===== Idpv3x-c8 =====
==== references ====
* https://services.renater.fr/federation/docs/installation/idp3/index
* https://wiki.shibboleth.net/confluence/display/IDP30/Installation
* https://www.switch.ch/aai/guides/idp/installation/
* https://spaces.internet2.edu/pages/viewpage.action?pageId=49841792#LinuxIdentityProviderIdPv3(Centos7)-5
* https://www.testshib.org/
* https://tecadmin.net/install-tomcat-9-on-centos-8/
===== context =====
Example deployment of an identity provider (IdP v3.4) on CentOS 8 using the distribution's native packages, i.e. the OpenJDK 8 JVM (Java 11 is possible but may cause LDAP problems: https://wiki.shibboleth.net/confluence/display/IDP30/LDAPonJava%3E8)
https://wiki.shibboleth.net/confluence/display/IDP30/SystemRequirements
[root@idpx ~]# cat /etc/redhat-release
CentOS Linux release 8.0.1905 (Core)
===== java 8 jdk =====
[root@idpx ~]# yum install java-1.8.0-openjdk-devel.x86_64
Installer 54 Paquets
Mettre à niveau 1 Paquet
Taille totale des téléchargements : 56 M
Voulez-vous continuer ? [o/N] : o
check the Java version
[root@idpx ~]# java -version
openjdk version "1.8.0_252"
OpenJDK Runtime Environment (build 1.8.0_252-b09)
OpenJDK 64-Bit Server VM (build 25.252-b09, mixed mode)
===== tomcat =====
Red Hat, and therefore CentOS, no longer ships a Tomcat package (they promote JBoss instead), so we install Tomcat 9 from the tar.gz:
* https://tecadmin.net/install-tomcat-9-on-centos-8/
==== tomcat user ====
[root@idpx ~]# useradd -m -d /opt/tomcat -U -s /bin/false tomcat
==== tomcat package tgz ====
[root@idpx ~]# wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.35/bin/apache-tomcat-9.0.35.tar.gz
[root@idpx ~]# cd /opt
[root@idpx opt]# tar xvfz /root/apache-tomcat-9.0.35.tar.gz
[root@idpx opt]# mv apache-tomcat-9.0.35/* ./tomcat/
result
[root@idpx opt]# ls -al tomcat/
total 164
drwx------ 9 tomcat tomcat 4096 Jun 4 21:56 .
drwxr-xr-x 5 root root 4096 Jun 4 21:54 ..
-rw-r--r-- 1 tomcat tomcat 18 Oct 1 2019 .bash_logout
-rw-r--r-- 1 tomcat tomcat 141 Oct 1 2019 .bash_profile
-rw-r--r-- 1 tomcat tomcat 312 Oct 1 2019 .bashrc
-rw-r----- 1 root root 18982 May 5 22:40 BUILDING.txt
-rw-r----- 1 root root 5409 May 5 22:40 CONTRIBUTING.md
-rw-r----- 1 root root 57092 May 5 22:40 LICENSE
-rw-r----- 1 root root 2333 May 5 22:40 NOTICE
-rw-r----- 1 root root 3255 May 5 22:40 README.md
-rw-r----- 1 root root 6898 May 5 22:40 RELEASE-NOTES
-rw-r----- 1 root root 16262 May 5 22:40 RUNNING.txt
drwxr-x--- 2 root root 4096 Jun 4 21:54 bin
drwx------ 2 root root 4096 May 5 22:40 conf
drwxr-x--- 2 root root 4096 Jun 4 21:54 lib
drwxr-x--- 2 root root 4096 May 5 22:36 logs
drwxr-x--- 2 root root 4096 Jun 4 21:54 temp
drwxr-x--- 7 root root 4096 May 5 22:37 webapps
drwxr-x--- 2 root root 4096 May 5 22:36 work
set ownership of the tree to the tomcat account
[root@idpx opt]# chown -R tomcat:tomcat /opt/tomcat/
==== tomcat configuration ====
manager access (the allow list in the manager application's context)
[root@idpx opt]# diff /opt/tomcat/webapps/manager/META-INF/context.xml /opt/tomcat/webapps/manager/META-INF/context.xml.orig
20c20
< allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|157.19.19.13" />
---
> allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
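Review bot: the `allow` attribute here is a regular expression, so the added `157.19.19.13` should be written `157\.19\.19\.13`, as the loopback entry `127\.\d+\.\d+\.\d+` on the same line already is; unescaped, each `.` matches any character and the rule admits more addresses than intended.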
admin account for accessing the manager/html application
[root@idpx opt]# diff /opt/tomcat/conf/tomcat-users.xml /opt/tomcat/conf/tomcat-users.xml.orig
44,46d43
<
<
<
==== activation par systemd ====
[root@idpx opt]# vim /etc/systemd/system/tomcat.service
[root@idpx opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9
After=network.target
[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
==== start ====
[root@idpx ~]# systemctl daemon-reload
[root@idpx ~]# systemctl enable tomcat.service
[root@idpx ~]# systemctl start tomcat.service
===== firewall =====
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
success
[root@idpx opt]# firewall-cmd --reload
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="http" log prefix="http" accept'
success
[root@idpx opt]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.19.19.0/16" service name="https" log prefix="https" accept'
success
[root@idpx opt]# firewall-cmd --reload
success
or, more generally
firewall-cmd --zone=public --permanent --add-port=8080/tcp
==== acces tomcat ====
the server is now reachable, for example
http://idpx.tem-tsp.eu:8080/manager/html (login/password defined above)
unless the client's source IP address is not permitted by the manager application's access control (see the IP address in the allow parameter):
[root@idpx ~]# vim /opt/tomcat/webapps/manager/META-INF/context.xml
==== proxy and TLS via apache ====
https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html
https://tomcat.apache.org/tomcat-9.0-doc/connectors.html
https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp (secretRequired="false")
set up a proxy so that Apache handles TLS and the default ports (80/443)
Apache's mod_ssl must be installed to provide HTTPS
[root@idpx opt]# yum install httpd mod_ssl
Total download size: 2.0 M
Is this ok [y/N]: y
and configure it with our certificates
[root@idpx certs]# grep ^SSL /etc/httpd/conf.d/ssl.conf | tail -3
SSLCertificateFile /etc/pki/tls/certs/idp.imtbstsp_eu.pem
SSLCertificateKeyFile /etc/pki/tls/private/idp.imtbstsp.key
SSLCertificateChainFile /etc/pki/tls/certs/chain-dc-TR1-CA2-idp-imtbstsp.pem
finally configure proxy-ajp to forward Apache's HTTPS requests to Tomcat
[root@idpx ~]# cat /etc/httpd/conf.d/shibboleth.conf
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ retry=0
ProxyPass /manager/ ajp://127.0.0.1:8009/manager/
and enable it on the Tomcat side
[root@idpx opt]# vim /opt/tomcat/conf/server.xml
without the option secretRequired="false" (see https://rimuhosting.com/mod_jk2_and_mod_proxy_ajp.jsp), the manager cannot be reached through proxy_ajp; this access would be better controlled by restricting the proxy traffic between httpd and tomcat to 127.0.0.1 only.
start httpd and check that the AJP module is loaded
[root@idpx opt]# systemctl start httpd.service
[root@idpx opt]# httpd -M | grep ajp
proxy_ajp_module (shared)
access without port 8080:
http://idpx.imtbstsp.eu/manager/html
then over HTTPS via proxy-ajp, without specifying port 443
https://idpx.imtbstsp.eu/manager/html
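To act on the caveat above about restricting AJP to the loopback between httpd and tomcat, here is an added example (not from the original page): a POSIX shell check that audits the AJP connector in a Tomcat server.xml, run against a constructed copy of the page's weak setting (secretRequired="false") and a hardened one. The sample files, the secret placeholder and the ProxyPass secret= line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit the AJP <Connector> in a
# Tomcat server.xml. The hardened form binds the connector to loopback and
# sets a shared secret, which the httpd side must then present as well, e.g.
#   ProxyPass /idp/ ajp://127.0.0.1:8009/idp/ secret=REPLACE_WITH_RANDOM_SECRET
# (the ProxyPass secret= option needs a mod_proxy_ajp build that supports it).
set -e

# Constructed sample matching the page's weak setting (secretRequired="false").
write_weak_sample() {
  cat > "$1" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             secretRequired="false" />
</Service></Server>
EOF
}

# Constructed hardened sample: loopback only, plus a shared secret.
write_hardened_sample() {
  cat > "$1" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             address="127.0.0.1" secret="REPLACE_WITH_RANDOM_SECRET" />
</Service></Server>
EOF
}

# Flatten the file onto one line and drop XML comments, so that a connector
# split over several lines is one match and a commented-out one is ignored.
active_xml() {
  tr '\n' ' ' < "$1" \
    | awk '{ gsub(/<!--/, "\n<!--"); gsub(/-->/, "-->\n"); print }' \
    | grep -v '^<!--' | tr '\n' ' '
}

# Print findings for the AJP connector of the given server.xml. Returns 0
# when it is loopback-bound and secret-protected (or not enabled at all).
audit_ajp_connector() {
  conn=$(active_xml "$1" | grep -o '<Connector[^>]*protocol="AJP/1.3"[^>]*>' || true)
  if [ -z "$conn" ]; then
    echo "no AJP connector enabled"
    return 0
  fi
  rc=0
  case "$conn" in
    *'address="127.0.0.1"'*|*'address="::1"'*) ;;
    *) echo "AJP connector is not bound to loopback"; rc=1 ;;
  esac
  case "$conn" in
    *'secretRequired="false"'*) echo 'secretRequired="false": any AJP client is accepted'; rc=1 ;;
  esac
  case "$conn" in
    *' secret="'*) ;;
    *) echo "no AJP shared secret configured"; rc=1 ;;
  esac
  return $rc
}

weak=$(mktemp); hardened=$(mktemp)
write_weak_sample "$weak"; write_hardened_sample "$hardened"
echo "weak sample:";     audit_ajp_connector "$weak" || echo "-> FAIL"
echo "hardened sample:"; audit_ajp_connector "$hardened" && echo "-> OK"
```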
===== ntp =====
make sure the machine's clock is correct; on a VM, the host provides the time
===== shibboleth IDP =====
ref https://services.renater.fr/federation/docs/installation/idp3/chap03
==== download ====
download the latest version from http://shibboleth.net/downloads/identity-provider/
[root@idp34 ~]# wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
--2019-01-02 14:18:15-- https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 ~]# mkdir /opt/src
[root@idp34 ~]# mv shibboleth-identity-provider-3.4.2.tar.gz /opt/src/
[root@idp34 ~]# cd /opt/src/ ; tar xvfz shibboleth-identity-provider-3.4.2.tar.gz
[root@idp34 src]# cd shibboleth-identity-provider-3.4.2
[root@idp34 shibboleth-identity-provider-3.4.2]# ls
bin conf credentials doc flows LICENSE.txt logs messages metadata system views webapp
==== install ====
fresh install here; careful, on an update do not overwrite everything!
[root@idp34 shibboleth-identity-provider-3.4.2]# export JAVA_HOME=/usr/lib/jvm/java
[root@idp34 shibboleth-identity-provider-3.4.2]# ./bin/install.sh
Source (Distribution) Directory (press to accept default): [/opt/src/shibboleth-identity-provider-3.4.2]
Installation Directory: [/opt/shibboleth-idp]
Hostname: [idp34.int-evry.fr]
idp3.imtbstsp.eu
SAML EntityID: [https://idp3.imtbstsp.eu/idp/shibboleth]
Attribute Scope: [int-evry.fr]
imtbstsp.eu
Backchannel PKCS12 Password: O gl Back d
Re-enter password:
Cookie Encryption Key Password: O gl Cookie d
Re-enter password:
Warning: /opt/shibboleth-idp/bin does not exist.
Warning: /opt/shibboleth-idp/edit-webapp does not exist.
Warning: /opt/shibboleth-idp/dist does not exist.
Warning: /opt/shibboleth-idp/doc does not exist.
Warning: /opt/shibboleth-idp/system does not exist.
Generating Signing Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Encryption Key, CN = idp3.imtbstsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating Backchannel keystore, CN = idpr3.imtbs-tsp.eu URI = https://idp3.imtbstsp.eu/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 2 minutes 14 seconds
credential files created
[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /opt/shibboleth-idp/credentials/
total 32
-rw-r--r-- 1 root root 1517 2 janv. 14:23 idp-backchannel.crt
-rw-r--r-- 1 root root 3399 2 janv. 14:23 idp-backchannel.p12
-rw-r--r-- 1 root root 1517 2 janv. 14:23 idp-encryption.crt
-rw------- 1 root root 2455 2 janv. 14:23 idp-encryption.key
-rw-r--r-- 1 root root 1517 2 janv. 14:23 idp-signing.crt
-rw------- 1 root root 2459 2 janv. 14:23 idp-signing.key
-rw-r--r-- 1 root root 502 2 janv. 14:23 sealer.jks
-rw-r--r-- 1 root root 47 2 janv. 14:23 sealer.kver
the installation tree must be owned by tomcat
[root@idp34 shibboleth-identity-provider-3.4.2]# chown -R tomcat /opt/shibboleth-idp/
==== tomcat context for the IdP ====
the idp.xml file lets Tomcat deploy the IdP component automatically, without copying the .war archive into Tomcat's webapps/ directory.
[root@idp3 localhost]# cat /etc/tomcat/Catalina/localhost/idp.xml
a few seconds later, thanks to auto-deploy
[root@idp34 shibboleth-identity-provider-3.4.2]# ls -l /var/lib/tomcat/webapps/idp/
total 32
drwxr-xr-x 2 tomcat tomcat 4096 2 janv. 14:28 css
drwxr-xr-x 2 tomcat tomcat 4096 2 janv. 14:28 images
-rw-r--r-- 1 tomcat tomcat 1008 2 janv. 14:23 index.jsp
drwxr-xr-x 2 tomcat tomcat 4096 2 janv. 14:28 js
drwxr-xr-x 2 tomcat tomcat 4096 2 janv. 14:28 META-INF
drwxr-xr-x 5 tomcat tomcat 4096 2 janv. 14:28 WEB-INF
-rw-r--r-- 1 tomcat tomcat 5389 2 janv. 14:23 x509-prompt.jsp
==== status and jstl ====
test access at http://idp3.tem-tsp.eu:8080/idp/status
at first this page did not display
java.lang.NoClassDefFoundError: javax/servlet/jsp/jstl/core/Config
org.springframework.web.servlet.support.JstlUtils.exposeLocalizationContext(JstlUtils.java:101)
indeed the jstl library (see http://stackoverflow.com/tags/jstl/info) has to be added, as it is not shipped by default (risk of conflict with jboss)
see also https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp, section 6.13 IdP status URL configuration, or https://services.renater.fr/federation/docs/installation/idp3/chap02#installation_d_un_serveur_d_applications_java (jstl).
[root@idp34 shibboleth-identity-provider-3.4.2]# cd /var/lib/tomcat/webapps/idp/WEB-INF/lib/
[root@idp34 lib]# wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
2019-01-02 14:34:08 (9,27 MB/s) - «jstl-1.2.jar» sauvegardé [414240/414240]
[root@idp34 lib]# systemctl restart tomcat
For HTTPS access to the status page, the admin browser's source IP must be allowed
# vim /opt/shibboleth-idp/conf/access-control.xml
...
...
now reachable at https://idp3.imtbstsp.eu/idp/status
the status is also available from the shell
[root@idp34 bin]# /opt/shibboleth-idp/bin/status.sh
### Operating Environment Information
operating_system: Linux
operating_system_version: 3.10.0
operating_system_architecture: amd64
jdk_version: 1.8.0_191
available_cores: 12
used_memory: 137 MB
maximum_memory: 455 MB
### Identity Provider Information
idp_version: 3.4.2
start_time: 2019-01-02T14:35:21Z
current_time: 2019-01-02T14:36:42Z
uptime: 80907 ms
==== NTP ====
the system clock must be correct (SAML exchanges are timestamped)
if using an OpenVZ VM, see VZ capabilities: http://unix.stackexchange.com/questions/68016/error-when-running-ntpd-on-openvz-host-cap-set-proc-failed-to-drop-root-privi
[root@hardnode ~]# vzctl set 1033 --capability sys_time:on --save
CT configuration saved to /etc/vz/conf/1033.conf
===== Configuration =====
* ref: https://services.renater.fr/federation/docs/installation/idp3/chap04
since version 3 the configuration is split across several files; it is recommended to back up the originals from the distribution
[root@idp3 conf]# cp -p relying-party.xml relying-party.xml.dist
[root@idp3 conf]# cp -p attribute-resolver.xml attribute-resolver.xml.dist
[root@idp3 conf]# cp -p attribute-filter.xml attribute-filter.xml.dist
==== federation metadata ====
* ref: https://services.renater.fr/federation/docs/installation/idp3/chap04#gestion_des_meta-donnees
registration in the Renater test federation: fetch the certificate that signs the Renater metadata.
[root@idp34]# cd /opt/shibboleth-idp/credentials/
[root@idp34 credentials]# /usr/bin/curl -O https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem
add loading of the test-renater metadata
[root@idp3 conf]# tail -18 metadata-providers.xml
The first time, restart tomcat so that the initial download of the file takes place
[root@idp34 conf]# systemctl restart tomcat.service
[root@idp34 conf]# ls -ltr ../metadata/
total 31308
-rw-r--r-- 1 tomcat root 14590 2 janv. 14:23 idp-metadata.xml
-rw-r--r-- 1 tomcat tomcat 6787283 2 janv. 14:47 preview-sps-renater-test-metadata.xml
afterwards a simple reload of the metadata service for this federation is enough
[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-metadata.sh -id=RenaterTestMetadata
Metadata reloaded.
idp-process.log:
2019-01-02 14:48:18,248 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:574] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: New metadata successfully loaded for 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml'
2019-01-02 14:48:18,250 - 127.0.0.1 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver:384] - Metadata Resolver FileBackedHTTPMetadataResolver RenaterTestMetadata: Next refresh cycle for metadata provider 'https://metadata.federation.renater.fr/test/preview/preview-sps-renater-test-metadata.xml' will occur on '2019-01-02T15:33:16.891Z' ('2019-01-02T15:33:16.891Z' local time)
2019-01-02 14:48:18,268 - 127.0.0.1 - INFO [Shibboleth-Audit.Reload:275] - 20190102T144818Z||||http://shibboleth.net/ns/profiles/reload-metadata|||||||||
==== local IdP metadata URL ====
URL for viewing our IdP's metadata
* http://idp3.domain.fr/idp/shibboleth
==== authentication ====
* ref https://services.renater.fr/federation/docs/installation/idp3/chap05
first test with simple LDAP authentication
[root@idp3 conf]# diff ldap.properties ldap.properties.dist
8,9c8,9
< idp.authn.LDAP.ldapURL = ldap://ldap.int.eu:389
< idp.authn.LDAP.useStartTLS = true
---
> idp.authn.LDAP.ldapURL = ldap://localhost:10389
> #idp.authn.LDAP.useStartTLS = true
16c16
< idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/chain-29966-_.int.eu.pem
---
> idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
18c18
< #idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
---
> idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
28c28
< idp.authn.LDAP.baseDN = ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
33,34c33,34
< idp.authn.LDAP.bindDN = uid=binduser,dc=int,dc=fr
< idp.authn.LDAP.bindDNCredential = secret
---
> idp.authn.LDAP.bindDN = uid=myservice,ou=system
> idp.authn.LDAP.bindDNCredential = myServicePassword
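Review bot: `idp.authn.LDAP.bindDNCredential = secret` stores the bind password in clear text in ldap.properties, so the file must stay readable only by the account running Tomcat; also worth a second look is that `idp.authn.LDAP.ldapURL` points at a host under `int.eu` while `bindDN` and `baseDN` use `dc=int,dc=fr`.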
38c38
< idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=int,dc=fr
---
> idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
[root@idp3 conf]# systemctl restart tomcat.service
==== customising the built-in login page ====
the login page built into the IdP can be customised, see:
* https://wiki.shibboleth.net/confluence/display/IDP30/PasswordAuthnConfiguration
* https://spaces.internet2.edu/pages/viewpage.action?pageId=49841792#LinuxIdentityProviderIdPv3(RHEL7)-1.CustomizetheIdP'sLoginPage
* http://shibboleth.1660669.n2.nabble.com/Customising-login-page-in-IdP-v3-td7616265.html
# vim /opt/src/shibboleth-identity-provider-3.3.0/system/messages/messages.properties
...
idp.logo = /images/etablissement-logo-site.png
...
root.title = Shibboleth IdP Etablissement.fr
...
put the logo in the source images directory; curiously, bin/install.sh did deploy the new messages.properties but not the logo png into /var/lib/tomcat/webapps/idp/images/, which I had to do by hand (cp).
===== Attribute resolver =====
attribute-resolver-ldap.xml relies on the variables defined above in ldap.properties; here we only disable StartTLSTrustCredential (commented out)
[root@idp3 conf]# cp attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
[root@idp3 conf]# diff attribute-resolver-ldap.xml attribute-resolver-ldap.xml.dist
92d91
<
and declare the use of attribute-resolver-ldap in services.xml
[root@idp3 conf]# diff services.xml services.xml.dist
113c113
< %{idp.home}/conf/attribute-resolver-ldap.xml
---
> %{idp.home}/conf/attribute-resolver.xml
==== attribute-filter ====
we take the example and extend it to all SPs (ANY)
[root@idp3 conf]# diff attribute-filter.xml attribute-filter.xml.dist
18,19c18
<
<
---
>
[root@idp3 conf]# /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
Configuration reloaded.
==== schema name change v2/v3 ====
careful when reusing home-made attribute-filter rules from v2 in v3: the schemas have changed, e.g. "basic:OR" simply becomes "OR", see https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterLegacyNameSpaceMapping and https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration#AttributeFilterConfiguration-SchemaName
example of automatic replacement of v2 with v3 syntax using "vi" in attribute-resolver.xml
:1,$s/basic:AttributeRequesterString/Requester/g
:1,$s/basic:AttributeValueString/Value/g
:1,$s/basic:Rule/Rule/g
:1,$s/saml:AttributeRequesterInEntityGroup/InEntityGroup/g
:1,$s/basic:ANY/ANY/g
:1,$s/basic:OR/OR/g
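The vi substitutions above as an added shell script (not from the original page), applied to a constructed v2-style policy; it extends the page's list with a few more entries from the same legacy mapping (AND, NOT, Issuer, Scope, PrincipalName) and counts any basic:/saml: types left over so that an unmapped rule is not missed. The sample policy and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: apply the v2 -> v3 legacy
# type-name mapping to an attribute-filter file with sed (the substitutions
# the page does in vi, plus a few more from the same legacy mapping), then
# report any xsi:type that still carries a basic: or saml: prefix.
set -e

# Rewrite "$1" into "$2". Matching on xsi:type="..." keeps the substitutions
# from touching namespace declarations elsewhere in the file.
migrate_filter_types() {
  sed \
    -e 's/xsi:type="basic:AttributeRequesterString"/xsi:type="Requester"/g' \
    -e 's/xsi:type="basic:AttributeIssuerString"/xsi:type="Issuer"/g' \
    -e 's/xsi:type="basic:AttributeValueString"/xsi:type="Value"/g' \
    -e 's/xsi:type="basic:AttributeScopeString"/xsi:type="Scope"/g' \
    -e 's/xsi:type="basic:PrincipalNameString"/xsi:type="PrincipalName"/g' \
    -e 's/xsi:type="saml:AttributeRequesterInEntityGroup"/xsi:type="InEntityGroup"/g' \
    -e 's/xsi:type="basic:ANY"/xsi:type="ANY"/g' \
    -e 's/xsi:type="basic:AND"/xsi:type="AND"/g' \
    -e 's/xsi:type="basic:OR"/xsi:type="OR"/g' \
    -e 's/xsi:type="basic:NOT"/xsi:type="NOT"/g' \
    -e 's/<basic:Rule /<Rule /g' \
    -e 's/<\/basic:Rule>/<\/Rule>/g' \
    "$1" > "$2"
}

# Number of xsi:type values still carrying a legacy basic: or saml: prefix.
count_legacy_types() {
  grep -oE 'xsi:type="(basic|saml):[^"]*"' "$1" | wc -l | tr -d ' '
}

# Constructed v2-style policy used as sample input.
write_v2_sample() {
  cat > "$1" <<'EOF'
<AttributeFilterPolicy id="releaseToTestSP">
  <PolicyRequirementRule xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeRequesterString"
                value="https://test.federation.renater.fr/test/ressource" />
    <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup"
                groupID="https://federation.example.org" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonAffiliation">
    <PermitValueRule xsi:type="basic:AttributeValueString" value="student" />
  </AttributeRule>
</AttributeFilterPolicy>
EOF
}

in=$(mktemp); out=$(mktemp)
write_v2_sample "$in"
migrate_filter_types "$in" "$out"
echo "legacy types before: $(count_legacy_types "$in"), after: $(count_legacy_types "$out")"
```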
==== service.xml ====
* https://www.switch.ch/aai/guides/idp/installation/#shibbolethidp 6.2
* https://portal.nordu.net/display/SWAMID/Example+of+a+standard+attribute+filter+for+Shibboleth+IdP
==== test attributes cli ====
[root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://test.federation.renater.fr/test/ressource --configDir=conf/ --principal=etudiant1
{
"requester": "https://test.federation.renater.fr/test/ressource",
"principal": "etudiant1",
"attributes": [
{
"name": "uid",
"values": [
"StringAttributeValue{value=etudiant1}" ]
},
{
"name": "mail",
"values": [
"StringAttributeValue{value=etudiant1@example.org}" ]
},
{
"name": "eduPersonPrincipalName",
"values": [
"ScopedStringAttributeValue{value=etudiant1, scope=int.eu}" ]
}
]
}
===== Registering in a federation =====
first in the Renater test federation
https://federation.renater.fr/registry
===== Internal LDAP login test =====
having set the default password scheme via LDAP, a login/password from the configured institutional LDAP directory gives access to the Renater test resource https://test.federation.renater.fr/test/ressource, which displays the list of attributes sent and, new in v3, asks for consent (the uApprove add-on in v2)
Information to be Provided to Service
eduPersonPrincipalName teststud@int.fr
mail teststud@example.org
uid teststud
Ask me again at next login
Ask me again if information to be provided to this service changes
Do not ask me again
idp-process.log:
2016-07-03 14:45:51,638 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:139] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'teststud' succeeded
2016-07-03 14:51:14,116 - INFO [Shibboleth-Consent-Audit.SSO:241] - 20160703T125114Z|https://test.federation.renater.fr/test/ressource|AttributeReleaseConsent|teststud|eduPersonPrincipalName,mail,uid||true,true,true
2016-07-03 14:51:14,861 - INFO [Shibboleth-Audit.SSO:241] - 20160703T125114Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_05d30b93263d3dbca128a0d1bdb5272d|https://test.federation.renater.fr/test/ressource|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.int.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_afd5c50a6363cebb0030af5e220dce18|teststud|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,mail,eduPersonPrincipalName|AAdzZWNyZXQxvKd8LuQ9/WK6sRwUecDTulilU/xNcE1LRr2tf2P8S97xNb9mu4uVLASdS+D5MlyZAWt5NYNLGBuyVeD8n441NlUDVO7uCO8B6PxjUANyWOYmM6UOP7b9jpAC9ED70JLXoz2Bztm4VKeQ9Ia5FxgKJzh37Q==|_c861303bf16b99871bcac75ecca3703b|
===== SSO CAS =====
https://services.renater.fr/federation/docs/installation/idp3/chap08
[root@idp34 src]# wget https://github.com/Unicon/shib-cas-authn3/releases/download/3.2.3/shib-cas-authn3-3.2.3.tar
[root@idp34 src]# tar xvf shib-cas-authn3-3.2.3.tar
...
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/cas-client-core-3.4.1.jar
shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar
shib-cas-authn3-3.2.3/edit-webapp/no-conversation-state.jsp
..
[root@idp34 src]# cp shib-cas-authn3-3.2.3/edit-webapp/WEB-INF/lib/shib-cas-authenticator-3.2.3.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
[root@idp34 src]# cp -R shib-cas-authn3-3.2.3/flows/authn/Shibcas/ /opt/shibboleth-idp/flows/authn/
[root@idp34 src]# ls -ltr /opt/shibboleth-idp/flows/authn/Shibcas/
total 8
-rw-r--r-- 1 root root 2290 2 janv. 21:23 shibcas-authn-flow.xml
-rw-r--r-- 1 root root 3241 2 janv. 21:23 shibcas-authn-beans.xml
[root@idp34 src]# wget http://central.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.5.1/cas-client-core-3.5.1.jar
[root@idp34 src]# cp cas-client-core-3.5.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
Modify the web flow to use the CAS plugin via /opt/shibboleth-idp/conf/idp.properties
[root@idp3 conf]# diff idp.properties idp.properties.dist
100,114c100
< #idp.authn.flows= Password
< idp.authn.flows= Shibcas
<
< # CAS Client properties (usage loosely matches that of the Java CAS Client)
< ## CAS Server Properties
< shibcas.casServerUrlPrefix = https://cas16.int.eu/cas
< shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login
<
< ## Shibboleth Server Properties
< shibcas.serverName = https://cas16.int.eu
<
< # La partie ci-dessous est une fonctionnalité avancée de l'extention shib-cas en question (optionnelle)
< # By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
< # Takes a comma separated list of fully qualified class names
< # shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
---
> idp.authn.flows= Password
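Review bot: `shibcas.serverName` sits under `## Shibboleth Server Properties` but is set to `https://cas16.int.eu`, the same host as `shibcas.casServerUrlPrefix`; it should carry the IdP's own public URL, which the plugin uses to build the service URL presented to CAS, so verify it is not the CAS host.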
declare the Shibcas bean in general-authn.xml:
[root@idp34 conf]# cd /opt/shibboleth-idp/conf/authn/
[root@idp34 authn]# cp general-authn.xml general-authn.xml.dist
[root@idp3 authn]# diff general-authn.xml general-authn.xml.dist
93,98d92
<
<
<
and rebuild idp.war + stop/start tomcat
[root@idp3 bin]# systemctl start tomcat.service
[root@idp3 bin]# /opt/shibboleth-idp/bin/build.sh
Installation Directory: [/opt/shibboleth-idp]
RETURN (!?)
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
# remove the whole deployment from the tomcat webapps tree to be sure the new idp.war replaces everything
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# systemctl start tomcat.service
a new test at https://test.federation.renater.fr/test/ressource shows that we now go through CAS.
===== attribute filter =====
https://services.renater.fr/federation/docs/installation/idp3/chap10
the large number of SPs and their regular turnover in a federation as large as Renater's require automated filter management. "Since 2015 and IdP 2.4, Shibboleth introduces a new PermitValueRule of type AttributeInMetadata that can be used in your attribute-filter.xml configuration file. For a set of SPs, this feature lets you release user attributes as narrowly as possible, only when they are declared as requested by the SP in the federation metadata. The onlyIfRequired option further restricts release to attributes marked as required."
we add the rules proposed in the Renater documentation
....
then redeploy
[root@idp3 conf]# vim attribute-filter.xml
[root@idp3 shibboleth-idp]# cd ../bin/
[root@idp3 bin]# systemctl stop tomcat.service
[root@idp3 bin]# rm -rf /var/lib/tomcat/webapps/idp
[root@idp3 bin]# ./build.sh
Installation Directory: [/opt/shibboleth-idp]
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 4 seconds
[root@idp3 bin]#
[root@idp3 bin]# systemctl start tomcat.service
a new test at https://test.federation.renater.fr/test/ressource now shows more attributes.
==== script attribute definition entitlement ====
the "entitlement" attribute is built from a script; this changes between IdP v2 and v3 in several respects: the schema, and the script engine, Java 1.7 (Rhino) vs 1.8 (Nashorn)
ref:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJava1.8
https://wiki.shibboleth.net/confluence/display/IDP30/ScriptedAttributeDefinition
example
===== newcerts =====
regeneration of the (self-signed) metadata certificates after a hostname change and/or VM cloning, so that the published metadata carries the correct internal certificates for SAML.
ref
* https://shib.kuleuven.be/docs/ssl_commands.shtml
* https://www.switch.ch/aai/guides/idp/certificate-rollover/
* https://wiki.umbc.edu/display/MW/Updating+the+Shibboleth+IdP's+SSL+Certificate
[root@idp3 credentials]# openssl req -x509 -new -out idp3-signing.crt -keyout idp3-signing.key -days 3650
writing new private key to 'idp3-signing.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:Essonne
Locality Name (eg, city) [Default City]:Evry
Organization Name (eg, company) [Default Company Ltd]:IMT
Organizational Unit Name (eg, section) []:DISI
Common Name (eg, your name or your server's hostname) []:idp3.int.eu
Email Address []:admin@int.eu
remove the passphrase
[root@idp3 credentials]# openssl rsa -in idp3-signing.key -out idp3-signing-np.key
Enter pass phrase for idp3-signing.key:
writing RSA key
same for the encryption and backchannel certificates
[root@idp3 credentials]# openssl req -x509 -new -out idp3-encryption.crt -keyout idp3-encryption.key -days 3650
# openssl rsa -in idp3-encryption.key -out idp3-encryption-np.key
[root@idp3 credentials]# openssl req -x509 -new -out idp3-backchannel.crt -keyout idp3-backchannel.key -days 3650
# openssl rsa -in idp3-backchannel.key -out idp3-backchannel-np.key
remove the passphrase from the p12: http://blog.armbruster-it.de/2010/03/remove-the-passphrase-from-a-pkcs12-certificate/
[root@idp3 credentials]# openssl pkcs12 -in idp3-backchannel.p12 -nodes -out idp3-p12-p-temp.pem
Enter Import Password:
MAC verified OK
[root@idp3 credentials]# openssl pkcs12 -export -in idp3-p12-p-temp.pem -out idp3-backchannel-np.p12
Enter Export Password: rien
Verifying - Enter Export Password: rien
although this does not seem very useful within the federation, the local metadata/idp-metadata.xml file should be updated so that it is consistent with these new certificates and with the entityID and service URL hostname
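The same generation done non-interactively, as an added example that is not from the original page: a shell script producing the signing, encryption and backchannel credentials with openssl, where -nodes makes the passphrase-removal step unnecessary and -subj replaces the prompts. Subject fields, output names and the placeholder password are assumptions; the last helper prints the base64 body that goes into the <ds:X509Certificate> elements of idp-metadata.xml.

```shell
#!/bin/sh
# Added example, not from the original page: a non-interactive version of the
# certificate generation above. -nodes writes the private key unencrypted, so
# the separate "remove passphrase" step disappears, and -subj replaces the
# prompts. Subject fields, file names and the password are assumptions.
set -e

# Self-signed certificate plus unencrypted key for one IdP role
# (signing, encryption or backchannel). Usage: gen_idp_keypair <dir> <role> <host>
gen_idp_keypair() {
  dir="$1"; role="$2"; host="$3"
  openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
    -subj "/C=FR/O=IMT/OU=DISI/CN=$host" \
    -keyout "$dir/idp-$role.key" -out "$dir/idp-$role.crt" 2>/dev/null
  chmod 600 "$dir/idp-$role.key"   # same 0600 as the keys install.sh creates
}

# Backchannel keypair packed into a PKCS12 protected by the given password
# (the equivalent of the "Backchannel PKCS12 Password" install prompt).
# Usage: gen_backchannel_p12 <dir> <host> <password>
gen_backchannel_p12() {
  dir="$1"; host="$2"; pw="$3"
  gen_idp_keypair "$dir" backchannel "$host"
  openssl pkcs12 -export -name backchannel \
    -in "$dir/idp-backchannel.crt" -inkey "$dir/idp-backchannel.key" \
    -out "$dir/idp-backchannel.p12" -passout "pass:$pw"
  chmod 600 "$dir/idp-backchannel.p12"
}

# CN of a certificate, to check what was generated.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeeds only if the key loads without a passphrase.
key_is_unencrypted() {
  openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Base64 body of a certificate, the form pasted into <ds:X509Certificate>
# when idp-metadata.xml is updated with the new certificates.
cert_for_metadata() {
  sed '/^-----/d' "$1"
}

dir=$(mktemp -d)
gen_idp_keypair "$dir" signing idp3.int.eu
gen_idp_keypair "$dir" encryption idp3.int.eu
gen_backchannel_p12 "$dir" idp3.int.eu "CHANGE_ME_placeholder"
echo "generated in $dir:"; ls -l "$dir"
echo "signing CN: $(cert_cn "$dir/idp-signing.crt")"
```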