IdP-ShibV2x

Example deployment of a Shibboleth Identity Provider (IdP v2.3.3 on shibidp3, then v2.4.0 on shibidpext) on CentOS 6 using the distribution's native packages: OpenJDK JVM and Tomcat 6.

[root@shibidp3 shibboleth-idp]# arch
i686
[root@shibidp3 shibboleth-idp]# cat /etc/redhat-release 
CentOS Linux release 6.0 (Final)
[root@shibidpext /]# arch 
i686
[root@shibidpext /]# cat /etc/redhat-release 
CentOS release 6.4 (Final)

Shibboleth v2 references

Prerequisites

Required software

Java

A JDK is required; here OpenJDK (1.6 on shibidp3, 1.7 on shibidpext):

[root@shibidp3 /]# rpm -qa | grep -i jdk
java-1.6.0-openjdk-devel-1.6.0.0-1.31.b17.el6_0.i686
java-1.6.0-openjdk-1.6.0.0-1.31.b17.el6_0.i686
[root@shibidpext /]# yum install java-1.7.0-openjdk java-1.7.0-openjdk-devel
Installed:
  java-1.7.0-openjdk.i686 1:1.7.0.25-2.3.10.4.el6_4                     java-1.7.0-openjdk-devel.i686 1:1.7.0.25-2.3.10.4.el6_4      

Java environment

On CentOS/Red Hat the JRE and JDK install Java under */usr/lib/jvm/java*, a symlink managed by alternatives. List the packages with:

$ rpm -qa | grep java

[root@shibidp3 /]# ls -l /usr/lib/jvm/java
lrwxrwxrwx 1 root root 26 Sep  6 12:51 /usr/lib/jvm/java -> /etc/alternatives/java_sdk
[root@shibidp3 /]# ls -l /etc/alternatives/java_sdk
lrwxrwxrwx 1 root root 31 Sep  6 12:51 /etc/alternatives/java_sdk -> /usr/lib/jvm/java-1.6.0-openjdk


JAVA_HOME and a heap limit are exported in root's ~/.bash_profile. These only apply to the shell that runs install.sh below; the Tomcat service takes its JVM options from /etc/tomcat6/tomcat6.conf.

$ grep -i java ~/.bash_profile
#java
export JAVA_HOME=/usr/lib/jvm/java
export JAVA_OPTS="-Xmx256m"
[root@shibidpext ~]# ls -l /usr/lib/jvm/java
lrwxrwxrwx 1 root root 26 Oct  9 12:37 /usr/lib/jvm/java -> /etc/alternatives/java_sdk
[root@shibidpext ~]# ls -l /etc/alternatives/java_sdk
lrwxrwxrwx 1 root root 31 Oct  9 12:37 /etc/alternatives/java_sdk -> /usr/lib/jvm/java-1.7.0-openjdk

[root@shibidpext ~]# grep -i java ~/.bash_profile
#java
export JAVA_HOME=/usr/lib/jvm/java
export JAVA_OPTS="-Xmx256m"

Tomcat

A Java servlet container; here Tomcat 6, available natively in CentOS 6. Note that tomcat6-webapps and tomcat6-admin-webapps pull in the examples and manager applications, which a production IdP does not need (see the AJP section below):

[root@shibidp3 /]# rpm -qa | grep -i tomcat6
tomcat6-servlet-2.5-api-6.0.24-24.el6_0.noarch
tomcat6-lib-6.0.24-24.el6_0.noarch
tomcat6-admin-webapps-6.0.24-24.el6_0.noarch
tomcat6-jsp-2.1-api-6.0.24-24.el6_0.noarch
tomcat6-el-2.1-api-6.0.24-24.el6_0.noarch
tomcat6-6.0.24-24.el6_0.noarch
tomcat6-webapps-6.0.24-24.el6_0.noarch
[root@shibidpext ~]# yum install tomcat6-servlet tomcat6-webapps tomcat6-admin-webapps
Installed:
  tomcat6-admin-webapps.noarch 0:6.0.24-57.el6_4                              tomcat6-webapps.noarch 0:6.0.24-57.el6_4                             

Dependency Installed:
  apache-tomcat-apis.noarch 0:0.1-1.el6                                 at.i686 0:3.1.10-43.el6_2.1                                                 
  atk.i686 0:1.28.0-2.el6                                               axis.noarch 0:1.2.1-7.3.el6_3                                               
  bc.i686 0:1.06.95-1.el6                                               bcel.i686 0:5.2-7.2.el6                                                     
  cairo.i686 0:1.8.8-3.1.el6                                            classpathx-jaf.i686 0:1.0-15.4.el6                                          
  classpathx-mail.noarch 0:1.1.1-9.4.el6                                cvs.i686 0:1.11.23-15.el6                                                   
  ecj.i686 1:3.4.2-6.el6                                                file.i686 0:5.04-15.el6                                                     
  gettext.i686 0:0.17-16.el6                                            gtk2.i686 0:2.18.9-12.el6                                                   
  hicolor-icon-theme.noarch 0:0.11-1.1.el6                              jakarta-commons-collections.noarch 0:3.2.1-3.4.el6                          
  jakarta-commons-daemon.i686 1:1.0.1-8.9.el6                           jakarta-commons-dbcp.noarch 0:1.2.1-13.8.el6                                
  jakarta-commons-discovery.noarch 1:0.4-5.4.el6                        jakarta-commons-httpclient.i686 1:3.1-0.7.el6_3                             
  jakarta-commons-logging.noarch 0:1.0.4-10.el6                         jakarta-commons-pool.i686 0:1.3-12.7.el6                                    
  jakarta-taglibs-standard.noarch 0:1.1.1-11.4.el6                      jasper-libs.i686 0:1.900.1-15.el6_1.1                                       
  java-1.5.0-gcj.i686 0:1.5.0.0-29.1.el6                                java-1.6.0-openjdk.i686 1:1.6.0.0-1.62.1.11.11.90.el6_4                     
  java_cup.i686 1:0.10k-5.el6                                           libXcomposite.i686 0:0.4.3-4.el6                                            
  libXcursor.i686 0:1.1.13-2.el6                                        libXdamage.i686 0:1.1.3-4.el6                                               
  libXfixes.i686 0:5.0-3.el6                                            libXft.i686 0:2.3.1-2.el6                                                   
  libXinerama.i686 0:1.1.2-2.el6                                        libXrandr.i686 0:1.4.0-1.el6                                                
  libart_lgpl.i686 0:2.3.20-5.1.el6                                     libgcj.i686 0:4.4.7-3.el6                                                   
  libgomp.i686 0:4.4.7-3.el6                                            libthai.i686 0:0.1.12-3.el6                                                 
  log4j.i686 0:1.2.14-6.4.el6                                           mx4j.noarch 1:3.0.1-9.13.el6                                                
  pango.i686 0:1.28.1-7.el6_3                                           patch.i686 0:2.6-6.el6                                                      
  pax.i686 0:3.4-10.1.el6                                               perl-CGI.i686 0:3.51-131.el6_4                                              
  perl-ExtUtils-MakeMaker.i686 0:6.55-131.el6_4                         perl-ExtUtils-ParseXS.i686 1:2.2003.0-131.el6_4                             
  perl-Test-Harness.i686 0:3.17-131.el6_4                               perl-Test-Simple.i686 0:0.92-131.el6_4                                      
  perl-devel.i686 4:5.10.1-131.el6_4                                    pixman.i686 0:0.26.2-5.el6_4                                                
  redhat-lsb-core.i686 0:4.0-7.el6.centos                               regexp.i686 0:1.5-4.4.el6                                                   
  sinjdoc.i686 0:0.5-9.1.el6                                            tomcat6.noarch 0:6.0.24-57.el6_4                                            
  tomcat6-el-2.1-api.noarch 0:6.0.24-57.el6_4                           tomcat6-jsp-2.1-api.noarch 0:6.0.24-57.el6_4                                
  tomcat6-lib.noarch 0:6.0.24-57.el6_4                                  tomcat6-servlet-2.5-api.noarch 0:6.0.24-57.el6_4                            
  wsdl4j.noarch 0:1.5.2-7.8.el6                                         xalan-j2.noarch 0:2.7.0-9.8.el6                                             
  xml-commons-apis.i686 0:1.3.04-3.6.el6                                xml-commons-resolver.i686 0:1.1-4.18.el6                 
  

IDP v2.x.x

Download

Fetch the IdP archive and check it against the signature or checksum published with it on shibboleth.net before unpacking; the download below goes over plain http.

 
[root@shibidp3 opt]# wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.3-bin.zip
[root@shibidp3 opt]# unzip shibboleth-identityprovider-2.3.3-bin.zip
 
[root@shibidpext opt]# wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.4.0-bin.tar.gz
[root@shibidpext opt]# tar xvfz shibboleth-identityprovider-2.4.0-bin.tar.gz

Preparing Tomcat

Endorsed Xerces and Xalan

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare

Copy the jars shipped with the IdP into an endorsed directory for Tomcat:

[root@shibidp3 tomcat6]# mkdir /usr/share/tomcat6/endorsed

[root@shibidp3 shibboleth-identityprovider-2.3.3]# ls endorsed/
serializer-2.7.1.jar  xercesImpl-2.10.0.jar  xml-resolver-1.2.jar
xalan-2.7.1.jar       xml-apis-2.10.0.jar
[root@shibidp3 shibboleth-identityprovider-2.3.3]# cp endorsed/*.jar /usr/share/tomcat6/endorsed/
[root@shibidpext /]# mkdir /usr/share/tomcat6/endorsed
[root@shibidpext /]# ls /opt/shibboleth-identityprovider-2.4.0/endorsed/
serializer-2.10.0.jar  xalan-2.7.1.jar  xercesImpl-2.10.0.jar  xml-apis-2.10.0.jar  xml-resolver-1.2.jar
[root@shibidpext /]# cp /opt/shibboleth-identityprovider-2.4.0/endorsed/*.jar /usr/share/tomcat6/endorsed/

Have Tomcat pick up *TOMCAT_HOME/endorsed* at startup:

# tail -1 /etc/tomcat6/tomcat6.conf
JAVA_OPTS="$JAVA_OPTS -Djava.endorsed.dirs=/usr/share/tomcat6/endorsed -Xmx512m"
[root@shibidpext /]# tail -1 /etc/tomcat6/tomcat6.conf
JAVA_OPTS="$JAVA_OPTS -Djava.endorsed.dirs=/usr/share/tomcat6/endorsed -Xmx512m"

Context Deployment Fragment

A small XML fragment that tells Tomcat where the WAR is and how to load the application. Deploying it this way, rather than dropping the WAR into webapps/, avoids Tomcat's auto-deployment, which sometimes causes trouble with Tomcat's work cache. unpackWAR="false" serves the archive in place, so a redeploy is a new idp.war plus a Tomcat restart.

# cat /etc/tomcat6/Catalina/localhost/idp.xml 
<Context docBase="/opt/shibboleth-idp/war/idp.war"
	privileged="true"
	antiResourceLocking="false"
	antiJARLocking="false"
	unpackWAR="false"
	swallowOutput="true" />

AJP connector between Apache and Tomcat

To avoid URLs that carry Tomcat's :8080 or :8443 ports, Apache's mod_proxy_ajp forwards requests under */idp* to the */idp* context in Tomcat. Only the IdP context needs to be published: the second ProxyPass below exposes Tomcat's JSP examples application through the public virtual host and should not be kept on a production IdP. Since Apache talks to AJP on localhost, also bind the AJP Connector in server.xml to 127.0.0.1 (address="127.0.0.1"); the startup log further down shows it listening on 0.0.0.0:8009, i.e. on every interface.

# grep ajp /etc/httpd/conf/httpd.conf 
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /idp/ ajp://localhost:8009/idp/
ProxyPass /examples/ ajp://localhost:8009/jsp-examples/

Installation

Run *install.sh* with JAVA_HOME defined beforehand (it is exported in root's ~/.bash_profile above). The installer asks for the install directory, the IdP hostname and a keystore password. The hostname becomes the IdP's entityID (https://hostname/idp/shibboleth) and the subject of the generated self-signed certificate; the password protects the generated idp.jks in credentials/ (the same key is also written out as idp.key and idp.crt, so that directory must stay private to root and tomcat). Do not use a throwaway value like the `secret` typed in the transcripts below.

[root@shibidp3 shibboleth-identityprovider-2.3.3]# ./install.sh 
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
shibidp3.it-sudparis.eu
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
secret
Updating property file: /opt/shibboleth-identityprovider-2.3.3/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore. 
Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 54 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /opt/shibboleth-identityprovider-2.3.3/src/installer
Building war: /opt/shibboleth-identityprovider-2.3.3/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /opt/shibboleth-identityprovider-2.3.3/src/installer/web.xml
Deleting: /opt/shibboleth-identityprovider-2.3.3/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 3 minutes 29 seconds

IdP 2.4.0 (shibidpext)

[root@shibidpext shibboleth-identityprovider-2.4.0]# ./install.sh 
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idpext.tem-tsp.eu]
sidpext.tem-tsp.eu
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
secret
Updating property file: /opt/shibboleth-identityprovider-2.4.0/src/installer/resources/install.properties
Generating signing and encryption key, certificate, and keystore. 
Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 46 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /opt/shibboleth-identityprovider-2.4.0/src/installer
Building war: /opt/shibboleth-identityprovider-2.4.0/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /opt/shibboleth-identityprovider-2.4.0/src/installer/web.xml
Deleting: /opt/shibboleth-identityprovider-2.4.0/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 36 seconds

The answers given are saved in:

[root@shibidpext shibboleth-identityprovider-2.4.0]# cat src/installer/resources/install.properties 
#Fri Oct 11 17:12:19 CEST 2013
idp.home=/opt/shibboleth-idp
idp.hostname=sidpext.tem-tsp.eu

The installation created the Shibboleth IdP tree under /opt/shibboleth-idp/. It must be accessible to the user running Tomcat, in our case tomcat. Below this is done with a recursive chown of the whole tree; strictly, Tomcat only needs to write to logs/ and metadata/ (see the permission problems further down), and giving it ownership of conf/, credentials/ and war/ means a compromised webapp could rewrite its own configuration and keys. At a minimum keep credentials/ (idp.key, idp.jks) readable only by root and tomcat.

[root@shibidpext shibboleth-identityprovider-2.4.0]# chown -R tomcat /opt/shibboleth-idp/
[root@shibidpext shibboleth-identityprovider-2.4.0]# ls -al ../shibboleth-idp/
total 36
drwxr-xr-x 9 tomcat root 4096 Oct 11 17:11 .
drwxr-xr-x 4 root   root 4096 Oct 11 17:11 ..
drwxr-xr-x 2 tomcat root 4096 Oct 11 17:12 bin
drwxr-xr-x 2 tomcat root 4096 Oct 11 17:12 conf
drwxr-xr-x 2 tomcat root 4096 Oct 11 17:12 credentials
drwxr-xr-x 3 tomcat root 4096 Oct 11 17:12 lib
drwxr-xr-x 2 tomcat root 4096 Oct 11 17:11 logs
drwxr-xr-x 2 tomcat root 4096 Oct 11 17:12 metadata
drwxr-xr-x 2 tomcat root 4096 Oct 11 17:12 war

Startup

Library problems

If startup produces log entries like these:

[root@shibidp3 tomcat6]# tail -f /var/log/tomcat6/localhost.2011-09-06.log 

Sep 6, 2011 4:53:34 PM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.OpensamlConfig' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]: Cannot resolve reference to bean 'shibboleth.ParserPool' while setting bean property 'parserPool'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.ParserPool' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]: Cannot create inner bean 'shibboleth.XercesSecurityManager' of type [org.apache.xerces.util.SecurityManager] while setting bean property 'builderAttributes' with key [TypedStringValue: value [http://apache.org/xml/properties/security-manager], target type [null]]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.apache.xerces.util.SecurityManager] for bean with name 'shibboleth.XercesSecurityManager' defined in URL [file:/opt/shibboleth-idp/conf/internal.xml]; nested exception is java.lang.ClassNotFoundException: org.apache.xerces.util.SecurityManager
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:275)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)

it is probably because the "endorsed" libraries were not loaded, cf. https://lists.internet2.edu/sympa/arc/shibboleth-users/2011-01/msg00240.html. The missing class, org.apache.xerces.util.SecurityManager, is the Xerces component the IdP's ParserPool uses to cap entity expansion in incoming XML; the IdP refuses to start rather than parse SAML with an unhardened parser, so fix the class loading instead of removing the bean from internal.xml.

They must be loaded explicitly via Tomcat's class loader configuration. Note that this puts the IdP's Xerces/Xalan on the common loader shared by every webapp in this Tomcat, so these jars must be kept up to date along with the IdP:

[root@shibidp3 shibboleth-idp]# diff /etc/tomcat6/catalina.properties.orig /etc/tomcat6/catalina.properties
47c47
< common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar
---
> common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/endorsed/*.jar
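The steps so far (endorsed jars and JAVA_OPTS, the context fragment, the chown after install.sh, the common.loader fix) are easy to get half right, and Tomcat only tells you at startup. The following added example, which is not part of the original page nor of Tomcat or the Shibboleth distribution, re-checks them on the filesystem before Tomcat is started. It assumes the paths used on this page (/usr/share/tomcat6, /etc/tomcat6/tomcat6.conf, /etc/tomcat6/catalina.properties, /etc/tomcat6/Catalina/localhost/idp.xml, /opt/shibboleth-idp) and adds a least-privilege assumption the page does not make: only logs/ and metadata/ need to be owned by tomcat, and credentials/ should not be accessible to everyone. The same ownership check covers the "Permission denied" failure shown further down.

```python
"""Pre-flight checks for the Tomcat 6 / Shibboleth IdP 2.x layout used on this page.

Added example, not part of the page, of Tomcat or of the Shibboleth distribution.
Each check returns a list of problems (empty means fine), so it can run on any tree.
"""
import os
import re
import xml.etree.ElementTree as ET

# Jars the IdP ships in endorsed/; versions differ between 2.3.3 and 2.4.0, so prefixes are matched.
ENDORSED_PREFIXES = ("serializer-", "xalan-", "xercesImpl-", "xml-apis-", "xml-resolver-")
# Tomcat must write here (idp-process.log, the metadata backingFile); as a least-privilege
# assumption the page does not make, it should not own the directories in NOT_TOMCAT_OWNED.
WRITABLE_BY_TOMCAT = ("logs", "metadata")
NOT_TOMCAT_OWNED = ("conf", "credentials", "war", "lib")

def _file_matches(path, pattern):
    """True if the file exists and the regex matches one of its lines."""
    try:
        with open(path) as fh:
            return re.search(pattern, fh.read(), re.MULTILINE) is not None
    except (IOError, OSError):
        return False

def check_endorsed(tomcat_home, tomcat_conf, catalina_props):
    """Xerces/Xalan must be copied to TOMCAT_HOME/endorsed and Tomcat must be told to load them."""
    endorsed = os.path.join(tomcat_home, "endorsed")
    if not os.path.isdir(endorsed):
        return ["%s is missing; copy the IdP's endorsed/*.jar there" % endorsed]
    jars = [name for name in os.listdir(endorsed) if name.endswith(".jar")]
    problems = ["no %s*.jar in %s" % (prefix, endorsed)
                for prefix in ENDORSED_PREFIXES if not any(j.startswith(prefix) for j in jars)]
    # Either of the two mechanisms used on this page: -Djava.endorsed.dirs in tomcat6.conf,
    # or ${catalina.home}/endorsed/*.jar appended to common.loader in catalina.properties.
    via_java_opts = _file_matches(tomcat_conf, r"-Djava\.endorsed\.dirs=" + re.escape(endorsed))
    via_common_loader = _file_matches(
        catalina_props, r"^common\.loader=.*\$\{catalina\.home\}/endorsed/\*\.jar")
    if not (via_java_opts or via_common_loader):
        problems.append("%s is referenced neither by JAVA_OPTS in %s nor by common.loader in %s; "
                        "expect ClassNotFoundException: org.apache.xerces.util.SecurityManager"
                        % (endorsed, tomcat_conf, catalina_props))
    return problems

def check_context_fragment(fragment):
    """Catalina/localhost/idp.xml must point at an existing WAR and keep Tomcat from unpacking it."""
    try:
        ctx = ET.parse(fragment).getroot()
    except (IOError, OSError, ET.ParseError) as exc:
        return ["%s unreadable: %s" % (fragment, exc)]
    problems = []
    if ctx.tag != "Context":
        problems.append("%s: root element is <%s>, expected <Context>" % (fragment, ctx.tag))
    doc_base = ctx.get("docBase", "")
    if not os.path.isfile(doc_base):
        problems.append("docBase %r is not an existing file" % doc_base)
    if ctx.get("unpackWAR", "true").lower() != "false":
        problems.append('%s: set unpackWAR="false" so the WAR is served in place' % fragment)
    return problems

def check_ownership(idp_home, tomcat_uid):
    """Tomcat needs logs/ and metadata/; owning conf/, credentials/, war/ or lib/ is more than it needs."""
    problems = []
    for sub in WRITABLE_BY_TOMCAT:
        path = os.path.join(idp_home, sub)
        if not os.path.isdir(path):
            problems.append("%s is missing" % path)
        elif os.stat(path).st_uid != tomcat_uid:
            problems.append("%s is not owned by uid %d; the IdP will fail with 'Permission denied'"
                            % (path, tomcat_uid))
    for sub in NOT_TOMCAT_OWNED:
        path = os.path.join(idp_home, sub)
        if os.path.isdir(path) and os.stat(path).st_uid == tomcat_uid:
            problems.append("%s is owned by the Tomcat user; a compromised webapp could rewrite it" % path)
    credentials = os.path.join(idp_home, "credentials")
    if os.path.isdir(credentials) and os.stat(credentials).st_mode & 0o007:
        problems.append("%s is accessible to everyone; it holds the IdP's private key" % credentials)
    return problems

def preflight(tomcat_home="/usr/share/tomcat6", tomcat_conf="/etc/tomcat6/tomcat6.conf",
              catalina_props="/etc/tomcat6/catalina.properties",
              fragment="/etc/tomcat6/Catalina/localhost/idp.xml",
              idp_home="/opt/shibboleth-idp", tomcat_uid=None):
    """Run every check with the page's default paths; an empty list means Tomcat can be started."""
    if tomcat_uid is None:
        import pwd  # resolved lazily so the checks also run where no 'tomcat' account exists
        tomcat_uid = pwd.getpwnam("tomcat").pw_uid
    return (check_endorsed(tomcat_home, tomcat_conf, catalina_props)
            + check_context_fragment(fragment) + check_ownership(idp_home, tomcat_uid))

if __name__ == "__main__":
    import sys
    found = preflight()
    for problem in found:
        print("PROBLEM: " + problem)
    sys.exit(1 if found else 0)
```

Run it as root before /etc/init.d/tomcat6 start; a non-zero exit means one of the startup failures described on this page is about to happen.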

First startup

On the first Tomcat start after deploying the IdP, the Tomcat logs show:

[root@shibidpext /]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]


Oct 11, 2013 5:22:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/i386:/lib:/usr/lib
Oct 11, 2013 5:22:33 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Oct 11, 2013 5:22:33 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 340 ms
Oct 11, 2013 5:22:33 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Oct 11, 2013 5:22:33 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Oct 11, 2013 5:22:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Oct 11, 2013 5:22:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Oct 11, 2013 5:22:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor idp.xml

Oct 11, 2013 5:22:36 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory sample
Oct 11, 2013 5:22:36 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
Oct 11, 2013 5:22:36 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Oct 11, 2013 5:22:36 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Oct 11, 2013 5:22:36 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Oct 11, 2013 5:22:36 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/13  config=null
Oct 11, 2013 5:22:36 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 3561 ms

Shibboleth logs

Tomcat runs as the tomcat user, so the log directory permissions must allow it to write there:

[root@shibidp3 shibboleth-idp]# chown -R tomcat logs

During installation and configuration it is useful to switch the IdP to DEBUG level. Revert to INFO once it works: DEBUG output includes resolved attribute values and user identifiers (as in the troubleshooting extracts below), which do not belong in long-lived logs.

$ vim /opt/shibboleth-idp/conf/logging.xml

<logger name="edu.internet2.middleware.shibboleth">
    <level value="DEBUG" />
</logger>

Read them with:

$ tail -f /opt/shibboleth-idp/logs/idp-process.log 

Test

At this point the IdP can be tested via *idp/profile/Status*: http://yourIDPhostname.domain.tld/idp/profile/Status

which returns a plain *OK*.

A detailed status is available at http://yourIDPhostname.domain.tld/idp/status, provided the browser's IP address is allowed to read it (the AllowedIP entries of the Status profile handler in handler.xml); once Apache's TLS virtual host is in place, use https for both.

Configuring the IdP

The XML configuration files live in */opt/shibboleth-idp/conf/*.

relying-party.xml

The main configuration file (in 1.3 it was idp.xml, since split into relying-party.xml, handler.xml, ...).

Metadata

Our IdP must be configured to accept requests from trusted services (Service Providers) and to share a user community through identity federations.

References

Metadata signing certificate

Federation metadata is signed, so first fetch the certificate that will verify it into /opt/shibboleth-idp/credentials on your IdP. This certificate is the trust anchor for every SP the IdP will talk to: fetch it over HTTPS and compare its fingerprint (openssl x509 -noout -fingerprint -in metadata-federation-renater.crt) with the value the federation publishes out of band before using it.

For the Renater federation (national, test and local), the certificate used to sign the metadata is available here: https://services-federation.renater.fr/metadata/metadata-federation-renater.crt

[root@shibbc1 credentials]# wget https://services-federation.renater.fr/metadata/metadata-federation-renater.crt
Connecting to services-federation.renater.fr|195.220.94.192|:443... connected.
2014-04-05 14:42:41 (26.6 MB/s) - 'metadata-federation-renater.crt' saved [891/891]

Loading federation metadata

Add a chain of providers/federations inside the MetadataProvider element. The filter chain on the federation provider matters: RequiredValidUntil refuses metadata without a validUntil or valid for longer than maxValidityInterval (604800 s, i.e. 7 days), so a captured copy of the feed cannot be replayed indefinitely; SignatureValidation enforces the federation's signature against shibboleth.MetadataTrustEngine (declared below); EntityRoleWhiteList keeps only SP descriptors, so federation IdPs can never be treated as relying parties.

<!-- MetadataProvider combining other MetadataProviders -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">

    <!-- Load the IdP's own metadata. This is necessary for artifact support. -->
    <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
                               metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml"
                               maxRefreshDelay="P1D" />

    <!-- Federation Renater: Test Education-Recherche -->
    <MetadataProvider id="RENATERTest" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                      metadataURL="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
                      backingFile="/opt/shibboleth-idp/metadata/renater-test-metadata.xml">
        <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
            <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
                            maxValidityInterval="604800" />
            <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                            trustEngineRef="shibboleth.MetadataTrustEngine"
                            requireSignedMetadata="true" />
            <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
            </MetadataFilter>
        </MetadataFilter>
    </MetadataProvider>

</metadata:MetadataProvider>

Metadata signature

In addition to the IdP's own predefined credential (id="IdPCredential"), declare the certificate that signed the federation metadata in the TrustEngine id="shibboleth.MetadataTrustEngine":

<!-- ========================================== -->
<!--     Security Configurations                -->
<!-- ========================================== -->

<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="RenaterCredentials" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/metadata-federation-renater.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>

Otherwise the IdP fails at startup with an error like:

15:00:17.470 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error creating components.  The root cause of this error was: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.MetadataTrustEngine' is defined
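To make concrete what the three MetadataFilters on the RENATERTest provider decide, here is an added example (not IdP code and not from the original page) that re-implements their decisions in Python over a constructed metadata aggregate. RequiredValidUntil, EntityRoleWhiteList and the requireSignedMetadata presence check are reproduced; the cryptographic verification of the signature is intentionally not, it stays with the IdP's SignatureValidation filter and the certificate declared in shibboleth.MetadataTrustEngine. The entityIDs, the federation Name and the placeholder signature in the sample are invented.

```python
"""What the three MetadataFilters in the RENATERTest provider decide, in plain Python.

Added example: this is not IdP code and not part of the page. It re-implements the
decisions of RequiredValidUntil, EntityRoleWhiteList and the requireSignedMetadata
presence check over a constructed aggregate. Cryptographic verification of the
signature is deliberately NOT re-implemented; in the IdP that is the job of the
SignatureValidation filter and shibboleth.MetadataTrustEngine.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# All SAML metadata role elements; EntityRoleWhiteList keeps only the ones listed as RetainedRole.
ROLE_ELEMENTS = ("IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor",
                 "AuthnAuthorityDescriptor", "PDPDescriptor", "RoleDescriptor")

# Constructed sample aggregate (not real federation data): one SP, one IdP-only entity and one
# entity that is both. The ds:Signature is a placeholder so the presence check has something to see.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:test-federation" validUntil="2014-04-12T12:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://both.example.org">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


class MetadataRejected(Exception):
    """The whole document is refused; the IdP logs an error and does not take the new copy into use."""


def _local_name(element):
    return element.tag.split("}")[-1]


def filter_metadata(xml_text, now, max_validity=timedelta(seconds=604800),
                    require_signed=True, retained_roles=("SPSSODescriptor",)):
    """Apply the filter chain; returns the entityIDs that survive, in document order."""
    root = ET.fromstring(xml_text)
    # 1. RequiredValidUntil (maxValidityInterval="604800"): the aggregate must carry a validUntil,
    #    must not be expired, and may not be valid further ahead than the interval. Otherwise a
    #    captured old copy of the feed could be fed to the IdP indefinitely.
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise MetadataRejected("no validUntil on the root element")
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")  # xs:dateTime in UTC
    if expiry <= now:
        raise MetadataRejected("metadata expired at %s" % valid_until)
    if expiry - now > max_validity:
        raise MetadataRejected("validUntil %s is further out than %s" % (valid_until, max_validity))
    # 2. SignatureValidation with requireSignedMetadata="true": an enveloped signature must be
    #    present. Presence only; verifying it against metadata-federation-renater.crt is the IdP's job.
    if require_signed and root.find("{%s}Signature" % DS) is None:
        raise MetadataRejected("metadata is not signed")
    # 3. EntityRoleWhiteList: drop roles that are not retained, then drop entities left with no
    #    role, so a federation IdP's descriptor can never be mistaken for a relying party.
    kept = []
    for entity in list(root.iter("{%s}EntityDescriptor" % MD)):
        for child in list(entity):
            if _local_name(child) in ROLE_ELEMENTS and _local_name(child) not in retained_roles:
                entity.remove(child)
        if any(_local_name(child) in ROLE_ELEMENTS for child in entity):
            kept.append(entity.get("entityID"))
    return kept


if __name__ == "__main__":
    # Three days before the sample's validUntil: inside the 7-day window, so the SP roles survive.
    print(filter_metadata(SAMPLE_METADATA, datetime(2014, 4, 9, 12, 0, 0)))
```

With the defaults the IdP-only entity disappears and the dual-role entity keeps only its SPSSODescriptor; shorten max_validity to a day, strip the signature, or remove validUntil and the whole aggregate is refused, which is exactly when the IdP keeps running on the previous backingFile instead.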

Local Metadata + Status URLs

Test access to our own IdP's metadata (the entityID URL, which serves idp-metadata.xml):

https://yourIDPhostname.domain.tld/idp/shibboleth

Test that the IdP is up (status):

https://yourIDPhostname.domain.tld/idp/profile/Status

Troubleshooting

If, when attributes are released, they are dropped on criteria like these:

18:07:44.049 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:509] - Filtering out potential name identifier attributes which can not be encoded by edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML1NameIdentifierEncoder
18:07:44.049 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute uid, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML1NameIdentifierEncoder
18:07:44.049 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:528] - Removing attribute eduPersonAffiliation, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML1NameIdentifierEncoder


18:07:44.092 - INFO [Shibboleth-Audit:696] - 20110918T140744Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://intranet.it-sudparis.eu|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://shibidp3.it-sudparis.eu/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_2002e1d5ee60ea559c40ce9cec7f88e6|benkelfa|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||_a323a8ca7334683a922bf4e1862da751|_bc3519b23d3ae97cc63832de9034df85,|

it means our IdP answered the SP over SAML 1 (the Shibboleth SSO profile: urn:mace:shibboleth:2.0:profiles:saml1:sso with the browser-post binding in the audit line above) and attribute push is not enabled for that SSO profile, so the SP is expected to fetch attributes through a back-channel attribute query instead. To send them directly in the SSO response, switch includeAttributeStatement="false" to "true":

<rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="true" assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>

Permissions

The tomcat user must be able to write to the metadata directory (the FileBackedHTTPMetadataProvider stores its backingFile there); otherwise:

INFO: Initializing Spring root WebApplicationContext
Sep 6, 2011 6:41:23 PM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.RelyingPartyConfigurationManager': Invocation of init method failed; nested exception is edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error creating components.
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1338)
...
Caused by: edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.RelyingPartyConfigurationManager service, error creating components.
	at edu.internet2.middleware.shibboleth.common.config.BaseService.loadContext(BaseService.java:192)
...
Caused by: java.io.IOException: Permission denied
	at java.io.UnixFileSystem.createFileExclusively(Native Method)
	at java.io.File.createNewFile(File.java:900)
...
	... 47 more
Sep 6, 2011 6:41:23 PM org.apache.catalina.core.ApplicationContext log
INFO: Closing Spring root WebApplicationContext
[root@shibidp3 conf]# chown -R tomcat /opt/shibboleth-idp/metadata/

# /etc/init.d/tomcat6 restart

[root@shibidp3 conf]# ls -ltra ../metadata/
total 164
-rw-r--r-- 1 tomcat root     5509 Jun  8 13:52 idp-metadata.xml
drwxr-xr-x 9 root   root     4096 Sep  6 16:05 ..
-rw-r--r-- 1 tomcat tomcat 144457 Sep  6 18:45 metadata.it.xml
drwxr-xr-x 2 tomcat root     4096 Sep  6 18:45 .

Metadata JASIG

Earlier example taken from the Shibboleth wiki (then hosted at spaces.internet2.edu), kept for the record.

From https://spaces.internet2.edu/display/SHIB2/FlowsAndConfig: "The IdP's relying-party.xml configuration file specifies most settings used in communicating with SPs. The metadata part of the configuration points to URLs or files containing trust and location information describing partners."

Uncomment line 100 of *relying-party.xml* to declare a *metadata* resource. This example loads a local file with SignatureValidation commented out and maintainExpiredMetadata="true", which is only acceptable for metadata you write and maintain yourself; a federation feed must use the signed, validUntil-checked configuration above.

[root@shibidp1 /usr/local/idp/conf]
$ vim relying-party.xml

<MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataFile="/usr/local/idp/metadata/IT-metadata.xml" maintainExpiredMetadata="true">
    <!-- <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" /> -->
</MetadataProvider>

*metadata/IT-metadata.xml* is built from the IdP declaration example: https://spaces.internet2.edu/display/SHIB2/MetadataExample

Registering with the Renater test federation

User authentication via CAS

Installing the CAS client

Maven

The recommended build tool is now Maven, so it must be installed.

[root@shibidp3 src]# wget http://mirror.mkhelif.fr/apache//maven/binaries/apache-maven-3.0.3-bin.tar.gz

[root@shibidp3 src]# tar xvfz apache-maven-3.0.3-bin.tar.gz 
apache-maven-3.0.3/boot/plexus-classworlds-2.4.jar
apache-maven-3.0.3/lib/maven-embedder-3.0.3.jar
apache-maven-3.0.3/lib/maven-settings-3.0.3.jar
apache-maven-3.0.3/lib/plexus-utils-2.0.6.jar
apache-maven-3.0.3/lib/maven-core-3.0.3.jar
apache-maven-3.0.3/lib/maven-model-3.0.3.jar
apache-maven-3.0.3/lib/maven-settings-builder-3.0.3.jar
apache-maven-3.0.3/lib/plexus-interpolation-1.14.jar
apache-maven-3.0.3/lib/plexus-component-annotations-1.5.5.jar
apache-maven-3.0.3/lib/plexus-sec-dispatcher-1.3.jar
apache-maven-3.0.3/lib/plexus-cipher-1.4.jar
apache-maven-3.0.3/lib/maven-repository-metadata-3.0.3.jar
apache-maven-3.0.3/lib/maven-artifact-3.0.3.jar
apache-maven-3.0.3/lib/maven-plugin-api-3.0.3.jar
apache-maven-3.0.3/lib/sisu-inject-plexus-2.1.1.jar
apache-maven-3.0.3/lib/sisu-inject-bean-2.1.1.jar
apache-maven-3.0.3/lib/sisu-guice-2.9.4-no_aop.jar
apache-maven-3.0.3/lib/maven-model-builder-3.0.3.jar
apache-maven-3.0.3/lib/maven-aether-provider-3.0.3.jar
apache-maven-3.0.3/lib/aether-api-1.11.jar
apache-maven-3.0.3/lib/aether-spi-1.11.jar
apache-maven-3.0.3/lib/aether-util-1.11.jar
apache-maven-3.0.3/lib/aether-impl-1.11.jar
apache-maven-3.0.3/lib/maven-compat-3.0.3.jar
apache-maven-3.0.3/lib/wagon-provider-api-1.0-beta-7.jar
apache-maven-3.0.3/lib/commons-cli-1.2.jar
apache-maven-3.0.3/lib/wagon-http-lightweight-1.0-beta-7.jar
apache-maven-3.0.3/lib/wagon-http-shared-1.0-beta-7.jar
apache-maven-3.0.3/lib/xercesMinimal-1.9.6.2.jar
apache-maven-3.0.3/lib/nekohtml-1.9.6.2.jar
apache-maven-3.0.3/lib/wagon-file-1.0-beta-7.jar
apache-maven-3.0.3/lib/aether-connector-wagon-1.11.jar
apache-maven-3.0.3/LICENSE.txt
apache-maven-3.0.3/NOTICE.txt
apache-maven-3.0.3/README.txt
apache-maven-3.0.3/bin/m2.conf
apache-maven-3.0.3/bin/mvn.bat
apache-maven-3.0.3/bin/mvnDebug.bat
apache-maven-3.0.3/bin/mvn
apache-maven-3.0.3/bin/mvnDebug
apache-maven-3.0.3/bin/mvnyjp
apache-maven-3.0.3/conf/
apache-maven-3.0.3/conf/settings.xml
apache-maven-3.0.3/lib/
apache-maven-3.0.3/lib/ext/
apache-maven-3.0.3/lib/ext/README.txt

[root@shibidp3 local]# ln -s /usr/local/src/apache-maven-3.0.3 maven

Define Maven's paths by creating */etc/profile.d/maven.sh*:

$ cat /etc/profile.d/maven.sh
M3_HOME=/usr/local/maven
export M3_HOME
M3=$M3_HOME/bin 
PATH=$M3:$PATH
export PATH 

$ source /etc/profile.d/maven.sh

CAS client

Now download the CAS client sources and build them. The archive and the Maven artifacts below are fetched over plain http; verify the release archive against a published checksum or signature before building, since the resulting jar will sit inside the IdP and handle its logins:

[root@shibidp3 ~]# wget http://downloads.jasig.org/cas-clients/cas-client-3.2.1-release.tar.gz
[root@shibidp3 ~]# tar xvfz cas-client-3.2.1-release.tar.gz


[root@shibidp3 cas-client-core]# mvn package
[INFO] Scanning for projects...
Downloading: http://repo1.maven.org/maven2/org/jasig/parent/jasig-parent/22/jasig-parent-22.pom
Downloaded: http://repo1.maven.org/maven2/org/jasig/parent/jasig-parent/22/jasig-parent-22.pom (6 KB at 12.9 KB/sec)
Downloading: http://repo1.maven.org/maven2/org/sonatype/oss/oss-parent/5/oss-parent-5.pom
Downloaded: http://repo1.maven.org/maven2/org/sonatype/oss/oss-parent/5/oss-parent-5.pom (4 KB at 8.9 KB/sec)
...
Downloaded: http://repo1.maven.org/maven2/org/codehaus/plexus/plexus-utils/1.5.1/plexus-utils-1.5.1.pom (3 KB at 8.4 KB/sec)
[INFO] Building jar: /root/cas-client-3.2.1/cas-client-core/target/cas-client-core-3.2.1-sources.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 11.588s
[INFO] Finished at: Mon Sep 12 17:36:59 MSD 2011
[INFO] Final Memory: 6M/109M
[INFO] ------------------------------------------------------------------------

Once the client JAR has been generated, copy it alongside the other libraries used by the IdP, in the source tree; we then redeploy the application:

[root@shibidp3 cas-client-core]# cp target/cas-client-core-3.2.1.jar /opt/shibboleth-identityprovider-2.3.3/lib/
[root@shibidp3 cas-client-core]# ls -l /opt/shibboleth-identityprovider-2.3.3/lib/cas*
-rw-r--r-- 1 root root 87309 Sep 12 17:38 /opt/shibboleth-identityprovider-2.3.3/lib/cas-client-core-3.2.1.jar

CAS filter

Add the CAS filter declarations to the web.xml of the IdP sources, then regenerate the idp.war file.

# vim /opt/shibboleth-identityprovider-2.3.3/src/main/webapp/WEB-INF/web.xml

Lines added for the CAS filter:

[root@shibidp3 WEB-INF]# diff web.xml.orig web.xml
52a53,113
> <!-- CAS Filter Configuration -->
> <context-param>
> <param-name>serverName</param-name>
> <param-value>https://shibidp3.it-sudparis.eu</param-value>
> </context-param>
> 
> 
>     <!-- CAS Authentication Filter -->
> <filter>
>  <filter-name>CAS Authentication Filter</filter-name>
>   <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>    <init-param>
>      <param-name>casServerLoginUrl</param-name>
>        <param-value>https://cas.it-sudparis.eu/cas/login</param-value>
>         </init-param>
>         </filter>
> 
> <!-- CAS Validation Filter -->
> <filter>
>  <filter-name>CAS Validation Filter</filter-name>
>  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>   <init-param>
>     <param-name>casServerUrlPrefix</param-name>
>       <param-value>https://cas.it-sudparis.eu/cas</param-value>
>        </init-param>
>        </filter>
> 
> <!-- CAS HttpServletRequest Wrapper Filter -->
> <filter>
>  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>   <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>   </filter>
> 
> <!-- CAS Assertion Thread Local Filter -->
> <filter>
>  <filter-name>CAS Assertion Thread Local Filter</filter-name>
>   <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
>   </filter>
> 
> <!-- CAS Filter for Shibb RemoteUser -->
> <filter-mapping>
>  <filter-name>CAS Authentication Filter</filter-name>
>   <url-pattern>/Authn/RemoteUser</url-pattern>
>   </filter-mapping>
> 
> <filter-mapping>
>  <filter-name>CAS Validation Filter</filter-name>
>   <url-pattern>/Authn/RemoteUser</url-pattern>
>   </filter-mapping>
> 
> <filter-mapping>
>  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>   <url-pattern>/Authn/RemoteUser</url-pattern>
>   </filter-mapping>
>   <filter-mapping>
>    <filter-name>CAS Assertion Thread Local Filter</filter-name>
>     <url-pattern>/Authn/RemoteUser</url-pattern>
>     </filter-mapping>
> 
> 
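Review bot: the indentation of the inserted block drifts (for example the `</init-param>` and `</filter>` that close the `casServerLoginUrl` filter sit deeper than the `<filter>` they close, and the last `<filter-mapping>` is indented under the previous one), which makes nesting hard to check by eye in a file where one misplaced closing tag stops the webapp from deploying; reindent each closing tag to its opener. The ordering is right and worth keeping as is: the four `<filter-mapping>` entries on `/Authn/RemoteUser` are declared Authentication, Validation, HttpServletRequest Wrapper, Assertion Thread Local, which is the order the container runs them and the order the Jasig client needs (the wrapper can only expose a remote user once the validation filter has stored the assertion).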

Then redeploy the Shibboleth application; answer no to the question "Would you like to overwrite this Shibboleth configuration?"

[root@shibidp3 shibboleth-identityprovider-2.3.3]# ./install.sh 
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

The directory '/opt/shibboleth-idp' already exists.  Would you like to overwrite this Shibboleth configuration? (yes, [no])

Updating property file: /opt/shibboleth-identityprovider-2.3.3/src/installer/resources/install.properties
Copying 55 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /opt/shibboleth-identityprovider-2.3.3/src/installer
Building war: /opt/shibboleth-identityprovider-2.3.3/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /opt/shibboleth-identityprovider-2.3.3/src/installer/web.xml
Deleting: /opt/shibboleth-identityprovider-2.3.3/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 24 seconds

"Metadata's validity interval" error

After Tomcat reloads the IdP, idp-process.log may show this error:

12:23:54.064 - ERROR [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:257] - Unable to filter metadata
org.opensaml.saml2.metadata.provider.FilterException: Metadata's validity interval, 33914165940ms, is larger than is allowed, 604800000ms.

In that case, raise the maximum validity interval (in milliseconds) that the RequiredValidUntil metadata filter accepts in relying-party.xml:

<MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" maxValidityInterval="604800000" /> ⇒ three zeros (3×0) were added here

Authentication via LDAP

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass

Enable (uncomment) the Username/password login handler in handler.xml:

<!--  Username/password login handler -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword" 
                  jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

and configure the Java Authentication and Authorization Service (JAAS) with the LDAP server access in login.config.

The simplest possible example here: unencrypted LDAP and a generic “anonymous” LDAP bind account:

// login.config: the JAAS application name the UsernamePassword login handler
// looks up (ShibUserPassAuth is the name used in the IdP's default login.config)
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldapserver1.int-evry.fr"
      base="ou=people,dc=ext,dc=fr"
      ssl="false"
      serviceUser="cn=binduser,ou=System,dc=ext,dc=fr"
      serviceCredential="secret"
      userField="uid";
};

Attribute release

Attribute resolver configuration

LDAP connector

[root@shibidp1 /opt/shibboleth-idp/conf]
$ vim attribute-resolver.xml
<!-- Example LDAP Connector -->
    <resolver:DataConnector id="tmspLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldapserver.int-evry.fr" baseDN="ou=people,dc=int-evry,dc=fr" principal="cn=binder,ou=system,dc=int,dc=fr"
        principalCredential="secret">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>

Example attribute definition (here uid):

 <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

    <!-- Schema: Core schema attributes-->
    <resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="uid">
        <resolver:Dependency ref="tmspLDAP" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:uid" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </resolver:AttributeDefinition>

Filtering the released attributes

Attributes we want to release to the Shibboleth Service Providers.

[root@shibidp1 /opt/shibboleth-idp/conf]
$ vim attribute-filter.xml 

 <!--  Release the transient ID to anyone -->
    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY" />

        <AttributeRule attributeID="transientId">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>


        <AttributeRule attributeID="supannEtablissement">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>

...
 <!-- 
        Release attributes to our local service providers
        (the id attribute is required on AttributeFilterPolicy; the name below is an example)
    -->

 <AttributeFilterPolicy id="releaseToLocalServiceProviders">
        <PolicyRequirementRule xsi:type="basic:OR">
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://intranet.it-sudparis.eu" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
...
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="departmentNumber">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>
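The release logic those two policies express, as an added Python model (not the IdP's own code): an attribute reaches the requesting SP only if some policy whose requirement rule matches that SP permits its values, everything else is dropped. The id of the second policy and the sample attribute set are constructed for the example.

```python
from __future__ import annotations

from collections.abc import Callable
from dataclasses import dataclass, field

# A PermitValueRule: given one attribute value, say whether it may be released.
ValueRule = Callable[[str], bool]
ANY: ValueRule = lambda value: True          # models <PermitValueRule xsi:type="basic:ANY" />


@dataclass
class AttributeFilterPolicy:
    """One <AttributeFilterPolicy>: a requirement rule plus the AttributeRules it carries."""
    policy_id: str
    # None models <PolicyRequirementRule xsi:type="basic:ANY" />; a set of entityIDs
    # models basic:OR over basic:AttributeRequesterString rules.
    requesters: set[str] | None
    # attributeID -> PermitValueRule
    rules: dict[str, ValueRule] = field(default_factory=dict)

    def is_active(self, requester: str) -> bool:
        return self.requesters is None or requester in self.requesters


# The two policies of attribute-filter.xml above (second id constructed, the page omits it).
POLICIES = [
    AttributeFilterPolicy(
        "releaseTransientIdToAnyone", None,
        {"transientId": ANY, "supannEtablissement": ANY}),
    AttributeFilterPolicy(
        "releaseToLocalServiceProviders",
        {"https://intranet.it-sudparis.eu", "https://trombi.it-sudparis.eu"},
        {"email": ANY, "givenName": ANY,
         "eduPersonScopedAffiliation": ANY, "departmentNumber": ANY}),
]


def filter_attributes(requester: str, resolved: dict[str, list[str]],
                      policies: list[AttributeFilterPolicy] = POLICIES) -> dict[str, list[str]]:
    """Apply the filter engine: default deny, union of permits over the active policies.

    A value is released if at least one active policy permits it; an attribute
    whose values were all denied disappears from the result (the IdP logs this as
    "Removing attribute from return set, no more values").
    """
    active = [p for p in policies if p.is_active(requester)]
    released: dict[str, list[str]] = {}
    for attribute_id, values in resolved.items():
        kept = [v for v in values
                if any(attribute_id in p.rules and p.rules[attribute_id](v) for p in active)]
        if kept:
            released[attribute_id] = kept
    return released


# Constructed attribute set, similar in shape to the aacli.sh output shown later on the page.
RESOLVED = {
    "uid": ["test"],
    "transientId": ["_constructedTransientId01"],
    "email": ["test.test@it-sudparis.eu"],
    "givenName": ["testeure"],
    "supannEtablissement": ["INT EVRY 0911781S"],
    "departmentNumber": ["INTM", "MAI"],
    "title": [],
}

if __name__ == "__main__":
    for sp in ("https://trombi.it-sudparis.eu", "https://federation.cru.fr/sp-test"):
        print(sp, "->", sorted(filter_attributes(sp, RESOLVED)))
```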

Testing the attribute resolver

The *aacli.sh* script lets you test attribute lookup and release; here with the Renater test federation, after adding eduPersonAffiliation or departmentNumber for example:

[root@shibidp1 /opt/shibboleth-idp]
$  ./bin/aacli.sh --requester=https://trombi.it-sudparis.eu --configDir=conf/ --principal=test

<?xml version="1.0" encoding="UTF-8"?><saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test.test@it-sudparis.eu</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="supannEtablissement" Name="urn:oid:1.3.6.1.4.1.7135.1.2.1.14" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">INT EVRY 0911781S</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="eduPersonPrimaryAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">affiliate</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TEST</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NONE@univ-nancy2.fr</saml:AttributeValue>
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">affiliate@univ-nancy2.fr</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testeure</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="departmentNumber" Name="urn:oid:2.16.840.1.113730.3.1.2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">INTM</saml:AttributeValue>
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MAI</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test.test@it-sudparis.eu</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">compte de test s2ia</saml:AttributeValue>
   </saml:Attribute>
</saml:AttributeStatement>

Building attributes

Mapped

If the directory is not yet supann/eduPerson compliant, compatible attributes (here eduPersonAffiliation) can be built from pre-existing ones (here employeeType). Example:

<!-- https://spaces.internet2.edu/display/SHIB2/ResolverMappedAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                             id="eduPersonAffiliation"
                             sourceAttributeID="employeeType">
   <resolver:Dependency ref="myLDAP" />
       <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
           name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
       <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
           name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
    <!-- default to the generic value 'affiliate' -->
    <DefaultValue>affiliate</DefaultValue>
    <!-- map the internal 'permanent' value to 'employee' -->
    <ValueMap>
        <ReturnValue>employee</ReturnValue>
        <!--<SourceValue ignoreCase="true">CN=.*,ou=permanents,dc=people,dc=mysite,dc=fr</SourceValue> -->
        <SourceValue ignoreCase="true">permanent</SourceValue>
    </ValueMap>
       <!-- map your internal 'Institut' value to 'invite' -->
    <ValueMap>
        <ReturnValue>invite</ReturnValue>
        <SourceValue>Institut</SourceValue>
    </ValueMap>
       <!-- map your internal 'CDD' value to 'member' -->
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue>CDD</SourceValue>
    </ValueMap>
       <!-- map your internal 'Doctorant' value to 'member' -->
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue>Doctorant</SourceValue>
    </ValueMap>
</resolver:AttributeDefinition>

Regular expression

Building an attribute from the DN of an LDAP branch ⇒ RegexSplit:

<!-- https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="RegexSplit" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="employeeType"
                              sourceAttributeID="distinguishedName"
                              regex=".*,OU=([^,]*),DC=people,DC=mysite,DC=fr">
        <resolver:Dependency ref="tl1AD" />
     <!-- Remaining configuration from the next step goes here -->
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:employeeType" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
</resolver:AttributeDefinition>
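How the two definitions combine, as an added Python model that is not the IdP's code: the RegexSplit definition extracts the OU from the DN to produce employeeType, and the Mapped definition turns it into eduPersonAffiliation. It models the documented behaviour (SourceValue is a regular expression matched against the whole value, ignoreCase makes that match case-insensitive, each matching ValueMap contributes its ReturnValue, and DefaultValue is used only for a source value no map matches); whole-value matching and the sample DNs are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


def regex_split(values: list[str], regex: str) -> list[str]:
    """RegexSplit definition: capture group 1 of every source value the regex matches."""
    pattern = re.compile(regex)
    out = []
    for value in values:
        m = pattern.fullmatch(value)   # modelled as a whole-value match (Java matches())
        if m:
            out.append(m.group(1))
    return out


@dataclass
class ValueMap:
    return_value: str
    source_values: list[tuple[str, bool]]   # one (regex, ignoreCase) per <SourceValue>


def mapped(values: list[str], value_maps: list[ValueMap], default: str | None) -> list[str]:
    """Mapped definition: run every source value through all ValueMaps."""
    out = []
    for value in values:
        hits = []
        for vm in value_maps:
            for regex, ignore_case in vm.source_values:
                flags = re.IGNORECASE if ignore_case else 0
                if re.fullmatch(regex, value, flags):
                    hits.append(vm.return_value)
                    break                        # one ReturnValue per matching ValueMap
        if not hits and default is not None:     # DefaultValue only when nothing matched
            hits.append(default)
        out.extend(hits)
    return out


# The ValueMaps of the eduPersonAffiliation definition above.
AFFILIATION_MAPS = [
    ValueMap("employee", [("permanent", True)]),   # ignoreCase="true"
    ValueMap("invite", [("Institut", False)]),
    ValueMap("member", [("CDD", False)]),
    ValueMap("member", [("Doctorant", False)]),
]
# The regex of the employeeType RegexSplit definition above.
DN_REGEX = r".*,OU=([^,]*),DC=people,DC=mysite,DC=fr"


def edu_person_affiliation(distinguished_names: list[str]) -> list[str]:
    """distinguishedName -> employeeType (RegexSplit) -> eduPersonAffiliation (Mapped)."""
    employee_type = regex_split(distinguished_names, DN_REGEX)
    return mapped(employee_type, AFFILIATION_MAPS, default="affiliate")


if __name__ == "__main__":
    # Constructed DNs: the case-sensitive 'Institut' map misses 'institut' and falls to the default.
    for dn in ("CN=Jean Dupont,OU=Doctorant,DC=people,DC=mysite,DC=fr",
               "CN=Marie Martin,OU=PERMANENT,DC=people,DC=mysite,DC=fr",
               "CN=Paul Durand,OU=institut,DC=people,DC=mysite,DC=fr",
               "CN=svc-backup,OU=Services,DC=mysite,DC=fr"):
        print(dn, "->", edu_person_affiliation([dn]))
```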

Testing the IdP

Registering with a federation

A Service Provider is needed to test our identity provider (IdP). To keep things simple at first, we use a CRU test service provider, but our new IdP must first be registered with the CRU test federation:

https://federation.cru.fr/test/gestion/enregistrement//idp

This form requires prior authentication. You can authenticate with a CRU account; if you do not have one, you will be invited to create one during the authentication procedure.

Organisation name: Test Telecom et Management SudParis
providerId: https://shibidp1.it-sudparis.eu/idp/shibboleth
server: shibidp1.it-sudparis.eu
domain: it-sudparis.eu
SSO service URL: https://shibidp1.it-sudparis.eu/idp/profile/Shibboleth/SSO
AA service URL: https://shibidp1.it-sudparis.eu/idp/AA
X.509 certificate: [contents of the file /opt/shibboleth-idp/credentials/idp.crt]


Login on a test SP

https://federation.cru.fr/sp-test

On the CRU WAYF, select the IdP freshly registered above, “Test Telecom et Management SudParis” (TMSP). You are then redirected to the TMSP CAS server. You then get authenticated access along with a “push” of attributes, those declared in the attribute filter!

Result in the browser

-shib-
HTTP_REMOTE_USER  
HTTP_SHIB_APPLICATION_ID default 
HTTP_SHIB_ATTRIBUTES PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaX....c2U+ 
HTTP_SHIB_AUTHENTICATION_INSTANT 2008-12-04T16:19:27.886Z 
HTTP_SHIB_AUTHENTICATION_METHOD urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified 
...
HTTP_SHIB_EP_UNSCOPEDAFFILIATION  
HTTP_SHIB_IDENTITY_PROVIDER https://shibidp1.it-sudparis.eu/idp/shibboleth 
HTTP_SHIB_INETORGPERSON_DISPLAYNAME  
...
HTTP_SHIB_INETORGPERSON_TITLE  
HTTP_SHIB_INETORGPERSON_UID test 
HTTP_SHIB_ORIGIN_SITE https://shibidp1.it-sudparis.eu/idp/shibboleth 
HTTP_SHIB_PERSISTENTID 
 

-env-

DOCUMENT_ROOT="/var/www/federation.cru.fr"
GATEWAY_INTERFACE="CGI/1.1"
HTTPS="on"
HTTP_ACCEPT="image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="fr"
HTTP_CACHE_CONTROL="no-cache"
HTTP_CONNECTION="Keep-Alive"
...
HTTP_HOST="federation.cru.fr"
HTTP_REFERER="https://shibidp1.it-sudparis.eu/idp/Authn/RemoteUser?ticket=ST-62022-aOxDU5FqLQRqziaW6gIY"
HTTP_REMOTE_USER=""
HTTP_SHIB_APPLICATION_ID="default"
...
HTTP_SHIB_AUTHENTICATION_INSTANT="2008-12-04T16:19:27.886Z"
HTTP_SHIB_AUTHENTICATION_METHOD="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
...
HTTP_SHIB_IDENTITY_PROVIDER="https://shibidp1.it-sudparis.eu/idp/shibboleth"
...
HTTP_SHIB_INETORGPERSON_MAIL="test.testATit-sudparis.eu"
...
HTTP_SHIB_INETORGPERSON_UID="test"
...
HTTP_SHIB_NAMEIDENTIFIER_FORMAT="urn:mace:shibboleth:1.0:nameIdentifier"
HTTP_SHIB_ORIGIN_SITE="https://shibidp1.it-sudparis.eu/idp/shibboleth"
HTTP_SHIB_PERSISTENTID=""
HTTP_SHIB_PERSON_COMMONNAME=""
...
QUERY_STRING=""
REMOTE_ADDR="157.159.10.14"
REMOTE_HOST="proxy.int-evry.fr"
REMOTE_PORT="42422"
REQUEST_METHOD="GET"
REQUEST_URI="/sp-test"
SCRIPT_FILENAME="/usr/local/shibboleth/tools/sptest.cgi"
SCRIPT_NAME="/sp-test"
SERVER_ADDR="195.220.94.183"
SERVER_ADMIN="webmaster@cru.fr"
SERVER_NAME="federation.cru.fr"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="Apache/2.2.3 (Red Hat) Server at federation.cru.fr Port 443\n"
SERVER_SOFTWARE="Apache/2.2.3 (Red Hat)"

IdP log

17:18:10.095 - INFO [Shibboleth-Access:72] - 20081204T161810Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/Shibboleth/SSO|
...
17:18:10.098 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:325] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
17:18:10.098 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:75] - Redirecting to https://shibidp1.it-sudparis.eu:443/idp/Authn/RemoteUser
...
...
17:19:27.884 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:48] - Remote user identified as test returning control back to authentication engine
...
17:19:27.889 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:487] - Resolving attributes for principal test of SAML request from relying party https://federation.cru.fr/sp-test
...
17:19:27.890 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:334] - Resolving data connector tmspLDAP for principal test
17:19:27.891 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:764] - Search filter: (uid=test)

LDAP log

Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 fd=28 ACCEPT from IP=157.159.10.217:59641 (IP=0.0.0.0:389)
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=0 BIND dn="cn=binder,ou=system,dc=int,dc=fr" method=128
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=0 BIND dn="cn=binder,ou=System,dc=int,dc=fr" mech=SIMPLE ssf=0
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=0 RESULT tag=97 err=0 text=
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=1 SRCH base="ou=people,dc=int,dc=fr" scope=2 deref=3 filter="(uid=test)"
...
17:19:27.899 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:881] - Found the following attribute: uid=[test]
17:19:27.899 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:881] - Found the following attribute: eduPersonAffiliation=[student]
...
17:19:27.920 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:316] - Resolved attribute uid containing 1 values
17:19:27.920 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:294] - Resolving attribute eduPersonAffiliation for principal test
...
17:19:27.932 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:138] - shibboleth.AttributeResolver resolved, for principal test, the attributes: [uid, eduPersonPrincipalName, eduPersonAffiliation, eduPersonPrimaryAffiliation, eduPersonScopedAffiliation, surname, givenName, eduPersonNickname, title, eduPersonOrgDN, postalCode, organizationalUnit, employeeType, commonName, transientId, eduPersonPrimaryOrgUnitDN, eduPersonOrgUnitDN, departmentNumber, email, jpegPhoto, postalAddress]
...
17:19:27.933 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:122] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal test
17:19:27.933 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:131] - Filter policy releaseTransientIdToAnyone is active for principal test
17:19:27.933 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:156] - Processing permit value rule for attribute transientId for principal test
...
17:19:27.935 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:101] - Removing attribute from return set, no more values: eduPersonNickname
17:19:27.935 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:101] - Removing attribute from return set, no more values: title
...
17:19:27.937 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Filtered attributes for principal test.  The following attributes remain: [uid, transientId, email]
17:19:27.938 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:78] - Selecting endpoint from metadata corresponding to provided ACS URL: https://federation.cru.fr/sp-test/Shibboleth.sso/SAML/POST
17:19:27.938 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:82] - Relying party role contains 1 endpoints

RemoteUser configuration

The RemoteUser “handler” must be used; see https://mail.internet2.edu/wws/arc/shibboleth-users/2008-03/msg00500.html

Chad La Joie wrote:

    You shouldn't ever set the defaultAuthentication to PreviousSession, that won't ever work and I'll add a note about that to the document.

    If you are using CAS as an additional SSO service you need to use the RemoteUser authentication mechanism. The path you need to protect is <context_path>/Authn/RemoteUser.

handler.xml

 <!-- Login Handlers -->
    <LoginHandler xsi:type="RemoteUser">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
    </LoginHandler>

relying-party.xml

<DefaultRelyingParty provider="https://shibidp1.it-sudparis.eu/idp/shibboleth"
                        defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
                         defaultSigningCredentialRef="IdPCredential">

Access filter on /Authn/RemoteUser for CAS

In web.xml, access to the /Authn/RemoteUser path is put behind a filter that sends the user to our local CAS; the REMOTE_USER that this filter sets is what the RemoteUser login handler then trusts as the authenticated principal.

/usr/share/tomcat5/webapps/idp/WEB-INF/web.xml

   <display-name>Shibboleth 2.0.0 Identity Provider</display-name>

<filter>
  <filter-name>CAS Validate Filter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://cas.it-sudparis.eu/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://cas.it-sudparis.eu/cas/serviceValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
    <param-value>shibidp1.it-sudparis.eu</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<!-- access to /Authn/RemoteUser goes through the filter named "CAS Validate Filter" (defined above), which redirects unauthenticated requests to CAS -->
<filter-mapping>
  <filter-name>CAS Validate Filter</filter-name>
  <url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>

The IdP obviously needs the casclient.jar library for this to work!

[root@shibidp1 /usr/share/tomcat5/webapps/idp/WEB-INF]
$ ls lib/casclient.jar
lib/casclient.jar

Certificates

Right away one runs into trust requirements (secured transfers) between SP and IdP, and between the IdP and CAS. Without any certificate/keystore setup the IdP logs this kind of error in idp-process.log, precisely about the certification chain:

13:46:23.897 INFO [Shibboleth-Access:72] - 20080328T124623Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/SAML2/Redirect/SSO|
13:46:24.015 ERROR [edu.yale.its.tp.cas.client.CASReceipt:55] - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://cas.it-sudparis.eu/cas/serviceValidate] ticket=[ST-1000-SyFXxMK1TGTvYOss2vmv] service=[https%3A%2F%2Fshibidp1.it-sudparis.eu%2Fidp%2FAuthn%2FRemoteUser] renew=false]]]
13:46:24.015 ERROR [edu.yale.its.tp.cas.client.filter.CASFilter:380] - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://cas.it-sudparis.eu/cas/serviceValidate] ticket=[ST-1000-SyFXxMK1TGTvYOss2vmv] service=[https%3A%2F%2Fshibidp1.it-sudparis.eu%2Fidp%2FAuthn%2FRemoteUser] renew=false]]]
13:46:24.016 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp].[RemoteUserAuthHandler]:250] - Servlet.service() for servlet RemoteUserAuthHandler threw exception
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Certificate chain

The exception above is raised by the CAS client while it validates the service ticket over HTTPS at https://cas.it-sudparis.eu/cas/serviceValidate: the JVM running the IdP does not trust the CA that issued the CAS server's certificate, hence the SunCertPathBuilderException. Two separate things are set up below: a keystore for the IdP's own back-channel connector on 8443, and the JVM truststore import, which is the one that makes this particular error go away.

We therefore create a keystore holding our server's certificate and key together with the certification chain (here in OpenSSL PKCS#12 format, to avoid the esoteric JDK commands... personal opinion ;-)). The resulting .p12 contains the private key, so protect it like one: owned by, and readable only by, the account running Tomcat.

[root@shibidp1 /usr/local/idp/credentials]
$ openssl pkcs12 -export -in shibidp1-tmsp.pem -inkey shibidp1-tmsp.key -out shibidp1_tmsp_v2_0_openssl.p12 -name tomcat -CAfile ca-chain-institut-telecom.crt -caname root -chain
Enter Export Password:
Verifying - Enter Export Password:

Tomcat on 8443

Tomcat then has to be told, via server.xml, to answer attribute queries on a secured port (8443) that uses this keystore.

clientAuth="want" together with truststoreAlgorithm="DelegateToApplication" makes Tomcat accept the calling SP's client certificate without checking it itself and leaves the verification to the IdP, which checks it against the federation metadata. This setting needs the Shibboleth tomcat6-dta-ssl jar in Tomcat's lib directory, otherwise the connector does not start. server.xml now carries the keystore password, so it and the .p12 must be readable only by the Tomcat account.

<!-- https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare
Shibboleth IdPs and SP may communicate directly (Attribute Query, Artifact Resolution, and Logout)
-->

<Connector port="8443" 
           maxHttpHeaderSize="8192"
           maxSpareThreads="75"
           scheme="https"
           secure="true"
           clientAuth="want"
           sslProtocol="TLS" 
           keystoreFile="/usr/local/idp/credentials/shibidp1_tmsp_v2_0_openssl.p12"
           keystorePass="secret"
           keystoreType="pkcs12"
           truststoreAlgorithm="DelegateToApplication"/>

Sun JVM truststore

Finally, the JVM running Tomcat must trust the authority that signed our server certificate; here tmsp_ca signed shibidp1.it-sudparis.eu (shibidp1_tmsp.pem!), so we add that authority to the well-known ones already present in the cacerts shipped with the Sun JVM. keytool asks for the cacerts password (the stock one is "changeit"); a JVM package update may replace this file, so check the import again after upgrading. For the CAS validation error above to disappear, the CA that issued the CAS server's certificate must be in this truststore as well (here presumably the same institutional CA, since the logs below are clean after this import):

[root@shibidp1 /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/security]
$ keytool -import -keystore cacerts -file /etc/pki/tls/certs/tmsp_ca.crt -alias TeMSudParis

Then the access logs for a login through the testshib SP (https://sp.testshib.org/ to the IdP https://shibidp1.it-sudparis.eu/idp/shibboleth) are positive:

13:58:09.904 INFO [Shibboleth-Access:72] - 20080328T125809Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/SAML2/Redirect/SSO|
13:58:17.523 INFO [Shibboleth-Access:72] - 20080328T125817Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/SAML2/Redirect/SSO|
13:58:17.767 INFO [Shibboleth-Audit:557] - 20080328T125817Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_64727b9822abbb6ccf19d28fa1e618fc|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://shibidp1.it-sudparis.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_010a91ef682d99661d6e41e046e50aaa|test|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||

Shibboleth SSO and AD

For a site with no pre-existing SSO (often CAS), Shibboleth provides an internal SSO service. In this example we show an IdP at a site whose account base is an Active Directory.

We then use Shibboleth's internal SSO rather than relying on an external SSO such as CAS.

Reference documentation

LoginHandler UsernamePassword

Enable the UsernamePassword LoginHandler in handler.xml and comment out the RemoteUser LoginHandler, otherwise the latter takes precedence.

See http://marc.info/?l=shibboleth-users&m=125606962922962&w=2 and http://www.edugate.ie/shibboleth-identity-provider-setup/idp-configuration

[root@idp /opt/shibboleth-idp/conf]
$ vim handler.xml
                  
<!-- Login Handlers -->
    <!--
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
    -->
 <!--  Username/password login handler -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword" 
                  jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
                   

JAAS configuration file

This is where the way to authenticate against AD is defined, cf https://spaces.internet2.edu/display/SHIB2/IdPADConfigIssues

That page recommends using the Global Catalog (port 3268) rather than a direct connection on 389, because of referrals.

Note that ssl="false" below sends the service account's password and every user's password in clear to the domain controller. The Global Catalog also listens on 3269 over SSL, which can be used with ssl="true" once the AD certificate chain is in the JVM truststore.

[root@idp /opt/shibboleth-idp/conf]
$ cat login.config

ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap://ad1.mysite.fr"
      port="3268"
      base="dc=people,dc=mysite,dc=fr"
      ssl="false"
      subtreeSearch="true"
      serviceUser="cn=testshib,ou=users,dc=people,dc=mysite,dc=fr"
      serviceCredential="secret"
      userField="samaccountname";
};

Attribute resolver

A resolver must be defined to fetch the attributes.

Connector

Note that this connector talks to ad1.mysite.fr on 389 while the JAAS configuration above uses the Global Catalog on 3268, so the referral remark applies here too. principalCredential is the service account's password stored in clear, so attribute-resolver.xml must not be world-readable.

[root@idp /opt/shibboleth-idp/conf]
$ vim attribute-resolver.xml

<!-- Example LDAP Connector -->
    <resolver:DataConnector id="tl1AD" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ad1.mysite.fr:389" baseDN="ou=users,dc=people,dc=mysite,dc=fr" principal="cn=testshib,ou=users,dc=people,dc=mysite,dc=fr"
        principalCredential="wayfrom">
        <FilterTemplate>
            <![CDATA[
                (samaccountname=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>
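
The FilterTemplate above substitutes $requestContext.principalName into the LDAP search filter. The following Python is an added example, not code from this page or from the Shibboleth IdP: it renders the same filter with the value escaped as RFC 4515 requires, beside the filter an unescaped substitution would yield, and checks that the result is still a single equality match. Whether the IdP escapes the value itself is not stated on the page; the principal names are constructed test input and the {principal} placeholder is a stand-in for the Velocity variable.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Stand-in for the page's template "(samaccountname=$requestContext.principalName)";
# {principal} is a placeholder used only by this example.
FILTER_TEMPLATE = "(samaccountname={principal})"

# A well-formed assertion value: anything except ( ) * \ NUL, or a \xx escape.
_VALID_VALUE = re.compile(r"(?:[^()*\\\x00]|\\[0-9a-fA-F]{2})*")

# Constructed principal names: a normal login, a wildcard, a filter injection
# attempt and a name containing a backslash.
SAMPLE_PRINCIPALS = ("testshib", "*", "x)(objectClass=*", "Doe\\, John")


def escape_filter_value(value):
    """Escape one assertion value for use in an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(principal_name, escape=True, template=FILTER_TEMPLATE):
    """Render the search filter for a principal, escaped or (for comparison) verbatim."""
    value = escape_filter_value(principal_name) if escape else principal_name
    return template.format(principal=value)


def is_single_equality(filter_text, attribute="samaccountname"):
    """True when the rendered filter is still exactly one equality match on
    `attribute`: no extra operators, parentheses, wildcards or bad escapes."""
    prefix = f"({attribute}="
    if not (filter_text.startswith(prefix) and filter_text.endswith(")")):
        return False
    value_part = filter_text[len(prefix):-1]
    return _VALID_VALUE.fullmatch(value_part) is not None


if __name__ == "__main__":
    for name in SAMPLE_PRINCIPALS:
        for escape in (False, True):
            rendered = build_filter(name, escape=escape)
            label = "escaped " if escape else "verbatim"
            print(label, rendered, "-> single equality:", is_single_equality(rendered))
```

Run it and compare the two renderings of "x)(objectClass=*": verbatim it becomes two assertions, escaped it stays one equality test on samaccountname with the user's literal string.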

Attribute definitions

[root@idp /opt/shibboleth-idp/conf]
$ vim attribute-resolver.xml
<!-- Schema: Core schema attributes-->
    <resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="sAMAccountName">
        <resolver:Dependency ref="tl1AD" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:uid" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="email" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="mail">
        <resolver:Dependency ref="tl1AD" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:mail" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </resolver:AttributeDefinition>

Filters

From the attributes resolved above one can define release policies for them, for instance per list of Service Providers:

AttributeRequesterString compares the SP entityID as an exact string, so https://trombi.it-sudparis.eu and https://trombi.it-sudparis.eu/ are two different requesters, which is why both appear below. Also note that the first policy, despite its comment, releases displayName to every SP along with the transient ID.

[root@idp /opt/shibboleth-idp/conf]
$ vim attribute-filter.xml
<!-- Release the transient ID (and displayName) to anyone -->
    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY" />

        <AttributeRule attributeID="transientId">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>


    </AttributeFilterPolicy>

<!-- release email to some SPs of the federation -->
<AttributeFilterPolicy id="releaseEmailToFederationLists"> <!-- id added: each policy needs a unique id -->
        <PolicyRequirementRule xsi:type="basic:OR">
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.nancy-universite.fr" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://federation.cru.fr/cru/gestion" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.cru.fr/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.jres.org/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.sympa.org/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sec.cru.fr/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.csiesr.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://listes.esup-portail.org/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cori.recherche.gouv.fr" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.cru.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.renater.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.adrisi.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://2009.jres.org/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.jres.org/sympa" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

<!-- Institut Telecom SPs + Renater test SP -->
  <AttributeFilterPolicy id="releaseToInstitutTelecomSPs"> <!-- id added: each policy needs a unique id -->
        <PolicyRequirementRule xsi:type="basic:OR">
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu/" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://annu.it-sudparis.eu/" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://blog.it-sudparis.eu/" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://services-federation.renater.fr/test/ressource" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>
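
To see what these policies actually release, here is an added Python example (not the page's nor the Shibboleth project's code) that evaluates a reduced copy of the policies above for a given SP entityID and a set of resolved attributes. It implements only the match functions the page uses (basic:ANY, basic:OR, basic:AttributeRequesterString and PermitValueRule basic:ANY) and reproduces the decision the IdP logs as "Filtered attributes for principal ... The following attributes remain". The resolved attribute values are constructed; the requester entityIDs are taken from the page, with the long lists shortened.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed, reduced copy of the attribute-filter.xml policies on the page.
POLICY_XML = f"""<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="{AFP}" xmlns:basic="{BASIC}" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="transientId"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="displayName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseEmailToFederationLists">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.renater.fr/sympa"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://federation.cru.fr/cru/gestion"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseToInstitutTelecomSPs">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu/"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
    <AttributeRule attributeID="uid"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed resolved attributes for the principal "test".
SAMPLE_RESOLVED = {
    "transientId": ["_64727b98"], "displayName": ["Test User"],
    "email": ["test@it-sudparis.eu"], "uid": ["test"], "title": ["engineer"],
}


def _match_function(elem):
    """xsi:type without its namespace prefix, e.g. 'basic:OR' -> 'OR'."""
    return elem.get(f"{{{XSI}}}type", "").split(":")[-1]


def rule_matches(rule, requester):
    """Evaluate a PolicyRequirementRule (or a nested basic:Rule) for one SP entityID."""
    kind = _match_function(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        # Exact, case-sensitive comparison of the entityID: a trailing slash
        # makes a different requester, which is why the page lists both forms.
        return rule.get("value") == requester
    children = list(rule)
    if kind == "OR":
        return any(rule_matches(child, requester) for child in children)
    if kind == "AND":
        return all(rule_matches(child, requester) for child in children)
    if kind == "NOT":
        return not rule_matches(children[0], requester)
    raise ValueError(f"unsupported match function: {kind!r}")


def filter_attributes(policy_xml, requester, resolved):
    """Return {attributeID: [values]} released to `requester`.

    Every policy whose requirement rule matches contributes the values its
    PermitValueRule allows; an attribute left without any permitted value is
    dropped, which is the IdP's "Removing attribute from return set, no more
    values" log line.
    """
    root = ET.fromstring(policy_xml)
    permitted = {}
    for policy in root.findall(f"{{{AFP}}}AttributeFilterPolicy"):
        requirement = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if not rule_matches(requirement, requester):
            continue
        for attribute_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            attr_id = attribute_rule.get("attributeID")
            permit = attribute_rule.find(f"{{{AFP}}}PermitValueRule")
            if attr_id not in resolved or permit is None:
                continue
            if _match_function(permit) != "ANY":
                raise ValueError("only PermitValueRule basic:ANY is modelled here")
            bucket = permitted.setdefault(attr_id, [])
            for value in resolved[attr_id]:
                if value not in bucket:
                    bucket.append(value)
    return {attr_id: values for attr_id, values in permitted.items() if values}


if __name__ == "__main__":
    for sp in ("https://sp.testshib.org/shibboleth-sp",
               "https://trombi.it-sudparis.eu",
               "https://listes.renater.fr/sympa/"):
        print(sp, "->", sorted(filter_attributes(POLICY_XML, sp, SAMPLE_RESOLVED)))
```

The third requester shows the exact-match pitfall: https://listes.renater.fr/sympa/ with a trailing slash gets no email, whereas the entityID written exactly as in the policy does; title is resolved but never released because no policy names it.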

Computed attributes

Regular expression

Definition of an attribute based on a regular expression. The value is the first capture group. With the greedy .* at the start, the group captures the OU that sits right before the DC components (the top-level OU, even when the user lives in a nested OU), and the match is case-sensitive, so a lower-case "ou=" in the DN would not match at all.

<!-- https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="RegexSplit" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="employeeType"
                              sourceAttributeID="distinguishedName"
                              regex=".*,OU=([^,]*),DC=people,DC=mysite,DC=fr">
        <resolver:Dependency ref="tl1AD" />
     <!-- the captured group becomes the attribute value -->
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:employeeType" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
</resolver:AttributeDefinition>

Mapped attribute

Here SourceValue is a regular expression matched against the whole distinguishedName; ignoreCase="true" makes it accept any case in the DN, unlike the RegexSplit above, and a DN that matches no ValueMap gets the DefaultValue.

<!-- https://spaces.internet2.edu/display/SHIB2/ResolverMappedAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="StatusTL1"
                              sourceAttributeID="distinguishedName">
    <resolver:Dependency ref="tl1AD" />
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:StatusTL1" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.7391.4.1.1.2" friendlyName="StatusTL1" />
     <!-- default to the generic value 'affiliate' -->
     <DefaultValue>affiliate</DefaultValue>
     <!-- map every DN under ou=permanents to 'permanents' -->
     <ValueMap>
         <ReturnValue>permanents</ReturnValue>
         <SourceValue ignoreCase="true">CN=.*,ou=permanents,dc=people,dc=mysite,dc=fr</SourceValue>
     </ValueMap>
</resolver:AttributeDefinition>
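
Added Python example (not from the page nor from the Shibboleth project) that applies the two definitions above to Active Directory distinguishedName values, so the effect of the greedy .* and of ignoreCase can be checked without an IdP. It assumes that RegexSplit keeps capture group 1 of the first match and that a Mapped SourceValue is a regular expression that has to match the whole value; the DNs are constructed test data.

```python
import re

# The regex of the employeeType RegexSplit definition on the page.
EMPLOYEE_TYPE_REGEX = re.compile(r".*,OU=([^,]*),DC=people,DC=mysite,DC=fr")

# The DefaultValue and ValueMap of the StatusTL1 Mapped definition on the page:
# (ReturnValue, SourceValue regex, ignoreCase).
STATUS_DEFAULT = "affiliate"
STATUS_VALUE_MAP = [
    ("permanents", r"CN=.*,ou=permanents,dc=people,dc=mysite,dc=fr", True),
]

# Constructed distinguishedName values: a direct member of OU=permanents, a
# user in a nested OU, a lower-case DN (AD normally returns upper-case RDN
# types) and a user outside the base DN.
SAMPLE_DNS = (
    "CN=Shib-tl1-int,OU=permanents,DC=people,DC=mysite,DC=fr",
    "CN=Doe\\, John,OU=enseignants,OU=permanents,DC=people,DC=mysite,DC=fr",
    "cn=test,ou=permanents,dc=people,dc=mysite,dc=fr",
    "CN=guest,OU=externes,DC=other,DC=fr",
)


def regex_split(value, regex=EMPLOYEE_TYPE_REGEX):
    """RegexSplit: capture group 1 of the first match, None when nothing matches
    (the IdP then produces no value and the attribute is not released)."""
    match = regex.search(value)
    return match.group(1) if match else None


def mapped(value, value_map=STATUS_VALUE_MAP, default=STATUS_DEFAULT):
    """Mapped: the ReturnValue of the first ValueMap whose SourceValue regex
    matches the whole source value, otherwise DefaultValue."""
    for return_value, source_regex, ignore_case in value_map:
        flags = re.IGNORECASE if ignore_case else 0
        if re.fullmatch(source_regex, value, flags):
            return return_value
    return default


def resolve(distinguished_name):
    """Both computed attributes for one DN, as the resolver would produce them."""
    return {
        "employeeType": regex_split(distinguished_name),
        "StatusTL1": mapped(distinguished_name),
    }


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, "->", resolve(dn))
```

The nested-OU DN yields "permanents" for both attributes (the greedy .* skips "OU=enseignants"), while the lower-case DN gets StatusTL1=permanents but no employeeType at all, which is the difference ignoreCase makes.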

Test

http://trombi.it-sudparis.eu/secure/printenv.pl

Environment variables set by the Shibboleth SP:

employeeType=permanents
StatusTL1=permanents
Shib_Authentication_Instant=2009-10-28T08:57:19.836Z
Shib_Application_ID=trombi
Shib_Session_ID=_0a9cff9b168c31bb183887572681058a
Shib_Identity_Provider=https://idp.telecom-lille1.eu/idp/shibboleth
sn=Shib-tl1-int
REMOTE_USER=testhib@telecom-lille1.eu
mail=testshib@telecom-lille1.eu
displayName=Shib-tl1-int
Shib_AuthnContext_Class=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Shib_Authentication_Method=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

created by JehanProcaccia - 20 Mar 2008

Update to 2.3.6

https://wiki.shibboleth.net/confluence/display/SHIB2/IdP2Upgrade

[root@shibidp3 shibboleth-identityprovider-2.3.6]# ./install.sh
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

The directory '/opt/shibboleth-idp' already exists.  Would you like to overwrite this Shibboleth configuration? (yes, [no])
no
Updating property file: /opt/shibboleth-identityprovider-2.3.6/src/installer/resources/install.properties
Copying 51 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /opt/shibboleth-identityprovider-2.3.6/src/installer
Building war: /opt/shibboleth-identityprovider-2.3.6/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /opt/shibboleth-identityprovider-2.3.6/src/installer/web.xml
Deleting: /opt/shibboleth-identityprovider-2.3.6/src/installer/idp.war

BUILD SUCCESSFUL

Local modifications

:!: Do not forget the local modifications :!:

Here, for instance, the use of the CAS client library: the <filter> has to be added again to web.xml

/opt/shibboleth-identityprovider-2.3.6/src/main/webapp/WEB-INF/web.xml

This is also the file in which the IP addresses allowed to reach http://idp.it-sudparis.eu/idp/status are declared

Beware: the application (idp.war) has to be redeployed through the install script

[root@shibidp3 shibboleth-identityprovider-2.3.6]# ./install.sh

taking care not to overwrite the configuration (answer [no])

and the CAS library jar must be copied into the lib directory of the unpacked distribution (the source the installer builds the war from, not /opt/shibboleth-idp/lib) before installing:

[root@shibidp1 /usr/local/shibboleth-identityprovider-2.3.8]
$ cp /usr/local/shibboleth-identityprovider-2.1.0/lib/cas-client-core-3.1.3.jar /usr/local/shibboleth-identityprovider-2.3.8/lib/
[root@shibidp1 /usr/local/shibboleth-identityprovider-2.3.8]
$ ./install.sh 

Afterwards it is indeed found deployed:

[root@shibidp3 shibboleth-identityprovider-2.3.6]# ls -ltra /opt/shibboleth-idp/lib/ | tail -3
-rw-r--r-- 1 root root   87310 May  5 16:40 cas-client-core-3.2.1.jar
drwxr-xr-x 2 root root    4096 May  5 16:47 endorsed
drwxr-xr-x 3 root root    4096 May  5 16:47 .

If you forget to copy the library back and rebuild the war from the sources, the result is rather confusing: judging by idp-process.log the IdP seems to be running, and it is in /var/log/tomcat6/localhost.log that the "SEVERE" error caused by the missing CAS client shows up.

Domain change

We moved from it-sudparis.eu to tem-tsp.eu! This involves several tasks.

IdP internal certificate

These are the IdP's own SAML signing and encryption credentials: once idp.jks, idp.crt and idp.key are replaced, SPs and the federation that still hold the old certificate in their metadata reject the IdP's signatures until the new metadata is published (below).

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPCertRenew

[root@shibidp1 shibboleth-identityprovider-2.4.0]# ./install.sh renew-cert
Buildfile: src/installer/resources/build.xml

renew-cert:
This will create a new set of credentials for your IdP.  If you ran this command previously and still have '*.new' files, they will be overwritten.  Do you wish to proceed? (yes, [no])
yes
Where is the Shibboleth Identity Provider installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
idp1.tem-tsp.eu
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
secret
Generating new signing and encryption key, certificate, and keystore. 

BUILD SUCCESSFUL
Total time: 29 seconds

[root@shibidp1 shibboleth-identityprovider-2.4.0]# ls -ltr /opt/shibboleth-idp/credentials/ | tail -3 
-rw-r--r-- 1 root   root 1679 May 14 10:31 idp.key.new
-rw-r--r-- 1 root   root 1155 May 14 10:31 idp.crt.new
-rw-r--r-- 1 root   root 2173 May 14 10:31 idp.jks.new

[root@shibidp1 credentials]# cp idp.jks.new idp.jks
cp: overwrite `idp.jks'? y
[root@shibidp1 credentials]# cp idp.crt.new idp.crt
cp: overwrite `idp.crt'? y
[root@shibidp1 credentials]# cp idp.key.new idp.key
cp: overwrite `idp.key'? y

Change the hostname

[root@idpr shibboleth-idp]# grep idpr /etc/sysconfig/network
HOSTNAME="idpr.tem-tsp.eu"

[root@idpr metadata]# hostname
idpr.tem-tsp.eu

Certificates for the Apache front end

Change Apache's ssl.conf to load the new public certificates (TCS/Renater).

Publishing the metadata

Our own IdP's metadata must be modified: /opt/shibboleth-idp/metadata/idp-metadata.xml

  • change the entityID (only if it changes, which is not necessarily recommended!)
  • change the URLs of the service endpoints
  • change the certificate, pasting the base64 body of the new idp.crt into every ds:X509Certificate element (the certificate's subject does not need to match the host name: SPs trust the key found in the metadata, not the CN)
$ vim /opt/shibboleth-idp/metadata/idp-metadata.xml
...
< MIIDLDCCAhSgAwIBAgIVANglo+Sutu51HUayHY5NWsVctK5OMA0GCSqGSIb3DQEB
< BQUAMBsxGTAXBgNVBAMTEGlkcG10LnRlbS10c3AuZXUwHhcNMTQwNTE5MTEzMTQ4
...
---
> MIIDSDCCAjCgAwIBAgIVAOcj4Pu5khNxBuX5dSD5nr6TeIUhMA0GCSqGSIb3DQEB
> BQUAMCIxIDAeBgNVBAMTF3NoaWJpZHAzLml0LXN1ZHBhcmlzLmV1MB4XDTExMDkw
...
<         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idpr.tem-tsp.eu/idp/profile/Shibboleth/SSO"/>
---
>         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://shibidp1.it-sudparis.eu/idp/profile/Shibboleth/SSO"/>
...
<         <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idpr.tem-tsp.eu:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
---
>         <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shibidp1.it-sudparis.eu:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>

The new information must also be applied in the Renater registry: federation.renater.fr/registry

"technical information" tab ⇒ URL and certificate
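
Before publishing, it is worth checking that idp-metadata.xml really carries the new certificate and the new host name everywhere, which is what the diff above changes by hand. This added Python example (not part of the page nor of the Shibboleth project) compares every ds:X509Certificate with the body of idp.crt, ignoring line wrapping, and checks the host of every service Location. The metadata and certificate are constructed stand-ins (the base64 is a placeholder, not a real certificate), and the entityID is deliberately left unchecked since the page advises against changing it.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder base64 blobs standing in for the new and old certificates
# (constructed; they do not decode to real X.509 certificates).
NEW_B64 = "TkVXQ0VSVDAwMDFuZXdjZXJ0" * 3
OLD_B64 = "T0xEQ0VSVDAwMDFvbGRjZXJ0" * 3

# Constructed stand-in for /opt/shibboleth-idp/credentials/idp.crt, wrapped
# at 64 columns like a PEM file.
NEW_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + NEW_B64[:64] + "\n"
                + NEW_B64[64:] + "\n-----END CERTIFICATE-----\n")

# Constructed stand-in for idp-metadata.xml after a partial update: the
# signing certificate and the SSO endpoint were changed, the encryption
# certificate and the 8443 back-channel AttributeService were not.
METADATA_XML = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://shibidp1.it-sudparis.eu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {NEW_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {OLD_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idpr.tem-tsp.eu/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://shibidp1.it-sudparis.eu:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""


def pem_body(pem):
    """Base64 body of a PEM certificate, headers and all whitespace removed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return re.sub(r"\s+", "", body)


def check_metadata(metadata_xml, cert_pem, expected_host):
    """List the inconsistencies found; an empty list means the metadata is
    ready to publish for this certificate and host name."""
    root = ET.fromstring(metadata_xml)
    wanted = pem_body(cert_pem)
    problems = []
    # 1. every embedded certificate must be the new idp.crt (compared on the
    #    base64 body, so line wrapping differences do not matter)
    for key_descriptor in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = key_descriptor.get("use", "signing+encryption")
        for cert in key_descriptor.iter(f"{{{DS}}}X509Certificate"):
            if re.sub(r"\s+", "", cert.text or "") != wanted:
                problems.append(f"{use} certificate does not match idp.crt")
    # 2. every endpoint Location (front channel and 8443 back channel alike)
    #    must point at the new host; the entityID is deliberately not checked
    for elem in root.iter():
        location = elem.get("Location")
        if location is not None and urlparse(location).hostname != expected_host:
            tag = elem.tag.split("}")[-1]
            problems.append(f"{tag} Location still points at {urlparse(location).hostname}")
    return problems


if __name__ == "__main__":
    report = check_metadata(METADATA_XML, NEW_CERT_PEM, "idpr.tem-tsp.eu")
    for line in report or ["metadata consistent"]:
        print(line)
```

On the real file, read idp-metadata.xml and idp.crt from /opt/shibboleth-idp and pass the new host name; the sample deliberately leaves the encryption certificate and the back-channel endpoint stale so that both kinds of finding are shown.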

CAS filter

When a CAS filter is used, remember that the service URL CAS returns to carries our IdP's name, so the host name has to be changed there too! The CAS client also derives the service parameter for ticket validation from it, so a stale value makes every validation fail.

In /usr/local/shibboleth-identityprovider-2.4.0/src/main/webapp/WEB-INF/web.xml

<context-param>
<param-name>serverName</param-name>
<param-value>https://idpr.tem-tsp.eu</param-value>
</context-param>

Run install.sh again to deploy this new web.xml, taking care not to overwrite the current configuration.