Rozdiely

Tu môžete vidieť rozdiely medzi vybranou verziou a aktuálnou verziou danej stránky.

--- install:idp:konfiguracia_idp [22. 03. 2021 11:48] – jsilaci@umb.sk
+++ install:idp:konfiguracia_idp [Unknown date] (aktuálne) – odstránené - externá úprava (Unknown date) 127.0.0.1
@@ Riadok 1: / Riadok 1: @@
-====== Konfigurácia IdP ======
-Na začiatok si vygenerujeme "salt":
-<code>
-openssl rand -base64 36 2>/dev/null
-</code>
-<alert type="info" icon="glyphicon glyphicon-info-sign">
-Ďalej pracujeme pod používateľom "idp"
-</alert>
-Do konfigurácie ''attribute-resolver.xml'' doplníme nový atribút:
-<code>
-vim /opt/shibboleth-idp/conf/attribute-resolver.xml
-</code>
-<code xml>
-<!--
-Doplneny atribut.
--->
-<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
-    <InputDataConnector ref="myStoredId" attributeNames="storedId"/>
-    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
-    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
-</AttributeDefinition>
-</code>
-Ďalej doplníme nový konektor:
-<code xml>
-<!--
-Doplneny datakonektor.
--->
-<DataConnector id="myStoredId"
-    xsi:type="StoredId"
-    generatedAttributeID="storedId"
-    salt="Napíšeme salt, ktorý sme si na začiatku vygenerovali"
-    queryTimeout="0">
-    <InputAttributeDefinition ref="uid"/>
-    <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
-</DataConnector>
-</code>
-V konfigurácii ''global.xml'' doplníme potrebné beany:
-<code>
-vim /opt/shibboleth-idp/conf/global.xml
-</code>
-<code xml>
-<!--
-Doplnene beany
--->
-<bean id="shibboleth.MySQLDataSource"
-    class="org.apache.commons.dbcp2.BasicDataSource"
-    p:driverClassName="com.mysql.cj.jdbc.Driver"
-    p:url="jdbc:mysql://localhost:3306/shibboleth"
-    p:username="shibboleth"
-    p:password="Heslo pre používateľa shibboleth" />
-<bean id="shibboleth.JPAStorageService"
-    class="org.opensaml.storage.impl.JPAStorageService"
-    p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
-    c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />
-<bean id="shibboleth.JPAStorageService.EntityManagerFactory"
-    class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
-    <property name="packagesToScan" value="org.opensaml.storage.impl"/>
-    <property name="dataSource" ref="shibboleth.MySQLDataSource"/>
-    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
-    <property name="jpaDialect">
-        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
-    </property>
-</bean>
-<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
-    class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
-    p:generateDdl="true"
-    p:database="MYSQL"
-    p:databasePlatform="org.hibernate.dialect.MySQL5Dialect" />
-</code>
-Doplníme atribút aj do konfigurácie filtrov ''attribute-filter.xml'':
-<code>
-vim /opt/shibboleth-idp/conf/attribute-filter.xml
-</code>
-<code xml>
-<!-- Doplneny atribut - transientId to anyone -->
-    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
-        <PolicyRequirementRule xsi:type="ANY" />
-        <!-- transientId -->
-        <AttributeRule attributeID="transientId">
-            <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-        <AttributeRule attributeID="eduPersonTargetedID">
-                <PermitValueRule xsi:type="ANY" />
-        </AttributeRule>
-    </AttributeFilterPolicy>
-</code>
-V konfigurácii ''saml-nameid.properties'' doplníme potrebné atribúty - odkazy na beany a salt:
-<code>
-vim /opt/shibboleth-idp/conf/saml-nameid.properties
-</code>
-<code xml>
-# Doplnene atributy
-idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
-idp.persistentId.dataSource = shibboleth.MySQLDataSource
-idp.persistentId.sourceAttribute = uid
-idp.persistentId.salt = Napíšeme salt, ktorý sme si na začiatku vygenerovali
-</code>
-Upravíme konfiguráciu ''saml-nameid.xml'' odkomentovaním konkrétneho riadku v súbore:
-<code>
-vim /opt/shibboleth-idp/conf/saml-nameid.xml
-</code>
-Odkomentujeme riadok:
-<code xml>
-<ref bean="shibboleth.SAML2PersistentGenerator" />
-</code>
-Upravíme v konfigurácii ďalší súbor ''idp.properties'':
-<code>
-vim /opt/shibboleth-idp/conf/idp.properties
-</code>
-V tomto súbore doplníme riadok:
-<code>
-idp.consent.StorageService = shibboleth.JPAStorageService
-</code>
-Príklad:
-<code>
-# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
-#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
-idp.consent.StorageService = shibboleth.JPAStorageService
-</code>
-Ďalej upravíme súbor ''subject-c14n.xml'':
-<code>
-vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
-</code>
-V súbore odkomentujeme riadok:
-<code xml>
-<ref bean="c14n/SAML2Persistent" />
-</code>
-Príklad:
-<code xml>
-=======================================================================
-Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs.
-Below the list are some settings that might be useful to adjust.
