

SP v2

Reference

openSUSE repository

openSUSE maintains RPM packages for several RPM-based distributions, including CentOS!

  • centos7
[root@wood yum.repos.d]# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo

yum install

# yum install shibboleth

Dependencies Resolved

=================================================================================================
 Package                                        Arch                              Version                                    Repository                                      Size
=================================================================================================
Installing:
 shibboleth                                     x86_64                            2.5.4-3.2                                  security_shibboleth                            1.1 M
Installing for dependencies:
 libcurl-openssl                                x86_64                            7.42.1-1.1                                 security_shibboleth                            210 k
 libevent                                       x86_64                            2.0.21-4.el7                               base                                           214 k
 liblog4shib1                                   x86_64                            1.0.9-3.1                                  security_shibboleth                             68 k
 libmemcached                                   x86_64                            1.0.16-3.el7                               base                                           236 k
 libsaml8                                       x86_64                            2.5.4-3.3                                  security_shibboleth                            923 k
 libtool-ltdl                                   x86_64                            2.4.2-20.el7                               base                                            49 k
 libxml-security-c17                            x86_64                            1.7.3-3.1                                  security_shibboleth                            286 k
 libxmltooling6                                 x86_64                            1.5.4-4.2                                  security_shibboleth                            702 k
 opensaml-schemas                               x86_64                            2.5.4-3.3                                  security_shibboleth                             29 k
 unixODBC                                       x86_64                            2.3.1-10.el7                               base                                           413 k
 xerces-c                                       x86_64                            3.1.1-6.el7                                base                                           878 k
 xmltooling-schemas                             x86_64                            1.5.4-4.2                                  security_shibboleth                             12 k

Transaction Summary
=============================================================
Install  1 Package (+12 Dependent packages)

Total download size: 5.1 M
Installed size: 28 M
Is this ok [y/d/N]: y

Installed:
  shibboleth.x86_64 0:2.5.4-3.2            

Post install

Automatic startup

[root@wood yum.repos.d]# systemctl list-units --all | grep -i shib
shibd.service                           loaded inactive dead      LSB: Shibboleth 2 Service Provider Daemon

[root@wood yum.repos.d]# systemctl enable shibd.service           
shibd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig shibd on
The unit files have no [Install] section. They are not meant to be enabled
using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
   .wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
   a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
   D-Bus, udev, scripted systemctl call, ...).
[root@wood yum.repos.d]# chkconfig --list | grep shibd

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

shibd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

and manually the first time:

# /etc/init.d/shibd start ; tail -f /var/log/shibboleth/shibd.log

As well as an httpd restart / reload to load the mod_shib module declared in /etc/httpd/conf.d/shib.conf:

[root@wood ~]# systemctl restart httpd.service 

Log file locations

Defined in the .logger files:

[root@wood shibboleth]# grep fileName *.logger
native.logger:log4j.appender.native_log.fileName=/var/log/shibboleth-www/native.log
native.logger:log4j.appender.warn_log.fileName=/var/log/shibboleth-www/native_warn.log
shibd.logger:log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
shibd.logger:log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
shibd.logger:log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
shibd.logger:log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log

httpd.conf

$ diff httpd.conf httpd.conf.orig
275c275
< UseCanonicalName On
---
> UseCanonicalName Off
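Review bot: the diff runs with the edited httpd.conf first and httpd.conf.orig second, so the `<` line is the new value: UseCanonicalName is switched from Off to On, and the page should say why, because the change only works as intended with a matching ServerName. With On, Apache builds self-referential URLs (and the host name mod_shib hands to shibd for its handler and redirect URLs) from ServerName rather than from the client-supplied Host header, so ServerName (and Port if non-default) must be set correctly in every vhost that fronts the SP, otherwise the SP's handler URLs will point at the wrong host.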

Status test

Configure the ACL in /etc/shibboleth/shibboleth2.xml that allows access to the /Status handler URL:

<!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 157.159.50.97"/>

Access:

The metadata directly:

shibboleth2.xml configuration

The file /etc/shibboleth/shibboleth2.xml holds most of the Shibboleth Service Provider configuration. Only the parts modified relative to the original file are shown here, namely the SSO service, the error messages, and the Metadata.

SSO

Warning: since version 2.4 the SessionInitiator element has been replaced by the SSO element! https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO

 <ApplicationDefaults entityID="https://wood.tem-tsp.eu/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">

..
 <!-- <SSO entityID="https://idp.example.org/shibboleth" -->
            <SSO
                 discoveryProtocol="SAMLDS" discoveryURL="https://shibidp1.it-sudparis.eu/WAYFIT/WAYF.php">
              SAML2 SAML1
            </SSO>

Error messages

 <Errors supportContact="jehan.procaccia@it-sudparis.eu"
            metadata="metadataError_fr.html"
                access="accessError_fr.html"
                ssl="sslError_fr.html"
                localLogout="localLogout_fr.html"
                globalLogout="globalLogout_fr.html"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
...

Metadata

<!-- Chains together all your metadata sources. -->
        <MetadataProvider type="Chaining">
         <!--
            Federation IT />
            -->
                <MetadataProvider type="XML" uri="http://shibidp.it-sudparis.eu/metadata/metadata.itsp.xml"
                  backingFilePath="/etc/shibboleth/metadata.itsp.xml" reloadInterval="7200">
                </MetadataProvider>


                <!-- Metadata of the Éducation-Recherche test federation -->
                <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
                        backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
                        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
                        <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
                </MetadataProvider>

        </MetadataProvider>
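As an added example (not code from the original page or from the Shibboleth project), the following Python mirrors the check that the RequireValidUntil filter above enforces on the downloaded aggregate: the metadata XML in it is constructed sample data, and the 2419200-second cap is the page's maxValidityInterval value.

```python
"""Re-implement the check the SP's RequireValidUntil metadata filter performs,
so a federation metadata file can be vetted before shibd loads it.
Added example, not code from the original page or from the Shibboleth project.
The XML below is constructed sample metadata; the 2419200-second limit (28 days)
is the maxValidityInterval value from the shibboleth2.xml fragment above."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MAX_VALIDITY_INTERVAL = 2419200  # seconds, same value as the MetadataFilter above


def parse_saml_datetime(value: str) -> datetime:
    """SAML dateTime values are UTC, end with 'Z' and may carry fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_valid_until(metadata_xml: str, now: datetime,
                      max_interval: int = MAX_VALIDITY_INTERVAL) -> tuple:
    """Mirror RequireValidUntil: the root descriptor must carry a validUntil,
    it must not be in the past, and it must not lie more than max_interval
    seconds ahead (a cap on how long a stale or replayed file stays trusted)."""
    root = ET.fromstring(metadata_xml)
    if root.tag not in (MD_NS + "EntitiesDescriptor", MD_NS + "EntityDescriptor"):
        return False, "root element is not SAML metadata"
    value = root.get("validUntil")
    if value is None:
        return False, "validUntil attribute missing"
    valid_until = parse_saml_datetime(value)
    if valid_until <= now:
        return False, "metadata expired at " + value
    if valid_until - now > timedelta(seconds=max_interval):
        return False, "validUntil exceeds maxValidityInterval"
    return True, "ok"


# Constructed sample aggregate with one IdP, valid for 7 days after the fixed
# 'now' used below (the page's last-modified date).
NOW = datetime(2015, 6, 4, 20, 52, tzinfo=timezone.utc)
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  Name="urn:mace:example:test-federation" validUntil="2015-06-11T20:52:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(check_valid_until(SAMPLE, NOW))  # (True, 'ok')
```

Running it against a real aggregate (read the backing file into `metadata_xml` and pass `datetime.now(timezone.utc)`) tells you whether shibd will accept or reject the file for validity reasons; the Signature filter is a separate check.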

Grant write access to the shibd user (the user the shibd daemon runs as) on the configuration / metadata download directory, by default /etc/shibboleth:

[root@wood shibboleth]# chgrp shibd .
[root@wood shibboleth]# chmod 775 .

Metadata signing certificates

See https://services.renater.fr/federation/technique/metadata

Renater certificate

[root@wood shibboleth]# wget  https://federation.renater.fr/renater/metadata-federation-renater.crt

Multiple vhosts on a single SP

References

Generate the key pair for the application/vhost:

[root@colmut shibboleth]# ./keygen.sh -h moodev.tem-tsp.eu -f 
Generating a 2048 bit RSA private key
......+++
.....................................................................................+++
writing new private key to './sp-key.pem'
-----

[root@colmut shibboleth]# mv sp-key.pem moodev.tem-tsp.eu-sp-key.pem
[root@colmut shibboleth]# mv sp-cert.pem moodev.tem-tsp.eu-sp-cert.pem

[root@colmut shibboleth]# chown shibd moodev.tem-tsp.eu-sp-key.pem moodev.tem-tsp.eu-sp-cert.pem

Declaration of the application override, loading the self-signed certificates generated above:

... 
       <ApplicationOverride id="moodev" entityID="https://moodev.tem-tsp.eu/sp"
                  REMOTE_USER="eppn persistent-id targeted-id">
         <CredentialResolver type="File" key="moodev.tem-tsp.eu-sp-key.pem" certificate="moodev.tem-tsp.eu-sp-cert.pem"/>
        </ApplicationOverride>


    </ApplicationDefaults>
docpublic/systemes/shibboleth/spv2c7.1433451119.txt.gz · Last modified: 2015/06/04 20:52 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International