This is an older version of the document!
IdP configuration
First we generate a "salt":
openssl rand -base64 36 2>/dev/null
We add a new attribute to the attribute-resolver.xml configuration:
vim /opt/shibboleth-idp/conf/attribute-resolver.xml
<!-- Added attribute. -->
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredId" attributeNames="storedId"/>
    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
</AttributeDefinition>
Next we add a new data connector:
<!-- Added data connector. -->
<DataConnector id="myStoredId" xsi:type="StoredId" generatedAttributeID="storedId"
    salt="Enter the salt generated at the beginning" queryTimeout="0">
    <InputAttributeDefinition ref="uid"/>
    <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
</DataConnector>
We add the required beans to the global.xml configuration:
vim /opt/shibboleth-idp/conf/global.xml
<!-- Added beans -->
<bean id="shibboleth.MySQLDataSource" class="org.apache.commons.dbcp2.BasicDataSource"
    p:driverClassName="com.mysql.cj.jdbc.Driver"
    p:url="jdbc:mysql://localhost:3306/shibboleth"
    p:username="shibboleth"
    p:password="Password of the shibboleth database user" />

<bean id="shibboleth.JPAStorageService" class="org.opensaml.storage.impl.JPAStorageService"
    p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
    c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />

<bean id="shibboleth.JPAStorageService.EntityManagerFactory"
    class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="packagesToScan" value="org.opensaml.storage.impl"/>
    <property name="dataSource" ref="shibboleth.MySQLDataSource"/>
    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>

<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
    class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
    p:generateDdl="true"
    p:database="MYSQL"
    p:databasePlatform="org.hibernate.dialect.MySQL5Dialect" />
We also add the attribute to the filter configuration attribute-filter.xml:
vim /opt/shibboleth-idp/conf/attribute-filter.xml
<!-- Added attribute - transientId to anyone -->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="ANY" />
    <!-- transientId -->
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
In the saml-nameid.properties configuration we add the required properties - references to the beans and the salt:
vim /opt/shibboleth-idp/conf/saml-nameid.properties
# Added properties
idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = shibboleth.MySQLDataSource
idp.persistentId.sourceAttribute = uid
idp.persistentId.salt = Enter the salt generated at the beginning
We edit the saml-nameid.xml configuration by uncommenting one specific line in the file:
vim /opt/shibboleth-idp/conf/saml-nameid.xml
We uncomment the line:
<ref bean="shibboleth.SAML2PersistentGenerator" />
We edit another configuration file, idp.properties:
vim /opt/shibboleth-idp/conf/idp.properties
In this file we add the line:
idp.consent.StorageService = shibboleth.JPAStorageService
Example:
# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
Next we edit the file subject-c14n.xml:
vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
In the file we uncomment the line:
<ref bean="c14n/SAML2Persistent" />
Example:
<!--
=======================================================================
Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs.
Below the list are some settings that might be useful to adjust.
=======================================================================
-->
<util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
    <!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
    <ref bean="c14n/SAML2Transient" />
    <ref bean="c14n/SAML2CryptoTransient" />
    <ref bean="c14n/SAML1Transient" />
    <ref bean="c14n/SAML1CryptoTransient" />
    <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
    <ref bean="c14n/SAML2Persistent" />
The metadata will announce that the IdP supports the persistent identifier; we add to idp-metadata.xml:
vim /opt/shibboleth-idp/metadata/idp-metadata.xml
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
Example - we add the element to the IDPSSODescriptor element, for instance after the elements shown here:
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
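Before building the WAR it is worth verifying that the values this guide enters twice agree: the salt, the source attribute (uid) and the data-source bean appear both in the StoredId DataConnector of attribute-resolver.xml and in saml-nameid.properties. The following Python check is an added example, not part of this guide or of the Shibboleth distribution; the two file fragments are constructed with a placeholder salt, and the minimum salt length of 16 characters is an assumed sanity threshold, not a Shibboleth requirement.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed fragment modelled on the attribute-resolver.xml snippet; the wrapper
# root only declares the xsi prefix so the fragment parses on its own.
RESOLVER_XML = f"""<AttributeResolver xmlns:xsi="{XSI}">
  <DataConnector id="myStoredId" xsi:type="StoredId" generatedAttributeID="storedId"
      salt="EXAMPLE-SALT-0123456789abcdefghijklmnopqrstuvwxyzABCD" queryTimeout="0">
    <InputAttributeDefinition ref="uid"/>
    <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
  </DataConnector>
</AttributeResolver>"""

# Constructed fragment modelled on the saml-nameid.properties snippet.
NAMEID_PROPS = """idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = shibboleth.MySQLDataSource
idp.persistentId.sourceAttribute = uid
idp.persistentId.salt = EXAMPLE-SALT-0123456789abcdefghijklmnopqrstuvwxyzABCD"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a {namespace} prefix, if any

def parse_properties(text):
    """Minimal key = value parser for the .properties file; comments are skipped."""
    lines = (ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}

def stored_id_connector(xml_text):
    """Return salt, source attribute and data-source bean of the StoredId connector."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "DataConnector" and el.get(f"{{{XSI}}}type") == "StoredId":
            children = {local(c.tag): c for c in el}
            return {"salt": el.get("salt", ""),
                    "source": children["InputAttributeDefinition"].get("ref"),
                    "dataSource": (children["BeanManagedConnection"].text or "").strip()}
    return None

def check_consistency(xml_text, props_text, min_salt_len=16):
    """Return the list of mismatches between the two files; empty means they agree."""
    dc = stored_id_connector(xml_text)
    if dc is None:
        return ["no StoredId DataConnector in attribute-resolver.xml"]
    p = parse_properties(props_text)
    checks = [
        (dc["salt"] == p.get("idp.persistentId.salt"), "salt differs from idp.persistentId.salt"),
        (len(dc["salt"]) >= min_salt_len, f"salt shorter than {min_salt_len} characters"),
        (dc["source"] == p.get("idp.persistentId.sourceAttribute"), "source attribute differs"),
        (dc["dataSource"] == p.get("idp.persistentId.dataSource"), "data-source bean differs"),
    ]
    return [msg for ok, msg in checks if not ok]
```

To run it against a real installation, read /opt/shibboleth-idp/conf/attribute-resolver.xml and /opt/shibboleth-idp/conf/saml-nameid.properties into the two arguments of check_consistency instead of the constructed fragments.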
We generate a new WAR file:
/opt/shibboleth-idp/bin/build.sh
The build process runs:
Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
We restart Jetty:
systemctl restart jetty
Logs can be checked in these locations:
/opt/shibboleth-idp/logs
/opt/jetty/logs
Functionality can be tested using:
IdP web page: https://idp.example.org/idp
IdP status: https://idp.example.org/idp/status
IdP metadata: https://idp.example.org/idp/shibboleth
Example - IdP status:
### Operating Environment Information
operating_system: Linux
operating_system_version: 4.18.0-193.19.1.el8_2.x86_64
operating_system_architecture: amd64
jdk_version: 11.0.8
available_cores: 6
used_memory: 123 MB
maximum_memory: 1444 MB

### Identity Provider Information
idp_version: 4.0.1
start_time: 2020-11-04T13:25:22.927Z
current_time: 2020-11-04T14:14:12.623114Z
uptime: 2929696 ms

service: shibboleth.LoggingService
last successful reload attempt: 2020-11-04T13:23:45.112536Z
last reload attempt: 2020-11-04T13:23:45.112536Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2020-11-04T13:23:47.859013Z
last reload attempt: 2020-11-04T13:23:47.859013Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2020-11-04T13:23:48.074989Z
last reload attempt: 2020-11-04T13:23:48.074989Z
No Data Connector has ever failed

service: shibboleth.AttributeRegistryService
last successful reload attempt: 2020-11-04T13:23:48.456582Z
last reload attempt: 2020-11-04T13:23:48.456582Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2020-11-04T13:23:48.741862Z
last reload attempt: 2020-11-04T13:23:48.741862Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2020-11-04T13:23:48.912172Z
last reload attempt: 2020-11-04T13:23:48.912172Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2020-11-04T13:23:49.609433Z
last reload attempt: 2020-11-04T13:23:49.609433Z
metadata source: ShibbolethMetadata
last refresh attempt: 2020-11-04T14:08:55.321108Z
last successful refresh: 2020-11-04T14:08:55.321108Z
last update: 2020-11-04T14:08:55.321108Z
metadata source: safeid-metadata-test
last refresh attempt: 2020-11-04T14:08:55.321108Z
last successful refresh: 2020-11-04T14:08:55.321108Z
last update: 2020-11-04T14:08:55.321108Z
root validUntil: 2020-11-18T13:48:01Z

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2020-11-04T13:23:50.349279Z
last reload attempt: 2020-11-04T13:23:50.349279Z

service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2020-11-04T13:23:50.403851Z
last reload attempt: 2020-11-04T13:23:50.403851Z

service: shibboleth.ManagedBeanService
last successful reload attempt: 2020-11-04T13:23:50.453898Z
last reload attempt: 2020-11-04T13:23:50.453898Z
After any change in the /opt/shibboleth-idp/edit-webapp/ directory, idp.war must be rebuilt and Jetty restarted:
/opt/shibboleth-idp/bin/build.sh
systemctl restart jetty