Versions Compared

Old Version 3

changes.mady.by.user Josh Helmer

Saved on

compared with

New Version Current

changes.mady.by.user Chris Franz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

 

Logging

SimpleSAMLPhp logs are in the following location in the docker image

/var/simplesamlphp/log/simplesamlphp-1.log

This log should be sent to cloudwatch

 

adf

 

Landing Page

If the proxy cannot find the the IDP it will redirect to the following landing page

 

 

 

https://ci.openccc.net/cccacct-proxy/createAccount?eppn=<eppn>&redirectUrl=<redirectUrl>

 

and

 

https://ci.openccc.net/cccacct-proxy/recoverAccount?eppn=<eppn>&redirectUrl=<redirectUrl>

Request Signing

When the IDP proxy SSO Gateway is unable to find a EPPN → CCCID mapping, it will need to make a request to OpenCCC in order to build that mapping.   This will be accomplished by redirecting the user to the new IDP-Proxy SSO Gateway landing page in OpenCCC.   The IDP Proxy SSO Gateway landing page requires 2 3 arguments:   eppn, redirectMessage and redirectUrl.

eppn:  The EPPN value for the user that is attempting to reach a service protected by the IDP ProxySSO Gateway

redirectMessage: the "SP name from the IdP name" string that is displayed on the landing page to make the redirect feel less suspicious.

redirectUrl:  The URL to return to once the EPPN → CCCID mapping has been created.

In order to ensure that untrusted users are not doing URL hacking in order to register bad mappings, the IDP-Proxy SSO Gateway will need to sign each request to the IDP-Proxy SSO Gateway landing page.   We will use HMAC_SHA256 to generate the signature.  The signature will be generated from the request parameters and a secret key that will be shared by the IDP-Proxy SSO Gateway and the IDP-Proxy SSO Gateway landing page. 

Format of signature string

In order to ensure that the IDP-Proxy SSO Gateway and the IDP-Proxy SSO Gateway landing page are both able to generate the same signature, they must agree on the format of the message that is signed.   The current message format is based on how LTI signs messages, but is simplified.

...

  1. Sort all GET parameters alphabetically.
  2. URL encode the values for all GET parameters
  3. Add parameters to a GET format parameter string
  4. Sign the message string
  5. Generate a final URL that includes all the GET parameters and an additional "signature" parameter with the calculated signature.

The IDP-Proxy SSO Gateway landing page will repeat these steps and ensure that the signature generated by the IDP-Proxy SSO Gateway matches the signature generated by the landing page. 


Example:

eppn:  test@test.com

redirectUrl:  https://www.google.com

...

Info

Signing message must include all GET parameters included in the final request except the "signature" parameter. Message uses simple URL format but the GET parameters must be listed in alphabetical order.

 


signature (using 'test' as a secret key):  b78a0b9069957cd547b3a4e7ef54a3ab3392e7612f4ecfea2c8f13b652279534

...

Info

Note that final URL does not require parameters to be in any specific order.

 

...



Useful links:

Online HMAC_SHA256 generator