shibboleth IDP

Shibboleth can be used to build web single sign-on (SSO): the IdP (identity provider) identifies users who arrive from an SP (service provider).
Reference deployment example:
https://spaces.internet2.edu/display/ShibInstallFest/Shibboleth+Workshop+Series+-+Linux+Identity+Provider+%28Centos+6.2%29

………………………………………………………………………………………………………………………………….

Installation


ps: before installing the IdP, make sure Java can be run
ps: on CentOS and RedHat, use OpenJDK to install and run the IdP; run yum makecache && yum search openjdk to find the available versions
ps: IdP installation reference: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPInstall

1
Download
The Identity Provider software package can be downloaded from:
http://www.shibboleth.net/downloads/identity-provider/
ex:
curl -O http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.0-bin.zip

2
Install
#unzip shibboleth-identityprovider-2.2.0-bin.zip
#shibboleth-identityprovider-2.2.0/install.sh
The installer asks three questions:
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
ps: this location is IDP_HOME
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp1.example.org]
ps: enter the fully qualified hostname
A keystore is about to be generated for you. Please enter a password that will be used to protect it
Enter a password of your choice (it is needed again later as keystorePass in Tomcat's server.xml)

Installer output:
Updating property file: /root/shibboleth-identityprovider-2.3.0/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore.
Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 51 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /root/shibboleth-identityprovider-2.2.0/src/installer
Building war: /root/shibboleth-identityprovider-2.2.0/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /root/shibboleth-identityprovider-2.2.0/src/installer/web.xml
Deleting: /root/shibboleth-identityprovider-2.2.0/src/installer/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 5 seconds

……….

Preparing Apache Tomcat for the Shibboleth Identity Provider
(refer https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare)
ps: on CentOS and RedHat, run Tomcat with OpenJDK
ps: Apache Tomcat 6.0.17 or greater is required
ps: it is recommended to add -Xmx512M -XX:MaxPermSize=128m in TOMCAT_HOME/bin/catalina.sh

3
Copy the endorsed libraries
#cp -rf $IDP_HOME/lib/endorsed $CATALINA_HOME/endorsed
or
#cp /root/shibboleth-identityprovider-2.3.0/endorsed/*.jar $CATALINA_HOME/endorsed
ps:
Endorsed libraries
Endorse Xerces and Xalan by creating the directory TOMCAT_HOME/endorsed and copying the .jar files included in the IdP source endorsed directory into the newly created directory.
ps:
Shibboleth requires that Tomcat be started with the parameter -Djava.endorsed.dirs=$CATALINA_HOME/endorsed
$CATALINA_HOME is the Tomcat installation directory

4
Supporting SOAP Endpoints
4.1
Download tomcat6-dta-ssl-1.0.0.jar (asc) in to TOMCAT_HOME/lib/.
#curl -o /usr/share/tomcat6/lib/tomcat6-dta-ssl-1.0.0.jar http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar
4.2
Configure Tomcat for endpoints on both ports 443 and 8443
ps: port 443 is used by user agents (browsers), port 8443 by SPs
#vi TOMCAT_HOME/conf/server.xml
<Connector port="443"
 protocol="HTTP/1.1"
 SSLEnabled="true"
 maxThreads="150"
 scheme="https"
 secure="true"
 clientAuth="false"
 sslProtocol="TLS"
 keystoreFile="IDP_HOME/credentials/idp.jks"
 keystorePass="YourSecretPassword"
/>
<Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
 scheme="https"
 SSLEnabled="true"
 clientAuth="true"
 keystoreFile="IDP_HOME/credentials/idp.jks"
 keystorePass="PASSWORD"
/>
ps:
Replace IDP_HOME with the Shibboleth installation directory, i.e. $IDP_HOME
keystoreFile must point to the location of the .jks keystore
keystorePass must be changed to the password entered when installing the IdP
ps:
Restart Tomcat and check whether ports 443 and 8443 are listening
#netstat -atunlp | grep LISTEN | grep 443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
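The two connectors above carry placeholders (IDP_HOME, PASSWORD, YourSecretPassword) that must not survive into a running server, and the 8443 connector is only useful to SPs if it actually requests client certificates and hands their validation to the IdP. The following lint is an added example, not code from these notes or from the Shibboleth project; it assumes the Tomcat 6 layout described here and embeds a constructed server.xml fragment with the values exactly as written above, plus a corrected copy (the replacement password is an invented example).

```python
# Added example, not part of the original notes: lint the two Tomcat HTTPS
# connectors described above. Assumes the Shibboleth 2.x / Tomcat 6 layout
# from these notes: port 443 for browsers, port 8443 for SP back-channel
# calls with client-certificate checks delegated to the IdP.
import xml.etree.ElementTree as ET

# Values the notes use as stand-ins; none of them is acceptable in production.
PLACEHOLDER_PASSWORDS = {"PASSWORD", "YourSecretPassword", "changeit"}
DELEGATE_IMPL = ("edu.internet2.middleware.security.tomcat6."
                 "DelegateToApplicationJSSEImplementation")


def connector_findings(server_xml):
    """Return (port, message) tuples for every problem found in server.xml."""
    root = ET.fromstring(server_xml)
    findings, seen = [], set()
    for c in root.iter("Connector"):
        port = c.get("port")
        seen.add(port)
        if port not in ("443", "8443"):
            continue
        if c.get("SSLEnabled") != "true" or c.get("scheme") != "https":
            findings.append((port, "connector is not SSL-enabled"))
        keystore = c.get("keystoreFile", "")
        if "IDP_HOME" in keystore or not keystore.startswith("/"):
            findings.append((port, "keystoreFile still has the IDP_HOME placeholder or is not an absolute path"))
        if c.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append((port, "keystorePass is a placeholder, not the password given to install.sh"))
        if port == "8443":
            if c.get("clientAuth") != "true":
                findings.append((port, "SP back-channel connector must request client certificates"))
            if c.get("SSLImplementation") != DELEGATE_IMPL:
                findings.append((port, "SSLImplementation must delegate certificate checks to the IdP"))
    for port in ("443", "8443"):
        if port not in seen:
            findings.append((port, "connector is missing"))
    return findings


# Constructed sample: the connectors exactly as the notes show them, with the
# placeholders still in place.
SERVER_XML_AS_WRITTEN = """<Server><Service name="Catalina">
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
 scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
 keystoreFile="IDP_HOME/credentials/idp.jks" keystorePass="YourSecretPassword"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
 SSLImplementation="%s"
 scheme="https" SSLEnabled="true" clientAuth="true"
 keystoreFile="IDP_HOME/credentials/idp.jks" keystorePass="PASSWORD"/>
</Service></Server>""" % DELEGATE_IMPL

# Constructed sample: the same file after the placeholders are replaced
# (the password is an invented example value, not a real credential).
SERVER_XML_FIXED = (SERVER_XML_AS_WRITTEN
                    .replace("IDP_HOME/", "/opt/shibboleth-idp/")
                    .replace("YourSecretPassword", "example-keystore-pw")
                    .replace('"PASSWORD"', '"example-keystore-pw"'))

if __name__ == "__main__":
    for label, xml in (("as written", SERVER_XML_AS_WRITTEN), ("fixed", SERVER_XML_FIXED)):
        print(label, connector_findings(xml) or "no findings")
```

Run it against the real TOMCAT_HOME/conf/server.xml after editing; the fragment as written above yields four findings (placeholder keystore path and password on each connector), the corrected copy none.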

5
Configure how Tomcat runs the IdP
There are two methods

Method 1
Using a Context Deployment Fragment
Create the file TOMCAT_HOME/conf/Catalina/localhost/idp.xml
#vi $CATALINA_HOME/conf/Catalina/localhost/idp.xml
<Context docBase="IDP_HOME/war/idp.war"
 privileged="true"
 antiResourceLocking="false"
 antiJARLocking="false"
 unpackWAR="false"
 swallowOutput="true"
/>
ps: replace IDP_HOME with the Shibboleth installation directory, i.e. $IDP_HOME

Method 2
Copy idp.war into $CATALINA_HOME/webapps/idp
Run jar -xvf idp.war

…………………………………………………

Restart Tomcat and test
ps: errors during Tomcat startup are logged in /opt/tomcat/logs/catalina.out

7
Quick Test
https://127.0.0.1/idp/profile/Status
If everything is working correctly you should receive an "ok" page

8
Local test
On the local machine you can open https://127.0.0.1/idp/status
which shows status information

For more information see
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPStatus

#######################################################################

Configuration

Configure the IdP (refer https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUserAuthn)

Configure authentication with JAAS
1
Edit handler.xml to configure the login method
1.1
Set the LoginHandler's xsi:type to "UsernamePassword"
1.2
Set the element's required parameter jaasConfigurationLocation
1.3
(optional) additional parameters
authenticationDuration
authenticationServletURL
Roughly as follows
$vi $IDP_HOME/conf/handler.xml
<!-- Username/password login handler -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
 <ph:AuthenticationMethod>
 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
 </ph:AuthenticationMethod>
</ph:LoginHandler>
ps: when configuring, it is recommended to keep only the login handler in use plus PreviousSession and comment out all the others, to avoid problems at login
ps: PreviousSession lets a user who has already authenticated visit a different SP without authenticating again


2
Edit login.config to configure LDAP
As follows
#vi $IDP_HOME/conf/login.config
ShibUserPassAuth {
 edu.vt.middleware.ldap.jaas.LdapLoginModule required
  ldapUrl="ldap://ldaphost:389"
  baseDn="ou=people,dc=example,dc=org"
  subtreeSearch="true"
  userField="uid"
  userFilter="uid={0}";
};
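LdapLoginModule authenticates a user by binding to the directory with the password the user just typed, so the ldapUrl scheme decides whether that password crosses the network in the clear. The following parser for the login.config syntax above, and the check built on it, are an added example, not code from these notes or from Shibboleth or vt-ldap; the embedded login.config is the one from these notes, and the "tls" option name treated as the StartTLS switch is an assumption about the vt-ldap module.

```python
# Added example, not part of the original notes: a parser for the JAAS
# login.config syntax above, plus a check of how the user's password reaches
# the LDAP server. The "tls" option name checked below is an assumption about
# the vt-ldap module's StartTLS switch.
import re
from urllib.parse import urlparse

# Tokens: key="quoted value", bare words (module names, flags, key=value),
# and the structural characters { } ;
_TOKEN = re.compile(r'[A-Za-z_][\w.]*="[^"]*"|"[^"]*"|[{};]|[^\s{};]+')


def parse_jaas_config(text):
    """Parse 'App { module flag opt=val ... ; ... };' into {app: [entries]}."""
    tokens = _TOKEN.findall(text)
    apps, i = {}, 0
    while i < len(tokens):
        name = tokens[i]
        if i + 1 >= len(tokens) or tokens[i + 1] != "{":
            raise ValueError("expected '{' after application name %r" % name)
        i += 2
        entries = []
        while tokens[i] != "}":
            module, flag = tokens[i], tokens[i + 1].lower()
            i += 2
            options = {}
            while tokens[i] != ";":
                key, _, value = tokens[i].partition("=")
                options[key] = value.strip('"')
                i += 1
            i += 1  # consume the ';' that ends this module entry
            entries.append({"module": module, "flag": flag, "options": options})
        if tokens[i + 1] != ";":
            raise ValueError("expected '};' closing application %r" % name)
        i += 2
        apps[name] = entries
    return apps


def cleartext_bind_findings(apps):
    """List (app, module, url) for LDAP modules that would bind over plain ldap://."""
    findings = []
    for app, entries in apps.items():
        for e in entries:
            url = e["options"].get("ldapUrl")
            if not url:
                continue
            if urlparse(url).scheme == "ldap" and e["options"].get("tls", "").lower() != "true":
                findings.append((app, e["module"], url))
    return findings


# Constructed sample: the login.config from the notes above.
LOGIN_CONFIG = '''
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldap://ldaphost:389"
    baseDn="ou=people,dc=example,dc=org"
    subtreeSearch="true"
    userField="uid"
    userFilter="uid={0}";
};
'''

if __name__ == "__main__":
    cfg = parse_jaas_config(LOGIN_CONFIG)
    print(cfg)
    print(cleartext_bind_findings(cfg) or "no cleartext LDAP binds")
```

With the URL as written the check reports one cleartext bind; switching to ldaps:// (or enabling StartTLS) clears it.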

3 (optional)
3.1
Edit attribute-resolver.xml to configure the attributes to fetch
Add a source attribute backed by LDAP data, with the connector id myldap
#vi $IDP_HOME/conf/attribute-resolver.xml
<!-- part1 define -->
<resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
 xmlns="urn:mace:shibboleth:2.0:resolver:ad">
  <resolver:Dependency ref="myldap" />
  <resolver:AttributeEncoder
   xsi:type="SAML2StringNameID"
   xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
   nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  />
</resolver:AttributeDefinition>
<!-- part2 data connectors -->
<resolver:DataConnector id="myldap" xsi:type="dc:LDAPDirectory"
 ldapURL="ldap://ldap.example.org"
 baseDN="ou=people,dc=example,dc=org"
 principal="uid=myservice,ou=system"
 principalCredential="myServicePassword">
 <dc:FilterTemplate>
  <![CDATA[
   (uid=$requestContext.principalName)
  ]]>
 </dc:FilterTemplate>
</resolver:DataConnector>
Explanation:
AttributeDefinition id: used for access control; must match the id used in attribute-filter.xml
nameFormat: the attribute's format; the SP must use the same format to parse it
DataConnector id: unique id of the data connection; must match the ref of resolver:Dependency
ldapURL: address of the LDAP host
baseDN: the base DN under which users are searched
principal: the DN used to bind when searching for users
principalCredential: the password of the DN given in principal
 
3.2
Edit attribute-filter.xml to configure attribute access control
#vi $IDP_HOME/conf/attribute-filter.xml
<afp:AttributeFilterPolicy>
 <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="principal">
  <afp:PermitValueRule xsi:type="basic:ANY" />
 </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Explanation:
attributeID: controls access to the AttributeDefinition with that id in attribute-resolver.xml
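Sections 3.1 and 3.2 state two cross-file rules: every resolver:Dependency ref must name an existing DataConnector, and every attributeID in attribute-filter.xml must name an existing AttributeDefinition. The check below is an added example, not code from these notes or from Shibboleth; it embeds the two fragments above wrapped in the standard Shibboleth 2 root elements and namespace declarations so they parse on their own (the AttributeFilterPolicy id is an invented value).

```python
# Added example, not part of the original notes: a consistency check across
# attribute-resolver.xml and attribute-filter.xml for the two rules stated in
# the notes. Root elements and namespace declarations are the standard
# Shibboleth 2 ones, added so the fragments from the notes parse stand-alone.
import xml.etree.ElementTree as ET

NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "afp": "urn:mace:shibboleth:2.0:afp",
}


def check_resolver_and_filter(resolver_xml, filter_xml):
    """Return (problems, released_attribute_ids) for the two config files."""
    resolver = ET.fromstring(resolver_xml)
    policy = ET.fromstring(filter_xml)
    definitions = {d.get("id") for d in resolver.findall("resolver:AttributeDefinition", NS)}
    connectors = {c.get("id") for c in resolver.findall("resolver:DataConnector", NS)}
    problems = []
    # Rule 1: each Dependency ref must resolve to a DataConnector (or another definition).
    for d in resolver.findall("resolver:AttributeDefinition", NS):
        for dep in d.findall("resolver:Dependency", NS):
            ref = dep.get("ref")
            if ref not in connectors and ref not in definitions:
                problems.append("AttributeDefinition %r depends on unknown id %r" % (d.get("id"), ref))
    # Rule 2: each attributeID in the filter must be a defined attribute.
    released = set()
    for rule in policy.iter("{%s}AttributeRule" % NS["afp"]):
        attr_id = rule.get("attributeID")
        if attr_id in definitions:
            released.add(attr_id)
        else:
            problems.append("attribute-filter releases %r but no AttributeDefinition has that id" % attr_id)
    return problems, sorted(released)


# Constructed sample: the attribute-resolver.xml fragment from the notes.
RESOLVER_XML = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myldap" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="myldap" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap.example.org" baseDN="ou=people,dc=example,dc=org"
      principal="uid=myservice,ou=system" principalCredential="myServicePassword">
    <dc:FilterTemplate><![CDATA[ (uid=$requestContext.principalName) ]]></dc:FilterTemplate>
  </resolver:DataConnector>
</resolver:AttributeResolver>"""

# Constructed sample: the attribute-filter.xml fragment from the notes
# (policy id is an invented value).
FILTER_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releasePrincipalToAll">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="principal">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

if __name__ == "__main__":
    problems, released = check_resolver_and_filter(RESOLVER_XML, FILTER_XML)
    print("problems:", problems or "none")
    print("attributes released by the filter:", released)
```

The returned released list is also a quick way to see what this policy hands to every SP (basic:ANY on the requirement rule means no SP restriction), which is worth reviewing before adding more attributes.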
 

4
Basic IdP setup is complete
The SP side can be configured with the following parameters
IdP entity ID = https://<yourdomain>/idp/shibboleth
resolver:Dependency ref="myldap" (attribute-resolver.xml)

Login endpoint
https://<yourdomain>/idp/profile/SAML2/Redirect/SSO


………………………………………………………………

Customizing login.jsp
ps: login.jsp is inside idp.war
To read the related variable values use
ex: <%=request.getAttribute("actionUrl")%>
The username input field must be named j_username
ex: <input name="j_username" type="text" tabindex="1" />
The password input field must be named j_password
ex: <input name="j_password" type="password" tabindex="2" />