
Request for documentation on applying check_saml_sso plugin #1

Open
radman13666 opened this issue Nov 10, 2021 · 1 comment

Comments

@radman13666

Hello,

I would like to know how exactly to add the check_saml_sso plugin to nagios to monitor IdPs.

Does the plugin have dependencies that are prerequisite? Please let me know so that I can use it appropriately in my Nagios server instance. Or help us with documentation to apply it correctly and as expected.

@ghalse
Member

ghalse commented Nov 10, 2021

The plugin is written in Perl, and its dependencies are at the top of the file. For reference, they're:

  • Monitoring::Plugin
  • LWP::UserAgent
  • HTTP::Request
  • URI
  • URI::Escape
  • Time::HiRes
  • Date::Parse
  • POSIX

All should be available from your OS's package repository or CPAN, but the one that's most likely missing is Monitoring::Plugin. That comes from https://www.monitoring-plugins.org/. It is included by default in e.g. OMD.

Beyond that, its arguments are documented in the typical way nagios-compatible plugins work, with --help and -?.

To perform a simple test of whether you can reach a SAML-IdP's login page, you need to initiate the test at a service that can log into that service. For instance, we do:

check_saml_sso -H sp.example.ac.za --url '/Shibboleth.sso/Login?forceAuthn=true&entityID=https://idp.example.ac.za/idp/shibboleth&target=https://sp.example.ac.za/' --redirectonly --ssl

where sp.example.ac.za is a service provider with the Shibboleth Native SP that already has metadata for the identity provider at idp.example.ac.za. This avoids needing metadata exchange specifically for monitoring.

That works by scraping the resulting login page for the typical fields used to indicate password-based login, and those are configurable with --userfield and --passfield.

Complete end-to-end tests are supported if-and-only-if the IdP uses a web-form based username & password login. In that case, you can supply test credentials with --user and --pass and specify a string to look for in the final response with --ok. This was designed to work with SimpleSAMLphp's autotest module, in which case you can try:

check_saml_sso -H idp.example.ac.za --url '/simplesaml/module.php/autotest/login.php?SourceID=AuthSource' --ssl --user test_user --pass test_pass

Certificate tests are heavily tied into update-samlmd-idps.pl and our own use case. YMMV.
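The following is an added example, not code from the check_saml_sso plugin or from this project, that models in Python what the --redirectonly test above does: follow the SP's Shibboleth login URL to the IdP, scrape the resulting page for the username and password input fields (the plugin's --userfield/--passfield), and report a Nagios-style status with exit code and performance data. The field names j_username/j_password, the response-time thresholds, the host check and the sample HTML are assumptions constructed for an offline run; the live fetch_login_page() helper is included but not needed to run the example.

```python
"""Added example (not the check_saml_sso plugin's own code): a minimal Python
model of the plugin's --redirectonly test. It scrapes an IdP login page for
the configured username/password fields and maps the outcome to Nagios exit
codes. All names, thresholds and the sample HTML below are assumptions."""
import re
import time
from html.parser import HTMLParser
from urllib.request import Request, urlopen  # used only by fetch_login_page()

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


class _FormFieldScanner(HTMLParser):
    """Collect the 'name' attributes of <input> elements on the page."""

    def __init__(self):
        super().__init__()
        self.field_names = set()

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            for key, value in attrs:
                if key == "name" and value:
                    self.field_names.add(value)


def input_field_names(html):
    """Return the set of <input name=...> values found in the HTML."""
    scanner = _FormFieldScanner()
    scanner.feed(html)
    return scanner.field_names


def evaluate_login_page(html, final_url, expected_idp_host,
                        userfield="j_username", passfield="j_password",
                        elapsed=0.0, warn_secs=5.0, crit_secs=10.0):
    """Return (exit_code, message) in the style of a Nagios plugin.

    The test passes when the SP redirected us to the expected IdP host and
    the page shows both configured login fields. The default field names are
    an assumption (common Shibboleth IdP form names); adjust as needed.
    """
    host = re.match(r"https?://([^/:]+)", final_url)
    if not host or host.group(1) != expected_idp_host:
        return CRITICAL, f"CRITICAL - landed on {final_url}, expected host {expected_idp_host}"
    fields = input_field_names(html)
    missing = [f for f in (userfield, passfield) if f not in fields]
    if missing:
        return CRITICAL, f"CRITICAL - login form fields not found: {', '.join(missing)}"
    perf = f"|time={elapsed:.3f}s;{warn_secs};{crit_secs}"  # Nagios perfdata
    if elapsed >= crit_secs:
        return CRITICAL, f"CRITICAL - IdP login page took {elapsed:.2f}s{perf}"
    if elapsed >= warn_secs:
        return WARNING, f"WARNING - IdP login page took {elapsed:.2f}s{perf}"
    return OK, f"OK - IdP login form reached in {elapsed:.2f}s{perf}"


def fetch_login_page(sp_login_url, timeout=15):
    """Live fetch: urllib follows the SP's 302 redirects to the IdP.
    Returns (html, final_url, elapsed_seconds). Not exercised offline."""
    start = time.monotonic()
    req = Request(sp_login_url, headers={"User-Agent": "check_saml_sso-example"})
    with urlopen(req, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", "replace")
        final_url = resp.geturl()
    return html, final_url, time.monotonic() - start


# Constructed sample of what a Shibboleth IdP password login page might contain
SAMPLE_IDP_LOGIN_HTML = """<html><body>
<form action="/idp/profile/SAML2/Redirect/SSO?execution=e1s1" method="post">
  <input type="text" name="j_username" id="username">
  <input type="password" name="j_password" id="password">
  <button type="submit" name="_eventId_proceed">Login</button>
</form></body></html>"""

if __name__ == "__main__":
    code, msg = evaluate_login_page(
        SAMPLE_IDP_LOGIN_HTML,
        "https://idp.example.ac.za/idp/profile/SAML2/Redirect/SSO?execution=e1s1",
        "idp.example.ac.za", elapsed=0.42)
    print(msg)
    raise SystemExit(code)
```

Run stand-alone it prints an OK line with perfdata and exits 0; swapping in a page without the expected fields, a final URL on another host, or a slow response yields the CRITICAL/WARNING exit codes Nagios expects from a check command.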
