Toto je staršia verzia dokumentu!


Konfigurácia a inštalácia Shibboleth

Pomocou wget stiahneme archív “shibboleth-identity-provider” a ostatné súbory pre overenie SHA256 hashu a GPG podpisu:

wget URL_1 URL_2 URL_3

Kontrola SHA256 hashu a GPG podpisu:

sha256sum -c shibboleth-identity-provider-4.0.1.tar.gz.sha256
gpg --verify shibboleth-identity-provider-4.0.1.tar.gz.asc

Ďalej budeme pokračovať rozbalením archívu a spustením inštalácie.

tar -xzf shibboleth-identity-provider-4.0.1.tar.gz
./shibboleth-identity-provider-4.0.1/bin/install.sh

Proces inštalácie prebieha nasledovne:

Buildfile: /root/shibboleth-identity-provider-4.0.1/bin/build.xml

install:
Source (Distribution) Directory (press <enter> to accept default): [/root/shibboleth-identity-provider-4.0.1] ?

Installation Directory: [/opt/shibboleth-idp] ?

INFO [net.shibboleth.idp.installer.V4Install:151] - New Install.  Version: 4.0.1
Host Name: [demoidp.sanet.sk] ?

INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-signing, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-encryption, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password: Nové_Heslo_3
Re-enter password:

INFO [net.shibboleth.idp.installer.V4Install:592] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
Cookie Encryption Key Password: Nové_Heslo_4
Re-enter password:

INFO [net.shibboleth.idp.installer.V4Install:633] - Creating backchannel keystore, CN = demoidp.sanet.sk URI = https://demoidp.sanet.sk/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://demoidp.sanet.sk/idp/shibboleth] ?

Attribute Scope: [sanet.sk] ?

INFO [net.shibboleth.idp.installer.V4Install:433] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL

Nastavíme oprávnenia pre používateľa “idp”:

chown -R idp:idp /opt/shibboleth-idp

Reštartujeme Jetty (reštart môže trvať dlhšie):

systemctl restart jetty

Stav IdP môžeme zobraziť spustením skriptu:

/opt/shibboleth-idp/bin/status.sh

Základná konfigurácia IdP

Nastavíme cestu k Java pre potreby prístupu z neprivilegovaného účtu:

JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService

Zmeny, ktoré zrealizujeme v konfigurácii idp.properties:

vim /opt/shibboleth-idp/conf/idp.properties
# General cookie properties (maxAge only applies to persistent cookies)
idp.cookie.secure = true
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000
# These control operation of the SameSite filter, which is off by default.
#idp.cookie.sameSite = None
#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE

Reštartujeme Jetty, reštart môže trvať dlhšie:

systemctl restart jetty

Obmedzenie prístupu IP adries k stránkam so špecifickou funkcionalitou:

vim /opt/shibboleth-idp/conf/access-control.xml
<util:map id="shibboleth.AccessControlPolicies">
 
        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', 'IP_adresa_admninistrátora_1', 'IP_adresa_admninistrátora_2', 'IP_adresa_admninistrátora_3'} }" />
        </entry>

Pre načitanie konfigurácie spustíme:

JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService

Následne môžeme po prístupe z IP adries nastavených v access-control.xml zobraziť napríklad informáciu o stave IdP:

Konfigurácia LDAP služieb

Pre zabezpečené pripojenie na náš LDAP server stiahneme SSL certifikát:

openssl s_client -showcerts -connect náš.ldap.sk:636 </dev/null 2>/dev/null|openssl x509 -outform PEM > /opt/shibboleth-idp/credentials/ldap-server.crt

Konfiguračný súbor “ldap.properties” upravíme nasledovne (príklad možnej konfigurácie):

vim /opt/shibboleth-idp/conf/ldap.properties
# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator                   = bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL                         = ldaps://náš.ldap.sk:636
idp.authn.LDAP.useStartTLS                     = false
idp.authn.LDAP.useSSL                          = true
# Time in milliseconds that connects will block
idp.authn.LDAP.connectTimeout                  = PT3S
# Time in milliseconds to wait for responses
idp.authn.LDAP.responseTimeout                 = PT3S

