Example deployment of a Shibboleth IdP (V3.0) on CentOS 7 using the distribution's native packages: the OpenJDK JVM and Tomcat 7 and/or Jetty 9.
https://wiki.shibboleth.net/confluence/display/IDP30/SystemRequirements
Oracle Java or OpenJDK versions 7 and 8 are supported, and the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are required. Only Tomcat 8 and Jetty 9.2 - Jetty 9.3 are officially supported by the project at this time.
[root@idp34 ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@idp3 ~]# arch
x86_64
[root@idp34 ~]# yum install java-1.8.0-openjdk-devel.x86_64
Installation 1 Paquet (+33 Paquets en dépendance)
Taille totale des téléchargements : 48 M
Taille d'installation : 163 M
Is this ok [y/d/N]: y
Installé :
  java-1.8.0-openjdk-devel.x86_64 1:1.8.0.191.b12-1.el7_6
Dépendances installées :
  alsa-lib.x86_64 0:1.1.6-2.el7  copy-jdk-configs.noarch 0:3.3-10.el7_5  dejavu-fonts-common.noarch 0:2.33-6.el7
  dejavu-sans-fonts.noarch 0:2.33-6.el7  fontconfig.x86_64 0:2.13.0-4.3.el7  fontpackages-filesystem.noarch 0:1.44-8.el7
  freetype.x86_64 0:2.8-12.el7  giflib.x86_64 0:4.1.6-9.el7  java-1.8.0-openjdk.x86_64 1:1.8.0.191.b12-1.el7_6
  java-1.8.0-openjdk-headless.x86_64 1:1.8.0.191.b12-1.el7_6  javapackages-tools.noarch 0:3.4.1-11.el7
  libICE.x86_64 0:1.0.9-9.el7  libSM.x86_64 0:1.2.2-2.el7  libX11.x86_64 0:1.6.5-2.el7  libX11-common.noarch 0:1.6.5-2.el7
  libXau.x86_64 0:1.0.8-2.1.el7  libXcomposite.x86_64 0:0.4.4-4.1.el7  libXext.x86_64 0:1.3.3-3.el7  libXi.x86_64 0:1.7.9-1.el7
  libXrender.x86_64 0:0.9.10-1.el7  libXtst.x86_64 0:1.2.3-1.el7  libfontenc.x86_64 0:1.1.3-3.el7  libjpeg-turbo.x86_64 0:1.2.90-6.el7
  libpng.x86_64 2:1.5.13-7.el7_2  libxcb.x86_64 0:1.13-1.el7  libxslt.x86_64 0:1.1.28-5.el7  lksctp-tools.x86_64 0:1.0.17-2.el7
  python-javapackages.noarch 0:3.4.1-11.el7  python-lxml.x86_64 0:3.2.1-4.el7  ttmkfdir.x86_64 0:3.0.9-42.el7
  tzdata-java.noarch 0:2018g-1.el7  xorg-x11-font-utils.x86_64 1:7.5-21.el7  xorg-x11-fonts-Type1.noarch 0:7.5-9.el7
Terminé !
Check the Java version:
[root@idp34 ~]# java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
[root@idp3 ~]# yum install tomcat tomcat-admin-webapps
Installé :
  tomcat.noarch 0:7.0.76-8.el7_5
  tomcat-admin-webapps.noarch 0:7.0.76-8.el7_5
Admin account for access to the manager/html application:
[root@idp3 tomcat]# diff -ur tomcat-users.xml.orig tomcat-users.xml --- tomcat-users.xml.orig 2016-05-11 22:26:59.631449352 +0200 +++ tomcat-users.xml 2016-05-11 22:29:33.294032465 +0200 @@ -34,13 +34,13 @@ <user username="role1" password="tomcat" roles="role1"/> --> -<!-- <role rolename="admin"/> --> -<!-- <role rolename="admin-gui"/> --> -<!-- <role rolename="admin-script"/> --> -<!-- <role rolename="manager"/> --> -<!-- <role rolename="manager-gui"/> --> -<!-- <role rolename="manager-script"/> --> -<!-- <role rolename="manager-jmx"/> --> -<!-- <role rolename="manager-status"/> --> -<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> --> +<role rolename="admin"/> +<role rolename="admin-gui"/> +<role rolename="admin-script"/> +<role rolename="manager"/> +<role rolename="manager-gui"/> +<role rolename="manager-script"/> +<role rolename="manager-jmx"/> +<role rolename="manager-status"/> +<user name="admin" password="secretadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> </tomcat-users>
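Review bot: the added `<user name="admin" password="secretadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />` grants one account every manager and admin role, while only manager-gui is needed for the /manager/html page this section sets up; Tomcat's Manager App HOW-TO advises against combining manager-gui with manager-script or manager-jmx on the same user, so prefer `<user name="admin" password="..." roles="manager-gui"/>` and a separate account if scripted deployment is ever required. The password is stored in clear text in this file, so keep tomcat-users.xml readable by the tomcat user only.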
[root@idp3 tomcat]# systemctl enable tomcat.service
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /usr/lib/systemd/system/tomcat.service.
[root@idp3 tomcat]# systemctl start tomcat.service
The server is now reachable, for example:
http://idp3.tem-tsp.eu:8080/manager/html (login/password as defined above)
Set up an AJP proxy so that Apache handles TLS and the default ports (80/443). Apache's mod_ssl must be installed to provide HTTPS:
[root@idp34 tomcat]# yum install mod_ssl
Installé :
  mod_ssl.x86_64 1:2.4.6-88.el7.centos
and configure it with our certificates:
[root@idp34 certs]# grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
SSLCertificateChainFile /etc/pki/tls/certs/chain-dc-TR1-CA2-idp-imtbstsp.pem
Finally, configure the AJP proxy to forward Apache's HTTPS requests to Tomcat:
[root@idp3 ~]# cat /etc/httpd/conf.d/shibboleth.conf
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
ProxyPass /manager/ ajp://127.0.0.1:8009/manager/
Access without port 8080:
http://idp3.tem-tsp.eu/manager/html
then over HTTPS through the AJP proxy, without specifying port 443.
Make sure the machine's clock is correct; on a VM, the host provides the time.
Download the latest version from http://shibboleth.net/downloads/identity-provider/
[root@idp34 ~]# wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
--2019-01-02 14:18:15--  https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 ~]# mkdir /opt/src
[root@idp34 ~]# mv shibboleth-identity-provider-3.4.2.tar.gz /opt/src/
[root@idp34 ~]# cd /opt/src/ ; tar xvfz shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 src]# cd shibboleth-identity-provider-3.4.2
[root@idp34 shibboleth-identity-provider-3.4.2]# ls
bin  conf  credentials  doc  flows  LICENSE.txt  logs  messages  metadata  system  views  webapp
This is a fresh install; when updating, be careful not to overwrite everything!
[root@idp34 shibboleth-identity-provider-3.4.2]# export JAVA_HOME=/usr/lib/jvm/java
[root@idp34 shibboleth-identity-provider-3.4.2]# ./bin/install.sh
Source (Distribution) Directory (press <enter> to accept default): [/opt/src/shibboleth-identity-provider-3.4.2]
Installation Directory: [/opt/shibboleth-idp]
Hostname: [idp34.int-evry.fr] idp3.imtbstsp.eu
SAML EntityID: [https://idp3.imtbstsp.eu/idp/shibboleth]
Attribute Scope: [int-evry.fr] imtbstsp.eu
Backchannel PKCS12 Password: O gl Back d
Re-enter password:
Cookie Encryption Key Password: O gl Cookie d
Re-enter password:
Warning: /opt/shibboleth-idp/bin does not exist.
Warning: /opt/shibboleth-idp/edit-webapp does not exist.
Warning: /opt/shibboleth-idp/dist does not exist.
Warning: /opt/shibboleth-idp/doc does not exist.
Warning: /opt/shibboleth-idp/system does not exist.
Generating Signing Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Encryption Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Backchannel keystore, CN = idpr3.imtbs-tsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 2 minutes 14 seconds
Credential files created:
[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /opt/shibboleth-idp/credentials/
total 32
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-backchannel.crt
-rw-r--r-- 1 root root 3399  2 janv. 14:23 idp-backchannel.p12
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-encryption.crt
-rw------- 1 root root 2455  2 janv. 14:23 idp-encryption.key
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-signing.crt
-rw------- 1 root root 2459  2 janv. 14:23 idp-signing.key
-rw-r--r-- 1 root root  502  2 janv. 14:23 sealer.jks
-rw-r--r-- 1 root root   47  2 janv. 14:23 sealer.kver
The installation tree must be owned by tomcat:
[root@idp34 shibboleth-identity-provider-3.4.2]# chown -R tomcat /opt/shibboleth-idp/
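As an added check (not from the original page or the Shibboleth project), the following shell function tightens ownership and permissions on the credentials directory after the chown above. The listing of the directory shows idp-backchannel.p12 and sealer.jks created world-readable (0644) although both hold private key material, and chown alone does not change that. The service account name, the directory path and the mode table are assumptions.

```shell
#!/bin/sh
# Added example: harden the Shibboleth IdP credentials directory.
# Usage: harden_idp_credentials /opt/shibboleth-idp/credentials tomcat
# Returns 0 when every file ends up with the expected mode, 1 otherwise.

harden_idp_credentials() {
    dir="$1"
    owner="${2:-tomcat}"     # assumed service account, as used on the page
    rc=0

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Nothing below the credentials directory needs to be reachable by others.
    chown -R "$owner" "$dir" || return 1
    chmod 750 "$dir"

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            # Private key material: raw keys, PKCS#12 bundles, the sealer
            # keystore and its version file are readable by the owner only.
            *.key|*.p12|*.jks|*.kver) want=600 ;;
            # Public certificates may stay world-readable.
            *.crt|*.pem)              want=644 ;;
            # Anything unexpected is treated as sensitive.
            *)                        want=600 ;;
        esac
        chmod "$want" "$f"
        have=$(stat -c %a "$f")
        if [ "$have" != "$want" ]; then
            echo "FAIL $f has mode $have (wanted $want)" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the octal mode of a file or directory (used to verify the result).
file_mode() { stat -c %a "$1"; }
```

Run it once after install.sh and again after any credential regeneration; the function reports and returns non-zero if a file could not be brought to the expected mode.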
The idp.xml file deploys the IdP webapp automatically, without having to copy the .war archive into Tomcat's webapps/ directory.
[root@idp3 localhost]# cat /etc/tomcat/Catalina/localhost/idp.xml
<Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false" swallowOutput="true" />
A few seconds later, thanks to auto-deploy:
[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /var/lib/tomcat/webapps/idp/
total 32
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 css
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 images
-rw-r--r-- 1 tomcat tomcat 1008  2 janv. 14:23 index.jsp
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 js
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 META-INF
drwxr-xr-x 5 tomcat tomcat 4096  2 janv. 14:28 WEB-INF
-rw-r--r-- 1 tomcat tomcat 5389  2 janv. 14:23 x509-prompt.jsp
Test access at http://idp3.tem-tsp.eu:8080/idp/status
At first, this page did not display:
java.lang.NoClassDefFoundError: javax/servlet/jsp/jstl/core/Config
    org.springframework.web.servlet.support.JstlUtils.exposeLocalizationContext(JstlUtils.java:101)
The JSTL library (see http://stackoverflow.com/tags/jstl/info) must be added; it is not provided by default (risk of conflict with JBoss). See also https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp, section 6.13 "IdP status URL configuration", or https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java (jstl).
[root@idp34 shibboleth-identity-provider-3.4.2]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
[root@idp34 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
2019-01-02 14:34:08 (9,27 MB/s) - «jstl-1.2.jar» sauvegardé [414240/414240]
[root@idp34 lib]# systemctl restart tomcat
For HTTPS access to the status page, the source IP of the admin's browser must be allowed:
# vim /opt/shibboleth-idp/conf/access-control.xml
...
<util:map id="shibboleth.AccessControlPolicies">
    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
              p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
    </entry>
...
Now reachable at https://idp3.imtbstsp.eu/idp/status
The status is also available from the shell:
[root@idp34 bin]# /opt/shibboleth-idp/bin/status.sh
### Operating Environment Information
operating_system: Linux
operating_system_version: 3.10.0
operating_system_architecture: amd64
jdk_version: 1.8.0_191
available_cores: 12
used_memory: 137 MB
maximum_memory: 455 MB

### Identity Provider Information
idp_version: 3.4.2
start_time: 2019-01-02T14:35:21Z
current_time: 2019-01-02T14:36:42Z
uptime: 80907 ms
The system clock must be correct (SAML exchanges are timestamped).
If using an OpenVZ VM, see VZ capabilities: http://unix.stackexchange.com/questions/68016/error-when-running-ntpd-on-openvz-host-cap-set-proc-failed-to-drop-root-privi
[root@hardnode ~]# vzctl set 1033 --capability sys_time:on --save
CT configuration saved to /etc/vz/conf/1033.conf
Since version 3 the configuration is split across several files; backing up the originals from the distribution is recommended:
[root@idp3 conf]# cp -p relying-party.xml relying-party.xml.dist
[root@idp3 conf]# cp -p attribute-resolver.xml attribute-resolver.xml.dist
[root@idp3 conf]# cp -p attribute-filter.xml attribute-filter.xml.dist
Registration in the RENATER test federation: first retrieve the certificate that signs the RENATER metadata.
[root@idp34]# cd /opt/shibboleth-idp/credentials/
[root@idp34 credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem
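The certificate just downloaded is what the SignatureValidation filter will trust for every SP in the federation, so it is worth checking before use. The following shell functions are an added example (not from the original page or from RENATER): they compare the certificate's SHA-256 fingerprint with the value the federation operator publishes out of band and check that it is not close to expiry. The expected fingerprint, file names and the 30-day threshold are assumptions to be replaced with the federation's published values.

```shell
#!/bin/sh
# Added example: sanity-check a federation metadata signing certificate.
# Usage: check_signing_cert renater-metadata-signing-cert-2016.pem EXPECTED_SHA256 [MIN_DAYS]
# Returns 0 when the fingerprint matches and the certificate stays valid for
# at least MIN_DAYS (default 30), 1 otherwise.

cert_sha256() {
    # Print the SHA-256 fingerprint as lower-case "ab:cd:..." so that it can be
    # compared with the value announced by the federation regardless of case.
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

check_signing_cert() {
    cert="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # pinned value (assumed input)
    min_days="${3:-30}"
    rc=0

    [ -r "$cert" ] || { echo "unreadable certificate: $cert" >&2; return 1; }

    actual=$(cert_sha256 "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL fingerprint mismatch: got $actual" >&2
        rc=1
    fi

    # "openssl x509 -checkend N" exits non-zero if the cert expires within N seconds;
    # an expired signing certificate would make every metadata refresh fail.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL certificate expires within $min_days days" >&2
        rc=1
    fi
    return $rc
}
```

The pinned fingerprint has to come from a channel other than the download itself (the federation's documentation or a signed announcement); a check that derives the expected value from the same file it verifies proves nothing. Scheduling the expiry check from cron gives advance warning before the filter starts rejecting metadata.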
Add loading of the RENATER test metadata:
[root@idp3 conf]# tail -18 metadata-providers.xml
    <!-- RENATER test federation -->
    <MetadataProvider id="RenaterTestMetadata" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
        metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>
</MetadataProvider>
The first time, restart Tomcat so that the initial download of the file takes place:
[root@idp34 conf]# systemctl restart tomcat.service
[root@idp34 conf]# ls -ltr ../metadata/
total 31308
-rw-r--r-- 1 tomcat root     14590  2 janv. 14:23 idp-metadata.xml
-rw-r--r-- 1 tomcat tomcat 6787283  2 janv. 14:47 preview-sps-renater-test-metadata.xml
Afterwards, a simple reload of the metadata service for this federation is enough:
[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-metadata.sh -id=RenaterTestMetadata
Metadata reloaded.

idp-process.log:
2019-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: New metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml'
2019-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time)
2019-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||
URL for viewing our IdP's metadata:
First test with simple LDAP authentication:
[root@idp3 conf]# diff ldap.properties ldap.properties.dist
8,9c8,9
< idp.authn.LDAP.ldapURL = ldap://ldap.int.eu:389
< idp.authn.LDAP.useStartTLS = true
---
> idp.authn.LDAP.ldapURL = ldap://localhost:10389
> #idp.authn.LDAP.useStartTLS = true
16c16
< idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/chain-29966-_.int.eu.pem
---
> idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
18c18
< #idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
---
> idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
28c28
< idp.authn.LDAP.baseDN = ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
33,34c33,34
< idp.authn.LDAP.bindDN = uid=binduser,dc=int,dc=fr
< idp.authn.LDAP.bindDNCredential = secret
---
> idp.authn.LDAP.bindDN = uid=myservice,ou=system
> idp.authn.LDAP.bindDNCredential = myServicePassword
38c38
< idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
[root@idp3 conf]# systemctl restart tomcat.service
The login page built into the IdP can be customised, see:
# vim /opt/src/shibboleth-identity-provider-3.3.0/system/messages/messages.properties
...
idp.logo = /images/etablissement-logo-site.png
...
root.title = Shibboleth IdP Etablissement.fr
...
Put the logo in the source images directory. Oddly, a bin/install.sh run did deploy the new messages.properties but not the logo PNG into /var/lib/tomcat/webapps/idp/images/, which I had to copy by hand (cp).
attribute-resolver-ldap.xml relies on the variables defined above in ldap.properties; here we only deactivate StartTLSTrustCredential (by commenting it out):
[root@idp3 conf]# cp attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idp3 conf]# diff attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
92d91
< <!--
97d95
< -->

and declare the use of attribute-resolver-ldap in services.xml:

[root@idp3 conf]# diff services.xml services.xml.dist
113c113
< <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
---
> <value>%{idp.home}/conf/attribute-resolver.xml</value>
We take the shipped example and extend it to all SPs (ANY):
[root@idp3 conf]# diff attribute-filter.xml attribute-filter.xml.dist
18,19c18
< <!-- <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" /> -->
< <PolicyRequirementRule xsi:type="ANY" />
---
> <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
Configuration reloaded.
Be careful when porting home-made attribute filters from v2 to v3: the schemas have changed, e.g. "basic:OR" simply becomes "OR". See https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterLegacyNameSpaceMapping and https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration#AttributeFilterConfiguration-SchemaName
Example of automatic replacement of v2 syntax by v3 syntax with "vi" in attribute-resolver.xml:
:1,$s/basic:AttributeRequesterString/Requester/g
:1,$s/basic:AttributeValueString/Value/g
:1,$s/basic:Rule/Rule/g
:1,$s/saml:AttributeRequesterInEntityGroup/InEntityGroup/g
:1,$s/basic:ANY/ANY/g
:1,$s/basic:OR/OR/g
[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://test.federation.renater.fr/test/ressource --configDir=conf/ --principal=etudiant1
{
  "requester": "https://test.federation.renater.fr/test/ressource",
  "principal": "etudiant1",
  "attributes": [
    { "name": "uid", "values": [ "StringAttributeValue{value=etudiant1}" ] },
    { "name": "mail", "values": [ "StringAttributeValue{value=etudiant1@example.org}" ] },
    { "name": "eduPersonPrincipalName", "values": [ "ScopedStringAttributeValue{value=etudiant1, scope=int.eu}" ] }
  ]
}
First, in the RENATER test federation:
With the password scheme set by default to LDAP, a login/password from the configured institutional LDAP directory gives access to the RENATER test resource https://test.federation.renater.fr/test/ressource, which displays the list of attributes sent and, new in v3, now asks for consent (the uApprove add-on in v2):
Information to be Provided to Service
eduPersonPrincipalName   teststud@int.fr
mail                     teststud@example.org
uid                      teststud
Ask me again at next login
Ask me again if information to be provided to this service changes
Do not ask me again
idp-process.log:
2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|
https://services.renater.fr/federation/docs/installation/idp3/chap08
[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
...
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
..
[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
total 8
-rw-r--r-- 1 root root 2290  2 janv. 21:23 shibcas-authn-flow.xml
-rw-r--r-- 1 root root 3241  2 janv. 21:23 shibcas-authn-beans.xml
[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
Modify the web flow to use the CAS plugin, via /opt/shibboleth-idp/conf/idp.properties:
[root@idp3 conf]# diff idp.properties idp.properties.dist
100,114c100
< #idp.authn.flows= Password
< idp.authn.flows= Shibcas
<
< # CAS Client properties (usage loosely matches that of the Java CAS Client)
< ## CAS Server Properties
< shibcas.casServerUrlPrefix = https://cas16.int.eu/cas
< shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
<
< ## Shibboleth Server Properties
< shibcas.serverName = https://cas16.int.eu
<
< # The part below is an advanced (optional) feature of the shib-cas extension
< # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
< # Takes a comma separated list of fully qualified class names
< # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
---
> idp.authn.flows= Password
Declare the Shibcas bean in general-authn.xml:
[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist
[root@idp3 authn]# diff general-authn.xml general-authn.xml.dist
93,98d92
< <!-- https://services.renater.fr/federation/docs/installation/idp3/chap08 -->
< <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
<     p:passiveAuthenticationSupported="true"
<     p:forcedAuthenticationSupported="true"
<     p:nonBrowserSupported="false" />
<
Then rebuild idp.war and stop/start Tomcat:
[root@idp3 bin]# systemctl start tomcat.service
[root@idp3 bin]# /opt/shibboleth-idp/bin/build.sh
Installation Directory: [/opt/shibboleth-idp]   RETURN (!?)
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
# Remove the whole deployment from Tomcat's webapps tree, to be sure the new idp.war replaces everything
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# systemctl start tomcat.service
A new test on https://test.federation.renater.fr/test/ressource confirms that we now go through CAS.
https://services.renater.fr/federation/docs/installation/idp3/chap10
The large number of SPs, and their frequent changes, in a large federation such as RENATER's call for some automation in managing the filters. "Since 2015 and IdP 2.4, Shibboleth introduces a new PermitValueRule of type AttributeInMetadata, usable in your attribute-filter.xml configuration file. For a set of SPs, this feature lets you release user attributes as narrowly as possible, only when the SP declares them as requested in the federation metadata. The onlyIfRequired option further limits release to attributes marked as required."
We add the rules proposed in the RENATER documentation:
<!-- Release the required attributes, Test Federation context -->
<AttributeFilterPolicy id="releaseToAllRenaterSps">
....
Then redeploy:
[root@idp3 conf]# vim attribute-filter.xml
[root@idp3 shibboleth-idp]# cd ../bin/
[root@idp3 bin]# systemctl stop tomcat.service
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# ./build.sh
Installation Directory: [/opt/shibboleth-idp]
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 4 seconds
[root@idp3 bin]#
[root@idp3 bin]# systemctl start tomcat.service
A new test on https://test.federation.renater.fr/test/ressource now shows more attributes.
The "entitlement" attribute is built by a script; this changes between IdP v2 and v3 on several points, both in the schema and in the JavaScript engine: Java 1.7 (Rhino) vs 1.8 (Nashorn).
References:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJava1.8
https://wiki.shibboleth.net/confluence/display/IDP30/ScriptedAttributeDefinition
Example:
<!-- jehan eduPersonEntitlement -->
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="schacUserStatus" />
    <resolver:Dependency ref="mail" />
    <resolver:Dependency ref="eduPersonPrimaryOrgUnitDN" />
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="entitlement" />
    <Script>
        <![CDATA[
        var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");

        // In IdP v3 the attribute being defined (eduPersonEntitlement) is pre-bound by the
        // resolver, so the v2 "new BasicAttribute(...)" fallback is not needed; the v2 class
        // it referenced (edu.internet2.middleware...BasicAttribute) is not on the v3 classpath.
        if (schacUserStatus != null && mail != null) {
            // One entitlement per matching schacUserStatus value.
            for (var i = 0; i < schacUserStatus.getValues().size(); i++) {
                var status = schacUserStatus.getValues().get(i);
                if (status.matches(".*cert.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:terena.org:tcs:perso-user");
                } else if (status.matches(".*pubhtml.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:imt:employee:int.fr:perso-webspace");
                }
            }
            // Entitlement derived from the primary organizational unit, when present.
            if (eduPersonPrimaryOrgUnitDN != null) {
                var ou = eduPersonPrimaryOrgUnitDN.getValues().get(0);
                if (ou.matches(".*DSI.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:int:it:int.fr:dsi-user");
                } else if (ou.matches(".*INTM.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:int:staff:int.fr:intm-user");
                }
            }
            // No empty value is added when the OU is missing: an empty entitlement would
            // otherwise be released to every SP that asks for the attribute.
        }
        logger.info("Values of eduPersonEntitlement were: {}", eduPersonEntitlement.getValues());
        ]]>
    </Script>
</resolver:AttributeDefinition>
Regenerating the (self-signed) metadata certificates when the hostname changes and/or a VM is cloned, so that the published metadata carries the correct internal SAML certificates.
[root@idp3 credentials]# openssl req -x509 -new -out idp3-signing.crt -keyout idp3-signing.key -days 3650
writing new private key to 'idp3-signing.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:Essonne
Locality Name (eg, city) [Default City]:Evry
Organization Name (eg, company) [Default Company Ltd]:IMT
Organizational Unit Name (eg, section) []:DISI
Common Name (eg, your name or your server's hostname) []:idp3.int.eu
Email Address []:admin@int.eu
Remove the passphrase:
[root@idp3 credentials]# openssl rsa -in idp3-signing.key -out idp3-signing-np.key
Enter pass phrase for idp3-signing.key:
writing RSA key
Same for the encryption and backchannel keys:
[root@idp3 credentials]# openssl req -x509 -new -out idp3-encryption.crt -keyout idp3-encryption.key -days 3650
# openssl rsa -in idp3-encryption.key -out idp3-encryption-np.key
[root@idp3 credentials]# openssl req -x509 -new -out idp3-backchannel.crt -keyout idp3-backchannel.key -days 3650
# openssl rsa -in idp3-backchannel.key -out idp3-backchannel-np.key
Removing the passphrase from the .p12: http://blog.armbruster-it.de/2010/03/remove-the-passphrase-from-a-pkcs12-certificate/
[root@idp3 credentials]# openssl pkcs12 -in idp3-backchannel.p12 -nodes -out idp3-p12-p-temp.pem
Enter Import Password:
MAC verified OK
[root@idp3 credentials]# openssl pkcs12 -export -in idp3-p12-p-temp.pem -out idp3-backchannel-np.p12
Enter Export Password:   (leave empty)
Verifying - Enter Export Password:   (leave empty)
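The interactive sequence above (encrypted key, then "openssl rsa" to strip the passphrase, then a PKCS#12 round trip) can be collapsed into one non-interactive step. The shell function below is an added example, not from the original page or from the Shibboleth project: it regenerates the three self-signed credentials for a given hostname with unencrypted keys written owner-readable only, and exports the backchannel PKCS#12 with an empty password as the page does. Hostname, output directory, validity and key size are parameters or assumptions; the helper functions let you confirm the result before copying the files into /opt/shibboleth-idp/credentials and updating idp-metadata.xml.

```shell
#!/bin/sh
# Added example: regenerate self-signed signing/encryption/backchannel credentials.
# Usage: regen_idp_credentials idp3.int.eu /opt/shibboleth-idp/credentials [DAYS]
# Returns 0 on success, non-zero if any openssl step fails.

regen_idp_credentials() {
    host="$1"
    out="${2:-.}"
    days="${3:-3650}"    # same validity as on the page
    mkdir -p "$out" || return 1
    (
        # Subshell so the restrictive umask does not leak into the caller:
        # private keys are created as 0600 without a separate chmod.
        umask 077
        for role in signing encryption backchannel; do
            # -nodes writes the private key unencrypted, so there is no
            # passphrase to remove afterwards; -subj avoids the prompts.
            openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 \
                -subj "/CN=$host" -days "$days" \
                -keyout "$out/idp-$role.key" -out "$out/idp-$role.crt" \
                >/dev/null 2>&1 || exit 1
            chmod 644 "$out/idp-$role.crt"   # certificates are public
        done
        # The backchannel connector wants a PKCS#12; "-passout pass:" exports it
        # with an empty password, like the empty "Enter Export Password" above.
        openssl pkcs12 -export -name idp-backchannel \
            -inkey "$out/idp-backchannel.key" -in "$out/idp-backchannel.crt" \
            -out "$out/idp-backchannel.p12" -passout pass: \
            >/dev/null 2>&1 || exit 1
    )
}

# Print the subject CN of a certificate, to confirm the hostname baked into it.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Check that a certificate and a private key belong together (same RSA modulus).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
    k=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Because the keys are written in clear, the directory they land in must stay readable by the tomcat user only; an empty PKCS#12 password protects nothing, so the file's permissions are the only control on the backchannel key.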
Although this does not seem very useful in the federation context, the local metadata/idp-metadata.xml file should be updated to stay consistent with these new certificates and with the entityID and the hostname of the service URLs.