This is an older version of the document!
Shibboleth configuration and installation
https://www.shibboleth.net/
https://shibboleth.net/downloads/
Shibboleth IdP version installed in this guide: https://shibboleth.net/downloads/identity-provider/4.0.1/
Using wget, download the “shibboleth-identity-provider” archive together with the files needed to verify its SHA256 hash and GPG signature:
URL_1: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz
URL_2: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.sha256
URL_3: https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.asc
wget URL_1 URL_2 URL_3
Verify the SHA256 hash and the GPG signature (two separate commands):
sha256sum -c shibboleth-identity-provider-4.0.1.tar.gz.sha256
gpg --verify shibboleth-identity-provider-4.0.1.tar.gz.asc
Note that gpg --verify can only succeed after the Shibboleth project's public signing key has been imported into your keyring; a signature from a key gpg does not have is reported as unverifiable (“No public key”), which is not a pass. Do not unpack the archive until both checks succeed.
Next, unpack the archive and start the installer:
tar -xzf shibboleth-identity-provider-4.0.1.tar.gz
./shibboleth-identity-provider-4.0.1/bin/install.sh
The installation proceeds as follows (New_Password_3 and New_Password_4 stand for passwords you choose; record them, the backchannel PKCS12 password in particular is needed later):
Buildfile: /root/shibboleth-identity-provider-4.0.1/bin/build.xml

install:
Source (Distribution) Directory (press <enter> to accept default): [/root/shibboleth-identity-provider-4.0.1] ?
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.V4Install:151] - New Install. Version: 4.0.1
Host Name: [demoidp.sanet.sk] ?
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-signing, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-encryption, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password: New_Password_3
Re-enter password:
INFO [net.shibboleth.idp.installer.V4Install:592] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
Cookie Encryption Key Password: New_Password_4
Re-enter password:
INFO [net.shibboleth.idp.installer.V4Install:633] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://demoidp.sanet.sk/idp/shibboleth] ?
Attribute Scope: [sanet.sk] ?
INFO [net.shibboleth.idp.installer.V4Install:433] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war
BUILD SUCCESSFUL
Set the ownership of the installation to the “idp” user under which Jetty runs:
chown -R idp:idp /opt/shibboleth-idp
Restart Jetty (the restart can take a while):
systemctl restart jetty
The IdP status can be displayed by running the script:
/opt/shibboleth-idp/bin/status.sh
Basic IdP configuration
The IdP's command-line scripts need JAVA_HOME. When running them from the unprivileged idp account, where it is usually not set, prefix the command with the path to the Java installation (the version in the path is a placeholder; use the one installed on your system), for example:
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService
Changes to make in the idp.properties configuration:
vim /opt/shibboleth-idp/conf/idp.properties
# General cookie properties (maxAge only applies to persistent cookies)
idp.cookie.secure = true
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000

# These control operation of the SameSite filter, which is off by default.
#idp.cookie.sameSite = None
#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE
Restart Jetty; the restart can take a while:
systemctl restart jetty
Restrict access to the pages governed by the AccessByIPAddress policy (the administrative pages, such as the status page) to specific IP addresses. Two caveats: '127.0.0.1/32' covers only the IPv4 loopback, so if Jetty also listens on ::1 add '::1/128'; and the check is made against the client address Jetty sees, so behind a reverse proxy that is the proxy's address unless Jetty is configured to honour the forwarded client address.
vim /opt/shibboleth-idp/conf/access-control.xml
<util:map id="shibboleth.AccessControlPolicies">

    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', 'administrator_IP_address_1', 'administrator_IP_address_2', 'administrator_IP_address_3'} }" />
    </entry>

    <!-- the other entries of the shipped map stay as they are -->
</util:map>
Reload the access-control configuration with:
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService
Afterwards, from the IP addresses listed in access-control.xml, you can open the administrative pages, for example the IdP status information:
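The following is an added Python illustration of the matching the allowedRanges list performs; it is not the IdP's own Java code, and the administrator addresses (192.0.2.10, 2001:db8:1::/48) are placeholders. It shows the two edge cases that bite in practice: an IPv4-only loopback entry does not admit ::1, and a dual-stack listener may report an IPv4 client as an IPv4-mapped IPv6 address.

```python
import ipaddress

# Constructed stand-in for the p:allowedRanges list in access-control.xml.
# 192.0.2.10 and 2001:db8:1::/48 are hypothetical administrator addresses.
ALLOWED_RANGES = [
    "127.0.0.1/32",     # IPv4 loopback
    "::1/128",          # IPv6 loopback, needed when Jetty also listens on ::1
    "192.0.2.10/32",    # hypothetical administrator workstation
    "2001:db8:1::/48",  # hypothetical administrator network
]


def parse_ranges(ranges):
    """Turn the CIDR strings into network objects; a malformed entry raises
    ValueError, which is what you want to see before the policy goes live."""
    return [ipaddress.ip_network(r) for r in ranges]


def normalize(addr):
    """Map ::ffff:a.b.c.d (how a dual-stack socket may report an IPv4 client)
    back to the plain IPv4 address so IPv4 ranges still apply to it."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(client_addr, ranges=ALLOWED_RANGES):
    """True when the client address falls inside at least one allowed range.
    Ranges of the other IP version never match, so a list with only
    127.0.0.1/32 rejects a request arriving over ::1."""
    ip = normalize(client_addr)
    return any(ip.version == net.version and ip in net for net in parse_ranges(ranges))


if __name__ == "__main__":
    for probe in ("127.0.0.1", "::1", "::ffff:192.0.2.10", "192.0.2.11"):
        print(probe, "->", "allow" if is_allowed(probe) else "deny")
```

The second assertion-style case to try is `is_allowed("::1", ["127.0.0.1/32"])`: it is False, which is exactly the situation in which a status check over localhost suddenly returns 403 after Jetty starts listening on IPv6.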
LDAP service configuration
For a secured connection to our LDAP server, download its TLS certificate. The pipeline keeps only the first certificate the server presents (the server's own leaf certificate), and it trusts whatever is presented at that moment, so compare the certificate's fingerprint with the value known to the LDAP administrator before using it, and remember that the file must be replaced whenever the server certificate is renewed (pinning the issuing CA certificate instead avoids that):
openssl s_client -showcerts -connect náš.ldap.sk:636 </dev/null 2>/dev/null|openssl x509 -outform PEM > /opt/shibboleth-idp/credentials/ldap-server.crt
Edit the “ldap.properties” configuration file as follows (an example of a possible configuration):
vim /opt/shibboleth-idp/conf/ldap.properties
# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator = bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL = ldaps://náš.ldap.sk:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
# Time (ISO 8601 duration) that connects will block
idp.authn.LDAP.connectTimeout = PT3S
# Time (ISO 8601 duration) to wait for responses
idp.authn.LDAP.responseTimeout = PT3S

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
#idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = ou=demoidp,dc=náš,dc=ldap,dc=sk
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})

# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN = cn=demoidp,ou=example,dc=náš,dc=ldap,dc=sk
idp.ldaptive.provider = org.ldaptive.provider.unboundid.UnboundIDProvider

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
#idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = none

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)

# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.validateDN =
#idp.pool.LDAP.validateFilter = (objectClass=*)
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S

With the values above, the attribute-resolver connection inherits the ldaps:// URL, the useStartTLS=false setting and the pinned certificate from the authentication settings through the %{...} references, so both the bind password and user passwords only ever cross the network inside TLS. If you change the URL to plain ldap://, useStartTLS must be true on both sides, otherwise those credentials are sent in cleartext.
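An added Python example (not part of the page or of the IdP) that reads a file in the shape of ldap.properties, expands the %{name} and %{name:default} references the way the attribute-resolver block relies on them, and then flags the two misconfigurations worth catching before a restart: an ldap:// URL without StartTLS, and certificateTrust selected without a trustCertificates path. The embedded property text is constructed; ldap.example.org and the DNs are placeholders, and idp.home is supplied only so the %{idp.home} reference resolves.

```python
import re

# IdP property files reference other properties as %{name} or %{name:default}.
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")

# Constructed sample in the shape of ldap.properties (placeholders, not real hosts).
SAMPLE_SECURE = """
idp.home = /opt/shibboleth-idp
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
idp.authn.LDAP.userFilter = (uid={user})
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
"""

# Constructed weak variant: plain LDAP, no StartTLS, trust mode without a certificate.
SAMPLE_WEAK = """
idp.home = /opt/shibboleth-idp
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.sslConfig = certificateTrust
"""


def parse_properties(text):
    """Minimal reader for 'key = value' lines; '#' comments and blank lines are
    skipped. Values may contain '=' themselves (filters, DNs)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(props, key, default=None, _depth=0):
    """Value of `key` with placeholders expanded, or `default` if the key is absent.
    A placeholder with no default that names a missing key raises, as it would
    fail in the IdP rather than silently resolve to nothing."""
    if _depth > 10:
        raise ValueError("placeholder chain too deep at " + key)
    raw = props.get(key)
    if raw is None:
        return default

    def expand(match):
        inner = resolve(props, match.group(1), match.group(2), _depth + 1)
        if inner is None:
            raise KeyError("unresolvable placeholder %{" + match.group(1) + "}")
        return inner

    return PLACEHOLDER.sub(expand, raw)


def audit_ldap(props, prefix="idp.authn.LDAP"):
    """Return problem codes for the connection settings under `prefix`
    (empty list = nothing found). Works for both idp.authn.LDAP and
    idp.attribute.resolver.LDAP because the latter inherits via placeholders."""
    findings = []
    url = resolve(props, prefix + ".ldapURL", "")
    starttls = resolve(props, prefix + ".useStartTLS", "false").lower() == "true"
    if url.startswith("ldaps://"):
        pass                                  # TLS from the first byte
    elif url.startswith("ldap://"):
        if not starttls:                      # bind and user passwords in cleartext
            findings.append("PLAINTEXT_LDAP")
    else:
        findings.append("UNKNOWN_URL")
    ssl_config = resolve(props, prefix + ".sslConfig")
    trust = resolve(props, prefix + ".trustCertificates", "undefined")
    if ssl_config == "certificateTrust" and trust in ("", "undefined"):
        findings.append("MISSING_TRUST_CERTS")  # nothing to pin the server to
    return findings


if __name__ == "__main__":
    secure = parse_properties(SAMPLE_SECURE)
    print("resolver trust file:", resolve(secure, "idp.attribute.resolver.LDAP.trustCertificates"))
    print("secure authn:", audit_ldap(secure), "resolver:", audit_ldap(secure, "idp.attribute.resolver.LDAP"))
    print("weak authn:", audit_ldap(parse_properties(SAMPLE_WEAK)))
```

Point the parser at your real /opt/shibboleth-idp/conf/ldap.properties to run the same audit there; the only placeholder the real file needs from outside is %{idp.home}, which the IdP supplies at runtime.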
Generate the “salt” needed in the next step. It feeds the persistent identifiers the IdP issues, so once users have been issued persistent IDs it must never be changed (changing it changes every user's identifier at every service):
openssl rand -base64 36 2>/dev/null
Edit the secrets.properties configuration as follows. This file holds the bind password and the salt, so keep it readable only by the idp user (for example chmod 600, owner idp):
vim /opt/shibboleth-idp/credentials/secrets.properties
# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential = <password of the demoidp bind account>
idp.persistentId.salt = <generated salt>
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
Add the following to the metadata-providers.xml configuration:
vim /opt/shibboleth-idp/conf/metadata-providers.xml
<!-- safeID test metadata
<MetadataProvider id="safeid-metadata-test" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/safeid.xml"
        metadataURL="https://www.safeid.sk/metadata/test-metadata.safeid.sk.xml"
        maxRefreshDelay="PT2H">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/SAFEID_metadata_signer.pem" />
</MetadataProvider>
-->

<!-- safeID interfederation -->
<!-- safeID & eduGAIN -->
<MetadataProvider id="safeid-interfed" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/safeid-interfed.xml"
        metadataURL="https://www.safeid.sk/metadata/safeid-interfed.xml"
        maxRefreshDelay="PT30M">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    </MetadataFilter>
</MetadataProvider>

<!-- safeID metadata -->
<!-- safeID
<MetadataProvider id="safeid-metadata" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/metadata.safeid.sk.xml"
        metadataURL="https://metadata.safeid.sk/metadata/metadata.safeid.sk.xml"
        maxRefreshDelay="PT30M">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    </MetadataFilter>
</MetadataProvider>
-->

The three filters on the active provider do the following: SignatureValidation with requireSignedRoot rejects any feed whose root element is not signed by the key in certificateFile; RequiredValidUntil with maxValidityInterval="P30D" rejects a feed that has no validUntil or whose validUntil lies more than 30 days ahead, which bounds how long a captured copy of the feed could be replayed; and the Algorithm filter, because its condition is always TRUE, declares AES-128-CBC as a supported encryption method for every entity in the feed.
These providers must be placed inside the existing chaining provider (the MetadataProvider with id="ShibbolethMetadata" and xsi:type="ChainingMetadataProvider") that the shipped metadata-providers.xml already contains; placed outside that element they are not loaded and nothing will work.
For your IdP you need to configure the safeID.sk metadata.
The safeID.sk site also publishes the current public key used to verify the metadata signature.
Download the public key for metadata signature verification. This key is the trust anchor for every service provider in the feed, and fetching it over HTTPS only proves which web server served it, so compare its fingerprint (openssl x509 -in safeid-metadata-signing.pem -noout -fingerprint -sha256) with the value the federation operator publishes or confirms out of band. If you later enable the commented-out test provider, note that it refers to a differently named key file (SAFEID_metadata_signer.pem); check with safeID which key signs the test feed.
cd /opt/shibboleth-idp/credentials
wget https://metadata.safeid.sk/keys/safeid-metadata-signing.pem
To load the metadata, reload the metadata resolver service:
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.MetadataResolverService
Check the downloaded metadata:
ls -l /opt/shibboleth-idp/metadata/
The listing should contain the backing file of the active provider, safeid-interfed.xml (safeid.xml only appears if you enabled the commented-out test provider), with a current modification time. If the file is missing or stale, the feed was rejected by one of the filters; look for the provider id in /opt/shibboleth-idp/logs/idp-process.log.
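An added Python example (not part of the page or of the IdP) that applies two of the provider's filters to a metadata document: the RequiredValidUntil rule with a 30-day maxValidityInterval, and the requireSignedRoot part of SignatureValidation. It shows which documents the provider would refuse and why, so a stale backing file can be diagnosed. The aggregate it checks is constructed, the ds:Signature element is an empty placeholder, and the signature itself is deliberately not verified here (the IdP does that against certificateFile); the clock is fixed so the results are reproducible.

```python
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Fixed clock so the example is reproducible (constructed, not the real time).
NOW = dt.datetime(2020, 9, 1, tzinfo=dt.timezone.utc)


def check_metadata(xml_text, now, max_validity=dt.timedelta(days=30)):
    """Structural checks mirroring RequiredValidUntil (maxValidityInterval) and
    requireSignedRoot. Returns a list of problem codes; empty means the document
    passes these checks. The XML signature is NOT cryptographically verified."""
    root = ET.fromstring(xml_text)
    if root.tag not in ("{%s}EntitiesDescriptor" % MD_NS, "{%s}EntityDescriptor" % MD_NS):
        return ["NOT_SAML_METADATA"]
    problems = []
    valid_until = root.get("validUntil")
    if valid_until is None:
        # Without validUntil a captured copy of the feed could be replayed forever.
        problems.append("NO_VALIDUNTIL")
    else:
        expires = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            problems.append("EXPIRED")
        elif expires - now > max_validity:
            # The publisher may not hand out metadata valid for longer than P30D.
            problems.append("VALIDUNTIL_TOO_FAR")
    if root.find("{%s}Signature" % DS_NS) is None:
        problems.append("ROOT_NOT_SIGNED")
    return problems


def sample(valid_until, signed=True):
    """Constructed aggregate in the shape of a federation feed (not real safeID
    data). The ds:Signature element is an empty placeholder for a real one."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    sig = f'<ds:Signature xmlns:ds="{DS_NS}"/>' if signed else ""
    return (
        f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="urn:example:feed"{attr}>{sig}'
        '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        '</md:EntityDescriptor></md:EntitiesDescriptor>'
    )


if __name__ == "__main__":
    for label, doc in (
        ("fresh, signed", sample("2020-09-15T00:00:00Z")),
        ("valid too long", sample("2020-12-01T00:00:00Z")),
        ("expired", sample("2020-08-31T23:59:59Z")),
        ("no validUntil", sample(None)),
        ("unsigned root", sample("2020-09-15T00:00:00Z", signed=False)),
    ):
        print(f"{label}: {check_metadata(doc, NOW) or 'ok'}")
```

To run the same check against the downloaded backing file, pass the contents of /opt/shibboleth-idp/metadata/safeid-interfed.xml and dt.datetime.now(dt.timezone.utc) instead of the constructed sample and the fixed clock.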
You can continue with: Configuration and installation of the MySQL database