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig                       = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates               = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
#idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN                           = ou=demoidp,dc=náš,dc=ldap,dc=sk
idp.authn.LDAP.subtreeSearch                    = true
idp.authn.LDAP.userFilter                       = (uid={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN                           = cn=demoidp,ou=example,dc=náš,dc=ldap,dc=sk
idp.ldaptive.provider                           = org.ldaptive.provider.unboundid.UnboundIDProvider

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
#idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=example,dc=org

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator                  = none

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)

# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize                          = 3
#idp.pool.LDAP.maxSize                          = 10
#idp.pool.LDAP.validateOnCheckout               = false
#idp.pool.LDAP.validatePeriodically             = true
#idp.pool.LDAP.validatePeriod                   = PT5M
#idp.pool.LDAP.validateDN                       =
#idp.pool.LDAP.validateFilter                   = (objectClass=*)
#idp.pool.LDAP.prunePeriod                      = PT5M
#idp.pool.LDAP.idleTime                         = PT10M
#idp.pool.LDAP.blockWaitTime                    = PT3S

Vygenerujeme “salt”, ktorý budeme potrebovať v ďalšom kroku pomocou príkazu:

openssl rand -base64 36 2>/dev/null

Konfiguráciu secrets.properties upravíme nasledovne:

vim /opt/shibboleth-idp/credentials/secrets.properties
# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential = Heslo pre bind konto demoidp
idp.persistentId.salt = Vygenerovaný salt
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

Do konfigurácie metadata-providers.xml doplníme:

vim /opt/shibboleth-idp/conf/metadata-providers.xml
<!-- safeID test metadata
    <MetadataProvider
        id="safeid-metadata-test" 
        xsi:type="FileBackedHTTPMetadataProvider" 
        backingFile="%{idp.home}/metadata/safeid.xml" 
        metadataURL="https://www.safeid.sk/metadata/test-metadata.safeid.sk.xml" 
        maxRefreshDelay="PT2H">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" 
            certificateFile="%{idp.home}/credentials/SAFEID_metadata_signer.pem" />
    </MetadataProvider>
    -->
 
<!-- safeID interfederation -->
    <!-- safeID & eduGAIN -->
    <MetadataProvider
        id="safeid-interfed"
        xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/safeid-interfed.xml"
        metadataURL="https://www.safeid.sk/metadata/safeid-interfed.xml"
        maxRefreshDelay="PT30M">
 
        <MetadataFilter
            xsi:type="SignatureValidation"
            requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
 
        <MetadataFilter
            xsi:type="RequiredValidUntil"
            maxValidityInterval="P30D" />
 
        <MetadataFilter
            xsi:type="Algorithm">
 
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
        </MetadataFilter>
    </MetadataProvider>
 
    <!-- safeID metadata -->
    <!-- safeID
    <MetadataProvider
        id="safeid-metadata"
        xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/metadata.safeid.sk.xml"
        metadataURL="https://metadata.safeid.sk/metadata/metadata.safeid.sk.xml"
        maxRefreshDelay="PT30M">
 
        <MetadataFilter
            xsi:type="SignatureValidation"
            requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
 
        <MetadataFilter
            xsi:type="RequiredValidUntil"
            maxValidityInterval="P30D" />
 
        <MetadataFilter
            xsi:type="Algorithm">
 
            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
        </MetadataFilter>
    </MetadataProvider>
    -->

Stiahnutie verejného kľúča pre kontrolu podpisu metadát:

cd /opt/shibboleth-idp/credentials
wget https://metadata.safeid.sk/keys/safeid-metadata-signing.pem

Pre načitenie metadát reštartujeme službu:

JAVA_HOME=/usr/lib/jvm/java-11-openjdk-11.0.x.x-x.el8_2.x86_64 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.MetadataResolverService

Kontrola stiahnutých metadát:

ls -l /opt/shibboleth-idp/metadata/

Vo výpise by sa mal nachádzať súbor safeid.xml s aktuálnym časom vytvorenia.

Môžete pokračovať Konfigurácia a inštalácia databázy MySQL

  • install/idp/konfiguracia_a_instalacia_shibboleth.1622029941
  • Posledná úprava: 26. 05. 2021 13:52