====== IdP-ShibV2 ======

===== Références shib v2 =====

http://shibboleth.internet2.edu/shib-v2.0.html

https://spaces.internet2.edu/display/SHIB2/Home

mail d'annonce:
<code>
Date - Thu Mar 20 07:40:01 2008
From: Steven_Carmody AT brown.edu
Subject: Shibboleth v2.0 is Now Available
To: shibboleth-announce@internet2.edu, shibboleth-dev@internet2.edu,
   shibboleth-users@internet2.edu
</code>

===== Pre-requis =====

Logiciels nécessaires


==== Java ====

un JDK , sun de préférence:

<code>
[root@shibidp1 /]
$ yum install java-1.6.0-sun-devel java-1.6.0-sun
Installed: java-1.6.0-sun.i586 0:1.6.0.01-1.el5 java-1.6.0-sun-devel.i586 0:1.6.0.01-1.el5
Dependency Installed: compat-libstdc++-33.i386 0:3.2.3-61 filesystem.i386 0:2.4.0-1.el5.centos jpackage-utils.noarch 0:1.7.3-1jpp.2.el5 libX11.i386 0:1.0.3-8.0.1.el5 
libXau.i386 0:1.0.1-3.1 libXdmcp.i386 0:1.0.1-2.1 libXext.i386 0:1.0.1-2.1 libXi.i386 0:1.0.1-3.1 libXp.i386 0:1.0.0-8.1.el5 libXtst.i386 0:1.0.1-3.1 xorg-x11-filesystem.noarch 
0:7.1-2.fc6
Complete!

   * </code>

=== Environement java ===

Sous CEntos/redhat le JRE et JDK installent java dans */usr/lib/jvm/java*
<pre>$ rpm -qa | grep java</pre><code>java-1.6.0-sun-devel-1.6.0.01-1.el5
java-1.6.0-sun-1.6.0.01-1.el5

$ grep -i java ~/.bash_profile
#java
export JAVA_HOME=/usr/lib/jvm/java
export JAVA_OPTS="-Xmx256m -XX:MaxPermSize=512m"

  
</code>

==== Tomcat ====

un serveur d'application java, ici tomcat:

<code>
[root@shibidp1 /]
$ yum install tomcat5 tomcat5-admin-webapps tomcat5-webapps
...
Transaction Summary
=============================================================================
Install     71 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 69 M

Installed: tomcat5.i386 0:5.5.23-0jpp.3.0.2.el5 tomcat5-admin-webapps.i386 0:5.5.23-0jpp.3.0.2.el5 tomcat5-webapps.i386 0:5.5.23-0jpp.3.0.2.el5

Dependency Installed: alsa-lib.i386 0:1.0.14-1.rc4.el5 ant.i386 0:1.6.5-2jpp.2 antlr.i386 0:2.7.6-4jpp.2 atk.i386 0:1.12.2-1.fc6 axis.i386 0:1.2.1-2jpp.6 bcel.i386 0:5.1-8jpp.1 
cairo.i386 0:1.2.4-3.el5_1 classpathx-jaf.i386 0:1.0-9jpp.1 cups-libs.i386 1:1.2.4-11.14.el5_1.4 eclipse-ecj.i386 1:3.2.1-18.el5.centos.1 expat.i386 0:1.95.8-8.2.1 
fontconfig.i386 0:2.4.1-7.el5 freetype.i386 0:2.2.1-19.el5 gjdoc.i386 0:0.7.7-12.el5 gnutls.i386 0:1.4.1-2 gtk2.i386 0:2.10.4-19.el5 hicolor-icon-theme.noarch 0:0.9-2.1 
jakarta-commons-beanutils.i386 0:1.7.0-5jpp.1 jakarta-commons-collections.i386 0:3.1-6jpp.1 jakarta-commons-daemon.i386 1:1.0.1-6jpp.1 jakarta-commons-dbcp.i386 
0:1.2.1-7jpp.1 jakarta-commons-digester.i386 0:1.7-5jpp.1 jakarta-commons-discovery.i386 1:0.3-4jpp.1 jakarta-commons-el.i386 0:1.0-7jpp.1 
jakarta-commons-fileupload.i386 1:1.0-6jpp.1 jakarta-commons-httpclient.i386 1:3.0-7jpp.1 jakarta-commons-launcher.i386 0:0.9-6jpp.1 jakarta-commons-logging.i386 
0:1.0.4-6jpp.1 jakarta-commons-modeler.i386 0:1.1-8jpp.3.el5 jakarta-commons-pool.i386 0:1.3-5jpp.1 jakarta-commons-validator.i386 0:1.1.4-5jpp.1 jakarta-oro.i386 
0:2.0.8-3jpp.1 jakarta-taglibs-standard.i386 0:1.1.1-7jpp.1 java-1.4.2-gcj-compat.i386 0:1.4.2.0-40jpp.112 javamail.noarch 0:1.3.1-2jpp jta.noarch 0:1.0.1b-3jpp libICE.i386 
0:1.0.1-2.1 libSM.i386 0:1.0.1-3.1 libXcursor.i386 0:1.1.7-1.1 libXfixes.i386 0:4.0.1-2.1 libXft.i386 0:2.1.10-1.1 libXinerama.i386 0:1.0.1-2.1 libXrandr.i386 0:1.1.1-3.1 
libXrender.i386 0:0.9.1-3.1 libart_lgpl.i386 0:2.3.17-4 libgcj.i386 0:4.1.2-14.el5 libgcrypt.i386 0:1.2.3-1 libgpg-error.i386 0:1.4-2 libjpeg.i386 0:6b-37 libpng.i386 
2:1.2.10-7.1.el5_0.1 libtiff.i386 0:3.8.2-7.el5 log4j.i386 0:1.2.13-3jpp.2 mx4j.i386 1:3.0.1-6jpp.4 pango.i386 0:1.14.9-3.el5.centos regexp.i386 0:1.4-2jpp.2 struts.i386 
0:1.2.9-4jpp.5 tomcat5-common-lib.i386 0:5.5.23-0jpp.3.0.2.el5 tomcat5-jasper.i386 0:5.5.23-0jpp.3.0.2.el5 tomcat5-jsp-2.0-api.i386 0:5.5.23-0jpp.3.0.2.el5 
tomcat5-server-lib.i386 0:5.5.23-0jpp.3.0.2.el5 tomcat5-servlet-2.4-api.i386 0:5.5.23-0jpp.3.0.2.el5 wsdl4j.i386 0:1.5.2-4jpp.1 xalan-j2.i386 0:2.7.0-6jpp.1 xerces-j2.i386 
0:2.7.1-7jpp.2 xml-commons.i386 0:1.3.02-0.b2.7jpp.10 xml-commons-apis.i386 0:1.3.02-0.b2.7jpp.10 xml-commons-resolver.i386 0:1.1-1jpp.12 zip.i386 0:2.31-1.2.2

Complete!
</code>

===== IDP v2.0 =====

==== Download ====

<code> [root@shibidp1 /usr/local/src]
$ wget http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/shibboleth-identityprovider-2.1.0-bin.tar.gz


 </code>

archive

<code>[root@shibidp1 /usr/local/src]
$ tar xvzf shibboleth-identityprovider-2.1.0-bin.tar.gz
shibboleth-identityprovider-2.1.0/lib/shibboleth-jce-1.0.0.jar
...
[root@shibidp1 /usr/local/src]
$ mv shibboleth-identityprovider-2.1.0/ /usr/local/
$ ls /usr/local/shibboleth-identityprovider-2.1.0/
cpappend.bat  doc  endorsed  install.bat  install.sh  lib  LICENSE.txt  src


