{"id":679,"date":"2012-11-10T15:17:00","date_gmt":"2012-11-10T07:17:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=679"},"modified":"2023-11-04T15:29:30","modified_gmt":"2023-11-04T07:29:30","slug":"shibboleth-sp","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/679","title":{"rendered":"shibboleth SP"},"content":{"rendered":"\n<p>SP(service provider)\u52a0\u5165IDP\u6b65\u9a5f\u5982\u4e0b<br>1SP\u8a2d\u5b9a\u90e8\u4efd\uff1a\u5b89\u88dd\u548c\u8a2d\u5b9aSP,iis\u548capache\u6709\u4e0d\u540c\u65b9\u6cd5<br>2IDP\u8a2d\u5b9a\u90e8\u4efd\uff1a\u8a2d\u5b9aIDP\u52a0\u5165SP<\/p>\n\n\n\n<p>##########################################################################<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>SP\u8a2d\u5b9a\u90e8\u4efd<\/strong><\/h2>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;<\/p>\n\n\n\n<p><strong>SP on IIS&nbsp;<\/strong><\/p>\n\n\n\n<p><strong>IIS6\u524d\u7f6e\u4f5c\u696d<\/strong><br>1<br>\u7db2\u9801\u6a19\u982d\u503c\u8207IP\u4f4d\u7f6e\u9700\u5148\u8a2d\u5b9a<br>ex: \u5167\u5bb9&gt;\u7db2\u7ad9&gt;IP\u4f4d\u7f6e,\u53ca\u9032\u968e&gt;\u7de8\u8f2f\u4e3b\u6a5f\u6a19\u982d\u503c<br>2<br>\u555f\u7528ssl<\/p>\n\n\n\n<p><br>&#8230;&#8230;.<br><strong>\u5b89\u88dd<\/strong><\/p>\n\n\n\n<p>1<br><strong>\u6839\u64da\u5b89\u88dd\u6a94\u4f86\u6e90\u9078\u64c7\u9069\u5408\u7684\u5b89\u88dd<\/strong><br>https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/NativeSPWindowsInstall<br>ps:<br>\u9810\u8a2d\u5b89\u88dd\u8def\u5f91 C:optshibboleth-sp<br>\u5b89\u88dd\u5b8c\u5f8c\u6703\u91cd\u958b\u6a5f<\/p>\n\n\n\n<p>2<br><strong>\u6e2c\u8a66<\/strong><br>\u5728IIS\u7684ISAPI Filters\u6703\u591ashibboleth&nbsp;<br>\u555f\u52d5shibboleth<br>\u6aa2\u67e5sp 
metedata,\u4f4d\u7f6e\u5728<strong>http:\/\/\/Shibboleth.sso\/Metadata<\/strong><\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;<\/p>\n\n\n\n<p><strong>\u7d44\u614b<br><\/strong>\u7de8\u8f2fshibboleth2.xml<\/p>\n\n\n\n<p>part1<br>1<br><strong>\u8a2d\u5b9asite id<\/strong><br>&lt; Site id=&#8221;<strong>&lt; site id&gt;<\/strong>&#8221; name=&#8221;<strong>&lt; \u4e3b\u6a5f\u6a19\u982d\u503c&gt;<\/strong>&#8221; port=&#8221;443&#8243;&gt;<br>\u8aaa\u660e\u5982\u4e0b<br><strong>&lt; site id&gt;<\/strong>&nbsp;iis\u5404site\u7684\u8b58\u5225\u5143<br><strong>&lt; \u4e3b\u6a5f\u6a19\u982d\u503c&gt;<\/strong>&nbsp;iis\u5404site\u7684\u4e3b\u6a5f\u6a19\u982d\u503c<br>ex:<br>&lt; Site id=&#8221;5&#8243; name=&#8221;spiis.systw.net&#8221; port=&#8221;443&#8243;&gt;<br>PS:<br>site id\u53ef\u53c3\u8003https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/NativeSPISAPI<\/p>\n\n\n\n<p>2<br><strong>\u8a2d\u5b9a\u8981\u9a57\u8b49\u7684\u76ee\u9304<\/strong><br>&lt; Host name=&#8221;<strong>&lt;\u4e3b\u6a5f\u6a19\u982d\u503c&gt;<\/strong>&#8220;&gt;<br>&nbsp; &nbsp; &nbsp;&lt; Path name=&#8221;<strong>&lt; \u8981\u9a57\u8b49\u7684\u76ee\u9304&gt;<\/strong>&#8221; authType=&#8221;shibboleth&#8221; requireSession=&#8221;true&#8221;\/&gt;<br>&lt; \/Host&gt;<br>ex:<br>&lt; Host name=&#8221;spiis.systw.net&#8221;&gt;<br>\u3000&lt; Path name=&#8221;secure&#8221; authType=&#8221;shibboleth&#8221; requireSession=&#8221;true&#8221;\/&gt;<br>&lt; \/Host&gt;<\/p>\n\n\n\n<p>part2<br><strong>\u8abf\u6574ApplicationDefaults\u5340\u6bb5<\/strong><br>1<br><strong>\u8a2d\u5b9aentity