Differences

Here you can see the differences between the selected revision and the current revision of this page.

install:idp:konfiguracia_idp [22. 03. 2021 11:48]
jsilaci@umb.sk
— (current)
Line 1: Line 1:
-====== Konfigurácia IdP ====== 
  
- 
-Na začiatok si vygenerujeme "salt": 
- 
-<code> 
-openssl rand -base64 36 2>/dev/null 
-</code> 
- 
-<alert type="info" icon="glyphicon glyphicon-info-sign"> 
-Ďalej pracujeme pod používateľom "idp" 
-</alert> 
- 
-Do konfigurácie ''attribute-resolver.xml'' doplníme nový atribút: 
- 
-<code> 
-vim /opt/shibboleth-idp/conf/attribute-resolver.xml 
-</code> 
- 
-<code xml> 
-<!-- 
-Doplneny atribut. 
---> 
-<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"> 
-    <InputDataConnector ref="myStoredId" attributeNames="storedId"/> 
-    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/> 
-    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/> 
-</AttributeDefinition> 
-</code> 
- 
-Ďalej doplníme nový konektor: 
- 
-<code xml> 
-<!-- 
-Doplneny datakonektor. 
---> 
-<DataConnector id="myStoredId"  
-    xsi:type="StoredId"  
-    generatedAttributeID="storedId"  
-    salt="Napíšeme salt, ktorý sme si na začiatku vygenerovali"  
-    queryTimeout="0"> 
-    <InputAttributeDefinition ref="uid"/> 
-    <BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection> 
-</DataConnector> 
-</code> 
- 
-V konfigurácii ''global.xml'' doplníme potrebné beany: 
- 
-<code> 
-vim /opt/shibboleth-idp/conf/global.xml 
-</code> 
- 
-<code xml> 
-<!-- 
-Doplnene beany 
---> 
- 
-<bean id="shibboleth.MySQLDataSource"  
-    class="org.apache.commons.dbcp2.BasicDataSource"  
-    p:driverClassName="com.mysql.cj.jdbc.Driver"  
-    p:url="jdbc:mysql://localhost:3306/shibboleth"  
-    p:username="shibboleth"  
-    p:password="Heslo pre používateľa shibboleth" /> 
- 
-<bean id="shibboleth.JPAStorageService"  
-    class="org.opensaml.storage.impl.JPAStorageService"  
-    p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"  
-    c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" /> 
- 
-<bean id="shibboleth.JPAStorageService.EntityManagerFactory"  
-    class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"> 
-    <property name="packagesToScan" value="org.opensaml.storage.impl"/> 
-    <property name="dataSource" ref="shibboleth.MySQLDataSource"/> 
-    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/> 
-    <property name="jpaDialect"> 
-        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" /> 
-    </property> 
-</bean> 
- 
-<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"  
-    class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"  
-    p:generateDdl="true"  
-    p:database="MYSQL"  
-    p:databasePlatform="org.hibernate.dialect.MySQL5Dialect" /> 
-</code> 
- 
-Doplníme atribút aj do konfigurácie filtrov ''attribute-filter.xml'': 
- 
-<code> 
-vim /opt/shibboleth-idp/conf/attribute-filter.xml 
-</code> 
- 
-<code xml> 
-<!-- Doplneny atribut - transientId to anyone --> 
-    <AttributeFilterPolicy id="releaseTransientIdToAnyone"> 
- 
-        <PolicyRequirementRule xsi:type="ANY" /> 
- 
-        <!-- transientId --> 
-        <AttributeRule attributeID="transientId"> 
-            <PermitValueRule xsi:type="ANY" /> 
-        </AttributeRule> 
- 
-        <AttributeRule attributeID="eduPersonTargetedID"> 
-                <PermitValueRule xsi:type="ANY" /> 
-        </AttributeRule> 
- 
-    </AttributeFilterPolicy> 
-</code> 
- 
-V konfigurácii ''saml-nameid.properties'' doplníme potrebné atribúty - odkazy na beany a salt: 
- 
-<code> 
-vim /opt/shibboleth-idp/conf/saml-nameid.properties 
-</code> 
- 
-<code xml> 
-# Doplnene atributy 
-idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator 
-idp.persistentId.dataSource = shibboleth.MySQLDataSource 
-idp.persistentId.sourceAttribute = uid 
-idp.persistentId.salt = Napíšeme salt, ktorý sme si na začiatku vygenerovali 
-</code> 
- 
-Upravíme konfiguráciu ''saml-nameid.xml'' odkomentovaním konkrétneho riadku v súbore: 
- 
-<code> 
-vim /opt/shibboleth-idp/conf/saml-nameid.xml 
-</code> 
- 
-Odkomentujeme riadok: 
- 
-<code xml> 
-<ref bean="shibboleth.SAML2PersistentGenerator" /> 
-</code> 
- 
-Upravíme v konfigurácii ďalší súbor ''idp.properties'': 
- 
-<code> 
-vim /opt/shibboleth-idp/conf/idp.properties 
-</code> 
- 
-V tomto súbore doplníme riadok: 
- 
-<code> 
-idp.consent.StorageService = shibboleth.JPAStorageService 
-</code> 
- 
-Príklad: 
- 
-<code> 
-# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent 
-#idp.consent.StorageService = shibboleth.ClientPersistentStorageService 
-idp.consent.StorageService = shibboleth.JPAStorageService 
-</code> 
- 
-Ďalej upravíme súbor ''subject-c14n.xml'': 
- 
-<code> 
-vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml 
-</code> 
- 
-V súbore odkomentujeme riadok: 
- 
-<code xml> 
-<ref bean="c14n/SAML2Persistent" /> 
-</code> 
- 
-Príklad: 
- 
-<code xml> 
-======================================================================= 
-Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. 
-Below the list are some settings that might be useful to adjust. 
-======================================================================= 
-    --> 
-    <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows"> 
- 
-        <!-- The next four are for handling transient IDs (in-storage and stateless variants). --> 
-        <ref bean="c14n/SAML2Transient" /> 
-        <ref bean="c14n/SAML2CryptoTransient" /> 
-        <ref bean="c14n/SAML1Transient" /> 
-        <ref bean="c14n/SAML1CryptoTransient" /> 
- 
-        <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. --> 
-        <ref bean="c14n/SAML2Persistent" /> 
-</code> 
- 
-V metadátach sa bude oznamovať, že IdP podporuje perzistentný identifikátor, do ''idp-metadata.xml'' doplníme: 
- 
-<code> 
-vim /opt/shibboleth-idp/metadata/idp-metadata.xml 
-</code> 
- 
-<code xml> 
-<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> 
-</code> 
- 
-Príklad - do elementu IDPSSODescriptor pridáme element napríklad za uvedený element: 
- 
-<code xml> 
-<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/> 
-<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://demoidp.sanet.sk:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/> 
- 
-<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> 
-</code> 
- 
-Vygenerujeme nový WAR súbor: 
- 
-<code> 
-/opt/shibboleth-idp/bin/build.sh 
-</code> 
- 
-Spustí sa proces: 
- 
-<code> 
-Buildfile: /opt/shibboleth-idp/bin/build.xml 
- 
-build-war: 
-Installation Directory: [/opt/shibboleth-idp] ? 
- 
-INFO [net.shibboleth.idp.installer.BuildWar:72] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.0.1 
-INFO [net.shibboleth.idp.installer.BuildWar:81] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp 
-INFO [net.shibboleth.idp.installer.BuildWar:90] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp 
-INFO [net.shibboleth.idp.installer.BuildWar:99] - Creating war file /opt/shibboleth-idp/war/idp.war 
- 
-BUILD SUCCESSFUL 
-</code> 
- 
-<alert type="info" icon="glyphicon glyphicon-info-sign"> 
-Ďalej pracujeme pod používateľom "root" 
-</alert> 
- 
-Reštartujeme Jetty: 
- 
-<code> 
-systemctl restart jetty 
-</code> 
- 
-Logy môžeme kontrolovať v umiestneniach: 
- 
-<code> 
-/opt/shibboleth-idp/logs 
-/opt/jetty/logs 
-</code> 
- 
-Testovanie funkčnosti môžeme realizovať pomocou: 
- 
-> IdP Webová stránka 
->> https://IdP_URL/idp 
- 
-> IdP Status 
->> https://IdP_URL/idp/status 
- 
-> IdP Metadáta 
->> https://IdP_URL/idp/shibboleth 
- 
-> IdP Prihlásenie 
->> https://IdP_URL/idp/profile/Shibboleth/SSO 
- 
-> IdP Odhlásenie 
->> https://IdP_URL/idp/profile/Logout 
- 
-Priklad - IdP Status: 
- 
-<code> 
-### Operating Environment Information 
-operating_system: Linux 
-operating_system_version: 4.18.0-193.19.1.el8_2.x86_64 
-operating_system_architecture: amd64 
-jdk_version: 11.0.8 
-available_cores: 6 
-used_memory: 123 MB 
-maximum_memory: 1444 MB 
- 
-### Identity Provider Information 
-idp_version: 4.0.1 
-start_time: 2020-11-04T13:25:22.927Z 
-current_time: 2020-11-04T14:14:12.623114Z 
-uptime: 2929696 ms 
- 
-service: shibboleth.LoggingService 
-last successful reload attempt: 2020-11-04T13:23:45.112536Z 
-last reload attempt: 2020-11-04T13:23:45.112536Z 
- 
-service: shibboleth.AttributeFilterService 
-last successful reload attempt: 2020-11-04T13:23:47.859013Z 
-last reload attempt: 2020-11-04T13:23:47.859013Z 
- 
-service: shibboleth.AttributeResolverService 
-last successful reload attempt: 2020-11-04T13:23:48.074989Z 
-last reload attempt: 2020-11-04T13:23:48.074989Z 
- 
- No Data Connector has ever failed 
- 
-service: shibboleth.AttributeRegistryService 
-last successful reload attempt: 2020-11-04T13:23:48.456582Z 
-last reload attempt: 2020-11-04T13:23:48.456582Z 
- 
-service: shibboleth.NameIdentifierGenerationService 
-last successful reload attempt: 2020-11-04T13:23:48.741862Z 
-last reload attempt: 2020-11-04T13:23:48.741862Z 
- 
-service: shibboleth.RelyingPartyResolverService 
-last successful reload attempt: 2020-11-04T13:23:48.912172Z 
-last reload attempt: 2020-11-04T13:23:48.912172Z 
- 
-service: shibboleth.MetadataResolverService 
-last successful reload attempt: 2020-11-04T13:23:49.609433Z 
-last reload attempt: 2020-11-04T13:23:49.609433Z 
- 
- metadata source: ShibbolethMetadata 
- last refresh attempt: 2020-11-04T14:08:55.321108Z 
- last successful refresh: 2020-11-04T14:08:55.321108Z 
- last update: 2020-11-04T14:08:55.321108Z 
- 
- metadata source: safeid-metadata 
- last refresh attempt: 2020-11-04T14:08:55.321108Z 
- last successful refresh: 2020-11-04T14:08:55.321108Z 
- last update: 2020-11-04T14:08:55.321108Z 
- root validUntil: 2020-11-18T13:48:01Z 
- 
-service: shibboleth.ReloadableAccessControlService 
-last successful reload attempt: 2020-11-04T13:23:50.349279Z 
-last reload attempt: 2020-11-04T13:23:50.349279Z 
- 
-service: shibboleth.ReloadableCASServiceRegistry 
-last successful reload attempt: 2020-11-04T13:23:50.403851Z 
-last reload attempt: 2020-11-04T13:23:50.403851Z 
- 
-service: shibboleth.ManagedBeanService 
-last successful reload attempt: 2020-11-04T13:23:50.453898Z 
-last reload attempt: 2020-11-04T13:23:50.453898Z 
-</code> 
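Review bot: the persistent-ID salt is entered twice in this hunk, once as the `salt` attribute of the `myStoredId` DataConnector in attribute-resolver.xml and once as `idp.persistentId.salt` in saml-nameid.properties, and the text never states that the two values must be identical; if they drift apart, the eduPersonTargetedID attribute and the SAML 2 persistent NameID issued for the same user stop matching, so either say so explicitly or define the salt once as a property and reference it from the connector with the `%{...}` placeholder syntax the page already uses for `idp.storage.cleanupInterval`. The same applies to the literal `p:password` in the `shibboleth.MySQLDataSource` bean in global.xml: a property reference into a file readable only by the `idp` user keeps the credential out of a configuration file that is routinely copied or shared, and `p:generateDdl="true"` on the JPA vendor adapter should be called out as a first-run convenience rather than a setting to leave on. Finally, the filter policy `releaseTransientIdToAnyone` combines `PolicyRequirementRule xsi:type="ANY"` with an `AttributeRule` for eduPersonTargetedID, so that attribute is released to every relying party; this is the usual choice for a pairwise pseudonymous identifier, but the text should state that it is intended instead of leaving it implied by a policy name that mentions only transientId.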
  • install/idp/konfiguracia_idp.1616410118
  • Last modified: 22. 03. 2021 11:48