Guardian is a lightweight authentication proxy for HTTP services. It allows authenticating existing web applications without needing to modify the underlying application to support authentication. It currently supports SAML and OAuth2, but can be easily extended to support many authentication protocols.
We recommend using the chef cookbook
contained in the cookbook sub-directory of the source repo to configure Guardian. This
section (except the Quick Start) provides an overview of Guardian usage without
chef.
- Create a SAML 2.0 application in your SAML provider:
- Sign on URL: https://<myhost>/_authn/provider/<myapp>/callback
- Audience URI: https://<myhost>
- Request compression: Compressed
- Configure the Guardian chef cookbook attributes (see
examples)
- guardian.router.downstream (URL of your application)
- protocol: https:
- hostname: <myhost>
- port: 443
- guardian.router.routes (protected routes for your application):
- /path1.hostname: localhost
- /path1.port: 8080
- /path2.hostname: someotherlocalapp.local
- /path2.port: 80
- guardian.authn.providers (SAML provider information)
- name: <myapp>
- strategy: SAML
- certificate: your SAML provider's certificate
- params.entryPoint: the single sign-on URL from your SAML provider
- params.issuer: the issuer URL from your SAML provider
- params.identifierFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- guardian.router.downstream (URL of your application)
- Run the chef cookbook (recipe: guardian::default)
Guardian supports pluggable protocols and several identity providers. Use the following sections to configure your identity provider with one of these protocols.
In your SAML provider, create a new SAML 2.0 application. Provide the following information about your application (NOTE: your provider may have different names for these):
-
Single sign on URL / SAML Assertion Customer Service (ACS) URL: The Guardian callback URL. Append
/_authn/provider/\<myapp\>/callbackto your application's URL. In this URL,\<myapp\>is a custom name for your application that you'll refer to when configuring Guardian. For example:https://foo.example.com/_authn/provider/examplepp/callbackThe SAML assertion is sent to this url with a HTTP POST.
-
Audience URI / SP Entity ID: The URL of your application.
-
Request compression: Compressed
Gather the following information from your SAML provider:
- Entity ID / Issuer: The unique URI for your identity provider. Guardian will only accept SAML assertions from this ID.
- Single sign-on URL: The SSO endpoint that Guardian will send authentication requests to.
- Public X.509 Certificate: A PEM encoded SSL certifacte for your identity provider. Guardian will validate incoming SAML assertions with this certificate.
TODO.
We recommend you use the chef cookbook to install Guardian. To install manually follow these steps:
- Install NodeJS and NPM
- Install Redis
- Install MySQL
- Create a
guardianuser - Clone the guardian repository from GitHub and change ownership to the guardian user.
- Run
npm installas the guardian user from the root of the cloned repository.
Guardian requires several configuration files. By default configuration files are located
in the conf folder in the Guardian installation directory. You may override this with the
-c parameter to the Guardian binaries.
Configures one or more identity providers.
SAML providers should contain the following parameters:
- name: A unique name for the provider
- stategy: SAML
- certificate: A file containing the identity providers X.509 certificate
- defaultRoute: The URL to redirect to after authentication if no return path is set (defaults to '/')
- params.issuer: The Entity ID / Issuer from the identity provider
- params.identifierFormat: The name ID format used by the identity provider.
This is usually
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. - params.entryPoint: The Single Sign-On URL for the identity provider
Example SAML configuration:
{
"authn": {
"providers": {
"exampleapp": {
"name": "My SAML Provider",
"strategy": "SAML",
"certificate": "/etc/guardian/my-idp-cert.pem",
"params": {
"issuer": "http://my-idp-uri/",
"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"entryPoint": "https://my-idp-host/my-idp-single-signon-url"
}
}
}
}
}Configures the upstream web application that Guardian is proxying.
Guardian rewrites redirects from the upstream application to use the Guardian URL (similar to Nginx's proxy_redirect directive). The downstream configuration section contains the browser visible URL for your application.
Configuration parameters are defined in NodeJS's url.format method.
Routes define one or more proxy end points. The configuration is keyed by the URL path. For each path, Guardian will reverse proxy the request to the given URL.
Configuration parameters are defined in NodeJS's url.format method.
{
"router": {
"downstream": {
"protocol": "https:",
"hostname": "foo.example.com",
"port": 443
},
"routes": {
"/service1": {
"hostname": "service1.example.com",
"port": 8080
},
"/service2": {
"hostname": "localhost",
"port": 8080
}
}
}
}Global site configuration. Currently an empty JSON hash:
{}Configures the session provider. Currently an empty JSON hash:
{}Guardian runs on port 9002 by default. In normal installations another webserver (or load balancer) sits in front of Guardian and proxies requests to the Guardian port.
Guardian spawns several dameon processes to perform authentication and proxy requests. The
chef cookbook will create these
services. If you installed manually you'll need to run these daemons on
your own (or create a service for them). All daemons are found in Guardian's bin directory.
- guardian-authn: Listens on port 9002 for http requests. Authenticates requests and proxies them to guardian-router.
- guardian-session: Maintains authenticated sessions.
- guardian-router: Proxies requests to the underlying web application.
- Ubuntu 14.04
- John Manero ([email protected], [email protected])
- Ryan Hass ([email protected])