-=======================================================================
-    -->
-    <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
-        <!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
-        <ref bean="c14n/SAML2Transient" />
-        <ref bean="c14n/SAML2CryptoTransient" />
-        <ref bean="c14n/SAML1Transient" />
-        <ref bean="c14n/SAML1CryptoTransient" />
-        <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
-        <ref bean="c14n/SAML2Persistent" />
-</code>
-V metadátach sa bude oznamovať, že IdP podporuje perzistentný identifikátor, do ''idp-metadata.xml'' doplníme:
-<code>
-vim /opt/shibboleth-idp/metadata/idp-metadata.xml
-</code>
-<code xml>
-<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
-</code>
-Príklad - do elementu IDPSSODescriptor pridáme element napríklad za uvedený element:
-<code xml>
-<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
-<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
-<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
-</code>
-Vygenerujeme nový WAR súbor:
-<code>
-/opt/shibboleth-idp/bin/build.sh
-</code>
-Spustí sa proces:
-<code>
-Buildfile: /opt/shibboleth-idp/bin/build.xml
-build-war:
-Installation Directory: [/opt/shibboleth-idp] ?
-INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1
-INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
-INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
-INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war
-BUILD SUCCESSFUL
-</code>
-<alert type="info" icon="glyphicon glyphicon-info-sign">
-Ďalej pracujeme pod používateľom "root"
-</alert>
-Reštartujeme Jetty:
-<code>
-systemctl restart jetty
-</code>
-Logy môžeme kontrolovať v umiestneniach:
-<code>
-/opt/shibboleth-idp/logs
-/opt/jetty/logs
-</code>
-Testovanie funkčnosti môžeme realizovať pomocou:
-> IdP Webová stránka
->> https://IdP_URL/idp
-> IdP Status
->> https://IdP_URL/idp/status
-> IdP Metadáta
->> https://IdP_URL/idp/shibboleth
-> IdP Prihlásenie
->> https://IdP_URL/idp/profile/Shibboleth/SSO
-> IdP Odhlásenie
->> https://IdP_URL/idp/profile/Logout
-Priklad - IdP Status:
-<code>
-### Operating Environment Information
-operating_system: Linux
-operating_system_version: 4.18.0-193.19.1.el8_2.x86_64
-operating_system_architecture: amd64
-jdk_version: 11.0.8
-available_cores: 6
-used_memory: 123 MB
-maximum_memory: 1444 MB
-### Identity Provider Information
-idp_version: 4.0.1
-start_time: 2020-11-04T13:25:22.927Z
-current_time: 2020-11-04T14:14:12.623114Z
-uptime: 2929696 ms
-service: shibboleth.LoggingService
-last successful reload attempt: 2020-11-04T13:23:45.112536Z
-last reload attempt: 2020-11-04T13:23:45.112536Z
-service: shibboleth.AttributeFilterService
-last successful reload attempt: 2020-11-04T13:23:47.859013Z
-last reload attempt: 2020-11-04T13:23:47.859013Z
-service: shibboleth.AttributeResolverService
-last successful reload attempt: 2020-11-04T13:23:48.074989Z
-last reload attempt: 2020-11-04T13:23:48.074989Z
-	No Data Connector has ever failed
-service: shibboleth.AttributeRegistryService
-last successful reload attempt: 2020-11-04T13:23:48.456582Z
-last reload attempt: 2020-11-04T13:23:48.456582Z
-service: shibboleth.NameIdentifierGenerationService
-last successful reload attempt: 2020-11-04T13:23:48.741862Z
-last reload attempt: 2020-11-04T13:23:48.741862Z
-service: shibboleth.RelyingPartyResolverService
-last successful reload attempt: 2020-11-04T13:23:48.912172Z
-last reload attempt: 2020-11-04T13:23:48.912172Z
-service: shibboleth.MetadataResolverService
-last successful reload attempt: 2020-11-04T13:23:49.609433Z
-last reload attempt: 2020-11-04T13:23:49.609433Z
-	metadata source: ShibbolethMetadata
-	last refresh attempt: 2020-11-04T14:08:55.321108Z
-	last successful refresh: 2020-11-04T14:08:55.321108Z
-	last update: 2020-11-04T14:08:55.321108Z
-	metadata source: safeid-metadata
-	last refresh attempt: 2020-11-04T14:08:55.321108Z
-	last successful refresh: 2020-11-04T14:08:55.321108Z
-	last update: 2020-11-04T14:08:55.321108Z
-	root validUntil: 2020-11-18T13:48:01Z
-service: shibboleth.ReloadableAccessControlService
-last successful reload attempt: 2020-11-04T13:23:50.349279Z
-last reload attempt: 2020-11-04T13:23:50.349279Z
-service: shibboleth.ReloadableCASServiceRegistry
-last successful reload attempt: 2020-11-04T13:23:50.403851Z
-last reload attempt: 2020-11-04T13:23:50.403851Z
-service: shibboleth.ManagedBeanService
-last successful reload attempt: 2020-11-04T13:23:50.453898Z
-last reload attempt: 2020-11-04T13:23:50.453898Z
-</code>