From Fedora Project Wiki

Description

IDP Installation testing.

Setup

  1. For testing purposes, a machine (or VM) with 1 GB of RAM and 4 GB of free disk space for binaries, data and logs is plenty to set up and run an IPA master.
  2. The IDP is assumed to be installed on the same server/VM as the IPA master.

How to test

Installation

Install the IDP on the same VM as your IPA server for simplicity.

First, install the Ipsilon server packages:

# dnf install ipsilon ipsilon-tools ipsilon-authkrb ipsilon-infosssd ipsilon-tools-ipa ipsilon-saml2 ipsilon-authfas ipsilon-authldap ipsilon-authform

Configure the Ipsilon server to use IPA for authentication and SSSD for user information:

# ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes --info-sssd-domain=example.com

where --info-sssd-domain is the domain you configured for IPA (example.com in the test day setup).

Configure SSL

The Ipsilon server installer does not yet support the mod_nss Apache SSL module; it always configures mod_ssl. IPA serves TLS through mod_nss, so the IDP Apache configuration needs a minor tweak to use the mod_nss equivalent of the SSLRequireSSL directive.

Edit /etc/httpd/conf.d/ipsilon-idp.conf

Replace

  SSLRequireSSL

With

  NSSRequireSSL

Remove /etc/httpd/conf.d/ssl.conf, the default configuration shipped with the mod_ssl package; it would otherwise try to serve port 443 alongside IPA's mod_nss configuration:

  rm -f /etc/httpd/conf.d/ssl.conf

It is handy to add a rewrite rule that redirects plain http requests for Ipsilon to https. Add the following lines to the bottom of /etc/httpd/conf.d/ipsilon-idp.conf. Be sure to update the hostname to match your IPA/Ipsilon VM if you have deviated from the hostname recommended in the test day instructions! Note that the pattern captures everything after /idp, including the leading slash of any sub-path, so the target must not insert a second slash, or /idp/foo would be redirected to /idp//foo.

  # Redirect Ipsilon requests to the secure port
  RewriteEngine On
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^/idp(.*) https://idp.example.com/idp$1 [L,R=301,NC]

Configure Kerberos local user mapping

Ipsilon is set up for Kerberos authentication, but Kerberos-authenticated users are identified by their full principal name (for example admin@EXAMPLE.COM). We want the IPA 'admin' user to be able to perform Ipsilon administration tasks whether it logs in via form-based authentication or via Kerberos, so both paths must yield the same user name. This requires enabling local user mapping in mod_auth_kerb, which maps the principal name of a Kerberos-authenticated user to a normal local user name (plain 'admin'). To enable local user mapping, ensure the following directive is uncommented in /etc/httpd/conf.d/ipsilon-idp.conf:

 KrbLocalUserMapping On

Restart Apache

The above configuration changes will not take effect until Apache is restarted. This can be done by running:

 # systemctl restart httpd
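The installation and Apache tweaks above, collected into one script. This is an added example for this page, not code from the Ipsilon or FreeIPA projects. It assumes the hostname idp.example.com and IPA domain example.com from the test day setup (both overridable through IDP_HOST and IPA_DOMAIN). Only fix_idp_conf edits a file, and it takes the path as a parameter, so without --apply the script exercises it on a constructed sample instead of /etc/httpd/conf.d/ipsilon-idp.conf; the redirect uses %{HTTPS} rather than the port number so it also holds when TLS is not on 443.

```shell
#!/bin/sh
# Added example (not from the Ipsilon or FreeIPA projects): automates the
# installation steps from the test day page. Only fix_idp_conf edits a file,
# and it takes the path as a parameter, so the demo at the bottom runs it on
# a constructed sample rather than on /etc/httpd/conf.d/ipsilon-idp.conf.
set -eu

IDP_HOST="${IDP_HOST:-idp.example.com}"   # assumption: hostname from the test day setup
IPA_DOMAIN="${IPA_DOMAIN:-example.com}"   # assumption: the IPA domain

# Apply the three Apache tweaks to the ipsilon-idp.conf given as $1:
#   SSLRequireSSL -> NSSRequireSSL (IPA serves TLS through mod_nss, not mod_ssl)
#   uncomment "KrbLocalUserMapping On" so admin@REALM becomes plain "admin"
#   append the http -> https redirect for /idp, using the hostname in $2
# Safe to run twice: the sed edits are no-ops the second time and the
# redirect block is only appended when it is not already present.
fix_idp_conf() {
    conf="$1"
    host="$2"
    sed -i 's/^\([[:space:]]*\)SSLRequireSSL/\1NSSRequireSSL/' "$conf"
    sed -i 's/^\([[:space:]]*\)#[[:space:]]*\(KrbLocalUserMapping[[:space:]]*On\)/\1\2/' "$conf"
    if ! grep -q 'RewriteRule \^/idp' "$conf"; then
        cat >>"$conf" <<EOF

# Redirect Ipsilon requests to the secure port
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/idp(.*) https://$host/idp\$1 [L,R=301,NC]
EOF
    fi
}

# Return 0 only when every expected change is present in $1.
conf_is_fixed() {
    conf="$1"
    grep -q '^[[:space:]]*NSSRequireSSL' "$conf" &&
    ! grep -q '^[[:space:]]*SSLRequireSSL' "$conf" &&
    grep -q '^[[:space:]]*KrbLocalUserMapping[[:space:]]*On' "$conf" &&
    ! grep -q '^[[:space:]]*#[[:space:]]*KrbLocalUserMapping' "$conf" &&
    grep -q 'RewriteRule \^/idp' "$conf"
}

# Constructed stand-in for the installer's output, written to $1
# (the real file is longer; only the lines the tweaks touch are shown).
make_sample_conf() {
    cat >"$1" <<'EOF'
<Location /idp>
    SSLRequireSSL
    AuthType Kerberos
    #KrbLocalUserMapping On
</Location>
EOF
}

# The real procedure; needs root on the IPA master and network access.
install_idp() {
    dnf install -y ipsilon ipsilon-tools ipsilon-authkrb ipsilon-infosssd \
        ipsilon-tools-ipa ipsilon-saml2 ipsilon-authfas ipsilon-authldap \
        ipsilon-authform
    ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes \
        --info-sssd-domain="$IPA_DOMAIN"
    fix_idp_conf /etc/httpd/conf.d/ipsilon-idp.conf "$IDP_HOST"
    rm -f /etc/httpd/conf.d/ssl.conf   # mod_ssl's port 443 config would clash with mod_nss
    systemctl restart httpd
}

if [ "${1:-}" = "--apply" ]; then
    install_idp
else
    # Dry run on the constructed sample; nothing under /etc is touched.
    sample=$(mktemp)
    make_sample_conf "$sample"
    fix_idp_conf "$sample" "$IDP_HOST"
    if conf_is_fixed "$sample"; then
        echo "sample config rewritten correctly:"
        cat "$sample"
    else
        echo "config rewrite failed" >&2
        rm -f "$sample"
        exit 1
    fi
    rm -f "$sample"
fi
```

Run it without arguments on any machine to see the rewritten sample; run it as root with --apply on the IPA master to perform the actual installation. Because fix_idp_conf is idempotent, re-running --apply after a failed step does not duplicate the redirect block.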

Verify the basics

Firefox should be launched from a machine that is enrolled to the IPA server, so that it trusts the IPA CA and can obtain Kerberos tickets. If Firefox is not installed, you can install it together with some fonts and X11 forwarding support with:

# dnf -y install firefox dejavu-* xorg-x11-xauth

  1. Start Firefox.
  2. Visit http://idp.example.com/idp (the rewrite rule added above should redirect you to https).
  3. Authenticate as 'admin' using the IPA admin password.

Alternatively, you can use Kerberos authentication by following these steps:

  1. Run 'kinit admin' on the VM you are using for Firefox.
  2. Visit http://idp.example.com/idp and click on the 'configured' link to the right of the login form. Follow the steps shown in the browser to configure Firefox for Kerberos (SPNEGO) authentication.
  3. Visit http://idp.example.com/idp again and click on 'Log In'. You should be authenticated as the 'admin' user via Kerberos without being prompted for a password.

Log out of Ipsilon to clean up for SP testing:

  1. Visit http://idp.example.com/idp and click on 'Log Out'.
  2. Run 'kdestroy -A' on your Firefox system if you are testing Kerberos authentication.
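A command-line stand-in for the Firefox checks above, useful when the test VM has no display. This is an added example for this page, not code from Ipsilon or FreeIPA. It assumes the hostname idp.example.com, that curl runs on an IPA-enrolled client (which trusts the IPA CA and has a ticket from 'kinit admin'), and that the Kerberos login endpoint the installer protects with AuthType Kerberos is /idp/login/krb/negotiate; adjust KRB_LOGIN_PATH if your ipsilon-idp.conf differs. The two check functions only inspect header text, so without --live the script runs them on constructed header dumps, including the failure case where no ticket was accepted.

```shell
#!/bin/sh
# Added example (not part of the test day page): curl equivalent of the
# browser checks. check_redirect and check_login are pure text checks and
# are run below on constructed curl output; verify_idp drives curl against
# a live IdP and needs a ticket from "kinit admin".
set -eu

IDP_HOST="${IDP_HOST:-idp.example.com}"   # assumption: hostname from the test day setup
# Assumption: the endpoint protected with AuthType Kerberos in ipsilon-idp.conf.
KRB_LOGIN_PATH="/idp/login/krb/negotiate"

# $1 = raw response headers, $2 = expected https URL.
# Passes when the plain-http request was answered with a 301 whose Location
# starts with the https URL (the RewriteRule added during installation).
check_redirect() {
    printf '%s\n' "$1" | grep -q '^HTTP/[0-9.]* 301' &&
    printf '%s\n' "$1" | grep -qi "^Location: $2"
}

# $1 = raw response headers from a request made with --negotiate. curl dumps
# the initial 401 challenge and the final answer, so only the last status
# line counts. Passes when the final status is 2xx or 3xx (Ipsilon redirects
# after a successful login); a final 401 means no accepted ticket (no kinit,
# wrong realm, or a client not configured for SPNEGO).
check_login() {
    last=$(printf '%s\n' "$1" | grep '^HTTP/' | tail -n 1)
    case "$last" in
        *" "[23][0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks against the IdP; mirrors the Kerberos steps above.
verify_idp() {
    klist -s || { echo "no Kerberos ticket; run 'kinit admin' first" >&2; return 1; }
    hdrs=$(curl -s -o /dev/null -D - "http://$IDP_HOST/idp")
    check_redirect "$hdrs" "https://$IDP_HOST/idp" ||
        { echo "http -> https redirect is missing" >&2; return 1; }
    hdrs=$(curl -s -o /dev/null -D - --negotiate -u : "https://$IDP_HOST$KRB_LOGIN_PATH")
    check_login "$hdrs" ||
        { echo "Kerberos login was not accepted" >&2; return 1; }
    echo "redirect and Kerberos login OK"
    kdestroy -A   # clean up before SP testing, as the page does
}

# Constructed header dumps in the shape "curl -D -" prints; not captured
# from a real server.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://idp.example.com/idp
Content-Length: 0'
SAMPLE_LOGIN_OK='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate

HTTP/1.1 303 See Other
Location: https://idp.example.com/idp'
SAMPLE_LOGIN_FAIL='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate'

if [ "${1:-}" = "--live" ]; then
    verify_idp
else
    check_redirect "$SAMPLE_REDIRECT" "https://idp.example.com/idp" && echo "redirect sample: pass"
    check_login "$SAMPLE_LOGIN_OK" && echo "accepted-ticket sample: pass"
    check_login "$SAMPLE_LOGIN_FAIL" || echo "no-ticket sample: correctly rejected"
fi
```

Run with --live on the enrolled client after 'kinit admin'. A final 401 from the negotiate endpoint is the curl equivalent of Firefox falling back to the login form, and usually means the ticket is missing, for the wrong realm, or the client is not configured for SPNEGO against the IdP host.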

Expected Results

All the test steps should end with the specified results.