id,<\/strong><br>An &#8220;https:\/\/hostname\/shibboleth&#8221; is recommended<br>&lt; ApplicationDefaults entityID=&#8221;<strong>https:\/\/hostname\/shibboleth<\/strong>&#8220;<br>REMOTE_USER=&#8221;eppn persistent-id targeted-id&#8221;&gt;<br>ex:<br>&lt; ApplicationDefaults entityID=&#8221;https:\/\/spiis.systw.net\/shibboleth&#8221;<br>REMOTE_USER=&#8221;eppn persistent-id 
targeted-id&#8221;&gt;<\/p>\n\n\n\n<p>2<br><strong>(optional)\u8a2d\u5b9asession<\/strong><br>&lt; Sessions lifetime=&#8221;28800&#8243; timeout=&#8221;3600&#8243; checkAddress=&#8221;false&#8221;<br>handlerURL=&#8221;\/Shibboleth.sso&#8221; handlerSSL=&#8221;true&#8221; cookieProps=&#8221;; path=\/; secure&#8221;<br>exportLocation=&#8221;http:\/\/localhost\/Shibboleth.sso\/GetAssertion&#8221; exportACL=&#8221;127.0.0.1&#8243;<br>idpHistory=&#8221;false&#8221; idpHistoryDays=&#8221;7&#8243;&gt;<br>ps:<br>checkAddress=\"false\" disables the check that ties a session to the client IP address. It is often unavoidable behind NAT or proxies, but it removes one defence against a stolen session cookie, so keep lifetime and timeout short. cookieProps as written only sets Secure; newer SP releases also accept the shorthand cookieProps=\"https\", which adds HttpOnly as well (confirm against your SP version).<\/p>\n\n\n\n<p>3<br><strong>\u5b9a\u7fa9\u8b80\u53d6metadata\u4f86\u6e90<\/strong><br>\u5047\u5982metadata\u653e\u5728\u672c\u5730\u6642\u8a2d\u5b9a\u5982\u4e0b<br>&lt; MetadataProvider type=&#8221;XML&#8221; file=&#8221;<strong>\/opt\/installfest\/idps\/idp#\/idp#-metadata.xml<\/strong>&#8221; \/&gt;<br>ps:<br>\u5047\u5982metadata\u653e\u5728\u9060\u7aef\u6642\u8a2d\u5b9a\u5982\u4e0b<br>&lt; MetadataProvider type=&#8221;XML&#8221; uri=&#8221;http:\/\/admin.example.org\/downloads\/ShibTrain1-metadata.xml&#8221;<br>backingFilePath=&#8221;ShibTrain1-metadata.xml&#8221; reloadInterval=&#8221;7200&#8243;&gt;<br>&lt; \/MetadataProvider&gt;<br>ps:<br>The remote example loads metadata over plain http with no filter, so the SP will trust whatever that URL serves, and the IdP certificates and endpoints in that metadata are the SP's trust anchor. Outside a test bench, add filters inside the MetadataProvider so the signature and expiry are verified, e.g.:<br>&lt;MetadataFilter type=\"Signature\" certificate=\"federation-signing.pem\"\/&gt;<br>&lt;MetadataFilter type=\"RequireValidUntil\" maxValidityInterval=\"2419200\"\/&gt;<\/p>\n\n\n\n<p>4<br><strong>\u5b9a\u7fa9sessioninitiator<\/strong><br>&lt; SSO entityID=&#8221;<strong>https:\/\/testidp.example.org\/idp\/shibboleth<\/strong>&#8220;&gt;<br>SAML2 SAML1<br>&lt; \/SSO&gt;<\/p>\n\n\n\n<p>ps:<br>\u9700\u6ce8\u610f\u4ee5\u4e0b\u5169\u9ede,\u5426\u5247IIS\u6703\u51fa\u73fe\u932f\u8aa4<br>1<br>\u6aa2\u67e5shibboleth2.xml\u6b63\u78ba\u6027<br>\u53ef\u4f7f\u7528\u6307\u4ee4 %SHIBSP_PREFIX%\/sbin\/shibd.exe 