</code>

==== Preparation JVM ====

from https://spaces.internet2.edu/display/SHIB2/IdPPrepareJVM

=== librairie jar ===

<code>
[root@shibidp1 /etc/tomcat5]
$ ls /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/ext
dnsns.jar  localedata.jar  meta-index  sunjce_provider.jar  sunpkcs11.jar
[root@shibidp1 ~/shibIdpV2/identityprovider]
$ cp ./lib/shib-jce-1.0.jar /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/ext
</code>

=== Security provider ===

<code>
[root@shibidp1 /etc/tomcat5]
$ grep internet2 /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/security/java.security
security.provider.9=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider
</code>

=== Bouncy Castle JCE Provider

<code>
[root@shibidp1 ~]
$ wget http://polydistortion.net/bc/download/bcprov-jdk16-138.jar
[root@shibidp1 ~]
$ cp bcprov-jdk16-138.jar /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/ext

$ vim /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/security/java.security
security.provider.9=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
</code>

==== Preparation Tomcat ====

=== Endorse Xerces and Xalan ===

https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare

<code>
[root@shibidp1 /var/lib/tomcat5/common/endorsed]
$ ls -l
total 0
lrwxrwxrwx 1 root root 36 mar 20 15:28 [jaxp_parser_impl].jar -> /usr/share/java/jaxp_parser_impl.jar
lrwxrwxrwx 1 root root 36 mar 20 15:28 [xml-commons-apis].jar -> /usr/share/java/xml-commons-apis.jar
$ mv \[jaxp_parser_impl\].jar \[jaxp_parser_impl\].jar.dist
$ mv \[xml-commons-apis\].jar \[xml-commons-apis\].jar.dist
 [root@shibidp1 /usr/local/shibboleth-identityprovider-2.1.0]
$ cp endorsed/*.jar /var/lib/tomcat5/common/endorsed/


[root@shibidp1 /usr/local/shibboleth-identityprovider-2.1.0/endorsed]
$ ls /var/lib/tomcat5/common/endorsed
[jaxp_parser_impl].jar       xerces-2.9.1-xercesImpl.jar
[jaxp_parser_impl].jar.dist  xerces-2.9.1-xml-apis.jar
resolver-2.9.1.jar           xercesImpl-2.9.1.jar
serializer-2.9.1.jar         xml-apis-2.9.1.jar
xalan-2.7.1.jar              [xml-commons-apis].jar
xalan-2.7.1-serializer.jar   [xml-commons-apis].jar.dist
</code>

=== Memory usage ===
 
<code>
[root@shibidp1 /etc/tomcat5]
$ grep JAVA_OPTS tomcat5.conf
JAVA_OPTS="$JAVA_OPTS -Dcatalina.ext.dirs=$CATALINA_HOME/shared/lib:$CATALINA_HOME/common/lib -Xmx512m -XX:MaxPermSize=256m"
</code>

=== hostname server.xml ===

remplacement du defaut *localhost* pa le hostname .

<code>
[root@shibidp1 /etc/tomcat5]
$ grep shibipd1.int-evry.fr server.xml
    <Engine name="Catalina" defaultHost="shibipd1.int-evry.fr">
      <Host name="shibipd1.int-evry.fr" appBase="webapps"
</code>

mais probleme, car du coup les webapps déclarées dans */etc/tomcat5/Catalina/localhost/* ne sont plus lancée, ont l'idp !. bref retour a localhost finalement ...

=== Connecteur ===

<code>
[root@shibidp1 /etc/tomcat5]
$ vim server.xml

<!-- https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare
Shibboleth IdPs and SP may communicate directly (Attribute Query, Artifact Resolution, and Logout)
-->

<Connector port="8443" 
           maxHttpHeaderSize="8192"
           maxSpareThreads="75"
           scheme="https"
           secure="true"
           clientAuth="want"
           sslProtocol="TLS" 
           keystoreFile="/usr/local/idp/credentials/idp.jks"
           keystorePass="changeit"
           truststoreFile="/usr/local/idp/credentials/idp.jks"
           truststorePass="changeit"
           truststoreAlgorithm="DelegateToApplication"/>
</code>

=== Context Deployment Fragment ===

Il s'agit d'un petit code xml qui indique a tomcat où se trouvre le WAR et fournis des proprietés de chargement de l'application par tomcat. cela evite l'auto-deployement par tomcat qui parfois pose pb avec le cache tomcat .Cette arborescence /opt/shibboleth-idp/war/ sera créée dans le chapitre suivant, lors de l'installation de shibboleth IDP ...

<code>[root@shibidp1 /etc/tomcat5/Catalina/localhost]
$ cat idp.xml 
<Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false" /></code>avant ...<br /><verbatim>
[root@shibidp1 /etc/tomcat5/Catalina/localhost]
$ cat idp.xml 
<Context docBase="/usr/local/idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false" />
</code>

==== Connecteur AJP apache - tomcat ====

Afin de ne pas trainer les URL vers tomcat avec les :8080 ou :8433 , on met en place le proxy-ajp d'apache qui redirigera les requetes en */idp* vers les context */idp* dans tomcat

<code>
$ grep Proxy /etc/httpd/conf.d/proxy_ajp.conf 
ProxyPass /idp/ ajp://localhost:8009/idp/
ProxyPass /examples/ ajp://localhost:8009/jsp-examples/
</code>

==== Installation ====

Lancement du *install.sh* , le JAVA_HOME etant definit au préalable !.

<code>[root@shibidp1 /usr/local/shibboleth-identityprovider-2.1.0]
$ chmod +x install.sh 


[root@shibidp1 /usr/local/shibboleth-identityprovider-2.1.0]
$ ./install.sh 
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
shibidp1.it-sudparis.eu
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
secret
Updating property file: /usr/local/shibboleth-identityprovider-2.1.0/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore. 
Copying 5 files to /opt/shibboleth-idp/bin
Copying 9 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 45 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /usr/local/shibboleth-identityprovider-2.1.0/src/installer
Building war: /usr/local/shibboleth-identityprovider-2.1.0/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /usr/local/shibboleth-identityprovider-2.1.0/src/installer/web.xml
Deleting: /usr/local/shibboleth-identityprovider-2.1.0/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 23 seconds</code>

Les choix réalisé sont concerver dans
<pre>[root@shibidp1 /usr/local/shibboleth-identityprovider-2.1.0]</pre><code>
$ cat /usr/local/shibboleth-identityprovider-2.1.0/src/installer/resources/install.properties 
#Thu Dec 04 09:21:59 CET 2008
idp.home=/opt/shibboleth-idp
idp.hostname=shibidp1.it-sudparis.eu</code>L'installation a créé l'arborescence de l'IdP Shibboleth sous le répertoire /opt/shibboleth-idp/. Cette arborescence doit être accessible pour l'utilisateur qui exécute le serveur Tomcat, dans notre cas l'utilisateur tomcat<br /><verbatim> $ chown -R tomcat /opt/shibboleth-idp/</verbatim>

==== Lancement ====

lors du premier lancement de tomcat une fois l'IDP deployé les log tomcat indiques:

<code>
[root@shibidp1 /]
$ /etc/init.d/tomcat5 start

$ tail -f /var/log/tomcat5/catalina.out

 Using CATALINA_BASE:   /usr/share/tomcat5
Using CATALINA_HOME:   /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME:       
Dec 4, 2008 9:44:25 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Dec 4, 2008 9:44:25 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Dec 4, 2008 9:44:25 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
</code>


=== Log shibboleth ===

Pendant la pahese d'installation et parametrage il est oportunt de mettre en mode DEBUG l'IDP :

<code>
$ vim /opt/shibboleth-idp/conf/logging.xml

<logger name="edu.internet2.middleware.shibboleth">
        <level value="DEBUG" />
    </logger>
</code>

Lecture par

<code>
$ tail -f /opt/shibboleth-idp/logs/idp-process.log 
</code>


===== Parametrage de l'IDP =====

Les fhichiers de configuration XML se trouvent dans */opt/shibboleth-idp/conf/*

==== relying-party.xml ====

Le fichier de configuration principal (avant (1.3) s'etait idp.xml qui a été eclaté en relying-party.xml, handler.xml ...) 

