses the crewjam/saml package. I have used that before successfully on a standalone golang server against the same IdP I want to use for my Caddy server.

There is one caveat though. The current Apache configuration uses two different sets of keys for signing and encrypting.

My questions are:

  1. Can I use this plugin to authorize my domains/endpoints against my SAML IdP?
  2. Can I use the two separate sets of keys to set up the SAML flow, or do I have to use the same keys for signing and encrypting?
  3. When I started working with SAML and crewjam/saml I found this example very useful to get things going. What would be the Caddyfile to implement that with Caddy and the auth plugin? Maybe I can add it to the examples/docs.

Thank you,
-drd

@drio drio added need triage question Further information is requested labels Sep 29, 2022
@greenpau
Owner

@drio , please take a look at the following links. I am not sure what you mean by separate keys. Upon authentication via SAML IdP, the portal issues its own token and uses its own keys to authenticate access to some path.

https://authp.github.io/docs/authenticate/saml/jumpcloud

https://github.com/authp/authp.github.io/blob/main/assets/conf/saml/jumpcloud/Caddyfile


drio commented Sep 29, 2022

Thank you for the reply @greenpau.

I am not sure what you mean by separate keys.

When I look at the metadata (XML file) that I use to configure my Apache web server, I see the following:

```xml
...
        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
        <CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
...
```

My IdP handles the authentication, I just need my web server to handle the authorization only (via interaction with the IdP). I'm guessing I only need the saml identity provider and the authorization policy mypolicy from the Caddyfile you posted.
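The two CredentialResolver lines above make the Shibboleth SP publish one certificate under KeyDescriptor use="signing" and a different one under use="encryption" in its SP metadata, which is exactly what the IdP will see and what any replacement SP (crewjam/saml, the Caddy plugin, or something else) has to be able to match. The following is an added example, written for this page and not code from the issue, from crewjam/saml or from the authp plugin: it parses SP metadata with the Go standard library and reports whether the signing and encryption certificates are distinct. It also handles the case the SAML metadata spec allows where a KeyDescriptor has no use attribute and therefore serves both purposes. The two metadata documents are constructed samples whose certificate bodies are placeholders rather than real X.509 data; the check treats them as opaque strings. Function names (CertsByUse, UsesSeparateKeys) are this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Minimal model of SAML 2.0 SP metadata: only what is needed to see which
// certificate is advertised for which key use.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	SPSSO    struct {
		KeyDescriptors []keyDescriptor `xml:"KeyDescriptor"`
	} `xml:"SPSSODescriptor"`
}

type keyDescriptor struct {
	Use  string `xml:"use,attr"`                          // "signing", "encryption" or absent
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"` // ds:KeyInfo; namespace left open on purpose
}

// CertsByUse returns the certificates advertised for signing and for encryption.
// A KeyDescriptor without a use attribute applies to both, per the SAML metadata spec.
func CertsByUse(meta []byte) (signing, encryption []string, err error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(meta, &ed); err != nil {
		return nil, nil, fmt.Errorf("parse metadata: %w", err)
	}
	for _, kd := range ed.SPSSO.KeyDescriptors {
		cert := strings.Join(strings.Fields(kd.Cert), "") // drop line breaks and indentation
		if cert == "" {
			continue
		}
		switch kd.Use {
		case "signing":
			signing = append(signing, cert)
		case "encryption":
			encryption = append(encryption, cert)
		case "":
			signing = append(signing, cert)
			encryption = append(encryption, cert)
		default:
			return nil, nil, fmt.Errorf("unknown key use %q", kd.Use)
		}
	}
	return signing, encryption, nil
}

// UsesSeparateKeys reports whether the SP metadata offers a signing certificate
// that is not also offered for encryption (the split-key layout). It errors when
// either use is missing, since such an SP could not both sign and decrypt.
func UsesSeparateKeys(meta []byte) (bool, error) {
	signing, encryption, err := CertsByUse(meta)
	if err != nil {
		return false, err
	}
	if len(signing) == 0 || len(encryption) == 0 {
		return false, fmt.Errorf("metadata has %d signing and %d encryption certs; need at least one of each",
			len(signing), len(encryption))
	}
	enc := make(map[string]bool, len(encryption))
	for _, c := range encryption {
		enc[c] = true
	}
	for _, c := range signing {
		if enc[c] {
			return false, nil // the same certificate serves both uses
		}
	}
	return true, nil
}

// Constructed sample metadata; certificate bodies are placeholders, not real X.509 data.
const SplitKeyMetadata = `<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SIGNING-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        ENCRYPTION-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>`

// Single KeyDescriptor with no use attribute: one certificate for both purposes.
const SharedKeyMetadata = `<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SHARED-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>`

func main() {
	for _, s := range []struct{ name, meta string }{{"split", SplitKeyMetadata}, {"shared", SharedKeyMetadata}} {
		sep, err := UsesSeparateKeys([]byte(s.meta))
		if err != nil {
			fmt.Printf("%s: error: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%s: separate signing/encryption keys = %v\n", s.name, sep)
	}
}
```

Run it against the metadata your current Shibboleth SP serves (typically the /Shibboleth.sso/Metadata endpoint) and against whatever a candidate replacement SP generates; if the first reports true and the second false, the IdP side would need its registered SP metadata updated before the switch, because the IdP encrypts assertions to whichever certificate it holds under use="encryption".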

@billksun

@drio, I'm curious about the outcome, were you able to get Shibboleth working with Caddy in the end?


drio commented Dec 18, 2023

@billksun I ended up building my own thing.
