Idpv3x-c8

references

context

Example deployment of an IdP (v3.4) on a CentOS 8 using that distribution's native packages, i.e. an OpenJDK 8 JVM (11 is possible, but with potential LDAP problems: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPonJava%3E8)

https://wiki.shibboleth.net/confluence/display/IDP30/SystemRequirements

[root@idpx ~]# cat /etc/redhat-release 
CentOS Linux release 8.0.1905 (Core) 

java 8 jdk

[root@idpx ~]# yum install java-1.8.0-openjdk-devel.x86_64

Installer        54 Paquets
Mettre à niveau   1 Paquet

Taille totale des téléchargements : 56 M
Voulez-vous continuer ? [o/N] : o

Mis à niveau:
  lua-libs-5.3.4-11.el8.x86_64                                                                                                                                                                

Installé:
  java-1.8.0-openjdk-devel-1:1.8.0.252.b09-2.el8_1.x86_64        gtk2-2.24.32-4.el8.x86_64                                             alsa-lib-1.1.9-4.el8.x86_64                          
  atk-2.28.1-1.el8.x86_64                                        cairo-1.15.12-3.el8.x86_64                                            copy-jdk-configs-3.7-1.el8.noarch                    
  fribidi-1.0.4-7.el8_1.x86_64                                   gdk-pixbuf2-modules-2.36.12-5.el8.x86_64                              giflib-5.1.4-3.el8.x86_64                            
  graphite2-1.3.10-10.el8.x86_64                                 gtk-update-icon-cache-3.22.30-4.el8.x86_64                            harfbuzz-1.7.5-3.el8.x86_64                          
  hicolor-icon-theme-0.17-2.el8.noarch                           jasper-libs-2.0.14-4.el8.x86_64                                       java-1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1.x86_64    
  java-1.8.0-openjdk-headless-1:1.8.0.252.b09-2.el8_1.x86_64     javapackages-filesystem-5.3.0-1.module_el8.0.0+11+5b8c10bd.noarch     jbigkit-libs-2.1-14.el8.x86_64                       
  libX11-1.6.7-1.el8.x86_64                                      libX11-common-1.6.7-1.el8.noarch                                      libXau-1.0.8-13.el8.x86_64                           
  libXcomposite-0.4.4-14.el8.x86_64                              libXcursor-1.1.15-3.el8.x86_64                                        libXdamage-1.1.4-14.el8.x86_64                       
  libXext-1.3.3-9.el8.x86_64                                     libXfixes-5.0.3-7.el8.x86_64                                          libXft-2.3.2-10.el8.x86_64                           
  libXi-1.7.9-7.el8.x86_64                                       libXinerama-1.1.4-1.el8.x86_64                                        libXrandr-1.5.1-7.el8.x86_64                         
  libXrender-0.9.10-7.el8.x86_64                                 libXtst-1.2.3-7.el8.x86_64                                            libdatrie-0.2.9-7.el8.x86_64                         
  libfontenc-1.1.3-8.el8.x86_64                                  libjpeg-turbo-1.5.3-10.el8.x86_64                                     libthai-0.1.27-2.el8.x86_64                          
  libtiff-4.0.9-15.el8.x86_64                                    libxcb-1.13-5.el8.x86_64                                              lua-5.3.4-11.el8.x86_64                              
  pango-1.42.4-6.el8.x86_64                                      pixman-0.36.0-1.el8.x86_64                                            ttmkfdir-3.0.9-54.el8.x86_64                         
  tzdata-java-2019c-1.el8.noarch                                 xorg-x11-font-utils-1:7.5-40.el8.x86_64                               xorg-x11-fonts-Type1-7.5-19.el8.noarch               
  dejavu-fonts-common-2.35-6.el8.noarch                          dejavu-sans-fonts-2.35-6.el8.noarch                                   fontconfig-2.13.1-3.el8.x86_64                       
  fontpackages-filesystem-1.44-22.el8.noarch                     freetype-2.9.1-4.el8.x86_64                                           gdk-pixbuf2-2.36.12-5.el8.x86_64                     
  libpng-2:1.6.34-5.el8.x86_64                                   lksctp-tools-1.0.18-3.el8.x86_64                                      shared-mime-info-1.9-3.el8.x86_64     

test java version

[root@idpx ~]# java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)

tomcat

Red Hat, and therefore CentOS, no longer ships a tomcat package (they push JBoss instead), so we install a Tomcat 9 from the tar.gz:

tomcat user

[root@idpx ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat

tomcat package tgz

[root@idpx ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.35/bin/apache-tomcat-9.0.35.tar.gz


[root@idpx ~]# cd /opt
[root@idpx opt]# tar xvfz /root/apache-tomcat-9.0.35.tar.gz

[root@idpx opt]# mv apache-tomcat-9.0.35/* ./tomcat/

result

[root@idpx opt]# ls -al tomcat/
total 164
drwx------ 9 tomcat tomcat  4096 Jun  4 21:56 .
drwxr-xr-x 5 root   root    4096 Jun  4 21:54 ..
-rw-r--r-- 1 tomcat tomcat    18 Oct  1  2019 .bash_logout
-rw-r--r-- 1 tomcat tomcat   141 Oct  1  2019 .bash_profile
-rw-r--r-- 1 tomcat tomcat   312 Oct  1  2019 .bashrc
-rw-r----- 1 root   root   18982 May  5 22:40 BUILDING.txt
-rw-r----- 1 root   root    5409 May  5 22:40 CONTRIBUTING.md
-rw-r----- 1 root   root   57092 May  5 22:40 LICENSE
-rw-r----- 1 root   root    2333 May  5 22:40 NOTICE
-rw-r----- 1 root   root    3255 May  5 22:40 README.md
-rw-r----- 1 root   root    6898 May  5 22:40 RELEASE-NOTES
-rw-r----- 1 root   root   16262 May  5 22:40 RUNNING.txt
drwxr-x--- 2 root   root    4096 Jun  4 21:54 bin
drwx------ 2 root   root    4096 May  5 22:40 conf
drwxr-x--- 2 root   root    4096 Jun  4 21:54 lib
drwxr-x--- 2 root   root    4096 May  5 22:36 logs
drwxr-x--- 2 root   root    4096 Jun  4 21:54 temp
drwxr-x--- 7 root   root    4096 May  5 22:37 webapps
drwxr-x--- 2 root   root    4096 May  5 22:36 work

assigning ownership of the tree to the tomcat account

[root@idpx opt]# chown -R tomcat:tomcat /opt/tomcat/

tomcat configuration

manager access

[root@idpx opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
20c20
<          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
---
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

admin account for access to the manager/html application

[root@idpx opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
44,46d43
<   <role rolename="manager-gui"/>
<   <role rolename="admin-gui"/>
<   <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>

enabling via systemd

[root@idpx opt]# vim /etc/systemd/system/tomcat.service
[root@idpx opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

start

[root@idpx ~]# systemctl daemon-reload
[root@idpx ~]# systemctl enable tomcat.service
[root@idpx ~]# systemctl start tomcat.service

firewall

[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@idpx opt]# firewall-cmd --reload
success

[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
success
[root@idpx opt]# firewall-cmd --reload
success

or, more generally

firewall-cmd --zone=public --permanent --add-port=8080/tcp

tomcat access

the server is now reachable, for example:

http://idpx.tem-tsp.eu:8080/manager/html (login/password defined above)

unless the client's source IP address is not permitted by the manager application's access control; see the IP addresses in the allow parameter:

[root@idpx ~]# vim /opt/tomcat/webapps/manager/META-INF/context.xml 

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.10|10.10.10.11" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>

proxy and TLS via apache

https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html https://tomcat.apache.org/tomcat-9.0-doc/connectors.html https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp (secretRequired="false")

setting up a proxy so that apache handles TLS and the default ports (80/443); apache's mod_ssl must be installed to get https

[root@idpx opt]# yum install httpd mod_ssl

Total download size: 2.0 M
Is this ok [y/N]: y
                 

and configure it with our certificates

[root@idpx certs]#grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
SSLCertificateChainFile /etc/pki/tls/certs/chain-dc-TR1-CA2-idp-imtbstsp.pem

finally configure proxy-ajp to forward apache's https requests to tomcat

[root@idpx ~]# cat /etc/httpd/conf.d/shibboleth.conf
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
ProxyPass /manager/ ajp://127.0.0.1:8009/manager/

and enable it on the tomcat side

[root@idpx opt]# vim /opt/tomcat/conf/server.xml 
<!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector protocol="AJP/1.3"
               port="8009"
               secretRequired="false"
               address="127.0.0.1"
               redirectPort="8443" />

without the option secretRequired="false" (see https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp), the manager cannot be reached through proxy_ajp; it would be better to control this access by restricting proxy access to 127.0.0.1 only, between httpd and tomcat.
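As an added example (not from the original page, nor from the Tomcat or Shibboleth projects), here is the hardened form of the connector above, using a shared secret on both sides instead of secretRequired="false", plus a small audit of an existing server.xml. The `secret`/`secretRequired` connector attributes assume Tomcat 9.0.31 or later, and the `secret=` ProxyPass key assumes an httpd whose mod_proxy_ajp supports it (2.4.42 upstream or a distribution backport).

```shell
#!/bin/sh
# Added example, not from the original page: generate an AJP connector that is
# bound to loopback AND requires a shared secret, the matching mod_proxy_ajp
# directives for httpd, and an audit function for an existing server.xml.
# Assumptions: Tomcat 9.0.31+ ("secret" / "secretRequired" attributes), an
# httpd whose mod_proxy_ajp accepts the "secret=" ProxyPass key (2.4.42 upstream
# or a distribution backport), GNU sed/grep as shipped on CentOS.

# 32 hex characters from the kernel RNG; the secret lives only in server.xml
# and the httpd conf, so keep both files unreadable to other local users.
gen_ajp_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Replacement for the connector shown above: same loopback binding, but a
# request without the secret is rejected instead of being served.
render_ajp_connector() {
    cat <<EOF
<!-- AJP 1.3 connector: loopback only, shared secret required -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="$1"
           redirectPort="8443" />
EOF
}

# httpd side (shibboleth.conf on this page): the same secret on every ProxyPass
# that targets the connector.
render_proxy_conf() {
    cat <<EOF
ProxyPass "/idp/" "ajp://127.0.0.1:8009/idp/" secret=$1 retry=0
ProxyPass "/manager/" "ajp://127.0.0.1:8009/manager/" secret=$1
EOF
}

# Flatten server.xml to one line and drop XML comments, so that the default
# commented-out AJP connector is not mistaken for a live one.
flat_xml() {
    tr '\n' ' ' < "$1" | sed 's/-->/-->\n/g' | sed 's/<!--.*-->//'
}

# Audit: exit 0 when every live AJP connector in FILE is bound to 127.0.0.1 and
# does not set secretRequired="false"; exit 1 otherwise.
check_ajp_connectors() {
    elems=$(flat_xml "$1" | grep -o '<Connector[^>]*>' | grep 'AJP/1.3' || true)
    total=$(printf '%s\n' "$elems" | grep -c 'AJP/1.3' || true)
    good=$(printf '%s\n' "$elems" | grep 'address="127\.0\.0\.1"' \
           | grep -vc 'secretRequired="false"' || true)
    [ "$total" -eq "$good" ]
}

# Typical use on the host described on this page:
#   check_ajp_connectors /opt/tomcat/conf/server.xml || echo "AJP connector needs hardening"
#   s=$(gen_ajp_secret); render_ajp_connector "$s"; render_proxy_conf "$s"
```

With the secret in place, the connector stays on 127.0.0.1 as on this page, and a request that reaches port 8009 without the secret is refused by Tomcat rather than served.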

start httpd and check that the AJP module is present

[root@idpx opt]# systemctl start httpd.service 
[root@idpx opt]# httpd -M | grep ajp

 proxy_ajp_module (shared)

access without port 8080:

http://idpx.imtbstsp.eu/manager/html

then over https via proxy-ajp, without specifying port 443

https://idpx.imtbstsp.eu/manager/html

ntp

make sure the machine's clock is correct; on a VM it is the host machine that provides the time

shibboleth IDP

download

download the latest version from http://shibboleth.net/downloads/identity-provider/

[root@idp34 ~]# wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
--2019-01-02 14:18:15--  https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 ~]# mkdir /opt/src
[root@idp34 ~]# mv shibboleth-identity-provider-3.4.2.tar.gz /opt/src/
[root@idp34 ~]# cd /opt/src/ ; tar xvfz shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 src]# cd shibboleth-identity-provider-3.4.2
[root@idp34 shibboleth-identity-provider-3.4.2]# ls
bin  conf  credentials  doc  flows  LICENSE.txt  logs  messages  metadata  system  views  webapp

install

fresh install here; careful, in case of an update do not overwrite everything!

[root@idp34 shibboleth-identity-provider-3.4.2]# export JAVA_HOME=/usr/lib/jvm/java
[root@idp34 shibboleth-identity-provider-3.4.2]# ./bin/install.sh
Source (Distribution) Directory (press <enter> to accept default): [/opt/src/shibboleth-identity-provider-3.4.2]

Installation Directory: [/opt/shibboleth-idp]

Hostname: [idp34.int-evry.fr]
idp3.imtbstsp.eu
SAML EntityID: [https://idp3.imtbstsp.eu/idp/shibboleth]

Attribute Scope: [int-evry.fr]
imtbstsp.eu
Backchannel PKCS12 Password: O gl Back d
Re-enter password: 
Cookie Encryption Key Password: O gl Cookie d
Re-enter password: 
Warning: /opt/shibboleth-idp/bin does not exist.
Warning: /opt/shibboleth-idp/edit-webapp does not exist.
Warning: /opt/shibboleth-idp/dist does not exist.
Warning: /opt/shibboleth-idp/doc does not exist.
Warning: /opt/shibboleth-idp/system does not exist.
Generating Signing Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Encryption Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Backchannel keystore, CN = idpr3.imtbs-tsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done

BUILD SUCCESSFUL
Total time: 2 minutes 14 seconds

credential files created

[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /opt/shibboleth-idp/credentials/
total 32
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-backchannel.crt
-rw-r--r-- 1 root root 3399  2 janv. 14:23 idp-backchannel.p12
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-encryption.crt
-rw------- 1 root root 2455  2 janv. 14:23 idp-encryption.key
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-signing.crt
-rw------- 1 root root 2459  2 janv. 14:23 idp-signing.key
-rw-r--r-- 1 root root  502  2 janv. 14:23 sealer.jks
-rw-r--r-- 1 root root   47  2 janv. 14:23 sealer.kver

the installation tree must belong to tomcat

[root@idp34 shibboleth-identity-provider-3.4.2]# chown -R tomcat /opt/shibboleth-idp/

tomcat context for the IdP

the idp.xml file deploys the IdP component automatically, without having to copy the .war archive into Tomcat's webapps/ directory.

[root@idp3 localhost]# cat /etc/tomcat/Catalina/localhost/idp.xml 
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true" />

a few seconds later, thanks to auto-deploy

[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /var/lib/tomcat/webapps/idp/
total 32
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 css
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 images
-rw-r--r-- 1 tomcat tomcat 1008  2 janv. 14:23 index.jsp
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 js
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 META-INF
drwxr-xr-x 5 tomcat tomcat 4096  2 janv. 14:28 WEB-INF
-rw-r--r-- 1 tomcat tomcat 5389  2 janv. 14:23 x509-prompt.jsp

status and jstl

test access on http://idp3.tem-tsp.eu:8080/idp/status

at first this page did not display

java.lang.NoClassDefFoundError: javax/servlet/jsp/jstl/core/Config
	org.springframework.web.servlet.support.JstlUtils.exposeLocalizationContext(JstlUtils.java:101)

indeed the jstl library (see http://stackoverflow.com/tags/jstl/info) must be added, as it is not shipped by default (risk of conflict with jboss); see also https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp, section 6.13 IdP status URL configuration, or https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java jstl.

[root@idp34 shibboleth-identity-provider-3.4.2]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
[root@idp34 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
2019-01-02 14:34:08 (9,27 MB/s) - «jstl-1.2.jar» sauvegardé [414240/414240]
[root@idp34 lib]# systemctl restart tomcat

For https access to the status page, the admin browser's source IP must be allowed

# vim /opt/shibboleth-idp/conf/access-control.xml
...
 <util:map id="shibboleth.AccessControlPolicies">

        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
        </entry>
        ...

now reachable at https://idp3.imtbstsp.eu/idp/status

the status is also available from the shell

[root@idp34 bin]# /opt/shibboleth-idp/bin/status.sh 
### Operating Environment Information
operating_system: Linux
operating_system_version: 3.10.0
operating_system_architecture: amd64
jdk_version: 1.8.0_191
available_cores: 12
used_memory: 137 MB
maximum_memory: 455 MB

### Identity Provider Information
idp_version: 3.4.2
start_time: 2019-01-02T14:35:21Z
current_time: 2019-01-02T14:36:42Z
uptime: 80907 ms

NTP

the system clock must be correct (SAML exchanges are timestamped)

if using an OpenVZ VM, see VZ capabilities: http://unix.stackexchange.com/questions/68016/error-when-running-ntpd-on-openvz-host-cap-set-proc-failed-to-drop-root-privi

[root@hardnode ~]# vzctl set 1033 --capability sys_time:on --save
CT configuration saved to /etc/vz/conf/1033.conf

Configuration

since version 3 the configuration is split across several files; it is recommended to back up the originals shipped with the distribution

[root@idp3 conf]# cp -p relying-party.xml relying-party.xml.dist
[root@idp3 conf]# cp -p attribute-resolver.xml attribute-resolver.xml.dist
[root@idp3 conf]# cp -p attribute-filter.xml attribute-filter.xml.dist

federation metadata

registration in the Renater test federation: retrieve the Renater metadata signing certificate.

[root@idp34]# cd /opt/shibboleth-idp/credentials/
[root@idp34 credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem 

add the loading of the test-renater metadata

[root@idp3 conf]# tail -18 metadata-providers.xml
         
         <!-- Federation de test renater -->
   <MetadataProvider id="RenaterTestMetadata"
                              xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
                      metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">

                <MetadataFilter xsi:type="SignatureValidation"
                requireSignedRoot="true"
                certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
                </MetadataFilter>
        </MetadataProvider>

          
   
 
    </MetadataProvider>
    
</MetadataProvider>

The first time, restart tomcat so that the initial download of the file takes place

[root@idp34 conf]# systemctl restart tomcat.service 

[root@idp34 conf]#  ls -ltr ../metadata/
total 31308
-rw-r--r-- 1 tomcat root      14590  2 janv. 14:23 idp-metadata.xml
-rw-r--r-- 1 tomcat tomcat  6787283  2 janv. 14:47 preview-sps-renater-test-metadata.xml

afterwards a simple reload of the metadata service for this federation is enough

[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-metadata.sh -id=RenaterTestMetadata
Metadata reloaded.

idp-process.log :

2019-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: New metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml'
2019-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time)
2019-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||


local IdP metadata URL

URL for viewing our IdP's metadata

authentication

first test with simple LDAP authentication

[root@idp3 conf]# diff ldap.properties ldap.properties.dist 
8,9c8,9
< idp.authn.LDAP.ldapURL                          = ldap://ldap.int.eu:389
< idp.authn.LDAP.useStartTLS                     = true
---
> idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
> #idp.authn.LDAP.useStartTLS                     = true
16c16
< idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/chain-29966-_.int.eu.pem
---
> idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
18c18
< #idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
---
> idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
28c28
< idp.authn.LDAP.baseDN                           = ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
33,34c33,34
< idp.authn.LDAP.bindDN                           = uid=binduser,dc=int,dc=fr
< idp.authn.LDAP.bindDNCredential                 = secret
---
> idp.authn.LDAP.bindDN                           = uid=myservice,ou=system
> idp.authn.LDAP.bindDNCredential                 = myServicePassword
38c38
< idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=example,dc=org

[root@idp3 conf]# systemctl restart tomcat.service 
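As an added example, not part of the original page: a small audit of ldap.properties that reports whether the IdP's LDAP bind travels over ldaps, StartTLS, or in the clear, and an OpenSSL check of the directory's certificate chain against the configured trustCertificates file. The property names are the ones in the diff above; the `-starttls ldap` option assumes OpenSSL 1.1.1 or later (the CentOS 8 version), and %{idp.home} defaults to /opt/shibboleth-idp.

```shell
#!/bin/sh
# Added example, not from the original page: read the LDAP settings from
# /opt/shibboleth-idp/conf/ldap.properties, report how the connection the IdP
# makes is protected (ldaps, StartTLS or plaintext), and verify the directory's
# certificate chain with OpenSSL against the configured trust file.
# Assumptions: the property names shown on this page, OpenSSL 1.1.1+ for
# "-starttls ldap", and %{idp.home} defaulting to /opt/shibboleth-idp.

# First active (non-commented) value of property $2 in file $1, whitespace stripped.
ldap_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Prints ldaps, starttls or plaintext.  "plaintext" means the bindDN password
# and every user's password cross the network unencrypted, which is what the
# distribution default (useStartTLS commented out, ldap:// URL) gives you.
ldap_tls_mode() {
    url=$(ldap_prop "$1" idp.authn.LDAP.ldapURL)
    tls=$(ldap_prop "$1" idp.authn.LDAP.useStartTLS)
    case "$url" in
        ldaps://*) echo ldaps ;;
        *) if [ "$tls" = "true" ]; then echo starttls; else echo plaintext; fi ;;
    esac
}

# host:port to hand to openssl, derived from the ldapURL (default ports added).
ldap_endpoint() {
    url="$1"
    hp=${url#*://}; hp=${hp%%/*}
    case "$hp" in
        *:*) ;;
        *) case "$url" in ldaps://*) hp="$hp:636" ;; *) hp="$hp:389" ;; esac ;;
    esac
    echo "$hp"
}

# Live check (needs network): 0 when the chain the server presents verifies
# against idp.authn.LDAP.trustCertificates, the same trust the IdP applies to
# its StartTLS/ldaps connection.
ldap_verify_chain() {
    file="$1"; idp_home="${2:-/opt/shibboleth-idp}"
    url=$(ldap_prop "$file" idp.authn.LDAP.ldapURL)
    trust=$(ldap_prop "$file" idp.authn.LDAP.trustCertificates | sed "s|%{idp.home}|$idp_home|")
    case "$url" in
        ldaps://*) extra="" ;;
        *) extra="-starttls ldap" ;;
    esac
    # $extra is intentionally left unquoted so that it word-splits into two options
    openssl s_client -connect "$(ldap_endpoint "$url")" $extra \
        -CAfile "$trust" -verify_return_error </dev/null >/dev/null 2>&1
}

# Typical use on the host described on this page:
#   f=/opt/shibboleth-idp/conf/ldap.properties
#   ldap_tls_mode "$f"
#   ldap_verify_chain "$f" && echo "LDAP chain verifies against trustCertificates"
```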

customising the built-in login page

the login page built into the IdP can be customised, see:

# vim /opt/src/shibboleth-identity-provider-3.3.0/system/messages/messages.properties
...
idp.logo = /images/etablissement-logo-site.png
...
root.title = Shibboleth IdP Etablissement.fr
...

put the logo in the source images directory; oddly, a bin/install.sh did deploy the new messages.properties but not the logo png into /var/lib/tomcat/webapps/idp/images/, which I had to do by hand (cp).

Attribute resolver

attribute-resolver-ldap.xml relies on the variables defined above in ldap.properties; here we only deactivate StartTLSTrustCredential (by commenting it out)

[root@idp3 conf]# cp attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idp3 conf]# diff attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist 
92d91
< 	  <!--
97d95
< 	  --> 



and declare the use of attribute-resolver-ldap in services.xml

[root@idp3 conf]# diff services.xml services.xml.dist
113c113
<         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
---
>         <value>%{idp.home}/conf/attribute-resolver.xml</value>

attribute-filter

we take the example and extend it to every SP (ANY)

[root@idp3 conf]# diff attribute-filter.xml attribute-filter.xml.dist 
18,19c18
< <!--         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" /> -->
< 	 <PolicyRequirementRule xsi:type="ANY" />
---
>         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />

[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
Configuration reloaded.

schema name change v2/v3

beware when porting home-made attribute-filter files from v2 to v3: the schemas have changed, e.g. "basic:OR" simply becomes "OR", see https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterLegacyNameSpaceMapping and https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration#AttributeFilterConfiguration-SchemaName

example of automatic replacement of v2 syntax with v3 syntax using "vi" in attribute-resolver.xml

:1,$s/basic:AttributeRequesterString/Requester/g

:1,$s/basic:AttributeValueString/Value/g

:1,$s/basic:Rule/Rule/g

:1,$s/saml:AttributeRequesterInEntityGroup/InEntityGroup/g

:1,$s/basic:ANY/ANY/g

:1,$s/basic:OR/OR/g


service.xml

test attributes cli

[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://test.federation.renater.fr/test/ressource --configDir=conf/ --principal=etudiant1

{
"requester": "https://test.federation.renater.fr/test/ressource",
"principal": "etudiant1",
"attributes": [


  {
    "name": "uid",
    "values": [
              "StringAttributeValue{value=etudiant1}"          ]
  },  

  {
    "name": "mail",
    "values": [
              "StringAttributeValue{value=etudiant1@example.org}"          ]
  },  

  {
    "name": "eduPersonPrincipalName",
    "values": [
              "ScopedStringAttributeValue{value=etudiant1, scope=int.eu}"          ]
  }  

]
}

Registering in a federation

first of all in the Renater test federation

https://federation.renater.fr/registry

Internal LDAP login test

having set the password scheme via LDAP by default, a login/password from the configured institutional LDAP directory gives access to the Renater test resource https://test.federation.renater.fr/test/ressource, which displays the list of attributes sent and, now in v3, asks for consent (the uApprove add-on in v2)

Information to be Provided to Service
eduPersonPrincipalName 	teststud@int.fr
mail 	teststud@example.org
uid 	teststud

Ask me again at next login 
Ask me again if information to be provided to this service changes 
Do not ask me again 

idp-process.log :

2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|

SSO CAS

https://services.renater.fr/federation/docs/installation/idp3/chap08

[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
...
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
..

[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib

[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
total 8
-rw-r--r-- 1 root root 2290  2 janv. 21:23 shibcas-authn-flow.xml
-rw-r--r-- 1 root root 3241  2 janv. 21:23 shibcas-authn-beans.xml

[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/

Modifying the web flow to use the CAS plugin via /opt/shibboleth-idp/conf/idp.properties

[root@idp3 conf]# diff idp.properties idp.properties.dist 
100,114c100
< #idp.authn.flows= Password
< idp.authn.flows= Shibcas
< 
< # CAS Client properties (usage loosely matches that of the Java CAS Client)
< ## CAS Server Properties
< shibcas.casServerUrlPrefix = https://cas16.int.eu/cas
< shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
<  
< ## Shibboleth Server Properties
< shibcas.serverName = https://cas16.int.eu
< 
< # The part below is an advanced (optional) feature of the shib-cas extension in question
< # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
< # Takes a comma separated list of fully qualified class names
< # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
---
> idp.authn.flows= Password

declaration of the Shibcas bean in general-authn.xml:

[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist

[root@idp3 authn]# diff general-authn.xml general-authn.xml.dist 
93,98d92
< 	<!-- https://services.renater.fr/federation/docs/installation/idp3/chap08 -->
< 	 <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
<                 p:passiveAuthenticationSupported="true"
<                 p:forcedAuthenticationSupported="true"
<                 p:nonBrowserSupported="false" />
< 

then rebuild idp.war and stop/start tomcat

[root@idp3 bin]# systemctl start tomcat.service

[root@idp3 bin]# /opt/shibboleth-idp/bin/build.sh
Installation Directory: [/opt/shibboleth-idp]

RETURN (!?)

Rebuilding /opt/shibboleth-idp/war/idp.war ...

...done

BUILD SUCCESSFUL

# remove the whole deployment from the tomcat webapps tree to be sure the new idp.war replaces everything

[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp

[root@idp3 bin]# systemctl start tomcat.service

a new test on https://test.federation.renater.fr/test/ressource shows that we now go through CAS.

attribute filter

https://services.renater.fr/federation/docs/installation/idp3/chap10

the large number of SPs, and their regular churn, in a large federation such as Renater's calls for automation in managing the filters. "Since 2015 and IdP 2.4, Shibboleth introduces a new PermitValueRule of type AttributeInMetadata usable in your attribute-filter.xml configuration file. This feature lets you, for a set of SPs, release user attributes as narrowly as possible, only if the SP declares them as requested in the federation metadata. The onlyIfRequired option additionally releases the attribute only if it is marked as required."

we add the rules proposed in the Renater doc

<!-- Release the required attributes, Test Federation context -->
  <AttributeFilterPolicy id="releaseToAllRenaterSps">
  ....
  

then redeploy

[root@idp3 conf]# vim attribute-filter.xml
[root@idp3 shibboleth-idp]# cd ../bin/
[root@idp3 bin]# systemctl stop tomcat.service 
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# ./build.sh 
Installation Directory: [/opt/shibboleth-idp]

Rebuilding /opt/shibboleth-idp/war/idp.war ...

...done

BUILD SUCCESSFUL
Total time: 4 seconds
[root@idp3 bin]# 
[root@idp3 bin]# systemctl start tomcat.service 

a new test on https://test.federation.renater.fr/test/ressource now shows more attributes.

scripted attribute definition: entitlement

the "entitlement" attribute is built from a script; this changes between IdP v2 and v3 on several points, in terms of schema and of Java script engine: 1.7 (Rhino) vs 1.8 (Nashorn)

ref :

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJava1.8 https://wiki.shibboleth.net/confluence/display/IDP30/ScriptedAttributeDefinition

example

  <!-- jehan  eduPersonEntitlement -->
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
      <resolver:Dependency ref="myLDAP" />
      <resolver:Dependency ref="schacUserStatus" />
      <resolver:Dependency ref="mail" />
      <resolver:Dependency ref="eduPersonPrimaryOrgUnitDN" />

      <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                  name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
      <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="entitlement" />

      <Script>
          <![CDATA[
              // Nashorn (Java 8). In IdP v3 the result attribute "eduPersonEntitlement" is already
              // present in the script scope, so the v2 BasicAttribute construction is not needed
              // (the v2 class edu.internet2.middleware...BasicAttribute does not exist in v3).
              var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");

              if (schacUserStatus != null && mail != null) {
                  // one entitlement per matching schacUserStatus value
                  var statuses = schacUserStatus.getValues();
                  for (var i = 0; i < statuses.size(); i++) {
                      var status = statuses.get(i);
                      if (status.matches(".*cert.*")) {
                          eduPersonEntitlement.getValues().add("urn:mace:terena.org:tcs:perso-user");
                      } else if (status.matches(".*pubhtml.*")) {
                          eduPersonEntitlement.getValues().add("urn:mace:imt:employee:int.fr:perso-webspace");
                      }
                  }
                  // department entitlement from the first value of eduPersonPrimaryOrgUnitDN
                  if (eduPersonPrimaryOrgUnitDN != null && eduPersonPrimaryOrgUnitDN.getValues().size() > 0) {
                      var ou = eduPersonPrimaryOrgUnitDN.getValues().get(0);
                      if (ou.matches(".*DSI.*")) {
                          eduPersonEntitlement.getValues().add("urn:mace:int:it:int.fr:dsi-user");
                      } else if (ou.matches(".*INTM.*")) {
                          eduPersonEntitlement.getValues().add("urn:mace:int:staff:int.fr:intm-user");
                      }
                  }
              }
              // when schacUserStatus or mail is missing, no entitlement is released
              logger.info("Values of eduPersonEntitlement were: {}", eduPersonEntitlement.getValues());
          ]]>
      </Script>
  </resolver:AttributeDefinition>

newcerts

regenerating the (self-signed) metadata certificates after a hostname change and/or a VM clone, so that the published metadata carries the correct internal SAML certificates.

ref

[root@idp3 credentials]# openssl req -x509 -new -out idp3-signing.crt -keyout idp3-signing.key -days 3650
writing new private key to 'idp3-signing.key'
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:Essonne
Locality Name (eg, city) [Default City]:Evry
Organization Name (eg, company) [Default Company Ltd]:IMT
Organizational Unit Name (eg, section) []:DISI
Common Name (eg, your name or your server's hostname) []:idp3.int.eu
Email Address []:admin@int.eu

removing the passphrase

[root@idp3 credentials]# openssl rsa -in idp3-signing.key -out idp3-signing-np.key
Enter pass phrase for idp3-signing.key:
writing RSA key

same for the encryption and back-channel certificates

[root@idp3 credentials]# openssl req -x509 -new -out idp3-encryption.crt -keyout idp3-encryption.key -days 3650
# openssl rsa -in idp3-encryption.key -out idp3-encryption-np.key

[root@idp3 credentials]# openssl req -x509 -new -out idp3-backchannel.crt -keyout idp3-backchannel.key -days 3650
# openssl rsa -in idp3-backchannel.key -out idp3-backchannel-np.key

removing the passphrase from the p12: http://blog.armbruster-it.de/2010/03/remove-the-passphrase-from-a-pkcs12-certificate/

[root@idp3 credentials]# openssl pkcs12 -in idp3-backchannel.p12 -nodes -out idp3-p12-p-temp.pem
Enter Import Password:
MAC verified OK
[root@idp3 credentials]# openssl pkcs12 -export -in idp3-p12-p-temp.pem  -out idp3-backchannel-np.p12
Enter Export Password: rien
Verifying - Enter Export Password: rien

although this does not seem very useful within the federation, the local metadata/idp-metadata.xml file should be updated to stay consistent with these new certificates, the entityID and the hostname in the service URLs
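The layout of metadata/idp-metadata.xml that has to match the regenerated files, as an added example (not the page's own metadata): the entityID and the idp3.int.eu endpoints are assumptions, and each certificate body is a placeholder for the PEM content between the BEGIN and END lines of the named .crt file.

```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://idp3.int.eu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- back-channel certificate (SOAP endpoints, TLS): body of idp3-backchannel.crt -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER base64 body of idp3-backchannel.crt</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>

    <!-- front-channel signing certificate: body of idp3-signing.crt -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER base64 body of idp3-signing.crt</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>

    <!-- encryption certificate: body of idp3-encryption.crt -->
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER base64 body of idp3-encryption.crt</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>

    <!-- endpoints must carry the new hostname -->
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp3.int.eu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp3.int.eu/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
```

The key and certificate paths in conf/idp.properties (idp.signing.key, idp.signing.cert, idp.encryption.key, idp.encryption.cert) must point at the same regenerated files, otherwise SPs will verify signatures against a certificate the IdP no longer uses.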