This is an older revision of the document.

Configuring and installing Shibboleth

Before installing Shibboleth, Jetty must already be working.

https://www.shibboleth.net/
https://shibboleth.net/downloads/

The Shibboleth IdP version installed in this guide: https://shibboleth.net/downloads/identity-provider/4.0.1/

From here on we work as the user "root".

Using wget we download the "shibboleth-identity-provider" archive together with the files needed to verify its SHA256 hash and GPG signature:

    URL_1: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz
    URL_2: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.sha256
    URL_3: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.asc

    wget URL_1 URL_2 URL_3

Check the SHA256 hash and the GPG signature:

    sha256sum -c shibboleth-identity-provider-4.0.1.tar.gz.sha256
    gpg --verify shibboleth-identity-provider-4.0.1.tar.gz.asc

The .sha256 file is served from the same place as the archive, so it only catches a corrupted or truncated download; the .asc signature is what ties the archive to the Shibboleth project. gpg --verify can only succeed once the project's release signing key is in your keyring, and it reports "Good signature" for any key it knows, so import the key from the PGP_KEYS file the project publishes with its downloads and compare the key fingerprint with the published one before you trust the result.

Next we unpack the archive and start the installation:

    tar -xzf shibboleth-identity-provider-4.0.1.tar.gz
    ./shibboleth-identity-provider-4.0.1/bin/install.sh

The installation proceeds as follows. Values in square brackets are defaults accepted with Enter; Nové_Heslo_3 and Nové_Heslo_4 are this guide's placeholders for the passwords you type, so use your own.

    Buildfile: /root/shibboleth-identity-provider-4.0.1/bin/build.xml

    install:
    Source (Distribution) Directory (press <enter> to accept default): [/root/shibboleth-identity-provider-4.0.1] ?
    Installation Directory: [/opt/shibboleth-idp] ?
    INFO [net.shibboleth.idp.installer.V4Install:151] - New Install. Version: 4.0.1
    Host Name: [demoidp.sanet.sk] ?
    INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-signing, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
    INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-encryption, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
    Backchannel PKCS12 Password: Nové_Heslo_3
    Re-enter password:
    INFO [net.shibboleth.idp.installer.V4Install:592] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
    Cookie Encryption Key Password: Nové_Heslo_4
    Re-enter password:
    INFO [net.shibboleth.idp.installer.V4Install:633] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
    INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
    SAML EntityID: [https://demoidp.sanet.sk/idp/shibboleth] ?
    Attribute Scope: [sanet.sk] ?
    INFO [net.shibboleth.idp.installer.V4Install:433] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
    INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
    INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
    INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
    INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war
    BUILD SUCCESSFUL

Set the ownership for the user "idp". The installer ran as root, and the credentials directory now holds the signing and encryption private keys, the keystores protected by the two passwords above and (after the steps below) secrets.properties, so make sure that directory stays readable by the idp user only:

    chown -R idp:idp /opt/shibboleth-idp

Restart Jetty (the restart may take a while):

    systemctl restart jetty

The IdP status can be displayed by running the script:

    /opt/shibboleth-idp/bin/status.sh
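The download check above stops at sha256sum -c and a bare gpg --verify. The following script, an added example for this page and not code from the SANET guide or the Shibboleth project, does the two things a practitioner actually wants: it checks the archive against the .sha256 file (in the "digest  filename" format sha256sum -c reads) and it pins the signer's key fingerprint by parsing the VALIDSIG line of gpg's machine-readable status output, so a "Good signature" from some unrelated key in the local keyring is not accepted. PINNED_SIGNER_FPR is a placeholder (an assumption, not the real release key); replace it with the fingerprint you verified out of band against the project's published PGP_KEYS.

```python
"""Verify a downloaded Shibboleth IdP release: SHA256 against the .sha256
file plus a pinned signer fingerprint from 'gpg --status-fd 1 --verify'.

Added example for this page (not SANET's or Shibboleth's code).
"""
from __future__ import annotations
import hashlib
import subprocess
from pathlib import Path

# Placeholder only (assumption): put the fingerprint of the verified
# Shibboleth release key here, never a value copied from an untrusted page.
PINNED_SIGNER_FPR = "0000000000000000000000000000000000000000"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256_file(text: str) -> dict[str, str]:
    """Read 'hexdigest  filename' lines in the format sha256sum -c expects."""
    digests: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")   # '*' marks binary mode in sha256sum output
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        digests[name] = digest
    return digests


def sha256_matches(data: bytes, name: str, sha256_text: str) -> bool:
    """True only if the .sha256 file lists this exact filename with a matching digest."""
    expected = parse_sha256_file(sha256_text).get(name)
    return expected is not None and sha256_hex(data) == expected


def signer_fingerprints(gpg_status: str) -> set[str]:
    """Fingerprints from the VALIDSIG line of gpg's status output.

    VALIDSIG is emitted only for a cryptographically good signature; its first
    field is the fingerprint of the (sub)key that signed and its last field
    the primary key fingerprint. GOODSIG alone is also emitted for any key
    that merely happens to be in the local keyring, so it is not enough.
    """
    for line in gpg_status.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            return {fields[2].upper(), fields[-1].upper()}
    return set()


def signature_pinned(gpg_status: str, pinned_fpr: str = PINNED_SIGNER_FPR) -> bool:
    return pinned_fpr.upper() in signer_fingerprints(gpg_status)


def gpg_status(signature: Path, target: Path) -> str:
    """Run gpg locally and return its status lines (needs gpg and the imported key)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(target)],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def verify_release(tarball: Path, sha256_file: Path, asc_file: Path,
                   pinned_fpr: str = PINNED_SIGNER_FPR) -> bool:
    """Both checks must pass; the digest runs first so a truncated download is rejected cheaply."""
    if not sha256_matches(tarball.read_bytes(), tarball.name, sha256_file.read_text()):
        return False
    return signature_pinned(gpg_status(asc_file, tarball), pinned_fpr)


if __name__ == "__main__":
    import sys
    base = Path(sys.argv[1] if len(sys.argv) > 1 else "shibboleth-identity-provider-4.0.1.tar.gz")
    ok = verify_release(base, base.with_name(base.name + ".sha256"), base.with_name(base.name + ".asc"))
    print("release verified" if ok else "VERIFICATION FAILED")
    sys.exit(0 if ok else 1)
```

Run it in the directory holding the three downloaded files; a non-zero exit means either the digest or the pinned signer check failed, and the archive should not be unpacked.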
Basic IdP configuration

From here on we work as the user "idp".

Set the Java path so that the IdP scripts can be run from the unprivileged account. Here "x" stands for the actual version number of the installed Java, as found in the directory "/usr/lib/jvm":

    JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService

Changes we make in the idp.properties configuration:

    vim /opt/shibboleth-idp/conf/idp.properties

    # General cookie properties (maxAge only applies to persistent cookies)
    idp.cookie.secure = true
    #idp.cookie.httpOnly = true
    #idp.cookie.domain =
    #idp.cookie.path =
    #idp.cookie.maxAge = 31536000

    # These control operation of the SameSite filter, which is off by default.
    #idp.cookie.sameSite = None
    #idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE

The commented-out lines show the defaults. idp.cookie.secure = true marks every IdP cookie, including the session cookie, as Secure so browsers never send it over plain HTTP; leaving idp.cookie.httpOnly at its default of true keeps it out of reach of page scripts.

Restart Jetty (as the user "root"; the restart may take a while):

    systemctl restart jetty

Restricting access by IP address to pages with specific functionality (as the user "idp"):

    vim /opt/shibboleth-idp/conf/access-control.xml

    <util:map id="shibboleth.AccessControlPolicies">
        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', 'administrator_IP_address_1', 'administrator_IP_address_2', 'administrator_IP_address_3'} }" />
        </entry>

Write every entry as a CIDR block, as the existing 127.0.0.1/32 entry is (a single address gets /32, or /128 for IPv6). The check is made against the client address Jetty sees: if a reverse proxy or load balancer sits in front of the IdP, that address is the proxy's unless Jetty is configured to honour the forwarded-for headers, and the allowlist then either locks everyone out or, if the proxy address is listed, lets everyone in.

To load the configuration we run:

    JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService

Afterwards, from the IP addresses configured in access-control.xml, we can display for example the IdP status information: https://demoidp.sanet.sk/idp/status
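Two checks for the hardening just applied, as an added example for this page (not code from the SANET guide or the Shibboleth IdP): the first parses Set-Cookie headers and reports cookies that lack the Secure or HttpOnly flag, which is what idp.cookie.secure and idp.cookie.httpOnly are meant to guarantee; the second validates an allowedRanges list before you reload it, flagging entries that are not CIDR blocks, unreplaced placeholders, and ranges wider than an administrator's network. The sample headers and ranges are constructed; the /24 and /64 width limits are an assumption to adjust to your own environment, and live_cookie_findings needs network access to the IdP host.

```python
"""Check Set-Cookie flags and access-control allowedRanges for an IdP.

Added example for this page (not SANET's or Shibboleth's code).
"""
from __future__ import annotations
import ipaddress
import urllib.request

REQUIRED_COOKIE_FLAGS = ("secure", "httponly")
# Assumption: administrator ranges should be small; anything wider is reported.
WIDEST_ACCEPTABLE_PREFIX = {4: 24, 6: 64}


def cookie_flag_findings(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to the required flags it is missing (empty dict = all good)."""
    findings: dict[str, list[str]] = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags like Secure carry no value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in REQUIRED_COOKIE_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def allowed_range_findings(ranges: list[str]) -> list[str]:
    """Report entries that would not work as, or are too broad for, an admin allowlist."""
    findings: list[str] = []
    for entry in ranges:
        if "/" not in entry:
            findings.append(f"{entry}: not CIDR notation (a single host needs /32 or /128)")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not a valid network (unreplaced placeholder?)")
            continue
        limit = WIDEST_ACCEPTABLE_PREFIX[net.version]
        if net.prefixlen < limit:
            findings.append(f"{entry}: wider than /{limit}, exposes the admin pages to a whole network")
    return findings


def live_cookie_findings(url: str) -> dict[str, list[str]]:
    """Fetch one IdP page and audit every Set-Cookie header it returns (needs network)."""
    with urllib.request.urlopen(url) as resp:
        headers = resp.headers.get_all("Set-Cookie") or []
    return cookie_flag_findings(headers)


if __name__ == "__main__":
    # Constructed ranges mirroring the access-control.xml entry above.
    print(allowed_range_findings(["127.0.0.1/32", "administrator_IP_address_1"]))
    # Assumed hostname from the guide; run from an allowed address.
    print(live_cookie_findings("https://demoidp.sanet.sk/idp/status"))
```

An empty result from both functions is the goal: no cookie without Secure and HttpOnly, and no allowlist entry that is a placeholder, a bare address, or a whole network.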
Configuring LDAP services

From here on we work as the user "idp".

For a secured connection to our LDAP server we download its SSL certificate:

    openssl s_client -showcerts -connect náš.ldap.sk:636 </dev/null 2>/dev/null | openssl x509 -outform PEM > /opt/shibboleth-idp/credentials/ldap-server.crt

This is trust on first use: whatever certificate the network presents at that moment becomes the one the IdP trusts, so compare its SHA-256 fingerprint with the value the LDAP administrator publishes before relying on it. Note also that openssl x509 keeps only the first certificate of the chain, the server's own; if that certificate is issued by a CA, pinning the issuing CA certificate instead avoids breaking logins when the LDAP server renews its certificate.

We edit the "ldap.properties" configuration file as follows (an example of a possible configuration):

    vim /opt/shibboleth-idp/conf/ldap.properties

    # LDAP authentication configuration, see authn/ldap-authn-config.xml
    # Note, this doesn't apply to the use of JAAS

    ## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
    idp.authn.LDAP.authenticator = bindSearchAuthenticator

    ## Connection properties ##
    idp.authn.LDAP.ldapURL = ldaps://náš.ldap.sk:636
    idp.authn.LDAP.useStartTLS = false
    idp.authn.LDAP.useSSL = true
    # Time (ISO 8601 duration) that connects will block
    idp.authn.LDAP.connectTimeout = PT3S
    # Time (ISO 8601 duration) to wait for responses
    idp.authn.LDAP.responseTimeout = PT3S

    ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
    idp.authn.LDAP.sslConfig = certificateTrust
    ## If using certificateTrust above, set to the trusted certificate's path
    idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
    ## If using keyStoreTrust above, set to the truststore path
    #idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore

    ## Return attributes during authentication
    #idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining

    ## DN resolution properties ##

    # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
    # for AD: CN=Users,DC=example,DC=org
    idp.authn.LDAP.baseDN = ou=demoidp,dc=náš,dc=ldap,dc=sk
    idp.authn.LDAP.subtreeSearch = true
    idp.authn.LDAP.userFilter = (uid={user})
    # bind search configuration
    # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
    idp.authn.LDAP.bindDN = cn=demoidp,ou=example,dc=náš,dc=ldap,dc=sk
    idp.ldaptive.provider = org.ldaptive.provider.unboundid.UnboundIDProvider

    # Format DN resolution, used by directAuthenticator, adAuthenticator
    # for AD use idp.authn.LDAP.dnFormat=%s@domain.com
    #idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org

    # pool passivator, either none, bind or anonymousBind
    #idp.authn.LDAP.bindPoolPassivator = none

    # LDAP attribute configuration, see attribute-resolver.xml
    # Note, this likely won't apply to the use of legacy V2 resolver configurations
    idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
    idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
    idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
    idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
    idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
    idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
    idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
    idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)

    # LDAP pool configuration, used for both authn and DN resolution
    #idp.pool.LDAP.minSize = 3
    #idp.pool.LDAP.maxSize = 10
    #idp.pool.LDAP.validateOnCheckout = false
    #idp.pool.LDAP.validatePeriodically = true
    #idp.pool.LDAP.validatePeriod = PT5M
    #idp.pool.LDAP.validateDN =
    #idp.pool.LDAP.validateFilter = (objectClass=*)
    #idp.pool.LDAP.prunePeriod = PT5M
    #idp.pool.LDAP.idleTime = PT10M
    #idp.pool.LDAP.blockWaitTime = PT3S

The bind password itself does not go into this file; it is set in credentials/secrets.properties in the next step, which is why the file above only names the bindDN. Because the attribute resolver settings reference the authentication settings through %{...} placeholders, the resolver inherits the ldaps URL and the pinned certificate automatically; if you ever change the authentication connection back to ldap://, the %{idp.authn.LDAP.useStartTLS:true} reference means both connections lose TLS together.
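Since the ldap.properties values above pass through %{key:default} references, a review by eye is easy to get wrong. The following lint, an added example for this page and not code from the SANET guide or the Shibboleth IdP, reads a .properties file, resolves the references the way the IdP's property layer does, and reports the settings that decide whether passwords and attributes cross the wire unprotected or against an unverified server: a plain ldap:// URL with StartTLS off, jvmTrust instead of a pinned certificate, certificateTrust with no certificate path, a bind credential stored in ldap.properties rather than secrets.properties, and a userFilter without {user}. The property names are the IdP 4 ones used on this page; the two sample files are constructed, the first from the page's configuration and the second as a deliberately weak variant, with the hostname changed to ASCII.

```python
"""Lint Shibboleth IdP ldap.properties for transport and trust weaknesses.

Added example for this page (not SANET's or Shibboleth's code).
"""
from __future__ import annotations
import re

# %{key} or %{key:default}, as used in the IdP property files
REF = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, 'key = value', no continuations."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")   # first '=' separates; DNs keep theirs
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(props: dict[str, str], key: str, default: str | None = None, depth: int = 0) -> str | None:
    """Resolve %{other.key:default} references recursively; None if unset and no default."""
    value = props.get(key)
    if value is None:
        return default
    if depth > 10:   # guard against %{a} -> %{b} -> %{a}
        return None

    def substitute(match: re.Match) -> str:
        inner = resolve(props, match.group(1), match.group(2), depth + 1)
        return "" if inner is None else inner

    return REF.sub(substitute, value)


def ldap_findings(ldap_props_text: str) -> list[str]:
    """Return the weaknesses found; an empty list means the file passes."""
    p = parse_properties(ldap_props_text)
    findings: list[str] = []
    for prefix in ("idp.authn.LDAP", "idp.attribute.resolver.LDAP"):
        url = (resolve(p, f"{prefix}.ldapURL") or "").lower()
        # The IdP defaults useStartTLS to true when the property is absent.
        starttls = (resolve(p, f"{prefix}.useStartTLS", "true") or "").lower()
        if not url:
            findings.append(f"{prefix}.ldapURL is not set")
        elif url.startswith("ldap://") and starttls != "true":
            findings.append(f"{prefix}: plaintext ldap:// URL with useStartTLS={starttls}")
    ssl_config = resolve(p, "idp.authn.LDAP.sslConfig", "certificateTrust")
    if ssl_config == "certificateTrust" and not resolve(p, "idp.authn.LDAP.trustCertificates"):
        findings.append("sslConfig=certificateTrust but trustCertificates is empty")
    if ssl_config == "jvmTrust":
        findings.append("sslConfig=jvmTrust relies on the whole JVM CA bundle; pin the server or issuing CA certificate")
    if "idp.authn.LDAP.bindDNCredential" in p:
        findings.append("bindDNCredential is in ldap.properties; move it to credentials/secrets.properties")
    user_filter = resolve(p, "idp.authn.LDAP.userFilter") or ""
    if "{user}" not in user_filter:
        findings.append(f"userFilter {user_filter!r} does not reference {{user}}")
    return findings


# Constructed from the configuration on this page (the parts the lint looks at).
PAGE_CONFIG = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://nas.ldap.sk:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=demoidp,dc=nas,dc=ldap,dc=sk
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=demoidp,ou=example,dc=nas,dc=ldap,dc=sk
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
"""

# Constructed weak variant: plaintext LDAP, JVM trust, credential in the wrong file.
WEAK_CONFIG = """
idp.authn.LDAP.ldapURL = ldap://nas.ldap.sk:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.userFilter = (uid=%s)
idp.authn.LDAP.bindDN = cn=demoidp,ou=example,dc=nas,dc=ldap,dc=sk
idp.authn.LDAP.bindDNCredential = hunter2
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in ldap_findings(text) or ["no findings"]:
        print(finding)
```

Point it at /opt/shibboleth-idp/conf/ldap.properties after every change; the weak sample shows how one ldap:// URL propagates into two unprotected connections through the resolver's %{...} reference.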
We generate a "salt", which we will need in the next step, with the command:

    openssl rand -base64 36 2>/dev/null

The salt feeds the persistent (pairwise) identifiers the IdP issues to services. Once users have logged in, changing it changes every identifier already issued, so back it up together with the credentials and never regenerate it.

We edit the secrets.properties configuration as follows:

    vim /opt/shibboleth-idp/credentials/secrets.properties

    # Default access to LDAP authn and attribute stores.
    idp.authn.LDAP.bindDNCredential = <password of the demoidp bind account>
    idp.persistentId.salt = <generated salt>
    idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

This file holds the bind password and the salt; it must stay owned by the idp user and readable by nobody else.

To the metadata-providers.xml configuration we add:

    vim /opt/shibboleth-idp/conf/metadata-providers.xml

    <!-- safeID test metadata
    <MetadataProvider id="safeid-metadata-test" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/safeid.xml"
        metadataURL="https://www.safeid.sk/metadata/test-metadata.safeid.sk.xml"
        maxRefreshDelay="PT2H">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/SAFEID_metadata_signer.pem" />
    </MetadataProvider>
    -->

    <!-- safeID interfederation -->
    <!-- safeID & eduGAIN -->
    <MetadataProvider id="safeid-interfed" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/safeid-interfed.xml"
        metadataURL="https://www.safeid.sk/metadata/safeid-interfed.xml"
        maxRefreshDelay="PT30M">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
        <MetadataFilter xsi:type="Algorithm">
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
        </MetadataFilter>
    </MetadataProvider>

    <!-- safeID metadata -->
    <!-- safeID
    <MetadataProvider id="safeid-metadata" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/metadata.safeid.sk.xml"
        metadataURL="https://metadata.safeid.sk/metadata/metadata.safeid.sk.xml"
        maxRefreshDelay="PT30M">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
        <MetadataFilter xsi:type="Algorithm">
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
        </MetadataFilter>
    </MetadataProvider>
    -->

This block must be placed inside the existing top-level <MetadataProvider> element (the chaining provider) in metadata-providers.xml. If it is not part of that element, it will not work.

The "safeID test metadata" provider serves only as an example! For your IdP you need to configure the safeID.sk metadata. On that site you will also find the current public key for verifying the metadata signature. Keep the SignatureValidation and RequiredValidUntil filters on every provider you enable: the first rejects metadata not signed by the federation key, the second rejects metadata the federation stopped vouching for. The Algorithm filter advertises AES-128-CBC as the encryption method for every SP in the feed, so the IdP uses it instead of its default AES-GCM for those SPs; keep it only while the feed contains SPs that cannot decrypt GCM. Note that the commented-out test provider names a different key file (SAFEID_metadata_signer.pem) than the one downloaded below; if you enable it, point certificateFile at the file you actually have.

Downloading the public key for verifying the metadata signature:

    cd /opt/shibboleth-idp/credentials
    wget https://metadata.safeid.sk/keys/safeid-metadata-signing.pem

This key is the root of trust for every service provider the IdP will release attributes to, so compare its fingerprint with the value safeID publishes through a second channel before relying on it.

To load the metadata we reload the service:

    JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.MetadataResolverService

Checking the downloaded metadata:

    ls -l /opt/shibboleth-idp/metadata/

The listing should contain the backing file of the provider enabled above, safeid-interfed.xml in this configuration, with a current creation time (the commented-out test provider would write safeid.xml instead).

You can continue with: Configuring and installing the MySQL database

Last modified: 26 May 2021 13:52
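To confirm that every remote metadata feed in metadata-providers.xml carries the two filters discussed above, here is an added example for this page (not code from the SANET guide or the Shibboleth IdP) that parses the file and reports each FileBackedHTTPMetadataProvider whose metadataURL is not https, which has no SignatureValidation filter or one without requireSignedRoot="true" and a certificateFile, or which lacks a RequiredValidUntil filter. The namespaces are the ones the stock file declares; the sample document is constructed from the safeid-interfed provider above, wrapped in the chaining root element, plus two deliberately weak providers.

```python
"""Audit FileBackedHTTPMetadataProvider entries in metadata-providers.xml.

Added example for this page (not SANET's or Shibboleth's code).
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {
    "mp": "urn:mace:shibboleth:2.0:metadata",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = f"{{{NS['xsi']}}}type"
PROVIDER = f"{{{NS['mp']}}}MetadataProvider"


def provider_findings(xml_text: str) -> dict[str, list[str]]:
    """Return {provider id: [problems]} for every HTTP-backed provider; {} means all pass."""
    root = ET.fromstring(xml_text)
    findings: dict[str, list[str]] = {}
    for prov in root.iter(PROVIDER):              # includes nested providers of the chain
        if prov.get(XSI_TYPE) != "FileBackedHTTPMetadataProvider":
            continue
        problems: list[str] = []
        url = prov.get("metadataURL", "")
        if not url.lower().startswith("https://"):
            problems.append(f"metadataURL is not https: {url!r}")
        # Direct child filters, keyed by their xsi:type
        filters = {f.get(XSI_TYPE): f for f in prov.findall("mp:MetadataFilter", NS)}
        sig = filters.get("SignatureValidation")
        if sig is None:
            problems.append("no SignatureValidation filter: unsigned metadata would be accepted")
        else:
            if sig.get("requireSignedRoot", "").lower() != "true":
                problems.append("SignatureValidation without requireSignedRoot=\"true\"")
            if not sig.get("certificateFile"):
                problems.append("SignatureValidation without certificateFile")
        if "RequiredValidUntil" not in filters:
            problems.append("no RequiredValidUntil filter: stale metadata would be accepted")
        if problems:
            findings[prov.get("id", "<no id>")] = problems
    return findings


# Constructed sample: the page's provider plus two weak ones inside the stock chaining root.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <MetadataProvider id="safeid-interfed" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/safeid-interfed.xml"
        metadataURL="https://www.safeid.sk/metadata/safeid-interfed.xml"
        maxRefreshDelay="PT30M">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
        <MetadataFilter xsi:type="Algorithm">
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
        </MetadataFilter>
    </MetadataProvider>

    <MetadataProvider id="unsigned-feed" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/unsigned.xml"
        metadataURL="http://metadata.example.invalid/feed.xml" />

    <MetadataProvider id="weak-sig" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/weak.xml"
        metadataURL="https://metadata.example.invalid/feed.xml">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="false"
            certificateFile="%{idp.home}/credentials/example-signing.pem" />
    </MetadataProvider>
</MetadataProvider>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for pid, problems in provider_findings(text).items():
        print(pid)
        for problem in problems:
            print("  -", problem)
```

Run it against /opt/shibboleth-idp/conf/metadata-providers.xml before every metadata reload; the two constructed providers show the output for a feed fetched over http with no filters and for a signature filter that does not require a signed root.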