<code>
[root@shibidp1 /opt/shibboleth-idp/conf]
$ diff -ur relying-party.xml relying-party.xml.orig 
--- relying-party.xml	2008-12-04 10:15:33.000000000 +0100
+++ relying-party.xml.orig	2008-12-04 10:13:32.000000000 +0100
@@ -38,7 +38,7 @@
             read the documentation).
         -->
         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" 
-                              includeAttributeStatement="true"
+                              includeAttributeStatement="false"
                               assertionLifetime="300000"
                               signResponses="conditional"
                               signAssertions="never" />
@@ -219,4 +219,4 @@
         <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
     </security:SecurityPolicy>
     
-</RelyingPartyGroup>
+</RelyingPartyGroup>
</code>


==== Metadata pour Féderation Cru-Test ====

Téléchargez le certificat utilisé pour signer les méta-données du CRU :

<code>
[root@shibidp1 /opt/shibboleth-idp/credentials]
$ wget -O /opt/shibboleth-idp/credentials/federation.cru.fr.crt https://federation.cru.fr/cru/deploiement/federation.cru.fr.crt
--10:51:09--  https://federation.cru.fr/cru/deploiement/federation.cru.fr.crt
</code>

Configuration de  Cru-test comme provider de metadata toujours dans  *relying-party.xml*

<code>
...
<!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->

        <MetadataProvider id="MDCRUTEST" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" 
                          metadataURL="http://federation.cru.fr/test/deploiement/cru-test-metadata.xml
"
                          backingFile="/opt/shibboleth-idp/metadata/cru-test-metadata.xml
">
            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" 
                                maxValidityInterval="604800" />
                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                trustEngineRef="shibboleth.MetadataTrustEngine"
                                requireSignedMetadata="true" />
                    <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
            </MetadataFilter>
        </MetadataProvider>
...

  <!-- ========================================== -->
    <!--     Security Configurations                -->
    <!-- ========================================== -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
        <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
    </security:Credential>

    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="CruTestCredentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/federation.cru.fr.crt
</security:Certificate>
        </security:Credential>
    </security:TrustEngine>

    <!-- DO NOT EDIT BELOW THIS POINT -->

</code>

Test d'acces aux metadata de notre propre IDP:

http://shibidp1.it-sudparis.eu/idp/profile/Metadata/SAML

Test de fonctionnement (status) de l'IDP

http://shibidp1.it-sudparis.eu/idp/profile/Status

==== Metada fédération Renater ====

https://federation.renater.fr/technique/configurations

<code>
[root@shibidp1 /opt/shibboleth-idp/credentials]
$ wget https://services-federation.renater.fr/metadata/metadata-federation-renater.crt
</code>

<code>
[root@shibidp1 /opt/shibboleth-idp/conf]
$ vim relying-party.xml
...
<MetadataProvider id="renaterMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="https://services-federation.renater.fr/metadata/renater-metadata.xml"
                          backingFile="/opt/shibboleth-idp/metadata/renater-metadata.xml">
            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
                                maxValidityInterval="0" />
                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                trustEngineRef="shibboleth.MetadataTrustEngine"
                                requireSignedMetadata="true" />
                    <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
            </MetadataFilter>
        </MetadataProvider>
...

<!--     Security Configurations                -->
    <!-- ========================================== -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
        <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
    </security:Credential>

 <!-- Trust engine used to evaluate the signature on loaded metadata. -->
    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">


    <!-- Confiance certificat metaData REnater -->
        <security:Credential id="renaterCredentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/metadata-federation-renater.crt</security:Certificate>
        </security:Credential>


    <!-- Confiance certificat metaData CruTest -->
        <security:Credential id="CruTestCredentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/federation.cru.fr.crt
</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
...
</code>

=== Metadata JASIG ===

Exemple precedent depuis la doc jasig ... pour l'histoire ...

https://spaces.internet2.edu/display/SHIB2/FlowsAndConfig The IdP's relying-party.xml configuration file specifies most settings used in communicating with SP's. The metadata part of the configuration points to URL's or files containing trust and location information describing partners.

uncomment ligne 100 de *relying-party.xml* afin de declarer une ressource de *metadata* .

<code>
[root@shibidp1 /usr/local/idp/conf]
$ vim relying-party.xml

<MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataFile="/usr/local/idp/metadata/IT-metadata.xml" maintainExpiredMetadata="true">
             <!-- <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" /> -->
        </MetadataProvider>
</code>

* metadata/IT-metadata.xml* à partir de l'exemple de declaration d'un IDP: https://spaces.internet2.edu/display/SHIB2/MetadataExample


==== Enregistrement fédération test Renater ====

https://federation.renater.fr/test/enregistrement
https://services-federation.renater.fr/gestion

===== Authentification Utilisateur via CAS =====

==== Installation du client CAS ====

=== Maven ===

L'utilitaire de "construction" preconisé est maintenant maven, il faut donc l'installer .

<code>
[root@shibidp1 /usr/local/src]
$ wget http://apache.crihan.fr/dist/maven/binaries/apache-maven-2.0.9-bin.tar.gz
[root@shibidp1 /usr/local]
$ tar xvfz ./src/apache-maven-2.0.9-bin.tar.gz 
apache-maven-2.0.9/conf/
apache-maven-2.0.9/LICENSE.txt
apache-maven-2.0.9/NOTICE.txt
apache-maven-2.0.9/README.txt
apache-maven-2.0.9/bin/m2.bat
apache-maven-2.0.9/bin/m2.conf
apache-maven-2.0.9/bin/mvn.bat
apache-maven-2.0.9/bin/mvnDebug.bat
apache-maven-2.0.9/bin/m2
apache-maven-2.0.9/bin/mvn
apache-maven-2.0.9/bin/mvnDebug
apache-maven-2.0.9/conf/settings.xml
apache-maven-2.0.9/lib/maven-2.0.9-uber.jar
apache-maven-2.0.9/boot/classworlds-1.1.jar

[root@shibidp1 /usr/local]
$ ln -s /usr/local/apache-maven-2.0.9 maven
</code>

Nous allons définir les chemins d'accès à Maven en créant un fichier */etc/profile.d/maven.sh* :

<code>
$ cat /etc/profile.d/maven.sh
M2_HOME=/usr/local/maven
export M2_HOME
M2=$M2_HOME/bin 
PATH=$M2:$PATH
export PATH 

[root@shibidp1 /usr/local]
$ source /etc/profile.d/maven.sh
</code>


=== Client CAS ===

Nous pouvons maintenant télécharger les sources du client CAS et le compiler:

<code>
[root@shibidp1 /usr/local/src]
$ wget -O cas-client-3.1.3-release.tar.gz http://www.ja-sig.org/downloads/cas-clients/cas-client-3.1.3-release.tar.gz
[root@shibidp1 /usr/local/src]
$ tar xvzf  cas-client-3.1.3-release.tar.gz
cas-client-3.1.3/cas-client-core/src/
...
$ cd cas-client-3.1.3/cas-client-core/

[root@shibidp1 /usr/local/src/cas-client-3.1.3/cas-client-core]
$ mvn package
[INFO] Scanning for projects... 
...
[ERROR] BUILD ERROR
[INFO] ------------------------------------------------------------------------
[INFO] Failed to resolve artifact.

Missing:
----------
1) org.opensaml:opensaml:jar:1.1b
...
</code>

La version 1.1b ne semble pas presente (erreur 404 !) , donc on peux modifier avec la prise en compte de la  version 1.1 ...

<code>
[root@shibidp1 /usr/local/src/cas-client-3.1.3/cas-client-core]
$ diff pom.xml pom.xml.orig 
70c70
< 			<version>1.1</version>
---
> 			<version>1.1b</version>
</code>

Dans le doute, ajout aussi des librairies opensaml ...