-check<br>2<br>\u9700\u6ce8\u610f\u5230iis\u8981\u6709\u53ef\u8b80\u53d6%SHIBSP_PREFIX%\/lib\/\u7684\u6b0a\u9650<\/p>\n\n\n\n<p>ps:<br>\u8a2d\u5b9a\u65b9\u6cd5\u6982\u8981<br>https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/NativeSPIISConfig<\/p>\n\n\n\n<p>&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>SP on Apache&nbsp;<\/strong><\/h2>\n\n\n\n<p><strong>apache\u524d\u7f6e\u4f5c\u696d<\/strong>\u3000<br>1<br>#vi httpd.conf\u4ee5\u4e0b\u8cc7\u6599<br>UseCanonicalName On<br>ServerName &lt; YourAssignedHostname&gt;:80<br>ps:<br>2<br>\u555f\u7528ssl<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p><strong>\u5b89\u88dd<\/strong><br>\u5b89\u88ddshib module<br>https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/NativeSPLinuxRPMInstall<\/p>\n\n\n\n<p>1<br><strong>\u8a2d\u5b9ayum<\/strong><br>\u5728\u76ee\u9304\/etc\/yum.repos.d.\u5167\u65b0\u589eshib.repo\u6a94\u6848,\u4e26\u5305\u542b\u4ee5\u4e0bshibboleth\u7684yum\u7d44\u614b\u8a2d\u5b9a<br>[security_shibboleth]<br>name=Shibboleth (CentOS_5)<br>type=rpm-md<br>baseurl=http:\/\/download.opensuse.org\/repositories\/security:\/shibboleth\/CentOS_5\/<br>gpgcheck=1<br>gpgkey=http:\/\/download.opensuse.org\/repositories\/security:\/shibboleth\/CentOS_5\/repodata\/repomd.xml.key<br>enabled=1<br>ps:<br>\u4ee5\u4e0a\u7d44\u614b\u8a2d\u5b9a\u4f86\u81ea<br>http:\/\/download.opensuse.org\/repositories\/security:\/\/shibboleth\/CentOS_5\/security:shibboleth.repo<br>gpgcheck=1 only helps if the key itself is genuine. Both baseurl and gpgkey are plain http, so someone on the path during the first install could replace the key and the packages together; prefer https URLs where the mirror offers them, and compare the fingerprint of the key yum asks you to import with the one published by the Shibboleth project before accepting it.<\/p>\n\n\n\n<p>2<br><strong>\u4ee5yum\u5b89\u88dd<\/strong><br>#yum install shibboleth<br>\u5b89\u88dd\u5b8c\u5f8c\u6709\u4ee5\u4e0b\u8cc7\u6599<br>\/usr\/sbin\/shibd #\u555f\u52d5\u6a94<br>\/usr\/lib\/shibboleth\/mod_shib #\u6a21\u7d44\u5b58\u653e\u8655<br>\/etc\/shibboleth\/ 
#\u7d44\u614b\u6a94\u653e\u7f6e\u8655<br>\/etc\/httpd\/conf.d\/shib.conf #apache\u7d44\u614b<br>\/etc\/shibboleth\/native.logger #\u8a2d\u5b9alog\u904b\u4f5c<br>\/var\/log\/shibboleth #\u4e3b\u8981\u8981\u7684log\u76ee\u9304<br>\/var\/log\/shibboleth\/shibd.log #\u555f\u52d5\u5f8c\u6703\u81ea\u5df1\u7522\u751f,\u627e\u554f\u984c\u5148\u770b\u8a72\u6a94\/var\/log\/httpd\/native.log #log\u6a94,\u56e0\u6b0a\u9650\u554f\u984c\u9810\u8a2d\u6c92\u6a94\u6848<\/p>\n\n\n\n<p>3<br><strong>restart service<\/strong><br>\u91cd\u958bapache(\u52d9\u5fc5\u78ba\u8a8dapache\u6709ssl)<br>#service httpd restart<br>\u555f\u52d5shib<br>#\/sbin\/service shibd start<\/p>\n\n\n\n<p>4<br><strong>\u6e2c\u8a66<\/strong><br>\u65bcsp\u672c\u6a5f\u4e0a\u958b\u555f\u4ee5\u4e0b\u7db2\u5740<br>https:\/\/localhost\/Shibboleth.sso\/Status<br>ps:<br>\u958b\u555f\u4f4d\u7f6e\u88ab\u9650\u5236\u5728\/etc\/shibboleth\/shibboleth2.xml\u5167\u7684<br>&lt; Handler type=&#8221;Status&#8221; Location=&#8221;\/Status&#8221; acl=&#8221;127.0.0.1&#8243;\/&gt;<\/p>\n\n\n\n<p><br>&#8230;<\/p>\n\n\n\n<p><strong>\u7d44\u614b\u3000<\/strong><br>\u7de8\u8f2fshibboleth2.xml<br>\/etc\/shibboleth\/shibboleth2.xml<\/p>\n\n\n\n<p><strong>\u8abf\u6574ApplicationDefaults\u5340\u6bb5<\/strong><br>1<br><strong>\u8a2d\u5b9aentity id,<\/strong><br>An &#8220;https:\/\/hostname\/shibboleth&#8221; is