{"id":684,"date":"2012-11-04T15:19:00","date_gmt":"2012-11-04T07:19:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=684"},"modified":"2023-11-04T15:29:37","modified_gmt":"2023-11-04T07:29:37","slug":"shibboleth-idp","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/684","title":{"rendered":"shibboleth IDP"},"content":{"rendered":"\n

shibboleth\u53ef\u7528\u4f86\u5efa\u7f6eWEB\u55ae\u4e00\u7c3d\u5165\uff0c\u900f\u904eIDP(identify provider)\u8fa8\u8b58\u5f9eSP(service provider)\u4f86\u7684\u4f7f\u7528\u8005\u3000 
\u5efa\u7f6e\u7bc4\u4f8b\u53c3\u8003
https:\/\/spaces.internet2.edu\/display\/ShibInstallFest\/Shibboleth+Workshop+Series+-+Linux+Identity+Provider+%28Centos+6.2%29<\/p>\n\n\n\n

………………………………………………………………………………………………………………………………….<\/p>\n\n\n\n

\u5b89\u88dd <\/strong><\/h2>\n\n\n\n


ps:\u5b89\u88ddidp\u4e4b\u524d\u8acb\u78ba\u5b9a\u53ef\u4ee5\u57f7\u884cjava
ps:centos\u548credhat\u9700\u7528openjdk\u5b89\u88dd\u8207\u57f7\u884cidp,\u900f\u904eyum makecache && yum search openjdk\u53ef\u627e\u5230\u53ef\u7528\u7684\u7248\u672c
ps:\u5b89\u88ddIDP\u53c3\u8003\u6587\u737b\u3000https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/IdPInstall<\/p>\n\n\n\n

1
\u4e0b\u8f09<\/strong>
Identity Provider software package\u4e0b\u8f09\u9ede\u5982\u4e0b
http:\/\/www.shibboleth.net\/downloads\/identity-provider\/
ex:
curl -O http:\/\/shibboleth.net\/downloads\/identity-provider\/latest\/shibboleth-identityprovider-2.3.0-bin.zip<\/p>\n\n\n\n

2
\u5b89\u88dd<\/strong>
#unzip shibboleth-identityprovider-2.2.0-bin.zip
#shibboleth-identityprovider-2.2.0\/install.sh
\u6703\u554f3\u500b\u554f\u984c
Where should the Shibboleth Identity Provider software be installed? [\/opt\/shibboleth-idp]
ps:\u8a72\u4f4d\u7f6e\u6307\u7684\u662fIDP_HOME
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp1.example.org]
ps:\u6307\u5b9afully qualified hostname
A keystore is about to be generated for you. Please enter a password that will be used to protect it
\u8f38\u5165\u81ea\u8a02\u7684\u5bc6\u78bc(\u5f85\u6703\u5728tomcat\u7684server.xml\u6a94\u4e2dkeystorePass\u6703\u7528\u5230)<\/p>\n\n\n\n

\u5b89\u88dd\u904e\u7a0bresult\u5982\u4e0b
Updating property file: \/root\/shibboleth-identityprovider-2.3.0\/src\/installer\/resources\/install.proper ties
Created dir: \/opt\/shibboleth-idp
Created dir: \/opt\/shibboleth-idp\/bin
Created dir: \/opt\/shibboleth-idp\/conf
Created dir: \/opt\/shibboleth-idp\/credentials
Created dir: \/opt\/shibboleth-idp\/lib
Created dir: \/opt\/shibboleth-idp\/lib\/endorsed
Created dir: \/opt\/shibboleth-idp\/logs
Created dir: \/opt\/shibboleth-idp\/metadata
Created dir: \/opt\/shibboleth-idp\/war
Generating signing and encryption key, certificate, and keystore.
Copying 5 files to \/opt\/shibboleth-idp\/bin
Copying 8 files to \/opt\/shibboleth-idp\/conf
Copying 1 file to \/opt\/shibboleth-idp\/metadata
Copying 51 files to \/opt\/shibboleth-idp\/lib
Copying 5 files to \/opt\/shibboleth-idp\/lib\/endorsed
Copying 1 file to \/root\/shibboleth-identityprovider-2.2.0\/src\/installer
Building war: \/root\/shibboleth-identityprovider-2.2.0\/src\/installer\/idp.war
Copying 1 file to \/opt\/shibboleth-idp\/war
Deleting: \/root\/shibboleth-identityprovider-2.2.0\/src\/installer\/web.xml
Deleting: \/root\/shibboleth-identityprovider-2.2.0\/src\/installer\/idp.war<\/p>\n\n\n\n