<code>
[root@shibidp1 /usr/local]
$ yum install opensaml opensaml-devel
...
Installed: opensaml.i386 0:1.1-6 opensaml-devel.i386 0:1.1-6
Dependency Installed: curl.i386 0:7.15.5-2.el5 log4cpp.i386 0:0.3.5rc1-1 xerces-c.i386 0:2.7.0-7.el5 xml-security-c.i386 0:1.3.1-1
Complete!
</code>

Au final cela marche

<code>
[INFO] [jar:jar]
[INFO] Building jar: /usr/local/src/cas-client-3.1.3/cas-client-core/target/cas-client-core-3.1.3.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
</code>


Ou bien on recupere a part la version 1.1b :

<code>
$ wget http://developer.ja-sig.org/maven2/org/opensaml/opensaml/1.1b/opensaml-1.1b.jar -O /usr/local/src/opensaml-1.1b.jar

[INFO] [install:install-file]
[INFO] Installing /usr/local/src/opensaml-1.1b.jar to /root/.m2/repository/org/opensaml/opensaml/1.1b/opensaml-1.1b.jar
mais echec ...
</code>

Une fois que le JAR du client a été généré, il faut le recopier parmi les autres librairies utilisées par l'IdP, dans les sources ; nous allons ensuite redéployer l'application :

<code>
$ cp target/cas-client-core-3.1.3.jar /usr/local/shibboleth-identityprovider-2.1.0/lib/

[root@shibidp1 /usr/local/src/cas-client-3.1.3/cas-client-core]
$ ls /usr/local/shibboleth-identityprovider-2.1.0/lib/
activation-1.1.jar             janino-2.5.10.jar           mail-1.4.1.jar                         spring-context-2.5.5.jar
bcprov-ext-jdk15-1.40.jar      jargs-1.0.jar               not-yet-commons-ssl-0.3.9.jar          spring-context-support-2.5.5.jar
bcprov-jdk14-1.38.jar          jcl-over-slf4j-1.5.5.jar    opensaml-2.2.2.jar                     spring-core-2.5.5.jar
beanshell-engine-20080611.jar  jgrapht-jdk1.5-0.7.3.jar    openws-1.2.1.jar                       spring-web-2.5.5.jar
c3p0-0.9.1.2.jar               joda-time-1.5.2.jar         rhino-1.7R1.jar                        spring-webmvc-2.5.5.jar
cas-client-core-3.1.3.jar      jruby-engine-20080611.jar   scripting-api-1.0.jar                  ssh2-212.jar
commons-codec-1.3.jar          js-engine-20080611.jar      servlet-api-2.4.jar                    svnkit-1.1.7.jar
commons-collections-3.1.jar    jython-engine-20080611.jar  shibboleth-common-1.1.0.jar            velocity-1.5.jar
commons-httpclient-3.1.jar     ldap-2.8.2.jar              shibboleth-identityprovider-2.1.0.jar  xmlsec-1.4.2.jar
commons-lang-2.1.jar           log4j-over-slf4j-1.5.5.jar  shibboleth-jce-1.0.0.jar               xmltooling-1.1.1.jar
commons-pool-1.2.jar           logback-classic-0.9.11.jar  slf4j-api-1.5.5.jar
groovy-engine-20080611.jar     logback-core-0.9.11.jar     spring-beans-2.5.5.jar

</code>

=== Filtre CAS ===

ajouter l'appel au filtre CAS dans le web.xml des sources de l'IdP puis regénérer le fichier idp.war.

<code>
[root@shibidp1 ~]
$ vim /usr/local/shibboleth-identityprovider-2.1.0/src/main/webapp/WEB-INF/web.xml
</code>


ensuite redéployer l'application Shibboleth ; répondez no à la question Would you like to overwrite this Shibboleth sonfiguration?

<code>
$ cd /usr/local/shibboleth-identityprovider-2.1.0/
[root@shibidp1 /usr/local/shibboleth-identityprovider-2.1.0]
$ ./install.sh 
Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

The directory '/opt/shibboleth-idp' already exists.  Would you like to overwrite this Shibboleth configuration? (yes, [no])
no
Copying 46 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /usr/local/shibboleth-identityprovider-2.1.0/src/installer
Building war: /usr/local/shibboleth-identityprovider-2.1.0/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /usr/local/shibboleth-identityprovider-2.1.0/src/installer/web.xml
Deleting: /usr/local/shibboleth-identityprovider-2.1.0/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 14 seconds

</code>

=== erreur "Metadata's validity interval" ===

Il se peut qu'apres rechargement de l'idp par tomcat dans idp-porcess.log on ait cette erreur

<code>
12:23:54.064 - ERROR [org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:257] - Unable to filter metadata
org.opensaml.saml2.metadata.provider.FilterException: Metadata's validity interval, 33914165940ms, is larger than is allowed, 604800000ms.
</code>

alors il faut augmenter la tolerance du nombre de seconde/ms acceptable dans relying-party.xml

<MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
maxValidityInterval="604800000" /> => on a ajouter ici 3x0 

===== Distribution d'Attributs =====

=== Configuration de l'attribut resolver ===

Connecteur ldap

<code>
[root@shibidp1 /opt/shibboleth-idp/conf]
$ vim attribute-resolver.xml
<!-- Example LDAP Connector -->
    <resolver:DataConnector id="tmspLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldapserver.int-evry.fr" baseDN="ou=people,dc=int-evry,dc=fr" principal="cn=binder,ou=system,dc=int,dc=fr"
        principalCredential="secret">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>
</code>

Exemple de definition d'attribut (ici uid)

<code>
 <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

    <!-- Schema: Core schema attributes-->
    <resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="uid">
        <resolver:Dependency ref="tmspLDAP" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:uid" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </resolver:AttributeDefinition>
</code>


=== Filtrage des attributs transmis ===

Attribut que l'on souhaites distribuer aux Services Provider shibboleth.

<code>
[root@shibidp1 /opt/shibboleth-idp/conf]
$ vim attribute-filter.xml 

 <!--  Release the transient ID to anyone -->
    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY" />

        <AttributeRule attributeID="transientId">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>


        <AttributeRule attributeID="supannEtablissement">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>

...
 <!-- 
        Release attributes to our local service provider
    -->

 <AttributeFilterPolicy>
        <PolicyRequirementRule xsi:type="basic:OR">
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://intranet.it-sudparis.eu" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
...
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="departmentNumber">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>

</code>

=== Test de l'attribute resolver ===

Le script *aacli.sh* permet de tester l'interrogation et la restitution d'attributs:
Avec la fédération de test de Renater et l'ajout d'edupersonAffiliation ou departmenNumber par exemple

<code>
[root@shibidp1 /opt/shibboleth-idp]
$  ./bin/aacli.sh --requester=https://trombi.it-sudparis.eu --configDir=conf/ --principal=test

<?xml version="1.0" encoding="UTF-8"?><saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test.test@it-sudparis.eu</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="supannEtablissement" Name="urn:oid:1.3.6.1.4.1.7135.1.2.1.14" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">INT EVRY 0911781S</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="eduPersonPrimaryAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">affiliate</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">TEST</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">NONE@univ-nancy2.fr</saml:AttributeValue>
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">affiliate@univ-nancy2.fr</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">testeure</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="departmentNumber" Name="urn:oid:2.16.840.1.113730.3.1.2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">INTM</saml:AttributeValue>
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MAI</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test.test@it-sudparis.eu</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">compte de test s2ia</saml:AttributeValue>
   </saml:Attribute>
</saml:AttributeStatement>

</code>


=== Construction d'attributs ===

== Mapped ==

Si l'annuaire n'est pas encore compatible supann/eduperson , on peux creer des attribut compatibles (ici eduPersonAffiliation) sur la base d'attributs pre-existants (ici employeeType) .
Exemple

