Share via Share via... Twitter LinkedIn Facebook Pinterest Telegram WhatsApp Yammer RedditPosledné úpravySend via e-MailPrintPermalink × Konfigurácia IdP Na začiatok si vygenerujeme “salt”: openssl rand -base64 36 2>/dev/null Ďalej pracujeme pod používateľom “idp” Do konfigurácie attribute-resolver.xml doplníme nový atribút: vim /opt/shibboleth-idp/conf/attribute-resolver.xml <!-- Doplneny atribut. --> <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"> <InputDataConnector ref="myStoredId" attributeNames="storedId"/> <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/> <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/> </AttributeDefinition> Príklad konfigurácie attribute-resolver.xml Ďalej doplníme nový konektor: <!-- Doplneny datakonektor. --> <DataConnector id="myStoredId" xsi:type="StoredId" generatedAttributeID="storedId" salt="Napíšeme salt, ktorý sme si na začiatku vygenerovali" queryTimeout="0"> <InputAttributeDefinition ref="uid"/> <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection> </DataConnector> V konfigurácii global.xml doplníme potrebné beany: vim /opt/shibboleth-idp/conf/global.xml <!-- Doplnene beany --> <bean id="shibboleth.MySQLDataSource" class="org.apache.commons.dbcp2.BasicDataSource" p:driverClassName="com.mysql.cj.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:username="shibboleth" p:password="Heslo pre používateľa shibboleth" /> <bean id="shibboleth.JPAStorageService" class="org.opensaml.storage.impl.JPAStorageService" p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}" c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" /> <bean id="shibboleth.JPAStorageService.EntityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"> <property name="packagesToScan" value="org.opensaml.storage.impl"/> <property name="dataSource" ref="shibboleth.MySQLDataSource"/> <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/> <property name="jpaDialect"> <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" /> </property> </bean> <bean id="shibboleth.JPAStorageService.JPAVendorAdapter" class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter" p:generateDdl="true" p:database="MYSQL" p:databasePlatform="org.hibernate.dialect.MySQL5Dialect" /> Doplníme atribút aj do konfigurácie filtrov attribute-filter.xml: vim /opt/shibboleth-idp/conf/attribute-filter.xml <!-- Doplneny atribut - transientId to anyone --> <AttributeFilterPolicy id="releaseTransientIdToAnyone"> <PolicyRequirementRule xsi:type="ANY" /> <!-- transientId --> <AttributeRule attributeID="transientId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonTargetedID"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy> Príklad konfigurácie attribute-filter.xml V konfigurácii saml-nameid.properties doplníme potrebné atribúty - odkazy na beany a salt: vim /opt/shibboleth-idp/conf/saml-nameid.properties # Doplnene atributy idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator idp.persistentId.dataSource = shibboleth.MySQLDataSource idp.persistentId.sourceAttribute = uid idp.persistentId.salt = Napíšeme salt, ktorý sme si na začiatku vygenerovali Upravíme konfiguráciu saml-nameid.xml odkomentovaním konkrétneho riadku v súbore: vim /opt/shibboleth-idp/conf/saml-nameid.xml Odkomentujeme riadok: <ref bean="shibboleth.SAML2PersistentGenerator" /> Upravíme v konfigurácii ďalší súbor idp.properties: vim /opt/shibboleth-idp/conf/idp.properties V tomto súbore doplníme riadok: idp.consent.StorageService = shibboleth.JPAStorageService Príklad: # Set to "shibboleth.StorageService" or custom bean for alternate storage of consent #idp.consent.StorageService = shibboleth.ClientPersistentStorageService idp.consent.StorageService = shibboleth.JPAStorageService Ďalej upravíme súbor subject-c14n.xml: vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml V súbore odkomentujeme riadok: <ref bean="c14n/SAML2Persistent" /> Príklad: ======================================================================= Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. Below the list are some settings that might be useful to adjust. ======================================================================= --> <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows"> <!