

Idpv3x

references

context

Example deployment of an IdP (v3.0) on a CentOS 7 host using the distribution's native packages, i.e. the OpenJDK JVM and Tomcat 7 and/or Jetty 9.

https://wiki.shibboleth.net/confluence/display/IDP30/SystemRequirements

Oracle Java or OpenJDK versions 7 and 8 are supported, and the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are required.
Only Tomcat 8 and Jetty 9.2 - Jetty 9.3 are officially supported by the project at this time.
[root@idp3 ~]# cat /etc/redhat-release 
CentOS Linux release 7.1.1503 (Core) 
[root@idp3 ~]# arch 
x86_64

java jdk

[root@idp3 ~]# yum install java-1.8.0-openjdk-devel.x86_64

Install  1 Package (+29 Dependent packages)

Total download size: 46 M
Installed size: 156 M
Is this ok [y/d/N]: y

Installed:
  java-1.8.0-openjdk-devel.x86_64 1:1.8.0.65-2.b17.el7_1                                                                             

Dependency Installed:
  alsa-lib.x86_64 0:1.0.28-2.el7                                        fontconfig.x86_64 0:2.10.95-7.el7                           
  fontpackages-filesystem.noarch 0:1.44-8.el7                           freetype.x86_64 0:2.4.11-10.el7_1.1                         
  giflib.x86_64 0:4.1.6-9.el7                                           java-1.8.0-openjdk.x86_64 1:1.8.0.65-2.b17.el7_1            
  java-1.8.0-openjdk-headless.x86_64 1:1.8.0.65-2.b17.el7_1             javapackages-tools.noarch 0:3.4.1-6.el7_0                   
  libICE.x86_64 0:1.0.8-7.el7                                           libSM.x86_64 0:1.2.1-7.el7                                  
  libX11.x86_64 0:1.6.0-2.1.el7                                         libX11-common.noarch 0:1.6.0-2.1.el7                        
  libXau.x86_64 0:1.0.8-2.1.el7                                         libXext.x86_64 0:1.3.2-2.1.el7                              
  libXfont.x86_64 0:1.4.7-3.el7_1                                       libXi.x86_64 0:1.7.2-2.1.el7                                
  libXrender.x86_64 0:0.9.8-2.1.el7                                     libXtst.x86_64 0:1.2.2-2.1.el7                              
  libfontenc.x86_64 0:1.1.1-5.el7                                       libjpeg-turbo.x86_64 0:1.2.90-5.el7                         
  libpng.x86_64 2:1.5.13-5.el7                                          libxcb.x86_64 0:1.9-5.el7                                   
  libxslt.x86_64 0:1.1.28-5.el7                                         python-javapackages.noarch 0:3.4.1-6.el7_0                  
  python-lxml.x86_64 0:3.2.1-4.el7                                      ttmkfdir.x86_64 0:3.0.9-41.el7                              
  tzdata-java.noarch 0:2015g-1.el7                                      xorg-x11-font-utils.x86_64 1:7.5-18.1.el7                   
  xorg-x11-fonts-Type1.noarch 0:7.5-9.el7                              

Complete!

test java version

[root@idp3 ~]# java -version
openjdk version "1.8.0_65"
OpenJDK Runtime Environment (build 1.8.0_65-b17)
OpenJDK 64-Bit Server VM (build 25.65-b01, mixed mode)

tomcat

[root@idp3 ~]# yum install tomcat tomcat-admin-webapps

Installation   2 Paquets (+20 Paquets en dépendance)

Taille totale des téléchargements : 11 M
Taille d'installation : 14 M

Installé :
  tomcat.noarch 0:7.0.54-2.el7_1                      tomcat-admin-webapps.noarch 0:7.0.54-2.el7_1  

tomcat admin account setup

admin account for access to the manager/html application

[root@idp3 tomcat]# diff -ur tomcat-users.xml.orig tomcat-users.xml
--- tomcat-users.xml.orig	2016-05-11 22:26:59.631449352 +0200
+++ tomcat-users.xml	2016-05-11 22:29:33.294032465 +0200
@@ -34,13 +34,13 @@
   <user username="role1" password="tomcat" roles="role1"/>
 -->
 
-<!-- <role rolename="admin"/> -->
-<!-- <role rolename="admin-gui"/> -->
-<!-- <role rolename="admin-script"/> -->
-<!-- <role rolename="manager"/> -->
-<!-- <role rolename="manager-gui"/> -->
-<!-- <role rolename="manager-script"/> -->
-<!-- <role rolename="manager-jmx"/> -->
-<!-- <role rolename="manager-status"/> -->
-<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
+<role rolename="admin"/>
+<role rolename="admin-gui"/>
+<role rolename="admin-script"/>
+<role rolename="manager"/> 
+<role rolename="manager-gui"/> 
+<role rolename="manager-script"/> 
+<role rolename="manager-jmx"/> 
+<role rolename="manager-status"/> 
+<user name="admin" password="secretadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />
 </tomcat-users>
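Review bot: the `<user name="admin" .../>` line at the end of the hunk grants one account every Tomcat role at once (admin, admin-gui, admin-script, manager, manager-gui, manager-script, manager-jmx, manager-status), while the stated purpose is only access to manager/html; keep `manager-gui` (plus `admin-gui` if host-manager is needed) and drop the script and JMX roles, which are intended for automation and widen what a stolen password can do. Since this page later proxies /manager/ through Apache on ports 80/443, the account becomes reachable on the public interface; restrict that path by source IP or do not proxy it at all.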

enable at boot

[root@idp3 tomcat]# systemctl enable tomcat.service
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /usr/lib/systemd/system/tomcat.service.

[root@idp3 tomcat]# systemctl start tomcat.service

tomcat access

the server is now reachable, for example

http://idp3.tem-tsp.eu:8080/manager/html (login/password defined above)

proxy-ajp

set up an AJP proxy so that Apache handles TLS and the default ports (80/443)

[root@idpmt3 ~]# cat /etc/httpd/conf.d/shibboleth.conf
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
ProxyPass /manager/ ajp://127.0.0.1:8009/manager/

access without port 8080:

http://idp3.tem-tsp.eu/manager/html

TLS https

install the Apache module (AJP proxy front end) for SSL/TLS

[root@idp3 ~]# yum install mod_ssl
Installé :
  mod_ssl.x86_64 1:2.4.6-40.el7.centos.1                                                                                                                                        

Terminé !

declare the certificate and its key; a wildcard certificate is possible

[root@idp3 ~]# grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
SSLCertificateFile /etc/pki/tls/certs/wild_tem-tsp_eu.crt
SSLCertificateKeyFile /etc/pki/tls/private/wild_digicert2015_tem-tsp.key
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

test

https://idp3.tem-tsp.eu/manager/html

ntp

make sure the machine's clock is correct; on a VM it is the host machine that provides the time

shibboleth IDP

download

download the latest version from http://shibboleth.net/downloads/identity-provider/

[root@idp3 ~]# wget http://shibboleth.net/downloads/identity-provider/3.2.1/shibboleth-identity-provider-3.2.1.tar.gz
[root@idp3 ~]# mkdir /opt/src
[root@idp3 ~]# mv shibboleth-identity-provider-3.2.1.tar.gz /opt/src/
[root@idp3 src]# tar xvfz shibboleth-identity-provider-3.2.1.tar.gz 
[root@idp3 src]# cd shibboleth-identity-provider-3.2.1/
[root@idp3 shibboleth-identity-provider-3.2.1]# ls
bin  conf  credentials  dist  doc  embedded  flows  LICENSE.txt  logs  messages  system  views  webapp

install

fresh install here; caution, when updating do not overwrite everything!

[root@idp3 shibboleth-identity-provider-3.2.1]# export JAVA_HOME=/usr/lib/jvm/java
[root@idp3 shibboleth-identity-provider-3.2.1]# ./bin/install.sh
Source (Distribution) Directory: [/opt/src/shibboleth-identity-provider-3.2.1]

Installation Directory: [/opt/shibboleth-idp]

Hostname: [localhost.localdomain]
idp3.tem-tsp.eu
SAML EntityID: [https://idp3.tem-tsp.eu/idp/shibboleth]

Attribute Scope: [localdomain]
tem-tsp.eu
Backchannel PKCS12 Password: glsecretidp
Re-enter password: 
Cookie Encryption Key Password: 
Password cannot be zero length
Cookie Encryption Key Password: glsecretidp
Re-enter password: 
Warning: /opt/shibboleth-idp/bin does not exist.
Warning: /opt/shibboleth-idp/dist does not exist.
Warning: /opt/shibboleth-idp/doc does not exist.
Warning: /opt/shibboleth-idp/system does not exist.
Warning: /opt/shibboleth-idp/webapp does not exist.
Generating Signing Key, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...
...done
Creating Encryption Key, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...
...done
Creating Backchannel keystore, CN = idpmt3.tem-tsp.eu URI = https://idp3.tem-tsp.eu/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done

BUILD SUCCESSFUL

credential files created

[root@idp3 shibboleth-identity-provider-3.2.1]# ls -l /opt/shibboleth-idp/credentials/
total 32
-rw-r--r-- 1 root root 1168 23 mai   22:14 idp-backchannel.crt
-rw-r--r-- 1 root root 2554 23 mai   22:14 idp-backchannel.p12
-rw-r--r-- 1 root root 1164 23 mai   22:14 idp-encryption.crt
-rw------- 1 root root 1675 23 mai   22:14 idp-encryption.key
-rw-r--r-- 1 root root 1164 23 mai   22:14 idp-signing.crt
-rw------- 1 root root 1675 23 mai   22:14 idp-signing.key
-rw-r--r-- 1 root root  500 23 mai   22:14 sealer.jks
-rw-r--r-- 1 root root   48 23 mai   22:14 sealer.kver

the installation tree must be owned by tomcat

[root@idp3 shibboleth-identity-provider-3.2.1]# chown -R tomcat /opt/shibboleth-idp/

tomcat context for the IdP

the idp.xml file deploys the IdP component automatically, without copying the .war archive into Tomcat's webapps/ directory.

[root@idp3 localhost]# cat /etc/tomcat/Catalina/localhost/idp.xml 
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true" />

a few seconds later

[root@idp3 localhost]# ls -l /var/lib/tomcat/webapps/idp/
total 32
drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 css
drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 images
-rw-r--r-- 1 tomcat tomcat 1008 23 mai   22:14 index.jsp
drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 js
drwxr-xr-x 2 tomcat tomcat 4096 25 mai   20:38 META-INF
drwxr-xr-x 5 tomcat tomcat 4096 25 mai   20:38 WEB-INF
-rw-r--r-- 1 tomcat tomcat 5588 23 mai   22:14 x509-prompt.jsp

status and jstl

test access at http://idp3.tem-tsp.eu:8080/idp/status

at first this page did not display

java.lang.NoClassDefFoundError: javax/servlet/jsp/jstl/core/Config
	org.springframework.web.servlet.support.JstlUtils.exposeLocalizationContext(JstlUtils.java:101)

indeed, the jstl library (see http://stackoverflow.com/tags/jstl/info) must be added, as it is not provided by default (possible conflict with JBoss); see also https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp, section 6.12 "IdP status URL configuration", or https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java under jstl.

[root@idp3 ~]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
[root@idp3 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
[root@idp3 lib]# systemctl restart tomcat

the status is also accessible from the shell

 [root@idp3 ~]#  /opt/shibboleth-idp/bin/status.sh
### Operating Environment Information
operating_system: Linux
operating_system_version: 2.6.32-042stab113.21
operating_system_architecture: amd64
jdk_version: 1.8.0_91
available_cores: 32
used_memory: 217 MB
maximum_memory: 455 MB

### Identity Provider Information
idp_version: 3.2.1
start_time: 2016-06-21T10:25:36+02:00
current_time: 2016-06-21T10:25:36+02:00
uptime: 518 ms

service: shibboleth.LoggingService
last successful reload attempt: 2016-06-21T08:20:43Z
last reload attempt: 2016-06-21T08:20:43Z
....

For HTTP access to the status page the client IP must be allowed

CT-a84f4e90 shibboleth-identity-provider-3.3.0# vim /opt/shibboleth-idp/conf/access-control.xml
...
 <util:map id="shibboleth.AccessControlPolicies">

        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
        </entry>
        ...

NTP

the system must keep correct time (SAML exchanges are timestamped)

if using an OpenVZ VM, see VZ capabilities: http://unix.stackexchange.com/questions/68016/error-when-running-ntpd-on-openvz-host-cap-set-proc-failed-to-drop-root-privi

[root@hardnode ~]# vzctl set 1033 --capability sys_time:on --save
CT configuration saved to /etc/vz/conf/1033.conf

Configuration

since version 3 the configuration is split across several files; it is recommended to back up the original/distribution copies

[root@idp3 conf]# cp -p relying-party.xml relying-party.xml.dist
[root@idp3 conf]# cp -p attribute-resolver.xml attribute-resolver.xml.dist
[root@idp3 conf]# cp -p attribute-filter.xml attribute-filter.xml.dist

federation metadata

registration in the Renater test federation; retrieve the Renater metadata signing certificate.

[root@idp3 shibboleth-idp]# wget -O /opt/shibboleth-idp/credentials/metadata-federation-renater.crt https://federation.renater.fr/test/metadata-federation-renater.crt

add loading of the Renater test metadata

[root@idp3 conf]# tail -18 metadata-providers.xml
          
    <!-- Federation de test renater -->
    <MetadataProvider id="RenaterTestMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/renater-test-metadata.xml"
                      metadataURL="https://federation.renater.fr/test/renater-test-metadata.xml"> 
 
        <MetadataFilter xsi:type="SignatureValidation"
            requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/metadata-federation-renater.crt">
        </MetadataFilter>
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
 
    </MetadataProvider>
    
</MetadataProvider>

The first time, restart Tomcat so that the initial download of the file takes place

[root@idp3 conf]# systemctl restart tomcat.service 
[root@idp3 conf]# ls -l ../metadata/
total 6480
-rw-r--r--  1 tomcat root     12221 23 mai   22:14 idp-metadata.xml
-rw-r--r--  1 tomcat tomcat 6613630 21 juin  18:54 renater-test-metadata.xml

afterwards a simple reload of the metadata service for this federation is enough

[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-metadata.sh -id=RenaterTestMetadata
Metadata reloaded.

idp-process.log:
2016-06-21 18:55:56,043 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:306] - Next refresh cycle for metadata provider 'https://federation.renater.fr/test/renater-test-metadata.xml' will occur on '2016-06-21T19:55:55.999Z' ('2016-06-21T21:55:55.999+02:00' local time)
2016-06-21 18:55:56,062 - INFO [Shibboleth-Audit.Reload:241] - 20160621T165556Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||

local IdP metadata URL

URL for viewing our IdP's metadata

authentication

first test with simple LDAP authentication

[root@idp3 conf]# diff ldap.properties ldap.properties.dist 
8,9c8,9
< idp.authn.LDAP.ldapURL                          = ldap://ldap.int.eu:389
< idp.authn.LDAP.useStartTLS                     = true
---
> idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
> #idp.authn.LDAP.useStartTLS                     = true
16c16
< idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/chain-29966-_.int.eu.pem
---
> idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
18c18
< #idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
---
> idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
28c28
< idp.authn.LDAP.baseDN                           = ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
33,34c33,34
< idp.authn.LDAP.bindDN                           = uid=binduser,dc=int,dc=fr
< idp.authn.LDAP.bindDNCredential                 = secret
---
> idp.authn.LDAP.bindDN                           = uid=myservice,ou=system
> idp.authn.LDAP.bindDNCredential                 = myServicePassword
38c38
< idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=example,dc=org
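Review bot: lines 33-34 of this diff put the bind DN password (idp.authn.LDAP.bindDNCredential) in cleartext in ldap.properties; the earlier `chown -R tomcat /opt/shibboleth-idp/` makes the file tomcat-owned, but its mode should also exclude other local users (640 or tighter), and the page itself now carries the value. Also worth stating above the diff: it is taken as `diff ldap.properties ldap.properties.dist`, so the `<` lines are the live configuration and the `>` lines are the shipped defaults, the reverse of the usual reading.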

[root@idp3 conf]# systemctl restart tomcat.service 
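A check that can be run against ldap.properties before the restart, as an added example (not the page's or the IdP's own code): it reads the idp.authn.LDAP.* keys shown in the diff and flags a plaintext ldap:// URL without StartTLS, TLS without a trust anchor, and a default bind password. The two embedded files are constructed from the `<` (live) and `>` (shipped) sides of the diff above; the placeholder-password list is an assumption.

```python
"""Lint an IdP v3 ldap.properties for weak LDAP transport and trust settings."""

# Constructed from the '>' side of the diff above: the shipped defaults.
SHIPPED_DEFAULTS = """\
idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
#idp.authn.LDAP.useStartTLS                     = true
idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
idp.authn.LDAP.bindDN                           = uid=myservice,ou=system
idp.authn.LDAP.bindDNCredential                 = myServicePassword
idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=example,dc=org
"""

# Constructed from the '<' side of the diff above: the live configuration.
LIVE_CONFIG = """\
idp.authn.LDAP.ldapURL                          = ldap://ldap.int.eu:389
idp.authn.LDAP.useStartTLS                      = true
idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/chain-29966-_.int.eu.pem
#idp.authn.LDAP.trustStore                      = %{idp.home}/credentials/ldap-server.truststore
idp.authn.LDAP.baseDN                           = ou=people,dc=int,dc=fr
idp.authn.LDAP.bindDN                           = uid=binduser,dc=int,dc=fr
idp.authn.LDAP.bindDNCredential                 = secret
idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=int,dc=fr
"""

# Assumed starting list of values that should never survive into production.
PLACEHOLDER_CREDENTIALS = {"myServicePassword", "secret", "password", "changeit"}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments.
    A commented-out key is treated as unset, exactly as the IdP sees it."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_ldap_properties(text):
    """Return a list of (code, message) findings for the idp.authn.LDAP.* settings."""
    p = parse_properties(text)
    findings = []
    url = p.get("idp.authn.LDAP.ldapURL", "").lower()
    starttls = p.get("idp.authn.LDAP.useStartTLS", "false").lower() == "true"
    ldaps = url.startswith("ldaps://")
    trust_anchor = p.get("idp.authn.LDAP.trustCertificates") or p.get("idp.authn.LDAP.trustStore")

    if url.startswith("ldap://") and not starttls:
        findings.append(("PLAINTEXT_LDAP",
                         "ldap:// URL without idp.authn.LDAP.useStartTLS=true: the bind "
                         "password and every user password cross the network in clear"))
    if ldaps and starttls:
        findings.append(("STARTTLS_OVER_LDAPS",
                         "useStartTLS=true combined with an ldaps:// URL; pick one TLS mode"))
    if (ldaps or starttls) and not trust_anchor:
        findings.append(("NO_TRUST_ANCHOR",
                         "TLS enabled but neither trustCertificates nor trustStore is set, "
                         "so the LDAP server certificate is not pinned to a known chain"))
    if p.get("idp.authn.LDAP.bindDNCredential", "") in PLACEHOLDER_CREDENTIALS:
        findings.append(("PLACEHOLDER_CREDENTIAL",
                         "idp.authn.LDAP.bindDNCredential is a default/placeholder value"))
    return findings


def finding_codes(text):
    """Just the finding codes, convenient for scripting a pre-restart gate."""
    return [code for code, _ in lint_ldap_properties(text)]


if __name__ == "__main__":
    for name, cfg in (("shipped defaults", SHIPPED_DEFAULTS), ("live config", LIVE_CONFIG)):
        print(name)
        for code, msg in lint_ldap_properties(cfg) or [("OK", "no findings")]:
            print("  %s: %s" % (code, msg))
```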

customise the built-in login page

the login page built into the IdP can be customised, see:

# vim /opt/src/shibboleth-identity-provider-3.3.0/system/messages/messages.properties
...
idp.logo = /images/etablissement-logo-site.png
...
root.title = Shibboleth IdP Etablissement.fr
...

put the logo in the source images directory; oddly, a bin/install.sh did deploy the new messages.properties but not the logo png into /var/lib/tomcat/webapps/idp/images/, which I had to do by hand (cp).

Attribute resolver

attribute-resolver-ldap.xml relies on the variables defined above in ldap.properties; here we only deactivate StartTLSTrustCredential (by commenting it out)

[root@idp3 conf]# cp attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idp3 conf]# diff attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist 
92d91
< 	  <!--
97d95
< 	  --> 
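Review bot: commenting out lines 92-97 (the StartTLSTrustCredential block, per the text above) removes the explicit trust anchor for the resolver's StartTLS connection to the LDAP server, so validation of the server certificate is then left to the JVM default truststore; verify that the chain of ldap.int.eu validates there, otherwise point the credential at the same chain file used for idp.authn.LDAP.trustCertificates rather than disabling it.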

and declare the use of attribute-resolver-ldap in services.xml

[root@idp3 conf]# diff services.xml services.xml.dist
113c113
<         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
---
>         <value>%{idp.home}/conf/attribute-resolver.xml</value>

attribute-filter

we take the example and extend it to any SP (ANY)

[root@idp3 conf]# diff attribute-filter.xml attribute-filter.xml.dist 
18,19c18
< <!--         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" /> -->
< 	 <PolicyRequirementRule xsi:type="ANY" />
---
>         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
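Review bot: replacing the Requester rule with `<PolicyRequirementRule xsi:type="ANY" />` on line 19 releases the attributes of this policy to every SP the IdP trusts, not only the test SP; acceptable for the test federation, but it should be replaced before joining a production federation, for instance by the AttributeInMetadata rules this page describes further down.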

[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
Configuration reloaded.

schema name change v2/v3

caution when carrying in-house attribute-filter files from v2 to v3: the schemas have changed, e.g. "basic:OR" simply becomes "OR"; see https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterLegacyNameSpaceMapping and https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration#AttributeFilterConfiguration-SchemaName

example of automatic replacement of the v2 syntax with the v3 syntax using "vi" in attribute-resolver.xml

:1,$s/basic:AttributeRequesterString/Requester/g
:1,$s/basic:AttributeValueString/Value/g
:1,$s/basic:Rule/Rule/g
:1,$s/saml:AttributeRequesterInEntityGroup/InEntityGroup/g
:1,$s/basic:ANY/ANY/g
:1,$s/basic:OR/OR/g


service.xml

test attributes from the CLI

[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://test.federation.renater.fr/test/ressource --configDir=conf/ --principal=etudiant1

{
"requester": "https://test.federation.renater.fr/test/ressource",
"principal": "etudiant1",
"attributes": [


  {
    "name": "uid",
    "values": [
              "StringAttributeValue{value=etudiant1}"          ]
  },  

  {
    "name": "mail",
    "values": [
              "StringAttributeValue{value=etudiant1@example.org}"          ]
  },  

  {
    "name": "eduPersonPrincipalName",
    "values": [
              "ScopedStringAttributeValue{value=etudiant1, scope=int.eu}"          ]
  }  

]
}

Registration in a federation

first in the Renater test federation

https://federation.renater.fr/registry

Test login with internal LDAP

having set the password scheme via LDAP by default, a login/password from the configured institutional LDAP directory gives access to the Renater test resource https://test.federation.renater.fr/test/ressource, which displays the list of attributes sent and, in v3, now asks for consent (the uApprove add-on in v2)

Information to be Provided to Service
eduPersonPrincipalName 	teststud@int.fr
mail 	teststud@example.org
uid 	teststud

Ask me again at next login 
Ask me again if information to be provided to this service changes 
Do not ask me again 

idp-process.log:

2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|
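To turn these audit lines into a detection, an added example (not from the page or from Shibboleth) that parses Shibboleth-Audit.SSO records and reports attribute releases outside a per-SP policy. It assumes the IdP v3 default audit field order (time, inbound binding, inbound message id, SP, profile, IdP, outbound binding, outbound message id, user, authn context, attributes, NameID, assertion id); the log sample and the release policy are constructed.

```python
"""Parse Shibboleth IdP v3 audit records from idp-process.log and flag attribute
releases that go beyond what each SP is expected to receive."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed sample modelled on the excerpt above: message ids, NameIDs and the
# last line (an SP unknown to the policy, receiving an extra attribute) are made up.
SAMPLE_LOG = """\
2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_in1|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_out1|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|NAMEID1|_a1|
2016-07-03 15:02:07,004 - INFO [Shibboleth-Audit.SSO:241] - 20160703T130207Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_in2|https://sp.unknown.example/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_out2|etudiant1|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName,eduPersonEntitlement|NAMEID2|_a2|
"""

# Assumed field order of the Shibboleth-Audit.SSO record (IdP v3 default audit format).
SSO_FIELDS = ["time", "inbound_binding", "inbound_msg_id", "sp", "profile", "idp",
              "outbound_binding", "outbound_msg_id", "user", "authn_context",
              "attributes", "name_id", "assertion_id"]

# Only the SSO audit logger; consent audit and ordinary INFO lines are skipped.
AUDIT_LINE = re.compile(r"\[Shibboleth-Audit\.SSO:\d+\] - (?P<record>.+)$")


@dataclass
class SsoEvent:
    time: datetime
    sp: str
    user: str
    authn_context: str
    attributes: tuple


def parse_sso_events(log_text):
    """Return one SsoEvent per Shibboleth-Audit.SSO record found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_LINE.search(line)
        if not m:
            continue
        fields = m.group("record").split("|")
        if len(fields) < len(SSO_FIELDS):
            raise ValueError("unexpected audit record: " + line)
        rec = dict(zip(SSO_FIELDS, fields))
        events.append(SsoEvent(
            time=datetime.strptime(rec["time"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc),
            sp=rec["sp"],
            user=rec["user"],
            authn_context=rec["authn_context"],
            # the attribute list is comma separated; an empty field means nothing released
            attributes=tuple(a for a in rec["attributes"].split(",") if a)))
    return events


# Constructed per-SP release policy: the attributes each SP entityID may receive.
RELEASE_POLICY = {
    "https://test.federation.renater.fr/test/ressource": {"uid", "mail", "eduPersonPrincipalName"},
}


def find_over_releases(events, policy):
    """Return (sp, user, unexpected attributes) for every SSO whose released
    attributes exceed the policy; an SP absent from the policy is allowed nothing,
    so any release to it is reported in full."""
    findings = []
    for ev in events:
        extra = sorted(set(ev.attributes) - policy.get(ev.sp, set()))
        if extra:
            findings.append((ev.sp, ev.user, extra))
    return findings


if __name__ == "__main__":
    for sp, user, extra in find_over_releases(parse_sso_events(SAMPLE_LOG), RELEASE_POLICY):
        print("over-release to %s for %s: %s" % (sp, user, ", ".join(extra)))
```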

SSO CAS

https://services.renater.fr/federation/docs/installation/idp3/chap08

[root@idp3]# cd /opt/src/

[root@idp3 src]# git clone https://github.com/Unicon/shib-cas-authn3 shib-cas-authn3-git-master
Cloning into 'shib-cas-authn3-git-master'...
remote: Counting objects: 1172, done.
remote: Total 1172 (delta 0), reused 0 (delta 0), pack-reused 1172
Receiving objects: 100% (1172/1172), 991.61 KiB | 884.00 KiB/s, done.
Resolving deltas: 100% (427/427), done.

[root@idp3 src]# cp -R /opt/src/shib-cas-authn3-git-master/IDP_HOME/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
[root@idp3 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/v3.0.0/shib-cas-authenticator-3.0.0.jar 
[root@idp3 src]# mv shib-cas-authenticator-3.0.0.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/ 
[root@idp3 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.3.3/cas-client-core-3.3.3.jar

[root@idp3 src]# mv cas-client-core-3.3.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/

Modify the web flow to use the CAS plugin via /opt/shibboleth-idp/conf/idp.properties

[root@idp3 conf]# diff idp.properties idp.properties.dist 
100,114c100
< #idp.authn.flows= Password
< idp.authn.flows= Shibcas
< 
< # CAS Client properties (usage loosely matches that of the Java CAS Client)
< ## CAS Server Properties
< shibcas.casServerUrlPrefix = https://cas16.int.eu/cas
< shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
<  
< ## Shibboleth Server Properties
< shibcas.serverName = https://cas16.int.eu
< 
< # La partie ci-dessous est une fonctionnalité avancée de l'extention shib-cas en question (optionnelle)
< # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
< # Takes a comma separated list of fully qualified class names
< # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
---
> idp.authn.flows= Password
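Review bot: under the "## Shibboleth Server Properties" heading the hunk sets shibcas.serverName to https://cas16.int.eu, the same host as shibcas.casServerUrlPrefix; the heading and the client's own naming indicate this property should carry the Shibboleth (IdP) server's URL, since it is used to build the service URL that CAS redirects the browser back to. Verify the value is intended; it is only right if the IdP is served from cas16.int.eu, whereas the rest of the page uses idp3.int.eu.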

declare the Shibcas bean in general-authn.xml:

[root@idp3 authn]# diff general-authn.xml general-authn.xml.dist 
93,98d92
< 	<!-- https://services.renater.fr/federation/docs/installation/idp3/chap08 -->
< 	 <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
<                 p:passiveAuthenticationSupported="true"
<                 p:forcedAuthenticationSupported="true"
<                 p:nonBrowserSupported="false" />
< 

and rebuild idp.war + stop/start tomcat

[root@idp3 bin]# systemctl start tomcat.service

[root@idp3 bin]# /opt/shibboleth-idp/bin/build.sh
Installation Directory: [/opt/shibboleth-idp]

RETURN (!?)

Rebuilding /opt/shibboleth-idp/war/idp.war ...

...done

BUILD SUCCESSFUL

# remove the whole deployment from the tomcat webapps tree so that the new idp.war is sure to replace everything

[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp

[root@idp3 bin]# systemctl start tomcat.service

a new test on https://test.federation.renater.fr/test/ressource shows that we now go through CAS.

attribute filter

https://services.renater.fr/federation/docs/installation/idp3/chap10

the large number of SPs and their regular churn in a large federation such as Renater's call for automation in filter management. "Since 2015 and IdP 2.4, Shibboleth introduces a new PermitValueRule of type AttributeInMetadata usable in your attribute-filter.xml configuration file. For a set of SPs, this feature lets you release user attributes as narrowly as possible, only when the SP declares them as requested in the federation metadata. The onlyIfRequired option further restricts release to attributes marked as required."

we add the rules proposed in the Renater documentation

<!-- Release the required attributes, Test Federation context -->
  <AttributeFilterPolicy id="releaseToAllRenaterSps">
  ....

then redeploy

[root@idp3 conf]# vim attribute-filter.xml
[root@idp3 shibboleth-idp]# cd ../bin/
[root@idp3 bin]# systemctl stop tomcat.service 
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# ./build.sh 
Installation Directory: [/opt/shibboleth-idp]

Rebuilding /opt/shibboleth-idp/war/idp.war ...

...done

BUILD SUCCESSFUL
Total time: 4 seconds
[root@idp3 bin]# 
[root@idp3 bin]# systemctl start tomcat.service 

a new test on https://test.federation.renater.fr/test/ressource now shows more attributes.

scripted attribute definition for entitlement

the "entitlement" attribute is built from a script; this changes between IdP v2 and v3 on several points, in terms of schema and of the Java scripting engine, 1.7 (Rhino) vs 1.8 (Nashorn)

ref:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJava1.8
https://wiki.shibboleth.net/confluence/display/IDP30/ScriptedAttributeDefinition

example

  <!-- jehan  eduPersonEntitlement -->
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="schacUserStatus" />
    <resolver:Dependency ref="mail" />
    <resolver:Dependency ref="eduPersonPrimaryOrgUnitDN" />

    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="entitlement" />

    <Script>
      <![CDATA[
        // IdP v3 (Nashorn) version: the attribute being defined, eduPersonEntitlement,
        // already exists and is filled with addValue(); the v2 BasicAttribute class is
        // not available in v3. Dependency values are IdPAttributeValue objects, hence
        // getValue() before any string matching.
        var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
        var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");

        // A dependency that returned nothing is undefined/null, so test before use.
        if (typeof schacUserStatus != "undefined" && schacUserStatus != null
            && typeof mail != "undefined" && mail != null) {

            for (var i = 0; i < schacUserStatus.getValues().size(); i++) {
                var status = schacUserStatus.getValues().get(i).getValue();
                if (status.matches(".*cert.*")) {
                    eduPersonEntitlement.addValue(new StringAttributeValue("urn:mace:terena.org:tcs:perso-user"));
                } else if (status.matches(".*pubhtml.*")) {
                    eduPersonEntitlement.addValue(new StringAttributeValue("urn:mace:imt:employee:int.fr:perso-webspace"));
                }
            }

            if (typeof eduPersonPrimaryOrgUnitDN != "undefined" && eduPersonPrimaryOrgUnitDN != null) {
                var orgUnit = eduPersonPrimaryOrgUnitDN.getValues().get(0).getValue();
                if (orgUnit.matches(".*DSI.*")) {
                    eduPersonEntitlement.addValue(new StringAttributeValue("urn:mace:int:it:int.fr:dsi-user"));
                } else if (orgUnit.matches(".*INTM.*")) {
                    eduPersonEntitlement.addValue(new StringAttributeValue("urn:mace:int:staff:int.fr:intm-user"));
                }
            }
        }
        // The v2 script added an empty string when status or mail was missing; v3 string
        // values may not be empty, so the attribute is simply left without values instead.
        logger.info("Values of eduPersonEntitlement were: {}", eduPersonEntitlement.getValues());
      ]]>
    </Script>
  </resolver:AttributeDefinition>

newcerts

regenerate the (self-signed) metadata certificates when the hostname changes and/or the VM is cloned, so as to publish metadata with the correct internal SAML certificates.

ref

[root@idp3 credentials]# openssl req -x509 -new -out idp3-signing.crt -keyout idp3-signing.key -days 3650
writing new private key to 'idp3-signing.key'
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:Essonne
Locality Name (eg, city) [Default City]:Evry
Organization Name (eg, company) [Default Company Ltd]:IMT
Organizational Unit Name (eg, section) []:DISI
Common Name (eg, your name or your server's hostname) []:idp3.int.eu
Email Address []:admin@int.eu

remove the passphrase

[root@idp3 credentials]# openssl rsa -in idp3-signing.key -out idp3-signing-np.key
Enter pass phrase for idp3-signing.key:
writing RSA key

same for the encryption and backchannel keys

[root@idp3 credentials]# openssl req -x509 -new -out idp3-encryption.crt -keyout idp3-encryption.key -days 3650
# openssl rsa -in idp3-encryption.key -out idp3-encryption-np.key

[root@idp3 credentials]# openssl req -x509 -new -out idp3-backchannel.crt -keyout idp3-backchannel.key -days 3650
# openssl rsa -in idp3-backchannel.key -out idp3-backchannel-np.key

removing the passphrase from the p12: http://blog.armbruster-it.de/2010/03/remove-the-passphrase-from-a-pkcs12-certificate/

[root@idp3 credentials]# openssl pkcs12 -in idp3-backchannel.p12 -nodes -out idp3-p12-p-temp.pem
Enter Import Password:
MAC verified OK
[root@idp3 credentials]# openssl pkcs12 -export -in idp3-p12-p-temp.pem  -out idp3-backchannel-np.p12
Enter Export Password: rien
Verifying - Enter Export Password: rien

although this does not seem very useful in the federation context, the local metadata/idp-metadata.xml file should be updated to stay consistent with these new certificates and with the entityID + service URL hostname

docpublic/systemes/shibboleth/idpv3x.1485958041.txt.gz · Last modified: 2017/02/01 14:07 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International