<code>
<!-- https://spaces.internet2.edu/display/SHIB2/ResolverMappedAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                             id="eduPersonAffiliation"
                             sourceAttributeID="employeeType">
   <resolver:Dependency ref="myLDAP" />
       <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
           name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
       <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
           name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
    <!-- default to the generic value 'affiliate' -->
    <DefaultValue>affiliate</DefaultValue>
    <!-- map internal values like 'student-worker' and 'undergraduate' to 'student' -->
    <ValueMap>
        <ReturnValue>employee</ReturnValue>
        <!--<SourceValue ignoreCase="true">CN=.*,ou=permanents,dc=people,dc=mysite,dc=fr</SourceValue> -->
        <SourceValue ignoreCase="true">permanent</SourceValue>
    </ValueMap>
       <!-- map your internal 'Institut' value to 'invite' -->
    <ValueMap>
        <ReturnValue>invite</ReturnValue>
        <SourceValue>Institut</SourceValue>
    </ValueMap>
       <!-- map your internal 'CDD' value to 'member' -->
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue>CDD</SourceValue>
    </ValueMap>
       <!-- map your internal 'Doctorant' value to 'member' -->
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue>Doctorant</SourceValue>
    </ValueMap>
</resolver:AttributeDefinition> 
</code>


== Expression reguliere ==

construction d'un attribut sur la base d'une dn de branche ldap => split REgex :

<code>
<!-- https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="RegexSplit" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="employeeType"
                              sourceAttributeID="distinguishedName"
                              regex=".*,OU=([^,]*),DC=people,DC=mysite,DC=fr">
        <resolver:Dependency ref="tl1AD" />
     <!-- Remaining configuration from the next step goes here -->
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:employeeType" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
</resolver:AttributeDefinition>
</code>

===== Test de l'IDP =====

==== Enregistrement aupres d'une fédération ====

il faut un Service Provider pour tester notre fournisseur d'identité (IDP), pour faire simple dans un premier temps, nous allons utiliser un fournisseur de service Test  du CRU, mais il faut au préalable enregisterer notre nouvel IDP dans la federation de Test du CRU :

https://federation.cru.fr/test/gestion/enregistrement//idp

Ce formulaire requiert une authentification préalable. Vous pouvez vous authentifier avec un compte CRU ; si vous n'en avez pas, vous serez invité à vous en créer un lors de la procédure d'authentification

<code>
Nom de l'organisme : Test Telecom et Management SudParis
providerId : https://shibidp1.it-sudparis.eu/idp/shibboleth
serveur : shibidp1.it-sudparis.eu
domaine : it-sudparis.eu
URL du service SSO : https://shibidp1.it-sudparis.eu/idp/profile/Shibboleth/SSO
URL du service AA : https://shibidp1.it-sudparis.eu/idp/AA
Certificat X.509 : [contenu du fichier /opt/shibboleth-idp/credentials/idp.crt]

  </code>


==== Login sur un SP de test ====

https://federation.cru.fr/sp-test

On selection sur le Wayf du CRU notre IDP fraichement enregistré ci-dessus "Test Telecom et Management SudParis" (TMSP)
On est alors renvoyé sur le serveur CAS de TMSP .
On obtient alors un acces authentifié ainsi qu'un "push" d'attributs , ceux declaré dans l'attreibute filter !

=== Résultat dans le navigateur ===
 
<code>
-shib-
HTTP_REMOTE_USER  
HTTP_SHIB_APPLICATION_ID default 
HTTP_SHIB_ATTRIBUTES PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaX....c2U+ 
HTTP_SHIB_AUTHENTICATION_INSTANT 2008-12-04T16:19:27.886Z 
HTTP_SHIB_AUTHENTICATION_METHOD urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified 
...
HTTP_SHIB_EP_UNSCOPEDAFFILIATION  
HTTP_SHIB_IDENTITY_PROVIDER https://shibidp1.it-sudparis.eu/idp/shibboleth 
HTTP_SHIB_INETORGPERSON_DISPLAYNAME  
...
HTTP_SHIB_INETORGPERSON_TITLE  
HTTP_SHIB_INETORGPERSON_UID test 
HTTP_SHIB_ORIGIN_SITE https://shibidp1.it-sudparis.eu/idp/shibboleth 
HTTP_SHIB_PERSISTENTID 
 

