Example deployment of an IdP (V4.0.1) on a CentOS 8 host using the distribution's native packages ⇒ OpenJDK 11 JVM
https://wiki.shibboleth.net/confluence/display/IDP4/SystemRequirements
```
[root@idpx ~]# cat /etc/redhat-release
CentOS Linux release 8.3.2011
```
```
[root@idpx ~]# yum install java-11-openjdk-devel.x86_64
Installer 27 Paquets
Taille totale des téléchargements : 64 M
Taille des paquets installés : 246 M
Installé:
  java-11-openjdk-devel-1:11.0.7.10-1.el8_1.x86_64
  abattis-cantarell-fonts-0.0.25-4.el8.noarch
  dconf-0.28.0-3.el8.x86_64
  gtk3-3.22.30-5.el8.x86_64
  adwaita-cursor-theme-3.28.0-2.el8.noarch
  adwaita-icon-theme-3.28.0-2.el8.noarch
  at-spi2-atk-2.26.2-1.el8.x86_64
  at-spi2-core-2.28.0-1.el8.x86_64
  cairo-gobject-1.15.12-3.el8.x86_64
  colord-libs-1.4.2-1.el8.x86_64
  java-11-openjdk-1:11.0.7.10-1.el8_1.x86_64
  java-11-openjdk-headless-1:11.0.7.10-1.el8_1.x86_64
  lcms2-2.9-2.el8.x86_64
  libepoxy-1.5.3-1.el8.x86_64
  libwayland-client-1.17.0-1.el8.x86_64
  libwayland-cursor-1.17.0-1.el8.x86_64
  libwayland-egl-1.17.0-1.el8.x86_64
  libxkbcommon-0.9.1-1.el8.x86_64
  rest-0.8.1-2.el8.x86_64
  xkeyboard-config-2.28-1.el8.noarch
  glib-networking-2.56.1-1.1.el8.x86_64
  gsettings-desktop-schemas-3.32.0-4.el8.x86_64
  json-glib-1.4.4-1.el8.x86_64
  libgusb-0.3.0-1.el8.x86_64
  libmodman-2.0.1-17.el8.x86_64
  libproxy-0.4.15-5.2.el8.x86_64
  libsoup-2.62.3-1.el8.x86_64
```
Make java-11 the default with alternatives if 1.8 is also present
```
[root@idpx ~]# alternatives --config java

Il existe 2 programmes qui fournissent « java ».

  Sélection    Commande
-----------------------------------------------
*+ 1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java)
   2           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)

[root@idpex ~]# alternatives --config java

Il existe 2 programmes qui fournissent « java ».

  Sélection    Commande
-----------------------------------------------
*  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java)
 + 2           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)
```
check the java version
```
[root@idpx ~]# java -version
openjdk version "11.0.9.1" 2020-11-04 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.9.1+1-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.9.1+1-LTS, mixed mode, sharing)
```
Red Hat, and therefore CentOS, no longer ships a tomcat package (they push JBoss instead), so we install Tomcat 9 from the tar.gz:
```
[root@idpx ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat
```
```
[root@idpx ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.45/bin/apache-tomcat-9.0.45.tar.gz
[root@idpx ~]# cd /opt
[root@idpx opt]# tar xvfz /root/apache-tomcat-9.0.45.tar.gz
[root@idpx opt]# ln -s apache-tomcat-9.0.45 tomcat
[root@idpx opt]# ls -ld tomcat
lrwxrwxrwx 1 root root 20 10 mai 19:49 tomcat -> apache-tomcat-9.0.45
```
set the access rights for the tomcat account
```
[root@idpx opt]# chown -R tomcat:tomcat /opt/tomcat/
# ls -l tomcat/
total 148
drwxr-x--- 2 tomcat tomcat  4096 10 mai 16:09 bin
-rw-r----- 1 tomcat tomcat 18984 30 mars 12:29 BUILDING.txt
drwx------ 2 tomcat tomcat  4096 30 mars 12:29 conf
-rw-r----- 1 tomcat tomcat  5587 30 mars 12:29 CONTRIBUTING.md
drwxr-x--- 2 tomcat tomcat  4096 10 mai 16:09 lib
-rw-r----- 1 tomcat tomcat 57092 30 mars 12:29 LICENSE
drwxr-x--- 2 tomcat tomcat  4096 30 mars 12:29 logs
-rw-r----- 1 tomcat tomcat  2333 30 mars 12:29 NOTICE
-rw-r----- 1 tomcat tomcat  3257 30 mars 12:29 README.md
-rw-r----- 1 tomcat tomcat  6898 30 mars 12:29 RELEASE-NOTES
-rw-r----- 1 tomcat tomcat 16507 30 mars 12:29 RUNNING.txt
drwxr-x--- 2 tomcat tomcat  4096 10 mai 16:09 temp
drwxr-x--- 7 tomcat tomcat  4096 30 mars 12:29 webapps
drwxr-x--- 2 tomcat tomcat  4096 30 mars 12:29 work
```
manager access
```
[root@idpx opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
20c20
<          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
---
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
```
admin account for access to the manager/html application
```
[root@idpx opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
44,46d43
<   <role rolename="manager-gui"/>
<   <role rolename="admin-gui"/>
<   <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>
```
```
[root@idpx opt]# vim /etc/systemd/system/tomcat.service
[root@idpx opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
```
```
[root@idpx ~]# systemctl daemon-reload
[root@idpx ~]# systemctl enable tomcat.service
[root@idpx ~]# systemctl start tomcat.service
```
```
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@idpx opt]# firewall-cmd --reload
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
success
[root@idpx opt]# firewall-cmd --reload
success
```
or, more generally (without any source-address restriction)
```
firewall-cmd --zone=public --permanent --add-port=8080/tcp
```
the server is now reachable, for example
http://idpx.tem-tsp.eu:8080/manager/html (login/password defined above)
unless the client's source IP address is not allowed by the manager application's access control; see the IP addresses in the allow parameter:
```
[root@idpx ~]# vim /opt/tomcat/webapps/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.10|10.10.10.11" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
```
https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html
https://tomcat.apache.org/tomcat-9.0-doc/connectors.html
https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp (secretRequired="false")
set up a reverse proxy so that Apache handles TLS and the default ports (80/443); Apache's mod_ssl must be installed to serve https
```
[root@idpx opt]# yum install httpd mod_ssl
Total download size: 2.0 M
Is this ok [y/N]: y
```
and configure it with our certificates
```
[root@idpx certs]# grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
SSLCertificateChainFile /etc/pki/tls/certs/chain-dc-TR1-CA2-idp-imtbstsp.pem
```
finally configure proxy-ajp to forward Apache's https requests to tomcat
```
[root@idpx ~]# cat /etc/httpd/conf.d/shibboleth.conf
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
ProxyPass /manager/ ajp://127.0.0.1:8009/manager/
```
and enable it on the tomcat side
```
[root@idpx opt]# vim /opt/tomcat/conf/server.xml
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3" port="8009" secretRequired="false" address="127.0.0.1" redirectPort="8443" />
```
without the secretRequired="false" option (see https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp) the manager cannot be reached through proxy_ajp; this access should be controlled more tightly by restricting proxy traffic between httpd and tomcat to 127.0.0.1 only.
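The weak connector beside a hardened one, plus a check for the points just raised, as an added example that is not part of this page nor of Tomcat's or httpd's own tooling: the script extracts the active AJP `<Connector>` from a server.xml and flags a bind address other than loopback, `secretRequired="false"`, and a missing shared secret. The hardened sample uses Tomcat's `secret` connector attribute; the same value then has to appear as the `secret=` parameter on httpd's `ProxyPass` line (supported by mod_proxy_ajp from httpd 2.4.42). Both server.xml samples are constructed and the secret value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page, not Tomcat/httpd tooling): audit the AJP
# connector in a Tomcat server.xml for the settings the text above warns about.
# The sample server.xml contents below are constructed; the secret is a placeholder.

# Print the active (non-commented) AJP/1.3 <Connector ...> element, joined on one line.
ajp_connector() {
    awk 'BEGIN { RS = "<"; in_comment = 0 }
         {
           if (in_comment) { if (index($0, "-->")) in_comment = 0; next }
           if ($0 ~ /^!--/) { if (!index($0, "-->")) in_comment = 1; next }
           if ($0 ~ /^Connector/ && $0 ~ /protocol="AJP\/1\.3"/) {
               gsub(/[ \t\n]+/, " "); sub(/>.*/, ">"); print "<" $0
           }
         }' "$1"
}

# Return 0 when the connector is loopback-bound and requires a shared secret,
# 1 otherwise (one FINDING line per problem on stdout).
check_ajp_connector() {
    conn=$(ajp_connector "$1")
    if [ -z "$conn" ]; then
        echo "no active AJP connector found (nothing exposed)"
        return 0
    fi
    rc=0
    case "$conn" in
        *'address="127.0.0.1"'*|*'address="::1"'*) ;;
        *) echo "FINDING: AJP connector is not bound to loopback"; rc=1 ;;
    esac
    case "$conn" in
        *'secretRequired="false"'*) echo 'FINDING: secretRequired="false" disables proxy authentication'; rc=1 ;;
    esac
    case "$conn" in
        *' secret="'*) ;;
        *) echo "FINDING: no shared secret configured on the AJP connector"; rc=1 ;;
    esac
    return $rc
}

SAMPLE_DIR=$(mktemp -d)
WEAK_SERVER_XML="$SAMPLE_DIR/server-weak.xml"
HARDENED_SERVER_XML="$SAMPLE_DIR/server-hardened.xml"

# Constructed sample: the connector as configured on the page.
cat > "$WEAK_SERVER_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3" port="8009" secretRequired="false"
               address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>
EOF

# Constructed sample: same connector with a shared secret; httpd then needs
# "ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ secret=CHANGE-ME-PLACEHOLDER".
cat > "$HARDENED_SERVER_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector protocol="AJP/1.3" port="8009" secretRequired="false" redirectPort="8443" />
    -->
    <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-PLACEHOLDER" redirectPort="8443" />
  </Service>
</Server>
EOF

if [ "${1:-}" = "--demo" ]; then
    echo "== weak ==";     check_ajp_connector "$WEAK_SERVER_XML" || true
    echo "== hardened =="; check_ajp_connector "$HARDENED_SERVER_XML" && echo "OK"
fi
```

Run the script with `--demo` to see both samples reported; on a real host, call `check_ajp_connector /opt/tomcat/conf/server.xml` after sourcing it. The awk pass skips commented-out connectors, which matters because the stock server.xml ships its AJP connector inside a comment.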
start httpd and check that the AJP module is present
```
[root@idpx opt]# systemctl start httpd.service
[root@idpx opt]# httpd -M | grep ajp
 proxy_ajp_module (shared)
```
access without port 8080:
http://idpx.imtbstsp.eu/manager/html
then over https via proxy-ajp, without specifying port 443
download the latest version from http://shibboleth.net/downloads/identity-provider/
```
[root@idpx opt]# mkdir shibidp-src-4.1.2
[root@idpx opt]# cd shibidp-src-4.1.2/
[root@idpx shibidp-src-4.1.2]# wget https://shibboleth.net/downloads/identity-provider/4.1.2/shibboleth-identity-provider-4.1.2.tar.gz
[root@idpx shibidp-src]# tar xvfz shibboleth-identity-provider-4.1.2.tar.gz
[root@idpx shibidp-src]# cd shibboleth-identity-provider-4.1.2
[root@idpx shibboleth-identity-provider-4.1.2]# ls
bin  conf  credentials  doc  flows  LICENSE.txt  logs  messages  metadata  system  views  webapp
```
fresh install here; careful, on an update do not overwrite everything!
```
[root@idpx shibboleth-identity-provider-4.1.2]# ./bin/install.sh
Buildfile: /opt/shibidp-src/shibboleth-identity-provider-4.1.2/bin/build.xml

install:
Source (Distribution) Directory (press <enter> to accept default): [/opt/shibidp-src/shibboleth-identity-provider-4.1.2] ?
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.V4Install:151] - New Install. Version: 4.1.2
Host Name: [idpx.intbstsp.fr] ? idpex.imtbstsp.eu
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-signing, CN = idpx.imtbs-tsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-encryption, CN = idpx.imtbs-tsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password:
Re-enter password:
INFO [net.shibboleth.idp.installer.V4Install:592] - Creating backchannel keystore, CN = idpx.imtbstsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
Cookie Encryption Key Password:
Re-enter password:
INFO [net.shibboleth.idp.installer.V4Install:633] - Creating backchannel keystore, CN = idpx.imtbstsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://idpx.imtbstsp.eu/idp/shibboleth] ?
Attribute Scope: [imtbstsp.eu] ?
INFO [net.shibboleth.idp.installer.V4Install:433] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.2
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 5 seconds
```
credential files created
```
[root@idpx shibboleth-identity-provider-4.1.2]# ls -l /opt/shibboleth-idp/credentials/
total 36
-rw------- 1 root root 1517 11 juin 15:18 idp-backchannel.crt
-rw------- 1 root root 3399 11 juin 15:18 idp-backchannel.p12
-rw------- 1 root root 1517 11 juin 15:18 idp-encryption.crt
-rw------- 1 root root 2459 11 juin 15:18 idp-encryption.key
-rw------- 1 root root 1517 11 juin 15:18 idp-signing.crt
-rw------- 1 root root 2455 11 juin 15:18 idp-signing.key
-rw------- 1 root root  502 11 juin 15:19 sealer.jks
-rw------- 1 root root   53 11 juin 15:19 sealer.kver
-rw------- 1 root root  581 11 juin 15:19 secrets.properties
```
the installation tree must be owned by tomcat
```
[root@idpx shibboleth-identity-provider-4.1.2]# chown -R tomcat /opt/shibboleth-idp/
```
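A quick check that the ownership change did not loosen anything, as an added example that is not part of this page nor of the Shibboleth distribution: the function below walks a credentials directory and reports any file that is not mode 0600 (the installer's listing above shows every file at that mode) or not owned by the account that runs Tomcat. The directory it is demonstrated on is constructed in a temporary location; the owner name is taken from `id -un` since the demo cannot chown.

```shell
#!/bin/sh
# Added example (not from the page, not Shibboleth tooling): verify that every
# file in the IdP credentials directory is private (0600) and owned by the
# account given as second argument. The demo directory below is constructed.

# Return 0 if every regular file in $1 is mode 0600 and owned by $2;
# print one FINDING line per deviation and return 1 otherwise.
check_credentials_dir() {
    dir=$1
    owner=$2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Fields 1 and 3 of "ls -ld": mode string and owner (works on GNU and BSD ls).
        set -- $(ls -ld "$f")
        mode=$1
        fowner=$3
        case "$mode" in
            ?rw-------*) ;;
            *) echo "FINDING: $f has mode $mode (expected -rw-------)"; rc=1 ;;
        esac
        if [ "$fowner" != "$owner" ]; then
            echo "FINDING: $f is owned by $fowner, expected $owner"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed credentials directory (empty placeholder files) for the demo.
make_sample_credentials() {
    d=$(mktemp -d)
    for name in idp-signing.key idp-encryption.key idp-backchannel.p12 sealer.jks secrets.properties; do
        : > "$d/$name"
        chmod 600 "$d/$name"
    done
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_credentials)
    check_credentials_dir "$sample" "$(id -un)" && echo "clean"
    chmod 644 "$sample/idp-signing.key"
    check_credentials_dir "$sample" "$(id -un)" || echo "issues found"
fi
```

On the real host the call is `check_credentials_dir /opt/shibboleth-idp/credentials tomcat`; a non-zero return from a cron job or post-install hook is enough to catch a key that a later `cp` or backup restore left world-readable.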
see the Servlet container preparation notes
https://wiki.shibboleth.net/confluence/display/IDP30/ApacheTomcat8
the idp.xml file deploys the IdP automatically, without copying the .war archive into Tomcat's webapps/ directory.
```
[root@idpx localhost]# cat /opt/tomcat/conf/Catalina/localhost/idp.xml
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true">
    <!-- Work around lack of Max-Age support in IE/Edge for Tomcat 8.0.x -->
    <CookieProcessor alwaysAddExpires="true" />
</Context>
```
a few seconds later, thanks to auto-deploy
```
[root@idpx lib]# ls /opt/tomcat/webapps/idp/
css  images  index.jsp  js  META-INF  WEB-INF  x509-prompt.jsp
```
define idp.home so that java/tomcat picks it up.
```
[root@idpx conf]# grep idp /etc/systemd/system/tomcat.service
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC -Didp.home=/opt/shibboleth-idp"
```
reload systemd and restart tomcat to apply the change
```
[root@idpx conf]# systemctl daemon-reload
[root@idpx conf]# systemctl stop tomcat.service
[root@idpx conf]# systemctl start tomcat.service
```
access test on http://idpx.tem-tsp.eu:8080/idp/status
at first, this page did not display
```
java.lang.NoClassDefFoundError: javax/servlet/jsp/jstl/core/Config
    org.springframework.web.servlet.support.JstlUtils.exposeLocalizationContext(JstlUtils.java:101)
```
indeed the jstl library (see http://stackoverflow.com/tags/jstl/info) has to be added; it is not shipped by default (risk of conflict with jboss). See also https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp, section 6.13 "IdP status URL configuration", or https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java (jstl).
jstl-1.2.jar library for the status function
```
[root@idpx war]# cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
[root@idpx lib]# wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
```
but install.sh fails
so the whole package is rebuilt from the sources
```
[root@idpx]# cd /opt/shibboleth-identity-provider-4.1.2/
[root@idpx] cd webapp/
[root@idpx webapp]# ls
css  images  index.jsp  js  META-INF  WEB-INF
[root@idpx webapp]# cd WEB-INF/
[root@idpx WEB-INF]# ls
classes  idpui.tld  jsp  lib  spring.tld  web.xml
[root@idpx WEB-INF]# cd lib/
[root@idpx lib]# wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
```
then rebuild
```
[root@idpx shibboleth-identity-provider-4.1.2]# ./bin/install.sh
Buildfile: /opt/shibboleth-identity-provider-4.1.2/bin/build.xml

install:
Source (Distribution) Directory (press <enter> to accept default): [/opt/shibboleth-identity-provider-4.1.2] ?
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.V4Install:162] - Update from version 4.1.2 to version 4.1.2
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.2
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 7 seconds
```
For https access to the status page, the admin browser's source IP must be allowed
```
# vim /opt/shibboleth-idp/conf/access-control.xml
...
<util:map id="shibboleth.AccessControlPolicies">
    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
    </entry>
...
```
now reachable at https://idpx.imtbstsp.eu/idp/status
the status is also available from the shell
```
[root@idpx shibboleth-idp]# /opt/shibboleth-idp/bin/status.sh
### Operating Environment Information
operating_system: Linux
operating_system_version: 4.18.0
operating_system_architecture: amd64
jdk_version: 11.0.11
available_cores: 32
used_memory: 144 MB
maximum_memory: 910 MB

### Identity Provider Information
idp_version: 4.1.2
start_time: 2021-06-11T13:36:01.576Z
current_time: 2021-06-11T13:36:37.322735Z
uptime: PT35.746S

enabled modules:
    idp.authn.Password (Password Authentication)
    idp.admin.Hello (Hello World)

installed plugins:

service: shibboleth.LoggingService
last successful reload attempt: 2021-06-11T13:35:43.310718Z
last reload attempt: 2021-06-11T13:35:43.310718Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2021-06-11T13:35:45.623677Z
last reload attempt: 2021-06-11T13:35:45.623677Z
...
service: shibboleth.ManagedBeanService
last successful reload attempt: 2021-06-11T13:35:46.160136Z
last reload attempt: 2021-06-11T13:35:46.160136Z
```
the system clock must be correct (SAML exchanges are timestamped)
if running in an OpenVZ VM, see VZ capabilities: http://unix.stackexchange.com/questions/68016/error-when-running-ntpd-on-openvz-host-cap-set-proc-failed-to-drop-root-privi
```
[root@hardnode ~]# vzctl set 1033 --capability sys_time:on --save
CT configuration saved to /etc/vz/conf/1033.conf
```
since version 3 the configuration is split across several files; it is best to back up the originals from the distribution
```
[root@idpx conf]# cp -p metadata-providers.xml metadata-providers.xml.dist
[root@idpx conf]# cp -p relying-party.xml relying-party.xml.dist
[root@idpx conf]# cp -p attribute-resolver.xml attribute-resolver.xml.dist
[root@idpx conf]# cp -p attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idpx conf]# cp -p attribute-filter.xml attribute-filter.xml.dist
```
registration in the Renater test federation: fetch the certificate Renater uses to sign its metadata.
```
[root@idpx]# cd /opt/shibboleth-idp/credentials/
[root@idpx credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem
```
add the loading of the test-renater metadata
```
[root@idpx conf]# tail -13 metadata-providers.xml
    <!-- Renater test federation -->
    <MetadataProvider id="RenaterTestMetadata" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
        metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>
```
The first time, restart tomcat so that the initial download of the file takes place
```
[root@idpx conf]# systemctl restart tomcat.service
[root@idpx conf]# ls -ltr ../metadata/
-rw-r--r-- 1 tomcat root     14647 10 mai 22:17 idp-metadata.xml
-rw-r----- 1 tomcat tomcat 6207564 10 mai 22:49 preview-sps-renater-test-metadata.xml
```
afterwards a simple reload of the metadata service for this federation is enough
```
[root@idpx conf]# /opt/shibboleth-idp/bin/reload-metadata.sh -id=RenaterTestMetadata
Metadata reloaded.
```
idp-process.log:
```
2021-05-10 21:50:22,183 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:366] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Metadata from 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' has not changed since last refresh
2021-05-10 21:50:22,216 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:396] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2021-05-10T21:35:22.161963Z' ('2021-05-10T22:35:22.161963+01:00[GMT+01:00]' local time)
2021-05-10 21:50:22,226 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:283] - 127.0.0.1|2021-05-10T20:50:22.089031Z|2021-05-10T20:50:22.225867Z||||||||||||||||||Java/11.0.9.1
```
URL for viewing our IdP's metadata
since 4.1, .properties files are used much more widely than .xml configuration files (the .xml files are still active and read after an upgrade). So authn.properties is used to configure the login flow (in place of authn/general-authn.xml), and the bin/module.sh script is run to enable an authentication module (here simple Password)
```
[root@idpx shibboleth-idp]# bin/module.sh -e idp.authn.Password
Enabling idp.authn.Password...
	conf/authn/password-authn-config.xml created
	views/login.vm created
	views/login-error.vm created
[OK]
```
https://wiki.shibboleth.net/confluence/display/IDP4/LDAPAuthnConfiguration
shibboleth.LDAPValidator is defined as the default backend:
```
[root@idpx shibboleth-idp]# vim conf/authn/password-authn-config.xml
    <util:list id="shibboleth.authn.Password.Validators">
        <ref bean="shibboleth.LDAPValidator" />
    </util:list>
```
first test with simple LDAP authentication. Be sure to enable idp.authn.LDAP.authenticator = bindSearchAuthenticator if a privileged account is needed to bind to the directory, together with the associated secret, which by default lives in credentials/secrets.properties
```
[root@idpex conf]# diff ldap.properties ldap.properties.dist
6d5
< idp.authn.LDAP.authenticator = bindSearchAuthenticator
9,10c8,9
< idp.authn.LDAP.ldapURL = ldap://ldapfr.imtbstsp.eu:389
< idp.authn.LDAP.useStartTLS = true
---
> idp.authn.LDAP.ldapURL = ldap://localhost:10389
> #idp.authn.LDAP.useStartTLS = true
17c16
< idp.authn.LDAP.sslConfig = certificateTrust
---
> #idp.authn.LDAP.sslConfig = certificateTrust
19c18
< idp.authn.LDAP.trustCertificates = /etc/pki/tls/certs/starimtbstsp_eu.pem
---
> idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
21c20
< ##idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
---
> idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
30,31c29,30
< idp.authn.LDAP.baseDN = ou=people,ou=staff,dc=int,dc=fr
< idp.authn.LDAP.subtreeSearch = true
---
> idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
> #idp.authn.LDAP.subtreeSearch = false
35,37c34
< idp.authn.LDAP.bindDN = uid=binduser,ou=dsa,dc=int,dc=fr
< ##idp.authn.LDAP.bindDNCredential = secretNotHEre But In ../credentials/secrets.properties
<
---
> idp.authn.LDAP.bindDN = uid=myservice,ou=system
41c38
< idp.authn.LDAP.dnFormat = uid=%s,ou=people,ou=staff,dc=int,dc=fr
---
> idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
```
using a bindDN to read the directory means a password must be defined for that account
idp.authn.LDAP.bindDNCredential: Password to bind with during search, used by bindSearchAuthenticator, usually set via %{idp.home}/credentials/secrets.properties
```
[root@idpx shibboleth-idp]# grep bindDNCredential credentials/secrets.properties
#idp.authn.LDAP.bindDNCredential = myServicePassword
idp.authn.LDAP.bindDNCredential = SECRET
```
```
[root@idpx conf]# systemctl restart tomcat.service
```
Before moving to authN delegation via CAS, the login page built into the IdP can be customised, see:
apparently in V4 /system/messages is empty!?
in v3 it was:
```
# vim /opt/src/shibboleth-identity-provider-3.3.0/system/messages/messages.properties
...
idp.logo = /images/etablissement-logo-site.png
...
root.title = Shibboleth IdP Etablissement.fr
...
```
put the logo in the source images directory; oddly, a bin/install.sh did deploy the new messages.properties but not the logo png into /var/lib/tomcat/webapps/idp/images/, which I had to do by hand (cp).
in IdP v4, putting the logo image into the sources at initial deployment lets install.sh deploy it into tomcat's webapps, so it works properly
```
/opt/shibidp-src/shibboleth-identity-provider-4.0.1/webapp/images/IMT_logo_RVB.jpg
[root@idp4t messages]# grep idp.logo= /opt/shibboleth-idp/messages/messages_fr.properties
idp.logo=/images/IMT_logo_RVB.jpg
```
ref: https://wiki.shibboleth.net/confluence/display/IDP4/ErrorHandlingConfiguration
in IdP v4.1.2, to display the institution's logo in the views (interception screens), you need to:
```
[root@idp4t shibboleth-idp]# ls -l edit-webapp/images/logo-imtbs-tsp.png
-rw-r--r-- 1 root root 13640 30 juin 07:53 edit-webapp/images/logo-oursite.png
```
```
[root@idp4t shibboleth-idp]# cat messages/messages.properties
# You can define message properties here to override messages defined in
# the system-supplied message file or to add your own messages.
idp.logo = /images/logo-oursite.png
```
rebuild the war so that it is redeployed into tomcat's webapps
```
[root@idp4t shibboleth-idp]# ./bin/build.sh
Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.2
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 7 seconds
```
reference:
the major change from V3 is that attribute encoding (how IdP attributes are represented in the SAML protocol) is no longer defined in the attribute resolver; it is done "automatically" by the AttributeRegistryConfiguration
reference
forcing failFast, globally or on certain IdP modules, makes the IdP stop at the first configuration error encountered during installation/configuration, which helps focus on the source of the problem
```
[root@idpx conf]# diff services.properties services.properties.dist
10d9
< idp.service.failFast = true
```
the 4.x distribution ships with a minimal attribute-resolver.xml. To get more attributes from the LDAP identity repository, the examples/attribute-resolver-ldap.xml template can serve as a basis for resolving attributes from the institution's directory.
```
[root@idpx conf]# cp examples/attribute-resolver-ldap.xml ./attribute-resolver-ldap.xml
```
to use attribute-resolver-ldap.xml, it must be declared in services.xml in place of the default "attribute-resolver.xml"
```
[root@idpx conf]# diff services.xml services.xml.dist
24,25c24
<         <!-- <value>%{idp.home}/conf/attribute-resolver.xml</value> -->
<         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
```
it contains an example LDAP DataConnector that uses the variables defined in ldap.properties
we added here a list of attributes useful for our local federations (eduPersonAffiliation supannEntiteAffectation supannAutreMail)
The exportAttributes parameter of the LDAP DataConnector is very handy: it lets the attribute resolver pick up and define these attributes automatically:
```
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}"
    noResultIsError="true"
    multipleResultsIsError="true"
    excludeResolutionPhases="c14n/attribute"
    exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance uid eduPersonAffiliation supannEntiteAffectation supannAutreMail">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
```
on attribute definitions: since our LDAP directory holds eduPersonAffiliation itself, we removed the "scope" (@domain) handling and made it a Simple attribute taken as is:
```
<!-- <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}"> -->
<AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/>
</AttributeDefinition>
```
Same for the EPPN, which is already in login@domain form in my LDAP identity repository, so I make it Prescoped:
```
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
</AttributeDefinition>
```
one can simply reuse, and adapt if necessary, the basic attribute-filter.xml example and extend it to every SP (ANY)
```
[root@idpx conf]# diff attribute-filter.xml attribute-filter.xml.dist
18,19c18
<         <!-- <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" /> -->
<         <PolicyRequirementRule xsi:type="ANY" />
---
>         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
Configuration reloaded.
```
alternatively, one can rely on an attribute filter common to a federation (the old way of doing things; Renater now favours consuming the attribute list directly from the metadata of the entities concerned)
in service.xml, declare a bean that loads over http a common filter hosted on a web site (distributed within a local federation)
```
<!-- common filters, see https://www.switch.ch/aai/guides/idp/installation/ -->
<util:list id="shibboleth.AttributeFilterResources">
    <ref bean="FileBackedfedeMYFEDEAttributeFilter"/>
</util:list>

<bean id="FileBackedfedeMYFEDEAttributeFilter" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
    c:client-ref="shibboleth.FileCachingHttpClient"
    c:url="http://federation.domain.fr/attributes/fede-myfede-common-attribute-filters.xml"
    c:backingFile="%{idp.home}/conf/fede-myfede-common-attribute-filters.xml">
</bean>
```
depuis la version 4 de l'IDP , la definition d'attributs (chapitre prcedent) est dissociée de l'encodage , cf reference
un ensemble de fichiers propres a chaque classe d'object est fournit pour elargir la liste d'encodage des attributs les plus communs.
ils sont chargés/importés par le fichier conf/attributes/default-rules.xml
<import resource="inetOrgPerson.xml" /> <import resource="eduPerson.xml" /> <import resource="eduCourse.xml" /> <import resource="samlSubject.xml" />
pour nos usages dans la federation locale et le besoin d'attribut de type supann, nous avons etendu cette liste en ajoutant notre propre fichier de definition pour supann à la liste d'import ci-dessus
<import resource="supann.xml" />
Pour le moment seuls les 3 attributs qui nous importent localement ont étés déclarés, un listing complet des attributs supann
pourra etre constitué ulterieurement si ncessaire
il faudra aussi s'asurer coté Service Provider de “mapper” ces attributs, non presents par defaut
exemple d'ajout a l'attribute-map.xml sur un SP3
<!-- Supann attributes... --> <Attribute name="urn:oid:1.3.6.1.4.1.7135.1.2.1.8" id="supannEntiteAffectation"> <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> </Attribute> <Attribute name="urn:oid:1.3.6.1.4.1.7135.1.2.1.34" id="supannAutreMail"> <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> </Attribute> <Attribute name="urn:oid:1.3.6.1.4.1.7135.1.2.1.55" id="supannRessourceEtat"> <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/> </Attribute>
attention quand on reprend des attribute-filter maisons de la v2 vers le v3 , les schemas ont changés, exempe “basic:OR” deviens tout simplement “OR” cf https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterLegacyNameSpaceMapping et https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration#AttributeFilterConfiguration-SchemaName
Example of automatic replacement of v2 vs v3 syntax via “vi” in attribute-resolver.xml:
:1,$s/basic:AttributeRequesterString/Requester/g
:1,$s/basic:AttributeValueString/Value/g
:1,$s/basic:Rule/Rule/g
:1,$s/saml:AttributeRequesterInEntityGroup/InEntityGroup/g
:1,$s/basic:ANY/ANY/g
:1,$s/basic:OR/OR/g
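The same v2 to v3 renames as a repeatable script with a check for leftovers: this is an added example, not code from the page or from the Shibboleth project. It applies the six substitutions above with sed and then counts any `basic:` or `saml:` prefixed names still present, because the list above is not exhaustive. The sample policy is constructed for the example and deliberately contains `basic:AttributeScopeString` (whose v3 name is `Scope`) to show such a leftover being caught; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): apply the v2 -> v3 attribute-filter
# renames with sed and report legacy names the mapping did not cover.

# Rewrite the v2 element/type names of file $1 into their v3 names, writing to $2.
# The six pairs are exactly the vi substitutions shown on the page.
migrate_filter_syntax() {
    sed -e 's/basic:AttributeRequesterString/Requester/g' \
        -e 's/basic:AttributeValueString/Value/g' \
        -e 's/basic:Rule/Rule/g' \
        -e 's/saml:AttributeRequesterInEntityGroup/InEntityGroup/g' \
        -e 's/basic:ANY/ANY/g' \
        -e 's/basic:OR/OR/g' \
        "$1" > "$2"
}

# Count names still carrying a v2 namespace prefix (basic: or saml:) in file $1.
# Anything left is a construct the six substitutions do not handle and must be
# mapped by hand from the legacy namespace mapping page.
count_legacy_prefixes() {
    grep -o -E '(basic|saml):[A-Za-z]+' "$1" | wc -l | tr -d ' '
}

# Constructed v2-style policy used as sample input. The AttributeScopeString rule is
# not in the substitution list (its v3 name is Scope) and is left behind on purpose.
make_sample_v2_policy() {
    cat > "$1" <<'EOF'
<AttributeFilterPolicy id="releaseToWiki">
  <PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wikis.domain.fr/sp" />
    <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="https://federation.domain.fr" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonAffiliation">
    <PermitValueRule xsi:type="basic:AttributeValueString" value="member" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:AttributeScopeString" value="domain.fr" />
  </AttributeRule>
</AttributeFilterPolicy>
EOF
}

# Usage: migrate-filter.sh old-filter.xml new-filter.xml
if [ "$#" -eq 2 ]; then
    migrate_filter_syntax "$1" "$2"
    echo "legacy names remaining in $2: $(count_legacy_prefixes "$2")"
fi
```

Run it on a copy, never in place, and only load the converted file into the IdP once the leftover count is zero; the IdP refuses to start on an unknown `xsi:type`, so a leftover is a guaranteed outage rather than a silent over-release.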
The shell tool aacli.sh is handy for testing attribute resolution and filtering, for example:
[root@idpx conf]# ../bin/aacli.sh --requester=https://wikis.domain.fr/sp --configDir=conf/ --principal=test
{
  "requester": "https://wikis.domain.fr/sp",
  "principal": "test",
  "attributes": [
    { "name": "eduPersonPrincipalName", "values": [ "test@telecom.eu" ] },
    { "name": "supannEntiteAffectation", "values": [ "TSP/IS" ] },
    { "name": "displayName", "values": [ "Compte Test" ] },
    { "name": "sn", "values": [ "STUDENT" ] },
    { "name": "supannAutreMail", "values": [ "test@telecom.fr" ] },
    { "name": "givenName", "values": [ "Test" ] },
    { "name": "mail", "values": [ "test@telecom.eu" ] },
    { "name": "eduPersonAffiliation", "values": [ "student", "member" ] }
  ]
}
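A release regression check built on that aacli.sh output, as an added example (not from the page or the Shibboleth project): it pulls the released attribute names out of the JSON with grep and sed (no jq needed) and compares them with a per-SP allowlist, so a filter change that suddenly releases supannAutreMail to the wiki SP fails the check before the new configuration reaches production. The sample JSON is the page's output reproduced as constructed test data; the /opt/shibboleth-idp path in the wrapper and the allowlist file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): compare the attributes aacli.sh
# reports as released to an SP against the set that SP is allowed to receive.

# Run the real tool for one SP and principal (IdP home path assumed, as elsewhere on this page).
aacli_release() {
    /opt/shibboleth-idp/bin/aacli.sh --requester="$1" --principal="$2" --configDir=/opt/shibboleth-idp/conf
}

# Released attribute names from aacli.sh JSON on stdin, one per line, sorted.
# Only the entries of the attributes array carry a "name" key, so grep is enough.
released_attribute_names() {
    grep -o '"name": *"[^"]*"' | sed 's/.*: *"\(.*\)"/\1/' | sort
}

# Read aacli.sh JSON on stdin and compare it against the allowlist file $1
# (one attribute name per line). Prints any unexpected name and returns 1.
check_release() {
    tmp=$(mktemp)
    released_attribute_names > "$tmp"
    sort -u "$1" > "$tmp.allow"
    unexpected=$(comm -23 "$tmp" "$tmp.allow")
    rm -f "$tmp" "$tmp.allow"
    if [ -n "$unexpected" ]; then
        printf 'attribute released but not in allowlist: %s\n' $unexpected >&2
        return 1
    fi
    return 0
}

# Constructed sample: the aacli.sh output shown on this page for the wiki SP.
sample_aacli_output() {
    cat <<'EOF'
{
  "requester": "https://wikis.domain.fr/sp",
  "principal": "test",
  "attributes": [
    { "name": "eduPersonPrincipalName", "values": [ "test@telecom.eu" ] },
    { "name": "supannEntiteAffectation", "values": [ "TSP/IS" ] },
    { "name": "displayName", "values": [ "Compte Test" ] },
    { "name": "sn", "values": [ "STUDENT" ] },
    { "name": "supannAutreMail", "values": [ "test@telecom.fr" ] },
    { "name": "givenName", "values": [ "Test" ] },
    { "name": "mail", "values": [ "test@telecom.eu" ] },
    { "name": "eduPersonAffiliation", "values": [ "student", "member" ] }
  ]
}
EOF
}

# Usage against a live IdP (allowlist file name assumed):
#   aacli_release https://wikis.domain.fr/sp test | check_release wiki.allow
```

Keeping one allowlist per SP next to attribute-filter.xml and running the check for every SP after each filter edit turns the manual "look at the JSON" step into something a deployment pipeline can fail on.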
List the modules and their activation state:
[root@idpx bin]# ./module.sh --list
Module: idp.authn.Duo [DISABLED]
Module: idp.authn.External [ENABLED]
Module: idp.authn.Function [DISABLED]
Module: idp.authn.IPAddress [DISABLED]
Module: idp.authn.MFA [DISABLED]
Module: idp.authn.Password [ENABLED]
Module: idp.authn.RemoteUser [DISABLED]
Module: idp.authn.RemoteUserInternal [DISABLED]
Module: idp.authn.SPNEGO [DISABLED]
Module: idp.authn.X509 [DISABLED]
Module: idp.authn.Demo [DISABLED]
Module: idp.admin.Hello [ENABLED]
Module: idp.admin.UnlockKeys [DISABLED]
Module: idp.intercept.Consent [DISABLED]
Module: idp.intercept.ContextCheck [DISABLED]
Module: idp.intercept.ExpiringPassword [DISABLED]
Module: idp.intercept.Impersonate [DISABLED]
Module: idp.intercept.Warning [DISABLED]
Module: idp.profile.CAS [DISABLED]
Enable the consent module:
[root@idpx bin]# ./module.sh -t idp.intercept.Consent || ./module.sh -e idp.intercept.Consent
Enabling idp.intercept.Consent...
conf/intercept/consent-intercept-config.xml created
views/intercept/attribute-release.vm created
views/intercept/terms-of-use.vm created
[OK]
Since 4.1.x:
<!-- Insert bean that references the static terms-of-use from consent-messages.properties -->
<bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="my-terms"/>
</bean>
https://wiki.shibboleth.net/confluence/display/IDP4/Upgrading
Example here of moving from 4.1.0 to 4.1.2.
Fetch the sources:
[root@idpx opt]# wget https://shibboleth.net/downloads/identity-provider/4.1.2/shibboleth-identity-provider-4.1.2.tar.gz
Save / back up the existing installation:
[root@idpx opt]# cp -a shibboleth-idp shibboleth-idp-prod-4.1.0
Unpack and move into the source tree of this new version:
[root@idpx opt]# tar xvfz shibboleth-identity-provider-4.1.2.tar.gz
[root@idpx opt]# cd shibboleth-identity-provider-4.1.2
Run the installer towards the current production destination (here /opt/shibboleth-idp); it will then perform an upgrade (this keeps the configuration!):
[root@idpx shibboleth-identity-provider-4.1.2]# ./bin/install.sh
Buildfile: /opt/shibboleth-identity-provider-4.1.2/bin/build.xml
install:
Source (Distribution) Directory (press <enter> to accept default): [/opt/shibboleth-identity-provider-4.1.2] ?
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.V4Install:162] - Update from version 4.1.0 to version 4.1.2
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.2
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war
BUILD SUCCESSFUL
Total time: 31 seconds
Rebuild the war:
[root@idpx shibboleth-idp]# ./bin/build.sh
Buildfile: /opt/shibboleth-idp/bin/build.xml
build-war:
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.2
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war
BUILD SUCCESSFUL
Total time: 6 seconds
Then stop/start Tomcat to redeploy this new war.
There are two main options:
We present option 1) first.
cf. the README at https://github.com/Unicon/shib-cas-authn
Fetch the sources and unpack them:
[root@idpx /opt]# wget https://github.com/Unicon/shib-cas-authn/archive/refs/tags/4.0.0.tar.gz
[root@idpx /opt]# tar xvfz 4.0.0.tar.gz
shib-cas-authn-4.0.0/
shib-cas-authn-4.0.0/.gitignore
We copy web.xml into edit-webapp, where we can customise it with the integration of this shib-cas-authn module:
[root@idpx shibboleth-idp]# cp dist/webapp/WEB-INF/web.xml edit-webapp/WEB-INF/
Fetch the two .jar files:
[root@idpx lib]# pwd
/opt/shibboleth-idp/edit-webapp/WEB-INF/lib
[root@idpx lib]# wget https://github.com/Unicon/shib-cas-authn/releases/download/4.0.0/cas-client-core-3.6.0.jar
[root@idpx lib]# wget https://github.com/Unicon/shib-cas-authn/releases/download/4.0.0/shib-cas-authenticator-4.0.0.jar
We add a <servlet> element for the “ShibCas Auth Servlet” handler:
[root@idpx shibboleth-idp]# diff -ur edit-webapp/WEB-INF/web.xml dist/webapp/WEB-INF/web.xml --- edit-webapp/WEB-INF/web.xml 2021-06-02 22:02:21.834552171 +0200 +++ dist/webapp/WEB-INF/web.xml 2021-06-02 20:06:35.110728523 +0200 @@ -171,18 +171,6 @@ <servlet-name>shibboleth_jsp</servlet-name> <url-pattern>/shibboleth</url-pattern> </servlet-mapping> - - <!-- https://github.com/Unicon/shib-cas-authn --> - <!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow --> - <servlet> - <servlet-name>ShibCas Auth Servlet</servlet-name> - <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class> - <load-on-startup>4</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>ShibCas Auth Servlet</servlet-name> - <url-pattern>/Authn/External/*</url-pattern> - </servlet-mapping> <!-- Send servlet errors through the IdP's MVC error handling. --> <error-page>
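Review bot: the diff arguments are reversed: `diff -ur edit-webapp/WEB-INF/web.xml dist/webapp/WEB-INF/web.xml` names the customised copy first, so the servlet being added to edit-webapp shows up as `-` lines and reads as a removal of the ShibCas servlet; run it as `diff -ur dist/webapp/WEB-INF/web.xml edit-webapp/WEB-INF/web.xml` so the additions appear as `+` lines. It is also worth documenting next to the copy step that a full web.xml placed in edit-webapp overlays the distribution's copy at every war build (the BuildWar "Overlay from /opt/shibboleth-idp/edit-webapp" step above), so any change a later release makes to dist/webapp/WEB-INF/web.xml is masked until the two files are re-diffed after each upgrade.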
We changed <load-on-startup> to index 4, because there are already 3 before it!
If not already done, enable use of the “external” module:
[root@idpx shibboleth-idp]# bin/module.sh -t idp.authn.External || bin/module.sh -e idp.authn.External
Enabling idp.authn.External...
conf/authn/external-authn-config.xml created
[OK]
Configuration of the authn webflow towards External: in idp.properties for 4.0.1, then in conf/authn/authn.properties for 4.1.0!
[root@idp4mt shibboleth-idp]# diff -ur authn.properties.dist authn.properties --- authn.properties.dist 2021-06-02 22:50:05.807379051 +0200 +++ authn.properties 2021-06-03 15:43:27.972786269 +0200 @@ -3,6 +3,9 @@ # Regular expression matching login flows to enable, e.g. IPAddress|Password #idp.authn.flows = Password +#begin JP +# Regular expression matching login flows to enable, e.g. IPAddress|Password +#idp.authn.flows=Password idp.authn.flows=External # CAS Client properties (usage loosely matches that of the Java CAS Client) 
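Review bot: the `+#begin JP` block re-adds, as comments, the `# Regular expression matching login flows to enable` header and the `#idp.authn.flows=Password` line that are already present in the unchanged context two lines above, so the file now carries the same commented default twice; keep only the effective `idp.authn.flows=External` line with a short comment saying why. Note also that this value alone takes the Password flow out of service, so every login now depends on the CAS server at `shibcas.casServerUrlPrefix` being reachable; that is presumably the intent, but it deserves stating in that comment.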
@@ -10,6 +13,39 @@ shibcas.casServerUrlPrefix = https://ssocas6.domain.fr/cas shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login +## Shibboleth Server Properties +shibcas.serverName = https://ourIDP.domain.fr + +# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs. +# Takes a comma separated list of fully qualified class names +# shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass +# shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass + +# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default) +# shibcas.ticketValidatorName = cas30 + + +# Specify if the Relying Party/Service Provider entityId should be appended as a separate entityId query string parameter +# or embedded in the "service" querystring parameter - `append` (default) or `embed` +# shibcas.entityIdLocation = append + +# Default lifetime and timeout of various authentication methods +#idp.authn.defaultLifetime = PT60M +#idp.authn.defaultTimeout = PT30M + +# Whether to populate relying party user interface information for display +# during authentication, consent, terms-of-use. +#idp.authn.rpui = true + +# Whether to prioritize "active" results when an SP requests more than +# one possible matching login method (V2 behavior was to favor them) +#idp.authn.favorSSO = false + +# Whether to fail requests when a user identity after authentication +# doesn't match the identity in a pre-existing session. +#idp.authn.identitySwitchIsError = false +#end JP + # Default settings for most authentication methods. #idp.authn.defaultLifetime = PT1H #idp.authn.defaultTimeout = PT30M 
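Review bot: the added `#idp.authn.defaultLifetime = PT60M`, `#idp.authn.defaultTimeout = PT30M`, `#idp.authn.rpui`, `#idp.authn.favorSSO` and `#idp.authn.identitySwitchIsError` lines duplicate commented defaults the distributed file already carries (the `# Default settings for most authentication methods.` block starts right after `#end JP`, with `PT1H` for the same lifetime). Two commented copies with differing spellings of the same value (`PT60M` vs `PT1H`) invite confusion when someone later uncomments one; drop the pasted copies and keep the `shibcas.*` properties, which are the only content this hunk actually needs.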
@@ -88,7 +124,8 @@ # Unset if you plan to return full Java Subject from external source #idp.authn.External.addDefaultPrincipals = true # Servlet context-relative path to wherever your implementation lives -idp.authn.External.externalAuthnPath = contextRelative:external.jsp +#idp.authn.External.externalAuthnPath = contextRelative:external.jsp +idp.authn.External.externalAuthnPath = contextRelative:Authn/External
Copy of no-conversation-state.jsp (useful?):
[root@idpx authn]# cp /opt/shib-cas-authn-4.0.0/IDP_HOME/edit-webapp/no-conversation-state.jsp /opt/shibboleth-idp/edit-webapp/
After making the previous settings, rebuild the war:
[root@idpx bin]# cd /opt/shibboleth-idp/bin
[root@idpx bin]# ./build.sh
Buildfile: /opt/shibboleth-idp/bin/build.xml
build-war:
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.0
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war
BUILD SUCCESSFUL
Total time: 13 seconds
To be continued for V4, currently being written.
First in the Renater test federation.
Having set the password scheme via LDAP by default, a login/password from the configured institutional LDAP directory gives access to the Renater test resource https://test.federation.renater.fr/test/ressource, which displays the list of attributes sent and, in v3, now asks for consent (the uApprove add-on in v2):
Information to be Provided to Service
eduPersonPrincipalName teststud@int.fr
mail teststud@example.org
uid teststud
Ask me again at next login
Ask me again if information to be provided to this service changes
Do not ask me again
idp-process.log:
2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|
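Reading the audit record above back into its fields, as an added example (not from the page or the Shibboleth project): the Shibboleth-Audit.SSO record is a `|`-separated list whose default v3 layout puts the SP entityID in field 4, the principal in field 9 and the released attribute list in field 11; this assumes idp.audit.format was left at its default. The helper prints one `sp principal attributes` line per SSO and can aggregate the attributes ever released to one SP, which is the per-SP view a filter review needs. The log sample is constructed from the page's three lines plus two made-up records for a second SP; the log path in the usage comment is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): extract what was released to whom
# from the IdP audit log.

# Print "sp principal attributes" for every Shibboleth-Audit.SSO record on stdin.
# Assumed record layout (IdP v3 default idp.audit.format):
#   time|inBinding|inMsgId|SP|profile|IdP|outBinding|outMsgId|principal|authnContext|attributes|nameId|assertionIds
# The sed strips everything up to the last " - ", i.e. the logback prefix; the record itself contains no " - ".
audit_releases() {
    grep '\[Shibboleth-Audit\.SSO' | sed 's/.* - //' | awk -F'|' '{ print $4, $9, $11 }'
}

# Sorted set of attribute names ever released to the SP entityID in $1 (audit log on stdin).
audit_attrs_for_sp() {
    audit_releases | awk -v sp="$1" '$1 == sp { print $3 }' | tr ',' '\n' | sort -u
}

# Constructed sample log: the page's lines plus two made-up SSO records for a second SP
# (the _cons* identifiers are placeholders, not real message ids).
sample_audit_log() {
    cat <<'EOF'
2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|
2016-07-03 15:02:07,120 - INFO [Shibboleth-Audit.SSO:241] - 20160703T130207Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_cons1|https://wikis.domain.fr/sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_cons2|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,displayName|_cons3|_cons4|
2016-07-03 15:10:41,003 - INFO [Shibboleth-Audit.SSO:241] - 20160703T131041Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_cons5|https://wikis.domain.fr/sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_cons6|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,sn,givenName|_cons7|_cons8|
EOF
}

# Usage on a live log (path assumed; the page shows the records in idp-process.log):
#   audit_attrs_for_sp https://wikis.domain.fr/sp < /opt/shibboleth-idp/logs/idp-audit.log
```

Comparing the per-SP set from the audit log with what the federation metadata says the SP requested is the quickest way to spot a filter rule that is broader than intended, and the principal column is what you need when a user asks which services have seen their attributes.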
https://services.renater.fr/federation/docs/installation/idp3/chap08
[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
...
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
..
[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
total 8
-rw-r--r-- 1 root root 2290 2 janv. 21:23 shibcas-authn-flow.xml
-rw-r--r-- 1 root root 3241 2 janv. 21:23 shibcas-authn-beans.xml
[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
Modification of the web flow to use the CAS plugin via /opt/shibboleth-idp/conf/idp.properties:
[root@idp3 conf]# diff idp.properties idp.properties.dist 100,114c100 < #idp.authn.flows= Password < idp.authn.flows= Shibcas < < # CAS Client properties (usage loosely matches that of the Java CAS Client) < ## CAS Server Properties < shibcas.casServerUrlPrefix = https://cas16.int.eu/cas < shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login < < ## Shibboleth Server Properties < shibcas.serverName = https://cas16.int.eu < < # La partie ci-dessous est une fonctionnalité avancée de l'extention shib-cas en question (optionnelle) < # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs. < # Takes a comma separated list of fully qualified class names < # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass --- > idp.authn.flows= Password
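Review bot: under `## Shibboleth Server Properties`, `shibcas.serverName = https://cas16.int.eu` points at the CAS server, the same host as `shibcas.casServerUrlPrefix` just above it. In the shib-cas-authn plugin this property is the IdP's own base URL, used to build the `service` callback that CAS redirects the browser back to; unless CAS and the IdP really share the cas16.int.eu host, it should be the IdP hostname (the audit record on this page names the IdP as https://idp3.int.eu/idp/shibboleth). The v4 example above sets it to the IdP host (`https://ourIDP.domain.fr`), so the two sections currently disagree.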
Declaration of the Shibcas bean in general-authn.xml:
[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/ [root@idp34 authn]# cp general-authn.xml general-authn.xml.dist [root@idp3 authn]# diff general-authn.xml general-authn.xml.dist 93,98d92 < <!-- https://services.renater.fr/federation/docs/installation/idp3/chap08 --> < <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow" < p:passiveAuthenticationSupported="true" < p:forcedAuthenticationSupported="true" < p:nonBrowserSupported="false" /> <
And rebuild idp.war + stop/start Tomcat:
[root@idp3 bin]# systemctl start tomcat.service
[root@idp3 bin]# /opt/shibboleth-idp/bin/build.sh
Installation Directory: [/opt/shibboleth-idp] RETURN (!?)
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
# remove the whole deployment from the tomcat webapps tree, to be sure the new idp.war replaces everything
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# systemctl start tomcat.service
A new test on https://test.federation.renater.fr/test/ressource shows that we now go through CAS.
https://services.renater.fr/federation/docs/installation/idp3/chap10
The large number of SPs and their regular churn in a big federation such as Renater's call for automation in managing the filters. “Since 2015 and IdP 2.4, Shibboleth has introduced a new PermitValueRule of type AttributeInMetadata, usable in your attribute-filter.xml configuration file. For a given set of SPs, this feature lets you release user attributes as narrowly as possible: only if they are declared as requested by the SP in the federation metadata. The onlyIfRequired option additionally restricts release to attributes marked as required.”
We add the rules proposed in the Renater doc:
<!-- Release the required attributes, Test Federation context -->
<AttributeFilterPolicy id="releaseToAllRenaterSps">
....
Then redeploy:
[root@idp3 conf]# vim attribute-filter.xml
[root@idp3 shibboleth-idp]# cd ../bin/
[root@idp3 bin]# systemctl stop tomcat.service
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# ./build.sh
Installation Directory: [/opt/shibboleth-idp]
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 4 seconds
[root@idp3 bin]# systemctl start tomcat.service
A new test on https://test.federation.renater.fr/test/ressource now shows more attributes.
The “entitlement” attribute is built from a script; this changes between IdP v2 and v3 on several points, in terms of schema and of script engine, Java 1.7 (Rhino) vs 1.8 (Nashorn).
ref:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJava1.8
https://wiki.shibboleth.net/confluence/display/IDP30/ScriptedAttributeDefinition
Example:
<!-- jehan eduPersonEntitlement -->
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="schacUserStatus" />
    <resolver:Dependency ref="mail" />
    <resolver:Dependency ref="eduPersonPrimaryOrgUnitDN" />
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="entitlement" />
    <Script>
    <![CDATA[
        logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
        // BasicAttribute is the IdP v2 class. IdP v3 exposes attributes as
        // net.shibboleth.idp.attribute.IdPAttribute and creates the eduPersonEntitlement object
        // itself, so under v3 these two statements must be dropped (Java.type fails when the
        // class is not on the classpath).
        var BasicAttribute = Java.type("edu.internet2.middleware.shibboleth.common.attribute.provider.BasicAttribute");
        if (eduPersonEntitlement == null) {
            eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
        }

        if (schacUserStatus != null && mail != null) {
            // one entitlement per matching schacUserStatus value
            for (i = 0; i < schacUserStatus.getValues().size(); i++) {
                value = schacUserStatus.getValues().get(i);
                if (value.matches(".*cert.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:terena.org:tcs:perso-user");
                } else if (value.matches(".*pubhtml.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:imt:employee:int.fr:perso-webspace");
                }
            }
            // entitlement derived from the primary organisational unit
            // (String.matches(): the original used match(), which java.lang.String does not have)
            if (eduPersonPrimaryOrgUnitDN != null) {
                if (eduPersonPrimaryOrgUnitDN.getValues().get(0).matches(".*DSI.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:int:it:int.fr:dsi-user");
                } else if (eduPersonPrimaryOrgUnitDN.getValues().get(0).matches(".*INTM.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:int:staff:int.fr:intm-user");
                }
            } else {
                eduPersonEntitlement.getValues().add("");
            }
        }
        logger.info("Values of scriptTest were: {} ", eduPersonEntitlement.getValues());
    ]]>
    </Script>
</resolver:AttributeDefinition>
New generation of (self-signed) metadata certificates in case of a hostname change and/or VM cloning, so as to publish metadata with the correct internal certificates for SAML.
ref
[root@idp3 credentials]# openssl req -x509 -new -out idp3-signing.crt -keyout idp3-signing.key -days 3650
writing new private key to 'idp3-signing.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:Essonne
Locality Name (eg, city) [Default City]:Evry
Organization Name (eg, company) [Default Company Ltd]:IMT
Organizational Unit Name (eg, section) []:DISI
Common Name (eg, your name or your server's hostname) []:idp3.int.eu
Email Address []:admin@int.eu
Remove the passphrase:
[root@idp3 credentials]# openssl rsa -in idp3-signing.key -out idp3-signing-np.key
Enter pass phrase for idp3-signing.key:
writing RSA key
Same for the encryption and backchannel credentials:
[root@idp3 credentials]# openssl req -x509 -new -out idp3-encryption.crt -keyout idp3-encryption.key -days 3650
# openssl rsa -in idp3-encryption.key -out idp3-encryption-np.key
[root@idp3 credentials]# openssl req -x509 -new -out idp3-backchannel.crt -keyout idp3-backchannel.key -days 3650
# openssl rsa -in idp3-backchannel.key -out idp3-backchannel-np.key
Removing the passphrase from the p12: http://blog.armbruster-it.de/2010/03/remove-the-passphrase-from-a-pkcs12-certificate/
[root@idp3 credentials]# openssl pkcs12 -in idp3-backchannel.p12 -nodes -out idp3-p12-p-temp.pem
Enter Import Password:
MAC verified OK
[root@idp3 credentials]# openssl pkcs12 -export -in idp3-p12-p-temp.pem -out idp3-backchannel-np.p12
Enter Export Password: (empty)
Verifying - Enter Export Password: (empty)
Although this does not seem very useful within the federation, the local file metadata/idp-metadata.xml should be updated so that it is consistent with these new certificates and with the entityID + service URL hostname.
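A non-interactive version of the certificate renewal above, plus the checks to run before idp-metadata.xml is updated, as an added example (not from the page or the Shibboleth project): the keys are generated without a passphrase in the first place (the page removes it afterwards anyway) under umask 077 so the unencrypted key is owner-only, and the helpers verify that each key actually matches its certificate, that the validity covers the intended period, and produce the certificate body in the form idp-metadata.xml expects inside <ds:X509Certificate>. The subject values, the three role names and the idp3.int.eu hostname come from the page; the 3072-bit key size and the credentials directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): regenerate the IdP's self-signed
# SAML credentials without prompts and check them before publishing metadata.

# Generate $1/$2.key and $1/$2.crt for the credential named $2 (e.g. idp3-signing)
# with $3 as CN. -nodes writes the key unencrypted, so the umask keeps it owner-only;
# the subshell keeps that umask from leaking into the caller.
gen_idp_credential() {
    (
        umask 077
        openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
            -subj "/C=FR/ST=Essonne/L=Evry/O=IMT/OU=DISI/CN=$3" \
            -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
    )
}

# Return 0 when the private key in $1 and the certificate in $2 carry the same public key
# (catches a cloned VM that ends up with the key of one host and the certificate of another).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Certificate body without the PEM armour, as pasted into <ds:X509Certificate> in idp-metadata.xml.
cert_for_metadata() {
    sed '/-----/d' "$1"
}

# Usage: regen-credentials.sh /opt/shibboleth-idp/credentials idp3.int.eu   (directory assumed)
if [ "$#" -eq 2 ]; then
    for role in signing encryption backchannel; do
        gen_idp_credential "$1" "idp3-$role" "$2" || exit 1
        key_matches_cert "$1/idp3-$role.key" "$1/idp3-$role.crt" || exit 1
        echo "idp3-$role certificate for metadata:"
        cert_for_metadata "$1/idp3-$role.crt"
    done
fi
```

Because SPs in the federation pin the certificate published in metadata rather than validating it as a TLS certificate, a key/certificate mismatch or a stale certificate in idp-metadata.xml only surfaces as signature failures on the SP side, which is why the match check belongs before the metadata is regenerated rather than after.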