# eduGAIN Access Check

## Overview

eduGAIN Access Check can be used by SP admins to validate the behaviour of
their federated service in a production environment.

It is composed of two parts:
* account manager
* identity provider

## Account Manager

This is a web application developed in Perl, allowing SP admins to create test accounts with multiple user profiles.

It requires the following CPAN distributions:
* CGI-Simple
* Config-Tiny
* Data-Dump
* DateTime
* List-MoreUtils
* Locale-Maketext-Lexicon
* Log-Any
* Email-MIME
* Email-Sender
* Rose-DB-Object
* Template-Toolkit
* Text-CSV
* UNIVERSAL-require
* XML-LibXML

Installation follows the usual autotools-based procedure:
```
$> ./configure
$> make
$> sudo make install
```

A database has to be created, and its schema populated. For instance, with MariaDB:
```
$> mysqladmin create -u root -p access_check
Enter password:
$> mysql -u root -p access_check < conf/manager.sql
Enter password:
$> mysql -u root -p mysql
Enter password:
MariaDB [mysql]> grant all privileges on access_check.* to access_check@localhost identified by 's3cr3t';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> quit
```

The web server has to be configured to map access to the CGI script. For instance, with Apache:
```
Alias /access-check /usr/local/share/access-check/www
<Directory /usr/local/share/access-check/www>
    Require all granted
    Options ExecCGI
    DirectoryIndex access-check-manager.cgi
    AddHandler cgi-script .cgi
</Directory>
```

Additional directories have to be created for logs and data, with write permission for the web server:
```
$> sudo mkdir /var/log/access-check
$> sudo mkdir /var/lib/access-check
$> sudo chown apache:apache /var/log/access-check
$> sudo chown apache:apache /var/lib/access-check
```

The application has to be properly configured, using the installed `manager.conf` file.

A cron task has to be set for downloading federation metadata. For instance:
```
# download eduGAIN metadata hourly
01 * * * * root curl --silent http://mds.edugain.org/ -o /var/lib/access-check/edugain.xml
```
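
With `curl -o` writing directly to the live file, an HTTP error page or a truncated transfer replaces the last good copy of the metadata. The following is an added example, not part of the project: shell functions that download to a temporary file, check that the aggregate is complete, and only then replace the target. The function names, the temporary-file naming and the optional `METADATA_CERT` variable (a PEM signing certificate passed to `xmlsec1`) are assumptions.

```shell
# Added example (not project code). Function names, temp-file naming and
# METADATA_CERT are assumptions made for this illustration.

# validate_metadata FILE: succeed only if FILE is non-empty and contains both
# the opening and the closing EntitiesDescriptor tag (i.e. is not truncated).
validate_metadata() {
    [ -s "$1" ] || return 1
    grep -Eq '<([A-Za-z0-9_]+:)?EntitiesDescriptor([[:space:]>]|$)' "$1" || return 1
    grep -Eq '</([A-Za-z0-9_]+:)?EntitiesDescriptor>' "$1" || return 1
    # Optional XML signature check, only when a signing certificate is configured.
    if [ -n "${METADATA_CERT:-}" ]; then
        xmlsec1 --verify --pubkey-cert-pem "$METADATA_CERT" \
            --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor \
            "$1" >/dev/null 2>&1 || return 1
    fi
}

# install_metadata CANDIDATE TARGET: rename CANDIDATE over TARGET if it
# validates; otherwise delete CANDIDATE and leave TARGET untouched.
install_metadata() {
    if validate_metadata "$1"; then
        mv -f "$1" "$2"
    else
        rm -f "$1"
        return 1
    fi
}

# fetch_metadata URL TARGET: download next to TARGET (same filesystem, so the
# final rename is atomic), then validate and install.
fetch_metadata() {
    tmp="$2.tmp.$$"
    curl --silent --fail --max-time 120 -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    install_metadata "$tmp" "$2"
}

# A cron job would source this file and call:
#   fetch_metadata <metadata URL> <path to edugain.xml>
```

A non-zero exit status means the previous file was kept, so the cron job can be left to report it by mail instead of discarding its output.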

Another cron task has to be set for purging expired tokens and accounts. For instance:
```
# purge expired tokens hourly
01 * * * * root /usr/local/bin/access-check-manager.pl list_tokens --expired --delete > /dev/null
# purge expired accounts daily
02 0 * * * root /usr/local/bin/access-check-manager.pl list_accounts --expired --delete > /dev/null
```

## Identity Provider

The identity provider is [simpleSAMLphp](https://simplesamlphp.org/).

## Licensing
This software is licensed under the GÉANT Standard Open Source Software Outward
Licence.

This software was developed by RENATER, with funding from the European
Community Seventh Framework Programme (FP7/2007-2013) under grant agreement nº
238875 (GÉANT).

This software was initially authored by Olivier Salaün.