|
Simo Sorce |
5f23c37 |
#!/usr/bin/env bash
|
|
Simo Sorce |
5f23c37 |
set -e
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
PROG="$(basename "$0")"
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
printUsage() {
|
|
Simo Sorce |
5f23c37 |
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
|
|
Simo Sorce |
5f23c37 |
echo ""
|
|
Simo Sorce |
5f23c37 |
echo "Example:"
|
|
Simo Sorce |
5f23c37 |
echo " $PROG urn:someservice https://sp.example.org/mellon"
|
|
Simo Sorce |
5f23c37 |
echo ""
|
|
Simo Sorce |
5f23c37 |
}
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
if [ "$#" -lt 2 ]; then
|
|
Simo Sorce |
5f23c37 |
printUsage
|
|
Simo Sorce |
5f23c37 |
exit 1
|
|
Simo Sorce |
5f23c37 |
fi
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
ENTITYID="$1"
|
|
Simo Sorce |
5f23c37 |
if [ -z "$ENTITYID" ]; then
|
|
Simo Sorce |
5f23c37 |
echo "$PROG: An entity ID is required." >&2
|
|
Simo Sorce |
5f23c37 |
exit 1
|
|
Simo Sorce |
5f23c37 |
fi
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
BASEURL="$2"
|
|
Simo Sorce |
5f23c37 |
if [ -z "$BASEURL" ]; then
|
|
Simo Sorce |
5f23c37 |
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
|
|
Simo Sorce |
5f23c37 |
exit 1
|
|
Simo Sorce |
5f23c37 |
fi
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
if ! echo "$BASEURL" | grep -q '^https\?://'; then
|
|
Simo Sorce |
5f23c37 |
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
|
|
Simo Sorce |
5f23c37 |
exit 1
|
|
Simo Sorce |
5f23c37 |
fi
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
|
|
Simo Sorce |
5f23c37 |
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
|
|
Simo Sorce |
5f23c37 |
|
|
 |
b1f3f24 |
OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')"
|
|
Simo Sorce |
5f23c37 |
echo "Output files:"
|
|
|
5d20714 |
echo "Private key: $OUTFILE.key"
|
|
|
5d20714 |
echo "Certificate: $OUTFILE.cert"
|
|
|
5d20714 |
echo "Metadata: $OUTFILE.xml"
|
|
|
5d20714 |
echo "Host: $HOST"
|
|
Simo Sorce |
5f23c37 |
echo
|
|
Simo Sorce |
5f23c37 |
echo "Endpoints:"
|
|
|
5d20714 |
echo "SingleLogoutService (SOAP): $BASEURL/logout"
|
|
|
5d20714 |
echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout"
|
|
|
5d20714 |
echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse"
|
|
|
5d20714 |
echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
|
|
|
5d20714 |
echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse"
|
|
Simo Sorce |
5f23c37 |
echo
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
# No files should not be readable by the rest of the world.
|
|
Simo Sorce |
5f23c37 |
umask 0077
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
cat >"$TEMPLATEFILE" <
|
|
Simo Sorce |
5f23c37 |
RANDFILE = /dev/urandom
|
|
Simo Sorce |
5f23c37 |
[req]
|
|
Simo Sorce |
5f23c37 |
default_bits = 2048
|
|
Simo Sorce |
5f23c37 |
default_keyfile = privkey.pem
|
|
Simo Sorce |
5f23c37 |
distinguished_name = req_distinguished_name
|
|
Simo Sorce |
5f23c37 |
prompt = no
|
|
Simo Sorce |
5f23c37 |
policy = policy_anything
|
|
Simo Sorce |
5f23c37 |
[req_distinguished_name]
|
|
Simo Sorce |
5f23c37 |
commonName = $HOST
|
|
Simo Sorce |
5f23c37 |
EOF
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
rm -f "$TEMPLATEFILE"
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
cat >"$OUTFILE.xml" <
|
|
|
5d20714 |
|
|
|
5d20714 |
|
|
|
5d20714 |
entityID="$ENTITYID"
|
|
|
5d20714 |
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
|
|
|
5d20714 |
|
|
|
5d20714 |
AuthnRequestsSigned="true"
|
|
|
5d20714 |
WantAssertionsSigned="true"
|
|
|
5d20714 |
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
|
5d20714 |
<KeyDescriptor use="signing">
|
|
|
5d20714 |
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
|
5d20714 |
<ds:X509Data>
|
|
|
5d20714 |
<ds:X509Certificate>$CERT</ds:X509Certificate>
|
|
|
5d20714 |
</ds:X509Data>
|
|
|
5d20714 |
</ds:KeyInfo>
|
|
|
5d20714 |
</KeyDescriptor>
|
|
|
5d20714 |
<KeyDescriptor use="encryption">
|
|
|
5d20714 |
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
|
5d20714 |
<ds:X509Data>
|
|
|
5d20714 |
<ds:X509Certificate>$CERT</ds:X509Certificate>
|
|
|
5d20714 |
</ds:X509Data>
|
|
|
5d20714 |
</ds:KeyInfo>
|
|
|
5d20714 |
</KeyDescriptor>
|
|
|
5d20714 |
|
|
|
5d20714 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
|
|
|
5d20714 |
Location="$BASEURL/logout" />
|
|
|
5d20714 |
|
|
|
5d20714 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
|
5d20714 |
Location="$BASEURL/logout" />
|
|
|
5d20714 |
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
|
|
|
5d20714 |
|
|
|
5d20714 |
index="0"
|
|
|
5d20714 |
isDefault="true"
|
|
|
5d20714 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
|
5d20714 |
Location="$BASEURL/postResponse" />
|
|
|
5d20714 |
|
|
|
5d20714 |
index="1"
|
|
|
5d20714 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
|
|
|
5d20714 |
Location="$BASEURL/artifactResponse" />
|
|
|
5d20714 |
|
|
|
5d20714 |
index="2"
|
|
|
5d20714 |
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
|
|
|
5d20714 |
Location="$BASEURL/paosResponse" />
|
|
|
5d20714 |
</SPSSODescriptor>
|
|
Simo Sorce |
5f23c37 |
</EntityDescriptor>
|
|
Simo Sorce |
5f23c37 |
EOF
|
|
Simo Sorce |
5f23c37 |
|
|
Simo Sorce |
5f23c37 |
umask 0777
|
|
Simo Sorce |
5f23c37 |
chmod go+r "$OUTFILE.xml"
|
|
Simo Sorce |
5f23c37 |
chmod go+r "$OUTFILE.cert"
|