Categories
Browser Debian IdP Keycloak LDAP Linux Nextcloud SAML Shibboleth SingleSignOn SSO Ubuntu

Nextcloud SAML and LDAP authentication

I’ve been running my Nextcloud instance for quite some years now, and I finally decided to change its authentication from LDAP to SAML for a better single sign-on experience. By using Keycloak as IdP there’ll also be an option to enable multi-factor authentication (MFA) for all connected applications at once. Where I come […]

Categories
Linux Ubuntu

Monitor Linux with a hardware watchdog

I recently encountered a system crash that required power cycling one of my machines. At that point I decided to have a look at hardware watchdogs (which should trigger an automatic reboot if the system stops responding to the watchdog). Fortunately the system involved had such a hardware watchdog in place: However there was no […]

Categories
Kerberos Linux Mail SSO Ubuntu Uncategorized

Fixing Thunderbird / dovecot Kerberos/GSSAPI login

Usually I’m using a web-based mail tool, however for some tasks a full-featured mail client comes in handy. So after quite some idle time I started up my Thunderbird today just to find that the GSSAPI/Kerberos authentication fails. Since the last time I used it I re-installed the mail server, so it is not […]

Categories
Network radius WIFI WPA2

EAP/TLS Wifi

Involved components; involved certificates/CAs (CAs, certificates); preparations/configuration for Android clients; exporting/importing certificates. In order to make the OPNsense CAs/certificates usable by Android devices, they require some minor tweaks: The exported CA certificate needs to be converted to DER format. Client certificates/keys need to be in PKCS12 format (and protected by password, otherwise Android devices will […]

Categories
Network radius

Adding radsecproxy to OPNsense radius setup

As soon as the radius daemon on my OPNsense box was responding properly I decided to add radsecproxy. But before doing so I had to get an idea how things work together. So keep in mind, all I have right now is a basic freeradius setup that can authenticate users against LDAP (at least with […]

Categories
Firewall LDAP Linux Network radius Ubuntu VLAN

freeradius on OPNsense: Use VLAN based on LDAP group

The main challenge in doing so is to make this change permanent (as the OPNsense web frontend does not support that kind of config modification). So here’s a short wrap-up of the things required: Now edit custom.users: Rebuild the template files and restart freeradius: And the test results look like this: In my case […]

Categories
Linux Microsoft Samba Ubuntu Windows

Samba domain controller: raising (all kinds of) level

While trying to get radius working with my Samba domain controller, I was looking for a way to get attributes like radiusTunnelPrivateGroupId into it. In the end the solution was something completely different, but anyhow: Here’s what I did to raise the domain level (and as it turns out the function and forest level) of […]

Categories
Firewall Linux Network radius WIFI WPA2

Ubiquiti WiFi with WPA2 Enterprise

Due to some hardware problems with my switches (cheap Chinese ones) I recently decided to switch my core home network to Ubiquiti systems. Only 3 weeks later I had to realize that my old FritzBox had lost its 2.4 GHz WiFi (seems to be quite common and may obviously go unnoticed for a long time […]

Categories
Docker IdP Linux python Shibboleth SingleSignOn SSO Virtualization

pyFF – federation metadata processing at its best

As mentioned earlier I was going to replace thiss-mdq with pyFF for my SAML federation metadata query service. Comparison thiss-mdq / pyFF: On its project site thiss-mdq describes itself as “The thiss-mdq is a minimal implementation of MDQ that only supports JSON data,” while pyFF considers itself “a SAML metadata aggregator written in python”. Both […]

Categories
IdP Keycloak Linux SAML Shibboleth SingleSignOn SSO Ubuntu

SAML discovery service

Federated services: If you want to provide web-based services in a federated (SAML) environment, you’ll need a way for your users to select their home institution in order to log into the service using their local credentials. That service is called a discovery service. What’s that discovery service doing? So what happens if a user […]