-- The next four are for handling transient IDs (in-storage and stateless variants). --> <ref bean="c14n/SAML2Transient" /> <ref bean="c14n/SAML2CryptoTransient" /> <ref bean="c14n/SAML1Transient" /> <ref bean="c14n/SAML1CryptoTransient" /> <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. --> <ref bean="c14n/SAML2Persistent" /> V metadátach sa bude oznamovať, že IdP podporuje perzistentný identifikátor, do idp-metadata.xml doplníme: vim /opt/shibboleth-idp/metadata/idp-metadata.xml <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> Príklad - do elementu IDPSSODescriptor pridáme element napríklad za uvedený element: <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/> <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> Vygenerujeme nový WAR súbor: /opt/shibboleth-idp/bin/build.sh Spustí sa proces: Buildfile: /opt/shibboleth-idp/bin/build.xml build-war: Installation Directory: [/opt/shibboleth-idp] ? INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1 INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war BUILD SUCCESSFUL Ďalej pracujeme pod používateľom “root” Reštartujeme Jetty: systemctl restart jetty Logy môžeme kontrolovať v umiestneniach: /opt/shibboleth-idp/logs /opt/jetty/logs Testovanie funkčnosti môžeme realizovať pomocou: IdP Webová stránka https://idp.example.org/idp IdP Status https://idp.example.org/idp/status IdP Metadáta https://idp.example.org/idp/shibboleth Priklad - IdP Status: ### Operating Environment Information operating_system: Linux operating_system_version: 4.18.0-193.19.1.el8_2.x86_64 operating_system_architecture: amd64 jdk_version: 11.0.8 available_cores: 6 used_memory: 123 MB maximum_memory: 1444 MB ### Identity Provider Information idp_version: 4.0.1 start_time: 2020-11-04T13:25:22.927Z current_time: 2020-11-04T14:14:12.623114Z uptime: 2929696 ms service: shibboleth.LoggingService last successful reload attempt: 2020-11-04T13:23:45.112536Z last reload attempt: 2020-11-04T13:23:45.112536Z service: shibboleth.AttributeFilterService last successful reload attempt: 2020-11-04T13:23:47.859013Z last reload attempt: 2020-11-04T13:23:47.859013Z service: shibboleth.AttributeResolverService last successful reload attempt: 2020-11-04T13:23:48.074989Z last reload attempt: 2020-11-04T13:23:48.074989Z No Data Connector has ever failed service: shibboleth.AttributeRegistryService last successful reload attempt: 2020-11-04T13:23:48.456582Z last reload attempt: 2020-11-04T13:23:48.456582Z service: shibboleth.NameIdentifierGenerationService last successful reload attempt: 2020-11-04T13:23:48.741862Z last reload attempt: 2020-11-04T13:23:48.741862Z service: shibboleth.RelyingPartyResolverService last successful reload attempt: 2020-11-04T13:23:48.912172Z last reload attempt: 2020-11-04T13:23:48.912172Z service: shibboleth.MetadataResolverService last successful reload attempt: 2020-11-04T13:23:49.609433Z last reload attempt: 2020-11-04T13:23:49.609433Z metadata source: ShibbolethMetadata last refresh attempt: 2020-11-04T14:08:55.321108Z last successful refresh: 2020-11-04T14:08:55.321108Z last update: 2020-11-04T14:08:55.321108Z metadata source: safeid-metadata-test last refresh attempt: 2020-11-04T14:08:55.321108Z last successful refresh: 2020-11-04T14:08:55.321108Z last update: 2020-11-04T14:08:55.321108Z root validUntil: 2020-11-18T13:48:01Z service: shibboleth.ReloadableAccessControlService last successful reload attempt: 2020-11-04T13:23:50.349279Z last reload attempt: 2020-11-04T13:23:50.349279Z service: shibboleth.ReloadableCASServiceRegistry last successful reload attempt: 2020-11-04T13:23:50.403851Z last reload attempt: 2020-11-04T13:23:50.403851Z service: shibboleth.ManagedBeanService last successful reload attempt: 2020-11-04T13:23:50.453898Z last reload attempt: 2020-11-04T13:23:50.453898Z V prípade úprav v adresári /opt/shibboleth-idp/edit-webapp/ je potrebné aktualizovať idp.war a reštartovať Jetty. /opt/shibboleth-idp/bin/build.sh systemctl restart jetty install/idp/konfiguracia_idp Posledná úprava: 09. 06. 2021 10:41 Prihlásiť sa