recommended<br>&lt; ApplicationDefaults entityID=&#8221;<strong>https:\/\/hostname\/shibboleth<\/strong>&#8220;<br>REMOTE_USER=&#8221;eppn persistent-id targeted-id&#8221;&gt;<br>2<br><strong>(optional)\u8a2d\u5b9asession<\/strong><br>&lt; Sessions lifetime=&#8221;28800&#8243; timeout=&#8221;3600&#8243; checkAddress=&#8221;false&#8221;<br>handlerURL=&#8221;\/Shibboleth.sso&#8221; handlerSSL=&#8221;true&#8221; cookieProps=&#8221;; path=\/; secure&#8221;<br>exportLocation=&#8221;http:\/\/localhost\/Shibboleth.sso\/GetAssertion&#8221; exportACL=&#8221;127.0.0.1&#8243;<br>idpHistory=&#8221;false&#8221; 
idpHistoryDays=&#8221;7&#8243;&gt;<br>3<br><strong>\u5b9a\u7fa9\u8b80\u53d6metadata\u4f86\u6e90<\/strong><br>metadata\u653e\u5728\u672c\u5730\u6642<br>&lt; MetadataProvider type=&#8221;XML&#8221; file=&#8221;<strong>\/opt\/installfest\/idps\/idp#\/idp#-metadata.xml<\/strong>&#8221; \/&gt;<br>ps:<br>metadata\u653e\u5728\u9060\u7aef\u6642<br>&lt; MetadataProvider type=&#8221;XML&#8221; uri=&#8221;http:\/\/admin.example.org\/downloads\/ShibTrain1-metadata.xml&#8221;<br>backingFilePath=&#8221;ShibTrain1-metadata.xml&#8221; reloadInterval=&#8221;7200&#8243;&gt;<br>&lt; \/MetadataProvider&gt;<br>4<br><strong>\u5b9a\u7fa9sessioninitiator<\/strong><br>&lt; SSO entityID=&#8221;<strong>https:\/\/testidp.example.org\/idp\/shibboleth<\/strong>&#8220;&gt;<br>SAML2 SAML1<br>&lt; \/SSO&gt;<br><\/p>\n\n\n\n<p>(optional)<br><strong>\u7de8\u8f2fattribute-map.xml<\/strong><br>\/etc\/shibboleth\/attribute-map.xml<br>\u8abf\u6574attribute<br>\u53ef\u8b80\u53d6idp\u5f97\u5230\u7684\u4f7f\u7528\u8005\u8cc7\u6599,\u9810\u8a2d\u662f\u4e0d\u548cidp\u8981<br>ex:<br>&lt; Attribute name=&#8221;urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified&#8221; id=&#8221;uid&#8221;\/&gt;<br>ps:<br>\u53ef\u53c3\u8003<br>https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/NativeSPAttributeExtractor<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p><strong>\u6700\u5f8c\u6aa2\u67e5<\/strong><br>1\u6aa2\u67e5\u7d44\u614b\u6a94\u662f\u5426\u6709\u932f\u8aa4<br>#\/usr\/sbin\/shibd -t<br>2\u91cd\u555fweb server\u548cshibd<br>#service httpd restart<br>#service shibd restart<br>3\u78ba\u8a8dStatus\u662f\u5426\u6b63\u5e38<br>https:\/\/localhost\/Shibboleth.sso\/Status<\/p>\n\n\n\n<p>#####################################################################<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>IDP\u8a2d\u5b9a\u90e8\u4efd<\/strong><\/h2>\n\n\n\n<p><br><strong>\u8b93idp\u53ef\u8b80\u53d6sp\u7684metadata<\/strong><br>sp\u7684metadata\u5728https:\/\/&lt; sp 
url&gt;\/Shibboleth.sso\/Metadata<br>ex:<br>\u5f9eidp\u53d6\u5f97sp\u7684metadata<br>curl -o Metadata.xml -k https:\/\/&lt; YourAssignedHostname&gt;\/Shibboleth.sso\/Metadata<br>ps:<br>-k turns off TLS certificate verification for this download. The file becomes the IdP's trust anchor for that SP (it carries the SP's certificate and endpoints), so use -k only on a network you trust, or verify the downloaded file out of band with the SP administrator (e.g. compare a hash) before installing it.