Idpv4x-c8

references

context

Example deployment of a Shibboleth Identity Provider (v4.0.1) on CentOS 8, using the distribution's native packages wherever possible, i.e. the OpenJDK 11 JVM.

https://wiki.shibboleth.net/confluence/display/IDP4/SystemRequirements

[root@idpx ~]# cat /etc/redhat-release 
CentOS Linux release 8.0.1905 (Core) 

java 11 jdk

[root@idpx ~]# yum install java-11-openjdk-devel.x86_64

Install  27 Packages

Total download size: 64 M
Installed size: 246 M


Installed:
  java-11-openjdk-devel-1:11.0.7.10-1.el8_1.x86_64 abattis-cantarell-fonts-0.0.25-4.el8.noarch   dconf-0.28.0-3.el8.x86_64                  gtk3-3.22.30-5.el8.x86_64                          
  adwaita-cursor-theme-3.28.0-2.el8.noarch         adwaita-icon-theme-3.28.0-2.el8.noarch        at-spi2-atk-2.26.2-1.el8.x86_64            at-spi2-core-2.28.0-1.el8.x86_64                   
  cairo-gobject-1.15.12-3.el8.x86_64               colord-libs-1.4.2-1.el8.x86_64                java-11-openjdk-1:11.0.7.10-1.el8_1.x86_64 java-11-openjdk-headless-1:11.0.7.10-1.el8_1.x86_64
  lcms2-2.9-2.el8.x86_64                           libepoxy-1.5.3-1.el8.x86_64                   libwayland-client-1.17.0-1.el8.x86_64      libwayland-cursor-1.17.0-1.el8.x86_64              
  libwayland-egl-1.17.0-1.el8.x86_64               libxkbcommon-0.9.1-1.el8.x86_64               rest-0.8.1-2.el8.x86_64                    xkeyboard-config-2.28-1.el8.noarch                 
  glib-networking-2.56.1-1.1.el8.x86_64            gsettings-desktop-schemas-3.32.0-4.el8.x86_64 json-glib-1.4.4-1.el8.x86_64               libgusb-0.3.0-1.el8.x86_64                         
  libmodman-2.0.1-17.el8.x86_64                    libproxy-0.4.15-5.2.el8.x86_64                libsoup-2.62.3-1.el8.x86_64               

Note that java-11-openjdk-devel depends on the full java-11-openjdk package and therefore drags in a GTK/Wayland desktop dependency tree (gtk3, libwayland-*, adwaita-*) that a headless IdP server never uses. Neither Tomcat nor the IdP needs a compiler, so java-11-openjdk-headless is sufficient, and smaller, on a server.

alternatives java-11

If OpenJDK 1.8 is also installed, make java-11 the default with alternatives:

[root@idpx ~]# alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*+ 1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java)
   2           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)

After entering 2 at the prompt, running the command again shows java-11 as the current selection (the + marker):

[root@idpex ~]# alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/bin/java)
 + 2           java-11-openjdk.x86_64 (/usr/lib/jvm/java-11-openjdk-11.0.7.10-1.el8_1.x86_64/bin/java)

test java version

[root@idpx ~]#  java -version
openjdk version "11.0.7" 2020-04-14 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.7+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.7+10-LTS, mixed mode, sharing)

tomcat

Red Hat, and therefore CentOS 8, no longer ships a tomcat package (JBoss is pushed instead), so Tomcat 9 is installed from the tar.gz:

tomcat user

[root@idpx ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat

tomcat package tgz

[root@idpx ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.35/bin/apache-tomcat-9.0.35.tar.gz

Before unpacking, check the archive against the .sha512 checksum or the .asc PGP signature that Apache publishes next to every release artifact.


[root@idpx ~]# cd /opt
[root@idpx opt]# tar xvfz /root/apache-tomcat-9.0.35.tar.gz

[root@idpx opt]# mv apache-tomcat-9.0.35/* ./tomcat/

result

[root@idpx opt]# ls -al tomcat/
total 164
drwx------ 9 tomcat tomcat  4096 Jun  4 21:56 .
drwxr-xr-x 5 root   root    4096 Jun  4 21:54 ..
-rw-r--r-- 1 tomcat tomcat    18 Oct  1  2019 .bash_logout
-rw-r--r-- 1 tomcat tomcat   141 Oct  1  2019 .bash_profile
-rw-r--r-- 1 tomcat tomcat   312 Oct  1  2019 .bashrc
-rw-r----- 1 root   root   18982 May  5 22:40 BUILDING.txt
-rw-r----- 1 root   root    5409 May  5 22:40 CONTRIBUTING.md
-rw-r----- 1 root   root   57092 May  5 22:40 LICENSE
-rw-r----- 1 root   root    2333 May  5 22:40 NOTICE
-rw-r----- 1 root   root    3255 May  5 22:40 README.md
-rw-r----- 1 root   root    6898 May  5 22:40 RELEASE-NOTES
-rw-r----- 1 root   root   16262 May  5 22:40 RUNNING.txt
drwxr-x--- 2 root   root    4096 Jun  4 21:54 bin
drwx------ 2 root   root    4096 May  5 22:40 conf
drwxr-x--- 2 root   root    4096 Jun  4 21:54 lib
drwxr-x--- 2 root   root    4096 May  5 22:36 logs
drwxr-x--- 2 root   root    4096 Jun  4 21:54 temp
drwxr-x--- 7 root   root    4096 May  5 22:37 webapps
drwxr-x--- 2 root   root    4096 May  5 22:36 work

hand the tree over to the tomcat account

[root@idpx opt]# chown -R tomcat:tomcat /opt/tomcat/
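A blanket chown -R tomcat:tomcat gives the service account write access to its own binaries, libraries and conf/, so a compromised webapp could rewrite server.xml or drop a jar into lib/. The script below is an added example, not part of the original page: it gives the tree to root:tomcat, lets the tomcat group read everything and write only where Tomcat has to write at runtime (logs/, temp/, work/, webapps/), and includes a check that can be rerun later. The directory names are the standard Tomcat layout from the listing above; GNU/busybox find and chmod are assumed, and the demo runs on a throwaway tree as the current user because chown to root needs root.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: least-privilege ownership for a
# Tomcat tree. OWNER (root on the real host) keeps bin/, lib/ and conf/;
# GROUP (tomcat) can read everything and write only where the container must
# write at runtime. Assumes GNU/busybox find and chmod; the demo uses the
# current user and group because chown to root requires root.
set -euo pipefail

# harden_tomcat_tree DIR OWNER GROUP
harden_tomcat_tree() {
  local dir="$1" owner="$2" group="$3" d
  chown -R "$owner:$group" "$dir"
  # Baseline: owner rw, group r, nothing for others.
  find "$dir" -type d -exec chmod 750 {} +
  find "$dir" -type f -exec chmod 640 {} +
  # The service account still has to execute the start/stop scripts.
  find "$dir/bin" -type f -name '*.sh' -exec chmod 750 {} +
  # Runtime-written directories: group write, setgid so new files keep the group.
  for d in logs temp work webapps; do
    mkdir -p "$dir/$d"
    chmod 2770 "$dir/$d"
    find "$dir/$d" -mindepth 1 -type d -exec chmod 2770 {} +
    find "$dir/$d" -mindepth 1 -type f -exec chmod 660 {} +
  done
}

# tomcat_tree_ok DIR -> 0 when nothing is world-accessible and neither conf/ nor
# lib/ is group-writable (the service account cannot edit its own config or
# code); lists the offenders on stderr and returns 1 otherwise.
tomcat_tree_ok() {
  local dir="$1" bad=0 hits
  hits=$(find "$dir" -perm /007 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'world-accessible entries under %s:\n%s\n' "$dir" "$hits" >&2
    bad=1
  fi
  hits=$(find "$dir/conf" "$dir/lib" -perm /020 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'group-writable entries under conf/ or lib/:\n%s\n' "$hits" >&2
    bad=1
  fi
  return "$bad"
}

# Demo on a throwaway tree (never the real /opt/tomcat): ./harden-tomcat.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin" "$tmp/conf" "$tmp/lib" "$tmp/logs" "$tmp/temp" "$tmp/work" "$tmp/webapps/ROOT"
  printf '#!/bin/sh\n' > "$tmp/bin/startup.sh"
  printf '<Server/>\n' > "$tmp/conf/server.xml"
  chmod -R 777 "$tmp"                      # deliberately sloppy starting point
  tomcat_tree_ok "$tmp" || echo "before: not ok (expected)"
  harden_tomcat_tree "$tmp" "$(id -un)" "$(id -gn)"
  tomcat_tree_ok "$tmp" && echo "after: ok"
  rm -rf "$tmp"
fi
```

On the real host, run harden_tomcat_tree /opt/tomcat root tomcat right after unpacking instead of the chown above, and tomcat_tree_ok /opt/tomcat from a periodic job. Because bin/, lib/ and conf/ stay root-owned, upgrades and configuration changes are done as root, which is the point; the manager application's deployer features, which write into webapps/, keep working because that directory stays group-writable.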

tomcat configuration

manager access

[root@idpx opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
20c20
<          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
---
>          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
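Review bot: allow is a regular expression, so the added 157.19.19.13 should be written 157\.19\.19\.13 like the 127\.\d+ entry before it. RemoteAddrValve matches the whole address, so an unescaped dot cannot currently admit another valid IPv4 address, but escaping keeps the intent explicit and survives later edits. Also note that this list only restricts the manager webapp; it does nothing for the rest of Tomcat on port 8080.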

admin account for access to the manager/html application

[root@idpx opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
44,46d43
<   <role rolename="manager-gui"/>
<   <role rolename="admin-gui"/>
<   <user username="dsi" password="secret" roles="manager-gui,admin-gui"/>
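Review bot: the password sits in clear text in tomcat-users.xml and, with the manager reachable on http://...:8080, also travels in clear over the network. Use a long random value, hash it with bin/digest.sh -a sha-512 and declare a MessageDigestCredentialHandler with algorithm="sha-512" on the Realm in server.xml so the file stores a digest rather than the secret, and keep manager-gui/admin-gui reachable only through the TLS front end (on a production IdP the manager and host-manager webapps are not needed and can simply be removed).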

systemd service

[root@idpx opt]# vim /etc/systemd/system/tomcat.service
[root@idpx opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

start

[root@idpx ~]# systemctl daemon-reload
[root@idpx ~]# systemctl enable tomcat.service
[root@idpx ~]# systemctl start tomcat.service

firewall

[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@idpx opt]# firewall-cmd --reload
success

[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
success
[root@idpx opt]# firewall-cmd --reload
success

or, more generally:

firewall-cmd --zone=public --permanent --add-port=8080/tcp

Two remarks on these rules: the two service rules are written with host bits set (157.19.19.0/16 rather than 157.19.0.0/16), so check which network was actually meant; and once httpd fronts Tomcat (below), the 8080 rule should be removed again, otherwise the manager application and the IdP remain reachable directly on the Tomcat HTTP connector, bypassing the TLS front end.

tomcat access

the server is now reachable, for example

http://idpx.tem-tsp.eu:8080/manager/html (login/pass definit plus haut)

unless the source IP address of the browser is not allowed by the manager application's access control; see the IP addresses in the allow parameter:

[root@idpx ~]# vim /opt/tomcat/webapps/manager/META-INF/context.xml 

<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192.168.0.10|10.10.10.11" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>

proxy and TLS via apache

https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html https://tomcat.apache.org/tomcat-9.0-doc/connectors.html https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp (secretRequired=“false”)

setting up a reverse proxy so that apache handles TLS and the default ports (80/443); mod_ssl must be installed to get https:

[root@idpx opt]# yum install httpd mod_ssl

Total download size: 2.0 M
Is this ok [y/N]: y
                 

and configure it with our certificates

[root@idpx certs]#grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
SSLCertificateChainFile /etc/pki/tls/certs/chain-dc-TR1-CA2-idp-imtbstsp.pem

finally configure proxy-ajp so that apache forwards the https requests to tomcat

[root@idpx ~]# cat /etc/httpd/conf.d/shibboleth.conf
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
ProxyPass /manager/ ajp://127.0.0.1:8009/manager/

and enable it on the tomcat side

[root@idpx opt]# vim /opt/tomcat/conf/server.xml 
<!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector protocol="AJP/1.3"
               port="8009"
               secretRequired="false"
               address="127.0.0.1"
               redirectPort="8443" />

Without secretRequired="false" (cf. https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp) the manager could not be reached through proxy_ajp. Since Tomcat 9.0.31 the AJP connector requires a shared secret by default and binds to loopback, as the response to CVE-2020-1938 (the "Ghostcat" AJP file read/inclusion issue); turning the requirement off reopens that door to anything able to reach port 8009. Here the connector is bound to 127.0.0.1, which limits exposure to processes on the host itself, but the better configuration is to keep secretRequired="true", set secret="..." on the connector and pass the same value with secret=... on each ProxyPass (supported by mod_proxy_ajp from httpd 2.4.42; check whether the distribution's httpd carries that option).
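To make that concrete, here is an added example, not from the page, from Tomcat or from httpd: it generates a random shared secret, writes the connector and the ProxyPass lines with that secret, and provides a check that the two sides agree (the usual failure mode is a ProxyPass added later without the parameter, which httpd then sends unauthenticated and Tomcat rejects with 403). It assumes openssl or /dev/urandom for randomness and an httpd whose mod_proxy_ajp understands secret= (2.4.42 or later, or a backport); only the /idp/ path is proxied, because the manager has no business on the public front end.

```shell
#!/usr/bin/env bash
# Added example, not from the original page nor from Tomcat/httpd: generate a
# shared AJP secret, write matching Tomcat and httpd fragments, and check that
# both sides agree. Assumes openssl (or /dev/urandom) and an httpd whose
# mod_proxy_ajp accepts the ProxyPass 'secret=' parameter (2.4.42+ or a backport).
set -euo pipefail

# 256 random bits, hex-encoded: safe inside an XML attribute and an httpd directive.
gen_ajp_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# write_ajp_config SECRET CONNECTOR_FRAGMENT HTTPD_CONF
# Connector stays on loopback with the secret enforced (the Tomcat 9.0.31+ default);
# only the IdP path is proxied, the manager is deliberately not published.
write_ajp_config() {
  local secret="$1" connector="$2" httpd_conf="$3"
  cat > "$connector" <<EOF
<!-- AJP 1.3 connector for httpd on the same host: loopback only, shared secret required -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="${secret}"
           redirectPort="8443" />
EOF
  cat > "$httpd_conf" <<EOF
# The same secret must appear on every ajp:// ProxyPass, otherwise Tomcat answers 403.
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0 secret=${secret}
ProxyPassReverse /idp/ ajp://127.0.0.1:8009/idp/
EOF
  chmod 640 "$connector" "$httpd_conf"   # the secret is a credential; keep it out of world-readable files
}

# ajp_secret_from_tomcat FILE -> value of the first secret="..." attribute (not secretRequired)
ajp_secret_from_tomcat() {
  sed -n '/[[:space:]]secret="/{s/.*[[:space:]]secret="\([^"]*\)".*/\1/p;q;}' "$1"
}

# ajp_secrets_from_httpd FILE -> one secret per ajp:// ProxyPass line that carries one
ajp_secrets_from_httpd() {
  sed -n '/^ProxyPass[[:space:]].*ajp:\/\//s/.*[[:space:]]secret=\([^[:space:]]*\).*/\1/p' "$1"
}

# ajp_secrets_agree CONNECTOR_FILE HTTPD_CONF -> 0 when Tomcat has a secret and
# every ajp:// ProxyPass carries exactly that value; 1 (with a reason) otherwise.
ajp_secrets_agree() {
  local tomcat_secret total n=0 s
  tomcat_secret=$(ajp_secret_from_tomcat "$1")
  if [ -z "$tomcat_secret" ]; then
    echo "no secret attribute on the AJP connector in $1" >&2; return 1
  fi
  total=$(grep -c -E '^ProxyPass[[:space:]].*ajp://' "$2" || true)
  for s in $(ajp_secrets_from_httpd "$2"); do
    n=$((n + 1))
    if [ "$s" != "$tomcat_secret" ]; then
      echo "a ProxyPass in $2 carries a different secret" >&2; return 1
    fi
  done
  if [ "$n" -eq 0 ] || [ "$n" -ne "$total" ]; then
    echo "$total ajp:// ProxyPass line(s) in $2 but only $n with the secret" >&2; return 1
  fi
  return 0
}
```

Paste the generated connector into the <Service> of server.xml in place of the one shown above, the ProxyPass lines into /etc/httpd/conf.d/shibboleth.conf, restart both services, and run ajp_secrets_agree /opt/tomcat/conf/server.xml /etc/httpd/conf.d/shibboleth.conf after every change to either file.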

start httpd and check that the AJP module is loaded

[root@idpx opt]# systemctl start httpd.service 
[root@idpx opt]# httpd -M | grep ajp

 proxy_ajp_module (shared)

access without port 8080:

http://idpx.imtbstsp.eu/manager/html

then over https through proxy-ajp, without specifying port 443

https://idpx.imtbstsp.eu/manager/html

ntp

make sure the machine's clock is correct; on a VM the host provides the time. On CentOS 8 chrony is the default time service, and chronyc tracking shows whether the clock is synchronised.

shibboleth IDP

download

download the latest version from http://shibboleth.net/downloads/identity-provider/ ; a detached .asc signature is published next to each archive, so verify it against the Shibboleth project's signing key before unpacking

[root@idpx shibidp-src]# wget https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz
[root@idpx shibidp-src]# tar xvfz shibboleth-identity-provider-4.0.1.tar.gz 
[root@idpx shibidp-src]# cd shibboleth-identity-provider-4.0.1
[root@idpx shibboleth-identity-provider-4.0.1]# ls
bin  conf  credentials  doc  flows  LICENSE.txt  logs  messages  metadata  system  views  webapp

install

fresh install here; in case of an update, be careful not to overwrite everything!

[root@idpx shibboleth-identity-provider-4.0.1]# ./bin/install.sh 


Buildfile: /opt/shibidp-src/shibboleth-identity-provider-4.0.1/bin/build.xml

install:
Source (Distribution) Directory (press <enter> to accept default): [/opt/shibidp-src/shibboleth-identity-provider-4.0.1] ? 

Installation Directory: [/opt/shibboleth-idp] ? 

INFO [net.shibboleth.idp.installer.V4Install:151] - New Install.  Version: 4.0.1
Host Name: [idpx.intbstsp.fr] ? 
idpex.imtbstsp.eu
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-signing, CN = idpx.imtbs-tsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-encryption, CN = idpx.imtbs-tsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password:
Re-enter password: 
INFO [net.shibboleth.idp.installer.V4Install:592] - Creating backchannel keystore, CN = idpx.imtbstsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
Cookie Encryption Key Password:
Re-enter password: 
INFO [net.shibboleth.idp.installer.V4Install:633] - Creating backchannel keystore, CN = idpx.imtbstsp.eu URI = https://idpx.imtbstsp.eu/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://idpx.imtbstsp.eu/idp/shibboleth] ? 

Attribute Scope: [imtbstsp.eu] ? 

INFO [net.shibboleth.idp.installer.V4Install:433] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 5 seconds

credential files created

[root@idpx shibboleth-identity-provider-4.0.1]# ls -l /opt/shibboleth-idp/credentials/
total 36
-rw------- 1 root root 1517  4 juil. 18:13 idp-backchannel.crt
-rw------- 1 root root 3399  4 juil. 18:13 idp-backchannel.p12
-rw------- 1 root root 1517  4 juil. 18:12 idp-encryption.crt
-rw------- 1 root root 2455  4 juil. 18:12 idp-encryption.key
-rw------- 1 root root 1517  4 juil. 18:12 idp-signing.crt
-rw------- 1 root root 2459  4 juil. 18:12 idp-signing.key
-rw------- 1 root root  502  4 juil. 18:13 sealer.jks
-rw------- 1 root root   53  4 juil. 18:13 sealer.kver
-rw------- 1 root root  577  4 juil. 18:13 secrets.properties

the installation tree must belong to tomcat. At minimum the service account needs read access to conf/ and credentials/ and write access to logs/ and metadata/ (where the backing files of the HTTP metadata providers configured below are written); the private keys and keystores in credentials/ are created mode 0600 and should stay that way, so change ownership only, not modes.

[root@idpx shibboleth-identity-provider-4.0.1]# chown -R tomcat /opt/shibboleth-idp/

tomcat context for the IdP

see the Servlet container preparation notes

https://wiki.shibboleth.net/confluence/display/IDP30/ApacheTomcat8

the idp.xml context file deploys the IdP automatically, without copying the .war into Tomcat's webapps/ directory.

[root@idpx localhost]# cat /opt/tomcat/conf/Catalina/localhost/idp.xml 
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true">
 
    <!-- Work around lack of Max-Age support in IE/Edge for Tomcat 8.0.x -->
    <CookieProcessor alwaysAddExpires="true" />
 
</Context>

a few seconds later, thanks to auto-deploy

[root@idpx lib]# ls /opt/tomcat/webapps/idp/
css  images  index.jsp  js  META-INF  WEB-INF  x509-prompt.jsp

set idp.home so that java/tomcat picks it up.

[root@idpx conf]# grep idp /etc/systemd/system/tomcat.service
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC -Didp.home=/opt/shibboleth-idp"

reload systemd and restart tomcat to apply it

[root@idpx conf]# systemctl daemon-reload
[root@idpx conf]# systemctl stop tomcat.service 
[root@idpx conf]# systemctl start tomcat.service 

status and jstl

access test on http://idp3.tem-tsp.eu:8080/idp/status

at first this page did not display:

java.lang.NoClassDefFoundError: javax/servlet/jsp/jstl/core/Config
	org.springframework.web.servlet.support.JstlUtils.exposeLocalizationContext(JstlUtils.java:101)

the JSTL library has to be added (cf. http://stackoverflow.com/tags/jstl/info); it is not shipped by default (risk of conflict with jboss). See also https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp, section 6.13 IdP status URL configuration, or https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java (jstl).

jstl-1.2.jar library for the status function

[root@idpx war]# cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
[root@idpx lib]# wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
--2020-07-05 11:33:02--  https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar

but install.sh fails

so the whole package is rebuilt from the source tree instead

[root@idpx shibboleth-identity-provider-4.0.1]# cd webapp/
[root@idpx webapp]# ls
css  images  index.jsp  js  META-INF  WEB-INF  x509-prompt.jsp
[root@idpx webapp]# cd WEB-INF/
[root@idpx WEB-INF]# ls
classes  idpui.tld  jsp  lib  spring.tld  web.xml
[root@idpx WEB-INF]# cd lib/
[root@idpx lib]#  wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar

then rebuild

[root@idpx shibboleth-identity-provider-4.0.1]# ./bin/install.sh 
Buildfile: /opt/shibidp-src/shibboleth-identity-provider-4.0.1/bin/build.xml

install:
Source (Distribution) Directory (press <enter> to accept default): [/opt/shibidp-src/shibboleth-identity-provider-4.0.1] ? 

Installation Directory: [/opt/shibboleth-idp] ? 

INFO [net.shibboleth.idp.installer.V4Install:155] - Update from version 3 to version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 15 seconds

For https access to the status page, the admin browser's source IP must be allowed in access-control.xml

# vim /opt/shibboleth-idp/conf/access-control.xml
...
 <util:map id="shibboleth.AccessControlPolicies">

        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '192.168.0.0/24'} }" />
        </entry>
        ...

now reachable at https://idpx.imtbstsp.eu/idp/status

the status is also available from the shell

[root@idpx ~]# /opt/shibboleth-idp/bin/status.sh 
### Operating Environment Information
operating_system: Linux
operating_system_version: 4.18.0
operating_system_architecture: amd64
jdk_version: 11.0.7
available_cores: 12
used_memory: 87 MB
maximum_memory: 910 MB

### Identity Provider Information
idp_version: 4.0.1
start_time: 2020-07-05T10:35:55.154Z
current_time: 2020-07-05T10:42:32.622357Z
uptime: 397468 ms

NTP

the system clock must be correct (SAML exchanges are timestamped and assertions carry short validity windows)

if using an OpenVZ container, see VZ capabilities: http://unix.stackexchange.com/questions/68016/error-when-running-ntpd-on-openvz-host-cap-set-proc-failed-to-drop-root-privi

[root@hardnode ~]# vzctl set 1033 --capability sys_time:on --save
CT configuration saved to /etc/vz/conf/1033.conf

Configuration

since version 3 the configuration is split across several files; it is best to keep a backup of the originals from the distribution

[root@idpx conf]# cp -p metadata-providers.xml metadata-providers.xml.dist
[root@idpx conf]# cp -p relying-party.xml relying-party.xml.dist
[root@idpx conf]# cp -p attribute-resolver.xml attribute-resolver.xml.dist
[root@idpx conf]# cp -p attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idpx conf]# cp -p attribute-filter.xml attribute-filter.xml.dist

federation metadata

registration in the Renater test federation; retrieve the Renater metadata signing certificate. This certificate is the trust anchor for every metadata download below, so compare its fingerprint with the value the federation publishes rather than trusting the download alone.

[root@idp34]# cd /opt/shibboleth-idp/credentials/
[root@idp34 credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem 

add the loading of the test-renater metadata

[root@idp3 conf]# tail -18 metadata-providers.xml
         
         <!-- Federation de test renater -->
   <MetadataProvider id="RenaterTestMetadata"
                              xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/preview-sps-renater-test-metadata.xml"
                      metadataURL="https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml">

                <MetadataFilter xsi:type="SignatureValidation"
                requireSignedRoot="true"
                certificateFile="%{idp.home}/credentials/renater-metadata-signing-cert-2016.pem">
                </MetadataFilter>
        </MetadataProvider>

          
   
 
    </MetadataProvider>
    
</MetadataProvider>

The first time, restart tomcat so that the initial download of the file takes place

[root@idp34 conf]# systemctl restart tomcat.service 

[root@idp34 conf]#  ls -ltr ../metadata/
total 31308
-rw-r--r-- 1 tomcat root      14590  2 janv. 14:23 idp-metadata.xml
-rw-r--r-- 1 tomcat tomcat  6787283  2 janv. 14:47 preview-sps-renater-test-metadata.xml

afterwards a simple reload of the metadata service for this federation is enough

[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-metadata.sh -id=RenaterTestMetadata
Metadata reloaded.

idp-process.log :

2019-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: New metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml'
2019-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time)
2019-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||


local idp metadata URL

URL to view our IdP's metadata: the IdP serves the metadata/idp-metadata.xml generated by the installer at the entityID chosen there, https://idpx.imtbstsp.eu/idp/shibboleth

authentication

first test with simple LDAP authentication; make sure to enable idp.authn.LDAP.authenticator = bindSearchAuthenticator if a privileged account is needed to bind to the directory, and to set the associated secret, which by default lives in credentials/secrets.properties

[root@idpex conf]# diff ldap.properties ldap.properties.dist 
6d5
< idp.authn.LDAP.authenticator                   = bindSearchAuthenticator
9,10c8,9
< idp.authn.LDAP.ldapURL                          = ldap://ldapfr.imtbstsp.eu:389
< idp.authn.LDAP.useStartTLS                     = true
---
> idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
> #idp.authn.LDAP.useStartTLS                     = true
17c16
< idp.authn.LDAP.sslConfig                       = certificateTrust
---
> #idp.authn.LDAP.sslConfig                       = certificateTrust
19c18
< idp.authn.LDAP.trustCertificates                = /etc/pki/tls/certs/starimtbstsp_eu.pem
---
> idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
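Review bot: useStartTLS=true with sslConfig=certificateTrust is the right choice, but trustCertificates now points at /etc/pki/tls/certs/starimtbstsp_eu.pem, which by its name is the wildcard server certificate rather than a CA certificate; if so, the trust anchor expires with that certificate and has to be replaced at every renewal, whereas pointing at the issuing CA (or the chain file already used by httpd) survives renewals. Either way, confirm the handshake from the IdP host with ldapsearch -ZZ -H ldap://ldapfr.imtbstsp.eu:389 -x -b "" -s base before restarting tomcat: -ZZ makes the operation fail if StartTLS cannot be negotiated, so a TLS problem shows up here rather than as an opaque login failure (note that ldapsearch uses the system's TLS_CACERT, not the IdP's trust file, so it checks reachability and StartTLS, not the IdP's own trust configuration).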
21c20
< ##idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
---
> idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
30,31c29,30
< idp.authn.LDAP.baseDN                           = ou=people,ou=staff,dc=int,dc=fr
< idp.authn.LDAP.subtreeSearch                   = true
---
> idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
> #idp.authn.LDAP.subtreeSearch                   = false
35,37c34
< idp.authn.LDAP.bindDN                           = uid=binduser,ou=dsa,dc=int,dc=fr
< ##idp.authn.LDAP.bindDNCredential                 = secretNotHEre But In ../credentials/secrets.properties
< 
---
> idp.authn.LDAP.bindDN                           = uid=myservice,ou=system
41c38
< idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,ou=staff,dc=int,dc=fr
---
> idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=example,dc=org


[root@idpx conf]# systemctl restart tomcat.service 

customising the built-in login page

the login page built into the IdP can be customised, cf.:

# vim /opt/src/shibboleth-identity-provider-3.3.0/system/messages/messages.properties
...
idp.logo = /images/etablissement-logo-site.png
...
root.title = Shibboleth IdP Etablissement.fr
...

put the logo in the source images directory; curiously, a bin/install.sh did deploy the new messages.properties but not the logo png into /var/lib/tomcat/webapps/idp/images/, which I had to copy by hand (cp). Those paths come from a 3.3.0 install; on this 4.0.1 layout the override file is %{idp.home}/messages/messages.properties, custom images go under edit-webapp/images/, and the war is rebuilt with bin/build.sh.

Attribute resolver

attribute-resolver-ldap.xml relies on the variables defined above in ldap.properties; here we only disable StartTLSTrustCredential (commented out)

[root@idp3 conf]# cp attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idp3 conf]# diff attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist 
92d91
< 	  <!--
97d95
< 	  --> 
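Review bot: commenting out the StartTLSTrustCredential block (lines 92 to 97 of the file) removes the explicit trust anchor for the resolver's LDAP connection; with useStartTLS still enabled on the data connector, certificate validation then falls back to the JVM's default trust store instead of the trust file referenced from ldap.properties and used by the authentication flow. That is only correct if the directory's certificate chains to a CA present in the JVM's cacerts; otherwise keep the element and point it at the same trust file as the authentication configuration, so that both connections validate the server identically.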


and declare the use of attribute-resolver-ldap in services.xml:

[root@idp3 conf]# diff services.xml services.xml.dist
113c113
<         <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
---
>         <value>%{idp.home}/conf/attribute-resolver.xml</value>

attribute-filter

we take the example and extend it to any SP (ANY)

[root@idp3 conf]# diff attribute-filter.xml attribute-filter.xml.dist 
18,19c18
< <!--         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" /> -->
< 	 <PolicyRequirementRule xsi:type="ANY" />
---
>         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
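Review bot: with xsi:type="ANY" this policy releases every attribute it lists to any requester, including unknown SPs whose metadata the IdP happens to have loaded. Acceptable for a first test, but before production scope it to the federation (an InEntityGroup requirement rule) or, better, to what each SP's metadata actually requests (AttributeInMetadata), as is done further down.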

[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
Configuration reloaded.

schema name change v2/v3

careful when carrying home-made attribute-filter files over from v2 to v3: the schemas changed, for example "basic:OR" simply becomes "OR", cf. https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterLegacyNameSpaceMapping and https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration#AttributeFilterConfiguration-SchemaName

example of automatic replacement of the v2 syntax by the v3 one via "vi", in attribute-filter.xml (these are filter rule names, so attribute-filter.xml is the file to edit, not attribute-resolver.xml)

:1,$s/basic:AttributeRequesterString/Requester/g

:1,$s/basic:AttributeValueString/Value/g

:1,$s/basic:Rule/Rule/g

:1,$s/saml:AttributeRequesterInEntityGroup/InEntityGroup/g

:1,$s/basic:ANY/ANY/g

:1,$s/basic:OR/OR/g
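Done by hand in vi, these substitutions are easy to apply inconsistently across several files. The script below is an added example, not from the page or from the Shibboleth project: it applies the same six renames with sed, keeps a .v2 backup and reports how many basic:/saml: prefixed types remain. It runs on a constructed v2-style fragment with example.org placeholders, so every identifier in the sample is made up for the demo. The mapping covers only the names listed above; other legacy types in a real file have to be added from the mapping page linked above, and the basic:/saml: xmlns declarations on the root element become unused and can be dropped.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: migrate the v2 attribute-filter
# namespace prefixes to their v3 names with sed, with a backup and a residue check.
# Assumes GNU/busybox sed (in-place -i) and grep -E.
set -euo pipefail

# migrate_filter_v2_to_v3 FILE
# Rewrites FILE in place (backup kept as FILE.v2) using the mapping from the
# IdP 3 AttributeFilterLegacyNameSpaceMapping page, restricted to the six
# names used on this page. Order matters: the xsi:type values are renamed
# before the basic:Rule element itself.
migrate_filter_v2_to_v3() {
  local f="$1"
  cp -p "$f" "$f.v2"
  sed -i \
    -e 's/basic:AttributeRequesterString/Requester/g' \
    -e 's/basic:AttributeValueString/Value/g' \
    -e 's/saml:AttributeRequesterInEntityGroup/InEntityGroup/g' \
    -e 's/basic:Rule/Rule/g' \
    -e 's/basic:ANY/ANY/g' \
    -e 's/basic:OR/OR/g' \
    "$f"
}

# legacy_prefixes_left FILE -> number of lines whose xsi:type still carries a basic: or saml: prefix
legacy_prefixes_left() {
  grep -c -E 'xsi:type="(basic|saml):' "$1" || true
}

# write_sample_v2_filter FILE -> a constructed v2-style policy (example.org placeholders)
write_sample_v2_filter() {
  cat > "$1" <<'EOF'
<AttributeFilterPolicy id="releaseToTestSps">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org/shibboleth" />
        <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="https://federation.example.org/test" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:AttributeValueString" value="member" />
    </AttributeRule>
</AttributeFilterPolicy>
EOF
}

# Stand-alone demo: run with --demo to see the before/after on the sample.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample_v2_filter "$tmp/attribute-filter.xml"
  echo "legacy types before: $(legacy_prefixes_left "$tmp/attribute-filter.xml")"
  migrate_filter_v2_to_v3 "$tmp/attribute-filter.xml"
  echo "legacy types after:  $(legacy_prefixes_left "$tmp/attribute-filter.xml")"
  cat "$tmp/attribute-filter.xml"
  rm -rf "$tmp"
fi
```

On a real file, run migrate_filter_v2_to_v3 /opt/shibboleth-idp/conf/attribute-filter.xml, check that legacy_prefixes_left reports 0, then reload the filter service with reload-service.sh as shown above; the .v2 backup lets you diff the result before reloading.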


service.xml

attribute test from the cli

[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://test.federation.renater.fr/test/ressource --configDir=conf/ --principal=etudiant1

{
"requester": "https://test.federation.renater.fr/test/ressource",
"principal": "etudiant1",
"attributes": [


  {
    "name": "uid",
    "values": [
              "StringAttributeValue{value=etudiant1}"          ]
  },  

  {
    "name": "mail",
    "values": [
              "StringAttributeValue{value=etudiant1@example.org}"          ]
  },  

  {
    "name": "eduPersonPrincipalName",
    "values": [
              "ScopedStringAttributeValue{value=etudiant1, scope=int.eu}"          ]
  }  

]
}

Registration in a federation

first in the Renater test federation

https://federation.renater.fr/registry

Internal LDAP login test

having set the password scheme via ldap by default, a login/password from the configured institutional LDAP directory gives access to the Renater test resource https://test.federation.renater.fr/test/ressource, which displays the list of attributes sent and, in v3, now asks for consent (the uApprove add-on in v2)

Information to be Provided to Service
eduPersonPrincipalName 	teststud@int.fr
mail 	teststud@example.org
uid 	teststud

Ask me again at next login 
Ask me again if information to be provided to this service changes 
Do not ask me again 

idp-process.log :

2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|

SSO CAS

https://services.renater.fr/federation/docs/installation/idp3/chap08

[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
...
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
..

[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib

[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
total 8
-rw-r--r-- 1 root root 2290  2 janv. 21:23 shibcas-authn-flow.xml
-rw-r--r-- 1 root root 3241  2 janv. 21:23 shibcas-authn-beans.xml

[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/

The CAS client jar above was fetched over plain http from central.maven.org; fetch it over https from repo1.maven.org and compare it with the .sha1 published next to the artifact, since anything dropped into WEB-INF/lib runs with the IdP's privileges. Then modify the web flow to use the CAS plugin via /opt/shibboleth-idp/conf/idp.properties

[root@idp3 conf]# diff idp.properties idp.properties.dist 
100,114c100
< #idp.authn.flows= Password
< idp.authn.flows= Shibcas
< 
< # CAS Client properties (usage loosely matches that of the Java CAS Client)
< ## CAS Server Properties
< shibcas.casServerUrlPrefix = https://cas16.int.eu/cas
< shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
<  
< ## Shibboleth Server Properties
< shibcas.serverName = https://cas16.int.eu
< 
< # La partie ci-dessous est une fonctionnalité avancée de l'extention shib-cas en question (optionnelle)
< # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
< # Takes a comma separated list of fully qualified class names
< # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
---
> idp.authn.flows= Password
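Review bot: shibcas.serverName is documented by the plugin as the Shibboleth server's own base URL (the "Shibboleth Server Properties" comment above it says as much), because it is used to build the service= parameter that CAS redirects back to; here it is set to the CAS host, https://cas16.int.eu, which should be checked against the IdP's external name (https://idpx.imtbstsp.eu according to the install step). Both URLs are https, so the JVM running the IdP must also trust the CAS server's certificate for ticket validation to succeed.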

declaration of the Shibcas bean in general-authn.xml:

[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist

[root@idp3 authn]# diff general-authn.xml general-authn.xml.dist 
93,98d92
< 	<!-- https://services.renater.fr/federation/docs/installation/idp3/chap08 -->
< 	 <bean id="authn/Shibcas" parent="shibboleth.AuthenticationFlow"
<                 p:passiveAuthenticationSupported="true"
<                 p:forcedAuthenticationSupported="true"
<                 p:nonBrowserSupported="false" />
< 

then rebuild idp.war and stop/start tomcat

[root@idp3 bin]# systemctl stop tomcat.service

[root@idp3 bin]# /opt/shibboleth-idp/bin/build.sh
Installation Directory: [/opt/shibboleth-idp]

(press RETURN to accept the default)

Rebuilding /opt/shibboleth-idp/war/idp.war ...

...done

BUILD SUCCESSFUL

# remove the whole deployment from the tomcat webapps tree so that the new idp.war is certain to replace everything (on this installation the expanded webapp is /opt/tomcat/webapps/idp; /var/lib/tomcat is the path of a packaged tomcat)

[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp

[root@idp3 bin]# systemctl start tomcat.service

a new test on https://test.federation.renater.fr/test/ressource shows that we now go through CAS.

attribute filter

https://services.renater.fr/federation/docs/installation/idp3/chap10

the large number of SPs and their frequent changes in a large federation such as Renater's call for automation in managing the filters. "Since 2015 and IdP 2.4, Shibboleth introduces a new PermitValueRule of type AttributeInMetadata that can be used in your attribute-filter.xml configuration file. This feature lets you, for a set of SPs, release user attributes as narrowly as possible, only when they are declared as requested by the SP in the federation metadata. The onlyIfRequired option further restricts release to attributes marked as required."

We add the rules proposed in the Renater documentation:

<!-- Release the required attributes, Test Federation context -->
  <AttributeFilterPolicy id="releaseToAllRenaterSps">
  ....
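A complete policy of that shape, written here as an added example (it is neither this page's elided fragment nor Renater's published policy): it scopes the policy to a federation entity group, whose groupID is a placeholder to be replaced by the group of your federation metadata provider, and then releases each attribute only if the SP's metadata requests it. A blanket ANY rule is shown commented out for contrast, as the setting this replaces. The attribute IDs assume matching definitions in attribute-resolver.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Weak form, kept only for contrast: releases mail to every SP,
         whatever its metadata says.
    <AttributeFilterPolicy id="releaseMailToAnyone">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
    -->

    <!-- Least-privilege form: only for SPs in the federation group, and only
         the attributes each SP declares as RequestedAttribute in its metadata. -->
    <AttributeFilterPolicy id="releaseToAllRenaterSps">
        <!-- groupID is a placeholder (assumption): use the entity group of your
             federation metadata provider -->
        <PolicyRequirementRule xsi:type="InEntityGroup" groupID="PLACEHOLDER-FEDERATION-GROUP-ID" />

        <!-- onlyIfRequired="true": released only if the SP marks it isRequired="true" -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>

        <!-- onlyIfRequired="false": released whenever the SP requests it,
             whether required or optional -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Two points worth checking after deploying such a policy. The rule matches the SP's RequestedAttribute entries against the names carried by the attribute's encoders, so an attribute with no SAML2 encoder (or a different name) will never be released by it. And an SP that declares no RequestedAttribute at all gets nothing from an AttributeInMetadata rule unless matchIfMetadataSilent="true" is set on it; the default is false, which is the safe side.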
  

Then redeploy:

[root@idp3 conf]# vim attribute-filter.xml
[root@idp3 shibboleth-idp]# cd ../bin/
[root@idp3 bin]# systemctl stop tomcat.service 
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# ./build.sh 
Installation Directory: [/opt/shibboleth-idp]

Rebuilding /opt/shibboleth-idp/war/idp.war ...

...done

BUILD SUCCESSFUL
Total time: 4 seconds
[root@idp3 bin]# 
[root@idp3 bin]# systemctl start tomcat.service 

A new test on https://test.federation.renater.fr/test/ressource now shows more attributes.

script attribute definition entitlement

The "entitlement" attribute is built by a script. This changes between IdP v2 and v3 on several points: the configuration schema, and the Java script engine, 1.7 (Rhino) vs 1.8 (Nashorn).

ref:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJava1.8
https://wiki.shibboleth.net/confluence/display/IDP30/ScriptedAttributeDefinition

example

  <!-- jehan  eduPersonEntitlement -->
  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" >
     <resolver:Dependency ref="myLDAP" />
     <resolver:Dependency ref="schacUserStatus" />
     <resolver:Dependency ref="mail" />
     <resolver:Dependency ref="eduPersonPrimaryOrgUnitDN" />

      <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                  name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
      <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="entitlement" />

      <Script>
        <![CDATA[
            // Nashorn (Java 8+) syntax: Java.type() replaces Rhino's importPackage()
            var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
            // BasicAttribute is the IdP v2 attribute class
            var BasicAttribute = Java.type("edu.internet2.middleware.shibboleth.common.attribute.provider.BasicAttribute");

            if (eduPersonEntitlement == null) {
                eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
            }

            if (schacUserStatus != null && mail != null) {
                // one entitlement per matching schacUserStatus value
                var statusValues = schacUserStatus.getValues();
                for (var i = 0; i < statusValues.size(); i++) {
                    var status = statusValues.get(i);
                    if (status.matches(".*cert.*")) {
                        eduPersonEntitlement.getValues().add("urn:mace:terena.org:tcs:perso-user");
                    } else if (status.matches(".*pubhtml.*")) {
                        eduPersonEntitlement.getValues().add("urn:mace:imt:employee:int.fr:perso-webspace");
                    }
                }

                // entitlement derived from the first value of the primary org unit DN
                if (eduPersonPrimaryOrgUnitDN != null && eduPersonPrimaryOrgUnitDN.getValues().size() > 0) {
                    var orgUnit = eduPersonPrimaryOrgUnitDN.getValues().get(0);
                    if (orgUnit.matches(".*DSI.*")) {
                        eduPersonEntitlement.getValues().add("urn:mace:int:it:int.fr:dsi-user");
                    } else if (orgUnit.matches(".*INTM.*")) {
                        eduPersonEntitlement.getValues().add("urn:mace:int:staff:int.fr:intm-user");
                    }
                } else {
                    eduPersonEntitlement.getValues().add("");
                }
            }
            logger.info("Values of eduPersonEntitlement were: {}", eduPersonEntitlement.getValues());
        ]]>
      </Script>

  </resolver:AttributeDefinition>

newcerts

Regeneration of the (self-signed) metadata certificates after a hostname change and/or a VM clone, so that the published metadata carries the right internal certificates for SAML.

ref

[root@idp3 credentials]# openssl req -x509 -new -out idp3-signing.crt -keyout idp3-signing.key -days 3650
writing new private key to 'idp3-signing.key'
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:Essonne
Locality Name (eg, city) [Default City]:Evry
Organization Name (eg, company) [Default Company Ltd]:IMT
Organizational Unit Name (eg, section) []:DISI
Common Name (eg, your name or your server's hostname) []:idp3.int.eu
Email Address []:admin@int.eu

Removing the passphrase:

[root@idp3 credentials]# openssl rsa -in idp3-signing.key -out idp3-signing-np.key
Enter pass phrase for idp3-signing.key:
writing RSA key

Same for the encryption and backchannel keys:

[root@idp3 credentials]# openssl req -x509 -new -out idp3-encryption.crt -keyout idp3-encryption.key -days 3650
# openssl rsa -in idp3-encryption.key -out idp3-encryption-np.key

[root@idp3 credentials]# openssl req -x509 -new -out idp3-backchannel.crt -keyout idp3-backchannel.key -days 3650
# openssl rsa -in idp3-backchannel.key -out idp3-backchannel-np.key

Removing the passphrase from the p12: http://blog.armbruster-it.de/2010/03/remove-the-passphrase-from-a-pkcs12-certificate/

[root@idp3 credentials]# openssl pkcs12 -in idp3-backchannel.p12 -nodes -out idp3-p12-p-temp.pem
Enter Import Password:
MAC verified OK
[root@idp3 credentials]# openssl pkcs12 -export -in idp3-p12-p-temp.pem  -out idp3-backchannel-np.p12
Enter Export Password: (empty)
Verifying - Enter Export Password: (empty)

Although this does not seem very useful in the federation context, the local file metadata/idp-metadata.xml should be updated so that it stays consistent with these new certificates, with the entityID and with the hostname in the service URLs.

docpublic/systemes/shibboleth/idpv4xc8.1594027145.txt.gz · Last modified: 2020/07/06 09:19 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International