openSUSE maintains RPM packages for several RPM-based distributions, including CentOS!
[root@wood yum.repos.d]# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
# yum install shibboleth
Dependencies Resolved
==============================================================================
 Package               Arch     Version          Repository            Size
==============================================================================
Installing:
 shibboleth            x86_64   2.5.5-3.1        security_shibboleth   1.1 M
Installing for dependencies:
 libcurl-openssl       x86_64   7.43.0-1.1       security_shibboleth   211 k
 libevent              x86_64   2.0.21-4.el7     base                  214 k
 liblog4shib1          x86_64   1.0.9-3.1        security_shibboleth    68 k
 libmemcached          x86_64   1.0.16-3.el7     base                  236 k
 libsaml8              x86_64   2.5.5-1.1        security_shibboleth   923 k
 libtool-ltdl          x86_64   2.4.2-20.el7     base                   49 k
 libxml-security-c17   x86_64   1.7.3-3.1        security_shibboleth   286 k
 libxmltooling6        x86_64   1.5.6-1.1        security_shibboleth   702 k
 opensaml-schemas      x86_64   2.5.5-1.1        security_shibboleth    29 k
 unixODBC              x86_64   2.3.1-10.el7     base                  413 k
 xerces-c              x86_64   3.1.1-7.el7_1    updates               878 k
 xmltooling-schemas    x86_64   1.5.6-1.1        security_shibboleth    12 k

Transaction Summary
==============================================================================
Install  1 Package (+12 Dependent packages)

Total download size: 5.1 M
Installed size: 28 M

Installed:
  shibboleth.x86_64 0:2.5.5-3.1
[root@wood yum.repos.d]# systemctl list-units --all | grep -i shib
shibd.service    loaded inactive dead    LSB: Shibboleth 2 Service Provider Daemon
[root@wood yum.repos.d]# systemctl enable shibd.service
shibd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig shibd on
The unit files have no [Install] section. They are not meant to be enabled
using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
   .wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
   a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
   D-Bus, udev, scripted systemctl call, ...).
[root@wood yum.repos.d]# chkconfig --list | grep shibd

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

shibd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
and start it manually the first time:
# /etc/init.d/shibd start ; tail -f /var/log/shibboleth/shibd.log
As well as an httpd restart / reload to load mod_shib, configured in /etc/httpd/conf.d/shib.conf:
[root@wood ~]# systemctl restart httpd.service
The log files are defined in the .logger files:
[root@wood shibboleth]# grep fileName *.logger
native.logger:log4j.appender.native_log.fileName=/var/log/shibboleth-www/native.log
native.logger:log4j.appender.warn_log.fileName=/var/log/shibboleth-www/native_warn.log
shibd.logger:log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
shibd.logger:log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
shibd.logger:log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
shibd.logger:log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
$ diff httpd.conf httpd.conf.orig
275c275
< UseCanonicalName On
---
> UseCanonicalName Off
Set the ACL in /etc/shibboleth/shibboleth2.xml that controls which addresses may access this URL (the Status handler):
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 157.159.50.97"/>
Access:
The metadata directly:
The file /etc/shibboleth/shibboleth2.xml holds most of the configuration of the Shibboleth Service Provider. Only the parts changed from the original file are shown here, namely the SSO service, the error messages and the Metadata.
Note that since version 2.4 the SessionInitiator element has been replaced by the SSO element! https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO
<ApplicationDefaults entityID="https://wood.tem-tsp.eu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
..
    <!-- <SSO entityID="https://idp.example.org/shibboleth" -->
    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://shibidp1.it-sudparis.eu/WAYFIT/WAYF.php">
      SAML2 SAML1
    </SSO>
    <Errors supportContact="jehan.procaccia@it-sudparis.eu"
        metadata="metadataError_fr.html"
        access="accessError_fr.html"
        ssl="sslError_fr.html"
        localLogout="localLogout_fr.html"
        globalLogout="globalLogout_fr.html"
        logoLocation="/shibboleth-sp/logo.jpg"
        styleSheet="/shibboleth-sp/main.css"/>
    ...
    <!-- Chains together all your metadata sources. -->
    <MetadataProvider type="Chaining">
        <!-- Federation IT /> -->
        <MetadataProvider type="XML" uri="http://shibidp.it-sudparis.eu/metadata/metadata.itsp.xml"
            backingFilePath="/etc/shibboleth/metadata.itsp.xml" reloadInterval="7200">
        </MetadataProvider>
        <!-- Metadata of the Éducation-Recherche test federation -->
        <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
            backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
        </MetadataProvider>
    </MetadataProvider>
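The two security-relevant settings shown above are the Status handler ACL and the filters on each remote MetadataProvider (RequireValidUntil and Signature). The following added check, which is not part of the original page or of the Shibboleth project, parses a shibboleth2.xml and reports remote metadata sources that are fetched without those filters, plus the Status handler ACL; the sample configuration embedded in it is a constructed copy of the page's own snippets.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Status handler and MetadataProvider chain from the page.
SAMPLE = """<SPConfig>
<ApplicationDefaults entityID="https://wood.tem-tsp.eu/shibboleth">
  <Sessions>
    <Handler type="Status" Location="/Status" acl="127.0.0.1 157.159.50.97"/>
  </Sessions>
  <MetadataProvider type="Chaining">
    <MetadataProvider type="XML" uri="http://shibidp.it-sudparis.eu/metadata/metadata.itsp.xml"
        backingFilePath="/etc/shibboleth/metadata.itsp.xml" reloadInterval="7200"/>
    <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
        backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
    </MetadataProvider>
  </MetadataProvider>
</ApplicationDefaults>
</SPConfig>"""


def local(tag):
    """Strip the XML namespace so the check also works on a real, namespaced shibboleth2.xml."""
    return tag.rsplit('}', 1)[-1]


def audit_metadata(xml_text):
    """Return (uri, finding) pairs for every XML MetadataProvider that fetches from a uri."""
    findings = []
    for mp in ET.fromstring(xml_text).iter():
        if local(mp.tag) != 'MetadataProvider' or mp.get('type') != 'XML':
            continue
        uri = mp.get('uri')
        if not uri:
            continue  # local file only: nothing is fetched from the network
        filters = {f.get('type') for f in mp if local(f.tag) == 'MetadataFilter'}
        if 'Signature' not in filters:
            findings.append((uri, 'no Signature filter: downloaded metadata is trusted unverified'))
        if 'RequireValidUntil' not in filters:
            findings.append((uri, 'no RequireValidUntil filter: stale metadata never expires'))
        if uri.startswith('http://') and 'Signature' not in filters:
            findings.append((uri, 'plain http and unsigned: metadata can be altered in transit'))
    return findings


def status_acl(xml_text):
    """Return the acl attribute of the Status handler, or None if absent (unrestricted)."""
    for h in ET.fromstring(xml_text).iter():
        if local(h.tag) == 'Handler' and h.get('type') == 'Status':
            return h.get('acl')
    return None
```

Run against the sample, the Renater provider (signed, with validUntil enforced) produces no finding, while the IT federation provider, fetched over plain http with no filters, produces three.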
Grant write access to the shibd user (the user the shibd daemon runs as) on the configuration directory, which is also where metadata is downloaded by default, /etc/shibboleth:
[root@wood shibboleth]# chgrp shibd .
[root@wood shibboleth]# chmod 775 .
See https://services.renater.fr/federation/technique/metadata
Renater certificate:
[root@wood shibboleth]# wget https://federation.renater.fr/renater/metadata-federation-renater.crt
Before generating a new key pair, it is preferable to back up the initial pair (since -f / force will overwrite it):
[root@wood shibboleth]# cp sp-key.pem sp-key-wood.pem
[root@wood shibboleth]# cp sp-cert.pem sp-cert-wood.pem
Generate the key pair for the application/vhost:
[root@wood shibboleth]# ./keygen.sh -h mood.paris-saclay.fr -f
Generating a 2048 bit RSA private key
............................................................................................+++
....................+++
writing new private key to './sp-key.pem'
-----
[root@wood shibboleth]# mv sp-key.pem sp-key-mood.paris-saclay.fr.pem
[root@wood shibboleth]# mv sp-cert.pem sp-cert-mood.paris-saclay.fr.pem
[root@wood shibboleth]# chown shibd sp-cert-mood.paris-saclay.fr.pem sp-key-mood.paris-saclay.fr.pem
Declaration of the application override, loading the self-signed certificate and key generated above:
    ...
    <ApplicationOverride id="mood" entityID="https://mood.paris-saclay.fr/sp" REMOTE_USER="eppn persistent-id targeted-id">
        <CredentialResolver type="File" key="sp-key-mood.paris-saclay.fr.pem" certificate="sp-cert-mood.paris-saclay.fr.pem"/>
    </ApplicationOverride>
</ApplicationDefaults>