eduGAIN Access Check
Overview
eduGAIN Access Check can be used by SP admins to validate the behaviour of their federated service in a production environment.
It is composed of two parts:
- account manager
- identity provider
Account Manager
This is a web application developed in Perl, allowing SP admins to create test accounts with multiple user profiles.
It requires the following CPAN distributions:
- CGI-Simple
- Config-Tiny
- Data-Dump
- DateTime
- Email-MIME
- Email-Sender
- JSON
- List-MoreUtils
- Locale-Maketext-Lexicon
- Log-Any
- Net-IP
- Rose-DB-Object
- Template-Toolkit
- UNIVERSAL-require
- XML-LibXML
Installation follows the usual autotools-based procedure:
$> ./configure
$> make
$> sudo make install
A database has to be created, and its schema populated. For instance, with MariaDB:
$> mysqladmin create -u root -p access_check
Enter password:
$> mysql -u root -p access_check < conf/manager.sql
Enter password:
$> mysql -u root -p mysql
Enter password:
MariaDB [mysql]> grant all privileges on access_check.* to access_check@localhost identified by 's3cr3t';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> quit
The web server has to be configured to map access to the CGI script. For instance, with Apache:
Alias /access-check /usr/local/share/access-check/www
<Directory /usr/local/share/access-check/www>
Require all granted
Options ExecCGI
DirectoryIndex access-check-manager.cgi
AddHandler cgi-script .cgi
</Directory>
Additional directories have to be created for logs and data, with write permission for the web server:
$> sudo mkdir /var/log/access-check
$> sudo mkdir /var/lib/access-check
$> sudo chown apache:apache /var/log/access-check
$> sudo chown apache:apache /var/lib/access-check
The application has to be properly configured, using the installed manager.conf file.
A cron task has to be set for downloading federation metadata. For instance:
# download eduGAIN metadata hourly
01 * * * * root curl --silent http://mds.edugain.org/ -o /var/lib/access-check/edugain.xml
Another cron task has to be set for purging expired tokens and accounts. For instance:
# purge expired tokens hourly
01 * * * * root /usr/local/bin/access-check-manager.pl list_tokens --expired --delete > /dev/null
# purge expired accounts daily
02 0 * * * root /usr/local/bin/access-check-manager.pl list_accounts --expired --delete > /dev/null
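As an added example that is not part of the access-check distribution, the following Python 3.7+ routine could be called from the metadata cron task instead of the bare curl command: it refuses a download that is not a well-formed md:EntitiesDescriptor aggregate or whose validUntil has already passed, and swaps the file into place atomically so the manager never reads a truncated or empty copy. The sample aggregate, its entityIDs and the function names are constructed for this example.

```python
import os
import tempfile
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate with two hypothetical entities, used by the checks below.
SAMPLE = (
    b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    b' validUntil="2999-01-01T00:00:00Z">'
    b'<md:EntityDescriptor entityID="https://idp.example.org/idp"/>'
    b'<md:EntityDescriptor entityID="https://sp.example.org/sp"/></md:EntitiesDescriptor>'
)


def check_metadata(data, now=None):
    """Return the entity count of an aggregate, or raise ValueError if it is unusable."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc) from exc
    if root.tag != "{%s}EntitiesDescriptor" % MD_NS:
        raise ValueError("unexpected root element %s" % root.tag)
    valid_until = root.get("validUntil", "")  # absent -> "" -> ValueError from fromisoformat
    if datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise ValueError("metadata expired at %s" % valid_until)
    return len(root.findall("{%s}EntityDescriptor" % MD_NS))


def install_metadata(data, dest):
    """Validate, then replace dest atomically so readers never see a partial file."""
    count = check_metadata(data)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".edugain-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, dest)  # the previous copy survives until this succeeds
    except BaseException:
        os.unlink(tmp)
        raise
    return count


def fetch_and_install(url, dest):
    """Download the aggregate and install it; a failed fetch keeps the old copy."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return install_metadata(resp.read(), dest)
```

Called as fetch_and_install("https://mds.edugain.org/", "/var/lib/access-check/edugain.xml") from the hourly cron entry, a failed or rejected download leaves the previously installed aggregate untouched.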
Identity Provider
The identity provider is a simpleSAMLphp instance.
Licensing
This software is licensed under GÉANT Standard Open Source Software Outward Licence.
This software was developed by RENATER, with funding from the European Community Seventh Framework Programme (FP7/2007-2013) under grant agreement nº 238875 (GÉANT).
This software was initially authored by Olivier Salaün.