Generate Shibboleth SP/SAML2 metadata X509 certificates, keys and then stores them in e.g. Vault
Of course, install and use this application inside a venv or container.
$ pip3 install shib-keygen-api$ FLASK_APP=shib_keygen_api:app flask run$ pip3 install gunicorn
$ gunicorn shib_keygen_api:appYou can configure the application with either
- environment variables prefixed with
FLASK_ - in a
.cfg-file that you point the environment variableFLASK_CONFIGtowards
| Key | Value | Example |
|---|---|---|
OUTPUT_PLUGIN |
Output plugin to store the certs | dir |
PLUGIN_CONFIG |
Dict where the configuration for output plugin is stored. Key is the plugin name.API-key or password to use when connecting | {"dir": {"path":"/srv/shib-certs"}} |
LOGGING |
Dict where the configuration logging.dictConfig is stored. | {"root": {"level":"INFO"}} |
Example:
$ cat <<EOF > shib_keygen_api.cfg
OUTPUT_PLUGIN="dir"
PLUGIN_CONFIG = {
"dir": {
"path": "/srv/shib-certs"
},
}
EOF
$ env FLASK_CONFIG=$PWD/shib_keygen_api.cfg gunicorn -b localhost:5000 shib_keygen_api:app --reload --reload-extra-file shib_keygen_api.cfg
$ # or
$ env FLASK_CONFIG=$PWD/shib_keygen_api.cfg FLASK_APP=shib_keygen_api:app flask run --reload --extra-files shib_keygen_api.cfgPLUGIN_CONFIG = {
"dir": {
"path": "/srv/shib-certs"
},
}PLUGIN_CONFIG = {
"vault": {
"path": "secret/",
"secret_key_name": "binaryData", # key to store the certificate in
"storage_method": "binarylist", # How we store the data, e.g. "raw"
"default_kv_version": 1, # https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv.html#setting-the-default-kv-version
"client": {}, # Any option from https://hvac.readthedocs.io/en/stable/source/hvac_v1.html#hvac.v1.Client
"auth_method": "approle", # From https://hvac.readthedocs.io/en/stable/source/hvac_api.html#hvac.api.AuthMethods
"auth_method_params": { # https://hvac.readthedocs.io/en/stable/source/hvac_api_auth_methods.html
"role_id": "7ef99e5e-1d05-4b31-946a-eb86dbc98d93",
"secret_id": "d2566186-267e-4ed4-9a25-f488bebdb3a5",
},
},
}You can process the certificate and key data before we store it Vault in different ways:
storage_method |
Explaination |
|---|---|
raw |
Nothing done, the default. |
base64 |
We base64 encode the data |
binarylist |
We create a binary list of the data1 |
- Add
/generateendpoint - Decide plugin signature
- Erase memory after use https://github.com/AtakamaLLC/pysecbytes
- Implement plugins
-
stdoutplugin -
dirplugin -
vaultplugin
-
- Implement configuration for each plugin
- Add
/statuspage- Add a
statuscheck for each plugin
- Add a
- Add certificate and key generation using
openssl-req(1)- Either use
pyopensslhttps://stackoverflow.com/a/60804101 - or
cryptographyhttps://cryptography.io/en/latest/x509/tutorial/#creating-a-self-signed-certificate
- Either use
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent