Shibboleth Identity Provider
From the project site we download the Shibboleth IdP distribution (sources) into the /opt directory.
wget -P /opt \
  https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz \
  https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.asc \
  https://shibboleth.net/downloads/identity-provider/4.0.1/shibboleth-identity-provider-4.0.1.tar.gz.sha256
We verify the SHA256 hash and the GPG signature:
cd /opt
sha256sum -c shibboleth-identity-provider-4.0.1.tar.gz.sha256
gpg --verify shibboleth-identity-provider-4.0.1.tar.gz.asc
Shibboleth IdP installation procedure
tar -xzf shibboleth-identity-provider-4.0.1.tar.gz
cd shibboleth-identity-provider-4.0.1/
We prepare passwords for the Backchannel PKCS12 keystore and for the Cookie Encryption key; the installation script will ask for them once it is running. Using the command:
openssl rand -hex 20
we generate two new passwords and note them down, for example as:
1) Backchannel PKCS12 = generated password 1
2) Cookie Encryption = generated password 2
Run the installation script from the /opt/shibboleth-identity-provider-4.0.1/ directory:
./bin/install.sh
The installation proceeds as follows:
Buildfile: /opt/shibboleth-identity-provider-4.0.1/bin/build.xml

install:
Source (Distribution) Directory (press <enter> to accept default): [/opt/shibboleth-identity-provider-4.0.1] ?
Installation Directory: [/opt/shibboleth-idp] ?
INFO [net.shibboleth.idp.installer.V4Install:151] - New Install. Version: 4.0.1
Host Name: [1.2.3.4] ? idp.example.org
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-signing, CN = idp.example.org URI = https://idp.example.org/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:549] - Creating idp-encryption, CN = idp.example.org URI = https://idp.example.org/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password: generated password 1
Re-enter password: generated password 1
INFO [net.shibboleth.idp.installer.V4Install:592] - Creating backchannel keystore, CN = idp.example.org URI = https://idp.example.org/idp/shibboleth, keySize=3072
Cookie Encryption Key Password: generated password 2
Re-enter password: generated password 2
INFO [net.shibboleth.idp.installer.V4Install:633] - Creating backchannel keystore, CN = idp.example.org URI = https://idp.example.org/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://idp.example.org/idp/shibboleth] ?
Attribute Scope: [example.org] ?
INFO [net.shibboleth.idp.installer.V4Install:433] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time:
Shibboleth IdP configuration procedure
Basic setup. The configuration can vary considerably from one deployment to another.
idp.properties
In /opt/shibboleth-idp/conf/idp.properties we enable storing users' consent to the release of their information (attributes) in a database. We can also decide whether cookies or HTML local storage should be used, and we can set the default algorithm for XML encryption.
Older IdP versions used AES-CBC. The newer AES-GCM algorithm is supported by current operating systems running a current version of the Shibboleth SP. Other SAML implementations, such as SimpleSAMLphp and others, do not support this algorithm and will not work with it.
We edit the idp.properties configuration file:
nano /opt/shibboleth-idp/conf/idp.properties
In the configuration we adjust the following items:
# General cookie properties (maxAge only applies to persistent cookies)
idp.cookie.secure = true
#idp.cookie.httpOnly = true
#idp.cookie.domain =
#idp.cookie.path =
#idp.cookie.maxAge = 31536000

# These control operation of the SameSite filter, which is off by default.
#idp.cookie.sameSite = None
#idp.cookie.sameSiteCondition = shibboleth.Conditions.FALSE

# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
idp.consent.StorageService = shibboleth.JPAStorageService

idp.storage.htmlLocalStorage = true
To stay compatible with other SAML implementations we leave the following item commented out:
#idp.encryption.config=shibboleth.EncryptionConfiguration.GCM
LDAP settings
We will configure an encrypted connection to the LDAP server.
First we fetch the LDAP server's TLS certificate and save it in the location the IdP expects:
openssl s_client -showcerts -connect náš.ldap.sk:636 </dev/null 2>/dev/null \
  | openssl x509 -outform PEM > /opt/shibboleth-idp/credentials/ldap-server.crt
ldap.properties
We then continue with the configuration of ldap.properties.
nano /opt/shibboleth-idp/conf/ldap.properties
The most important items are:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.bindDN = uid=shibboleth,ou=users,dc=example,dc=org
idp.ldaptive.provider = org.ldaptive.provider.unboundid.UnboundIDProvider
Example configuration:
# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator = bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL = ldaps://náš.ldap.sk:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
# Time in milliseconds that connects will block
idp.authn.LDAP.connectTimeout = PT3S
# Time in milliseconds to wait for responses
idp.authn.LDAP.responseTimeout = PT3S

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
#idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = ou=idp,dc=náš,dc=ldap,dc=sk
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})

# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN = cn=idp,ou=example,dc=náš,dc=ldap,dc=sk
idp.ldaptive.provider = org.ldaptive.provider.unboundid.UnboundIDProvider

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
#idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = none

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)

# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.validateDN =
#idp.pool.LDAP.validateFilter = (objectClass=*)
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S
secrets.properties
In /opt/shibboleth-idp/credentials/secrets.properties (a new file that exists since Shibboleth IdP 4.0.0) we set the password for the LDAP server and the "salt" for the persistent NameID identifier (the eduPersonTargetedID attribute).
First we generate the "salt":
openssl rand -base64 36 2>/dev/null
Then we can edit the file:
nano /opt/shibboleth-idp/credentials/secrets.properties
We edit the configuration as follows:
# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential = <the password defined for the bind account in LDAP>
idp.persistentId.salt = <the generated salt>
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
Restricting access to pages with specific functionality by IP address:
access-control.xml
nano /opt/shibboleth-idp/conf/access-control.xml
<!--
Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.

The additional examples below demonstrate how to control access by username and
by attribute(s), in the case of authenticated access to admin functions.
-->
<util:map id="shibboleth.AccessControlPolicies">

    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', 'ADMIN_IP_ADDRESS_1/32', 'ADMIN_IP_ADDRESS_2/32', 'ADMIN_IP_ADDRESS_3/32'} }" />
    </entry>
Metadata sources are configured in /opt/shibboleth-idp/conf/metadata-providers.xml.
metadata-providers.xml
We open the metadata-providers.xml configuration file:
nano /opt/shibboleth-idp/conf/metadata-providers.xml
Into it we insert a block with the details of our metadata provider, for example:
<!-- safeID test metadata
<MetadataProvider id="safeid-metadata-test" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/safeid.xml"
    metadataURL="https://www.safeid.sk/metadata/test-metadata.safeid.sk.xml"
    maxRefreshDelay="PT2H">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/SAFEID_metadata_signer.pem" />
</MetadataProvider>
-->

<!-- safeID interfederation -->
<!-- safeID & eduGAIN -->
<MetadataProvider id="safeid-interfed" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/safeid-interfed.xml"
    metadataURL="https://metadata.safeid.sk/metadata/safeid-interfed.xml"
    maxRefreshDelay="PT30M">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    </MetadataFilter>
</MetadataProvider>

<!-- safeID metadata -->
<!-- safeID
<MetadataProvider id="safeid-metadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/metadata.safeid.sk.xml"
    metadataURL="https://metadata.safeid.sk/metadata/metadata.safeid.sk.xml"
    maxRefreshDelay="PT30M">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/safeid-metadata-signing.pem" />
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
    </MetadataFilter>
</MetadataProvider>
-->
The block must be placed inside the already existing top-level (chaining) MetadataProvider element of the file; placed anywhere else it will not work.
For your IdP you need to configure the safeID.sk metadata.
The safeID.sk site also provides the current public key for verifying the metadata signature.
Next we download the public key used to verify the metadata signature and place it in the right location (this guide continues with the safeID test metadata example):
wget -P /opt/shibboleth-idp/credentials \
  https://metadata.safeid.sk/keys/safeid-metadata-signing.pem
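The RequiredValidUntil filter in the provider block above (maxValidityInterval="P30D") limits how long a downloaded metadata file may stay acceptable, which bounds the window in which a stale but correctly signed copy could be replayed. The following is an added example, not code from the page or from the Shibboleth project, reproducing that check on a constructed EntitiesDescriptor; the sample metadata, the reference time and the helper names are constructed, and the separate SignatureValidation filter is not reproduced because it needs XML-DSig tooling.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of federation metadata (signature omitted); the validUntil
# value is the one the status output further down on this page reports.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}"
    Name="urn:example:constructed-federation"
    validUntil="2021-02-10T13:18:01Z">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</EntitiesDescriptor>"""

# Constructed reference time so the checks below are reproducible.
SAMPLE_NOW = datetime(2021, 1, 27, 13, 41, tzinfo=timezone.utc)


def parse_duration(value):
    """Parse the ISO 8601 duration subset used in metadata-providers.xml (P30D, PT2H, PT30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def check_valid_until(xml_text, max_validity="P30D", now=None):
    """Apply the RequiredValidUntil rule: the root must carry validUntil, and it may not
    lie further ahead than maxValidityInterval. An already expired root is reported as
    well, since the resolver discards such metadata. Returns (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    raw = root.get("validUntil")
    if raw is None:
        return False, "root element has no validUntil attribute"
    valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if valid_until > now + parse_duration(max_validity):
        return False, f"validUntil {raw} is more than {max_validity} ahead"
    if valid_until <= now:
        return False, f"metadata expired at {raw}"
    return True, "ok"


if __name__ == "__main__":
    print(check_valid_until(SAMPLE_METADATA, "P30D", SAMPLE_NOW))  # (True, 'ok')
    print(check_valid_until(SAMPLE_METADATA, "P7D", SAMPLE_NOW))   # rejected: too far ahead
    stale = SAMPLE_METADATA.replace('validUntil="2021-02-10T13:18:01Z"', "")
    print(check_valid_until(stale, "P30D", SAMPLE_NOW))            # rejected: no validUntil
```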
attribute-resolver.xml
We open the configuration:
nano /opt/shibboleth-idp/conf/attribute-resolver.xml
We add a new attribute and a new data connector to the configuration; into the connector we put the "salt" we already generated (we do not create a new one):
<!-- Added attribute. -->
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredId" attributeNames="storedId"/>
    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
</AttributeDefinition>

<!-- Added data connector. -->
<DataConnector id="myStoredId" xsi:type="StoredId"
    generatedAttributeID="storedId"
    salt="the salt already generated in the previous steps"
    queryTimeout="0">
    <InputAttributeDefinition ref="uid"/>
    <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
</DataConnector>
We also add the attribute to the filter configuration, "attribute-filter.xml":
attribute-filter.xml
nano /opt/shibboleth-idp/conf/attribute-filter.xml
<!-- Added attribute - transientId to anyone -->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="ANY" />

    <!-- transientId -->
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="eduPersonTargetedID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
idp-metadata.xml
The metadata will announce that the IdP supports the persistent identifier. We open the configuration /opt/shibboleth-idp/metadata/idp-metadata.xml:
nano /opt/shibboleth-idp/metadata/idp-metadata.xml
And add the element:
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
For example after the following element:
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://demoidp.sanet.sk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
    Location="https://demoidp.sanet.sk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>

<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
We continue in global.xml by defining a few beans.
global.xml
This configuration provides the database connection (MariaDB) used for storing persistent identifiers and attribute-release consents.
nano /opt/shibboleth-idp/conf/global.xml
<bean id="shibboleth.MySQLDataSource" class="org.apache.commons.dbcp2.BasicDataSource"
    p:driverClassName="org.mariadb.jdbc.Driver"
    p:url="jdbc:mysql://localhost:3306/shibboleth"
    p:username="shibboleth"
    p:password="the password of the shibboleth database user" />

<bean id="shibboleth.JPAStorageService" class="org.opensaml.storage.impl.JPAStorageService"
    p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
    c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory" />

<bean id="shibboleth.JPAStorageService.entityManagerFactory"
    class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="packagesToScan" value="org.opensaml.storage.impl"/>
    <property name="dataSource" ref="shibboleth.MySQLDataSource"/>
    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>

<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
    class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
    p:generateDdl="true"
    p:database="MYSQL"
    p:databasePlatform="org.hibernate.dialect.MariaDBDialect" />
We must edit the saml-nameid.properties configuration file, where we reference the beans defined above and set the attribute from which the persistent identifier is computed.
saml-nameid.properties
We open the file:
nano /opt/shibboleth-idp/conf/saml-nameid.properties
And edit it as follows:
# For computed IDs, set a source attribute, and a secret salt in secrets.properties
idp.persistentId.sourceAttribute = uid
#idp.persistentId.useUnfilteredAttributes = true
#idp.persistentId.algorithm = SHA
# BASE64 will match V2 values, we recommend BASE32 encoding for new installs.
# New IdP (BASE32)
idp.persistentId.encoding = BASE32
# Migrated IdP (BASE64)
#idp.persistentId.encoding = BASE64

# To use a database, use shibboleth.StoredPersistentIdGenerator
idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
# For basic use, set this to a JDBC DataSource bean name:
idp.persistentId.dataSource = shibboleth.MySQLDataSource
# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
#idp.persistentId.store = MyPersistentIdStore
# Set to an empty property to skip hash-based generation of first stored ID
#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
Persistent identifier support must be activated in the saml-nameid.xml configuration file.
saml-nameid.xml
We open the configuration file:
nano /opt/shibboleth-idp/conf/saml-nameid.xml
And uncomment the following line in it:
<!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
<ref bean="shibboleth.SAML2PersistentGenerator" />
We finish the configuration by editing subject-c14n.xml.
subject-c14n.xml
We open the configuration file:
nano /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
And uncomment the following line in it:
<!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
<ref bean="c14n/SAML2Persistent" />
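The persistent identifier wired up across attribute-resolver.xml, saml-nameid.properties, saml-nameid.xml and subject-c14n.xml above is a salted, pairwise hash that the StoredPersistentIdGenerator computes once per user and service provider and then keeps in the database. The following is an added example, not code from the page or from the Shibboleth project; it assumes the computed-ID construction SHA-1(relyingPartyEntityID + "!" + sourceAttributeValue + "!" + salt) (matching idp.persistentId.algorithm = SHA and idp.persistentId.sourceAttribute = uid), uses a constructed placeholder salt, and replaces the database table with an in-memory dictionary. It shows why the value is stable for one user at one SP, differs between SPs, and changes if the salt is replaced, which is why the guide insists on reusing the salt generated earlier.

```python
import base64
import hashlib

# Constructed placeholder salt; the real one lives in secrets.properties.
SALT = "constructed-placeholder-salt-do-not-use"
SOURCE_ATTRIBUTE = "uid"  # idp.persistentId.sourceAttribute = uid


def computed_persistent_id(relying_party_id, source_value, salt, encoding="BASE32"):
    """Pairwise ID for one user at one SP. Assumed construction (algorithm SHA, i.e. SHA-1):
    hash of relyingPartyEntityID + "!" + sourceAttributeValue + "!" + salt, then encoded
    as selected by idp.persistentId.encoding."""
    digest = hashlib.sha1(
        b"!".join(s.encode("utf-8") for s in (relying_party_id, source_value, salt))
    ).digest()
    if encoding == "BASE32":
        return base64.b32encode(digest).decode("ascii")  # 32 chars, no padding
    if encoding == "BASE64":
        return base64.b64encode(digest).decode("ascii")  # 28 chars, ends with "="
    raise ValueError(f"unsupported encoding: {encoding!r}")


class StoredPersistentIdStore:
    """In-memory stand-in (constructed helper) for the table the StoredPersistentIdGenerator
    keeps in the database reached through the shibboleth.MySQLDataSource bean."""

    def __init__(self, salt, encoding="BASE32"):
        self.salt = salt
        self.encoding = encoding
        self.rows = {}  # (relying_party_id, source_value) -> persistent id

    def get_or_create(self, relying_party_id, user_attributes):
        """First login at an SP: hash-based generation, then persist. Later logins
        return the stored row, so the SP keeps seeing the same identifier."""
        source_value = user_attributes[SOURCE_ATTRIBUTE]
        key = (relying_party_id, source_value)
        if key not in self.rows:
            self.rows[key] = computed_persistent_id(
                relying_party_id, source_value, self.salt, self.encoding)
        return self.rows[key]


if __name__ == "__main__":
    store = StoredPersistentIdStore(SALT)
    user = {"uid": "jdoe"}  # constructed user
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        print(sp, "->", store.get_or_create(sp, user))  # a different value per SP
    print("BASE64 form:", computed_persistent_id(
        "https://sp1.example.org/shibboleth", "jdoe", SALT, "BASE64"))
```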
Final preparation and start-up
1) Setting permissions in the /opt/shibboleth-idp directory:
chown jetty /opt/shibboleth-idp/{logs,metadata}
chgrp -R jetty /opt/shibboleth-idp/{conf,credentials}
chmod -R g+r /opt/shibboleth-idp/conf
chmod 750 /opt/shibboleth-idp/credentials
chmod 640 /opt/shibboleth-idp/credentials/*
2) Adjusting the jetty9 service in systemd:
systemctl edit jetty9
or, editing the unit file directly:
nano /etc/systemd/system/multi-user.target.wants/jetty9.service
Granting write access to the /opt/shibboleth-idp/{logs,metadata} directories:
[Service]
ReadWritePaths=/opt/shibboleth-idp/logs/
ReadWritePaths=/opt/shibboleth-idp/metadata/
3) The last step is to reload the Jetty service configuration and restart the service:
systemctl daemon-reload
systemctl restart jetty9
The IdP status can be checked with the command:
/opt/shibboleth-idp/bin/status.sh
If the configuration is correct and the services are running, output similar to the following example is shown:
### Operating Environment Information
operating_system: Linux
operating_system_version: 4.19.0-13-amd64
operating_system_architecture: amd64
jdk_version: 11.0.9.1
available_cores: 4
used_memory: 226 MB
maximum_memory: 1500 MB

### Identity Provider Information
idp_version: 4.0.1
start_time: 2021-01-27T13:41:24.161Z
current_time: 2021-01-27T13:41:25.463251Z
uptime: 1302 ms

service: shibboleth.LoggingService
last successful reload attempt: 2021-01-27T13:30:27.829470Z
last reload attempt: 2021-01-27T13:30:27.829470Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2021-01-27T13:30:30.431247Z
last reload attempt: 2021-01-27T13:30:30.431247Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2021-01-27T13:30:30.563391Z
last reload attempt: 2021-01-27T13:30:30.563391Z
No Data Connector has ever failed

service: shibboleth.AttributeRegistryService
last successful reload attempt: 2021-01-27T13:30:30.790140Z
last reload attempt: 2021-01-27T13:30:30.790140Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2021-01-27T13:30:31.094916Z
last reload attempt: 2021-01-27T13:30:31.094916Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2021-01-27T13:30:31.185237Z
last reload attempt: 2021-01-27T13:30:31.185237Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2021-01-27T13:30:31.553387Z
last reload attempt: 2021-01-27T13:30:31.553387Z
    metadata source: ShibbolethMetadata
    last refresh attempt: 2021-01-27T13:30:37.139408Z
    last successful refresh: 2021-01-27T13:30:37.139408Z
    last update: 2021-01-27T13:30:37.139408Z
    metadata source: safeid-metadata-test
    last refresh attempt: 2021-01-27T13:30:37.139408Z
    last successful refresh: 2021-01-27T13:30:37.139408Z
    last update: 2021-01-27T13:30:37.139408Z
    root validUntil: 2021-02-10T13:18:01Z

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2021-01-27T13:30:32.250946Z
last reload attempt: 2021-01-27T13:30:32.250946Z

service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2021-01-27T13:30:32.310935Z
last reload attempt: 2021-01-27T13:30:32.310935Z

service: shibboleth.ManagedBeanService
last successful reload attempt: 2021-01-27T13:30:32.341383Z
last reload attempt: 2021-01-27T13:30:32.341383Z
After any change in the /opt/shibboleth-idp/edit-webapp/ directory, idp.war must be rebuilt and Jetty restarted.
cd /opt/shibboleth-idp
./bin/build.sh
systemctl restart jetty9
Functionality can be tested using:
IdP web page: https://idp.example.org/idp
IdP status: https://idp.example.org/idp/status
IdP metadata: https://idp.example.org/idp/shibboleth