Skip to content

ITS Strategy & Architecture Posts

How this site is built and updated

We've been (very) infrequently updating this blog thing since 2006. In that time it's had a number of homes: it probably started as a VM on a machine under the desk in my office, then it spent years flipping between running directly and indirectly (as a VM) on servers in our datacenter. After our old hardware started failing, we moved it to the cloud, running on an EC2 server. Now, it's running in a container. Initially, this blog was created to test and document this new fangled SAML authentication protocol, starting with mod_shib (from Shibboleth v1. When Shibboleth v2 was released, we switched to SAML 2.0 and mod_shib2.

In late 2014, our team started deploying Drupal websites on AWS using Docker images running on CoreOS. As part of that effort we created a base LAMP image using Ubuntu. We also added SimpleSAMLphp to the image to support authentication, since it had features that were a better fit for our environment than mod_shib2 (mainly that there was no separate daemon, like shibd, and that it could store session data in the same database as Drupal, making load balancing much simpler).

In early 2015 we started merging the two efforts, resulting in this new containerized, load-balanced, and easily updated version of our blog.

Leave a Comment

Slacking with Shibboleth

Someone asked how to get Slack SAML SSO working with a Shibboleth IdP. It's pretty straightforward, despite the lack of SP metadata from Slack and the inability of Slack to import IdP metadata.

Slack will attempt an authentication when you save its SAML configuration, so you need to set up the IdP first.

Comments closed

AWS Reserved Instances and Consolidated Billing

Amazon documents how reserved instances and consolidated billing work together, but it's apparently still confusing because Bob's account has instances and is also the paying account. Our setup is different - the only resource created inside the paying account is the S3 bucket where Amazon posts our billing data. Here's my edited version of the AWS document.

Comments closed

I Broke My Pi’s Networking!

While messing around with Raspberry Pis, Docker, bridged networks, wireless networks, etc. I managed to bork my Pis. If this happened at home, I could use a serial console cable, or plug the Pi into the spare HDMI port on my monitor and use a USB keyboard, or attach a USB SD card reader to another Pi. Unfortunately, this happened at work, where I have no Pi console cable, no HDMI monitor (one downside to the Apple Thunderbolt Display), no USB keyboard and no USB SD card reader (although since I borked both Pis, the SD card reader would have been useless).

I did have my Macbook Pro and its SD reader, and several Ubuntu Vagrant boxes (running on VirtualBox).

Comments closed

Yubikey PIV for SSH on Macs

We generally use Duo for two factor authentication, including SSH. We have some scenarios where people would like to use two factor authentication, but Duo is considered too intrusive. For example, when using Duo for SSH-based git push and git pull there's no Duo prompt, it only works with Duo push, and you have to unlock your phone, tap on the Duo notification, then tap on 'approve'. You may also need to make changes to your git server; with GitLab we have to use a non-suid copy of login_duo, with a second configuration file, and manually update the git account's authorized_keys file to use login_duo for every SSH key (that needs to use two factor):

command="/usr/sbin/login_duo_git -c \
  /etc/security/login_duo_git.conf -f alice \
  /home/git/gitlab-shell/bin/gitlab-shell key-2",... \
  ssh-rss AAAA...

I've had a few Yubikeys lying around, and I finally decided to try one for SSH. I found Thomas Habets' Yubikey 4 for SSH with physical presence proof instructions for Linux, and modified them to work on Macs. I've tested with OS X 10.11 (El Capitan) and macOS 10.12 (Sierra), but if you're using an older version of OS X you should upgrade, or follow Yubikey's instructions to ensure that Yubikeys are recognized.

Comments closed

Authentication and Authorization with Shibboleth and LDAP

Previously, I tried setting up a more efficient Shibboleth Attribute Authority - one where I could query for a specific attribute value for a specific attribute for a specific user (e.g. does have an experimentId attribute with the value 2?). While you can add attribute values to the attribute elements in a SimpleAggregation AttributeResolver query, the IdP rejects the query.

Another Shib-based option would be to develop a plugin that can create attributes from server environment variables (like REMOTE_URI). One could then use the Template and Tranform Attribute Resolvers to create a new NameID attribute for the SimpleAggregation query (something like eppn:https://SERVER_NAME/REMOTE_URI). Then an Attribute Authority could be configured to split the NameID into multiple attributes and use those for a SQL query or LDAP lookup.

That seemed like a bunch of work, so instead I took a look at using Apache’s mod_authnz_ldap on the SP instead. In this scenario, when an unauthenticated user attempts to access a set of experiment results, they are first sent to an IdP (via the embedded discovery service) to authenticate, then mod_authnz_ldap queries a remote LDAP server for attributes (group membership seems to be the easiest model) and determines whether the user has access.

Comments closed