This shows you the differences between two versions of the page.
docpublic:systemes:shibboleth:idpv5xa9 [2024/05/18 14:54] adminjp [configuration] |
docpublic:systemes:shibboleth:idpv5xa9 [2024/06/27 16:47] (current) adminjp [Scripted Attributes] |
Line 5: | Line 5: | ||
- https:// | - https:// | ||
- https:// | - https:// | ||
+ | - https:// | ||
+ | - https:// | ||
===== requirements ===== | ===== requirements ===== | ||
Line 456: | Line 458: | ||
Since V4.1, the use of XML to configure many basic features has been minimized and replaced by simpler properties, with a new file (authn/ | Since V4.1, the use of XML to configure many basic features has been minimized and replaced by simpler properties, with a new file (authn/ | ||
+ | |||
+ | A handful of authentication-related properties that were in idp.properties in older releases have been moved to the new authn.properties file in this version for better locality of reference | ||
+ | |||
+ | |||
+ | ==== auth-Password ==== | ||
+ | |||
+ | https:// | ||
+ | |||
+ | The auth | ||
+ | n/Password login flow supports an extensible set of back-ends for password-based authentication, | ||
+ | |||
+ | === ldap === | ||
+ | |||
+ | https:// | ||
+ | |||
+ | The LDAPCredentialValidator for the password authentication login flow uses native LDAP libraries for password-based authentication instead of using a JAAS module. The primary advantages are slightly better performance and more control over the process, such as the ability to extract detailed account status information from the directory during a login. | ||
+ | |||
+ | Configuring LDAP as a back-end relies on beans internally that are configured using ldap.properties (defined separately from other properties because they are sometimes shared for LDAPConnector configuration).: | ||
+ | |||
+ | fichiers de conf a modifier | ||
+ | |||
+ | < | ||
+ | [root@idp5 conf]# cp authn/ | ||
+ | [root@idp5 conf]# cp ldap.properties ldap.properties.orig | ||
+ | </ | ||
+ | |||
+ | idp.authn.LDAP.bindDNCredential => Password to bind with during search, used by bindSearchAuthenticator, | ||
+ | |||
+ | < | ||
+ | [root@idp5 conf]# cp ../ | ||
+ | [root@idp5 conf]# vim ../ | ||
+ | </ | ||
+ | |||
+ | By default, attributes will be searched for using the same connection the user authenticated on. Therefore the user must have read on any attributes for those to be returned. | ||
+ | |||
+ | If you need access to attributes that user does not have read access to, then you must configure a connection pool that is authorized to read that data. The easiest way to that is to use the idp.authn.LDAP.resolveEntryWithBindDN=true property. This will configure a separate connection pool using the bind credentials. | ||
+ | ==== MataData ===== | ||
+ | |||
+ | * https:// | ||
+ | |||
+ | The Shibboleth IdP generally requires SAML metadata to provision connectivity with SAML relying parties and inform it about their capabilities and technical specifics | ||
+ | |||
+ | you will configure metadata sources in order to use the IdP's SAML features; this is done by adding < | ||
+ | |||
+ | < | ||
+ | [root@idp5 conf]# cp metadata-providers.xml metadata-providers.xml.orig | ||
+ | [root@idp5 conf]# vim metadata-providers.xml | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== external CAS auth ===== | ||
+ | |||
+ | * https:// | ||
+ | |||
+ | utiliser le serveur CAS comme formulaire de login SSO | ||
+ | |||
+ | il faut recuperer le plugin unicon | ||
+ | |||
+ | < | ||
+ | [root@idp5 ~]# cd / | ||
+ | [root@idp5 lib]# curl -L https:// | ||
+ | [root@idp5 lib]# curl -L https:// | ||
+ | [root@idp5 lib]# curl -L https:// | ||
+ | [root@idp5 lib]# ls -ltr | ||
+ | -rw-r--r-- 1 root | ||
+ | -rw-r--r-- 1 tomcat root 3711043 Sep 29 2022 jakarta.servlet.jsp.jstl-3.0.1.jar | ||
+ | -rw-r--r-- 1 root | ||
+ | -rw-r--r-- 1 root | ||
+ | -rw-r--r-- 1 root | ||
+ | </ | ||
+ | |||
+ | on configure le point d' | ||
+ | |||
+ | < | ||
+ | [root@idp5 ]# cp / | ||
+ | [root@idp5 ]# chmod 0644 / | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | [root@idp5]# | ||
+ | --- / | ||
+ | +++ / | ||
+ | @@ -45,17 +45,6 @@ | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | - <!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow --> | ||
+ | - < | ||
+ | - < | ||
+ | - < | ||
+ | - < | ||
+ | - </ | ||
+ | - < | ||
+ | - < | ||
+ | - < | ||
+ | - </ | ||
+ | - | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | |||
+ | rebuild du war de l'IDP : | ||
+ | |||
+ | < | ||
+ | [root@idp5 shibboleth-idp]# | ||
+ | INFO - net.shibboleth.idp.installer.impl.IdPBuildArguments@4cc77c2e | ||
+ | INFO - Rebuilding / | ||
+ | INFO - Initial populate from / | ||
+ | INFO - Overlay from / | ||
+ | INFO - Creating war file / | ||
+ | </ | ||
+ | |||
+ | et restart tomcat | ||
+ | |||
+ | < | ||
+ | [root@idp5 shibboleth-idp]# | ||
+ | </ | ||
+ | |||
+ | idp logs | ||
+ | |||
+ | < | ||
+ | 2024-05-29 22: | ||
+ | |||
+ | 2024-05-29 22: | ||
+ | </ | ||
+ | |||
+ | ===== Attributes Definition ===== | ||
+ | |||
+ | https:// | ||
+ | |||
+ | ==== ajout d' | ||
+ | |||
+ | nous definitions nos attributs Supann dans un fichier XML : {{ : | ||
+ | |||
+ | puis on les charge avec les autres (eduPerson, Schac ...) via// conf/ | ||
+ | |||
+ | < | ||
+ | [root@idp5 attributes]# | ||
+ | [root@idp5 attributes]# | ||
+ | <import resource=" | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Attributes Filter ==== | ||
+ | |||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | |||
+ | ==== Scripted Attributes ==== | ||
+ | |||
+ | * https:// | ||
+ | |||
+ | => //Scripting Language | ||
+ | The default scripting language is JavaScript (language=”javascript”). Therefore all of the sample scripts are written in JavaScript, which is based on the ECMAScript standard. As the IdP requires Java versions new enough that no scripting engines are provided, it is required to install one of the plugins provided by the project to supply either a Nashorn or Rhino engine to implement the default language// | ||
+ | |||
+ | |||
+ | depuis les versions recentes de Java , il n'y a plus d' | ||
+ | |||
+ | < | ||
+ | Error creating bean with name ' | ||
+ | |||
+ | Caused by: org.springframework.beans.factory.BeanCreationException: | ||
+ | </ | ||
+ | |||
+ | |||
+ | il faut installer un interpreteur via un plugin, voici les 2 interpreteurs disponibles sous forme de plugin | ||
+ | |||
+ | |||
+ | < | ||
+ | [root@idp5 bin]# ./plugin.sh -L | grep -E ' | ||
+ | Plugin net.shibboleth.idp.plugin.rhino: | ||
+ | Plugin net.shibboleth.idp.plugin.nashorn: | ||
+ | </ | ||
+ | |||
+ | === installation interpreteur nashorn === | ||
+ | |||
+ | * https:// | ||
+ | |||
+ | < | ||
+ | [root@idp5 bin]# ./plugin.sh -I net.shibboleth.idp.plugin.nashorn | ||
+ | |||
+ | INFO - Downloading from HTTPResource [http:// | ||
+ | .................................... | ||
+ | INFO - Downloading from HTTPResource [http:// | ||
+ | INFO - Plugin net.shibboleth.idp.plugin.nashorn: | ||
+ | INFO - Plugin net.shibboleth.idp.plugin.nashorn: | ||
+ | INFO - TrustStore does not contain signature 0x1483F262A4B3FF0 | ||
+ | Accept this key: | ||
+ | Signature: | ||
+ | FingerPrint: | ||
+ | Username: | ||
+ | [yN] y | ||
+ | INFO - Installing Plugin ' | ||
+ | INFO - Rebuilding / | ||
+ | INFO - Initial populate from / | ||
+ | INFO - Overlay from / | ||
+ | INFO - Overlay from / | ||
+ | INFO - Creating war file / | ||
+ | </ | ||
+ | |||
+ | le re-build de idp.war provoque un auto-re-deploiement et rechargement de l' | ||
+ | |||
+ | < | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | 2024-06-23 19: | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ===== attributes Consent ===== | ||
+ | |||
+ | https:// | ||
+ | |||
+ | < | ||
+ | [root@idp5 shibboleth-idp]# | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | INFO - Including auto-located properties in bin/ | ||
+ | Enabling idp.intercept.Consent... | ||
+ | conf/ | ||
+ | views/ | ||
+ | views/ | ||
+ | [OK] | ||
+ | </ |
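Review bot: the Nashorn plugin installation near the end of this hunk (the `INFO - TrustStore does not contain signature 0x1483F262A4B3FF0` / `Accept this key:` / `[yN] y` exchange) shows an unknown signing key being accepted with a bare `y`; the page should tell the reader to compare the displayed Signature and FingerPrint values against the fingerprint published by the project before answering, all the more because the two `INFO - Downloading from HTTPResource [http://` lines just above show the plugin being fetched over plain http, so the signature check is the only integrity guarantee for what gets installed. Two smaller points in the same hunk: the heading `==== MataData =====` has four `=` on the left and five on the right, which DokuWiki will not render as a heading, and the word is evidently meant to be MetaData given the SAML metadata text that follows; and the `cp ldap.properties ldap.properties.orig` step leaves a second copy of a file that, per the `idp.authn.LDAP.bindDNCredential => Password to bind with` line, carries the LDAP bind password, so the backup needs the same restrictive permissions as the original or should be removed once the edit is confirmed.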