-env-

DOCUMENT_ROOT="/var/www/federation.cru.fr"
GATEWAY_INTERFACE="CGI/1.1"
HTTPS="on"
HTTP_ACCEPT="image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="fr"
HTTP_CACHE_CONTROL="no-cache"
HTTP_CONNECTION="Keep-Alive"
...
HTTP_HOST="federation.cru.fr"
HTTP_REFERER="https://shibidp1.it-sudparis.eu/idp/Authn/RemoteUser?ticket=ST-62022-aOxDU5FqLQRqziaW6gIY"
HTTP_REMOTE_USER=""
HTTP_SHIB_APPLICATION_ID="default"
HTTP_SHIB_ATTRIBUTES="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIElzc3VlSW5zdGFudD0iMjAwOC0xMi0wNFQxNjoxOToyNy45NDBaIiBNYWpvclZlcnNpb249IjEiIE1pbm9yVmVyc2lvbj0iMSIgUmVjaXBpZW50PSJodHRwczovL2ZlZGVyYXRpb24uY3J1LmZyL3NwLXRlc3QvU2hpYmJvbGV0aC5zc28vU0FNTC9QT1NUIiBSZXNwb25zZUlEPSJfMDA4YjAyZmIzNDk3OTZjMWZlMmE5NmZmMzg0ZTkxMTEiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphc3NlcnRpb24iIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgo8ZHM6UmVmZXJlbmNlIFVSST0iI18wMDhiMDJmYjM0OTc5NmMxZmUyYTk2ZmYzODRlOTExMSI+CjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0iZHMgc2FtbCBzYW1scCB4cyIvPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM+CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPgo8ZHM6RGlnZXN0VmFsdWU+QWhvaVRySDBHR3NTTlJxZElvMzhMaTd1b0g4PTwvZHM6RGlnZXN0VmFsdWU+CjwvZHM6UmVmZXJlbmNlPgo8L2RzOlNpZ25lZEluZm8+CjxkczpTaWduYXR1cmVWYWx1ZT4KUXN2Q3FnOXlDTzdIVWdrR0ZidlZub2cxZFpMSng1c25hdzlQR0o1czNaQ0ZFVWhHVkJ5QWcycFBPUkZ3M0lOM0huQy9JYWVnNnZYcgpEVy94aHhadUlwZ3RMV2lST1p6YVpiNDlXQjVOT1NmYkc4V0pYd05CVnB6ckVPNUZtNDEwR0t3R1pTYUtxa3V4VlBPeXpjYlE2MUMxCnVYaGdpOEJwSGlUb0xGRmdkTmZ5U0MvR3U2ZVFSck1sVFhlSFd6L1JoZWdwK0ZyaFFMWmZkQ05seGd6ckVndzNpRmVvQ2hlR1JFUFkKbzVQWmtEQjJ0OWI1WDdaekJoZmFZdG9jRWpITUR1dTlJUG5JYjZsNGhkM2lsOE1BMDZrYlNsVGdKUUVpd01YTjg5S0ExWDQ1SXRIUQp4TUY1MTBJUTRvbkUxbTk2cDVYb1V1UmhEN0FXS2xrLzMzSzZCdz09CjwvZHM6U2lnbmF0dXJlVmFsdWU+CjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURTRENDQWpDZ0F3SUJBZ0lWQUp2Mmw2MXNLZjFWZ3pnSFBnR1JkbXZJZEJlR01BMEdDU3FHU0liM0RRRUJCUVVBTUNJeElEQWUKQmdOVkJBTVRGM05vYVdKcFpIQXhMbWwwTFhOMVpIQmhjbWx6TG1WMU1CNFhEVEE0TVRJd05EQTRNakl3TkZvWERUSTRNVEl3TkRBNApNakl3TkZvd0lqRWdNQjRHQTFVRUF4TVhjMmhwWW1sa2NERXVhWFF0YzNWa2NHRnlhWE11WlhVd2dnRWlNQTBHQ1NxR1NJYjNEUUVCCkFRVUFBNElCRHdBd2dnRUtBb0lCQVFESTZSSDYvaTFwNEZ3bnArU3hJTkRURkVTU0FCeWMzL2E3Z0w0dUlqdWZSS2FyYUpJSXVVZlEKLzhQUXVkNm1UbkttVFNZMSsxNzRFOXI3OElBVGhLVGJkWDBZODZKeGNBbFBYa2FQRmozRzJhTVpFeTdZa2p4SGc3YkVxS21ydEVtRQppNWxzNjlOUVhKYWUxL3YzUmVCZk5tc21iNGxwZkxxbnNwSHpOMGtNMng5aWV1Q1VUdXc2VW13YzY1WmE5R0s5SjBuLzhHMzcwdlZuCjlNVVdjT2J4NHFlcW1lS3ZYSzYxS3BBUVE1VlBTcm9iQjBOYWZGSHEyT0hiNEVxNk5KbWpiM3hIUTBqTnJnYTI4WU5EeEtTakxGOGgKVW9sVHI0YmRCcm9xRktxcVJLMkRPdWtYc2drWWd5Nm1Ud3hNYkhsYnpUWC9VUk03SzY1NWtGSWNvamNwQWdNQkFBR2pkVEJ6TUZJRwpBMVVkRVFSTE1FbUNGM05vYVdKcFpIQXhMbWwwTFhOMVpIQmhjbWx6TG1WMWhpNW9kSFJ3Y3pvdkwzTm9hV0pwWkhBeExtbDBMWE4xClpIQmhjbWx6TG1WMUwybGtjQzl6YUdsaVltOXNaWFJvTUIwR0ExVWREZ1FXQkJTNkVJRWxPeEN4NTZtaTY5N3dVaXBWdEVIQ3NqQU4KQmdrcWhraUc5dzBCQVFVRkFBT0NBUUVBeFNIS2xoZlozY0h1ZCs3S0pIbDBzZUFkUXB3T0MxMWpMejllT3NJempQU1ZuUEpRVzhyVQpBVUEya1dLaU1ybVFTNnQ2bkVwUEtueDVCY3lTWE1MaTV3dXZjUTQwSVdVblB0ZWJBTG1oMjZLU2hlaUU3cm1GeHE0YktaaEcrWm9PCnFZcGhsRGhxUG9ETFZwTW55NWpnZVB5cTVndkxGTzAzYTdlM0RzTGVIMVNoZjZzazE3KzF0aXhHNDFQVnh3NUxmbDhPRHZCRjJ3bVkKL2pvc1ZhWmZKM0NiSm9RaEJ5VURBR0gvQ2YzMjdDY2VmbG9QUG9MZEN5dC9ETzFhR2ZsVWRpUUEvREY5NitYbGJHRVFMN2VkSHRFcwpFTEt6NjZaOFdLNmZhc0hxTklubFRlK1NTQTM1NCtzUGV6bHpTeUltVmJZYUhINm5hTFF1RlY3Y21VTlBPUT09PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0ic2FtbHA6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiBBc3NlcnRpb25JRD0iXzUyYWMwZTliZTY0OGE0YzNkNDgyZjQ2MjQyODIzMDY5IiBJc3N1ZUluc3RhbnQ9IjIwMDgtMTItMDRUMTY6MTk6MjcuOTQwWiIgSXNzdWVyPSJodHRwczovL3NoaWJpZHAxLml0LXN1ZHBhcmlzLmV1L2lkcC9zaGliYm9sZXRoIiBNYWpvclZlcnNpb249IjEiIE1pbm9yVmVyc2lvbj0iMSIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiI+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMDgtMTItMDRUMTY6MTk6MjcuOTQwWiIgTm90T25PckFmdGVyPSIyMDA4LTEyLTA0VDE2OjI0OjI3Ljk0MFoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb25Db25kaXRpb24+PHNhbWw6QXVkaWVuY2U+aHR0cHM6Ly9mZWRlcmF0aW9uLmNydS5mci9zcC10ZXN0PC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uQ29uZGl0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhlbnRpY2F0aW9uU3RhdGVtZW50IEF1dGhlbnRpY2F0aW9uSW5zdGFudD0iMjAwOC0xMi0wNFQxNjoxOToyNy44ODZaIiBBdXRoZW50aWNhdGlvbk1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQiPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlkZW50aWZpZXIgRm9ybWF0PSJ1cm46bWFjZTpzaGliYm9sZXRoOjEuMDpuYW1lSWRlbnRpZmllciI+XzQ1ZWQ5ZGUwNzA0MjdmMTYyODU3M2ZiNDQ1ZDQyZmM0PC9zYW1sOk5hbWVJZGVudGlmaWVyPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24+PHNhbWw6Q29uZmlybWF0aW9uTWV0aG9kPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpjbTpiZWFyZXI8L3NhbWw6Q29uZmlybWF0aW9uTWV0aG9kPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOlN1YmplY3RMb2NhbGl0eSBJUEFkZHJlc3M9IjE1Ny4xNTkuNTAuMTk3Ii8+PC9zYW1sOkF1dGhlbnRpY2F0aW9uU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJZGVudGlmaWVyIEZvcm1hdD0idXJuOm1hY2U6c2hpYmJvbGV0aDoxLjA6bmFtZUlkZW50aWZpZXIiPl80NWVkOWRlMDcwNDI3ZjE2Mjg1NzNmYjQ0NWQ0MmZjNDwvc2FtbDpOYW1lSWRlbnRpZmllcj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjxzYW1sOkNvbmZpcm1hdGlvbk1ldGhvZD51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6Y206YmVhcmVyPC9zYW1sOkNvbmZpcm1hdGlvbk1ldGhvZD48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpBdHRyaWJ1dGUgQXR0cmlidXRlTmFtZT0idXJuOm1hY2U6ZGlyOmF0dHJpYnV0ZS1kZWY6dWlkIiBBdHRyaWJ1dGVOYW1lc3BhY2U9InVybjptYWNlOnNoaWJib2xldGg6MS4wOmF0dHJpYnV0ZU5hbWVzcGFjZTp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBBdHRyaWJ1dGVOYW1lPSJ1cm46bWFjZTpkaXI6YXR0cmlidXRlLWRlZjptYWlsIiBBdHRyaWJ1dGVOYW1lc3BhY2U9InVybjptYWNlOnNoaWJib2xldGg6MS4wOmF0dHJpYnV0ZU5hbWVzcGFjZTp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dGVzdC50ZXN0QGl0LXN1ZHBhcmlzLmV1PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+"
HTTP_SHIB_AUTHENTICATION_INSTANT="2008-12-04T16:19:27.886Z"
HTTP_SHIB_AUTHENTICATION_METHOD="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
...
HTTP_SHIB_IDENTITY_PROVIDER="https://shibidp1.it-sudparis.eu/idp/shibboleth"
...
HTTP_SHIB_INETORGPERSON_MAIL="test.testATit-sudparis.eu"
...
HTTP_SHIB_INETORGPERSON_UID="test"
...
HTTP_SHIB_NAMEIDENTIFIER_FORMAT="urn:mace:shibboleth:1.0:nameIdentifier"
HTTP_SHIB_ORIGIN_SITE="https://shibidp1.it-sudparis.eu/idp/shibboleth"
HTTP_SHIB_PERSISTENTID=""
HTTP_SHIB_PERSON_COMMONNAME=""
...
QUERY_STRING=""
REMOTE_ADDR="157.159.10.14"
REMOTE_HOST="proxy.int-evry.fr"
REMOTE_PORT="42422"
REQUEST_METHOD="GET"
REQUEST_URI="/sp-test"
SCRIPT_FILENAME="/usr/local/shibboleth/tools/sptest.cgi"
SCRIPT_NAME="/sp-test"
SERVER_ADDR="195.220.94.183"
SERVER_ADMIN="webmaster@cru.fr"
SERVER_NAME="federation.cru.fr"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="Apache/2.2.3 (Red Hat) Server at federation.cru.fr Port 443\n"
SERVER_SOFTWARE="Apache/2.2.3 (Red Hat)"

