docpublic:systemes:shibboleth:idpv5xa9 [2024/05/18 16:54] adminjp [auth-Password]
docpublic:systemes:shibboleth:idpv5xa9 [2024/06/27 16:47] (current) adminjp [Scripted Attributes]

  - https://shibboleth.atlassian.net/wiki/spaces/IDP5/overview
  - https://www.ukfederation.org.uk/content/News/2023-10-24-c-Shib-IdPv5-Release
  - https://services.renater.fr/federation/documentation/guides-installation/idp5/index
  - https://docs.tuakiri.ac.nz/identity_providers/upgrading_a_4_x_idp_to_5_x

===== requirements =====
</code>

By default, attributes are looked up over the same LDAP connection the user authenticated on, so the user must have read access to any attribute that is to be returned.

If you need attributes the user cannot read, you must configure a separate connection pool that is authorized to read that data. The easiest way to do that is to set the idp.authn.LDAP.resolveEntryWithBindDN=true property, which configures a separate connection pool using the bind credentials.
==== Metadata ====

</code>


===== external CAS auth =====

  * https://services.renater.fr/federation/documentation/guides-installation/idp5/chap08

use the CAS server as the SSO login form

fetch the Unicon shib-cas-authn CAS authentication plugin for Shibboleth IdP 5.x, redistributed by Renater:

<code>
[root@idp5 ~]# cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
[root@idp5 lib]# curl -L https://github.com/Renater/shib-cas-authn/releases/download/5.0.0-RENATER/no-conversation-state.jsp -O
[root@idp5 lib]# curl -L https://github.com/Renater/shib-cas-authn/releases/download/5.0.0-RENATER/shib-cas-authenticator-5.0.0-RENATER.jar -O
[root@idp5 lib]# curl -L https://github.com/Renater/shib-cas-authn/releases/download/5.0.0-RENATER/cas-client-core-4.0.4.jar -O
[root@idp5 lib]# ls -ltr
-rw-r--r-- 1 root root 46041 Mar 4 2022 jakarta.servlet.jsp.jstl-api-3.0.0.jar
-rw-r--r-- 1 tomcat root 3711043 Sep 29 2022 jakarta.servlet.jsp.jstl-3.0.1.jar
-rw-r--r-- 1 root root 1261 May 29 20:31 no-conversation-state.jsp
-rw-r--r-- 1 root root 22291 May 29 20:32 shib-cas-authenticator-5.0.0-RENATER.jar
-rw-r--r-- 1 root root 164534 May 29 20:32 cas-client-core-4.0.4.jar
</code>

configure the entry point that receives the callbacks from the CAS server: copy the default web.xml configuration file into the edit folder of the web archive (war) and give it write/modify permissions:

<code>
[root@idp5 ]# cp /opt/shibboleth-idp/dist/webapp/WEB-INF/web.xml /opt/shibboleth-idp/edit-webapp/WEB-INF/
[root@idp5 ]# chmod 0644 /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml
</code>

<code>
[root@idp5]# diff -ur /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml /opt/shibboleth-idp/dist/webapp/WEB-INF/web.xml
--- /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml 2024-05-29 22:12:58.670984337 +0200
+++ /opt/shibboleth-idp/dist/webapp/WEB-INF/web.xml 2024-04-15 17:33:48.000000000 +0200
@@ -45,17 +45,6 @@
<param-value>true</param-value>
</context-param>

- <!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow -->
- <servlet>
- <servlet-name>ShibcasAuthServlet</servlet-name>
- <servlet-class>net.unicon.idp.externalauth.ShibcasAuthServlet</servlet-class>
- <load-on-startup>2</load-on-startup>
- </servlet>
- <servlet-mapping>
- <servlet-name>ShibcasAuthServlet</servlet-name>
- <url-pattern>/Authn/External/*</url-pattern>
- </servlet-mapping>
-
<!-- Send servlet errors through the IdP's MVC error handling. -->
<error-page>
<exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
</code>
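Review bot: the diff arguments are in the reverse order of the change, so the ShibcasAuthServlet block that was added to the edit-webapp copy shows up with `-` markers as if it were being removed: the `---` header is the edited file and the `+++` header is the pristine dist copy. Running `diff -ur /opt/shibboleth-idp/dist/webapp/WEB-INF/web.xml /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml` instead would show the servlet and its `/Authn/External/*` mapping as `+` lines, which reads correctly as the addition that the `authn/External` flow in the IdP log below relies on.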


rebuild the IdP war:

<code>
[root@idp5 shibboleth-idp]# /opt/shibboleth-idp/bin/build.sh
INFO - net.shibboleth.idp.installer.impl.IdPBuildArguments@4cc77c2e
INFO - Rebuilding /opt/shibboleth-idp/bin/../war/idp.war, Version 5.1.2
INFO - Initial populate from /opt/shibboleth-idp/bin/../dist/webapp to /opt/shibboleth-idp/bin/../webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/bin/../edit-webapp to /opt/shibboleth-idp/bin/../webpapp.tmp
INFO - Creating war file /opt/shibboleth-idp/bin/../war/idp.war
</code>

and restart Tomcat

<code>
[root@idp5 shibboleth-idp]# systemctl restart tomcat.service
</code>

IdP logs

<code>
2024-05-29 22:34:53,922 - 192.168.210.190 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:368] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/External

2024-05-29 22:36:16,589 - 192.168.210.190 - INFO [Shibboleth-Audit.SSO:333] - 192.168.210.190|2024-05-29T20:34:53.674434215Z|2024-05-29T20:36:16.589128112Z|test|https://sptest.domain.fr/shibboleth|_2127163c458f63f67396abe333d12a55|password|2024-05-29T20:36:16.322156815Z|supannEntiteAffectation,mail,eduPersonAffiliation,displayName,givenName,eduPersonPrincipalName,supannAutreMail,sn,supannRessourceEtat|BBdzZWNyZXQxQTVwOZSwSw4CN/yGGvuC8YQ8lSpu9uiF/l/dEjizDKrFWAWLehPwrL7zRwtpep
</code>

===== Attributes Definition =====

https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510514/AttributeRegistryConfiguration

==== adding Supann attributes ====

we define our Supann attributes in an XML file: {{ :docpublic:systemes:shibboleth:supann.xml |}}

then we load them together with the others (eduPerson, SCHAC, ...) via //conf/attributes/default-rules.xml//

<code>
[root@idp5 attributes]# vim default-rules.xml
[root@idp5 attributes]# grep supann.xml default-rules.xml
<import resource="supann.xml" />

</code>

==== Attributes Filter ====

  * https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510442/HttpClientConfiguration
  * https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507990/HTTPResource


==== Scripted Attributes ====

  * https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510349/ScriptTypeConfiguration

=> //Scripting Language
The default scripting language is JavaScript (language="javascript"). Therefore all of the sample scripts are written in JavaScript, which is based on the ECMAScript standard. As the IdP requires Java versions new enough that no scripting engines are provided, it is required to install one of the plugins provided by the project to supply either a Nashorn or Rhino engine to implement the default language//


with recent Java versions there is no longer a JavaScript interpreter by default; without loading one, defining a ScriptedAttribute raises the error:

<code>
Error creating bean with name 'eduPersonEntitlement': Cannot create inner bean '(inner bean)#4c69826d' of type [net.shibboleth.shared.spring.factory.EvaluableScriptFactoryBean] while setting bean property 'script'

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#4c69826d': No scripting engine associated with scripting language javascript
</code>


an interpreter has to be installed via a plugin; here are the two interpreters available as plugins:


<code>
[root@idp5 bin]# ./plugin.sh -L | grep -E 'nashorn|rhino'
Plugin net.shibboleth.idp.plugin.rhino: version 2.0.0 available for install
Plugin net.shibboleth.idp.plugin.nashorn: version 2.0.0 available for install
</code>

=== installing the Nashorn interpreter ===

  * https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1374027996/Nashorn

<code>
[root@idp5 bin]# ./plugin.sh -I net.shibboleth.idp.plugin.nashorn

INFO - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/scripting/2.0.0/idp-plugin-nashorn-jdk-dist-2.0.0.tar.gz]
....................................
INFO - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/scripting/2.0.0/idp-plugin-nashorn-jdk-dist-2.0.0.tar.gz.asc]
INFO - Plugin net.shibboleth.idp.plugin.nashorn: Trust store folder does not exist, creating
INFO - Plugin net.shibboleth.idp.plugin.nashorn: Trust store does not exist, creating
INFO - TrustStore does not contain signature 0x1483F262A4B3FF0
Accept this key:
Signature: 0x1483F262A4B3FF0
FingerPrint: 4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0
Username: Rod Widdowson <rdw@steadingsoftware.com>
[yN] y
INFO - Installing Plugin 'net.shibboleth.idp.plugin.nashorn' version 2.0.0
INFO - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.2
INFO - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO - Creating war file /opt/shibboleth-idp/war/idp.war
</code>

before answering y, compare the displayed fingerprint with the signing keys published by the Shibboleth project: the accepted key is stored in the plugin's trust store and reused for later updates of that plugin

rebuilding idp.war triggers an automatic redeploy and reload of the shibboleth-idp application in Tomcat

<code>
2024-06-23 19:33:37,763 - - INFO [net.shibboleth.shared.spring.service.ReloadableSpringService:426] - Service 'shibboleth.ManagedBeanService': Reload complete
2024-06-23 19:33:37,763 - - INFO [net.shibboleth.shared.service.AbstractReloadableService:198] - Service 'shibboleth.ManagedBeanService': Reload interval set to: PT15M, starting refresh thread
2024-06-23 19:33:37,884 - - DEBUG [net.shibboleth.idp.admin.impl.ReportModuleStatus:86] - Checking required modules for plugin net.shibboleth.idp.plugin.nashorn
2024-06-23 19:33:37,928 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:57] - Shibboleth IdP Version 5.1.2
2024-06-23 19:33:37,929 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:58] - Java version='17.0.11' vendor='Red Hat, Inc.'
2024-06-23 19:33:37,930 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:73] - Plugins:
2024-06-23 19:33:37,931 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:75] - net.shibboleth.idp.plugin.nashorn : v2.0.0
2024-06-23 19:33:37,934 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:93] - Enabled Modules:
2024-06-23 19:33:37,935 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:95] - Core IdP Functions (Required)
2024-06-23 19:33:37,935 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:95] - Command Line Scripts
2024-06-23 19:33:37,935 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:95] - Overlay Tree for WAR Build
2024-06-23 19:33:37,935 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:95] - Password Authentication
2024-06-23 19:33:37,935 - - INFO [net.shibboleth.idp.admin.impl.LogImplementationDetails:95] - Hello World
2024-06-23 19:33:38,409 - - INFO [net.shibboleth.idp.admin.impl.ReportUpdateStatus:136] - No upgrade available from 5.1.2
2024-06-23 19:33:38,410 - - INFO [net.shibboleth.idp.admin.impl.ReportUpdateStatus:147] - Version 5.1.2 is current
</code>
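As an added example (not taken from this page or from the Shibboleth project), here is a ScriptedAttribute definition for eduPersonEntitlement of the kind whose bean creation fails with the error above until a scripting engine plugin such as Nashorn is installed; the conf/attribute-resolver.xml location, the affiliation-to-entitlement mapping and the urn:example entitlement values are assumptions:

```xml
<!-- Assumed to live in conf/attribute-resolver.xml; entitlement URNs are placeholders. -->
<!-- language="javascript" is the default; the script runs on the installed Nashorn engine. -->
<AttributeDefinition id="eduPersonEntitlement" xsi:type="ScriptedAttribute" language="javascript">
    <InputAttributeDefinition ref="eduPersonAffiliation" />
    <Script><![CDATA[
        // Input attributes are exposed as script variables named after their id; the
        // variable is undefined when the resolver produced no value, so guard first.
        if (typeof eduPersonAffiliation != "undefined" && eduPersonAffiliation != null) {
            // String-typed values are unwrapped, so contains() takes plain strings.
            var affs = eduPersonAffiliation.getValues();
            if (affs.contains("staff") || affs.contains("faculty")) {
                eduPersonEntitlement.addValue("urn:example:entitlement:intranet"); // placeholder
            }
            if (affs.contains("student")) {
                eduPersonEntitlement.addValue("urn:example:entitlement:library");  // placeholder
            }
        }
        // If nothing was added the attribute stays empty and is simply not released.
    ]]></Script>
</AttributeDefinition>
```

The resolved values can be checked for a given user without involving an SP with bin/aacli.sh -n <principal> -r <sp-entityID>, which also confirms that the engine plugin is loaded.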



===== attributes Consent =====

https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199509862/ConsentConfiguration

<code>
[root@idp5 shibboleth-idp]# bin/module.sh -t idp.intercept.Consent || bin/module.sh -e idp.intercept.Consent
INFO - Including auto-located properties in bin/../conf/services.properties
INFO - Including auto-located properties in bin/../conf/authn/authn.properties
INFO - Including auto-located properties in bin/../conf/admin/admin.properties
INFO - Including auto-located properties in bin/../conf/c14n/subject-c14n.properties
INFO - Including auto-located properties in bin/../conf/ldap.properties
INFO - Including auto-located properties in bin/../conf/saml-nameid.properties
INFO - Including auto-located properties in bin/../conf/services.properties
INFO - Including auto-located properties in bin/../conf/authn/authn.properties
INFO - Including auto-located properties in bin/../conf/admin/admin.properties
INFO - Including auto-located properties in bin/../conf/c14n/subject-c14n.properties
INFO - Including auto-located properties in bin/../conf/ldap.properties
INFO - Including auto-located properties in bin/../conf/saml-nameid.properties
Enabling idp.intercept.Consent...
conf/intercept/consent-intercept-config.xml created
views/intercept/attribute-release.vm created
views/intercept/terms-of-use.vm created
[OK]
</code>