IdP Configuration

First, generate a “salt”:

openssl rand -base64 36 2>/dev/null

Add a new attribute to the attribute-resolver.xml configuration:

vim /opt/shibboleth-idp/conf/attribute-resolver.xml
<!--
Added attribute.
-->
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredId" attributeNames="storedId"/>
    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
</AttributeDefinition>

Next, add a new data connector:

<!--
Added data connector.
-->
<DataConnector id="myStoredId" 
    xsi:type="StoredId" 
    generatedAttributeID="storedId" 
    salt="Napíšeme salt, ktorý sme si na začiatku vygenerovali" 
    queryTimeout="0">
    <InputAttributeDefinition ref="uid"/>
    <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
</DataConnector>

Add the required beans to the global.xml configuration:

vim /opt/shibboleth-idp/conf/global.xml
<!--
Added beans
-->
 
<bean id="shibboleth.MySQLDataSource" 
    class="org.apache.commons.dbcp2.BasicDataSource" 
    p:driverClassName="com.mysql.cj.jdbc.Driver" 
    p:url="jdbc:mysql://localhost:3306/shibboleth" 
    p:username="shibboleth" 
    p:password="Heslo pre používateľa shibboleth" />
 
<bean id="shibboleth.JPAStorageService" 
    class="org.opensaml.storage.impl.JPAStorageService" 
    p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}" 
    c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />
 
<bean id="shibboleth.JPAStorageService.EntityManagerFactory" 
    class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="packagesToScan" value="org.opensaml.storage.impl"/>
    <property name="dataSource" ref="shibboleth.MySQLDataSource"/>
    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>
 
<bean id="shibboleth.JPAStorageService.JPAVendorAdapter" 
    class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter" 
    p:generateDdl="true" 
    p:database="MYSQL" 
    p:databasePlatform="org.hibernate.dialect.MySQL5Dialect" />

Also add the attribute to the filter configuration in attribute-filter.xml:

vim /opt/shibboleth-idp/conf/attribute-filter.xml
<!-- Added attribute - transientId to anyone -->
    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
 
        <PolicyRequirementRule xsi:type="ANY" />
 
        <!-- transientId -->
        <AttributeRule attributeID="transientId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
 
        <AttributeRule attributeID="eduPersonTargetedID">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
 
    </AttributeFilterPolicy>

In saml-nameid.properties, add the required properties: the references to the beans and the salt:

vim /opt/shibboleth-idp/conf/saml-nameid.properties
# Added properties
idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = shibboleth.MySQLDataSource
idp.persistentId.sourceAttribute = uid
idp.persistentId.salt = Napíšeme salt, ktorý sme si na začiatku vygenerovali
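
The same salt and the same source attribute and data source now appear in two files (attribute-resolver.xml and saml-nameid.properties); the checker below is an added example, not part of the original page, that parses both and reports any mismatch, a too-short salt, or a placeholder left in place. The two configuration fragments inside it are constructed to mirror the page's settings with a made-up salt; `computed_id` shows the ComputedId derivation documented by Shibboleth (Base64 of SHA-1 over `rpEntityID!sourceValue!salt`), and whether your installation seeds stored IDs from it is an assumption that depends on the generator configuration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "urn:mace:shibboleth:2.0:resolver"}

# Constructed sample mirroring the page's StoredId connector; the salt is a
# made-up 48-character value of the kind `openssl rand -base64 36` prints.
RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="myStoredId" xsi:type="StoredId" generatedAttributeID="storedId"
      salt="Ll9yWk7q1YzC8v3uRhN2pXe5sQdF0gKbTmA4oJ6iHcE1wBnV" queryTimeout="0">
    <InputAttributeDefinition ref="uid"/>
    <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
  </DataConnector>
</AttributeResolver>"""

# Constructed sample: the lines the page adds to saml-nameid.properties.
NAMEID_PROPS = """idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = shibboleth.MySQLDataSource
idp.persistentId.sourceAttribute = uid
idp.persistentId.salt = Ll9yWk7q1YzC8v3uRhN2pXe5sQdF0gKbTmA4oJ6iHcE1wBnV
"""

def parse_props(text):
    """Parse `key = value` lines, skipping comments and lines without '='."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_persistent_id_config(resolver_xml, props_text):
    """Return a list of findings; an empty list means the two files agree."""
    conn = ET.fromstring(resolver_xml).find("r:DataConnector", NS)
    props = parse_props(props_text)
    salt, findings = conn.get("salt", ""), []
    if len(salt.encode()) < 16:              # Shibboleth rejects salts under 16 bytes
        findings.append("salt shorter than 16 bytes")
    if any(c.isspace() for c in salt):       # prose placeholder was never replaced
        findings.append("salt looks like unreplaced placeholder text")
    if salt != props.get("idp.persistentId.salt"):
        findings.append("salt differs between resolver and saml-nameid.properties")
    if conn.find("r:InputAttributeDefinition", NS).get("ref") != props.get("idp.persistentId.sourceAttribute"):
        findings.append("source attribute differs between resolver and properties")
    if conn.findtext("r:BeanManagedConnection", namespaces=NS) != props.get("idp.persistentId.dataSource"):
        findings.append("data source bean differs between resolver and properties")
    return findings

def computed_id(rp_entity_id, source_value, salt):
    """ComputedId derivation: Base64(SHA-1("rpEntityID!sourceValue!salt")); a new salt changes every ID."""
    data = f"{rp_entity_id}!{source_value}!{salt}".encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()
```

Run `check_persistent_id_config` against the real files after editing them; the page's own placeholder text in the `salt` attribute is exactly what the whitespace check catches.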

Edit saml-nameid.xml by uncommenting a specific line in the file:

vim /opt/shibboleth-idp/conf/saml-nameid.xml

Uncomment the line:

<ref bean="shibboleth.SAML2PersistentGenerator" />

Next, edit another configuration file, idp.properties:

vim /opt/shibboleth-idp/conf/idp.properties

Add the following line to this file:

idp.consent.StorageService = shibboleth.JPAStorageService

Example:

# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.consent.StorageService = shibboleth.JPAStorageService

Next, edit the file subject-c14n.xml:

vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml

Uncomment the following line in the file:

<ref bean="c14n/SAML2Persistent" />

Example:

    <!--
    =======================================================================
    Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs.
    Below the list are some settings that might be useful to adjust.
    =======================================================================
    -->
    <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
 
        <!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
        <ref bean="c14n/SAML2Transient" />
        <ref bean="c14n/SAML2CryptoTransient" />
        <ref bean="c14n/SAML1Transient" />
        <ref bean="c14n/SAML1CryptoTransient" />
 
        <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
        <ref bean="c14n/SAML2Persistent" />

To advertise in the metadata that the IdP supports the persistent identifier, add to idp-metadata.xml:

vim /opt/shibboleth-idp/metadata/idp-metadata.xml
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

Example: inside the IDPSSODescriptor element, add the element, for instance right after the elements shown here:

<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
 
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

Generate a new WAR file:

/opt/shibboleth-idp/bin/build.sh

The build process runs:

Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ?

INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL

Restart Jetty:

systemctl restart jetty

Logs can be checked in the following locations:

/opt/shibboleth-idp/logs
/opt/jetty/logs

Functionality can be tested using:

IdP web page https://idp.example.org/idp

IdP Status https://idp.example.org/idp/status

IdP metadata https://idp.example.org/idp/shibboleth

Example - IdP Status:

### Operating Environment Information
operating_system: Linux
operating_system_version: 4.18.0-193.19.1.el8_2.x86_64
operating_system_architecture: amd64
jdk_version: 11.0.8
available_cores: 6
used_memory: 123 MB
maximum_memory: 1444 MB

### Identity Provider Information
idp_version: 4.0.1
start_time: 2020-11-04T13:25:22.927Z
current_time: 2020-11-04T14:14:12.623114Z
uptime: 2929696 ms

service: shibboleth.LoggingService
last successful reload attempt: 2020-11-04T13:23:45.112536Z
last reload attempt: 2020-11-04T13:23:45.112536Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2020-11-04T13:23:47.859013Z
last reload attempt: 2020-11-04T13:23:47.859013Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2020-11-04T13:23:48.074989Z
last reload attempt: 2020-11-04T13:23:48.074989Z

	No Data Connector has ever failed

service: shibboleth.AttributeRegistryService
last successful reload attempt: 2020-11-04T13:23:48.456582Z
last reload attempt: 2020-11-04T13:23:48.456582Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2020-11-04T13:23:48.741862Z
last reload attempt: 2020-11-04T13:23:48.741862Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2020-11-04T13:23:48.912172Z
last reload attempt: 2020-11-04T13:23:48.912172Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2020-11-04T13:23:49.609433Z
last reload attempt: 2020-11-04T13:23:49.609433Z

	metadata source: ShibbolethMetadata
	last refresh attempt: 2020-11-04T14:08:55.321108Z
	last successful refresh: 2020-11-04T14:08:55.321108Z
	last update: 2020-11-04T14:08:55.321108Z

	metadata source: safeid-metadata-test
	last refresh attempt: 2020-11-04T14:08:55.321108Z
	last successful refresh: 2020-11-04T14:08:55.321108Z
	last update: 2020-11-04T14:08:55.321108Z
	root validUntil: 2020-11-18T13:48:01Z

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2020-11-04T13:23:50.349279Z
last reload attempt: 2020-11-04T13:23:50.349279Z

service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2020-11-04T13:23:50.403851Z
last reload attempt: 2020-11-04T13:23:50.403851Z

service: shibboleth.ManagedBeanService
last successful reload attempt: 2020-11-04T13:23:50.453898Z
last reload attempt: 2020-11-04T13:23:50.453898Z

After any changes in the /opt/shibboleth-idp/edit-webapp/ directory, idp.war must be rebuilt and Jetty restarted.

/opt/shibboleth-idp/bin/build.sh

systemctl restart jetty
Last modified: 09. 06. 2021 10:41