forked from liggitt/auth-proxy
-
Notifications
You must be signed in to change notification settings - Fork 11
/
mellon_create_metadata.sh
executable file
·92 lines (76 loc) · 2.51 KB
/
mellon_create_metadata.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#!/usr/bin/env bash
set -e
PROG="$(basename "$0")"
printUsage() {
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
echo ""
echo "Example:"
echo " $PROG urn:someservice https://sp.example.org/mellon"
echo ""
}
if [ "$#" -lt 2 ]; then
printUsage
exit 1
fi
ENTITYID="$1"
if [ -z "$ENTITYID" ]; then
echo "$PROG: An entity ID is required." >&2
exit 1
fi
BASEURL="$2"
if [ -z "$BASEURL" ]; then
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
exit 1
fi
if ! echo "$BASEURL" | grep -q '^https\?://'; then
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
exit 1
fi
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
OUTFILE="saml_sp"
echo "Output files:"
echo "Private key: $OUTFILE.key"
echo "Certificate: $OUTFILE.cert"
echo "Metadata: $OUTFILE.xml"
echo "Host: $HOST"
echo
echo "Endpoints:"
echo "SingleLogoutService: $BASEURL/logout"
echo "AssertionConsumerService: $BASEURL/postResponse"
echo
# No files should not be readable by the rest of the world.
umask 0077
TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
cat >"$TEMPLATEFILE" <<EOF
RANDFILE = /dev/urandom
[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
[req_distinguished_name]
commonName = $HOST
EOF
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
rm -f "$TEMPLATEFILE"
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
cat >"$OUTFILE.xml" <<EOF
<EntityDescriptor entityID="$ENTITYID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/logout"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/postResponse" index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
EOF
umask 0777
chmod go+r "$OUTFILE.xml"
chmod go+r "$OUTFILE.cert"