Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:shibboleth:idpv3x [2019/01/02 14:28]
procacci@tem-tsp.eu [context tomcat pour l'IDP]
+++ docpublic:systemes:shibboleth:idpv3x [2019/01/02 21:57] (current)
procacci@tem-tsp.eu [SSO CAS]
@@ Line 304: / Line 304: @@
 en effet il faut ajouter la librairie jstl (cf http://stackoverflow.com/tags/jstl/info)  qui n'est pas fournie par defaut (risque de conflit avec jboss)
-cf aussi https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp sous chapitre 6.12 IdP status URL configuration ou https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java jstl .
+cf aussi https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp sous chapitre 6.13 IdP status URL configuration ou https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java jstl .
 <code>
-[root@idp3 ~]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
+[root@idp34 shibboleth-identity-provider-3.4.2]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
-[root@idp3 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
+[root@idp34 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
-[root@idp3 lib]# systemctl restart tomcat
+-01-02 14:34:08 (9,27 MB/s) - «jstl-1.2.jar» sauvegardé [414240/414240]
+[root@idp34 lib]# systemctl restart tomcat
 </code>
+Pour l'acces en https au status il faut autorise l'IP source du navigateur d'admin
+<code>
+# vim /opt/shibboleth-idp/conf/access-control.xml
+<code>
+...
+ <util:map id="shibboleth.AccessControlPolicies">
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
+        </entry>
+        ...
+</code>
+maintenant accessible en https://idp3.imtbstsp.eu/idp/status
 acces status possible en shell également
 <code>
- [root@idp3 ~]#  /opt/shibboleth-idp/bin/status.sh
+[root@idp34 bin]# /opt/shibboleth-idp/bin/status.sh
 ### Operating Environment Information
 operating_system: Linux
-operating_system_version: 2.6.32-042stab113.21
+operating_system_version: 3.10.0
 operating_system_architecture: amd64
-jdk_version: 1.8.0_91
+jdk_version: 1.8.0_191
-available_cores: 32
+available_cores: 12
-used_memory: 217 MB
+used_memory: 137 MB
 maximum_memory: 455 MB
 ### Identity Provider Information
-idp_version: 3.2.1
+idp_version: 3.4.2
-start_time: 2016-06-21T10:25:36+02:00
+start_time: 2019-01-02T14:35:21Z
-current_time: 2016-06-21T10:25:36+02:00
+current_time: 2019-01-02T14:36:42Z
-uptime: 518 ms
+uptime: 80907 ms
-service: shibboleth.LoggingService
-last successful reload attempt: 2016-06-21T08:20:43Z
-last reload attempt: 2016-06-21T08:20:43Z
-....
 </code>
-Pour l'acces en http au status il faut autorise l'IP
-<code>
-CT-a84f4e90 shibboleth-identity-provider-3.3.0# vim /opt/shibboleth-idp/conf/access-control.xml
-<code>
-...
- <util:map id="shibboleth.AccessControlPolicies">
-        <entry key="AccessByIPAddress">
-            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
-        </entry>
-        ...
-</code>
@@ Line 386: / Line 387: @@
 <code>
-[root@idp3 shibboleth-idp]# wget -O /opt/shibboleth-idp/credentials/metadata-federation-renater.crt https://federation.renater.fr/test/metadata-federation-renater.crt
+[root@idp34]# cd /opt/shibboleth-idp/credentials/
+[root@idp34 credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem
 </code>
@@ Line 393: / Line 396: @@
 <code>
 [root@idp3 conf]# tail -18 metadata-providers.xml
+         <!-- Federation de test renater -->
+   <MetadataProvider id="RenaterTestMetadata"
+                              xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
+                      metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">
+                <MetadataFilter xsi:type="SignatureValidation"
+                requireSignedRoot="true"
+                certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
+                </MetadataFilter>
+        </MetadataProvider>
-    <!-- Federation de test renater -->
-    <MetadataProvider id="RenaterTestMetadata"
-                      xsi:type="FileBackedHTTPMetadataProvider"
-                      backingFile="%{idp.home}/metadata/renater-test-metadata.xml"
-                      metadataURL="https://federation.renater.fr/test/renater-test-metadata.xml">
-        <MetadataFilter xsi:type="SignatureValidation"
-            requireSignedRoot="true"
-            certificateFile="%{idp.home}/credentials/metadata-federation-renater.crt">
-        </MetadataFilter>
-        <MetadataFilter xsi:type="EntityRoleWhiteList">
-            <RetainedRole>md:SPSSODescriptor</RetainedRole>
-        </MetadataFilter>
     </MetadataProvider>
@@ Line 416: / Line 420: @@
 <code>
-[root@idp3 conf]# systemctl restart tomcat.service
+[root@idp34 conf]# systemctl restart tomcat.service
-[root@idp3 conf]# ls -l ../metadata/
-total 6480
+[root@idp34 conf]#  ls -ltr ../metadata/
--rw-r--r--  1 tomcat root     12221 23 mai   22:14 idp-metadata.xml
+total 31308
--rw-r--r--  1 tomcat tomcat 6613630 21 juin  18:54 renater-test-metadata.xml
+-rw-r--r-- 1 tomcat root      14590  2 janv. 14:23 idp-metadata.xml
+-rw-r--r-- 1 tomcat tomcat  6787283  2 janv. 14:47 preview-sps-renater-test-metadata.xml
 </code>
@@ Line 430: / Line 436: @@
 idp-process.log :
--06-21 18:55:56,043 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://federation.renater.fr/test/renater-test-metadata.xml' will occur on '2016-06-21T19:55:55.999Z' ('2016-06-21T21:55:55.999+02:00' local time)
--06-21 18:55:56,062 - INFO [Shibboleth-Audit.Reload:241] - 20160621T165556Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||
+-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: New metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml'
+-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time)
+-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||
 </code>
@@ Line 642: / Line 652: @@
 https://services.renater.fr/federation/docs/installation/idp3/chap08
-<code>
-[root@idp3]# cd /opt/src/
-[root@idp3 src]# git clone https://github.com/Unicon/shib-cas-authn3 shib-cas-authn3-git-master
+<code>
-Cloning into 'shib-cas-authn3-git-master'...
+[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
-remote: Counting objects: 1172, done.
+[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
-remote: Total 1172 (delta 0), reused 0 (delta 0), pack-reused 1172
+...
-Receiving objects: 100% (1172/1172), 991.61 KiB | 884.00 KiB/s, done.
+shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
-Resolving deltas: 100% (427/427), done.
+shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
+shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
+..
-[root@idp3 src]# cp -R /opt/src/shib-cas-authn3-git-master/IDP_HOME/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
+[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
-[root@idp3 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/v3.0.0/shib-cas-authenticator-3.0.0.jar
-[root@idp3 src]# mv shib-cas-authenticator-3.0.0.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
-[root@idp3 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.3.3/cas-client-core-3.3.3.jar
-[root@idp3 src]# mv cas-client-core-3.3.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
+[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
+[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
+total 8
+-rw-r--r-- 1 root root 2290  2 janv. 21:23 shibcas-authn-flow.xml
+-rw-r--r-- 1 root root 3241  2 janv. 21:23 shibcas-authn-beans.xml
+[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
+[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
 </code>
@@ Line 688: / Line 701: @@
 <code>
+[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
+[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist
 [root@idp3 authn]# diff general-authn.xml general-authn.xml.dist
 ,98d92

docpublic/systemes/shibboleth/idpv3x.1546439329.txt.gz · Last modified: 2019/01/02 14:28 by procacci@tem-tsp.eu

Show page Old revisions

[unknown link type]Back to top