Example deployment of a Shibboleth identity provider (IdP V3.4) on a CentOS 8 host using the distribution's native packages: OpenJDK 8 JVM (11 is possible but may cause LDAP problems, see https://wiki.shibboleth.net/confluence/display/IDP30/LDAPonJava%3E8)
https://wiki.shibboleth.net/confluence/display/IDP30/SystemRequirements
[root@idpx ~]# cat /etc/redhat-release
CentOS Linux release 8.0.1905 (Core)
[root@idpx ~]# yum install java-1.8.0-openjdk-devel.x86_64
Installer 54 Paquets
Mettre à niveau 1 Paquet
Taille totale des téléchargements : 56 M
Voulez-vous continuer ? [o/N] : o
Mis à niveau:
  lua-libs-5.3.4-11.el8.x86_64
Installé:
  java-1.8.0-openjdk-devel-1:1.8.0.252.b09-2.el8_1.x86_64 gtk2-2.24.32-4.el8.x86_64 alsa-lib-1.1.9-4.el8.x86_64 atk-2.28.1-1.el8.x86_64 cairo-1.15.12-3.el8.x86_64 copy-jdk-configs-3.7-1.el8.noarch fribidi-1.0.4-7.el8_1.x86_64 gdk-pixbuf2-modules-2.36.12-5.el8.x86_64 giflib-5.1.4-3.el8.x86_64 graphite2-1.3.10-10.el8.x86_64 gtk-update-icon-cache-3.22.30-4.el8.x86_64 harfbuzz-1.7.5-3.el8.x86_64 hicolor-icon-theme-0.17-2.el8.noarch jasper-libs-2.0.14-4.el8.x86_64 java-1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1.x86_64 java-1.8.0-openjdk-headless-1:1.8.0.252.b09-2.el8_1.x86_64 javapackages-filesystem-5.3.0-1.module_el8.0.0+11+5b8c10bd.noarch jbigkit-libs-2.1-14.el8.x86_64 libX11-1.6.7-1.el8.x86_64 libX11-common-1.6.7-1.el8.noarch libXau-1.0.8-13.el8.x86_64 libXcomposite-0.4.4-14.el8.x86_64 libXcursor-1.1.15-3.el8.x86_64 libXdamage-1.1.4-14.el8.x86_64 libXext-1.3.3-9.el8.x86_64 libXfixes-5.0.3-7.el8.x86_64 libXft-2.3.2-10.el8.x86_64 libXi-1.7.9-7.el8.x86_64 libXinerama-1.1.4-1.el8.x86_64 libXrandr-1.5.1-7.el8.x86_64 libXrender-0.9.10-7.el8.x86_64 libXtst-1.2.3-7.el8.x86_64 libdatrie-0.2.9-7.el8.x86_64 libfontenc-1.1.3-8.el8.x86_64 libjpeg-turbo-1.5.3-10.el8.x86_64 libthai-0.1.27-2.el8.x86_64 libtiff-4.0.9-15.el8.x86_64 libxcb-1.13-5.el8.x86_64 lua-5.3.4-11.el8.x86_64 pango-1.42.4-6.el8.x86_64 pixman-0.36.0-1.el8.x86_64 ttmkfdir-3.0.9-54.el8.x86_64 tzdata-java-2019c-1.el8.noarch xorg-x11-font-utils-1:7.5-40.el8.x86_64 xorg-x11-fonts-Type1-7.5-19.el8.noarch dejavu-fonts-common-2.35-6.el8.noarch dejavu-sans-fonts-2.35-6.el8.noarch fontconfig-2.13.1-3.el8.x86_64 fontpackages-filesystem-1.44-22.el8.noarch freetype-2.9.1-4.el8.x86_64 gdk-pixbuf2-2.36.12-5.el8.x86_64 libpng-2:1.6.34-5.el8.x86_64 lksctp-tools-1.0.18-3.el8.x86_64 shared-mime-info-1.9-3.el8.x86_64
Check the Java version:
[root@idpx ~]# java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)
Red Hat, and therefore CentOS, no longer ships a Tomcat package (they promote JBoss instead), so we install Tomcat 9 from the tar.gz:
[root@idpx ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat
[root@idpx ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.35/bin/apache-tomcat-9.0.35.tar.gz
[root@idpx ~]# cd /opt
[root@idpx opt]# tar xvfz /root/apache-tomcat-9.0.35.tar.gz
[root@idpx opt]# mv apache-tomcat-9.0.35/* ./tomcat/
Result:
[root@idpx opt]# ls -al tomcat/
total 164
drwx------ 9 tomcat tomcat  4096 Jun  4 21:56 .
drwxr-xr-x 5 root   root    4096 Jun  4 21:54 ..
-rw-r--r-- 1 tomcat tomcat    18 Oct  1  2019 .bash_logout
-rw-r--r-- 1 tomcat tomcat   141 Oct  1  2019 .bash_profile
-rw-r--r-- 1 tomcat tomcat   312 Oct  1  2019 .bashrc
-rw-r----- 1 root   root   18982 May  5 22:40 BUILDING.txt
-rw-r----- 1 root   root    5409 May  5 22:40 CONTRIBUTING.md
-rw-r----- 1 root   root   57092 May  5 22:40 LICENSE
-rw-r----- 1 root   root    2333 May  5 22:40 NOTICE
-rw-r----- 1 root   root    3255 May  5 22:40 README.md
-rw-r----- 1 root   root    6898 May  5 22:40 RELEASE-NOTES
-rw-r----- 1 root   root   16262 May  5 22:40 RUNNING.txt
drwxr-x--- 2 root   root    4096 Jun  4 21:54 bin
drwx------ 2 root   root    4096 May  5 22:40 conf
drwxr-x--- 2 root   root    4096 Jun  4 21:54 lib
drwxr-x--- 2 root   root    4096 May  5 22:36 logs
drwxr-x--- 2 root   root    4096 Jun  4 21:54 temp
drwxr-x--- 7 root   root    4096 May  5 22:37 webapps
drwxr-x--- 2 root   root    4096 May  5 22:36 work
Assign ownership of the tree to the tomcat account:
[root@idpx opt]# chown -R tomcat:tomcat /opt/tomcat/
Manager access
[root@idpx opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
20c20
<          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
---
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
Admin account for access to the manager/html application:
[root@idpx opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
44,46d43
<   <role rolename="manager-gui"/>
<   <role rolename="admin-gui"/>
<   <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>
[root@idpx opt]# vim /etc/systemd/system/tomcat.service
[root@idpx opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
[root@idpx ~]# systemctl daemon-reload
[root@idpx ~]# systemctl enable tomcat.service
[root@idpx ~]# systemctl start tomcat.service
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@idpx opt]# firewall-cmd --reload
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
success
[root@idpx opt]# firewall-cmd --reload
success
Or, more generally:
firewall-cmd --zone=public --permanent --add-port=8080/tcp
The server is now reachable, for example at:
http://idpx.tem-tsp.eu:8080/manager/html (login/password defined above)
unless the client's source IP address is not permitted by the manager application's access control; see the IP addresses in the allow parameter:
[root@idpx ~]# vim /opt/tomcat/webapps/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.10|10.10.10.11" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html
https://tomcat.apache.org/tomcat-9.0-doc/connectors.html
https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp (secretRequired="false")
Setting up an Apache proxy to handle TLS and the default ports (80/443). Apache's mod_ssl must be installed to provide HTTPS:
[root@idpx opt]# yum install httpd mod_ssl
Total download size: 2.0 M
Is this ok [y/N]: y
and configure it with our certificates:
[root@idpx certs]# grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
SSLCertificateChainFile /etc/pki/tls/certs/chain-dc-TR1-CA2-idp-imtbstsp.pem
Finally, configure proxy-ajp to forward Apache's HTTPS requests to Tomcat:
[root@idpx ~]# cat /etc/httpd/conf.d/shibboleth.conf
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
ProxyPass /manager/ ajp://127.0.0.1:8009/manager/
and enable it on the Tomcat side:
[root@idpx opt]# vim /opt/tomcat/conf/server.xml
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               port="8009"
               secretRequired="false"
               address="127.0.0.1"
               redirectPort="8443" />
Without the secretRequired="false" option (see https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp), the manager cannot be reached through proxy_ajp. This access should be controlled more tightly by restricting proxy traffic between httpd and Tomcat to 127.0.0.1 only.
Start httpd and check that the AJP module is present:
[root@idpx opt]# systemctl start httpd.service
[root@idpx opt]# httpd -M | grep ajp
 proxy_ajp_module (shared)
Access without port 8080:
http://idpx.imtbstsp.eu/manager/html
then over HTTPS via proxy-ajp, without specifying port 443.
Make sure the machine's clock is correct; on a VM, the host provides the time.
Download the latest version from http://shibboleth.net/downloads/identity-provider/
[root@idp34 ~]# wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
--2019-01-02 14:18:15--  https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 ~]# mkdir /opt/src
[root@idp34 ~]# mv shibboleth-identity-provider-3.4.2.tar.gz /opt/src/
[root@idp34 ~]# cd /opt/src/ ; tar xvfz shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 src]# cd shibboleth-identity-provider-3.4.2
[root@idp34 shibboleth-identity-provider-3.4.2]# ls
bin  conf  credentials  doc  flows  LICENSE.txt  logs  messages  metadata  system  views  webapp
This is a fresh install; when updating, be careful not to overwrite everything!
[root@idp34 shibboleth-identity-provider-3.4.2]# export JAVA_HOME=/usr/lib/jvm/java
[root@idp34 shibboleth-identity-provider-3.4.2]# ./bin/install.sh
Source (Distribution) Directory (press <enter> to accept default): [/opt/src/shibboleth-identity-provider-3.4.2]
Installation Directory: [/opt/shibboleth-idp]
Hostname: [idp34.int-evry.fr] idp3.imtbstsp.eu
SAML EntityID: [https://idp3.imtbstsp.eu/idp/shibboleth]
Attribute Scope: [int-evry.fr] imtbstsp.eu
Backchannel PKCS12 Password: O gl Back d
Re-enter password:
Cookie Encryption Key Password: O gl Cookie d
Re-enter password:
Warning: /opt/shibboleth-idp/bin does not exist.
Warning: /opt/shibboleth-idp/edit-webapp does not exist.
Warning: /opt/shibboleth-idp/dist does not exist.
Warning: /opt/shibboleth-idp/doc does not exist.
Warning: /opt/shibboleth-idp/system does not exist.
Generating Signing Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Encryption Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Backchannel keystore, CN = idpr3.imtbs-tsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 2 minutes 14 seconds
Credential files created:
[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /opt/shibboleth-idp/credentials/
total 32
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-backchannel.crt
-rw-r--r-- 1 root root 3399  2 janv. 14:23 idp-backchannel.p12
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-encryption.crt
-rw------- 1 root root 2455  2 janv. 14:23 idp-encryption.key
-rw-r--r-- 1 root root 1517  2 janv. 14:23 idp-signing.crt
-rw------- 1 root root 2459  2 janv. 14:23 idp-signing.key
-rw-r--r-- 1 root root  502  2 janv. 14:23 sealer.jks
-rw-r--r-- 1 root root   47  2 janv. 14:23 sealer.kver
The installation tree must be owned by tomcat:
[root@idp34 shibboleth-identity-provider-3.4.2]# chown -R tomcat /opt/shibboleth-idp/
The idp.xml file deploys the IdP component automatically, without copying the .war archive into Tomcat's webapps/ directory.
[root@idp3 localhost]# cat /etc/tomcat/Catalina/localhost/idp.xml
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true" />
A few seconds later, thanks to auto-deploy:
[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /var/lib/tomcat/webapps/idp/
total 32
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 css
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 images
-rw-r--r-- 1 tomcat tomcat 1008  2 janv. 14:23 index.jsp
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 js
drwxr-xr-x 2 tomcat tomcat 4096  2 janv. 14:28 META-INF
drwxr-xr-x 5 tomcat tomcat 4096  2 janv. 14:28 WEB-INF
-rw-r--r-- 1 tomcat tomcat 5389  2 janv. 14:23 x509-prompt.jsp
Test access at http://idp3.tem-tsp.eu:8080/idp/status
At first, this page did not display:
java.lang.NoClassDefFoundError: javax/servlet/jsp/jstl/core/Config
    org.springframework.web.servlet.support.JstlUtils.exposeLocalizationContext(JstlUtils.java:101)
The JSTL library (see http://stackoverflow.com/tags/jstl/info) has to be added; it is not shipped by default (risk of conflict with JBoss). See also https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp, subsection "6.13 IdP status URL configuration", or https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java (jstl).
[root@idp34 shibboleth-identity-provider-3.4.2]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
[root@idp34 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
2019-01-02 14:34:08 (9,27 MB/s) - «jstl-1.2.jar» sauvegardé [414240/414240]
[root@idp34 lib]# systemctl restart tomcat
For HTTPS access to the status page, the admin browser's source IP must be authorized:
# vim /opt/shibboleth-idp/conf/access-control.xml
...
    <util:map id="shibboleth.AccessControlPolicies">
        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
        </entry>
...
Now reachable at https://idp3.imtbstsp.eu/idp/status
The status is also available from the shell:
[root@idp34 bin]# /opt/shibboleth-idp/bin/status.sh
### Operating Environment Information
operating_system: Linux
operating_system_version: 3.10.0
operating_system_architecture: amd64
jdk_version: 1.8.0_191
available_cores: 12
used_memory: 137 MB
maximum_memory: 455 MB

### Identity Provider Information
idp_version: 3.4.2
start_time: 2019-01-02T14:35:21Z
current_time: 2019-01-02T14:36:42Z
uptime: 80907 ms
The system clock must be correct (SAML exchanges are timestamped).
If using an OpenVZ VM, see VZ capabilities: http://unix.stackexchange.com/questions/68016/error-when-running-ntpd-on-openvz-host-cap-set-proc-failed-to-drop-root-privi
[root@hardnode ~]# vzctl set 1033 --capability sys_time:on --save
CT configuration saved to /etc/vz/conf/1033.conf
Since version 3 the configuration is split across several files; backing up the originals shipped with the distribution is recommended:
[root@idp3 conf]# cp -p relying-party.xml relying-party.xml.dist
[root@idp3 conf]# cp -p attribute-resolver.xml attribute-resolver.xml.dist
[root@idp3 conf]# cp -p attribute-filter.xml attribute-filter.xml.dist
Registration in the Renater test federation: fetch the Renater metadata signing certificate.
[root@idp34]# cd /opt/shibboleth-idp/credentials/
[root@idp34 credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem
Add the loading of the test-renater metadata:
[root@idp3 conf]# tail -18 metadata-providers.xml
    <!-- Renater test federation -->
    <MetadataProvider id="RenaterTestMetadata"
        xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
        metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>
</MetadataProvider>
The first time, restart Tomcat so that the initial download of the file happens:
[root@idp34 conf]# systemctl restart tomcat.service
[root@idp34 conf]# ls -ltr ../metadata/
total 31308
-rw-r--r-- 1 tomcat root     14590  2 janv. 14:23 idp-metadata.xml
-rw-r--r-- 1 tomcat tomcat 6787283  2 janv. 14:47 preview-sps-renater-test-metadata.xml
Afterwards, a simple reload of the metadata service for this federation is enough:
[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-metadata.sh -id=RenaterTestMetadata
Metadata reloaded.

idp-process.log:
2019-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: New metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml'
2019-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time)
2019-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||
URL to view our IdP's metadata
First test with simple LDAP authentication:
[root@idp3 conf]# diff ldap.properties ldap.properties.dist
8,9c8,9
< idp.authn.LDAP.ldapURL = ldap://ldap.int.eu:389
< idp.authn.LDAP.useStartTLS = true
---
> idp.authn.LDAP.ldapURL = ldap://localhost:10389
> #idp.authn.LDAP.useStartTLS = true
16c16
< idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/chain-29966-_.int.eu.pem
---
> idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
18c18
< #idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
---
> idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
28c28
< idp.authn.LDAP.baseDN = ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
33,34c33,34
< idp.authn.LDAP.bindDN = uid=binduser,dc=int,dc=fr
< idp.authn.LDAP.bindDNCredential = secret
---
> idp.authn.LDAP.bindDN = uid=myservice,ou=system
> idp.authn.LDAP.bindDNCredential = myServicePassword
38c38
< idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
[root@idp3 conf]# systemctl restart tomcat.service
The login page built into the IdP can be customised, see:
# vim /opt/src/shibboleth-identity-provider-3.3.0/system/messages/messages.properties
...
idp.logo = /images/etablissement-logo-site.png
...
root.title = Shibboleth IdP Etablissement.fr
...
Put the logo in the source images directory. Oddly, bin/install.sh did deploy the new messages.properties but not the logo PNG into /var/lib/tomcat/webapps/idp/images/, which I had to copy by hand (cp).
attribute-resolver-ldap.xml relies on the variables defined above in ldap.properties; here we only deactivate StartTLSTrustCredential (by commenting it out):
[root@idp3 conf]# cp attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idp3 conf]# diff attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
92d91
<         <!--
97d95
<         -->

and declare the use of attribute-resolver-ldap in services.xml:

[root@idp3 conf]# diff services.xml services.xml.dist
113c113
<         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
---
>         <value>%{idp.home}/conf/attribute-resolver.xml</value>
We take the shipped example and extend it to any SP (ANY):
[root@idp3 conf]# diff attribute-filter.xml attribute-filter.xml.dist
18,19c18
<         <!-- <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" /> -->
<         <PolicyRequirementRule xsi:type="ANY" />
---
>         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
Configuration reloaded.
Careful when porting in-house attribute-filter files from v2 to v3: the schemas have changed, e.g. "basic:OR" simply becomes "OR"; see https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterLegacyNameSpaceMapping and https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration#AttributeFilterConfiguration-SchemaName
Example of automatic replacement of v2 syntax with v3 syntax using vi in attribute-resolver.xml:
:1,$s/basic:AttributeRequesterString/Requester/g
:1,$s/basic:AttributeValueString/Value/g
:1,$s/basic:Rule/Rule/g
:1,$s/saml:AttributeRequesterInEntityGroup/InEntityGroup/g
:1,$s/basic:ANY/ANY/g
:1,$s/basic:OR/OR/g
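The blind vi substitutions above rewrite any occurrence of the old names, and silently leave unmapped legacy types (which then fail schema validation at reload) in place. As an added example that is not part of the original page, this Python script applies the same renames to a filter policy file, but only inside xsi:type attribute values and the basic:Rule element name, and reports any still-prefixed type it does not know; the AND/NOT entries and the sample policy are assumptions added here, not taken from the page.

```python
"""Migrate IdP v2 attribute-filter syntax to the v3 (unprefixed) names."""
import re

# xsi:type renames taken from the vi substitutions on this page, plus AND/NOT
# which follow the same pattern (assumption: not listed on the page).
LEGACY_TYPE_MAP = {
    "basic:AttributeRequesterString": "Requester",
    "basic:AttributeValueString": "Value",
    "saml:AttributeRequesterInEntityGroup": "InEntityGroup",
    "basic:ANY": "ANY",
    "basic:OR": "OR",
    "basic:AND": "AND",
    "basic:NOT": "NOT",
}

# Only touch the value of xsi:type="..." so that text, comments and other
# attributes containing the same words are left alone.
_XSI_TYPE = re.compile(r'(xsi:type\s*=\s*")([^"]+)(")')
# The nested <basic:Rule ...> element of v2 boolean rules becomes <Rule ...>.
_BASIC_RULE = re.compile(r"<(/?)basic:Rule\b")


def migrate_filter_types(xml_text):
    """Return (rewritten_text, sorted list of legacy types not in the map)."""
    unknown = set()

    def rename(match):
        old = match.group(2)
        new = LEGACY_TYPE_MAP.get(old)
        if new is None:
            if ":" in old:          # still a prefixed (v2) type we cannot map
                unknown.add(old)
            return match.group(0)   # leave it untouched for manual review
        return match.group(1) + new + match.group(3)

    rewritten = _XSI_TYPE.sub(rename, xml_text)
    rewritten = _BASIC_RULE.sub(r"<\1Rule", rewritten)
    return rewritten, sorted(unknown)


# Constructed v2-style policy used as sample input (not a real site's file).
SAMPLE_V2_POLICY = """<AttributeFilterPolicy id="releaseToRenaterTest">
  <PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org" />
    <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="https://federation.renater.fr/test/" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="basic:AttributeValueRegex" regex=".*@example\\.org" />
  </AttributeRule>
</AttributeFilterPolicy>
"""

if __name__ == "__main__":
    text, leftover = migrate_filter_types(SAMPLE_V2_POLICY)
    print(text)
    print("unmapped legacy types:", leftover)
```

Anything listed as unmapped must be converted by hand from the legacy namespace mapping page before the filter service is reloaded.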
[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://test.federation.renater.fr/test/ressource --configDir=conf/ --principal=etudiant1
{
  "requester": "https://test.federation.renater.fr/test/ressource",
  "principal": "etudiant1",
  "attributes": [
    {
      "name": "uid",
      "values": [ "StringAttributeValue{value=etudiant1}" ]
    },
    {
      "name": "mail",
      "values": [ "StringAttributeValue{value=etudiant1@example.org}" ]
    },
    {
      "name": "eduPersonPrincipalName",
      "values": [ "ScopedStringAttributeValue{value=etudiant1, scope=int.eu}" ]
    }
  ]
}
First, in the Renater test federation.
With the password scheme set by default through LDAP, a login/password from the institution's configured LDAP directory gives access to the Renater test resource https://test.federation.renater.fr/test/ressource, which displays the list of attributes sent and, in v3, now asks for consent (the uApprove add-on in v2):
Information to be Provided to Service
  eduPersonPrincipalName   teststud@int.fr
  mail                     teststud@example.org
  uid                      teststud
Ask me again at next login
Ask me again if information to be provided to this service changes
Do not ask me again
idp-process.log:
2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|
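The two pipe-delimited records above are the consent audit and the SSO audit for one login. As an added example (not from the original page), the following Python parses both record kinds and flags attributes that were released to an SP although the user's preceding consent record did not approve them, which is the check an operator wants after changing attribute-filter.xml. It assumes the IdP v3 default audit formats %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i| (Shibboleth-Audit.SSO) and %T|%SP|%CT|%u|%CCI|%CCV|%CCA| (Shibboleth-Consent-Audit.SSO); the log lines are constructed, with placeholder message ids.

```python
"""Cross-check Shibboleth IdP v3 SSO audit records against consent records."""
import re

# Field names for the default v3 SSO audit format (assumption: idp.audit.format.default).
SSO_FIELDS = ["time", "inbound_binding", "inbound_msg_id", "sp", "profile", "idp",
              "outbound_binding", "outbound_msg_id", "user", "authn_context",
              "attributes", "name_id", "assertion_id"]
# Field names for the default v3 consent audit format (assumption).
CONSENT_FIELDS = ["time", "sp", "consent_type", "user",
                  "consent_ids", "consent_values", "consent_approved"]

AUDIT_RE = re.compile(
    r"INFO \[Shibboleth-(?P<kind>Audit|Consent-Audit)\.SSO:\d+\] - (?P<record>.*)$")


def parse_record(line):
    """Return a dict for an SSO or consent audit line, or None for other lines."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    fields = m.group("record").split("|")
    if m.group("kind") == "Audit":
        if len(fields) < len(SSO_FIELDS):
            return None
        rec = dict(zip(SSO_FIELDS, fields))
        rec["kind"] = "sso"
        rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
        return rec
    if len(fields) < len(CONSENT_FIELDS):
        return None
    rec = dict(zip(CONSENT_FIELDS, fields))
    rec["kind"] = "consent"
    ids = rec["consent_ids"].split(",")
    approved = rec["consent_approved"].split(",")
    # An attribute counts as approved only when its flag is literally "true".
    rec["approved"] = {a for a, ok in zip(ids, approved) if ok == "true"}
    return rec


def unconsented_releases(log_text):
    """Map (user, sp) -> sorted attributes released without an approving consent.

    The consent record is written just before the SSO record for the same
    user/SP pair, so the latest consent seen for that pair is used.
    """
    latest_consent = {}
    findings = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["user"], rec["sp"])
        if rec["kind"] == "consent":
            latest_consent[key] = rec["approved"]
        else:
            extra = sorted(set(rec["attributes"]) - latest_consent.get(key, set()))
            if extra:
                findings[key] = extra
    return findings


# Constructed sample: the first pair is consistent, the second releases
# uid (declined) and displayName (never offered for consent).
SAMPLE_LOG = """\
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|_nameid1|_assert1|
2016-07-03 15:02:03,004 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T130203Z|https://sp.example.org/shibboleth|AttributeReleaseConsent|teststud|mail,uid||true,false
2016-07-03 15:02:03,700 - INFO [Shibboleth-Audit.SSO:241] - 20160703T130203Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://sp.example.org/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp2|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,displayName|_nameid2|_assert2|
"""

if __name__ == "__main__":
    for (user, sp), attrs in unconsented_releases(SAMPLE_LOG).items():
        print("%s -> %s released without consent: %s" % (user, sp, ", ".join(attrs)))
```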
https://services.renater.fr/federation/docs/installation/idp3/chap08
[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
...
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
..
[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
total 8
-rw-r--r-- 1 root root 2290  2 janv. 21:23 shibcas-authn-flow.xml
-rw-r--r-- 1 root root 3241  2 janv. 21:23 shibcas-authn-beans.xml
[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
Modify the web flow to use the CAS plugin via /opt/shibboleth-idp/conf/idp.properties:
[root@idp3 conf]# diff idp.properties idp.properties.dist
100,114c100
< #idp.authn.flows= Password
< idp.authn.flows= Shibcas
<
< # CAS Client properties (usage loosely matches that of the Java CAS Client)
< ## CAS Server Properties
< shibcas.casServerUrlPrefix = https://cas16.int.eu/cas
< shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
<
< ## Shibboleth Server Properties
< shibcas.serverName = https://cas16.int.eu
<
< # The section below is an advanced (optional) feature of the shib-cas extension
< # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
< # Takes a comma separated list of fully qualified class names
< # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
---
> idp.authn.flows= Password
Declare the Shibcas bean in general-authn.xml:
[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist
[root@idp3 authn]# diff general-authn.xml general-authn.xml.dist
93,98d92
<         <!-- https://services.renater.fr/federation/docs/installation/idp3/chap08 -->
<         <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
<                 p:passiveAuthenticationSupported="true"
<                 p:forcedAuthenticationSupported="true"
<                 p:nonBrowserSupported="false" />
<
then rebuild idp.war and stop/start Tomcat:
[root@idp3 bin]# systemctl start tomcat.service
[root@idp3 bin]# /opt/shibboleth-idp/bin/build.sh
Installation Directory: [/opt/shibboleth-idp] RETURN (!?)
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
# remove the whole deployment under the Tomcat webapps tree to make sure the new idp.war replaces everything
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# systemctl start tomcat.service
A new test at https://test.federation.renater.fr/test/ressource shows that we now go through CAS.
https://services.renater.fr/federation/docs/installation/idp3/chap10
The large number of SPs, and their frequent changes, in a big federation such as Renater's calls for automation in managing the filters. "Since 2015 and IdP 2.4, Shibboleth introduces a new PermitValueRule of type AttributeInMetadata, usable in your attribute-filter.xml configuration file. For a set of SPs, this feature lets you release user attributes as narrowly as possible, only if the SP declares them as requested in the federation metadata. The onlyIfRequired option further restricts release to attributes flagged as required."
We add the rules proposed in the Renater documentation:
<!-- Release the requested attributes, Test Federation context -->
<AttributeFilterPolicy id="releaseToAllRenaterSps">
....
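To see exactly what AttributeInMetadata decides, here is an added Python simulation (not the IdP's own code and not from the original page): it reads the SP's RequestedAttribute elements from federation metadata and keeps only the resolved attributes whose SAML2 encoder name is listed, optionally only those marked isRequired="true". The metadata document and the attribute-id-to-OID table are constructed assumptions; a real deployment gets both from the federation feed and attribute-resolver.xml.

```python
"""Simulate the IdP v3 AttributeInMetadata permit rule against SP metadata."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# SAML2 encoder names (urn:oid) of the attributes in this deployment's resolver.
# Constructed assumption; mirrors the SAML2String encoder name per attribute.
ENCODER_NAMES = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
}

# Constructed sample federation metadata: one SP requesting three attributes,
# two of them mandatory. Not the real Renater test federation feed.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://test.federation.renater.fr/test/ressource">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
            FriendlyName="mail" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"
            FriendlyName="displayName"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def requested_attributes(metadata_xml, entity_id):
    """Return {Name: isRequired} for the RequestedAttribute elements of one SP."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % MD_NS):
        if ed.get("entityID") != entity_id:
            continue
        requested = {}
        for ra in ed.iter("{%s}RequestedAttribute" % MD_NS):
            requested[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
        return requested
    return {}   # unknown SP, or SP without an AttributeConsumingService


def attribute_in_metadata(resolved_ids, metadata_xml, entity_id, only_if_required=False):
    """Apply the AttributeInMetadata rule; returns the sorted attribute ids to release."""
    requested = requested_attributes(metadata_xml, entity_id)
    released = []
    for attr_id in resolved_ids:
        name = ENCODER_NAMES.get(attr_id)
        if name not in requested:
            continue                       # SP never asked for it: withhold
        if only_if_required and not requested[name]:
            continue                       # asked for, but optional: withhold
        released.append(attr_id)
    return sorted(released)


if __name__ == "__main__":
    resolved = ["uid", "mail", "eduPersonPrincipalName", "displayName"]
    sp = "https://test.federation.renater.fr/test/ressource"
    print("default:        ", attribute_in_metadata(resolved, SAMPLE_METADATA, sp))
    print("onlyIfRequired: ", attribute_in_metadata(resolved, SAMPLE_METADATA, sp, True))
```

An SP with no RequestedAttribute elements in the feed gets nothing from this rule, which is why the federation documentation pairs it with explicit policies for such SPs.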
then redeploy:
[root@idp3 conf]# vim attribute-filter.xml
[root@idp3 shibboleth-idp]# cd ../bin/
[root@idp3 bin]# systemctl stop tomcat.service
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# ./build.sh
Installation Directory: [/opt/shibboleth-idp]
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 4 seconds
[root@idp3 bin]#
[root@idp3 bin]# systemctl start tomcat.service
A new test at https://test.federation.renater.fr/test/ressource now shows more attributes.
The "entitlement" attribute is built by a script. This changes between IdP v2 and v3 in several respects: the schema, and the Java script engine, 1.7 (Rhino) vs 1.8 (Nashorn).
Refs:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJava1.8
https://wiki.shibboleth.net/confluence/display/IDP30/ScriptedAttributeDefinition
Example:
<!-- jehan eduPersonEntitlement -->
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="schacUserStatus" />
    <resolver:Dependency ref="mail" />
    <resolver:Dependency ref="eduPersonPrimaryOrgUnitDN" />
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="entitlement" />
    <Script>
        <![CDATA[
        // Nashorn (Java 8): Java.type() replaces Rhino's importPackage/Packages.
        var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");

        // In IdP v3 the output attribute (eduPersonEntitlement) is created by the resolver
        // and bound to the script under its id; the v2 BasicAttribute class no longer exists.
        // Dependencies that resolved no value may be unbound, so guard with typeof as well.
        var hasStatus = typeof schacUserStatus !== "undefined" && schacUserStatus != null;
        var hasMail = typeof mail !== "undefined" && mail != null;
        var hasOrgUnit = typeof eduPersonPrimaryOrgUnitDN !== "undefined" && eduPersonPrimaryOrgUnitDN != null;

        if (hasStatus && hasMail) {
            // One entitlement per matching schacUserStatus value.
            var statuses = schacUserStatus.getValues();
            for (var i = 0; i < statuses.size(); i++) {
                var status = statuses.get(i);
                if (status.matches(".*cert.*")) {
                    eduPersonEntitlement.addValue("urn:mace:terena.org:tcs:perso-user");
                } else if (status.matches(".*pubhtml.*")) {
                    eduPersonEntitlement.addValue("urn:mace:imt:employee:int.fr:perso-webspace");
                }
            }
            // Organisational-unit based entitlements, from the first DN value only.
            if (hasOrgUnit && eduPersonPrimaryOrgUnitDN.getValues().size() > 0) {
                var orgUnit = eduPersonPrimaryOrgUnitDN.getValues().get(0);
                if (orgUnit.matches(".*DSI.*")) {
                    eduPersonEntitlement.addValue("urn:mace:int:it:int.fr:dsi-user");
                } else if (orgUnit.matches(".*INTM.*")) {
                    eduPersonEntitlement.addValue("urn:mace:int:staff:int.fr:intm-user");
                }
            }
            // No empty placeholder value: an empty entitlement would be released to SPs.
            logger.info("Values of eduPersonEntitlement were: {}", eduPersonEntitlement.getValues());
        }
        ]]>
    </Script>
</resolver:AttributeDefinition>
Regenerating the (self-signed) metadata certificates after a hostname change and/or VM cloning, so that the published metadata carries the correct internal certificates for SAML.
Ref:
[root@idp3 credentials]# openssl req -x509 -new -out idp3-signing.crt -keyout idp3-signing.key -days 3650
writing new private key to 'idp3-signing.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:Essonne
Locality Name (eg, city) [Default City]:Evry
Organization Name (eg, company) [Default Company Ltd]:IMT
Organizational Unit Name (eg, section) []:DISI
Common Name (eg, your name or your server's hostname) []:idp3.int.eu
Email Address []:admin@int.eu
Remove the passphrase:
[root@idp3 credentials]# openssl rsa -in idp3-signing.key -out idp3-signing-np.key
Enter pass phrase for idp3-signing.key:
writing RSA key
Same for the encryption and backchannel keys:
[root@idp3 credentials]# openssl req -x509 -new -out idp3-encryption.crt -keyout idp3-encryption.key -days 3650
# openssl rsa -in idp3-encryption.key -out idp3-encryption-np.key
[root@idp3 credentials]# openssl req -x509 -new -out idp3-backchannel.crt -keyout idp3-backchannel.key -days 3650
# openssl rsa -in idp3-backchannel.key -out idp3-backchannel-np.key
Remove the passphrase from the p12: http://blog.armbruster-it.de/2010/03/remove-the-passphrase-from-a-pkcs12-certificate/
[root@idp3 credentials]# openssl pkcs12 -in idp3-backchannel.p12 -nodes -out idp3-p12-p-temp.pem
Enter Import Password:
MAC verified OK
[root@idp3 credentials]# openssl pkcs12 -export -in idp3-p12-p-temp.pem -out idp3-backchannel-np.p12
Enter Export Password: rien
Verifying - Enter Export Password: rien
Although this does not seem very useful within the federation, the local metadata/idp-metadata.xml file should be updated so that it is consistent with the new certificates, the entityID and the hostname of the service URLs.