</code>

=== Log IDP ===

<code>
17:18:10.095 - INFO [Shibboleth-Access:72] - 20081204T161810Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/Shibboleth/SSO|
...
17:18:10.098 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:325] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
17:18:10.098 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:75] - Redirecting to https://shibidp1.it-sudparis.eu:443/idp/Authn/RemoteUser
...
...
17:19:27.884 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:48] - Remote user identified as test returning control back to authentication engine
...
17:19:27.889 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:487] - Resolving attributes for principal test of SAML request from relying party https://federation.cru.fr/sp-test
...
17:19:27.890 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:334] - Resolving data connector tmspLDAP for principal test
17:19:27.891 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:764] - Search filter: (uid=test)

Log ldap
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 fd=28 ACCEPT from IP=157.159.10.217:59641 (IP=0.0.0.0:389)
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=0 BIND dn="cn=binder,ou=system,dc=int,dc=fr" method=128
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=0 BIND dn="cn=binder,ou=System,dc=int,dc=fr" mech=SIMPLE ssf=0
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=0 RESULT tag=97 err=0 text=
Dec  4 17:19:27 ldapsync4 slapd[2271]: conn=104704 op=1 SRCH base="ou=people,dc=int,dc=fr" scope=2 deref=3 filter="(uid=test)"
...
17:19:27.899 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:881] - Found the following attribute: uid=[test]
17:19:27.899 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:881] - Found the following attribute: eduPersonAffiliation=[student]
...
17:19:27.920 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:316] - Resolved attribute uid containing 1 values
17:19:27.920 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:294] - Resolving attribute eduPersonAffiliation for principal test
...
17:19:27.932 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:138] - shibboleth.AttributeResolver resolved, for principal test, the attributes: [uid, eduPersonPrincipalName, eduPersonAffiliation, eduPersonPrimaryAffiliation, eduPersonScopedAffiliation, surname, givenName, eduPersonNickname, title, eduPersonOrgDN, postalCode, organizationalUnit, employeeType, commonName, transientId, eduPersonPrimaryOrgUnitDN, eduPersonOrgUnitDN, departmentNumber, email, jpegPhoto, postalAddress]
...
17:19:27.933 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:122] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal test
17:19:27.933 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:131] - Filter policy releaseTransientIdToAnyone is active for principal test
17:19:27.933 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:156] - Processing permit value rule for attribute transientId for principal test
...
17:19:27.935 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:101] - Removing attribute from return set, no more values: eduPersonNickname
17:19:27.935 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:101] - Removing attribute from return set, no more values: title
...
17:19:27.937 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Filtered attributes for principal test.  The following attributes remain: [uid, transientId, email]
17:19:27.938 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:78] - Selecting endpoint from metadata corresponding to provided ACS URL: https://federation.cru.fr/sp-test/Shibboleth.sso/SAML/POST
17:19:27.938 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:82] - Relying party role contains 1 endpoints
</code>

==== Configuration du RemoteUser ====

Il faut utiliser le "handler" RemoteUser : cf https://mail.internet2.edu/wws/arc/shibboleth-users/2008-03/msg00500.html

<code>
Chad La Joie wrote:

    You shouldn't ever set the defaultAuthentication to PreviousSession, that won't ever work and I'll add a note about that to the document.

    If you are using CAS as an additional SSO service you need to use the RemoteUser authentication mechanism. The path you need to protect is <context_path>/Authn/RemoteUser.
</code>

handler.xml
<code>
 <!-- Login Handlers -->
    <LoginHandler xsi:type="RemoteUser">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
    </LoginHandler>
</code>

relying-party.xml
<code>
<DefaultRelyingParty provider="https://shibidp1.it-sudparis.eu/idp/shibboleth"
                        defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
                         defaultSigningCredentialRef="IdPCredential">
</code>



==== Filtre d'acces /Authn/RemoteUser CAS ====

on filtre dans le *web.xml* l'acces au context * /Authn/RemoteUser* vers notre CAS local

<code>
/usr/share/tomcat5/webapps/idp/WEB-INF/web.xml

   <display-name>Shibboleth 2.0.0 Identity Provider</display-name>

<filter>
  <filter-name>CAS Validate Filter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://cas.it-sudparis.eu/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://cas.it-sudparis.eu/cas/serviceValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
    <param-value>shibidp1.it-sudparis.eu</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<!-- l'acces a l'URL /SSO est filtré par la servlet nommée "CAS Validate Filter" (definie plus haut ...) qui renvoie vers CAS -->
<filter-mapping>
  <filter-name>CAS Validate Filter</filter-name>
  <url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
</code>

Il faut evidement que l'idp dispose de la librairie *casclient.jar* pour que cela marche !

<code>
[root@shibidp1 /usr/share/tomcat5/webapps/idp/WEB-INF]
$ ls lib/casclient.jar
lib/casclient.jar
</code>

===== Certification =====

Au premier abord on tombe sur des besoins de confiances (transfert securisés) entre SP et IDP . Sans aucune prise en compte des certificats/keystore, l'IDP genere alors ce type d'erreur dans ces log *idp-process.log* justement a propos de chaine de certification:

<code>
13:46:23.897 INFO [Shibboleth-Access:72] - 20080328T124623Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/SAML2/Redirect/SSO|
13:46:24.015 ERROR [edu.yale.its.tp.cas.client.CASReceipt:55] - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://cas.it-sudparis.eu/cas/serviceValidate] ticket=[ST-1000-SyFXxMK1TGTvYOss2vmv] service=[https%3A%2F%2Fshibidp1.it-sudparis.eu%2Fidp%2FAuthn%2FRemoteUser] renew=false]]]
13:46:24.015 ERROR [edu.yale.its.tp.cas.client.filter.CASFilter:380] - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://cas.it-sudparis.eu/cas/serviceValidate] ticket=[ST-1000-SyFXxMK1TGTvYOss2vmv] service=[https%3A%2F%2Fshibidp1.it-sudparis.eu%2Fidp%2FAuthn%2FRemoteUser] renew=false]]]
13:46:24.016 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp].[RemoteUserAuthHandler]:250] - Servlet.service() for servlet RemoteUserAuthHandler threw exception
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
</code>

==== Chaine de certification ====

On procede alors a la création d'un keystore qui comprend le certificat et la clé de notre serveur, ainsi que le chaine de certification (ici au format openssl pkcs12 afin de s'affranchir des commandes esoteriques JDK ...avis perso ;-) ) .

<code>
[root@shibidp1 /usr/local/idp/credentials]
$ openssl pkcs12 -export -in shibidp1-tmsp.pem -inkey shibidp1-tmsp.key -out shibidp1_tmsp_v2_0_openssl.p12 -name tomcat -CAfile ca-chain-institut-telecom.crt -caname root -chain
Enter Export Password:
Verifying - Enter Export Password:
</code>

==== tomcat sur 8443 ====

Il faut alors indiquer au serveur d'application tomcat via *server.xml* de repondre au demandes d'attribut sur une port sécurisé (8443) qui justement utilisera ce keystore.

