# eduGAIN Access Check
## Overview

eduGAIN Access Check can be used by SP admins to validate the behaviour of
their federated service in a production environment.

It is composed of two parts:
* account manager
* identity provider

## Account Manager

This is a web application developed in Perl, allowing SP admins to create test accounts with multiple user profiles.

It requires the following CPAN distributions:
* CGI-Simple
* Config-Tiny
* Data-Dump
* DateTime
* Email-MIME
* Email-Sender
* JSON
* List-MoreUtils
* Locale-Maketext-Lexicon
* Log-Any
* Rose-DB-Object
* Template-Toolkit
* Text-CSV
* UNIVERSAL-require
* XML-LibXML

Installation follows the usual autotools-based procedure:
```
$> configure
$> make
$> sudo make install
```

A database has to be created, and its schema populated. For instance, with MariaDB:
```
$> mysqladmin create -u root -p access_check
Enter password:
$> mysql -u root -p access_check < conf/manager.sql
Enter password:
$> mysql -u root -p mysql
Enter password:
MariaDB [mysql]> grant all privileges on access_check.* to access_check@localhost identified by 's3cr3t';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> quit
```

The web server has to be configured to map access to the CGI script. For instance, with Apache:
```
    Alias /access-check /usr/local/share/access-check/www
    <Directory /usr/local/share/access-check/www>
        Require all granted
        Options ExecCGI
        DirectoryIndex access-check-manager.cgi
        AddHandler cgi-script .cgi
    </Directory>
```

Additional directories have to be created for logs and data, with write permission for the web server:
```
$> sudo mkdir /var/log/access-check
$> sudo mkdir /var/lib/access-check
$> sudo chown apache:apache /var/log/access-check
$> sudo chown apache:apache /var/lib/access-check
```

The application has to be properly configured, using the installed `manager.conf` file.

A cron task has to be set for downloading federation metadata. For instance:
```
# download eduGAIN metadata hourly
01 * * * * root curl --silent http://mds.edugain.org/ -o /var/lib/access-manager/edugain.xml
```

Another cron task has to be set for purging expired tokens and accounts. For instance:
```
# purge expired tokens hourly
01 * * * * root /usr/local/bin/access-check-manager.pl list_tokens --expired --delete > /dev/null
# purge expired accounts daily
02 0 * * * root /usr/local/bin/access-check-manager.pl list_accounts --expired --delete > /dev/null
```

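The metadata cron task above writes whatever `curl` returns straight into the file the account manager reads, so a truncated download, an HTTP error page or an expired aggregate would be picked up unchecked. The following script is an added example, not part of eduGAIN Access Check, of a fetcher that validates the aggregate before atomically replacing the installed copy. It assumes the feed URL and destination path from the cron line; the sample aggregate, the function names `validate_metadata` and `fetch_and_install`, and the `.edugain-` temporary file prefix are constructed for the example. The signature check only confirms that a `ds:Signature` element is present; verifying it against the federation signing key is a separate step (for instance with `xmlsec1`) that this example does not perform.

```python
"""Fetch a SAML metadata aggregate, sanity-check it, then install it atomically.

Added example for the eduGAIN Access Check README; not project code.
"""
import os
import sys
import tempfile
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample aggregate: two entities, a placeholder signature element,
# and a validUntil far in the future. Not real eduGAIN data.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="https://example.org/constructed-feed" validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def validate_metadata(xml_bytes, now=None):
    """Return (entity_count, problems) for a metadata aggregate.

    Checks that the document is well-formed XML, that its root is
    md:EntitiesDescriptor, that a ds:Signature element is present (presence
    only, no cryptographic verification), that validUntil, if given, lies in
    the future, and that at least one EntityDescriptor is included.
    """
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return 0, [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        return 0, [f"unexpected root element {root.tag}"]

    if root.find(f"{{{DS_NS}}}Signature") is None:
        problems.append("aggregate carries no ds:Signature")

    now = now or datetime.now(timezone.utc)
    valid_until = root.get("validUntil")
    if valid_until:
        # SAML timestamps are UTC and end in 'Z'; fromisoformat wants an offset
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append(f"metadata expired at {valid_until}")

    count = len(root.findall(f".//{{{MD_NS}}}EntityDescriptor"))
    if count == 0:
        problems.append("no EntityDescriptor found")
    return count, problems


def fetch_and_install(url, dest, timeout=60):
    """Download the aggregate, validate it, and replace dest atomically.

    Writing to a temporary file in the same directory and renaming means the
    account manager only ever sees the previous complete file or the new one.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read()
    count, problems = validate_metadata(data)
    if problems:
        raise RuntimeError("refusing to install metadata: " + "; ".join(problems))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".edugain-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise
    return count


if __name__ == "__main__":
    # Same URL and destination as the cron line in the README (assumed unchanged).
    feed = sys.argv[1] if len(sys.argv) > 1 else "http://mds.edugain.org/"
    target = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/access-manager/edugain.xml"
    print(f"installed {fetch_and_install(feed, target)} entities into {target}")
```

Run it from cron in place of the bare `curl` invocation; a non-zero exit leaves the previously installed aggregate untouched, which is the behaviour you want when the feed is temporarily broken.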
## Identity Provider

The identity provider is simply [simpleSAMLphp](https://simplesamlphp.org/).

## Licensing
This software is licensed under GÉANT Standard Open Source Software Outward
Licence.

This software was developed by RENATER, with funding from the European
Community Seventh Framework Programme (FP7/2007-2013) under grant agreement nº
238875 (GÉANT).

This software was initially authored by Olivier Salaün.