Sample Trust Router Client configuration (v1.0)
This page contains a sample configuration for a Trust Router connecting to the primary Janet Trust Router, tr.moonshot.ja.net.
To use this configuration, you must make several changes:
1. Replace the items in the configuration as appropriate:
   - your.identity.realm.example.org - Your identity realm, e.g. camford.ac.uk
   - your.idp.service.realm.example.org - Your IdP host, e.g. moonshot-idp.camford.ac.uk
   - your.rp-proxy.service.realm.example.org - Your RP proxy host, e.g. moonshot-rp.camford.ac.uk. If you are using a combined IdP and RP proxy service, your.rp-proxy.service.realm.example.org will be the same as your.idp.service.realm.example.org and you can delete the unneeded entry.
   - your-trustrouter-credential@ov-apc.moonshot.ja.net - Your 'username' on the APC, which is stored in the user element of the credentials.xml file issued to you by your Trust Router operator.
2. In the Moonshot portal, register your Trust Router as a service realm for your organisation, e.g. moonshot-tr.camford.ac.uk
3. In the Moonshot portal, change the AAA server name for the IdP realm(s) that connect to your Trust Router to the hostname of your Trust Router, i.e. set the AAA server for your.identity.realm.example.org to the host you registered in Step 2.
4. Once the changes have been applied, change to the /etc/trust_router/conf.d/default directory and run trust_router as the trustrouter user. There should be no errors.
trusts.cfg
{
  "communities": [
    {
      "apcs": [],
      "community_id": "ov-apc.moonshot.ja.net",
      "idp_realms": [
        "your.identity.realm.example.org"
      ],
      "rp_realms": [
        "tr.moonshot.ja.net",
        "your.rp-proxy.service.realm.example.org",
        "your.idp.service.realm.example.org"
      ],
      "type": "apc",
      "expiration_interval": 10
    }
  ],
  "idp_realms": [
    {
      "aaa_servers": [
        "your.idp.hostname.example.org"
      ],
      "apcs": [
        "ov-apc.moonshot.ja.net"
      ],
      "realm_id": "your.identity.realm.example.org",
      "shared_config": "no"
    }
  ],
  "rp_clients": [
    {
      "filter": {
        "filter_lines": [
          {
            "action": "accept",
            "domain_constraints": [],
            "filter_specs": [
              { "field": "rp_realm", "match": "tr.moonshot.ja.net" },
              { "field": "rp_realm", "match": "*.tr.moonshot.ja.net" }
            ],
            "realm_constraints": [
              "tr.moonshot.ja.net",
              "*.tr.moonshot.ja.net"
            ]
          }
        ],
        "type": "rp_permitted"
      },
      "gss_names": [
        "trustrouter@ov-apc.moonshot.ja.net"
      ]
    },
    {
      "filter": {
        "filter_lines": [
          {
            "action": "accept",
            "domain_constraints": [
              "your.rp-proxy.hostname.example.org",
              "*.your.rp-proxy.hostname.example.org"
            ],
            "filter_specs": [
              { "field": "rp_realm", "match": "your.rp-proxy.service.realm.example.org" },
              { "field": "rp_realm", "match": "*.your.rp-proxy.service.realm.example.org" }
            ],
            "realm_constraints": [
              "your.rp-proxy.service.realm.example.org",
              "*.your.rp-proxy.service.realm.example.org"
            ]
          },
          {
            "action": "accept",
            "domain_constraints": [
              "your.idp.hostname.example.org",
              "*.your.idp.hostname.example.org"
            ],
            "filter_specs": [
              { "field": "rp_realm", "match": "your.idp.service.realm.example.org" },
              { "field": "rp_realm", "match": "*.your.idp.service.realm.example.org" }
            ],
            "realm_constraints": [
              "your.idp.service.realm.example.org",
              "*.your.idp.service.realm.example.org"
            ]
          }
        ],
        "type": "rp_permitted"
      },
      "gss_names": [
        "your-trustrouter-credential@ov-apc.moonshot.ja.net"
      ]
    }
  ]
}
For more information about the format of this file, see the Trust Router trusts.cfg format.
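A pre-flight check for an edited trusts.cfg, as an added example that is not part of the original page or of the Trust Router software: it reports any placeholder left unreplaced (any string ending in .example.org, or the sample credential name) and any filter line whose rp_realm matches no longer equal its realm_constraints. The function names are hypothetical, and the pairing rule is an assumption drawn from the pattern in the sample above, not a documented Trust Router requirement.

```python
import json

# Constructed sample: a partly edited trusts.cfg fragment, not a real deployment.
SAMPLE = """{
 "idp_realms": [{"aaa_servers": ["your.idp.hostname.example.org"],
                 "apcs": ["ov-apc.moonshot.ja.net"],
                 "realm_id": "camford.ac.uk", "shared_config": "no"}],
 "rp_clients": [{"filter": {"type": "rp_permitted", "filter_lines": [{
     "action": "accept",
     "domain_constraints": ["moonshot-idp.camford.ac.uk"],
     "filter_specs": [{"field": "rp_realm", "match": "moonshot-idp.camford.ac.uk"},
                      {"field": "rp_realm", "match": "*.moonshot-idp.camford.ac.uk"}],
     "realm_constraints": ["moonshot-idp.camford.ac.uk"]}]},
   "gss_names": ["your-trustrouter-credential@ov-apc.moonshot.ja.net"]}]
}"""

def walk(node, path="$"):
    """Yield (json_path, value) for every string value in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def leftover_placeholders(cfg):
    """Strings that still carry the sample's placeholder names."""
    return [(p, s) for p, s in walk(cfg)
            if s.endswith(".example.org") or s.startswith("your-trustrouter-credential@")]

def unpaired_filter_lines(cfg):
    """Filter lines whose rp_realm matches differ from realm_constraints
    (assumed pairing, taken from the sample configuration)."""
    bad = []
    for ci, client in enumerate(cfg.get("rp_clients", [])):
        for li, line in enumerate(client.get("filter", {}).get("filter_lines", [])):
            matches = {s["match"] for s in line.get("filter_specs", [])
                       if s.get("field") == "rp_realm"}
            if matches != set(line.get("realm_constraints", [])):
                bad.append(f"$.rp_clients[{ci}].filter.filter_lines[{li}]")
    return bad

def check(text):
    """Parse trusts.cfg text; json.loads raises ValueError on malformed JSON."""
    cfg = json.loads(text)
    return leftover_placeholders(cfg), unpaired_filter_lines(cfg)

if __name__ == "__main__":
    print(check(SAMPLE))
```

Run it against the text of your own trusts.cfg before starting trust_router; both returned lists should be empty.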