<code>
<!-- https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare
Shibboleth IdPs and SP may communicate directly (Attribute Query, Artifact Resolution, and Logout)
-->

<Connector port="8443" 
           maxHttpHeaderSize="8192"
           maxSpareThreads="75"
           scheme="https"
           secure="true"
           clientAuth="want"
           sslProtocol="TLS" 
           keystoreFile="/usr/local/idp/credentials/shibidp1_tmsp_v2_0_openssl.p12"
           keystorePass="secret"
           keystoreType="pkcs12"
           truststoreAlgorithm="DelegateToApplication"/>
</code>

==== SunJVM truststore ====

enfin il faut que le JVM qui tourne tomcat ait confiance en notre autorité qui a signée notre serveur, ici tmsp_ca à signé shibidp1.it-sudparis.eu (shibidp1_tmsp.pem !), on ajoute donc cette autorité a celles bien connus deja presentes dans le *cacerts* livré avec la JVM sun:

<code>
[root@shibidp1 /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/security]
$ keytool -import -keystore cacerts -file /etc/pki/tls/certs/tmsp_ca.crt -alias TeMSudParis
</code>

Alors, les log d'acces via le SP de testshib (https://sp.testshib.org/ vers l'IDP https://shibidp1.it-sudparis.eu/idp/shibboleth) sont positifs:

<code>
13:58:09.904 INFO [Shibboleth-Access:72] - 20080328T125809Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/SAML2/Redirect/SSO|
13:58:17.523 INFO [Shibboleth-Access:72] - 20080328T125817Z|157.159.50.197|shibidp1.it-sudparis.eu:443|/profile/SAML2/Redirect/SSO|
13:58:17.767 INFO [Shibboleth-Audit:557] - 20080328T125817Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_64727b9822abbb6ccf19d28fa1e618fc|https://sp.testshib.org/shibboleth-sp|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://shibidp1.it-sudparis.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_010a91ef682d99661d6e41e046e50aaa|test|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified||
</code>

===== SSO shibboleth et AD ====

pour un site ne disposant au préalable d'un SSO (CAS souvent !) , shibboleth offre un service interne de SSO.
dans cet exemple nous montrons un IDP sur un site disposant d'un Active Directory comme base de compte .

Nous utiliserons alors le systeme SSO interne a shibboleth plutot que de s'appuyer sur une SSO externe comme CAS.

==== doc de reference ====

https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass et pour AD https://spaces.internet2.edu/display/SHIB2/IdPADConfigIssues

==== LoginHandler UsernamePassword ====

il faut activer le LoginHandler UsernamePassword dans handler.xml et commenter le LoginHnadler RemoteUser, autrement c'est ce dernier qui prend la main .

cf http://marc.info/?l=shibboleth-users&m=125606962922962&w=2

<code>
[root@idp /opt/shibboleth-idp/conf]
$ vim handler.xml

<!--    <LoginHandler xsi:type="RemoteUser">

<LoginHandler xsi:type="UsernamePassword" 
                  jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
</code>

=== JAAS configuration file ===

c'est ici qu'on definit le moyen d'aller rechercher une authentification sur AD
cf https://spaces.internet2.edu/display/SHIB2/IdPADConfigIssues 

il y est recommender d'utiliser le Global Catalogue (port 3268) plutot qu'un acces directe en 389 pour des raison de referrals .

<code>
[root@idp /opt/shibboleth-idp/conf]
$ cat login.config

ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap://ad1.mysite.fr"
      port="3268"
      base="dc=people,dc=mysite,dc=fr"
      ssl="false"
      subtreeSearch="true"
      serviceUser="cn=testshib,ou=users,dc=people,dc=mysite,dc=fr"
      serviceCredential="secret"
      userField="samaccountname";
</code>

==== Attributes resolver ====

Il faut definir un resolver pour recuperer les attributs

=== connecteur ===

<code>
[root@idp /opt/shibboleth-idp/conf]
$ vim attribute-resolver.xml

<!-- Example LDAP Connector -->
    <resolver:DataConnector id="tl1AD" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ad1.mysite.fr:389" baseDN="ou=users,dc=people,dc=mysite,dc=fr" principal="cn=testshib,ou=users,dc=people,dc=mysite,dc=fr"
        principalCredential="wayfrom">
        <FilterTemplate>
            <![CDATA[
                (samaccountname=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>
</code>

=== definition des attributs ===

<code>
[root@idp /opt/shibboleth-idp/conf]
$ vim attribute-resolver.xml
<!-- Schema: Core schema attributes-->
    <resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="sAMAccountName">
        <resolver:Dependency ref="tl1AD" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:uid" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="email" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="mail">
        <resolver:Dependency ref="tl1AD" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:mail" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </resolver:AttributeDefinition>
</code>

=== Filtres ===

A partir des attributs resolus ci-dessus on peut definir des politiques de diffusion de ces derniers, par liste de Service Provider par exemple :

<code>
[root@idp /opt/shibboleth-idp/conf]
$ vim attribute-filter.xml
<!--  Release the transient ID to anyone -->
    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="basic:ANY" />

        <AttributeRule attributeID="transientId">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>


    </AttributeFilterPolicy>

<!-- release email pour certains SP de le fédération --> 
<AttributeFilterPolicy>
        <PolicyRequirementRule xsi:type="basic:OR">
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.nancy-universite.fr" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://federation.cru.fr/cru/gestion" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.cru.fr/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.jres.org/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.sympa.org/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sec.cru.fr/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.csiesr.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://listes.esup-portail.org/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://cori.recherche.gouv.fr" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.cru.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.renater.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.adrisi.fr/sympa" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://2009.jres.org/shibboleth" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://listes.jres.org/sympa" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

<!-- SP Institut Telecom + test renater -->
  <AttributeFilterPolicy>
        <PolicyRequirementRule xsi:type="basic:OR">
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://trombi.it-sudparis.eu/" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://annu.it-sudparis.eu/" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://blog.it-sudparis.eu/" />
           <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://services-federation.renater.fr/test/ressource" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>
</code>

==== Attributs calculés

=== Expression Reguliere

Definition d'un attribut basé sur une expression reguliere

<code>
<!-- https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="RegexSplit" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="employeeType"
                              sourceAttributeID="distinguishedName"
                              regex=".*,OU=([^,]*),DC=people,DC=mysite,DC=fr">
        <resolver:Dependency ref="tl1AD" />
     <!-- Remaining configuration from the next step goes here -->
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:employeeType" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
</resolver:AttributeDefinition>
</code>

=== Attribut mappé

<code>
<!-- https://spaces.internet2.edu/display/SHIB2/ResolverMappedAttributeDefinition -->
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="StatusTL1"
                              sourceAttributeID="distinguishedName">
    <resolver:Dependency ref="tl1AD" />
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:StatusTL1" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.7391.4.1.1.2" friendlyName="StatusTL1" />
     <!-- default to the generic value 'affiliate' -->
     <DefaultValue>affiliate</DefaultValue>
     <!-- map internal values like 'student-worker' and 'undergraduate' to 'student' -->
     <ValueMap>
         <ReturnValue>permanents</ReturnValue>
         <SourceValue ignoreCase="true">CN=.*,ou=permanents,dc=people,dc=mysite,dc=fr</SourceValue>
     </ValueMap>
</resolver:AttributeDefinition>
</code>

=== test

http://trombi.it-sudparis.eu/secure/printenv.pl

<code>
Variables d'environnement positionnées par le SP shibboleth :

employeeType=permanents
StatusTL1=permanents
Shib_Authentication_Instant=2009-10-28T08:57:19.836Z
Shib_Application_ID=trombi
Shib_Session_ID=_0a9cff9b168c31bb183887572681058a
Shib_Identity_Provider=https://idp.telecom-lille1.eu/idp/shibboleth
sn=Shib-tl1-int
REMOTE_USER=testhib@telecom-lille1.eu
mail=testshib@telecom-lille1.eu
displayName=Shib-tl1-int
Shib_AuthnContext_Class=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Shib_Authentication_Method=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</code>

création JehanProcaccia - 20 Mar 2008