{"id":682,"date":"2012-11-04T15:18:00","date_gmt":"2012-11-04T07:18:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=682"},"modified":"2023-11-04T15:29:46","modified_gmt":"2023-11-04T07:29:46","slug":"shibboleth-with-google","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/682","title":{"rendered":"shibboleth with google"},"content":{"rendered":"\n

shibboleth idp\u8207google app\u8a8d\u8b49\u6574\u5408
ps:shibboleth idp\u5efa\u7f6e\u8207\u8a2d\u5b9a\u53ef\u53c3\u8003https:\/\/systw.net\/note\/af\/sblog\/more.php?id=255<\/a><\/p>\n\n\n\n

shibboleth idp\u90e8\u4efd,\u6b65\u9a5f\u6458\u8981<\/strong>
1\u5efa\u7acbgoogle app\u7684sp metadata
2\u900f\u904erelying-party.xml\u5c07\u8a72sp metadata\u7d0d\u5165idp
3\u900f\u904eattribute-resolver.xml\u65b0\u589eattribute\u9023\u63a5idp\u7684ldap
4\u900f\u904eattribute-policy.xml\u8a2d\u5b9a\u8a72attribute\u5b58\u53d6\u898f\u5247<\/p>\n\n\n\n

…..<\/p>\n\n\n\n

1
\u5efa\u7acbsp metadata<\/strong><\/p>\n\n\n\n

\u5728IDP_HOME\/metadata\u4e0b\u5efa\u7acbmetadata,\u4e26\u64c1\u6709\u4ee5\u4e0b\u8cc7\u6599<\/strong>
< md:EntityDescriptor entityID=”< sp_entityid><\/strong>” validUntil=”2010-01-01T00:00:00Z”>
< md:SPSSODescriptor protocolSupportEnumeration=”< value><\/strong>” >
\u3000< md:NameIDFormat>< \/md:NameIDFormat>
\u3000< md:AssertionConsumerService
Location=”< relative path><\/strong>” index=”< unsigned integer><\/strong>” Binding=”< URI><\/strong>“
\/>
< \/md:SPSSODescriptor>
< \/md:EntityDescriptor>
\u8aaa\u660e\u5982\u4e0b
EntityDescriptor<\/strong>
\u3000entityID=”< sp_entityid>” ,\u82e5\u6c92\u52fe\u9078Use a domain specific issuer,\u5247sp_entiyid\u70bagoogle.com
\u3000xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”
protocolSupportEnumeration<\/strong>
\u652f\u63f4\u4ee5\u4e0b,\u82e5\u8a2d\u591a\u500b\u9700\u4ee5\u7a7a\u767d\u5206\u9694
\u3000urn:oasis:names:tc:SAML:1.1:protocol
\u3000urn:oasis:names:tc:SAML:2.0:protocol
NameIDFormat(\u9078\u64c7\u6027)<\/strong>
\u3000\u6307\u5b9asp saml name identifiers\u683c\u5f0f
AssertionConsumerService(\u81f3\u5c11\u9700\u8a2d\u5b9a\u4e00\u500b)<\/strong>
\u9700\u8a2d\u5b9alocation,binding,index
\u3000location<\/strong>
\u3000\u9700\u8a2d\u5b9asp acs\u7684url\u4f4d\u7f6e
\u3000This is the location to which an IdP sends assertions using whatever protocol and binding it shares with the SP.
\u3000Each combination of SSO protocol and binding is usually installed at a unique location to improve efficiency.
\u3000binding<\/strong>
\u3000\u652f\u63f4\u4ee5\u4e0buri
\u3000urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
\u3000urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
\u3000urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
\u3000urn:oasis:names:tc:SAML:2.0:bindings:PAOS
\u3000index<\/strong>
\u3000\u662f\u4e00\u500bacs endpoint\u7684tag,\u7528\u4f86\u53c3\u7167\u5230\u5176\u4ed6\u7d44\u614b\u5143\u7d20\u6216\u61c9\u7528,\u4e00\u822c\u90fd\u8a2d1<\/p>\n\n\n\n

ex
\u5047\u8a2d
sp_entityid=google.com
location=https:\/\/www.google.com\/a\/systw.net\/acs
\u5247
#vi $IDP_HOME\/metadata\/google-metadata.xml
< EntityDescriptor entityID=”google.com” xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”>
\u3000< SPSSODescriptor protocolSupportEnumeration=”urn:oasis:names:tc:SAML:2.0:protocol”>
\u3000\u3000< NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified< \/NameIDFormat>
\u3000\u3000< AssertionConsumerService
\u3000\u3000\u3000index=”1″
\u3000\u3000\u3000Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”
\u3000\u3000\u3000Location=”https:\/\/www.google.com\/a\/systw.net\/acs” \/>
\u3000< \/SPSSODescriptor>
< \/EntityDescriptor><\/p>\n\n\n\n

…..
 
2<\/strong>
\u5b9a\u7fa9sp metadata\u4f86\u6e90<\/strong>
\u7de8\u8f2f$IDP_HOME\/conf\/relying-party.xml,\u4e26\u8a2d\u5b9a\u4ee5\u4e0b
ex:
#vi $IDP_HOME\/conf\/relying-party.xml
ps:\u4ee5\u4e0bYOUR-ENTITY-ID\u53caIDP_HOME\u9700\u4f9d\u5be6\u969b\u74b0\u5883\u505a\u8a2d\u5b9a<\/p>\n\n\n\n

2.1\u5b9a\u7fa9\u65b0\u7684RelyingParty element<\/strong>
\u683c\u5f0f\u5982\u4e0b
< RelyingParty id=”< sp_entityid>”
\u3000provider=”< idp_entityid>”
\u3000defaultSigningCredentialRef=”IdPCredential”>
\u3000< ProfileConfiguration xsi:type=”saml:SAML2SSOProfile” encryptAssertions=”never” encryptNameIds=”never” \/>
< \/RelyingParty>
\u8aaa\u660e\u5982\u4e0b<\/strong>
relying party<\/strong>\u3000\u4e3b\u8981\u6709\u4ee5\u4e0b3\u7a2e\u985e\u578b
\u3000< AnonymousRelyingParty>\u3000\u9700\u8a2d\u5b9aprovider\u5c6c\u6027
\u3000< DefaultRelyingParty> \u9700\u8a2d\u5b9aprovider\u5c6c\u6027
\u3000< RelyingParty>\u3000\u9700\u8a2d\u5b9aid\u53caprovider\u5c6c\u6027
id<\/strong> \u8a2d\u5b9asp\u7684entityid
provider<\/strong>\u3000\u8a2d\u5b9aidp\u7684entityid
defaultSigningCredentialRef<\/strong>\u3000\u4f7f\u7528IdPCredential
xsi:type<\/strong>\u3000\u4f7f\u7528saml:SAML2SSOProfile
ps:relying party\u76f8\u95dc\u8a2d\u5b9a\u8acb\u53c3\u8003https:\/\/spaces.internet2.edu\/display\/SHIB2\/IdPRelyingParty
ps:relying party\u76f8\u95dc\u8aaa\u660ehttps:\/\/spaces.internet2.edu\/display\/SHIB2\/IdPUnderstandingRP
ex:
\u5c07\u4ee5\u4e0brelyingparty\u653e\u5165<\/strong>
< RelyingParty id=”google.com”
\u3000provider=”YOUR-ENTITY-ID”
\u3000defaultSigningCredentialRef=”IdPCredential”>
\u3000< ProfileConfiguration xsi:type=”saml:SAML2SSOProfile” encryptAssertions=”never” encryptNameIds=”never” \/>
< \/RelyingParty><\/p>\n\n\n\n

2.2\u5c07\u525b\u624d\u5efa\u7acb\u7684sp metadata\u8a2d\u5b9a\u9032\u53bb<\/strong>
\u683c\u5f0f\u5982\u4e0b
< MetadataProvider id=”< id><\/strong>” xsi:type=”FilesystemMetadataProvider” xmlns=”urn:mace:shibboleth:2.0:metadata”
metadataFile=”< sp metadata path>” maintainExpiredMetadata=”true” \/>
\u8aaa\u660e\u5982\u4e0b<\/strong>
id <\/strong>   
xsi:type<\/strong>\u4f7f\u7528”FilesystemMetadataProvider”
xmlns<\/strong>\u4f7f\u7528”urn:mace:shibboleth:2.0:metadata
metadataFile<\/strong>\u8981\u5b9a\u7fa9metadata file\u7684\u5be6\u969b\u4f4d\u7f6e
ps:
Define a New Metadata Source(\u5b9a\u7fa9\u65b0metadata\u4f86\u6e90\u8aaa\u660e)
https:\/\/spaces.internet2.edu\/display\/SHIB2\/IdPMetadataProvider
ex:
\u5c07\u4ee5\u4e0bmetadataprovider\u653e\u5165< metadata:MetadataProvider id=”ShibbolethMetadata” xsi:type=”metadata:ChainingMetadataProvider”>\u548c< \/metadata:MetadataProvider>\u4e4b\u9593<\/strong>
< !– Google Metadata –>
< MetadataProvider id=”GoogleMD” xsi:type=”FilesystemMetadataProvider” xmlns=”urn:mace:shibboleth:2.0:metadata”
metadataFile=”IDP_HOME\/metadata\/google-metadata.xml” maintainExpiredMetadata=”true” \/><\/p>\n\n\n\n

…..
3<\/strong>
\u65b0\u589eattribute\u9023\u63a5idp\u7684ldap<\/strong>
 <\/p>\n\n\n\n

\u8a2d\u5b9aAttribute Definition\u548cAttribute Encoding<\/strong>
#vi $IDP_HOME\/conf\/attribute-resolver.xml
< resolver:AttributeDefinition id=”principal” xsi:type=”PrincipalName” xmlns=”urn:mace:shibboleth:2.0:resolver:ad”>
\u3000< resolver:Dependency ref=”myldap” \/>
\u3000< resolver:AttributeEncoder
\u3000\u3000xsi:type=”SAML2StringNameID”
\u3000\u3000xmlns=”urn:mace:shibboleth:2.0:attribute:encoder”
\u3000\u3000nameFormat=”urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” \/>
< \/resolver:AttributeDefinition>
\u8aaa\u660e\u5982\u4e0b<\/strong>
AttributeDefinition\u90e8\u4efd<\/strong>
\u3000id<\/strong> \u7528\u65bc\u548cAttributeRule attributeID\u5c0d\u61c9\u7684\u7de8\u865f
\u3000xsi:type<\/strong>\u4f7f\u7528principal name attribute definition  
\u3000resolver:Dependency ref<\/strong> \u7528\u65bc\u548cdataconnector\u5c0d\u61c9\u7684\u7de8\u865f
AttributeEncoder\u90e8\u4efd<\/strong>
\u3000xsi:type<\/strong>\u4f7f\u7528”SAML2StringNameID”<\/p>\n\n\n\n

ex:
\u65b0\u589eprincipal\u5c6c\u6027,\u4e26\u7528myldap\u9023\u63a5idp<\/strong>
#vi $IDP_HOME\/conf\/attribute-resolver.xml
< resolver:AttributeDefinition id=”principal” xsi:type=”PrincipalName” xmlns=”urn:mace:shibboleth:2.0:resolver:ad”>
\u3000< resolver:Dependency ref=”myldap” \/>
\u3000< resolver:AttributeEncoder
\u3000\u3000xsi:type=”SAML2StringNameID”
\u3000\u3000xmlns=”urn:mace:shibboleth:2.0:attribute:encoder”
\u3000\u3000nameFormat=”urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” \/>
< \/resolver:AttributeDefinition><\/p>\n\n\n\n

ps:
release the attribute
\u4fee\u6539attribute-filter.xml\u4ee5\u8a2d\u5b9aattribute filter policy,\u624d\u53ef\u4f7f\u7528\u65b0\u7684attribute,\u5982\u4e0b\u6b65\u9a5f4<\/p>\n\n\n\n

…..
4<\/strong>
\u8a2d\u5b9aattribute\u5b58\u53d6\u898f\u5247<\/strong>
<\/p>\n\n\n\n

\u900f\u904epolicy\u8a2d\u5b9aattribute\u7684\u5b58\u53d6\u898f\u5247<\/strong>
#vi IDP_HOME\/conf\/attribute-filter.xml
< afp:AttributeFilterPolicy id=”unique name”>
\u3000< afp:PolicyRequirementRule xsi:type=”< type>” \/>
\u3000< afp:AttributeRule attributeID=”< attributeid>”>
\u3000\u3000< afp:PermitValueRule xsi:type=”< type>” \/>
\u3000< \/afp:AttributeRule>
< \/afp:AttributeFilterPolicy>
\u8aaa\u660e\u5982\u4e0b
AttributeFilterPolicy id<\/strong> \u81ea\u884c\u8a2d\u5b9a\u4e00\u500b\u4e0d\u8981\u91cd\u8986\u7684\u552f\u4e00\u540d\u7a31 
AttributeRule attributeID<\/strong> \u7528\u65bc\u548cAttributeDefinition id\u5c0d\u61c9\u7684\u7de8\u865f<\/p>\n\n\n\n

ex:
\u8a2d\u5b9aprincipal\u5c6c\u6027\u4f7f\u7528\u7684policy<\/strong>
< afp:AttributeFilterPolicy id=”releasetoanyone”>
\u3000< afp:PolicyRequirementRule xsi:type=”basic:AttributeRequesterString” value=”google.com” \/>
\u3000< afp:AttributeRule attributeID=”principal”>
\u3000\u3000< afp:PermitValueRule xsi:type=”basic:ANY” \/>
\u3000< \/afp:AttributeRule>
< \/afp:AttributeFilterPolicy><\/p>\n","protected":false},"excerpt":{"rendered":"

shibboleth idp\u8207google app\u8a8d\u8b49\u6574\u5408p …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21],"tags":[],"class_list":["post-682","post","type-post","status-publish","format-standard","hentry","category-linuxservice"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=682"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/682\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}