BUILD SUCCESSFUL
Total time: 1 minute 5 seconds<\/p>\n\n\n\n

……….<\/p>\n\n\n\n

Preparing Apache Tomcat for the Shibboleth Identity Provider<\/strong>
(refer https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/IdPApacheTomcatPrepare)
ps:centos\u548credhat\u9700\u7528openjdk\u57f7\u884ctomcat
ps:Apache Tomcat 6.0.17 or greater
ps:\u5efa\u8b70\u5728TOMCAT_HOME\/bin\/catalina.sh\u5167\u52a0 -Xmx512M -XX:MaxPermSize=128m<\/p>\n\n\n\n

3
copy endorsed<\/strong>
#cp -rf $IDP_HOME\/lib\/endorsed $CATALINA_HOME\/endorsed
or
#cp \/root\/shibboleth-identityprovider-2.3.0\/endorsed\/*.jar $CATALINA_HOME\/endorsed
ps
Endorsed libraries
Endorse Xerces and Xalan by creating the directory TOMCAT_HOME\/endorsed and copy the .jar files included in the IdP source endorsed directory into the newly created directory.
ps:
shibboleth\u8981\u6c42tomcat\u555f\u52d5\u6642\u9700\u5305\u542b\u8a72\u53c3\u6578 -Djava.endorsed.dirs=$CATALINA_HOME\/endorsed
$CATALINA_HOME\u662f\u6307TOMCAT\u7684\u5b89\u88dd\u76ee\u9304<\/p>\n\n\n\n

4
Supporting SOAP Endpoints<\/strong>
4.1
Download tomcat6-dta-ssl-1.0.0.jar (asc) in to TOMCAT_HOME\/lib\/.
#curl -o \/usr\/share\/tomcat6\/lib\/tomcat6-dta-ssl-1.0.0.jar http:\/\/shibboleth.internet2.edu\/downloads\/maven2\/edu\/internet2\/middleware\/security\/tomcat6\/tomcat6-dta-ssl\/1.0.0\/tomcat6-dta-ssl-1.0.0.jar
4.2
Configure Tomcat for endpoints on on both ports 443 and 8443
ps:443\u7528\u65bcuser agent,8443\u7528\u65bcsp
#vi TOMCAT_HOME\/conf\/server.xml file:
< Connector port=”443″
\u3000protocol=”HTTP\/1.1″
\u3000SSLEnabled=”true”
\u3000maxThreads=”150″
\u3000scheme=”https”
\u3000secure=”true”
\u3000clientAuth=”false”
\u3000sslProtocol=”TLS”
\u3000keystoreFile=”IDP_HOME\/credentials\/idp.jks”
\u3000keystorePass=”YourSecretPassword”<\/strong>
\/>
< Connector port=”8443″
\u3000protocol=”org.apache.coyote.http11.Http11Protocol”
\u3000SSLImplementation=”edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation”
\u3000scheme=”https”
\u3000SSLEnabled=”true”
\u3000clientAuth=”true”
\u3000keystoreFile=”IDP_HOME\/credentials\/idp.jks”
\u3000keystorePass=”PASSWORD”<\/strong>
\/>
ps:
IDP_HOME\u8acb\u66f4\u6539\u6210shibboleth\u5b89\u88dd\u76ee\u9304,\u4e5f\u5c31\u662f$IDP_HOME
keystoreFile\u8acb\u6307\u5b9ajks\u7684\u4f4d\u7f6e
keystorePass\u8acb\u66f4\u6539\u6210\u5b89\u88ddidp\u6642\u7684\u5bc6\u78bc
ps
\u91cd\u65b0\u555f\u52d5tomcat,\u4e26\u89c0\u67e5443\u548c8443\u662f\u5426\u6709listen
#netstat -atunlp | grep LISTEN | grep 443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN<\/p>\n\n\n\n

5
\u8a2d\u5b9atomcat\u57f7\u884cidp\u65b9\u5f0f<\/strong>
\u6709\u4ee5\u4e0b2\u65b9\u6cd5<\/p>\n\n\n\n

\u65b9\u6cd51
Using a Context Deployment Fragment
Create the file TOMCAT_HOME\/conf\/Catalina\/localhost\/idp.xml
#vi $CATALINA_HOME\/conf\/Catalina\/localhost\/idp.xml
< Context docBase=”IDP_HOME\/war\/idp.war”
\u3000privileged=”true”
\u3000antiResourceLocking=”false”
\u3000antiJARLocking=”false”
\u3000unpackWAR=”false”
\u3000swallowOutput=”true”
\/>
ps:IDP_HOME\u8acb\u66f4\u6539\u6210shibboleth\u5b89\u88dd\u76ee\u9304,\u4e5f\u5c31\u662f$IDP_HOME<\/p>\n\n\n\n

\u65b9\u6cd52
\u5c07idp.war\u8907\u88fd\u5230$CATALINA_HOME\/webapps\/idp\u4e0b
\u57f7\u884cjar -xvf idp.war<\/p>\n\n\n\n

