
eduGAIN Access Check

Overview

eduGAIN Access Check can be used by SP admins to validate the behaviour of their federated service in a production environment.

It is composed of two parts:

  • account manager
  • identity provider

Account Manager

This is a web application developed in Perl, allowing SP admins to create test accounts with multiple user profiles.

It requires the following CPAN distributions:

  • CGI
  • Config-Tiny
  • DateTime
  • HTTP-AcceptLanguage
  • List-MoreUtils
  • Log-Any
  • Rose-DB-Object
  • Template-Toolkit
  • Text-CSV
  • XML-LibXML

Installation follows the usual autotools-based procedure:

$> ./configure
$> make
$> sudo make install

A database has to be created, and its schema populated. For instance, with MariaDB:

$> mysqladmin create -u root -p access_check
Enter password:
$> mysql -u root -p access_check < conf/manager.sql
Enter password:
$> mysql -u root -p mysql
Enter password:
MariaDB [mysql]> grant all privileges on access_check.* to access_check@localhost identified by 's3cr3t';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> quit

The web server has to be configured to map access to the CGI script. For instance, with Apache:
    Alias /access-check /usr/local/share/access-check/www
    <Directory /usr/local/share/access-check/www>
        Require all granted
        Options ExecCGI
        DirectoryIndex access-check-manager.cgi
        AddHandler cgi-script .cgi
    </Directory>

Additional directories have to be created for logs and data, with write permission for the web server:

$> sudo mkdir /var/log/access-check
$> sudo mkdir /var/lib/access-check
$> sudo chown apache:apache /var/log/access-check
$> sudo chown apache:apache /var/lib/access-check

The application has to be properly configured, using the installed manager.conf file.

A cron task has to be set for downloading federation metadata. For instance:

# download eduGAIN metadata hourly
01 * * * * root curl --silent --fail http://mds.edugain.org/ -o /var/lib/access-check/edugain.xml

Another cron task has to be set for purging expired tokens and accounts. For instance:

# purge expired tokens hourly
01 * * * * root /usr/local/bin/access-check-manager.pl list_tokens --expired --delete > /dev/null
# purge expired accounts daily
02 0 * * * root /usr/local/bin/access-check-manager.pl list_accounts --expired --delete > /dev/null
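The cron line above replaces the installed metadata file with whatever the download produced, so a truncated response or an aggregate whose validUntil has already passed would silently take the place of a good copy. The following added example (not part of the access-check project, which does its own parsing in Perl with XML-LibXML) shows the checks a defender would put between the download and the install: parse the aggregate, confirm it is a SAML EntitiesDescriptor whose validUntil lies in the future, list the IdPs it contains, and only then replace the destination file atomically. The metadata document embedded below is constructed for the example and is not real eduGAIN metadata; the function and variable names are the example's own.

```python
"""Freshness check and atomic install for a SAML metadata aggregate.

Added example; not code from the access-check project. Standard library only.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate: one IdP and one SP, validUntil far in the future.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="http://mds.example.org/" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Same document with validUntil already in the past (constructed stale sample).
STALE_METADATA = SAMPLE_METADATA.replace(b"2099-01-01", b"2000-01-01")


def parse_valid_until(value):
    """Parse the xsd:dateTime used by SAML metadata (UTC, trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def load_aggregate(xml_bytes, now=None):
    """Return (is_fresh, idp_entity_ids) for a metadata aggregate.

    is_fresh is False when validUntil is missing or already in the past; an
    aggregate in that state must not replace the currently installed file.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntitiesDescriptor" % MD_NS:
        raise ValueError("not a SAML EntitiesDescriptor: %s" % root.tag)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False, []
    is_fresh = parse_valid_until(valid_until) > now
    ns = {"md": MD_NS}
    idps = [
        ed.get("entityID")
        for ed in root.findall("md:EntityDescriptor", ns)
        if ed.find("md:IDPSSODescriptor", ns) is not None
    ]
    return is_fresh, idps


def install_if_fresh(xml_bytes, dest, now=None):
    """Validate a downloaded aggregate and replace dest atomically.

    Returns True when dest was updated. A stale or unparsable download leaves
    the previously installed file untouched.
    """
    try:
        is_fresh, _ = load_aggregate(xml_bytes, now)
    except (ET.ParseError, ValueError):
        return False
    if not is_fresh:
        return False
    tmp = dest + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(xml_bytes)
    os.replace(tmp, dest)  # atomic rename on the same filesystem
    return True


def demo_install():
    """Run the three cases against a temporary file; returns the outcomes."""
    workdir = tempfile.mkdtemp()
    dest = os.path.join(workdir, "edugain.xml")
    first = install_if_fresh(SAMPLE_METADATA, dest)      # good aggregate: installed
    second = install_if_fresh(STALE_METADATA, dest)      # expired: refused
    third = install_if_fresh(b"<md:EntitiesDescriptor", dest)  # truncated: refused
    with open(dest, "rb") as fh:
        kept_good_copy = fh.read() == SAMPLE_METADATA
    return first, second, third, kept_good_copy


if __name__ == "__main__":
    fresh, idps = load_aggregate(SAMPLE_METADATA)
    print("fresh:", fresh, "IdPs:", idps)
    print("install outcomes:", demo_install())
```

In a deployment this would sit between the curl download (to a temporary path) and the file the Account Manager reads, and the eduGAIN aggregate's XML signature should be verified against the pinned eduGAIN signing certificate (for instance with xmlsec1) before the freshness check, since a validUntil attribute proves nothing on an unsigned document. Fetching over HTTPS rather than the plain HTTP URL in the cron line further reduces the chance of an altered download reaching this step.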

Identity Provider

The identity provider is simpleSAMLphp.

Licensing

This software is licensed under GÉANT Standard Open Source Software Outward Licence.

This software was developed by RENATER, with funding from the European Community Seventh Framework Programme (FP7/2007-2013) under grant agreement nº 238875 (GÉANT).

This software was initially authored by Olivier Salaün.