Logging
SimpleSAMLPhp logs are in the following location in the docker image
/var/simplesamlphp/log/simplesamlphp-1.log
This log should be sent to cloudwatch
adf
Landing Page
If the proxy cannot find the the IDP it will redirect to the following landing page
https://ci.openccc.net/cccacct-proxy/createAccount?eppn=<eppn>&redirectUrl=<redirectUrl>
and
https://ci.openccc.net/cccacct-proxy/recoverAccount?eppn=<eppn>&redirectUrl=<redirectUrl>
Request Signing
When the IDP proxy SSO Gateway is unable to find a EPPN → CCCID mapping, it will need to make a request to OpenCCC in order to build that mapping. This will be accomplished by redirecting the user to the new IDP-Proxy SSO Gateway landing page in OpenCCC. The IDP Proxy SSO Gateway landing page requires 2 3 arguments: eppn, redirectMessage and redirectUrl.
eppn: The EPPN value for the user that is attempting to reach a service protected by the IDP ProxySSO Gateway
redirectMessage: the "SP name from the IdP name" string that is displayed on the landing page to make the redirect feel less suspicious.
redirectUrl: The URL to return to once the EPPN → CCCID mapping has been created.
In order to ensure that untrusted users are not doing URL hacking in order to register bad mappings, the IDP-Proxy SSO Gateway will need to sign each request to the IDP-Proxy SSO Gateway landing page. We will use HMAC_SHA256 to generate the signature. The signature will be generated from the request parameters and a secret key that will be shared by the IDP-Proxy SSO Gateway and the IDP-Proxy SSO Gateway landing page.
Format of signature string
In order to ensure that the IDP-Proxy SSO Gateway and the IDP-Proxy SSO Gateway landing page are both able to generate the same signature, they must agree on the format of the message that is signed. The current message format is based on how LTI signs messages, but is simplified.
...
- Sort all GET parameters alphabetically.
- URL encode the values for all GET parameters
- Add parameters to a GET format parameter string
- Sign the message string
- Generate a final URL that includes all the GET parameters and an additional "signature" parameter with the calculated signature.
The IDP-Proxy SSO Gateway landing page will repeat these steps and ensure that the signature generated by the IDP-Proxy SSO Gateway matches the signature generated by the landing page.
Example:
eppn: test@test.com
redirectUrl: https://www.google.com
...
Info |
---|
Signing message must include all GET parameters included in the final request except the "signature" parameter. Message uses simple URL format but the GET parameters must be listed in alphabetical order. |
signature (using 'test' as a secret key): b78a0b9069957cd547b3a4e7ef54a3ab3392e7612f4ecfea2c8f13b652279534
...
Info |
---|
Note that final URL does not require parameters to be in any specific order. |
...
Useful links: