
Logging

SimpleSAMLphp logs are written to the following location in the Docker image:

/var/simplesamlphp/log/simplesamlphp-1.log

This log should be sent to CloudWatch.


Landing Page

If the proxy cannot find the IDP, it will redirect to one of the following landing pages:

https://ci.openccc.net/cccacct-proxy/createAccount?eppn=<eppn>&redirectUrl=<redirectUrl>

and

https://ci.openccc.net/cccacct-proxy/recoverAccount?eppn=<eppn>&redirectUrl=<redirectUrl>


Request Signing

When the IDP proxy is unable to find an EPPN → CCCID mapping, it needs to make a request to OpenCCC in order to build that mapping. This is accomplished by redirecting the user to the new IDP-Proxy landing page. The IDP-Proxy landing page requires 2 arguments: eppn and redirectUrl.

eppn: The EPPN value for the user that is attempting to reach a service protected by the IDP Proxy.

redirectUrl: The URL to return to once the EPPN → CCCID mapping has been created.

To ensure that untrusted users cannot tamper with the URL in order to register bad mappings, the IDP-Proxy signs each request to the IDP-Proxy landing page. HMAC_SHA256 is used to generate the signature, which is computed over the request parameters with a secret key shared by the IDP-Proxy and the IDP-Proxy landing page.

Format of signature string

To ensure that the IDP-Proxy and the IDP-Proxy landing page both generate the same signature, they must agree on the format of the message that is signed. The current message format is based on how LTI signs messages, but is simplified.

To generate the message that needs to be signed:

  1. Sort all GET parameters alphabetically by name.
  2. URL-encode the values of all GET parameters.
  3. Add the parameters to a GET-format parameter string (name=value pairs joined with "&").
  4. Sign the message string with HMAC_SHA256 and the shared secret key.
  5. Generate a final URL that includes all the GET parameters and an additional "signature" parameter carrying the calculated signature.

The IDP-Proxy landing page will repeat these steps and ensure that the signature generated by the IDP-Proxy matches the signature generated by the landing page.

 

Example:

eppn:  test@test.com

redirectUrl:  https://www.google.com

Signing message:  eppn=test%40test.com&redirectUrl=https%3A%2F%2Fwww.google.com

The signing message must include all GET parameters present in the final request except the "signature" parameter. The message uses a simple URL query format, but the GET parameters must be listed in alphabetical order.

signature (using 'test' as the secret key): b78a0b9069957cd547b3a4e7ef54a3ab3392e7612f4ecfea2c8f13b652279534

Final URL: https://ci.openccc.net/idp-proxy/login?redirectUrl=https://www.google.com&eppn=test@test.com&signature=b78a0b9069957cd547b3a4e7ef54a3ab3392e7612f4ecfea2c8f13b652279534

Note that the final URL does not require the parameters to be in any specific order.
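The signing steps and the landing page's verification, written out as an added Python example (not the project's own code, which runs in SimpleSAMLphp/PHP). It uses the example parameters, base URL and secret key 'test' given above; rejecting repeated parameter names and lower-casing the presented hex digest before comparison are assumptions made here, not stated on the page.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit


def signing_message(params: dict) -> str:
    """Steps 1-3: sort parameter names, URL-encode each value (names are used
    as given, as in the page's example) and join them as a query string.
    A 'signature' parameter is never part of its own signing message."""
    return "&".join(
        f"{name}={quote(str(params[name]), safe='')}"
        for name in sorted(params)
        if name != "signature"
    )


def sign(params: dict, secret: bytes) -> str:
    """Step 4: hex-encoded HMAC-SHA256 of the signing message under the shared key."""
    msg = signing_message(params).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_signed_url(base_url: str, params: dict, secret: bytes) -> str:
    """Step 5: the final URL carries every parameter plus 'signature'.
    Parameter order in this URL does not matter to the verifier."""
    query = urlencode({**params, "signature": sign(params, secret)})
    return f"{base_url}?{query}"


def verify_signed_url(url: str, secret: bytes) -> bool:
    """Landing-page side: rebuild the message from the received parameters,
    recompute the HMAC and compare it in constant time."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        return False  # assumption: a repeated parameter name is rejected outright
    received = dict(pairs)
    presented = received.pop("signature", None)
    if presented is None:
        return False
    # compare_digest avoids leaking how many leading characters matched
    expected = sign(received, secret).encode("ascii")
    return hmac.compare_digest(presented.lower().encode("utf-8"), expected)


if __name__ == "__main__":
    example = {"eppn": "test@test.com", "redirectUrl": "https://www.google.com"}
    print("message:  ", signing_message(example))
    print("signature:", sign(example, b"test"))
    url = build_signed_url("https://ci.openccc.net/idp-proxy/login", example, b"test")
    print("verifies: ", verify_signed_url(url, b"test"))
```

Running the block prints the signing message and signature for the example above, so the digest can be compared with the one listed on this page.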


Useful links:

Online HMAC_SHA256 generator