…………………………………………………<\/p>\n\n\n\n

\u91cd\u555ftomcat\u4e26\u6e2c\u8a66<\/strong>
ps:\u555f\u52d5tomcat\u6642\u7684\u932f\u8aa4\u6703\u8a18\u9304\u5728\/opt\/tomcat\/logs\/catalina.out<\/p>\n\n\n\n

7
Quick Test<\/strong>
https:\/\/127.0.0.1\/idp\/profile\/Status
If everything is working correctly you should receive an “ok” page<\/p>\n\n\n\n

8
\u672c\u6a5f\u6e2c\u8a66<\/strong>
\u82e5\u5728\u672c\u6a5f\u53ef\u4e0b https:\/\/127.0.0.1\/idp\/status
\u6703\u51fa\u73fe\u72c0\u614b\u8cc7\u8a0a<\/p>\n\n\n\n

\u76f8\u95dc\u8cc7\u8a0a\u53ef\u53c3\u8003
https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/IdPStatus<\/p>\n\n\n\n

#######################################################################<\/p>\n\n\n\n

\u8a2d\u5b9a<\/strong> <\/h2>\n\n\n\n

\u8a2d\u5b9aIDP(refer https:\/\/wiki.shibboleth.net\/confluence\/display\/SHIB2\/IdPUserAuthn)<\/p>\n\n\n\n

\u4f7f\u7528jaas\u8a2d\u5b9a\u8a8d\u8b49<\/strong>
1
\u7de8\u8f2fhandler.xml\u4ee5\u8a2d\u5b9a\u767b\u5165\u65b9\u5f0f<\/strong>
1.1
\u5b9a\u7fa9LoginHandler\u7684xsi:type\u70ba”UsernamePassword”
1.2
\u5b9a\u7fa9\u8a72\u5143\u7d20\u4e4b\u5fc5\u8a2d\u53c3\u6578 jaasConfigurationLocation
1.3
(\u9078\u64c7\u6027)\u5176\u4ed6\u984d\u5916\u7684\u53c3\u6578
authenticationDuration
authenticationServletURL
\u505a\u6cd5\u5927\u81f4\u5982\u4e0b<\/strong>
$vi $IDP_HOME\/conf\/handler.xml
< !– Username\/password login handler –>
< ph:LoginHandler xsi:type=”ph:UsernamePassword”<\/strong>
jaasConfigurationLocation=”file:\/\/\/opt\/shibboleth-idp\/conf\/login.config”<\/strong>>
 < ph:AuthenticationMethod>
 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
 < \/ph:AuthenticationMethod>
< \/ph:LoginHandler>
ps:\u8a2d\u5b9a\u6642,\u5efa\u8b70loginhandler\u50c5\u7559\u4e00\u500b\u5728\u7528\u7684\u548cPrevious Session,\u5176\u4ed6\u7684\u90fd\u8981\u8a3b\u89e3\u6389,\u4ee5\u514d\u767b\u5165\u6642\u51fa\u554f\u984c
ps:Previous Session\u7528\u4f86\u8b93\u4e4b\u524d\u5df2\u8a8d\u8b49\u7684user\u5230\u4e0d\u540csp\u6642\u4e0d\u7528\u5728\u53e6\u5916\u8a8d\u8b49<\/p>\n\n\n\n


2
\u7de8\u8f2flogin.conf\u4ee5\u8a2d\u5b9aldap<\/strong>
\u505a\u6cd5\u5982\u4e0b
#vi $IDP_HOME\/conf\/login.config
ShibUserPassAuth {
\u3000edu.vt.middleware.ldap.jaas.LdapLoginModule required
\u3000\u3000ldapUrl=”ldap:\/\/ldaphost:389″
\u3000\u3000baseDn=”ou=people,dc=example,dc=org”
\u3000\u3000subtreeSearch=”true”
\u3000\u3000userField=”uid”
\u3000\u3000userFilter=”uid={0}”;
};<\/p>\n\n\n\n

