diff --git a/docs/saml/image-1.png b/docs/saml/image-1.png new file mode 100644 index 0000000..7e28e4f Binary files /dev/null and b/docs/saml/image-1.png differ diff --git a/docs/saml/image-2.png b/docs/saml/image-2.png new file mode 100644 index 0000000..7ac1433 Binary files /dev/null and b/docs/saml/image-2.png differ diff --git a/docs/saml/image-3.png b/docs/saml/image-3.png new file mode 100644 index 0000000..843ecd7 Binary files /dev/null and b/docs/saml/image-3.png differ diff --git a/docs/saml/image.png b/docs/saml/image.png new file mode 100644 index 0000000..950b6e8 Binary files /dev/null and b/docs/saml/image.png differ diff --git a/docs/saml/saml.md b/docs/saml/saml.md new file mode 100644 index 0000000..681b148 --- /dev/null +++ b/docs/saml/saml.md 
@@ -0,0 +1,24 @@ +# Zero Trust Proxy Configurtion + +The first change is in `/etc/shibboleth/shibboleth2.xml` + +![image of shibboleth2.xml configuration in terminal](image.png) + +- Here in the `ApplicationDefaults` section we configure the policy that determines what our `REMOTE_USER` value will be as it flows through the proxy. The current set up is to check for eppn, then persistent-id, then finally targeted-id and then assign it to `REMOTE_USER`. + +Our next change is in to `/etc/shibboleth/attribute-map.xml` +![image of attribute-map.xml](image-1.png) + +- In this file we can configure how the eppn value is decoded. In the current configuration we have left it as scoped but its possible to transform it into a simple string value as well + +Here in `/etc/shibboleth/attribute-policy.xml` there are a few more change points +![shibboleth attribute-policy xml file](image-2.png) + +- First is the highlighted section showing the eppn. We currently have the `PermitValueRule` set to `basic:ANY` to allow the value to flow through simply as it is. Previously we were using the `PermitValueRuleReference ScopingRules` which can be seen towards the top of the screenshot, this policy defines what an acceptable value is for the rules that reference it. + +In `/etc/httpd/conf.d/front-end.conf` we have a completely new entry +![apache front-end.conf configuration file](image-3.png) + +- From the top we set a wide-open location match that will allow the application behind the proxy to be able to easily check back in with the proxy for each request (applying a zero trust-esque flow). In the auth section below we set up this location to require shibboleth and currently let the application handle what to do with an unauthorized user. + +- In the next block we preform one of two different regex matches depending on if a user has a BlazerID or if they are a XIAS user. Then we update REMOTE_USER and send it back down to the application 
diff --git a/mkdocs.yml b/mkdocs.yml index 35aefbc..058fdd9 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -40,7 +40,8 @@ markdown_extensions: - toc: permalink: true -plugins: # order matters! +plugins: + # order matters! - search - meta - blog: @@ -65,4 +66,29 @@ plugins: # order matters! nav: - Home: index.md + - Cheaha: + - Archiving Modules: cheaha/archiving_modules.md + - Shell Commands: cheaha/shell_commands.md + - GitLab Runner: + - Personal GitLab Runner Setup: gitlab_runner/personal_gitlab_runner_setup.md + - Openstack: + - VM Migration: openstack/vm_migration.md + - VM Service Setup: service/service_setup.md + - Identity: + - Saml: saml/saml.md - Ticket Issues: tickets.md + +validation: + nav: + omitted_files: warn + not_found: warn + absolute_links: warn + links: + not_found: warn + anchors: warn + absolute_links: warn + unrecognized_links: warn + +watch: + - scripts + - theme
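Review bot: in the new `docs/saml/saml.md` (hunk `@@ -0,0 +1,24 @@`), the attribute-policy change that swaps `PermitValueRuleReference ScopingRules` for `PermitValueRule` `basic:ANY` on eppn drops exactly the check the page itself describes (the scoping policy "defines what an acceptable value is"), so any eppn asserted by any IdP now flows straight into `REMOTE_USER`; the doc should either keep the scoping rule or state why an unvalidated scope is acceptable here, given that `REMOTE_USER` is what the wide-open `LocationMatch` hands to the application. In the same vein, the front-end section says the application is left to "handle what to do with an unauthorized user"; spell out what the app does when `REMOTE_USER` is empty or does not match either the BlazerID or XIAS regex so the fail-closed behaviour is documented rather than implied. The configuration is also recorded only as screenshots (`image.png` through `image-3.png`); add the relevant `shibboleth2.xml`, `attribute-map.xml`, `attribute-policy.xml` and `front-end.conf` fragments as fenced text so they are searchable and reviewable. Minor wording: "Configurtion" should be "Configuration", "in to" should be "in", "its possible" should be "it's possible", and "preform" should be "perform".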
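Review bot: in the `mkdocs.yml` nav hunk (`@@ -65,4 +66,29 @@`), `VM Service Setup: service/service_setup.md` is listed under `Openstack` but its path is `service/`, unlike its sibling `openstack/vm_migration.md`; confirm the file really lives there or move it under `openstack/` so the nav and directory layout agree. The new `Identity` entry title `Saml` should read `SAML` to match the acronym. Every check in the added `validation` block is set to `warn`, so a missing page such as the one above only produces a warning; if the intent is to catch broken nav entries and links, document running the build with `mkdocs build --strict` so those warnings fail the build.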