~eduvpn/disco.eduvpn.org

Server Discovery
begin collecting CA fingerprints
d779e470 — Kolbjørn Barmen 13 days ago
fixed support address for uhasselt.be by request
f2c5645d — Kolbjørn Barmen 13 days ago
add server https://rad.eduvpn.lrz.de

read-only
https://git.sr.ht/~eduvpn/disco.eduvpn.org
read/write
git@git.sr.ht:~eduvpn/disco.eduvpn.org


#App Server Discovery

These files are used by the native eduVPN applications to facilitate VPN server discovery on the disco.eduvpn.org domain.

The JSON files are signed with minisign; the applications only accept files whose signature verifies under one of the public keys listed under Public Keys below.

To fetch the repository:

$ git clone git@git.sr.ht:~eduvpn/disco.eduvpn.org
$ cd disco.eduvpn.org

Make sure you are on the latest commit: someone else may have updated the discovery files in the meantime, and you don't want to overwrite their changes!

$ git pull

Modify server_list.json to add or remove servers; the existing entries show the exact layout. There is more documentation available on the format here.

NOTE: take the difference between the secure_internet and institute_access server types into consideration!

The out/organization_list.json file is generated automatically. It is used for secure_internet servers ONLY! For such a server you specify the SAML metadata URLs its SP is linked to in _metadata_url_list (an array). A special case is _is_feide_sp, which is set to true for guest.eduvpn.no only; there the WAYF's HTML is scraped instead of parsing metadata.

There is no signature verification of the SAML metadata at the moment; this should probably be implemented at some point. Exploiting this would require compromising the locations listed in _metadata_url_list, which are typically hosted at an NREN. The risk is limited, though: the metadata is only used as a "hint" for the SP (the organization list tells the app which IdP to ask the SP for; the SP itself still decides, from its own federation configuration, which IdPs it trusts), so it cannot be used to bypass anything.
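The generate step reads every URL in _metadata_url_list and turns each IdP it finds into an organization entry. The following is an added illustration of that extraction, written for this page (it is not generate.sh, whose output layout is not shown here; the org_id/display_name record layout and the sample metadata are my assumptions). It keeps only entities that carry an IDPSSODescriptor, prefers the mdui:DisplayName a WAYF would show, falls back to the OrganizationDisplayName, and merges the results from several metadata URLs so an entityID published twice appears once. It also makes the trust placed in the metadata source concrete: whoever controls one of those URLs can add, rename or drop entries in the list, which is why the missing signature check matters, even though, as noted above, the entries are only hints to the SP.

```python
"""Turn SAML federation metadata into organization entries for a secure_internet server."""
import xml.etree.ElementTree as ET  # for metadata fetched from the network, defusedxml.ElementTree is the safer drop-in

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def _names(scope, tag):
    """Collect {lang: text} for every `tag` element below `scope` (lang defaults to "en")."""
    out = {}
    for el in scope.iter(tag):
        if el.text and el.text.strip():
            out[el.get(XML_LANG, "en")] = el.text.strip()
    return out


def extract_idps(metadata_xml: str) -> list:
    """Return one {"org_id", "display_name"} record per IdP (record layout is an assumption)."""
    root = ET.fromstring(metadata_xml)
    orgs = []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        idp = ed.find(f"{{{MD}}}IDPSSODescriptor")
        if idp is None:
            continue  # SPs and attribute authorities are not login targets
        entity_id = ed.get("entityID", "").strip()
        if not entity_id:
            continue
        # Prefer the mdui:UIInfo name inside the IdP role, i.e. what a discovery service shows.
        names = _names(idp, f"{{{MDUI}}}DisplayName")
        if not names:
            org = ed.find(f"{{{MD}}}Organization")
            names = _names(org, f"{{{MD}}}OrganizationDisplayName") if org is not None else {}
        orgs.append({"org_id": entity_id, "display_name": names or {"en": entity_id}})
    return orgs


def merge_org_lists(lists) -> list:
    """Merge the output of several metadata URLs; the first occurrence of an entityID wins."""
    seen, merged = set(), []
    for orgs in lists:
        for org in orgs:
            if org["org_id"] not in seen:
                seen.add(org["org_id"])
                merged.append(org)
    return merged


# Constructed sample federation metadata: two IdPs (one with mdui names, one with only an
# Organization block) and one SP that must be ignored. Not a real federation.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.example-university.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
        <mdui:DisplayName xml:lang="nl">Voorbeeld Universiteit</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-service.org/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-college.org/saml2/idp/metadata.php">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization>
      <md:OrganizationName xml:lang="en">excoll</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Example College</md:OrganizationDisplayName>
    </md:Organization>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    for org in merge_org_lists([extract_idps(SAMPLE_METADATA)]):
        print(org["org_id"], org["display_name"])
```

Running it with a real federation file in place of SAMPLE_METADATA is the quickest way to see what a metadata outage does: the page's warning that an unreachable URL silently drops all of that federation's organizations follows directly from the fact that each URL's list is merged independently.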

#Discovery File Generation

First format the server_list.json to keep it consistent:

$ ./format.sh

In order to generate the files for uploading to disco.eduvpn.org:

$ ./generate.sh

NOTE: if there is ANY error, fix that first! If, for example, a metadata URL cannot be loaded, the organizations extracted from that metadata will NOT be part of organization_list.json and thus will not appear in the apps!

Sign the files:

$ ./sign.sh

Upload them:

$ ./upload.sh

When generation, signing and uploading were successful, commit the changes to git as well. Replace vpn.example.org with the hostname of the VPN server you added:

$ git commit -a -m 'add server https://vpn.example.org'
$ git push

The files are uploaded to:

https://disco.eduvpn.org/v2/server_list.json
https://disco.eduvpn.org/v2/server_list.json.minisig

And:

https://disco.eduvpn.org/v2/organization_list.json
https://disco.eduvpn.org/v2/organization_list.json.minisig

#Add Operator to Mailing List

We add all technical contacts of the servers added to the list to the eduvpn-operators@lists.geant.org mailing list. This can be done here.

#Public Keys

The following Minisign public keys are trusted by the eduVPN applications:

Owner                                 Public key
fkooman@tuxed.net, kolla@uninett.no   RWRtBSX1alxyGX+Xn3LuZnWUT0w//B6EmTJvgaAxBMYzlQeI+jdrO6KF
jornane@uninett.no                    RWQ68Y5/b8DED0TJ41B1LE7yAvkmavZWjDwCBUuC+Z2pP9HaSawzpEDA
RoSp                                  RWQKqtqvd0R7rUDp0rWzbtYPA3towPWcLDCl7eY9pBMMI/ohCmrS0WiM
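What the applications must do with these keys is verify server_list.json and organization_list.json against their .minisig files before using them. As an added example (my code, not the apps' or the repository's; only the three public keys above are taken from this page), here is a stand-alone verifier using nothing but the Python standard library. The Ed25519 arithmetic is transcribed from the RFC 8032 reference code, which is adequate for verification since no secret is handled. It covers both minisign signature types: "ED", where the BLAKE2b-512 of the file is signed (current minisign), and the older "Ed", where the raw file is signed. Both the file signature and the second signature over the trusted comment must verify, and the key ID embedded in the .minisig must match one of the trusted keys; an unknown key ID is a rejection, not a skipped check.

```python
"""Verify a minisign-signed discovery file (stand-alone, standard library only)."""
import base64
import hashlib

# --- Ed25519 verification, transcribed from the RFC 8032 reference code ---
P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493

def _inv(x):
    return pow(x, P - 2, P)

D = -121665 * _inv(121666) % P
_SQRT_M1 = pow(2, (P - 1) // 4, P)

def _add(a, b):  # points in extended twisted Edwards coordinates (X, Y, Z, T)
    A = (a[1] - a[0]) * (b[1] - b[0]) % P
    B = (a[1] + a[0]) * (b[1] + b[0]) % P
    C = 2 * a[3] * b[3] * D % P
    Dd = 2 * a[2] * b[2] % P
    E, F, G_, H = B - A, Dd - C, Dd + C, B + A
    return (E * F, G_ * H, F * G_, E * H)

def _mul(s, pt):  # plain double-and-add: fine for verification, which involves no secrets
    acc = (0, 1, 1, 0)
    while s > 0:
        if s & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        s >>= 1
    return acc

def _equal(a, b):
    return (a[0] * b[2] - b[0] * a[2]) % P == 0 and (a[1] * b[2] - b[1] * a[2]) % P == 0

def _recover_x(y, sign):
    if y >= P:
        return None
    x2 = (y * y - 1) * _inv(D * y * y + 1) % P
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P != 0:
        x = x * _SQRT_M1 % P
    if (x * x - x2) % P != 0:
        return None
    return P - x if (x & 1) != sign else x

def _decompress(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = _recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % P)

_GY = 4 * _inv(5) % P
_GX = _recover_x(_GY, 0)
G = (_GX, _GY, 1, _GX * _GY % P)

def ed25519_verify(public: bytes, msg: bytes, sig: bytes) -> bool:
    if len(public) != 32 or len(sig) != 64:
        return False
    A, R = _decompress(public), _decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= Q:  # reject non-canonical scalars and invalid points
        return False
    h = int.from_bytes(hashlib.sha512(sig[:32] + public + msg).digest(), "little") % Q
    return _equal(_mul(s, G), _add(R, _mul(h, A)))

# --- minisign containers: public key = "Ed" || key id (8) || Ed25519 public key (32);
# signature line = alg (2) || key id (8) || signature (64). Alg "ED": the BLAKE2b-512 of the
# file is signed (current minisign); "Ed": the raw file is signed (older versions). ---
def parse_pubkey(b64: str):
    raw = base64.b64decode(b64)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign public key")
    return raw[2:10], raw[10:]

def parse_minisig(text: str):
    lines = text.strip().splitlines()
    if len(lines) != 4 or not lines[0].startswith("untrusted comment: ") \
            or not lines[2].startswith("trusted comment: "):
        raise ValueError("malformed .minisig")
    sig = base64.b64decode(lines[1])
    if len(sig) != 74 or sig[:2] not in (b"Ed", b"ED"):
        raise ValueError("unsupported signature algorithm")
    return sig[:2], sig[2:10], sig[10:], lines[2][len("trusted comment: "):], base64.b64decode(lines[3])

def verify_minisig(trusted_pubkeys, minisig_text: str, data: bytes) -> str:
    """Return the trusted comment if `data` verifies under one of the keys; raise ValueError otherwise."""
    alg, key_id, sig, trusted, global_sig = parse_minisig(minisig_text)
    keys = dict(parse_pubkey(k) for k in trusted_pubkeys)
    if key_id not in keys:
        raise ValueError("signed with a key that is not in the trusted set")
    msg = hashlib.blake2b(data, digest_size=64).digest() if alg == b"ED" else data
    if not ed25519_verify(keys[key_id], msg, sig):
        raise ValueError("file signature invalid")
    # The trusted comment (minisign puts a timestamp there) is covered by a second signature over sig || comment.
    if not ed25519_verify(keys[key_id], sig + trusted.encode(), global_sig):
        raise ValueError("trusted comment signature invalid")
    return trusted

# The three keys trusted by the eduVPN applications, as listed on this page.
EDUVPN_KEYS = [
    "RWRtBSX1alxyGX+Xn3LuZnWUT0w//B6EmTJvgaAxBMYzlQeI+jdrO6KF",
    "RWQ68Y5/b8DED0TJ41B1LE7yAvkmavZWjDwCBUuC+Z2pP9HaSawzpEDA",
    "RWQKqtqvd0R7rUDp0rWzbtYPA3towPWcLDCl7eY9pBMMI/ohCmrS0WiM",
]
```

Usage: fetch https://disco.eduvpn.org/v2/server_list.json and its .minisig, then call verify_minisig(EDUVPN_KEYS, minisig_text, json_bytes) and only parse the JSON if it returns. Checking the trusted comment's timestamp against the one from the previously accepted file (refusing anything older) is the natural next step, since a signature alone does not stop an attacker from serving a stale but validly signed list.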

#Secure Internet

Per server: status, notes, the authentication URL template (with the @RETURN_TO@ and @ORG_ID@ placeholders) and the metadata URL(s) the organization list is generated from.

✅ nl.eduvpn.org
   Authentication URL template: https://nl.eduvpn.org/php-saml-sp/login?ReturnTo=@RETURN_TO@&IdP=@ORG_ID@
   Metadata URLs: https://metadata.surfconext.nl/sp/https%253A%252F%252Fnl.eduvpn.org%252Fsaml, https://eva-saml-idp.eduroam.nl/simplesamlphp/saml2/idp/metadata.php

✅ eduvpn1.funet.fi
   Authentication URL template: https://eduvpn1.funet.fi/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@
   Metadata URL: https://haka.funet.fi/metadata/haka-metadata.xml

✅ eduvpn.renu.ac.ug
   Authentication URL template: https://eduvpn.renu.ac.ug/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@
   Metadata URL: https://rif.renu.ac.ug/rr/metadata/federation/RIF/IDP/metadata.xml

✅ eduvpn.marwan.ma
   Authentication URL template: https://eduvpn.marwan.ma/saml/login?ReturnTo=@RETURN_TO@&IdP=@ORG_ID@
   Metadata URL: https://www.eduidm.ma/metadata/eduidm.xml

✅ vpn.pern.edu.pk
   Authentication URL template: https://vpn.pern.edu.pk/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@
   Metadata URL: https://rr.pern.edu.pk/rr3/signedmetadata/federation/PERN-Federation/metadata.xml

✅ eduvpn.ac.lk
   Authentication URL template: https://eduvpn.ac.lk/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@
   Metadata URL: https://fr.ac.lk/signedmetadata/metadata.xml

✅ eduvpn-poc.renater.fr
   Authentication URL template: https://eduvpn-poc.renater.fr/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@
   Metadata URL: https://metadata.federation.renater.fr/eduVPN-58b9d/preview/preview-renater-eduVPN-metadata.xml

✅ eduvpn1.eduvpn.de
   Authentication URL template: https://eduvpn1.eduvpn.de/saml/login?ReturnTo=@RETURN_TO@&IdP=@ORG_ID@
   Metadata URL: https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml

✅ eduvpn.myren.net.my
   Authentication URL template: https://eduvpn.myren.net.my/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@
   Metadata URL: https://sifulan.my/metadata/metadata.xml

✅ guest.eduvpn.ac.za
   Authentication URL template: https://guest.eduvpn.ac.za/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@
   Metadata URL: https://metadata.safire.ac.za/safire-idp-proxy-metadata.xml

✅ eduvpn.uran.ua
   Authentication URL template: https://eduvpn.uran.ua/saml/login?ReturnTo=@RETURN_TO@&IdP=@ORG_ID@
   Metadata URL: https://idp.uran.ua/rr3/signedmetadata/federation/PEANO/metadata.xml

eduvpn.deic.dk
   Notes: Must switch to php-saml-sp first
   Authentication URL template: https://eduvpn.deic.dk/php-saml-sp/login?ReturnTo=@RETURN_TO@&IdP=https://wayf.wayf.dk&ScopingIdpList=@ORG_ID@
   Metadata URLs: for the organization list https://metadata.wayf.dk/birk-idp.xml, for the SP https://metadata.wayf.dk/wayf-metadata.xml

eduvpn.eenet.ee
   Notes: Hub & Spoke, must switch to php-saml-sp first...
   Metadata URL: https://taeva.taat.edu.ee/module.php/janus/exportentities.php?state=prodaccepted&mimetype=application%2Fsamlmetadata%2Bxml&external=null

eduvpn.rash.al
   Notes: 1 IdP with multiple organizations

guest.eduvpn.no
   Notes: Mail sent (Feide)

gdpt-eduvpndev1.tnd.aarnet.edu.au
   Notes: U/P login only
   Authentication URL template: N/A
   Metadata URL: N/A

eduvpn.cynet.ac.cy
   Notes: U/P login only
   Authentication URL template: N/A
   Metadata URL: N/A

#Open Issues

With SAML proxies we somehow need to indicate which IdP is to be used. This can typically be done using AuthnRequest "scoping". The SP needs to support this through a query parameter.

Support for this will be part of the next release of php-saml-sp.

With Feide we need to be even more clever, as AuthnRequest "scoping" may not be supported (unconfirmed as of 2020-05-26). There we may have no other choice than to rely on (double) encoding of ReturnTo. This needs a detailed proposal and testing.

#Triggering SAML Login through URL

#Mellon

Documentation

  • ReturnTo
  • IdP

URL format: /saml/login?ReturnTo=X&IdP=Y

#Shibboleth

Documentation

  • target
  • entityID

URL format: https://sp.example.org/Shibboleth.sso/Login?target=https%3A%2F%2Fsp.example.org%2Fresource.asp&entityID=https%3A%2F%2Fidp.example.org%2Fidp%2Fshibboleth

#simpleSAMLphp

See this. It seems saml:idp is not documented...

  • ReturnTo
  • AuthId
  • saml:idp

URL format: /simplesaml/module.php/core/as_login.php?AuthId=<authentication source>&ReturnTo=<return URL>

#php-saml-sp

  • ReturnTo
  • IdP
  • ScopingIdPList (for <samlp:Scoping>)

URL format: /php-saml-sp/login?ReturnTo=X&IdP=Y
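All four SP flavours above come down to the same client-side step: take the authentication URL template from the Secure Internet table, put the return URL and the chosen organization's entityID into the @RETURN_TO@ and @ORG_ID@ placeholders, and send the user there. As an added example (my code, not the eduVPN apps'; the hostname check and the sample return URLs are my assumptions), here is that substitution done carefully: both values are percent-encoded with no characters left "safe", so a ReturnTo that is itself a URL with a query string, or an organization ID that happens to contain a literal placeholder, cannot disturb the template's own query parameters, and the resulting URL is only accepted if it still points at the HTTPS host the template was listed for, so a malformed or tampered template cannot redirect the user elsewhere.

```python
"""Fill an authentication URL template from the discovery data into a login URL."""
from urllib.parse import quote, urlsplit

PLACEHOLDERS = ("@RETURN_TO@", "@ORG_ID@")


def build_login_url(server: str, template: str, return_to: str, org_id: str) -> str:
    """Substitute both placeholders with fully percent-encoded values and sanity-check the result.

    `server` is the hostname the template was listed for (assumed to come from server_list.json).
    """
    missing = [ph for ph in PLACEHOLDERS if ph not in template]
    if missing:
        raise ValueError(f"template lacks {', '.join(missing)}")
    # safe="" also encodes ':' '/' '?' '=' '&' and '@', so the values cannot add query
    # parameters of their own, and an encoded "@ORG_ID@" inside return_to is not substituted.
    url = (template
           .replace("@RETURN_TO@", quote(return_to, safe=""))
           .replace("@ORG_ID@", quote(org_id, safe="")))
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != server.lower():
        raise ValueError(f"template for {server} would send the user to {parts.scheme}://{parts.hostname}")
    return url


if __name__ == "__main__":
    # Templates taken from the Secure Internet table above; return URL and entityID are made up.
    print(build_login_url("nl.eduvpn.org",
                          "https://nl.eduvpn.org/php-saml-sp/login?ReturnTo=@RETURN_TO@&IdP=@ORG_ID@",
                          "https://nl.eduvpn.org/callback?state=abc",
                          "https://idp.example.org/idp/shibboleth"))
    print(build_login_url("eduvpn1.funet.fi",
                          "https://eduvpn1.funet.fi/Shibboleth.sso/Login?entityID=@ORG_ID@&target=@RETURN_TO@",
                          "https://eduvpn1.funet.fi/callback",
                          "https://idp.example.fi/idp/shibboleth"))
```

The eduvpn.deic.dk template, where IdP is fixed to the WAYF and @ORG_ID@ lands in ScopingIdpList, works with the same function unchanged; the scoping issue discussed under Open Issues is purely on the SP side.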

#Web Server Configuration

The web server adds the Cache-Control: no-cache header. Despite its name, no-cache does allow HTTP clients to store the JSON and minisig files; it requires them to revalidate with the server (for example with a conditional request) before reusing a stored copy, so they always end up with the latest version:

<Directory "/var/www/html/web/disco.eduvpn.org">
    Header set Cache-Control "no-cache"
</Directory>

#Generate a Minisign Key

$ minisign -G -p disco.pub -s disco.key

#CA Fingerprint

We start here by collecting the fingerprints of the CAs of the VPN servers. At some point we will add them to the discovery file so that VPN clients can verify the CA they obtain through the API calls (as part of the OpenVPN configuration).

We obtain the fingerprint like this:

# openssl x509 -in /var/lib/vpn-server-api/ca/ca.crt -noout -fingerprint -sha256 | tr '[:upper:]' '[:lower:]' | cut -d '=' -f 2 | tr -d ':'
Server          Fingerprint
nl.eduvpn.org   8be9c607b89cf02e0f77577f1efa2df40e9f5f43f4aebdc4344edf66a6c29d27
demo.eduvpn.nl  6977a8df4eedb746ff49c7bb33e5191eb55dadd814b15f3d27f6f16b18765566
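The values in the table are the SHA-256 of the certificate's DER encoding, lowercased and with the colons stripped, which is what the openssl pipeline above produces. As an added example of the client-side check the fingerprints are meant to enable (my code, not the eduVPN apps'; only the two fingerprints are taken from the table), the following normalizes the PEM ca.crt a client obtains through the API back to DER, hashes it, and compares against the pinned value in constant time, failing closed when no fingerprint is pinned for a server. The PEM used for the demonstration is constructed: its body is base64("abc"), not a real certificate.

```python
"""Check a VPN server's CA certificate against a pinned SHA-256 fingerprint."""
import base64
import hashlib
import hmac
import re

_PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def ca_fingerprint(pem: str) -> str:
    """SHA-256 of the DER encoding (the base64-decoded PEM body), lowercase hex without colons.

    This is byte-for-byte what `openssl x509 -fingerprint -sha256` hashes, so it matches the table.
    """
    m = _PEM_BODY.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


# Fingerprints collected on this page; a future discovery file would carry these per server.
PINNED_CA = {
    "nl.eduvpn.org": "8be9c607b89cf02e0f77577f1efa2df40e9f5f43f4aebdc4344edf66a6c29d27",
    "demo.eduvpn.nl": "6977a8df4eedb746ff49c7bb33e5191eb55dadd814b15f3d27f6f16b18765566",
}


def ca_is_pinned(server: str, ca_pem: str, pinned=PINNED_CA) -> bool:
    """True only if a fingerprint is pinned for `server` and the CA obtained from the API matches it."""
    expected = pinned.get(server)
    if expected is None:
        return False  # fail closed: without a pin nothing vouches for this CA
    expected = expected.lower().replace(":", "")  # also accept openssl's colon-separated form
    return hmac.compare_digest(ca_fingerprint(ca_pem), expected)


# Constructed stand-in for a ca.crt: the body is base64("abc"), not a real certificate,
# so its "fingerprint" is simply sha256(b"abc").
FAKE_CA_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(ca_fingerprint(FAKE_CA_PEM))
    print(ca_is_pinned("nl.eduvpn.org", FAKE_CA_PEM))
```

Pointing ca_fingerprint at the real /var/lib/vpn-server-api/ca/ca.crt of a server gives the same string as the openssl pipeline, which is a convenient way to confirm a value before adding it to the table.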