3(optional)
3.1
\u7de8\u8f2fattribute-resolver.xml\u4ee5\u8a2d\u5b9a\u8981\u6293\u53d6\u7684\u5c6c\u6027<\/strong>
\u65b0\u589e\u539f\u59cb\u5c6c\u6027\u9023\u63a5ldap\u8cc7\u6599,\u4e26\u8a2d\u5b9a\u9023\u63a5id\u70bamyldap
#vi $IDP_HOME\/conf\/attribute-resolver.xml
< !– part1 define –><\/strong>
< resolver:AttributeDefinition id=”principal”<\/strong> xsi:type=”PrincipalName”
\u3000xmlns=”urn:mace:shibboleth:2.0:resolver:ad”>
\u3000\u3000< resolver:Dependency ref=”myldap”<\/strong> \/>
\u3000\u3000< resolver:AttributeEncoder
\u3000\u3000\u3000xsi:type=”SAML2StringNameID”
\u3000\u3000\u3000xmlns=”urn:mace:shibboleth:2.0:attribute:encoder”
\u3000\u3000\u3000nameFormat=”urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”<\/strong>
\u3000\u3000\/>
< \/resolver:AttributeDefinition>
< !– part2 data connectors –><\/strong>
< resolver:DataConnector id=”myldap”<\/strong> xsi:type=”dc:LDAPDirectory”
\u3000ldapURL=”ldap:\/\/ldap.example.org”
\u3000baseDN=”ou=people,dc=example,dc=org”
\u3000principal=”uid=myservice,ou=system”
\u3000principalCredential=”myServicePassword”>
\u3000< dc:FilterTemplate>
\u3000\u3000< ![CDATA[
\u3000\u3000\u3000(uid=$requestContext.principalName)
\u3000\u3000]]>
\u3000< \/dc:FilterTemplate>
< \/resolver:DataConnector>
\u8aaa\u660e\u5982\u4e0b
AttributeDefinition id \u7528\u65bc\u5b58\u53d6\u6b0a\u9650\u7684\u7ba1\u63a7,\u8981\u65bcattribute-filter.xml\u5167\u7684id\u4e00\u81f4
nameFormat \u5c6c\u6027\u7684\u683c\u5f0f,sp\u9700\u65bc\u8a72\u683c\u5f0f\u76f8\u540c\u624d\u53ef\u89e3\u6790
DataConnector id \u7528\u65bc\u8cc7\u6599\u9023\u63a5\u7528\u7684\u552f\u4e00\u7de8\u865f,\u8981\u548cresolver:Dependency\u7684ref\u4e00\u81f4
ldapURL ldap\u4e3b\u6a5f\u7684\u4f4d\u7f6e
baseDN \u8a2d\u5b9a\u7bc4basedn
principal \u7528\u65bc\u641c\u5c0buser\u7528\u7684dn
principalCredential principal\u6240\u6307\u5b9adn\u7684\u5bc6\u78bc
 
3.2
\u7de8\u8f2fattribute-policy.xml\u4ee5\u8a2d\u5b9a\u5c6c\u6027\u7684\u5b58\u53d6\u63a7\u5236
#vi $IDP_HOME\/conf\/attribute-filter.xml
< afp:AttributeFilterPolicy>
\u3000< afp:PolicyRequirementRule xsi:type=”basic:ANY” \/>
\u3000\u3000< afp:AttributeRule attributeID=”principal”<\/strong>>
\u3000\u3000< afp:PermitValueRule xsi:type=”basic:ANY” \/>
\u3000< \/afp:AttributeRule>
< \/afp:AttributeFilterPolicy>
\u8aaa\u660e\u5982\u4e0b
attributeID \u63a7\u5236attribute-resolver.xml\u5167AttributeDefinition id\u7684\u5b58\u53d6\u6b0a\u9650
 <\/p>\n\n\n\n

4
\u57fa\u672cIDP\u8a2d\u5b9a\u5b8c\u6210<\/strong>
\u53ef\u4f7f\u7528\u4ee5\u4e0b\u53c3\u6578\u8a2d\u5b9aSP\u90e8\u4efd
idp entity id= https:\/\/< yourdomain>\/idp\/shibboleth
resolver:Dependency ref=”myldap” (attribute-resolver.xml)<\/p>\n\n\n\n

\u767b\u5165\u4f4d\u7f6e
https:\/\/< yourdomain>\/idp\/profile\/SAML2\/Redirect\/SSO.<\/p>\n\n\n\n


………………………………………………………………<\/p>\n\n\n\n

\u5ba2\u5236\u5316login.jsp<\/strong>
ps:login.jsp\u5728idp.war\u5167
\u53d6\u5f97\u76f8\u95dc\u8b8a\u6578\u503c\u9700\u4f7f\u7528
ex:<%=request.getAttribute(“actionUrl”)%>
username\u8f38\u5165\u6b04\u4f4d\u7684\u540d\u7a31\u4e00\u5b9a\u8981\u7528j_username
ex:< input name=”j_username” type=”text” tabindex=”1″ \/>
password\u8f38\u5165\u6b04\u4f4d\u7684\u540d\u7a31\u4e00\u5b9a\u8981\u7528j_password
ex:< input name=”j_password” type=”password” tabindex=”2″ \/><\/p>\n","protected":false},"excerpt":{"rendered":"

shibboleth\u53ef\u7528\u4f86\u5efa\u7f6eWEB\u55ae\u4e00\u7c3d\u5165\uff0c\u900f\u904eIDP(i …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21],"tags":[],"class_list":["post-684","post","type-post","status-publish","format-standard","hentry","category-linuxservice"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=684"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/684\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=684"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}