Configure a Trust Router client

A Trust Router network consists of at least one Trust Router, one APC and a set of Trust Router clients. The clients can be either Identity Providers or Relying Party Proxies, or both. To be able to interact with the Trust Router, the clients need to be configured appropriately. 

The Trust Router client consists of a server, TIDS, a command-line utility, TIDC, and a built-in library that can be configured in FreeRADIUS.

Command-line utility (TIDC)

TIDC can be used to test a connection to the Trust Router, and on successful completion its output is a JSON document describing the key and the constraints on it.

To use TIDC from the command-line, use the following syntax:

$ tidc [Hostname of Trust Router] [RP Realm] [Identity Realm] [Community of Interest, by default the APC name]

Example

Camford University has a Moonshot IdP registered in the Trust Router configuration as camford.ac.uk and would like to reach the dev.ja.net identity provider. The command-line to do this looks like this:

$ tidc tr.moonshot.ja.net camford.ac.uk dev.ja.net ov-apc.moonshot.ja.net

TIDC requires that the user the command is run as has been provisioned with a credential for the APC (a Moonshot credential).

To troubleshoot error output from TIDC, see the Troubleshooting the Temporary ID Client page.

FreeRADIUS configuration

FreeRADIUS is the only RADIUS server that currently has Trust Router support. To configure FreeRADIUS as a Trust Router client, the appropriate items in the realm module must be configured for the Trust Router. 

  1. Open the mods-enabled/realm file in the FreeRADIUS home directory for editing.
  2. Find the "realm suffix {" configuration directive, and fill out the fields as appropriate:

    realm suffix {
      format = suffix
      delimiter = "@"
      trust_router = "[Hostname of the Trust Router]"
      rp_realm = "[RP Realm]"
      default_community = "[Default Community of Interest]"
    }

    Example

    Camford University has a Moonshot IdP registered in the Trust Router portal with a realm of moonshot-idp.camford.ac.uk, so its realm file would look like this:

    realm suffix {
      format = suffix
      delimiter = "@"
      trust_router = "tr.moonshot.ja.net"
      rp_realm = "moonshot-idp.camford.ac.uk"
      default_community = "ov-apc.moonshot.ja.net"
    }

To be able to use the Trust Router support in FreeRADIUS, you must provision the FreeRADIUS user with a credential for the APC (a Moonshot credential).
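A common mistake with the stanza above is leaving one of the bracketed placeholders in place, which FreeRADIUS will happily load but which will never reach a Trust Router. The following added check (example code written for this page, not part of FreeRADIUS or the Moonshot project) parses a realm suffix stanza and reports fields that are missing, still hold a placeholder, or are not DNS-style names; the two sample stanzas embedded in it are constructed from the template and the Camford example above.

```python
import re

# Constructed samples (not from a real deployment): the template with placeholders, then filled in.
TEMPLATE_STANZA = """realm suffix {
  format = suffix
  delimiter = "@"
  trust_router = "[Hostname of the Trust Router]"
  rp_realm = "[RP Realm]"
  default_community = "[Default Community of Interest]"
}"""
FILLED_STANZA = TEMPLATE_STANZA.replace(
    "[Hostname of the Trust Router]", "tr.moonshot.ja.net").replace(
    "[RP Realm]", "moonshot-idp.camford.ac.uk").replace(
    "[Default Community of Interest]", "ov-apc.moonshot.ja.net")

REQUIRED = ("trust_router", "rp_realm", "default_community")
# Dotted DNS-style name: labels of 1-63 characters, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

def parse_realm_suffix(text):
    """Key/value pairs of the first 'realm suffix { ... }' stanza (values bare or
    double-quoted, '#' starts a comment); nested sub-sections are not handled."""
    m = re.search(r"realm\s+suffix\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no 'realm suffix { ... }' stanza found")
    items = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            items[key.strip()] = value.strip().strip('"')
    return items

def check_trust_router_config(text):
    """Return the problems found; an empty list means the stanza is usable."""
    cfg = parse_realm_suffix(text)
    problems = []
    if cfg.get("format") != "suffix" or cfg.get("delimiter") != "@":
        problems.append("format must be 'suffix' and delimiter must be '@'")
    for key in REQUIRED:
        val = cfg.get(key, "")
        if not val:
            problems.append(f"{key} is missing")
        elif val.startswith("[") and val.endswith("]"):
            problems.append(f"{key} still holds the template placeholder {val!r}")
        elif not HOSTNAME_RE.match(val):
            problems.append(f"{key} is not a valid DNS-style name: {val!r}")
    return problems
```

Run it against the contents of mods-enabled/realm before restarting FreeRADIUS; any problem it lists will also show up as a failed Trust Router lookup in debug mode.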

To troubleshoot error output from FreeRADIUS, run it in debug mode and then consult the Troubleshooting the Temporary ID Client page:

On RHEL/CentOS/Scientific Linux
$ /usr/sbin/radiusd -fxx -l stdout
On Debian/Ubuntu
$ /usr/sbin/freeradius -fxx -l stdout

Server (TIDS)

TIDS accepts incoming Trust Router connections and runs only on Trust Router clients acting as Identity Providers. It can be run either as a daemon, configured through the daemon configuration files, or as a foreground process that writes its output to the console.

This page is still being written. Check back soon...