Toto je staršia verzia dokumentu!
Konfigurácia a inštalácia Shibboleth
Pred inštaláciou Shibboleth musí byť aplikácia Jetty funkčná.
https://www.shibboleth.net/
https://shibboleth.net/downloads/
Verzia Shibboleth IdP, ktorú inštalujeme v tomto návode: https://shibboleth.net/downloads/identity-provider/4.0.1/
Ďalej pracujeme pod používateľom “root”
Pomocou wget stiahneme archív “shibboleth-identity-provider” a ostatné súbory pre overenie SHA256 hashu a GPG podpisu:
URL_1: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz
URL_2: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.sha256
URL_3: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.asc
wget URL_1 URL_2 URL_3
Kontrola SHA256 hashu a GPG podpisu:
sha256sum -c shibboleth-identity-provider-4.0.1.tar.gz.sha256 gpg --verify shibboleth-identity-provider-4.0.1.tar.gz.asc
Ďalej budeme pokračovať rozbalením archívu a spustením inštalácie.
tar -xzf shibboleth-identity-provider-4.0.1.tar.gz ./shibboleth-identity-provider-4.0.1/bin/install.sh
Proces inštalácie prebieha nasledovne:
Buildfile: /root/shibboleth-identity-provider-4.0.1/bin/build.xml install: Source (Distribution) Directory (press <enter> to accept default): [/root/shibboleth-identity-provider-4.0.1] ? Installation Directory: [/opt/shibboleth-idp] ? INFO [net.shibboleth.idp.installer.V4Install:151] - New Install. Version: 4.0.1 Host Name: [demoidp.sanet.sk] ? INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-signing, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072 INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-encryption, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072 Backchannel PKCS12 Password: Nové_Heslo_3 Re-enter password: INFO [net.shibboleth.idp.installer.V4Install:592] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072 Cookie Encryption Key Password: Nové_Heslo_4 Re-enter password: INFO [net.shibboleth.idp.installer.V4Install:633] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072 INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing... SAML EntityID: [https://demoidp.sanet.sk/idp/shibboleth] ? Attribute Scope: [sanet.sk] ? INFO [net.shibboleth.idp.installer.V4Install:433] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1 INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war BUILD SUCCESSFUL
Nastavíme oprávnenia pre používateľa “idp”:
chown -R idp:idp /opt/shibboleth-idp
Reštartujeme Jetty (reštart môže trvať dlhšie):
systemctl restart jetty
Stav IdP môžeme zobraziť spustením skriptu:
/opt/shibboleth-idp/bin/status.sh
Základná konfigurácia IdP
Ďalej pracujeme pod používateľom “idp”
Nastavíme cestu k Java pre potreby prístupu z neprivilegovaného účtu:
Pod “x” sa rozumie aktuálne číselné označenie nainštalovanej verzie, ktorá sa nachádza v adresári “/usr/lib/jvm”
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService
Zmeny, ktoré zrealizujeme v konfigurácii idp.properties:
vim /opt/shibboleth-idp/conf/idp.properties
# General cookie properties (maxAge only applies to persistent cookies) idp.cookie.secure = true #idp.cookie.httpOnly = true #idp.cookie.domain = #idp.cookie.path = #idp.cookie.maxAge = 31536000 # These control operation of the SameSite filter, which is off by default. #idp.cookie.sameSite = None #idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
Reštartujeme Jetty, reštart môže trvať dlhšie:
Ďalej pracujeme pod používateľom “root”
systemctl restart jetty
Obmedzenie prístupu IP adries k stránkam so špecifickou funkcionalitou:
Ďalej pracujeme pod používateľom “idp”
vim /opt/shibboleth-idp/conf/access-control.xml
<util:map id="shibboleth.AccessControlPolicies"> <entry key="AccessByIPAddress"> <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl" p:allowedRanges="#{ {'127.0.0.1/32', 'IP_adresa_admninistrátora_1', 'IP_adresa_admninistrátora_2', 'IP_adresa_admninistrátora_3'} }" /> </entry>
Pre načitanie konfigurácie spustíme:
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService
Následne môžeme po prístupe z IP adries nastavených v access-control.xml zobraziť napríklad informáciu o stave IdP:
Konfigurácia LDAP služieb
Ďalej pracujeme pod používateľom “idp”
Pre zabezpečené pripojenie na náš LDAP server stiahneme SSL certifikát:
openssl s_client -showcerts -connect náš.ldap.sk:636 </dev/null 2>/dev/null|openssl x509 -outform PEM > /opt/shibboleth-idp/credentials/ldap-server.crt
Konfiguračný súbor “ldap.properties” upravíme nasledovne (príklad možnej konfigurácie):
vim /opt/shibboleth-idp/conf/ldap.properties
# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS
## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator = bindSearchAuthenticator
## Connection properties ##
idp.authn.LDAP.ldapURL = ldaps://náš.ldap.sk:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
# Time in milliseconds that connects will block
idp.authn.LDAP.connectTimeout = PT3S
# Time in milliseconds to wait for responses
idp.authn.LDAP.responseTimeout = PT3S
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
## Return attributes during authentication
#idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
## DN resolution properties ##
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = ou=demoidp,dc=náš,dc=ldap,dc=sk
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN = cn=demoidp,ou=example,dc=náš,dc=ldap,dc=sk
idp.ldaptive.provider = org.ldaptive.provider.unboundid.UnboundIDProvider
# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
#idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = none
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.validateDN =
#idp.pool.LDAP.validateFilter = (objectClass=*)
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S
Vygenerujeme “salt”, ktorý budeme potrebovať v ďalšom kroku pomocou príkazu:
openssl rand -base64 36 2>/dev/null
Konfiguráciu secrets.properties upravíme nasledovne:
vim /opt/shibboleth-idp/credentials/secrets.properties
# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential = Heslo pre bind konto demoidp
idp.persistentId.salt = Vygenerovaný salt
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
Do konfigurácie metadata-providers.xml doplníme:
vim /opt/shibboleth-idp/conf/metadata-providers.xml
<!-- safeID test metadata <MetadataProvider id="safeid-metadata-test" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/safeid.xml" metadataURL="https://www.safeid.sk/metadata/test-metadata.safeid.sk.xml" maxRefreshDelay="PT2H"> <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="%{idp.home}/credentials/SAFEID_metadata_signer.pem" /> </MetadataProvider> --> <!-- safeID interfederation --> <!-- safeID & eduGAIN --> <MetadataProvider id="safeid-interfed" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/safeid-interfed.xml" metadataURL="https://www.safeid.sk/metadata/safeid-interfed.xml" maxRefreshDelay="PT30M"> <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" /> <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" /> <MetadataFilter xsi:type="Algorithm"> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef> </MetadataFilter> </MetadataProvider> <!-- safeID metadata --> <!-- safeID <MetadataProvider id="safeid-metadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/metadata.safeid.sk.xml" metadataURL="https://metadata.safeid.sk/metadata/metadata.safeid.sk.xml" maxRefreshDelay="PT30M"> <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" /> <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" /> <MetadataFilter xsi:type="Algorithm"> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef> </MetadataFilter> </MetadataProvider> -->
Blok kódu musíme vložiť tak, že ho umiestnime do elementu <MetadataProvider> v konfiguračnom súbore metadata-providers.xml.
V prípade, že nebude súčasťou spomínaného už existujúceho elementu v konfigurácii, nebude fungovať.
“safeID test metadata” slúžia iba ako príklad!
Pre Vaše IdP potrebujete nastaviť safeID.sk metadáta.
Na stránke nájdete aj aktuálny verejný kľúč pre kontrolu podpisu metadát.
Stiahnutie verejného kľúča pre kontrolu podpisu metadát:
cd /opt/shibboleth-idp/credentials wget https://metadata.safeid.sk/keys/safeid-metadata-signing.pem
Pre načitenie metadát reštartujeme službu:
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.MetadataResolverService
Kontrola stiahnutých metadát:
ls -l /opt/shibboleth-idp/metadata/
Vo výpise by sa mal nachádzať súbor safeid.xml s aktuálnym časom vytvorenia.
Môžete pokračovať Konfigurácia a inštalácia databázy MySQL