HOWTO Installation Shibboleth IDP 3.2.1 on Linux Fedora 24 Server

HOWTO Installation Shibboleth Identity Provider v3.2.1 on Linux Fedora 24 Server Edition
15 September 2016
Authors: Alessandro Enea, Marco Malavolti
Credits: Switch AAI, Shibboleth
Contents
1) Introduction
2) Hardware requirements
3) Software to install
4) Requesting the HTTPS server certificate for the IdP
5) Installing the required packages
6) Configuring SSL on Apache2 (front-end for Tomcat 8)
7) Installing Shibboleth Identity Provider 3.2.1
8) Configuring Tomcat 8
9) Speeding up Tomcat 8 startup
10) Configuring the Shibboleth IdP
11) Appendix A: Attribute Filter compliant with the R&S Entity Category
12) Appendix B: Attribute Filter compliant with the CoCo Entity Category
13) Appendix C: Attribute Filter for the IDEM required attributes
14) Appendix D: Importing the metadata from the previous IdP v2.x
15) Appendix E: Importing the persistent-ids from a previous database
1 Introduction
This document guides the user through the installation of a Shibboleth IdP v3.2.1 with
Apache 2.4 (as front-end) and Tomcat 8 on a Linux Fedora 24 Server Edition distribution.
2 Hardware requirements
• 2 CPU
• 4 GB RAM
• 20 GB disk
3 Software to install
• ca-certificates
• ntp
• java-1.8.0-openjdk
• tomcat
• httpd
• expat
• vim-enhanced
• Shibboleth IdP (http://www.shibboleth.net/downloads/identity-provider/latest/)
4 Requesting the HTTPS server certificate for the IdP
1) In line with the technical specifications of the IDEM Federation, a certificate issued by a
recognised CA must be installed on port 443. Within the GARR community the server
certificate service called TCS (TERENA Certificate Service) is active. TCS certificates are
issued by a commercial CA, specifically DigiCert CA.
• The list of organisations where the TCS service is already active is available at
https://ca.garr.it/TCS/tab.php
• If the service is not yet active at your organisation, you can contact GARR Certification
Service to start the activation procedure (e-mail to [email protected])
2) To generate a certificate request, follow the instructions given in the TCS documentation
pages (https://ca.garr.it/TCS/doc_server.php)
3) Certificate requests must be sent to the TCS contacts within your organisation (called TCS
Administrative Contacts). To learn the names of the Administrative Contacts appointed within
your institution, send a request e-mail to [email protected]
4) In this guide the /tmp folder is taken as the one containing the server certificate and key
and the DigiCert CA certificate that issued them.
5 Installing the required packages
1. Install the standard packages:
• dnf install vim-enhanced java-1.8.0-openjdk ca-certificates openssl tomcat httpd mod_ssl expat ntp
2. Disable SELinux
• vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
• sudo reboot
• Check that the command "getenforce" returns "Disabled"
3. Configure the Tomcat 8 defaults:
• update-alternatives --config java
• update-alternatives --config javac
• vim /etc/tomcat/tomcat.conf
(copy the Java path without the trailing /bin/java)
JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Djava.awt.headless=true -XX:+DisableExplicitGC -XX:+UseParallelOldGC -Xms256m -Xmx2g -Djava.security.egd=file:/dev/./urandom"
(This configures the JVM memory to satisfy the IdP web application. The memory value depends
on the physical memory of the server. Set Xmx (the maximum heap space available to the JVM)
to at least 2 GB.)
4. Make sure the firewall(s) are configured so as not to block traffic on port 443 (otherwise
your IdP will not be reachable)
5. Move the certificate and key for the HTTPS server from /tmp/ to /root/certificates:
• mkdir /root/certificates
• mv /tmp/idp-cert-server.crt /root/certificates
• mv /tmp/idp-key-server.key /root/certificates
• mv /tmp/DigiCertCA.crt /root/certificates
• chmod 400 /root/certificates/idp-key-server.key
• chmod 644 /root/certificates/idp-cert-server.crt
• chmod 644 /root/certificates/DigiCertCA.crt
• (OPTIONAL) Generate a self-signed certificate and key if you do not yet have the official,
valid ones from DigiCert CA:
openssl req -x509 -newkey rsa:4096 -keyout /root/certificates/idp-key-server.key -out /root/certificates/idp-cert-server.crt -nodes -days 3650
6 Configuring SSL on Apache2 (front-end for Tomcat 8)
1. Edit the file /etc/httpd/conf.d/ssl.conf as follows:
<VirtualHost _default_:443>
ServerName idp.example.garr.it:443
ServerAdmin [email protected]
DocumentRoot /var/www/html
...
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:kEDH+AESGCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA256:AES256-GCM-SHA384:!3DES:!DES:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA:!EDE3:!EDH-DSS-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXPORT:!MD5:!PSK:!RC4-SHA:!aNULL:!eNULL"
SSLHonorCipherOrder on
# Disable SSL Compression
SSLCompression Off
# Enable HTTP Strict Transport Security with a 2 year duration
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
...
SSLCertificateFile /root/certificates/idp-cert-server.crt
SSLCertificateKeyFile /root/certificates/idp-key-server.key
SSLCertificateChainFile /root/certificates/DigiCertCA.crt
...
</VirtualHost>
2. Restart Apache2 to apply the changes:
• service httpd restart
3. Configure Apache2 so that port 80 is open only for localhost:
• vim /etc/httpd/conf/httpd.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
#Listen 12.34.56.78:80
Listen 127.0.0.1:80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
4. Check the security rating obtained by your machine at:
• https://www.ssllabs.com/ssltest/analyze.html
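The following script is an added example, not part of the original guide nor of the Shibboleth or GARR tooling, that checks the files handled in step 5 of section 5 before Apache is restarted with the ssl.conf above: that idp-key-server.key really belongs to idp-cert-server.crt, that the certificate verifies against the DigiCertCA.crt named in SSLCertificateChainFile, and that the private key is mode 400. The directory and file names are the guide's; CERT_DIR and the function names are assumptions. A key/certificate mismatch otherwise only shows up as httpd refusing to start, and a chain that does not verify shows up as browser warnings at login time.

```shell
#!/bin/sh
# Added sanity check for the HTTPS material of sections 5 and 6 (hypothetical helper,
# not part of the guide). CERT_DIR defaults to the /root/certificates folder used above.
CERT_DIR="${CERT_DIR:-/root/certificates}"

# Return 0 if the certificate's public key equals the one derived from the private key.
# Both are exported as SubjectPublicKeyInfo PEM and compared by SHA-256 digest.
# Both files must be readable, otherwise two empty outputs would compare equal.
key_matches_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}')
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 verifies against CA chain file $2 (the DigiCert intermediate).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if the file's octal mode is exactly $2 (e.g. 400). GNU stat first, BSD stat as fallback.
has_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "$2" ]
}

# Run the three checks on the file names used in this guide; prints one line per check
# and returns 1 if any of them fails.
check_cert_dir() {
    dir="${1:-$CERT_DIR}"; rc=0
    cert="$dir/idp-cert-server.crt"; key="$dir/idp-key-server.key"; chain="$dir/DigiCertCA.crt"
    if key_matches_cert "$cert" "$key"; then echo "OK   private key matches certificate"
    else echo "FAIL private key does not match certificate"; rc=1; fi
    if chain_verifies "$cert" "$chain"; then echo "OK   certificate verifies against $chain"
    else echo "FAIL certificate does not verify against $chain"; rc=1; fi
    if has_mode "$key" 400; then echo "OK   $key has mode 400"
    else echo "FAIL $key is not mode 400"; rc=1; fi
    return $rc
}

# Usage: check_cert_dir /root/certificates
```

Run it as root after moving the files. With the optional self-signed certificate from section 5 there is no DigiCertCA.crt, so the chain check can only pass if the self-signed certificate itself is used as the chain file.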
7 Installing Shibboleth Identity Provider 3.2.1
1) Become ROOT:
• sudo su -
2) Move into the /usr/local/src folder:
• cd /usr/local/src
3) Download Shibboleth IdP 3.2.1:
• wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
• tar -xzvf shibboleth-identity-provider-3.2.1.tar.gz
• cd shibboleth-identity-provider-3.2.1
4) Install the IdP v3.x.y through its install.sh:
• export JAVA_HOME="/usr/lib/jvm/jre"
• ./bin/install.sh
root@idp:/usr/local/src/shibboleth-identity-provider-3.2.1# ./bin/install.sh
Source (Distribution) Directory: [/usr/local/src/shibboleth-identity-provider-3.2.1]
Installation Directory: [/opt/shibboleth-idp]
Hostname: [localhost.localdomain]
idp.example.garr.it
SAML EntityID: [https://idp.example.garr.it/idp/shibboleth]
Attribute Scope: [localdomain]
example.garr.it
Backchannel PKCS12 Password:
###PASSWORD-PER-BACKCHANNEL###
Re-enter password:
###PASSWORD-PER-BACKCHANNEL###
Cookie Encryption Key Password:
###PASSWORD-PER-COOKIE-ENCRYPTION###
Re-enter password:
###PASSWORD-PER-COOKIE-ENCRYPTION###
From this point on the variable "idp.home" refers to the folder "/opt/shibboleth-idp".
5) Import the JSTL libraries needed to display the IdP "status" page:
• cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
• wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
• cd /opt/shibboleth-idp/bin ; ./build.sh -Didp.target.dir=/opt/shibboleth-idp
6) Change the permissions to allow the tomcat user to access the IdP directories:
• chown -R tomcat /opt/shibboleth-idp/logs/
• chown -R tomcat /opt/shibboleth-idp/metadata/
• chown -R tomcat /opt/shibboleth-idp/credentials/
• chown -R tomcat /opt/shibboleth-idp/conf/
8 Configuring Tomcat 8
1) Become ROOT:
• sudo su -
2) Edit "server.xml":
• vim /etc/tomcat/server.xml
comment out the <Connector port="8080" (HTTP) and modify the 8009 Connector (AJP):
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443"
address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"/>
• Check the integrity of the XML file just edited with:
◦ xmlwf -e UTF-8 /etc/tomcat/server.xml
3) Tell Tomcat 8 where the IdP WAR file is, located in /opt/shibboleth-idp/war/idp.war, through a context deployment fragment:
The usual procedure for deploying web applications in Tomcat is to copy the WAR file into
Tomcat's webapps/ folder.
However, when this is done, Tomcat expands the WAR file (producing the idp/ folder in
webapps/ without deleting the WAR file) and loads the new version of the application into
"$CATALINA_HOME/work/Catalina/localhost/".
This can cause a previous version of the WAR to be used even if a new version is copied to
the right location (webapps/).
To avoid this inconvenience it is recommended to use a context deployment fragment. This
means that a small piece of XML is used to tell Tomcat where to pick up the WAR and to
supply some properties to use when Tomcat loads the application.
4) Create and edit the file "idp.xml":
• vim /etc/tomcat/Catalina/localhost/idp.xml
and paste the following piece of code into it:
<Context docBase="/opt/shibboleth-idp/war/idp.war"
privileged="true"
antiResourceLocking="false"
swallowOutput="true"/>
5) Create the Apache2 configuration file for the IdP:
• vim /etc/httpd/conf.d/idp.conf
<Proxy ajp://localhost:8009>
Require all granted
</Proxy>
ProxyPass /idp ajp://localhost:8009/idp retry=5
ProxyPassReverse /idp ajp://localhost:8009/idp retry=5
• service httpd restart
6) Edit context.xml to prevent "lack of persistence of the session objects" errors created by the IdP:
• vim /etc/tomcat/context.xml
and uncomment:
<Manager pathname="" />
7) Start the Tomcat 8 server container:
• service tomcat start
8) Check that the IdP works:
• https://idp.example.garr.it/idp/shibboleth (it should show its metadata)
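An added check, not part of the guide, for the server.xml edits of step 2. Apache is meant to be the only way in, so the HTTP connector on 8080 must stay commented out and the AJP connector must carry address="127.0.0.1": without that attribute the Tomcat 8 releases of that time bind AJP to every interface, and with tomcatAuthentication="false" any host that can reach 8009 could present its own user identity to the IdP. Comments are stripped first so that a commented-out connector is not reported as active; xmlwf from the page remains the check for well-formedness. SERVER_XML and the function names are assumptions.

```shell
#!/bin/sh
# Added check for the Tomcat 8 settings of section 8 (hypothetical helper, not from the guide).
# SERVER_XML is an assumption; it defaults to the file edited in step 2.
SERVER_XML="${SERVER_XML:-/etc/tomcat/server.xml}"

# Print the file with every <!-- ... --> comment removed, including multi-line ones,
# so that a commented-out connector is not mistaken for an active one.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# Return 0 if no active connector still listens on port 8080.
http_connector_disabled() {
    ! strip_xml_comments "$1" | grep -q 'port="8080"'
}

# Return 0 if the AJP connector on 8009 exists and is bound to address="127.0.0.1".
# Attributes may span several lines (as in the guide), so lines are joined before matching.
ajp_connector_local() {
    el=$(strip_xml_comments "$1" | tr '\n' ' ' | grep -o '<Connector[^>]*port="8009"[^>]*>')
    [ -n "$el" ] && printf '%s\n' "$el" | grep -q 'address="127.0.0.1"'
}

# Run both checks and report; returns 1 if either fails.
check_server_xml() {
    f="${1:-$SERVER_XML}"; rc=0
    if http_connector_disabled "$f"; then echo "OK   no active HTTP connector on 8080"
    else echo "FAIL an HTTP connector on 8080 is still active in $f"; rc=1; fi
    if ajp_connector_local "$f"; then echo "OK   AJP connector on 8009 bound to 127.0.0.1"
    else echo "FAIL AJP connector on 8009 missing or not bound to 127.0.0.1"; rc=1; fi
    return $rc
}

# Usage: check_server_xml /etc/tomcat/server.xml
```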
9 Speeding up Tomcat 8 startup
1. Find the JARs that do not need to be scanned with:
• cd /opt/shibboleth-idp/
• ls webapp/WEB-INF/lib | awk '{print $1",\\"}'
2. Append the list produced by the previous command to the entry
"tomcat.util.scan.StandardJarScanFilter.jarsToSkip" in "/etc/tomcat/catalina.properties"
3. Restart the Tomcat 8 container to check the speed-up obtained:
• service tomcat restart
10 Configuring the Shibboleth IdP
1) Become ROOT:
• sudo su -
2) The IdP installation is complete, let's test it!
Add the following line to /etc/hosts:
127.0.1.1 idp.example.garr.it idp
Open a terminal and run the following commands to check that it works:
• cd /opt/shibboleth-idp/bin
• ./status.sh
You should receive information about the IdP ==> IdP working over HTTPS
3) Install a MySQL database and import the libraries needed by Tomcat and Shibboleth:
• dnf install mariadb-server mysql-connector-java
• cp /usr/share/java/mysql-connector-java.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
• cp /usr/share/java/mysql-connector-java.jar /usr/share/tomcat/lib/
• cp /usr/share/tomcat/lib/tomcat-jdbc.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
4) Install the Tomcat Common Pool libraries used to generate the new saml-id:
• cd /usr/local/src/
• wget https://www.apache.org/dist/commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
• tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
• cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
5) Rebuild the Shibboleth idp.war with the new libraries:
• export JAVA_HOME="/usr/lib/jvm/jre"
• cd /opt/shibboleth-idp/ ; ./bin/build.sh
6) Configure the MySQL service:
• service mariadb start
• mysql_secure_installation
(and follow the steps answering YES (Y) to all questions)
7) Create the "shibpid" table for managing the persistent-id (formerly eduPersonTargetedID) as
StoredID type, and the "StorageRecords" table for managing users' informed consent on the
release of their attributes:
• mysql -u root -p
• mysql> SET NAMES 'utf8';
• mysql> SET CHARACTER SET utf8;
• mysql> CHARSET utf8;
• mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
• mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
• mysql> USE shibboleth;
• mysql> CREATE TABLE shibpid
-> (
-> localEntity VARCHAR(255) NOT NULL,
-> peerEntity VARCHAR(255) NOT NULL,
-> persistentId VARCHAR(50) NOT NULL,
-> principalName VARCHAR(50) NOT NULL,
-> localId VARCHAR(50) NOT NULL,
-> peerProvidedId VARCHAR(50) NULL,
-> creationDate TIMESTAMP NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
-> deactivationDate TIMESTAMP NULL default NULL,
-> PRIMARY KEY (localEntity, peerEntity, persistentId)
-> );
• mysql> CREATE TABLE StorageRecords
-> (
-> context VARCHAR(255) NOT NULL,
-> id VARCHAR(255) NOT NULL,
-> expires BIGINT(20) DEFAULT NULL,
-> value LONGTEXT NOT NULL,
-> version BIGINT(20) NOT NULL,
-> PRIMARY KEY (context, id)
-> );
• mysql> quit;
8) Create a user "idem" with password "demo" able to access and modify the "shibboleth" DB:
(both the user name "idem" and the password "demo" must be chosen by the installer)
• mysql -u root -p
• mysql> USE mysql;
• mysql> CREATE USER idem;
• mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost' IDENTIFIED BY 'demo';
• mysql> FLUSH PRIVILEGES;
• mysql> quit;
9) Restart the mysql server:
• service mariadb restart
10) Uncomment the SAML2 Persistent Identifier generator in saml-nameid.xml:
• vim /opt/shibboleth-idp/conf/saml-nameid.xml
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
<ref bean="shibboleth.SAML2TransientGenerator" />
<!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
<ref bean="shibboleth.SAML2PersistentGenerator" />
<!--
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
</util:list>
11) Enable the JPAStorageService for the StorageService and MyDataSource for storing the
users' persistent identifiers (persistent-id):
• vim /opt/shibboleth-idp/conf/global.xml
(append at the end, before the closing </beans>, the following code fragment, changing the
username and password for accessing the "shibboleth" DB as appropriate)
<bean id="shibboleth.JPAStorageService"
class="org.opensaml.storage.impl.JPAStorageService"
p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>
<bean id="shibboleth.JPAStorageService.entityManagerFactory"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="packagesToScan" value="org.opensaml.storage.impl"/>
<property name="dataSource" ref="MyDataSource"/>
<property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
<property name="jpaDialect">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
</property>
</bean>
<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="database" value="MYSQL" />
</bean>
<!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
<bean id="MyDataSource" class="org.apache.commons.dbcp.BasicDataSource"
p:driverClassName="com.mysql.jdbc.Driver"
p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
p:username="idem"
p:password="demo"
p:maxActive="10"
p:maxIdle="5"
p:maxWait="15000"
p:testOnBorrow="true"
p:validationQuery="select 1"
p:validationQueryTimeout="5" />
• Edit the IdP properties accordingly:
◦ vim /opt/shibboleth-idp/conf/idp.properties
idp.session.StorageService = shibboleth.JPAStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
12) Fully enable SAML2 support in idp-metadata.xml and disable SAML v1.x support, which is
deprecated:
• vim /opt/shibboleth-idp/metadata/idp-metadata.xml
<IDPSSODescriptor> SECTION:
– From the "protocolSupportEnumeration" list remove:
– urn:oasis:names:tc:SAML:1.1:protocol
– urn:mace:shibboleth:1.0
– Remove the endpoint:
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" …/>
(and change the index of the following one to "1")
– Remove the endpoint:
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
– Below:
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
add the line:
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
(because the IdP installed with this guide releases persistent SAML NameIDs)
– Remove the endpoint:
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" …/>
– Remove every ":8443" from the URLs present (that port is no longer used)
<AttributeAuthorityDescriptor> SECTION:
– In the "protocolSupportEnumeration" list replace the value:
"urn:oasis:names:tc:SAML:1.1:protocol"
with
"urn:oasis:names:tc:SAML:2.0:protocol"
– Uncomment:
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" .../>
– Remove the endpoint:
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" .../>
– Remove the endpoint:
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
– Remove every ":8443" from the URLs present (that port is no longer used)
13) Configure the IdP to retrieve the IDEM Test Federation metadata:
• cd /opt/shibboleth-idp/conf
• vim metadata-providers.xml
<MetadataProvider
id="URLMD-IDEM-Federation"
xsi:type="FileBackedHTTPMetadataProvider"
minRefreshDelay="PT5M"
maxRefreshDelay="PT1H"
refreshDelayFactor="0.75"
backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">
<!--
Verify the signature on the root element of the metadata aggregate
using a trusted metadata signing certificate.
-->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>
<!--
Require a validUntil XML attribute on the root element and
make sure its value is no more than 14 days into the future.
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
• Download the metadata signing certificate:
◦ wget https://idem.garr.it/documenti/doc_download/321-idem-metadatasigner-2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
• Check its validity:
◦ cd /opt/shibboleth-idp/metadata
◦ openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
must return
sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
◦ openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout
must return
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE
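An added example, not from the guide, that turns the fingerprint comparison of this step into a scripted check: the downloaded PEM is accepted only if its fingerprint equals the value obtained out of band (the guide publishes SHA-1 and MD5 values; the function also takes sha256, which is the digest to prefer whenever a SHA-256 value is published), and the certificate is checked for expiry, since the SignatureValidation filter above silently rejects every metadata refresh once the signer certificate has expired. The function names are assumptions.

```shell
#!/bin/sh
# Added pinning check for the metadata signing certificate of step 13
# (hypothetical helper, not part of the guide).

# Print the colon-separated fingerprint of PEM certificate $1 using digest $2
# (sha1, md5 or sha256), upper-case, without the "SHA1 Fingerprint=" prefix.
# Prints nothing if the file is missing or not a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" 2>/dev/null \
        | sed 's/^.*=//' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only if the fingerprint of $1 computed with digest $2 equals the expected
# value $3 (case-insensitive). An unreadable or malformed PEM never matches.
verify_signer_fingerprint() {
    actual=$(cert_fingerprint "$1" "$2")
    expected=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Return 0 if certificate $1 is still valid $2 seconds from now (default 0: not yet expired).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Usage with the SHA-1 value the guide publishes for idem_signer_2019.pem:
# verify_signer_fingerprint /opt/shibboleth-idp/metadata/idem_signer_2019.pem sha1 \
#     2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8 \
#     && cert_not_expiring /opt/shibboleth-idp/metadata/idem_signer_2019.pem 2592000 \
#     && echo "signer certificate pinned and valid for at least 30 days"
```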
14) Configure authentication for your users with an openLDAP server:
• vim /opt/shibboleth-idp/conf/ldap.properties
(with the *TLS solutions, remember to put the LDAP server certificate in
/opt/shibboleth-idp/credentials and give it the right permissions:
'chown tomcat ldap-server.crt')
◦ Solution 1 - LDAP with STARTTLS:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 2 - LDAP with TLS/SSL:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 3 - LDAP in clear text:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
If you use Solution 3 "in clear text", remember to comment out the code that uses
"trustCertificates" in attribute-resolver-full.xml:
</dc:FilterTemplate>
<!--
<dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
<sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
</dc:StartTLSTrustCredential>
-->
</resolver:DataConnector>
UTILITIES FOR OPENLDAP ADMINISTRATORS:
• ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
▪ the baseDN ==> ou=people,dc=example,dc=garr,dc=it
(branch containing the registered users)
▪ the bindDN ==> cn=admin,dc=example,dc=garr,dc=it
(branch of the user able to read and query the LDAP)
Enrich the idp-process.log with LDAP authentication errors:
◦ vim /opt/shibboleth-idp/conf/logback.xml
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
<!-- Logs on LDAP user authentication -->
<logger name="org.ldaptive.auth.Authenticator" level="INFO" />
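An added audit, not part of the guide, of the ldap.properties choices above. It reports Solution 3 as a failure, because with clear-text LDAP the bind password and every user's password cross the network unencrypted; for Solutions 1 and 2 it verifies that the file named by trustCertificates actually exists under idp.home (a missing trust certificate makes every login fail with a TLS error that is easy to "fix" by switching to Solution 3), and it catches a bindDNCredential left at the ###...### placeholder. The function names and the second idp.home argument are assumptions.

```shell
#!/bin/sh
# Added audit for the ldap.properties solutions of step 14 (hypothetical helper, not from the guide).

# Print the value of property $1 from file $2 (last occurrence wins), trimming trailing spaces.
prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Audit one ldap.properties file; $2 is idp.home (default /opt/shibboleth-idp), used to
# resolve %{idp.home} in trustCertificates. Prints one line per check, returns 1 on any FAIL.
audit_ldap_properties() {
    f="$1"; idp_home="${2:-/opt/shibboleth-idp}"; rc=0
    url=$(prop idp.authn.LDAP.ldapURL "$f")
    starttls=$(prop idp.authn.LDAP.useStartTLS "$f")
    ssl=$(prop idp.authn.LDAP.useSSL "$f")
    if [ "$starttls" != "true" ] && [ "$ssl" != "true" ]; then
        echo "FAIL $url: neither StartTLS nor LDAPS enabled, bind and user passwords travel in clear text"; rc=1
    else
        echo "OK   $url: TLS enabled (useStartTLS=$starttls useSSL=$ssl)"
        trust=$(prop idp.authn.LDAP.trustCertificates "$f" | sed "s|%{idp.home}|$idp_home|")
        if [ -z "$trust" ]; then
            echo "FAIL TLS enabled but idp.authn.LDAP.trustCertificates is not set"; rc=1
        elif [ ! -r "$trust" ]; then
            echo "FAIL trust certificate $trust is missing or unreadable"; rc=1
        else
            echo "OK   trust certificate present: $trust"
        fi
    fi
    case "$(prop idp.authn.LDAP.bindDNCredential "$f")" in
        ''|'###'*) echo "FAIL idp.authn.LDAP.bindDNCredential is empty or still a placeholder"; rc=1 ;;
        *) echo "OK   idp.authn.LDAP.bindDNCredential is set" ;;
    esac
    return $rc
}

# Usage: audit_ldap_properties /opt/shibboleth-idp/conf/ldap.properties /opt/shibboleth-idp
```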
• Download the file "attribute-resolver-v3-idem.xml" with the definitions of the various attributes:
◦ cd /opt/shibboleth-idp/conf
◦ wget http://www.garr.it/idem-conf/attribute-resolver-v3-idem.xml
• Add the federation's attribute-resolver to those considered by the IdP:
◦ vim /opt/shibboleth-idp/conf/services.xml
<util:list id ="shibboleth.AttributeResolverResources">
<value>%{idp.home}/conf/attribute-resolver.xml</value>
<value>%{idp.home}/conf/attribute-resolver-v3-idem.xml</value>
</util:list>
• Release the mandatory attributes established by the IDEM Federation:
◦ Download the default ARP "attribute-filter-v3-idem.xml" for releasing the mandatory
attributes and using the basic IDEM resources:
▪ cd /opt/shibboleth-idp/conf
▪ wget http://www.garr.it/idem-conf/attribute-filter-v3-idem.xml
◦ Add the federation's "attribute-filter-v3-idem.xml" to those considered by the IdP:
▪ vim /opt/shibboleth-idp/conf/services.xml
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
• Enable the new persistent-id generation method (replacement for the eduPersonTargetedID attribute):
◦ vim /opt/shibboleth-idp/conf/saml-nameid.properties
(the sourceAttribute must be an attribute, or a comma-separated list of attributes, whose values
uniquely identify the subject of the persistent identifier. It must be STABLE, PERMANENT and
NON-REASSIGNABLE.)
idp.persistentId.sourceAttribute = uid
…
idp.persistentId.algorithm = SHA
idp.persistentId.salt = ### result of 'openssl rand -base64 36' ###
…
idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = MyDataSource
…
idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
▪ Edit the subject-c14n for handling the SAML2 Persistent ID:
• vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
◦ Uncomment the "c14n/SAML2Persistent" bean
▪ Edit the Default RelyingParty to release the persistent-id to everyone by default:
• vim /opt/shibboleth-idp/conf/relying-party.xml
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
<bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
p:nameIDFormatPrecedence="#{{ 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent','urn:oasis:names:tc:SAML:2.0:nameid-format:transient' }}" />
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<ref bean="SAML2.AttributeQuery" />
<ref bean="SAML2.ArtifactResolution" />
<ref bean="Liberty.SSOS" />
</list>
</property>
</bean>
15) Translate the Login page, the Informed Consent page on the release of user attributes, the
IdP Terms of Use page and the error pages into your preferred language:
• Open the page containing the translated files: CLICK HERE
• Retrieve the 3 files for your language and put them in /opt/shibboleth-idp/messages
• Restart Tomcat 8:
◦ service tomcat restart
16) Register the IdP metadata, obtainable from the URL
"https://##idp.example.garr.it##/idp/shibboleth"
in the IDEM Entity Registry: https://registry.idem.garr.it/rr3
(in case of problems contact [email protected])
17) Wait for the metadata to propagate (1 day).
18) Check that the Login page appears after accessing your IdP from the page of a Test Service
Provider, https://sp-test.garr.it/secure or https://sp24-test.garr.it/secure, sent by [email protected].
11 Appendix A: Attribute Filter compliant with the R&S Entity Category
1. Download the file "attribute-filter-v3-rs.xml" provided by IDEM:
• cd /opt/shibboleth-idp/conf
• wget http://www.garr.it/idem-conf/attribute-filter-v3-rs.xml
2. Add the federation's R&S attribute-filter to those considered by the IdP:
• vim /opt/shibboleth-idp/conf/services.xml
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
3. Reload the IdP attribute filter with:
• cd /opt/shibboleth-idp/bin
• ./reload-service.sh -id shibboleth.AttributeFilterService
12 Appendix B: Attribute Filter compliant with the CoCo Entity Category
1. Download the file "attribute-filter-v3-coco.xml" provided by IDEM:
• cd /opt/shibboleth-idp/conf
• wget http://www.garr.it/idem-conf/attribute-filter-v3-coco.xml
2. Add the federation's attribute-filter to those considered by the IdP:
• vim /opt/shibboleth-idp/conf/services.xml
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
3. Reload the IdP attribute filter with:
• cd /opt/shibboleth-idp/bin
• ./reload-service.sh -id shibboleth.AttributeFilterService
13 Appendix C: Attribute Filter for the IDEM required attributes
1. Download the file "attribute-filter-v3-required.xml" provided by IDEM:
• cd /opt/shibboleth-idp/conf
• wget http://www.garr.it/idem-conf/attribute-filter-v3-required.xml
2. Add the attribute-filter for the federation's resources to those considered by the IdP:
• vim /opt/shibboleth-idp/conf/services.xml
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-required.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
3. Reload the IdP attribute filter with:
• cd /opt/shibboleth-idp/bin
• ./reload-service.sh -id shibboleth.AttributeFilterService
14 Appendix D: Import the metadata from the previous IdP v2.x
The following steps keep the metadata of the previous IdP already registered in IDEM.
You have to retrieve these files from the previous IdP:
• idp-metadata.xml (inside /opt/shibboleth-idp/metadata)
• idp.crt
• idp.key
Assuming the files above have been placed in the directory “/tmp”, follow these steps:
• sudo su -
• mv /tmp/idp-metadata.xml /opt/shibboleth-idp/metadata
• cd /opt/shibboleth-idp/credentials/
• rm idp-encryption.crt idp-backchannel.crt idp-encryption.key idp-signing.crt idp-signing.key
• ln -s idp.crt idp-encryption.crt
• ln -s idp.key idp-encryption.key
• ln -s idp.key idp-signing.key
• ln -s idp.crt idp-signing.crt
• ln -s idp.crt idp-backchannel.crt
• openssl pkcs12 -export -in idp-encryption.crt -inkey idp-encryption.key -out idp-backchannel.p12 -password pass:#YOUR.BACKCHANNEL.CERT.PASSWORD#
The EntityID in the metadata of the “old” IdP MUST BE THE SAME as the one in the metadata of the “new” IdP in idp-metadata.xml. Check the EntityID value on the line
# Set the entityID of the IdP
idp.entityID= https://...
of the configuration file /opt/shibboleth-idp/conf/idp.properties.
15 Appendix E: Import the persistent-id from a previous database
1. Dump the table shibpid of the previous DB “userdb” and of the new DB “shibboleth”:
• cd /tmp
• mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
• mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
2. Import the previous values into the new DB “shibboleth”, making sure that the column order of the old table “userdb.shibpid” matches exactly that of the new table “shibboleth.shibpid” before running the import. THEY MUST MATCH, because the population of the new DB “shibboleth” depends on it.
To make the import easier, follow these steps with the file “userdb_shibpid.sql”:
a) Change the DB name in the first lines of the dump to “shibboleth”.
b) From the dump “shibboleth_shibpid.sql” copy the section “Table structure for table `shibpid`” and paste it into “userdb_shibpid.sql” below the one already present.
c) Reorder the columns of the pasted “shibboleth.shibpid” section so that they match exactly those of the previous “shibpid” table of “userdb”.
d) Delete the “Table structure for table `shibpid`” section of “userdb”.
e) Save and import the values into the new DB “shibboleth”:
▪ mysql -u root -p shibboleth < userdb_shibpid.sql
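The column-order problem in step 2 disappears if the columns are named in the INSERT instead of being matched by position in the dump. The script below is an added example, not part of this HOWTO or of Shibboleth: it reads two CREATE TABLE statements of the kind mysqldump writes, reports whether a positional insert would be safe, and emits an INSERT ... SELECT that maps every column by name, refusing to continue if the new table needs a column the old one lacks. The v3 DDL mirrors the shibpid table created in section 10; the v2 column order, the table names userdb.shibpid and shibboleth.shibpid and the sample DDL text are constructed for the example.

```python
"""Build a column-mapped INSERT ... SELECT for migrating shibpid rows.

Added example (not part of the HOWTO or of Shibboleth): the two CREATE
TABLE statements are constructed samples; the v3 one mirrors the table
from section 10, the v2 column order is an assumption for illustration.
"""
import re

V3_DDL = """
CREATE TABLE `shibpid` (
  `localEntity` varchar(255) NOT NULL,
  `peerEntity` varchar(255) NOT NULL,
  `persistentId` varchar(50) NOT NULL,
  `principalName` varchar(50) NOT NULL,
  `localId` varchar(50) NOT NULL,
  `peerProvidedId` varchar(50) DEFAULT NULL,
  `creationDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `deactivationDate` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`localEntity`,`peerEntity`,`persistentId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
"""

# Constructed "old" table: same columns, different physical order.
V2_DDL = """
CREATE TABLE `shibpid` (
  `localEntity` varchar(255) NOT NULL,
  `peerEntity` varchar(255) NOT NULL,
  `principalName` varchar(50) NOT NULL,
  `localId` varchar(50) NOT NULL,
  `persistentId` varchar(50) NOT NULL,
  `peerProvidedId` varchar(50) DEFAULT NULL,
  `creationDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `deactivationDate` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`localEntity`,`peerEntity`,`persistentId`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
"""

# A column definition in a mysqldump looks like "  `name` type ...";
# index lines (PRIMARY KEY, KEY, UNIQUE) do not start with a backtick.
COLUMN_RE = re.compile(r"^\s*`([A-Za-z_][A-Za-z0-9_]*)`\s+\w", re.MULTILINE)


def column_names(ddl):
    """Column names of a CREATE TABLE statement, in declared order."""
    return COLUMN_RE.findall(ddl)


def same_column_order(src_ddl, dst_ddl):
    """True only if a positional (unnamed) INSERT would be safe."""
    return column_names(src_ddl) == column_names(dst_ddl)


def migration_sql(src_ddl, dst_ddl, src_table="userdb.shibpid",
                  dst_table="shibboleth.shibpid"):
    """INSERT ... SELECT that names every destination column explicitly."""
    src_cols = column_names(src_ddl)
    dst_cols = column_names(dst_ddl)
    missing = [c for c in dst_cols if c not in src_cols]
    if missing:
        raise ValueError("destination columns absent from source: %s"
                         % ", ".join(missing))
    cols = ", ".join("`%s`" % c for c in dst_cols)
    return "INSERT INTO %s (%s) SELECT %s FROM %s;" % (
        dst_table, cols, cols, src_table)


if __name__ == "__main__":
    print("positional insert safe:", same_column_order(V2_DDL, V3_DDL))
    print(migration_sql(V2_DDL, V3_DDL))
```

The generated statement is run against the new server after both dumps have been loaded into their own databases, so the old rows are copied by column name and steps b) to d) of the manual dump surgery are not needed.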
HOWTO Installation Shibboleth Identity Provider v3.2.1 on Linux Fedora 24 Server Edition
September 15th, 2016
Authors: Alessandro Enea, Marco Malavolti
Credits: Switch AAI, Shibboleth
Index
1) Introduction
2) Hardware Requirements
3) Software Requirements
4) Request a SSL certificate for port 443 of IdP server
5) Install the required packages
6) Configure SSL on Apache2 (Tomcat 8 front-end)
7) Install Shibboleth Identity Provider 3.2.1
8) Configure Tomcat 8
9) Speed up Tomcat 8 startup
10) Configure IdP Shibboleth
11) Appendix A: Attribute Filter R&S Entity Category compliant
12) Appendix B: Attribute Filter CoCo Entity Category compliant
13) Appendix C: Attribute Filter IDEM required
14) Appendix D: Import metadata from previous IDP v2.x
15) Appendix E: Import persistent-id from a previous database
1 Introduction
This document aims to guide the user on the installation and configuration of an Identity Provider
Shibboleth v3.2.1 with Tomcat 8, and Apache 2.4 in front of it, on Linux Fedora 24 Server Edition.
2 Hardware Requirements
• 2 CPU
• 4 GB RAM
• 20 GB Storage
3 Software Requirements
• ca-certificates
• ntp
• java-1.8.0-openjdk
• tomcat
• httpd
• expat
• vim-enhanced
• Shibboleth idp (http://www.shibboleth.net/downloads/identity-provider/latest/)
4 Request a SSL certificate for port 443 of IdP server
1) According to the “specifiche tecniche” of the IDEM Federation you are required to get and deploy an SSL certificate from a root CA in order to protect connections to port 443. For GARR members the TCS service (TERENA Certificate Service) is available. Certificates issued under the TCS service, at the time of writing, have DigiCert as root CA. Please consider the following facts:
• An up-to-date list of Organizations already part of the TCS service is available at https://ca.garr.it/TCS/tab.php, together with the current list of admins and users for each Institution.
• If your Organization needs to join the TCS service, please contact the GARR Certification Service in order to receive further instructions (e-mail to [email protected]).
2) A technical guide to request an SSL certificate is available on the TCS website: https://ca.garr.it/TCS/doc_server.php
3) Certificate Requests must be forwarded to the TCS admins of your Institution or submitted directly to the TCS portal (https://www.digicert.com/account) if you have a TCS user account.
4) From now on we will consider the /tmp directory as the base directory for the key and certificate of the server and for the certificate of the DigiCert CA that has issued them.
5 Install the required packages
1. Install the required packages:
• dnf install vim-enhanced java-1.8.0-openjdk ca-certificates openssl tomcat httpd mod_ssl expat ntp
2. Disable SELinux:
• vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
• sudo reboot
• check that the command “getenforce” returns “Disabled”
3. Configure /etc/tomcat/tomcat.conf:
• update-alternatives --config java
• update-alternatives --config javac
• vim /etc/tomcat/tomcat.conf
(copy the path without /bin/java)
JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Djava.awt.headless=true -XX:+DisableExplicitGC -XX:+UseParallelOldGC -Xms256m -Xmx2g -Djava.security.egd=file:/dev/./urandom"
4. Be sure that your firewall doesn't block the traffic on port 443 (otherwise you can't access your IdP).
5. Move the certificate and the key file of the HTTPS server from /tmp/ to /root/certificates:
• mkdir /root/certificates
• mv /tmp/idp-cert-server.crt /root/certificates
• mv /tmp/idp-key-server.key /root/certificates
• mv /tmp/DigiCertCA.crt /root/certificates
• chmod 400 /root/certificates/idp-key-server.key
• chmod 644 /root/certificates/idp-cert-server.crt
• chmod 644 /root/certificates/DigiCertCA.crt
• Create a self-signed certificate and key if you don't have the official ones provided by the DigiCert CA:
openssl req -x509 -newkey rsa:4096 -keyout /root/certificates/idp-key-server.key -out /root/certificates/idp-cert-server.crt -nodes -days 3650
6 Configure SSL on Apache2 (Tomcat 8 front-end)
1. Modify the file /etc/httpd/conf.d/ssl.conf as follows:
• vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
ServerName idp.example.garr.it:443
ServerAdmin [email protected]
DocumentRoot /var/www/html
...
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite "kEDH+AESGCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA256:AES256-GCM-SHA384:!3DES:!DES:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA:!EDE3:!EDH-DSS-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXPORT:!MD5:!PSK:!RC4-SHA:!aNULL:!eNULL"
SSLHonorCipherOrder on
# Disable SSL Compression
SSLCompression Off
# Enable HTTP Strict Transport Security with a 2 year duration
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
...
SSLCertificateFile /root/certificates/idp-cert-server.crt
SSLCertificateKeyFile /root/certificates/idp-key-server.key
SSLCertificateChainFile /root/certificates/DigiCertCA.crt
...
</VirtualHost>
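The settings above can be checked before the SSL Labs scan in step 4, which only sees the server after it is exposed. The script below is an added example, not part of this HOWTO: it reads a VirtualHost block and verifies that the legacy protocols are excluded, that the cipher string rejects anonymous, null, MD5 and RC4 suites, that the server enforces its own cipher order, that compression is off and that HSTS is set for at least one year. Both sample configurations are constructed; the first mirrors the page's settings with a shortened cipher list, the second is a deliberately weak variant used to show what the checker reports.

```python
"""Static check of an Apache ssl.conf VirtualHost against the hardening
settings of section 6. Added example, not part of the HOWTO; both sample
configurations below are constructed."""
import re

HARDENED = """
<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:!MD5:!RC4-SHA:!aNULL:!eNULL"
    SSLHonorCipherOrder on
    SSLCompression Off
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
"""

# Constructed weak variant: SSLv3/TLSv1 allowed, RC4 offered, compression on,
# no cipher-order enforcement, no HSTS.
WEAK = """
<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCipherSuite "ALL:RC4-SHA"
    SSLCompression On
</VirtualHost>
"""

ONE_YEAR = 31536000


def parse_directives(conf):
    """Map directive name -> argument string (a repeated directive keeps
    its last value, which is how Apache resolves most of these)."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # comments and section tags
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives


def check_tls_config(conf):
    """Return the list of findings; an empty list means every check passed."""
    d = parse_directives(conf)
    findings = []
    protocols = d.get("SSLProtocol", "").split()
    for legacy in ("SSLv2", "SSLv3", "TLSv1"):
        if "-" + legacy not in protocols:
            findings.append("SSLProtocol does not exclude %s" % legacy)
    ciphers = d.get("SSLCipherSuite", "").strip('"')
    for weak in ("aNULL", "eNULL", "MD5", "RC4"):
        if "!" + weak not in ciphers:
            findings.append("SSLCipherSuite does not reject %s" % weak)
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if d.get("SSLCompression", "").lower() != "off":
        findings.append("SSLCompression is not Off")
    m = re.search(r'Strict-Transport-Security\s+"max-age=(\d+)',
                  d.get("Header", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS header missing or max-age shorter than one year")
    return findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_tls_config(conf) or "OK")
```

The check is textual: it confirms the directives say what section 6 wants, not that mod_ssl was built with the listed suites, so the external scan in step 4 is still worth running.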
2. Restart Apache2 to apply the changes:
• service httpd restart
3. Configure Apache2 to open port 80 only for localhost:
• vim /etc/httpd/conf/httpd.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
#Listen 12.34.56.78:80
Listen 127.0.0.1:80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
4. Verify the strength of your IdP's TLS configuration on:
• https://www.ssllabs.com/ssltest/analyze.html
7 Install Shibboleth Identity Provider 3.2.1
1) Become ROOT:
• sudo su -
2) Move to the directory /usr/local/src:
• cd /usr/local/src
3) Download the Shibboleth IdP 3.2.1:
• wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
• tar -xzvf shibboleth-identity-provider-3.2.1.tar.gz
• cd shibboleth-identity-provider-3.2.1
4) Run the installer “install.sh”:
• ./bin/install.sh
root@idp:/usr/local/src/shibboleth-identity-provider-3.2.1# ./bin/install.sh
Source (Distribution) Directory: [/usr/local/src/shibboleth-identity-provider-3.2.1]
Installation Directory: [/opt/shibboleth-idp]
Hostname: [localhost.localdomain]
idp.example.garr.it
SAML EntityID: [https://idp.example.garr.it/idp/shibboleth]
Attribute Scope: [localdomain]
example.garr.it
Backchannel PKCS12 Password:
###PASSWORD-FOR-BACKCHANNEL###
Re-enter password:
###PASSWORD-FOR-BACKCHANNEL###
Cookie Encryption Key Password:
###PASSWORD-FOR-COOKIE-ENCRYPTION###
Re-enter password:
###PASSWORD-FOR-COOKIE-ENCRYPTION###
From this point the variable “idp.home” refers to the directory “/opt/shibboleth-idp”.
5) Import the JSTL library to visualize the IdP “status” page:
• cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
• wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
• cd /opt/shibboleth-idp/bin ; ./build.sh -Didp.target.dir=/opt/shibboleth-idp
6) Change the ownership so that the tomcat user can access the following directories:
• chown -R tomcat /opt/shibboleth-idp/logs/
• chown -R tomcat /opt/shibboleth-idp/metadata/
• chown -R tomcat /opt/shibboleth-idp/credentials/
• chown -R tomcat /opt/shibboleth-idp/conf/
8 Configure Tomcat 8
1) Become ROOT:
• sudo su -
2) Change "server.xml":
• vim /etc/tomcat/server.xml
comment out the <Connector port="8080" ...> (HTTP) and modify the Connector on port 8009 (AJP):
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"/>
• Check the integrity of the modified XML with:
◦ xmlwf -e UTF-8 /etc/tomcat/server.xml
3) Create and edit the file "idp.xml":
• vim /etc/tomcat/Catalina/localhost/idp.xml
and copy inside this piece of code:
<Context docBase="/opt/shibboleth-idp/war/idp.war"
privileged="true"
antiResourceLocking="false"
swallowOutput="true"/>
4) Create the apache2 configuration file for the IdP:
• vim /etc/httpd/conf.d/idp.conf
<Proxy ajp://localhost:8009>
Require all granted
</Proxy>
ProxyPass /idp ajp://localhost:8009/idp retry=5
ProxyPassReverse /idp ajp://localhost:8009/idp retry=5
• service httpd restart
5) Modify context.xml to prevent the error “lack of persistence of the session objects” created by the IdP:
• vim /etc/tomcat/context.xml
and remove the comment from:
<Manager pathname="" />
6) Start the Tomcat Server Container:
• service tomcat start
7) Verify if the IdP works:
• https://idp.example.garr.it/idp/shibboleth (you should see the IdP metadata)
9 Speed up Tomcat 8 startup
1. Find out the JARs that can be skipped from the scanning:
• cd /opt/shibboleth-idp/
• ls webapp/WEB-INF/lib | awk '{print $1",\\"}'
2. Insert the output list into “/etc/tomcat/catalina.properties” at the tail of “tomcat.util.scan.StandardJarScanFilter.jarsToSkip”
3. Restart Tomcat 8:
• service tomcat restart
10 Configure IdP Shibboleth
1) Become ROOT:
• sudo su -
2) The IdP installation is finished, test it!
Add to the /etc/hosts file the line:
127.0.1.1 idp.example.garr.it idp
Open a terminal and run these commands:
• cd /opt/shibboleth-idp/bin
• ./status.sh
You should see some information about the installed IdP.
3) Install a MySQL database and import the libraries used by Tomcat and Shibboleth:
• dnf install mariadb-server mysql-connector-java
• cp /usr/share/java/mysql-connector-java.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
• cp /usr/share/java/mysql-connector-java.jar /usr/share/tomcat/lib/
• cp /usr/share/tomcat/lib/tomcat-jdbc.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
4) Install the Tomcat Common Pool libraries used for the generation of the saml-id:
• cd /usr/local/src/
• wget https://www.apache.org/dist/commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
• tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
• cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
5) Rebuild the idp.war of Shibboleth with the new libraries:
• export JAVA_HOME="/usr/lib/jvm/jre"
• cd /opt/shibboleth-idp/ ; ./bin/build.sh
6) Configure the MySQL service:
• service mariadb start
• mysql_secure_installation
(and follow the steps by answering Yes (Y) to all questions)
7) Create the table “shibpid” to manage the persistent-id (ex eduPersonTargetedID) as StoredID and the table “StorageRecords” to manage the attribute release consent of the users:
• mysql -u root -p
• mysql> SET NAMES 'utf8';
• mysql> SET CHARACTER SET utf8;
• mysql> CHARSET utf8;
• mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
• mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
• mysql> USE shibboleth;
• mysql> CREATE TABLE shibpid
-> (
-> localEntity VARCHAR(255) NOT NULL,
-> peerEntity VARCHAR(255) NOT NULL,
-> persistentId VARCHAR(50) NOT NULL,
-> principalName VARCHAR(50) NOT NULL,
-> localId VARCHAR(50) NOT NULL,
-> peerProvidedId VARCHAR(50) NULL,
-> creationDate TIMESTAMP NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
-> deactivationDate TIMESTAMP NULL default NULL,
-> PRIMARY KEY (localEntity, peerEntity, persistentId)
-> );
• mysql> CREATE TABLE StorageRecords
-> (
-> context VARCHAR(255) NOT NULL,
-> id VARCHAR(255) NOT NULL,
-> expires BIGINT(20) DEFAULT NULL,
-> value LONGTEXT NOT NULL,
-> version BIGINT(20) NOT NULL,
-> PRIMARY KEY (context, id)
-> );
• mysql> quit;
8) Create the user “idem” with the password “demo” that can be used to manage the “shibboleth” DB:
(change at least the password “demo” when you create your user)
• mysql -u root -p
• mysql> USE mysql;
• mysql> CREATE USER idem;
• mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost' IDENTIFIED BY 'demo';
• mysql> FLUSH PRIVILEGES;
• mysql> quit;
9) Restart the MySQL server:
• service mariadb restart
10) Enable the SAML2 Persistent Identifiers by removing the comment from the “shibboleth.SAML2PersistentGenerator” <ref> bean in saml-nameid.xml:
• vim /opt/shibboleth-idp/conf/saml-nameid.xml
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
<ref bean="shibboleth.SAML2TransientGenerator" />
<!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
<ref bean="shibboleth.SAML2PersistentGenerator" />
<!--
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
</util:list>
11) Enable the JPAStorageService as StorageService and MyDataSource for storing the persistent identifiers of the users:
• vim /opt/shibboleth-idp/conf/global.xml
(add the following code, with the right parameters for the database “shibboleth”, at the tail before the last </beans>)
<bean id="shibboleth.JPAStorageService"
class="org.opensaml.storage.impl.JPAStorageService"
p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>
<bean id="shibboleth.JPAStorageService.entityManagerFactory"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="packagesToScan" value="org.opensaml.storage.impl"/>
<property name="dataSource" ref="MyDataSource"/>
<property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
<property name="jpaDialect">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
</property>
</bean>
<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="database" value="MYSQL" />
</bean>
<!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
<bean id="MyDataSource" class="org.apache.commons.dbcp.BasicDataSource"
p:driverClassName="com.mysql.jdbc.Driver"
p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
p:username="idem"
p:password="demo"
p:maxActive="10"
p:maxIdle="5"
p:maxWait="15000"
p:testOnBorrow="true"
p:validationQuery="select 1"
p:validationQueryTimeout="5" />
• Change the IdP properties accordingly:
◦ vim /opt/shibboleth-idp/conf/idp.properties
idp.session.StorageService = shibboleth.JPAStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
12) Enable the SAML2 support by changing idp-metadata.xml and disable the deprecated SAML v1.x support:
• vim /opt/shibboleth-idp/metadata/idp-metadata.xml
<IDPSSODescriptor> SECTION:
– From the list "protocolSupportEnumeration" remove:
– urn:oasis:names:tc:SAML:1.1:protocol
– urn:mace:shibboleth:1.0
– Remove the endpoint:
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" …/>
(and modify the index value of the next one to “1”)
– Remove the endpoint:
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
– Add under the endpoint:
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
the new endpoint:
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
(because the IdP installed with this guide releases persistent SAML NameIDs)
– Remove the endpoint:
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" …/>
– Remove all ":8443" from the existing URLs (that port is not used anymore)
<AttributeAuthorityDescriptor> SECTION:
– In the list "protocolSupportEnumeration" replace the value:
"urn:oasis:names:tc:SAML:1.1:protocol"
with
"urn:oasis:names:tc:SAML:2.0:protocol"
– Remove the comment from:
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" .../>
– Remove the endpoint:
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" .../>
– Remove the endpoint:
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
– Remove all ":8443" from the existing URLs (that port is not used anymore)
13) Configure the IdP to retrieve the IDEM Test Federation metadata:
• cd /opt/shibboleth-idp/conf
• vim metadata-providers.xml
<MetadataProvider
id="URLMD-IDEM-Federation"
xsi:type="FileBackedHTTPMetadataProvider"
minRefreshDelay="PT5M"
maxRefreshDelay="PT1H"
refreshDelayFactor="0.75"
backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">
<!-- Verify the signature on the root element of the metadata aggregate
using a trusted metadata signing certificate. -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>
<!-- Require a validUntil XML attribute on the root element and
make sure its value is no more than 5 days into the future. -->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P5D"/>
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
• Download the certificate that signs the IDEM metadata:
◦ wget https://idem.garr.it/documenti/doc_download/321-idem-metadatasigner-2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
• Verify its validity:
◦ cd /opt/shibboleth-idp/metadata
◦ openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
must give
sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
◦ openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout
must give
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE
14) Configure the authentication against the OpenLDAP server:
• vim /opt/shibboleth-idp/conf/ldap.properties
(with the *TLS solutions, remember to put the LDAP certificate into /opt/shibboleth-idp/credentials and to give the right privileges to the tomcat user: 'chown tomcat ldap-server.crt')
◦ Solution 1: LDAP with STARTTLS:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 2: LDAP with TLS/SSL:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 3: LDAP plain:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
If you decide to use solution 3, you have to remove the following code from your “attribute-resolver-full.xml”:
</dc:FilterTemplate>
<!--
<dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
<sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
</dc:StartTLSTrustCredential>
-->
</resolver:DataConnector>
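The three solutions differ only in a handful of keys, and a mismatch between the ldapURL scheme and the useStartTLS/useSSL flags is easy to leave behind when switching from one to another. The script below is an added example, not part of this HOWTO: it parses an ldap.properties fragment, classifies the transport as STARTTLS, LDAPS or plain, and reports the things a reviewer would not let through, namely plain LDAP (the bind credential and every user password cross the network unencrypted), an inconsistent URL/flag combination, TLS without a trust certificate, and a bindDNCredential still holding the ### placeholder. The three property sets are constructed to mirror Solutions 1 to 3; the bind password in the first two is a constructed value.

```python
"""Classify the LDAP transport configured in ldap.properties and list
review findings. Added example, not part of the HOWTO; the property sets
below are constructed to mirror Solutions 1-3 of step 14."""

SOLUTION_1 = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = constructed-bind-password
"""

SOLUTION_2 = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = constructed-bind-password
"""

# Plain LDAP with the placeholder credential left in place.
SOLUTION_3 = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ldap_transport(props):
    """Return 'starttls', 'ldaps', 'plain' or 'inconsistent'."""
    url = props.get("idp.authn.LDAP.ldapURL", "").lower()
    starttls = props.get("idp.authn.LDAP.useStartTLS", "false").lower() == "true"
    ssl = props.get("idp.authn.LDAP.useSSL", "false").lower() == "true"
    if ssl and not starttls and url.startswith("ldaps://"):
        return "ldaps"
    if starttls and not ssl and url.startswith("ldap://"):
        return "starttls"
    if not starttls and not ssl and url.startswith("ldap://"):
        return "plain"
    return "inconsistent"


def audit_ldap_properties(text):
    """Return (transport, findings); an empty findings list is a pass."""
    props = parse_properties(text)
    transport = ldap_transport(props)
    findings = []
    if transport == "plain":
        findings.append("plain LDAP: bind credential and user passwords "
                        "cross the network unencrypted")
    elif transport == "inconsistent":
        findings.append("ldapURL scheme does not match useStartTLS/useSSL")
    elif not props.get("idp.authn.LDAP.trustCertificates"):
        findings.append("TLS enabled but no trustCertificates configured")
    cred = props.get("idp.authn.LDAP.bindDNCredential", "")
    if not cred or cred.startswith("###"):
        findings.append("bindDNCredential is empty or still the placeholder")
    return transport, findings


if __name__ == "__main__":
    for name, text in (("Solution 1", SOLUTION_1), ("Solution 2", SOLUTION_2),
                       ("Solution 3", SOLUTION_3)):
        print(name, audit_ldap_properties(text))
```

Running it against the real /opt/shibboleth-idp/conf/ldap.properties (read the file and pass its contents to audit_ldap_properties) gives a quick pre-deployment check that the chosen solution is internally consistent.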
UTILITY FOR THE OPENLDAP ADMINISTRATOR:
◦ ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
▪ baseDN ==> ou=people,dc=example,dc=garr,dc=it (branch containing the registered users)
▪ bindDN ==> cn=admin,dc=example,dc=garr,dc=it (distinguished name of the user that can make queries on the LDAP)
• Enrich idp-process.log with the authentication errors produced on the LDAP:
◦ vim /opt/shibboleth-idp/conf/logback.xml
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
<!-- Logs on LDAP user authentication -->
<logger name="org.ldaptive.auth.Authenticator" level="INFO" />
• Download the “attribute-resolver-v3-idem.xml” from IDEM GARR AAI:
◦ cd /opt/shibboleth-idp/conf
◦ wget http://www.garr.it/idem-conf/attribute-resolver-v3-idem.xml
• Replace the default attribute-resolver.xml with the federation one:
◦ vim /opt/shibboleth-idp/conf/services.xml
<util:list id="shibboleth.AttributeResolverResources">
<value>%{idp.home}/conf/attribute-resolver-v3-idem.xml</value>
</util:list>
• Enable the new Attribute-Resolver on the IdP:
◦ vim /opt/shibboleth-idp/conf/services.xml
<value>%{idp.home}/conf/attribute-resolver.xml</value>
must become:
<value>%{idp.home}/conf/attribute-resolver-v3-idem.xml</value>
• Support the Default ARP for the IDEM Federation:
◦ Download the Default ARP “attribute-filter-v3-idem.xml” to release the mandatory attributes and to use the essential resources of IDEM:
▪ cd /opt/shibboleth-idp/conf
▪ wget http://www.garr.it/idem-conf/attribute-filter-v3-idem.xml
◦ Add the Default ARP for the IDEM federation to those considered by the IdP:
▪ vim /opt/shibboleth-idp/conf/services.xml
<util:list id="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
• Enable the generation of the persistent-id:
◦ vim /opt/shibboleth-idp/conf/saml-nameid.properties
(the sourceAttribute MUST BE an attribute, or a comma-separated list of attributes, that univocally identifies the user. Its value MUST BE STABLE, PERMANENT and NOT REASSIGNABLE.)
idp.persistentId.sourceAttribute = uid
…
idp.persistentId.algorithm = SHA
idp.persistentId.salt = ### output of ‘openssl rand -base64 36’ ###
…
idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = MyDataSource
…
idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
▪ Change the subject-c14n for the management of the SAML2 PersistentID:
• vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
◦ Remove the comment from the bean “c14n/SAML2Persistent”
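The requirement that the source attribute be stable, permanent and not reassignable, and that the salt never change, follows directly from how the computed identifier is derived. The block below is an added example, not code from the Shibboleth project: it reproduces the computed persistent-id derivation as "<SP entityID>!<source attribute value>!<salt>" hashed with the configured algorithm ("SHA", i.e. SHA-1) and base64-encoded, which is the documented ComputedId scheme and is taken here as an assumption. The salt, the SP entityIDs and the user id are constructed. The example shows that the same input always gives the same identifier, that each SP receives a different one, and that changing the salt (or, by the same token, the attribute value) silently gives every user a new identity at every SP.

```python
"""Computed persistent-id derivation, to show why idp.persistentId.salt
and the source attribute value must stay fixed. Added example, not code
from the Shibboleth project; the input layout is assumed from the
documented ComputedId scheme. All sample values are constructed."""
import base64
import hashlib


def computed_persistent_id(relying_party_id, source_value, salt,
                           algorithm="sha1"):
    """Base64 of HASH(relyingPartyId + "!" + sourceValue + "!" + salt)."""
    h = hashlib.new(algorithm)
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


# Constructed salt; in production use the output of 'openssl rand -base64 36'
# and keep it unchanged for the lifetime of the IdP.
SALT = "constructed-salt-replace-with-openssl-rand-base64-36"
SP_ONE = "https://sp-test.garr.it/shibboleth"    # constructed SP entityIDs
SP_TWO = "https://sp24-test.garr.it/shibboleth"


def identifier_properties(user="jdoe"):
    """Check the properties the guide relies on for one constructed user."""
    first = computed_persistent_id(SP_ONE, user, SALT)
    return {
        # same SP, same user, same salt: the SP sees the same identity again
        "stable": first == computed_persistent_id(SP_ONE, user, SALT),
        # a different SP gets an unlinkable identifier for the same user
        "pairwise": first != computed_persistent_id(SP_TWO, user, SALT),
        # a new salt or a reassigned uid changes the identity everywhere
        "salt_bound": first != computed_persistent_id(SP_ONE, user, SALT + "x"),
        "attribute_bound": first != computed_persistent_id(SP_ONE, user + "2", SALT),
        "length": len(first),
    }


if __name__ == "__main__":
    print(computed_persistent_id(SP_ONE, "jdoe", SALT))
    print(identifier_properties())
```

With the StoredPersistentIdGenerator configured above, the computed value is used only the first time a user reaches a given SP and is then persisted in the shibpid table, so a salt change affects new users and new SP pairings while stored rows keep the old value; restoring the salt from backup after a rebuild is therefore as important as restoring the database.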
▪ Change the Default RelyingParty to be able to release the persistent-id to all SPs without limitation:
• vim /opt/shibboleth-idp/conf/relying-party.xml
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
<bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
p:nameIDFormatPrecedence="#{{ 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent','urn:oasis:names:tc:SAML:2.0:nameid-format:transient' }}" />
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<ref bean="SAML2.AttributeQuery" />
<ref bean="SAML2.ArtifactResolution" />
<ref bean="Liberty.SSOS" />
</list>
</property>
</bean>
15) Translate the Login, Consent and Terms of Use pages into your preferred language:
• Open the page containing the translated files
• Retrieve the 3 files for your language and put them into /opt/shibboleth-idp/messages
• Restart Tomcat 8:
◦ service tomcat restart
16) Register the IdP metadata provided by this URL:
“https://##idp.example.garr.it##/idp/shibboleth”
into the IDEM Entity Registry: https://registry.idem.garr.it/rr3
(contact [email protected] if you have problems) and wait for the metadata propagation.
17) Verify that the Login Page appears when you try to access a Test Service Provider
https://sp-test.garr.it/secure or https://sp24-test.garr.it/secure
provided by [email protected].
11 Appendix A: Attribute Filter R&S Entity Category compliant
1. Download the file “attribute-filter-v3-rs.xml” provided by IDEM:
• cd /opt/shibboleth-idp/conf
• wget http://www.garr.it/idem-conf/attribute-filter-v3-rs.xml
2. Add the federation attribute-filter for R&S to those that are considered by the IdP:
• vim /opt/shibboleth-idp/conf/services.xml
<util:list id="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
3. Update the IdP attribute filter with:
• cd /opt/shibboleth-idp/bin
• ./reload-service.sh -id shibboleth.AttributeFilterService
12 Appendix B: Attribute Filter CoCo Entity Category compliant
1. Download the file “attribute-filter-v3-coco.xml” provided by IDEM:
• cd /opt/shibboleth-idp/conf
• wget http://www.garr.it/idem-conf/attribute-filter-v3-coco.xml
2. Add the federation attribute-filter for CoCo to those that are considered by the IdP:
• vim /opt/shibboleth-idp/conf/services.xml
<util:list id="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
3. Update the IdP attribute filter with:
• cd /opt/shibboleth-idp/bin
• ./reload-service.sh -id shibboleth.AttributeFilterService
13 Appendix C: Attribute Filter IDEM required
1. Download the file “attribute-filter-v3-required.xml” provided by IDEM:
• cd /opt/shibboleth-idp/conf
• wget http://www.garr.it/idem-conf/attribute-filter-v3-required.xml
2. Add the federation attribute-filter for IDEM resources to those considered by the IdP:
• vim /opt/shibboleth-idp/conf/services.xml
<util:list id="shibboleth.AttributeFilterResources">
  <value>%{idp.home}/conf/attribute-filter-v3-required.xml</value>
  <value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
  <value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
  <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
  <value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
3. Update the IdP attribute filter with:
• cd /opt/shibboleth-idp/bin
• ./reload-service.sh -id shibboleth.AttributeFilterService
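A preflight check for the services.xml edit made in Appendices A, B and C, added here as an example (it is not part of the HOWTO or of the Shibboleth distribution): it lists the resources under shibboleth.AttributeFilterResources and reports any file that does not exist before the reload is attempted. IDP_HOME and the sample tree are assumptions.

```shell
# Added preflight check for Appendices A-C (not part of the HOWTO): before running
# reload-service.sh, confirm that every resource listed under
# shibboleth.AttributeFilterResources in services.xml exists, so a typo in a <value>
# does not leave the IdP with a failed filter reload. IDP_HOME is an assumption.
IDP_HOME="${IDP_HOME:-/opt/shibboleth-idp}"

# Print the <value> entries of the shibboleth.AttributeFilterResources list,
# one per line, with %{idp.home} expanded. $1 = path to services.xml.
attribute_filter_resources() {
    awk '
        /id *= *"shibboleth\.AttributeFilterResources"/ { in_list = 1 }
        in_list && /<value>/ { sub(/.*<value>/, ""); sub(/<\/value>.*/, ""); print }
        in_list && /<\/util:list>/ { in_list = 0 }
    ' "$1" | sed "s#%{idp.home}#$IDP_HOME#g"
}

# 0 when every listed file is readable, 1 otherwise (each missing file is reported).
check_attribute_filter_resources() {
    status=0
    for f in $(attribute_filter_resources "$1"); do
        [ -r "$f" ] || { echo "missing attribute filter resource: $f" >&2; status=1; }
    done
    return $status
}

# Constructed sample tree: a services.xml fragment in the HOWTO's own form, with
# attribute-filter-v3-idem.xml deliberately absent so the check reports it.
SAMPLE_DIR=$(mktemp -d)
IDP_HOME="$SAMPLE_DIR"
mkdir -p "$SAMPLE_DIR/conf"
touch "$SAMPLE_DIR/conf/attribute-filter-v3-rs.xml" "$SAMPLE_DIR/conf/attribute-filter.xml"
cat > "$SAMPLE_DIR/conf/services.xml" <<'EOF'
<util:list id ="shibboleth.AttributeFilterResources">
<value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
<value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
<value>%{idp.home}/conf/attribute-filter.xml</value>
</util:list>
EOF
```

Run `check_attribute_filter_resources "$IDP_HOME/conf/services.xml"` against the real file before step 3; it exits non-zero and names each missing filter file.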
14 Appendix D: Import metadata from previous IDP v2.x
You have to retrieve these files from the previous IdP:
• idp-metadata.xml (inside /opt/shibboleth-idp/metadata)
• idp.crt
• idp.key
Assuming those files have been placed in the directory “/tmp”, follow these steps:
• sudo su -
• mv /tmp/idp-metadata.xml /opt/shibboleth-idp/metadata
• cd /opt/shibboleth-idp/credentials/
• rm idp-encryption.crt idp-backchannel.crt idp-encryption.key idp-signing.crt idp-signing.key
• ln -s idp.crt idp-encryption.crt
• ln -s idp.key idp-encryption.key
• ln -s idp.key idp-signing.key
• ln -s idp.crt idp-signing.crt
• ln -s idp.crt idp-backchannel.crt
• openssl pkcs12 -export -in idp-encryption.crt -inkey idp-encryption.key -out idp-backchannel.p12 -password pass:#YOUR.BACKCHANNEL.CERT.PASSWORD#
The entityID used in the “old” IdP metadata MUST BE EQUAL to the one inserted in the “new” IdP metadata (idp-metadata.xml). Verify this line:
# Set the entityID of the IdP
idp.entityID= https://...
inside the file /opt/shibboleth-idp/conf/idp.properties
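The two things that silently break after this import are a credential symlink whose target was never copied into the credentials directory and an entityID that differs between the old metadata and idp.properties; the script below, added as an example and not part of the HOWTO, checks both. The sample files, the placeholder entityIDs and the paths are assumptions.

```shell
# Added checks for Appendix D (not part of the HOWTO): after moving the old
# metadata and linking the old key pair, confirm that (a) every credential
# symlink resolves to a readable file and (b) the entityID in idp-metadata.xml
# equals idp.entityID in idp.properties. All paths are assumptions.

# Print entityID="..." from the EntityDescriptor of a metadata file ($1).
metadata_entityid() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the idp.entityID value from idp.properties ($1); spaces around '=' allowed.
properties_entityid() {
    sed -n 's/^[[:space:]]*idp\.entityID[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# 0 when metadata ($1) and properties ($2) carry the same non-empty entityID.
check_entityid() {
    meta_id=$(metadata_entityid "$1"); prop_id=$(properties_entityid "$2")
    if [ -z "$meta_id" ] || [ "$meta_id" != "$prop_id" ]; then
        echo "entityID mismatch: metadata='$meta_id' properties='$prop_id'" >&2
        return 1
    fi
}

# 0 when every credential file in directory $1 is readable; a symlink whose
# target (idp.crt / idp.key) was never copied into the directory fails here.
check_credential_links() {
    status=0
    for f in idp-signing.crt idp-signing.key idp-encryption.crt \
             idp-encryption.key idp-backchannel.crt; do
        [ -r "$1/$f" ] || { echo "unreadable credential: $1/$f" >&2; status=1; }
    done
    return $status
}

# Constructed sample tree with placeholder values (not real IdP data).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/credentials"
cat > "$SAMPLE_DIR/idp-metadata.xml" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.garr.it/idp/shibboleth">
</EntityDescriptor>
EOF
printf 'idp.entityID= https://idp.example.garr.it/idp/shibboleth\n' > "$SAMPLE_DIR/idp.properties"
printf 'idp.entityID=https://old.example.garr.it/idp/shibboleth\n' > "$SAMPLE_DIR/idp-old.properties"
# Links made as in the HOWTO, but idp.crt/idp.key are not yet present: dangling.
( cd "$SAMPLE_DIR/credentials" && ln -s idp.crt idp-signing.crt && ln -s idp.key idp-signing.key \
  && ln -s idp.crt idp-encryption.crt && ln -s idp.key idp-encryption.key \
  && ln -s idp.crt idp-backchannel.crt )
```

On a real installation call `check_credential_links /opt/shibboleth-idp/credentials` and `check_entityid /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/conf/idp.properties` before restarting Tomcat.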
15 Appendix E: Import persistent-id from a previous database
1. Create one DUMP of the “shibpid” table from the previous DB “userdb” and also one of the “shibpid” table from the new DB “shibboleth”:
• cd /tmp
• mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
• mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
2. Import the previous values into the new DB “shibboleth”, paying attention to the order of the fields of the old table “userdb.shibpid”. Before doing the import they have to be in the same order as the fields of the new “shibboleth.shibpid”. THEY MUST BE IN THE SAME ORDER because, if they are not aligned, the import will fail to populate the new DB “shibboleth”.
To make this process easier, follow these steps with “userdb_shibpid.sql”:
a) Modify the name of the DB found in the DUMP to “shibboleth”.
b) From the DUMP “shibboleth_shibpid.sql” copy the part “Table structure for table `shibpid`” and insert it into “userdb_shibpid.sql” under the one already present.
c) Modify the order of the fields in the pasted “shibboleth.shibpid” block so that it is the same as that found in the “shibpid” table of the old “userdb”.
d) Delete the “Table structure for table `shibpid`” section of “userdb”.
e) Save and import the values into the new DB “shibboleth”:
▪ mysql -u root -p shibboleth < userdb_shibpid.sql
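The field-order problem in step 2 disappears when the copy names its columns on both sides; the following script, added as an example and not part of the HOWTO, loads the old dump into a staging database and copies the rows with an explicit column list. The column names are the documented IdP v3 shibpid columns; that the v2 table uses the same names in a different order is an assumption, as is the staging database name userdb_old.

```shell
# Added alternative for Appendix E step 2 (not part of the HOWTO): copy the old
# persistent IDs with an explicit column list instead of hand-editing the dump,
# so the physical column order of the two tables no longer matters. Column names
# are the documented IdP v3 shibpid columns; that the v2 table uses the same names
# (only in a different order) is an assumption to verify with DESCRIBE shibpid.
SHIBPID_COLUMNS="localEntity peerEntity persistentId principalName localId peerProvidedId creationDate deactivationDate"

# Turn the space-separated column list into "a, b, c" for use in SQL.
column_list() {
    echo "$1" | sed 's/ \{1,\}/, /g'
}

# Build the INSERT ... SELECT that copies rows from the old table into the new one.
# $1 = new database (shibboleth), $2 = staging database holding the old dump.
build_import_sql() {
    cols=$(column_list "$SHIBPID_COLUMNS")
    printf 'INSERT INTO %s.shibpid (%s)\n  SELECT %s FROM %s.shibpid;\n' "$1" "$cols" "$cols" "$2"
}

# Full procedure, kept in a function so nothing touches MySQL when the file is
# sourced: load the old dump into a staging database, then copy by column name.
import_persistent_ids() {
    mysql -u root -p -e 'CREATE DATABASE IF NOT EXISTS userdb_old'
    mysql -u root -p userdb_old < /tmp/userdb_shibpid.sql
    build_import_sql shibboleth userdb_old | mysql -u root -p shibboleth
}
```

Inspect `build_import_sql shibboleth userdb_old` first; if DESCRIBE shows different column names in the old table, edit SHIBPID_COLUMNS only after mapping them, since MySQL will otherwise reject the statement rather than misalign the data.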