<\/p>\n\n\n\n<p><strong>\u8b93idp\u4ee5\u8b80\u53d6\u672c\u5730\u6a94\u65b9\u5f0f\u6307\u5b9ametadata\u4f4d\u7f6e<\/strong><br>1<br><strong>\u53d6\u5f97metadata<\/strong><br>\u5c07\u8a72metadata\u653e\u5728\/opt\/shibboleth-idp\/metadata\u4e26\u547d\u540d\u70basp.metadata.xml<br>2<br><strong>\u52a0\u5165relying-party.xml,<\/strong><br>\u8a2d\u5b9a\u5982\u4e0b<br>#vi \/opt\/shibboleth-idp\/conf\/relying-party.xml<br>\u52a0\u5165\u4ee5\u4e0b\u5340\u6bb5<br>&lt; RelyingParty id=&#8221;<strong>https:\/\/spurl\/shibboleth<\/strong>&#8220;<br>provider=&#8221;<strong>https:\/\/idpurl\/shibboleth<\/strong>&#8220;<br>defaultSigningCredentialRef=&#8221;IdPCredential&#8221;&gt;<br>&lt; ProfileConfiguration xsi:type=&#8221;saml:SAML2SSOProfile&#8221; encryptAssertions=&#8221;never&#8221; encryptNameIds=&#8221;never&#8221; \/&gt;<br>&lt; \/RelyingParty&gt;<br>ps:<br>encryptAssertions=\"never\" is a troubleshooting setting: the attributes then pass through the user's browser unencrypted inside the SAML response, protected only by TLS. Do not carry it into production; leave the attribute at the IdP default (conditional) so the assertion is encrypted to the certificate published in the SP's metadata.<br>\u52a0\u5165\u4ee5\u4e0b\u5340\u6bb5<br>&lt; MetadataProvider id=&#8221;sptest&#8221; xsi:type=&#8221;FilesystemMetadataProvider&#8221; xmlns=&#8221;urn:mace:shibboleth:2.0:metadata&#8221;<br>metadataFile=&#8221;<strong>\/opt\/shibboleth-idp\/metadata\/sp.metadata.xml<\/strong>&#8221; \/&gt;<br>ps:\u6b64id\u4e0d\u53ef\u548c\u5176\u4ed6\u7684\u91cd\u8986,\u9700\u4f7f\u7528\u8a72sp\u4e4bmetadata\u5167\u7684entityID<br>(The RelyingParty id must equal the entityID in the SP's metadata; the MetadataProvider id is only a bean name that has to be unique within this file.)<\/p>\n\n\n\n<p>#####################################################################<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u5176\u4ed6\u88dc\u5145&nbsp;<\/strong><\/h2>\n\n\n\n<p><strong>\u4f7f\u7528aacli\u6aa2\u67e5attribute<\/strong><br>\u8a72\u5de5\u5177\u6703\u6aa2\u67e5resolver,filters,metadata<br>\u57f7\u884cbin\/aacli.sh --configDir=conf\/ --principal=principal<br>\u8a2d\u5b9a\u6b63\u78ba\u6703\u51fa\u73fe<br>&lt; ?xml version=&#8221;1.0&#8243; encoding=&#8221;UTF-8&#8243;?&gt;&lt; saml2:AttributeStatement 
xmlns:saml2=&#8221;urn:oasis:names:tc:SAML:2.0:assertion&#8221;&gt;<br>&lt; saml2:Attribute Name=&#8221;attri1&#8243; NameFormat=&#8221;urn:oasis:names:tc:SAML:2.0:attrname-format:uri&#8221;&gt;<br>&lt; saml2:AttributeValue xmlns:xs=&#8221;http:\/\/www.w3.org\/2001\/XMLSchema&#8221; xmlns:xsi=&#8221;http:\/\/www.w3.org\/2001\/XMLSchema-instance&#8221; xsi:type=&#8221;xs:string&#8221;&gt;principal<br>&lt; \/saml2:Attribute&gt;<br>&lt; \/saml2:AttributeStatement&gt;<br>\u5931\u6557\u6703\u51fa\u73fe<br>No attribute statement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SP(service provider)\u52a0\u5165IDP\u6b65\u9a5f\u5982\u4e0b1 &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21],"tags":[],"class_list":["post-679","post","type-post","status-publish","format-standard","hentry","category-linuxservice"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=679"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/679\/revisions"}],"wp:attachment"
:[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}