HOWTO Installation Shibboleth Identity Provider v3.2.1 on Linux Fedora 24 Server Edition

15 September 2016
Authors: Alessandro Enea, Marco Malavolti
Credits: Switch AAI, Shibboleth

Contents

1) Introduction
2) Hardware requirements
3) Software to install
4) Requesting the HTTPS server certificate for the IdP
5) Installing the required packages
6) Configuring SSL on Apache2 (Tomcat 8 front-end)
7) Installing Shibboleth Identity Provider 3.2.1
8) Configuring Tomcat 8
9) Speeding up Tomcat 8 startup
10) Configuring the Shibboleth IdP
11) Appendix A: Attribute Filter compliant with the R&S Entity Category
12) Appendix B: Attribute Filter compliant with the CoCo Entity Category
13) Appendix C: Attribute Filter for the IDEM required attributes
14) Appendix D: Importing the metadata from a previous IdP v2.x
15) Appendix E: Importing the persistent-ids from a previous database

1 Introduction

This document guides the user through the installation of a Shibboleth IdP v3.2.1 with Apache 2.4 (as front-end) and Tomcat 8 on a Linux Fedora 24 Server Edition distribution.

2 Hardware requirements

• 2 CPU
• 4 GB RAM
• 20 GB disk

3 Software to install

• ca-certificates
• ntp
• java-1.8.0-openjdk
• tomcat
• httpd
• expat
• vim-enhanced
• Shibboleth IdP (http://www.shibboleth.net/downloads/identity-provider/latest/)

4 Requesting the HTTPS server certificate for the IdP

1) In line with the technical specifications of the IDEM Federation, a certificate issued by a recognised CA must be installed on port 443. Within the GARR community the server certificate issuing service called TCS (TERENA Certificate Service) is available. TCS certificates are issued by a commercial CA, specifically DigiCert CA.
   • The list of organisations where the TCS service is already active is available at https://ca.garr.it/TCS/tab.php
   • If the service is not yet active at your organisation, you can contact the GARR Certification Service to start the activation procedure (e-mail to [email protected])
2) To generate a certificate request, follow the instructions in the TCS documentation pages (https://ca.garr.it/TCS/doc_server.php)
3) Certificate requests must be sent to the TCS contacts in your organisation (called TCS Administrative Contacts).
   To find out the names of the Administrative Contacts appointed within your institution, send a request by e-mail to [email protected]
4) In this guide the /tmp folder is taken as the one holding the server certificate, the server key and the DigiCert CA certificate that issued them.

5 Installing the required packages

1. Install the standard packages:
   • dnf install vim-enhanced java-1.8.0-openjdk ca-certificates openssl tomcat httpd mod_ssl expat ntp
2. Disable SELinux:
   • vim /etc/selinux/config

     # This file controls the state of SELinux on the system.
     # SELINUX= can take one of these three values:
     #     enforcing - SELinux security policy is enforced.
     #     permissive - SELinux prints warnings instead of enforcing.
     #     disabled - No SELinux policy is loaded.
     SELINUX=disabled

   • sudo reboot
   • Check that the command "getenforce" returns "Disabled"
3. Configure the Tomcat 8 defaults:
   • update-alternatives --config java
   • update-alternatives --config javac
   • vim /etc/tomcat/tomcat.conf (copy the path without the /bin/java part)

     JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Djava.awt.headless=true -XX:+DisableExplicitGC -XX:+UseParallelOldGC -Xms256m -Xmx2g -Djava.security.egd=file:/dev/./urandom"

   (This configures the JVM memory to satisfy the IdP web application. The value depends on the physical memory of the server. Set Xmx (the maximum heap space available to the JVM) to at least 2 GB.)
4. Make sure the firewall(s) are configured so as not to block traffic on port 443 (otherwise your IdP will not be reachable)
5. Move the certificate and key for the HTTPS server from /tmp/ to /root/certificates:
   • mkdir /root/certificates
   • mv /tmp/idp-cert-server.crt /root/certificates
   • mv /tmp/idp-key-server.key /root/certificates
   • mv /tmp/DigiCertCA.crt /root/certificates
   • chmod 400 /root/certificates/idp-key-server.key
   • chmod 644 /root/certificates/idp-cert-server.crt
   • chmod 644 /root/certificates/DigiCertCA.crt
   • (OPTIONAL) Generate a self-signed certificate and key if you do not yet have the official, valid ones from DigiCert CA:

     openssl req -x509 -newkey rsa:4096 -keyout /root/certificates/idp-key-server.key -out /root/certificates/idp-cert-server.crt -nodes -days 3650

6 Configuring SSL on Apache2 (Tomcat 8 front-end)

1. Edit the file /etc/httpd/conf.d/ssl.conf as follows:

     <VirtualHost _default_:443>
       ServerName idp.example.garr.it:443
       ServerAdmin [email protected]
       DocumentRoot /var/www/html
       ...
       SSLEngine On
       SSLProtocol all -SSLv2 -SSLv3 -TLSv1
       SSLCipherSuite "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:kEDH+AESGCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA256:AES256-GCM-SHA384:!3DES:!DES:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA:!EDE3:!EDH-DSS-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXPORT:!MD5:!PSK:!RC4-SHA:!aNULL:!eNULL"
       SSLHonorCipherOrder on

       # Disable SSL Compression
       SSLCompression Off

       # Enable HTTP Strict Transport Security with a 2 year duration
       Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
       ...
       SSLCertificateFile /root/certificates/idp-cert-server.crt
       SSLCertificateKeyFile /root/certificates/idp-key-server.key
       SSLCertificateChainFile /root/certificates/DigiCertCA.crt
       ...
     </VirtualHost>

2. Restart Apache2 to apply the changes:
   • service httpd restart
3. Configure Apache2 so that port 80 is open only for localhost:
   • vim /etc/httpd/conf/httpd.conf

     # If you just change the port or add more ports here, you will likely also
     # have to change the VirtualHost statement in
     # /etc/apache2/sites-enabled/000-default.conf
     #Listen 12.34.56.78:80
     Listen 127.0.0.1:80

     <IfModule ssl_module>
       Listen 443
     </IfModule>

     <IfModule mod_gnutls.c>
       Listen 443
     </IfModule>

4. Check the security grade obtained by your machine at:
   • https://www.ssllabs.com/ssltest/analyze.html

7 Installing Shibboleth Identity Provider 3.2.1

1) Acquire ROOT privileges:
   • sudo su -
2) Move to the /usr/local/src folder:
   • cd /usr/local/src
3) Download Shibboleth IdP 3.2.1:
   • wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
   • tar -xzvf shibboleth-identity-provider-3.2.1.tar.gz
   • cd shibboleth-identity-provider-3.2.1
4) Install the IdP v3.x.y through its install.sh:
   • export JAVA_HOME="/usr/lib/jvm/jre"
   • ./bin/install.sh

     root@idp:/usr/local/src/shibboleth-identity-provider-3.2.1# ./bin/install.sh
     Source (Distribution) Directory: [/usr/local/src/shibboleth-identity-provider-3.2.1]
     Installation Directory: [/opt/shibboleth-idp]
     Hostname: [localhost.localdomain] idp.example.garr.it
     SAML EntityID: [https://idp.example.garr.it/idp/shibboleth]
     Attribute Scope: [localdomain] example.garr.it
     Backchannel PKCS12 Password: ###PASSWORD-PER-BACKCHANNEL###
     Re-enter password: ###PASSWORD-PER-BACKCHANNEL###
     Cookie Encryption Key Password: ###PASSWORD-PER-COOKIE-ENCRYPTION###
     Re-enter password: ###PASSWORD-PER-COOKIE-ENCRYPTION###

   From this point on, the variable "idp.home" refers to the folder "/opt/shibboleth-idp".
5) Import the JSTL library needed to display the IdP "status" page:
   • cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
   • wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
   • cd /opt/shibboleth-idp/bin ; ./build.sh -Didp.target.dir=/opt/shibboleth-idp
6) Change the permissions so that the tomcat user can access the IdP directories:
   • chown -R tomcat /opt/shibboleth-idp/logs/
   • chown -R tomcat /opt/shibboleth-idp/metadata/
   • chown -R tomcat /opt/shibboleth-idp/credentials/
   • chown -R tomcat /opt/shibboleth-idp/conf/

8 Configuring Tomcat 8

1) Acquire ROOT privileges:
   • sudo su -
2) Edit "server.xml":
   • vim /etc/tomcat/server.xml
   Comment out the <Connector port="8080" ...> (HTTP) and change the 8009 Connector (AJP):

     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"/>

   • Check the integrity of the XML file just edited with:
     ◦ xmlwf -e UTF-8 /etc/tomcat/server.xml
3) Tell Tomcat 8 where the IdP WAR file is (located in /opt/shibboleth-idp/war/idp.war) through a context deployment fragment:
   The usual procedure for deploying web applications in Tomcat is to copy the WAR file into Tomcat's webapps/ folder. However, when this is done Tomcat expands the WAR file (producing the idp/ directory in webapps/ without deleting the WAR file) and loads the new version of the application into "$CATALINA_HOME/work/Catalina/localhost/". This can cause a previous version of the WAR to be used even when a new version is copied into the right place (webapps/).
   To avoid this inconvenience, it is recommended to use a context deployment fragment. This means using a small piece of XML to tell Tomcat where to pick up the WAR and to supply a few properties to use when Tomcat loads the application.
4) Create and edit the file "idp.xml":
   • vim /etc/tomcat/Catalina/localhost/idp.xml
   and paste into it the following piece of code:

     <Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false" swallowOutput="true"/>

5) Create the Apache2 configuration file for the IdP:
   • vim /etc/httpd/conf.d/idp.conf

     <Proxy ajp://localhost:8009>
       Require all granted
     </Proxy>

     ProxyPass /idp ajp://localhost:8009/idp retry=5
     ProxyPassReverse /idp ajp://localhost:8009/idp retry=5

   • service httpd restart
6) Edit context.xml to prevent the "lack of persistence of the session objects" errors created by the IdP:
   • vim /etc/tomcat/context.xml
   and uncomment:

     <Manager pathname="" />

7) Start the Tomcat 8 servlet container:
   • service tomcat start
8) Check that the IdP works:
   • https://idp.example.garr.it/idp/shibboleth (it should display its metadata)

9 Speeding up Tomcat 8 startup

1. Find the JARs that do not need to be scanned with:
   • cd /opt/shibboleth-idp/
   • ls webapp/WEB-INF/lib | awk '{print $1",\\"}'
2. Append the list output by the previous command to the "tomcat.util.scan.StandardJarScanFilter.jarsToSkip" entry in "/etc/tomcat/catalina.properties"
3. Restart the Tomcat 8 container to check the speed gained:
   • service tomcat restart

10 Configuring the Shibboleth IdP

1) Acquire ROOT privileges:
   • sudo su -
2) The IdP installation is complete, let's test it!
   Add the following line to /etc/hosts:

     127.0.1.1 idp.example.garr.it idp

   Open a terminal and run the following commands to check that it works:
   • cd /opt/shibboleth-idp/bin
   • ./status.sh
   You should receive information about the IdP ==> the IdP is working over HTTPS
3) Install a MySQL database and import the libraries needed by Tomcat and Shibboleth:
   • dnf install mariadb-server mysql-connector-java
   • cp /usr/share/java/mysql-connector-java.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
   • cp /usr/share/java/mysql-connector-java.jar /usr/share/tomcat/lib/
   • cp /usr/share/tomcat/lib/tomcat-jdbc.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
4) Install the Tomcat Commons Pool libraries used to generate the new saml-id:
   • cd /usr/local/src/
   • wget https://www.apache.org/dist/commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
   • tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
   • cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
5) Rebuild the Shibboleth idp.war with the new libraries:
   • export JAVA_HOME="/usr/lib/jvm/jre"
   • cd /opt/shibboleth-idp/ ; ./bin/build.sh
6) Configure the MySQL service:
   • service mariadb start
   • mysql_secure_installation (and follow the steps answering YES (Y) to all questions)
7) Create the "shibpid" table to manage the persistent-id (formerly eduPersonTargetedID) as a StoredID, and the "StorageRecords" table to manage the users' informed consent to the release of their attributes:
   • mysql -u root -p

     mysql> SET NAMES 'utf8';
     mysql> SET CHARACTER SET utf8;
     mysql> CHARSET utf8;
     mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
     mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
     mysql> USE shibboleth;
     mysql> CREATE TABLE shibpid
         -> (
         -> localEntity VARCHAR(255) NOT NULL,
         -> peerEntity VARCHAR(255) NOT NULL,
         -> persistentId VARCHAR(50) NOT NULL,
         -> principalName VARCHAR(50) NOT NULL,
         -> localId VARCHAR(50) NOT NULL,
         -> peerProvidedId VARCHAR(50) NULL,
         -> creationDate TIMESTAMP NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
         -> deactivationDate TIMESTAMP NULL default NULL,
         -> PRIMARY KEY (localEntity, peerEntity, persistentId)
         -> );
     mysql> CREATE TABLE StorageRecords
         -> (
         -> context VARCHAR(255) NOT NULL,
         -> id VARCHAR(255) NOT NULL,
         -> expires BIGINT(20) DEFAULT NULL,
         -> value LONGTEXT NOT NULL,
         -> version BIGINT(20) NOT NULL,
         -> PRIMARY KEY (context, id)
         -> );
     mysql> quit;

8) Create a user "idem" with password "demo" able to access and modify the "shibboleth" DB (both the user "idem" and the password "demo" are to be chosen by the installer):
   • mysql -u root -p

     mysql> USE mysql;
     mysql> CREATE USER idem;
     mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost' IDENTIFIED BY 'demo';
     mysql> FLUSH PRIVILEGES;
     mysql> quit;

9) Restart the mysql server:
   • service mariadb restart
10) Uncomment the SAML2 Persistent Identifier generator in saml-nameid.xml:
   • vim /opt/shibboleth-idp/conf/saml-nameid.xml

     <!-- SAML 2 NameID Generation -->
     <util:list id="shibboleth.SAML2NameIDGenerators">
         <ref bean="shibboleth.SAML2TransientGenerator" />

         <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
         <ref bean="shibboleth.SAML2PersistentGenerator" />

         <!--
         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             p:attributeSourceIds="#{ {'mail'} }" />
         -->
     </util:list>

11) Enable the JPAStorageService as StorageService and MyDataSource for storing the users' persistent identifiers (persistent-id):
   • vim /opt/shibboleth-idp/conf/global.xml
   (append at the end, before the closing </beans>, the following fragment, changing the username and password used to access the "shibboleth" DB as appropriate)

     <bean id="shibboleth.JPAStorageService"
           class="org.opensaml.storage.impl.JPAStorageService"
           p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
           c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>

     <bean id="shibboleth.JPAStorageService.entityManagerFactory"
           class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
         <property name="packagesToScan" value="org.opensaml.storage.impl"/>
         <property name="dataSource" ref="MyDataSource"/>
         <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
         <property name="jpaDialect">
             <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
         </property>
     </bean>

     <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
           class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
         <property name="database" value="MYSQL" />
     </bean>

     <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
     <bean id="MyDataSource"
           class="org.apache.commons.dbcp.BasicDataSource"
           p:driverClassName="com.mysql.jdbc.Driver"
           p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
           p:username="idem"
           p:password="demo"
           p:maxActive="10"
           p:maxIdle="5"
           p:maxWait="15000"
           p:testOnBorrow="true"
           p:validationQuery="select 1"
           p:validationQueryTimeout="5" />

   • Change the IdP properties accordingly:
     ◦ vim /opt/shibboleth-idp/conf/idp.properties

       idp.session.StorageService = shibboleth.JPAStorageService
       idp.consent.StorageService = shibboleth.JPAStorageService
       idp.replayCache.StorageService = shibboleth.JPAStorageService
       idp.artifact.StorageService = shibboleth.JPAStorageService

12) Fully enable SAML2 support in idp-metadata.xml and disable SAML v1.x support because it is deprecated:
   • vim /opt/shibboleth-idp/metadata/idp-metadata.xml
   SECTION <IDPSSODescriptor>:
   – From the "protocolSupportEnumeration" list remove:
     – urn:oasis:names:tc:SAML:1.1:protocol
     – urn:mace:shibboleth:1.0
   – Remove the endpoint:
     <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" …/>
     (and change the index of the following one to "1")
   – Remove the endpoint:
     <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
   – Below:
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
     add the line:
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
     (because the IdP installed with this guide releases persistent SAML NameIDs)
   – Remove the endpoint:
     <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" …/>
   – Remove all the ":8443" from the URLs present (that port is no longer used)
   SECTION <AttributeAuthorityDescriptor>:
   – In the "protocolSupportEnumeration" list replace the value "urn:oasis:names:tc:SAML:1.1:protocol" with "urn:oasis:names:tc:SAML:2.0:protocol"
   – Uncomment:
     <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" .../>
   – Remove the endpoint:
     <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" .../>
   – Remove the endpoint:
     <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
   – Remove all the ":8443" from the URLs present (that port is no longer used)
13) Configure the IdP to retrieve the metadata of the IDEM Test Federation:
   • cd /opt/shibboleth-idp/conf
   • vim metadata-providers.xml

     <MetadataProvider id="URLMD-IDEM-Federation"
                       xsi:type="FileBackedHTTPMetadataProvider"
                       minRefreshDelay="PT5M"
                       maxRefreshDelay="PT1H"
                       refreshDelayFactor="0.75"
                       backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
                       metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">

         <!--
         Verify the signature on the root element of the metadata aggregate
         using a trusted metadata signing certificate.
         -->
         <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                         certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>

         <!--
         Require a validUntil XML attribute on the root element and
         make sure its value is no more than 14 days into the future.
         -->
         <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

         <!-- Consume all SP metadata in the aggregate -->
         <MetadataFilter xsi:type="EntityRoleWhiteList">
             <RetainedRole>md:SPSSODescriptor</RetainedRole>
         </MetadataFilter>
     </MetadataProvider>

   • Download the metadata signing certificate:
     ◦ wget https://idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
   • Check its validity:
     ◦ cd /opt/shibboleth-idp/metadata
     ◦ openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
       must return sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
     ◦ openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout
       must return md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE
14) Configure authentication for your users with an openLDAP server:
   • vim /opt/shibboleth-idp/conf/ldap.properties
   (with the *TLS solutions remember to put the LDAP server certificate in /opt/shibboleth-idp/credentials and give it the right permissions: 'chown tomcat ldap-server.crt')
   ◦ Solution 1 - LDAP with STARTTLS:

       idp.authn.LDAP.authenticator = bindSearchAuthenticator
       idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
       idp.authn.LDAP.useStartTLS = true
       idp.authn.LDAP.useSSL = false
       idp.authn.LDAP.sslConfig = certificateTrust
       idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
       idp.authn.LDAP.userFilter = (uid={user})
       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
       idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###

   ◦ Solution 2 - LDAP with TLS/SSL:

       idp.authn.LDAP.authenticator = bindSearchAuthenticator
       idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
       idp.authn.LDAP.useStartTLS = false
       idp.authn.LDAP.useSSL = true
       idp.authn.LDAP.sslConfig = certificateTrust
       idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
       idp.authn.LDAP.userFilter = (uid={user})
       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
       idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###

   ◦ Solution 3 - LDAP in clear text:

       idp.authn.LDAP.authenticator = bindSearchAuthenticator
       idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
       idp.authn.LDAP.useStartTLS = false
       idp.authn.LDAP.useSSL = false
       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
       idp.authn.LDAP.userFilter = (uid={user})
       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
       idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###

   If you use Solution 3 "in clear text", remember to comment out the code that uses "trustCertificates" in attribute-resolver-full.xml:

       </dc:FilterTemplate>
       <!--
       <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
           <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
       </dc:StartTLSTrustCredential>
       -->
       </resolver:DataConnector>

   UTILITIES FOR OPENLDAP ADMINISTRATORS:
   ◦ ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
     ▪ the baseDN ==> ou=people,dc=example,dc=garr,dc=it (branch containing the registered users)
     ▪ the bindDN ==> cn=admin,dc=example,dc=garr,dc=it (branch of the user able to read and query the LDAP)
   • Enrich idp-process.log with the LDAP authentication errors:
     ◦ vim /opt/shibboleth-idp/conf/logback.xml

       <!-- Logs LDAP related messages -->
       <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>

       <!-- Logs on LDAP user authentication -->
       <logger name="org.ldaptive.auth.Authenticator" level="INFO" />

   • Download the file "attribute-resolver-v3-idem.xml" with the definitions of the various attributes:
     ◦ cd /opt/shibboleth-idp/conf
     ◦ wget http://www.garr.it/idem-conf/attribute-resolver-v3-idem.xml
   • Add the federation's attribute-resolver to those considered by the IdP:
     ◦ vim /opt/shibboleth-idp/conf/services.xml

       <util:list id ="shibboleth.AttributeResolverResources">
           <value>%{idp.home}/conf/attribute-resolver.xml</value>
           <value>%{idp.home}/conf/attribute-resolver-v3-idem.xml</value>
       </util:list>

   • Release the mandatory attributes established by the IDEM Federation:
     ◦ Download the default ARP "attribute-filter-v3-idem.xml" for the release of the mandatory attributes and the use of the basic IDEM resources:
       ▪ cd /opt/shibboleth-idp/conf
       ▪ wget http://www.garr.it/idem-conf/attribute-filter-v3-idem.xml
     ◦ Add the federation's "attribute-filter-v3-idem.xml" to those considered by the IdP:
       ▪ vim /opt/shibboleth-idp/conf/services.xml

         <util:list id ="shibboleth.AttributeFilterResources">
             <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
             <value>%{idp.home}/conf/attribute-filter.xml</value>
         </util:list>

   • Enable the new persistent-id generation method (replacement for the eduPersonTargetedID attribute):
     ◦ vim /opt/shibboleth-idp/conf/saml-nameid.properties
     (the sourceAttribute must be an attribute, or a comma-separated list of attributes, whose values uniquely identify the subject of the persistent identifier. It must be STABLE, PERMANENT and NON-REASSIGNABLE.)
       idp.persistentId.sourceAttribute = uid
       …
       idp.persistentId.algorithm = SHA
       idp.persistentId.salt = ### result of 'openssl rand -base64 36' ###
       …
       idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
       idp.persistentId.dataSource = MyDataSource
       …
       idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator

     ◦ Edit the subject-c14n to handle the SAML2 Persistent ID:
       ▪ vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
       ▪ Uncomment the bean "c14n/SAML2Persistent"
     ◦ Edit the Default RelyingParty so that the persistent-id is released to everyone by default:
       ▪ vim /opt/shibboleth-idp/conf/relying-party.xml

         <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
             <property name="profileConfigurations">
                 <list>
                     <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                     <ref bean="SAML1.AttributeQuery" />
                     <ref bean="SAML1.ArtifactResolution" />
                     <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
                           p:nameIDFormatPrecedence="#{{ 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent','urn:oasis:names:tc:SAML:2.0:nameid-format:transient' }}" />
                     <ref bean="SAML2.ECP" />
                     <ref bean="SAML2.Logout" />
                     <ref bean="SAML2.AttributeQuery" />
                     <ref bean="SAML2.ArtifactResolution" />
                     <ref bean="Liberty.SSOS" />
                 </list>
             </property>
         </bean>

15) Translate the Login page, the informed-consent page on the release of user attributes, the IdP Terms of Use page and the error pages into your preferred language:
   • Open the page containing the translated files: CLICK HERE
   • Fetch the 3 files for your language and put them in /opt/shibboleth-idp/messages
   • Restart Tomcat 8:
     ◦ service tomcat restart
16) Register the IdP metadata, obtainable from the URL "https://##idp.example.garr.it##/idp/shibboleth", in the IDEM Entity Registry: https://registry.idem.garr.it/rr3 (in case of problems contact [email protected])
17) Wait for the metadata to propagate (1 day).
18) Check that the Login page appears after accessing your IdP from the page of a test Service Provider, https://sp-test.garr.it/secure or https://sp24-test.garr.it/secure, sent by [email protected].

11 Appendix A: Attribute Filter compliant with the R&S Entity Category

1. Download the file "attribute-filter-v3-rs.xml" provided by IDEM:
   • cd /opt/shibboleth-idp/conf
   • wget http://www.garr.it/idem-conf/attribute-filter-v3-rs.xml
2. Add the federation's attribute-filter for R&S to those considered by the IdP:
   • vim /opt/shibboleth-idp/conf/services.xml

     <util:list id ="shibboleth.AttributeFilterResources">
         <value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
         <value>%{idp.home}/conf/attribute-filter.xml</value>
     </util:list>

3. Reload the IdP attribute filter with:
   • cd /opt/shibboleth-idp/bin
   • ./reload-service.sh -id shibboleth.AttributeFilterService

12 Appendix B: Attribute Filter compliant with the CoCo Entity Category

1. Download the file "attribute-filter-v3-coco.xml" provided by IDEM:
   • cd /opt/shibboleth-idp/conf
   • wget http://www.garr.it/idem-conf/attribute-filter-v3-coco.xml
2. Add the federation's attribute-filter for CoCo to those considered by the IdP:
   • vim /opt/shibboleth-idp/conf/services.xml

     <util:list id ="shibboleth.AttributeFilterResources">
         <value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
         <value>%{idp.home}/conf/attribute-filter.xml</value>
     </util:list>

3. Reload the IdP attribute filter with:
   • cd /opt/shibboleth-idp/bin
   • ./reload-service.sh -id shibboleth.AttributeFilterService

13 Appendix C: Attribute Filter for the IDEM required attributes

1. Download the file "attribute-filter-v3-required.xml" provided by IDEM:
   • cd /opt/shibboleth-idp/conf
   • wget http://www.garr.it/idem-conf/attribute-filter-v3-required.xml
2. Add the federation's attribute-filter for the federation resources to those considered by the IdP:
   • vim /opt/shibboleth-idp/conf/services.xml

     <util:list id ="shibboleth.AttributeFilterResources">
         <value>%{idp.home}/conf/attribute-filter-v3-required.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
         <value>%{idp.home}/conf/attribute-filter.xml</value>
     </util:list>

3. Reload the IdP attribute filter with:
   • cd /opt/shibboleth-idp/bin
   • ./reload-service.sh -id shibboleth.AttributeFilterService

14 Appendix D: Importing the metadata from a previous IdP v2.x

Below are the steps to follow to keep the metadata of the previous IdP already registered in IDEM.
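The front-end settings that sections 6 and 8 ask you to edit by hand (the ssl.conf TLS directives, the Listen lines and the AJP connector) can be audited rather than eyeballed. The script below is an added example, not part of this guide; the two ssl.conf fragments and the two server.xml fragments embedded in it are constructed from the guide's own snippets (one conformant, one weakened), and the checks cover only the directives the guide sets.

```python
"""Added audit for the settings hand-edited in sections 6 and 8 of the guide (not from the guide)."""
import re
import xml.etree.ElementTree as ET

# Protocols the guide disables with "SSLProtocol all -SSLv2 -SSLv3 -TLSv1"
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
# Exclusions present in the guide's SSLCipherSuite string; only these three are checked
REQUIRED_CIPHER_EXCLUSIONS = ("!aNULL", "!eNULL", "!MD5")


def parse_directives(conf_text):
    """Yield (name, value) per Apache directive, skipping comments and <section> tags."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            yield name, value.strip()


def lint_ssl_conf(conf_text):
    """Findings for the <VirtualHost _default_:443> block; [] means it matches the guide."""
    findings = []
    directives = list(parse_directives(conf_text))
    values = dict(directives)  # last occurrence wins, as in Apache
    protocol = values.get("SSLProtocol")
    if protocol is None:
        findings.append("SSLProtocol missing")
    else:
        tokens = protocol.split()
        disabled = {t[1:] for t in tokens if t.startswith("-")}
        enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
        for legacy in LEGACY_PROTOCOLS:
            if legacy in enabled or ("all" in enabled and legacy not in disabled):
                findings.append(f"SSLProtocol still allows {legacy}")
    if values.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if values.get("SSLCompression", "on").lower() != "off":
        findings.append("SSLCompression is not Off")
    suite = values.get("SSLCipherSuite", "")
    findings += [f"SSLCipherSuite lacks {e}" for e in REQUIRED_CIPHER_EXCLUSIONS if e not in suite]
    hsts = [v for n, v in directives if n == "Header" and "Strict-Transport-Security" in v]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    elif not re.search(r"max-age=\d+", hsts[-1]):
        findings.append("Strict-Transport-Security header has no max-age")
    if "SSLCertificateChainFile" not in values:
        findings.append("SSLCertificateChainFile missing")
    return findings


def lint_listen(conf_text):
    """Section 6 step 3: port 80 must be bound to 127.0.0.1 only."""
    findings = []
    for name, value in parse_directives(conf_text):
        host, _, port = value.rpartition(":")
        if name == "Listen" and port == "80" and host != "127.0.0.1":
            findings.append(f"port 80 is bound to {host or 'all interfaces'}")
    return findings


def lint_ajp_connector(server_xml):
    """Section 8 step 2: AJP bound to loopback, and the 8080 HTTP connector commented out."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ajp = [c for c in connectors if c.get("protocol", "").startswith("AJP")]
    findings = [] if ajp else ["no AJP connector defined"]
    findings += ["AJP connector not bound to 127.0.0.1" for c in ajp if c.get("address") != "127.0.0.1"]
    if any(c.get("port") == "8080" for c in connectors if c not in ajp):
        findings.append("HTTP connector on 8080 still enabled")
    return findings


# Constructed from the guide's ssl.conf; cipher string shortened to a few entries
GUIDE_SSL_CONF = """
<VirtualHost _default_:443>
  SSLEngine On
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
  SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:!3DES:!EXPORT:!MD5:!PSK:!aNULL:!eNULL"
  SSLHonorCipherOrder on
  SSLCompression Off
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  SSLCertificateFile /root/certificates/idp-cert-server.crt
  SSLCertificateKeyFile /root/certificates/idp-key-server.key
  SSLCertificateChainFile /root/certificates/DigiCertCA.crt
</VirtualHost>
"""
# Constructed weak variant: TLSv1 still allowed, no HSTS, no chain file, defaults elsewhere
WEAK_SSL_CONF = """
<VirtualHost _default_:443>
  SSLEngine On
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite "HIGH:!aNULL:!eNULL:!MD5"
  SSLCertificateFile /root/certificates/idp-cert-server.crt
  SSLCertificateKeyFile /root/certificates/idp-key-server.key
</VirtualHost>
"""
GUIDE_SERVER_XML = """<Server><Service name="Catalina">
  <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/> -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1"
             enableLookups="false" tomcatAuthentication="false"/>
</Service></Server>"""
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
</Service></Server>"""
```

Run the three lint functions on the real /etc/httpd/conf.d/ssl.conf, /etc/httpd/conf/httpd.conf and /etc/tomcat/server.xml after editing them; an empty list means the file matches what the guide prescribes.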
You will need to retrieve the following files from the previous IdP:
   • idp-metadata.xml (found in /opt/shibboleth-idp/metadata)
   • idp.crt
   • idp.key
Taking as reference the “/tmp” directory, into which the files above have been placed, follow these steps:
   • sudo su -
   • mv /tmp/idp-metadata.xml /opt/shibboleth-idp/metadata
   • cd /opt/shibboleth-idp/credentials/
   • rm idp-encryption.crt idp-backchannel.crt idp-encryption.key idp-signing.crt idp-signing.key
   • ln -s idp.crt idp-encryption.crt
   • ln -s idp.key idp-encryption.key
   • ln -s idp.key idp-signing.key
   • ln -s idp.crt idp-signing.crt
   • ln -s idp.crt idp-backchannel.crt
   • openssl pkcs12 -export -in idp-encryption.crt -inkey idp-encryption.key -out idp-backchannel.p12 -password pass:#YOUR.BACKCHANNEL.CERT.PASSWORD#

The EntityID present in the metadata of the “old” IdP MUST BE EQUAL to the one inserted in the metadata of the “new” IdP in idp-metadata.xml. Check the value of the EntityID on the line

     # Set the entityID of the IdP
     idp.entityID= https://...

of the configuration file /opt/shibboleth-idp/conf/idp.properties.

15 Appendix E: Import the persistent-id from a previous database

1. Make a DUMP of the shibpid table of the previous DB “userdb” and of the new DB “shibboleth”:
   • cd /tmp
   • mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
   • mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
2. Import the previous values into the new DB “shibboleth”, making sure that the order of the fields of the old table “userdb.shibpid” matches exactly that of the new “shibboleth.shibpid” before running the import. THEY MUST MATCH because the population of the new DB “shibboleth” depends on it. To make the import easy, follow these steps with the file “userdb_shibpid.sql”:
   a) Change the name of the DB found in the first lines of the DUMP to “shibboleth”.
   b) From the DUMP “shibboleth_shibpid.sql” copy the part about “Table structure for table `shibpid`” and insert it into “userdb_shibpid.sql” below the one already present.
   c) Change the order of the fields in the pasted piece of code of “shibboleth.shibpid” so that it matches exactly what is found in the previous “shibpid” table of “userdb”.
   d) Delete the “Table structure for table `shibpid`” of “userdb”.
   e) Save and import the values into the new DB “shibboleth”:
      ▪ mysql -u root -p shibboleth < userdb_shibpid.sql

HOWTO Installation Shibboleth Identity Provider v3.2.1 on Linux Fedora 24 Server Edition

September 15th, 2016
Authors: Alessandro Enea, Marco Malavolti
Credits: Switch AAI, Shibboleth

Index

1) Introduction ... 28
2) Hardware Requirements ... 28
3) Software Requirements ... 28
4) Request a SSL certificate for port 443 of IdP server ... 29
5) Install the required packages ... 30
6) Configure SSL on Apache2 (Tomcat 8 front-end) ... 31
7) Install Shibboleth Identity Provider 3.2.1 ... 33
8) Configure Tomcat 8 ... 35
9) Speed up Tomcat 8 startup ... 36
10) Configure IdP Shibboleth ... 37
11) Appendix A: Attribute Filter R&S Entity Category compliant ... 46
12) Appendix B: Attribute Filter CoCo Entity Category compliant ... 47
13) Appendix C: Attribute Filter IDEM required ... 48
14) Appendix D: Import metadata from previous IDP v2.x ... 49
15) Appendix E: Import persistent-id from a previous database ... 50

1 Introduction

This document aims to guide the user through the installation and configuration of a Shibboleth Identity Provider v3.2.1 with Tomcat 8, and Apache 2.4 in front of it, on Linux Fedora 24 Server Edition.

2 Hardware Requirements

   • 2 CPU
   • 4 GB RAM
   • 20 GB Storage

3 Software Requirements

   • ca-certificates
   • ntp
   • java-1.8.0-openjdk
   • tomcat
   • httpd
   • expat
   • vim-enhanced
   • Shibboleth IdP (http://www.shibboleth.net/downloads/identity-provider/latest/)

4 Request a SSL certificate for port 443 of IdP server

1) According to the “specifiche tecniche” (technical specifications) of the IDEM Federation you are required to obtain and deploy an SSL certificate from a root CA in order to protect connections to port 443. For GARR members the TCS service (TERENA Certificate Service) is available. Certificates issued under the TCS service, at the time of writing, have DigiCert as root CA.
Please consider the following facts:
   • An up-to-date list of Organizations already part of the TCS service is available at https://ca.garr.it/TCS/tab.php together with the current list of admins and users for each Institution
   • If your Organization needs to join the TCS service please contact the GARR Certification Service in order to receive further instructions (e-mail to [email protected])
2) A technical guide to request an SSL certificate is available on the TCS website https://ca.garr.it/TCS/doc_server.php
3) Certificate Requests must be forwarded to the TCS admins of your Institution or directly submitted to the TCS portal (https://www.digicert.com/account) if you have a TCS user account.
4) From now on we will consider the /tmp directory as the base directory for the key and certificate of the server and for the certificate of the DigiCert CA that issued them.

5 Install the required packages

1. Install the required packages:
   • dnf install vim-enhanced java-1.8.0-openjdk ca-certificates openssl tomcat httpd mod_ssl expat ntp
2. Disable SELinux:
   • vim /etc/selinux/config

     # This file controls the state of SELinux on the system.
     # SELINUX= can take one of these three values:
     #     enforcing - SELinux security policy is enforced.
     #     permissive - SELinux prints warnings instead of enforcing.
     #     disabled - No SELinux policy is loaded.
     SELINUX=disabled

   • sudo reboot
   • check that the command “getenforce” returns “Disabled”
3. Configure /etc/default/tomcat:
   • update-alternatives --config java
   • update-alternatives --config javac
   • vim /etc/tomcat/tomcat.conf (copy the path without /bin/java)

     JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Djava.awt.headless=true -XX:+DisableExplicitGC -XX:+UseParallelOldGC -Xms256m -Xmx2g -Djava.security.egd=file:/dev/./urandom"

4. Be sure that your firewall doesn't block the traffic on port 443 (otherwise you can't access your IdP)
5. Move the Certificate and the Key file for the HTTPS server from /tmp/ to /root/certificates:
   • mkdir /root/certificates
   • mv /tmp/idp-cert-server.crt /root/certificates
   • mv /tmp/idp-key-server.key /root/certificates
   • mv /tmp/DigiCertCA.crt /root/certificates
   • chmod 400 /root/certificates/idp-key-server.key
   • chmod 644 /root/certificates/idp-cert-server.crt
   • chmod 644 /root/certificates/DigiCertCA.crt
   • Create a self-signed Certificate and Key if you don't have the official ones provided by the DigiCert CA:

     openssl req -x509 -newkey rsa:4096 -keyout /root/certificates/idp-key-server.key -out /root/certificates/idp-cert-server.crt -nodes -days 3650

6 Configure SSL on Apache2 (Tomcat 8 front-end)

1. Modify the file /etc/httpd/conf.d/ssl.conf as follows:
   • vim /etc/httpd/conf.d/ssl.conf

     <VirtualHost _default_:443>
         ServerName idp.example.garr.it:443
         ServerAdmin [email protected]
         DocumentRoot /var/www/html
         ...
         SSLEngine On
         SSLProtocol all -SSLv2 -SSLv3 -TLSv1
         SSLCipherSuite "kEDH+AESGCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA256:AES256-GCM-SHA384:!3DES:!DES:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA:!EDE3:!EDH-DSS-CBC-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC3-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXPORT:!MD5:!PSK:!RC4-SHA:!aNULL:!eNULL"
         SSLHonorCipherOrder on
         # Disable SSL Compression
         SSLCompression Off
         # Enable HTTP Strict Transport Security with a 2 year duration
         Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
         ...
         SSLCertificateFile /root/certificates/idp-cert-server.crt
         SSLCertificateKeyFile /root/certificates/idp-key-server.key
         SSLCertificateChainFile /root/certificates/DigiCertCA.crt
         ...
     </VirtualHost>

2. Restart Apache2 to apply the changes:
   • service httpd restart
3. Configure Apache2 to open port 80 only for localhost:
   • vim /etc/httpd/conf/httpd.conf

     # If you just change the port or add more ports here, you will likely also
     # have to change the VirtualHost statement in
     # /etc/apache2/sites-enabled/000-default.conf
     #Listen 12.34.56.78:80
     Listen 127.0.0.1:80

     <IfModule ssl_module>
         Listen 443
     </IfModule>

     <IfModule mod_gnutls.c>
         Listen 443
     </IfModule>

4. Verify the strength of your IdP's machine on:
   • https://www.ssllabs.com/ssltest/analyze.html

7 Install Shibboleth Identity Provider 3.2.1

1) Become ROOT:
   • sudo su -
2) Move to the directory /usr/local/src:
   • cd /usr/local/src
3) Download the Shibboleth IdP 3.2.1:
   • wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
   • tar -xzvf shibboleth-identity-provider-3.2.1.tar.gz
   • cd shibboleth-identity-provider-3.2.1
4) Run the installer “install.sh”:
   • ./bin/install.sh

     root@idp:/usr/local/src/shibboleth-identity-provider-3.2.1# ./bin/install.sh
     Source (Distribution) Directory: [/usr/local/src/shibboleth-identity-provider-3.2.1]
     Installation Directory: [/opt/shibboleth-idp]
     Hostname: [localhost.localdomain] idp.example.garr.it
     SAML EntityID: [https://idp.example.garr.it/idp/shibboleth]
     Attribute Scope: [localdomain] example.garr.it
     Backchannel PKCS12 Password: ###PASSWORD-FOR-BACKCHANNEL###
     Re-enter password: ###PASSWORD-FOR-BACKCHANNEL###
     Cookie Encryption Key Password: ###PASSWORD-FOR-COOKIE-ENCRYPTION###
     Re-enter password: ###PASSWORD-FOR-COOKIE-ENCRYPTION###

   From this point on the variable “idp.home” refers to the directory “/opt/shibboleth-idp”.
5) Import the JSTL library to display the IdP “status” page:
   • cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
   • wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
   • cd /opt/shibboleth-idp/bin ; ./build.sh -Didp.target.dir=/opt/shibboleth-idp
6) Change the permissions to allow the tomcat user to access the following directories:
   • chown -R tomcat /opt/shibboleth-idp/logs/
   • chown -R tomcat /opt/shibboleth-idp/metadata/
   • chown -R tomcat /opt/shibboleth-idp/credentials/
   • chown -R tomcat /opt/shibboleth-idp/conf/

8 Configure Tomcat 8

1) Become ROOT:
   • sudo su -
2) Change "server.xml":
   • vim /etc/tomcat/server.xml
     comment out <Connector port=8080 (HTTP) and modify the Connector 8009 (AJP):

     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"/>

   • Check the integrity of the modified XML with:
     ◦ xmlwf -e UTF-8 /etc/tomcat/server.xml
3) Create and change the file "idp.xml":
   • vim /etc/tomcat/Catalina/localhost/idp.xml and copy inside it this piece of code:

     <Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false" swallowOutput="true"/>

4) Create the apache2 configuration file for the IdP:
   • vim /etc/httpd/conf.d/idp.conf

     <Proxy ajp://localhost:8009>
         Require all granted
     </Proxy>
     ProxyPass /idp ajp://localhost:8009/idp retry=5
     ProxyPassReverse /idp ajp://localhost:8009/idp retry=5

   • service httpd restart
5) Modify context.xml to prevent the error of “lack of persistence of the session objects” created by the IdP:
   • vim /etc/tomcat/context.xml and remove the comment from:

     <Manager pathname="" />

6) Start the Tomcat Server Container:
   • service tomcat start
7) Verify that the IdP works:
   • https://idp.example.garr.it/idp/shibboleth (you should see the IdP metadata)

9 Speed up Tomcat 8 startup

1. Find out the JARs that can be skipped from the scanning:
   • cd /opt/shibboleth-idp/
   • ls webapp/WEB-INF/lib | awk '{print $1",\\"}'
2. Insert the output list into “/etc/tomcat/catalina.properties” at the tail of “tomcat.util.scan.StandardJarScanFilter.jarsToSkip”
3. Restart Tomcat 8:
   • service tomcat restart

10 Configure IdP Shibboleth

1) Become ROOT:
   • sudo su -
2) IdP installation finished, test it! Add to the /etc/hosts file the line:

     127.0.1.1 idp.example.garr.it idp

   Open a terminal and run these commands:
   • cd /opt/shibboleth-idp/bin
   • ./status.sh
   You should see some information about the installed IdP.
3) Install a MySQL database and import the libraries used by Tomcat and Shibboleth:
   • dnf install mariadb-server mysql-connector-java
   • cp /usr/share/java/mysql-connector-java.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
   • cp /usr/share/java/mysql-connector-java.jar /usr/share/tomcat/lib/
   • cp /usr/share/tomcat/lib/tomcat-jdbc.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
4) Install the Tomcat Common Pool libraries used for the generation of the saml-id:
   • cd /usr/local/src/
   • wget https://www.apache.org/dist/commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
   • tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
   • cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
5) Rebuild the idp.war of Shibboleth with the new libraries:
   • export JAVA_HOME="/usr/lib/jvm/jre"
   • cd /opt/shibboleth-idp/ ; ./bin/build.sh
6) Configure the MySQL service:
   • service mariadb start
   • mysql_secure_installation (and follow the steps by answering Yes (Y) to all questions)
7) Create the table “shibpid” to manage the persistent-id (ex eduPersonTargetedID) as StoredID and the table “StorageRecords” to manage the attribute release consent of the users:
   • mysql -u root -p
   • mysql> SET NAMES 'utf8';
   • mysql> SET CHARACTER SET utf8;
   • mysql> CHARSET utf8;
   • mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
   • mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
   • mysql> USE shibboleth;
   • mysql> CREATE TABLE shibpid
         -> (
         ->     localEntity VARCHAR(255) NOT NULL,
         ->     peerEntity VARCHAR(255) NOT NULL,
         ->     persistentId VARCHAR(50) NOT NULL,
         ->     principalName VARCHAR(50) NOT NULL,
         ->     localId VARCHAR(50) NOT NULL,
         ->     peerProvidedId VARCHAR(50) NULL,
         ->     creationDate TIMESTAMP NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
         ->     deactivationDate TIMESTAMP NULL default NULL,
         ->     PRIMARY KEY (localEntity, peerEntity, persistentId)
         -> );
   • mysql> CREATE TABLE StorageRecords
         -> (
         ->     context VARCHAR(255) NOT NULL,
         ->     id VARCHAR(255) NOT NULL,
         ->     expires BIGINT(20) DEFAULT NULL,
         ->     value LONGTEXT NOT NULL,
         ->     version BIGINT(20) NOT NULL,
         ->     PRIMARY KEY (context, id)
         -> );
   • quit;
8) Create the user “idem” with the password “demo” that can be used to manage the “shibboleth” DB (change at least the password “demo” when you create your user):
   • mysql -u root -p
   • mysql> USE mysql;
   • mysql> CREATE USER idem;
   • mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost' IDENTIFIED BY 'demo';
   • mysql> FLUSH PRIVILEGES;
   • mysql> quit;
9) Restart the mysql server:
   • service mariadb restart
10) Enable the SAML2 Persistent Identifiers by removing the comment from the SAML2PersistentGenerator <ref> (shown in bold in the original) in saml-nameid.xml:
   • vim /opt/shibboleth-idp/conf/saml-nameid.xml

     <!-- SAML 2 NameID Generation -->
     <util:list id="shibboleth.SAML2NameIDGenerators">
         <ref bean="shibboleth.SAML2TransientGenerator" />
         <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
         <ref bean="shibboleth.SAML2PersistentGenerator" />
         <!--
         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             p:attributeSourceIds="#{ {'mail'} }" />
         -->
     </util:list>

11) Enable the JPAStorageService for the StorageService and MyDataSource for storing the persistent identifier of the users:
   • vim /opt/shibboleth-idp/conf/global.xml (add the following code, with the right parameters for the database “shibboleth”, at the tail before the last </beans>)

     <bean id="shibboleth.JPAStorageService" class="org.opensaml.storage.impl.JPAStorageService"
         p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
         c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>

     <bean id="shibboleth.JPAStorageService.entityManagerFactory"
         class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
         <property name="packagesToScan" value="org.opensaml.storage.impl"/>
         <property name="dataSource" ref="MyDataSource"/>
         <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
         <property name="jpaDialect">
             <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
         </property>
     </bean>

     <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
         class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
         <property name="database" value="MYSQL" />
     </bean>

     <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property.
     -->
     <bean id="MyDataSource" class="org.apache.commons.dbcp.BasicDataSource"
         p:driverClassName="com.mysql.jd.Driver"
         p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
         p:username="idem"
         p:password="demo"
         p:maxActive="10"
         p:maxIdle="5"
         p:maxWait="15000"
         p:testOnBorrow="true"
         p:validationQuery="select 1"
         p:validationQueryTimeout="5" />

   • Change the IdP properties accordingly:
     ◦ vim /opt/shibboleth-idp/conf/idp.properties

       idp.session.StorageService = shibboleth.JPAStorageService
       idp.consent.StorageService = shibboleth.JPAStorageService
       idp.replayCache.StorageService = shibboleth.JPAStorageService
       idp.artifact.StorageService = shibboleth.JPAStorageService

12) Enable SAML2 support by changing idp-metadata.xml and disable the deprecated SAML v1.x support:
   • vim /opt/shibboleth-idp/metadata/idp-metadata.xml

   <IDPSSODescriptor> section:
     – From the list "protocolSupportEnumeration" remove:
         – urn:oasis:names:tc:SAML:1.1:protocol
         – urn:mace:shibboleth:1.0
     – Remove the endpoint:
         <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" …/>
       (and change the index value of the next one to “1”)
     – Remove the endpoint:
         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
     – Add under the endpoint:
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
       the new endpoint:
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
       (because the IdP installed with this guide releases persistent SAML NameIDs)
     – Remove the endpoint:
         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" …/>
     – Remove all ":8443" from the existing URLs (that port is not used anymore)

   <AttributeAuthorityDescriptor> section:
     – In the list "protocolSupportEnumeration" replace the value "urn:oasis:names:tc:SAML:1.1:protocol" with "urn:oasis:names:tc:SAML:2.0:protocol"
     – Remove the comment from:
         <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" .../>
     – Remove the endpoint:
         <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" .../>
     – Remove the endpoint:
         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
     – Remove all ":8443" from the existing URLs (that port is not used anymore)

13) Configure the IdP to retrieve the IDEM Test Federation metadata:
   • cd /opt/shibboleth-idp/conf
   • vim metadata-providers.xml

     <MetadataProvider id="URLMD-IDEM-Federation"
                       xsi:type="FileBackedHTTPMetadataProvider"
                       minRefreshDelay="PT5M"
                       maxRefreshDelay="PT1H"
                       refreshDelayFactor="0.75"
                       backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
                       metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">

         <!--
             Verify the signature on the root element of the metadata aggregate
             using a trusted metadata signing certificate.
         -->
         <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                         certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>

         <!--
             Require a validUntil XML attribute on the root element and
             make sure its value is no more than 5 days into the future.
         -->
         <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P5D"/>

         <!-- Consume all SP metadata in the aggregate -->
         <MetadataFilter xsi:type="EntityRoleWhiteList">
             <RetainedRole>md:SPSSODescriptor</RetainedRole>
         </MetadataFilter>
     </MetadataProvider>

   • Download the certificate file that signs the IDEM metadata:
     ◦ wget https://idem.garr.it/documenti/doc_download/321-idem-metadatasigner-2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
   • Verify its validity:
     ◦ cd /opt/shibboleth-idp/metadata
     ◦ openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
       must give sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
     ◦ openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout
       must give md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE

14) Configure the Authentication for the openLDAP server:
   • vim /opt/shibboleth-idp/conf/ldap.properties (with either *TLS solution, remember to put the LDAP certificate into /opt/shibboleth-idp/credentials and to give the right privileges to the tomcat user: 'chown tomcat ldap-server.crt')
     ◦ Solution 1: LDAP with STARTTLS:

       idp.authn.LDAP.authenticator = bindSearchAuthenticator
       idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
       idp.authn.LDAP.useStartTLS = true
       idp.authn.LDAP.useSSL = false
       idp.authn.LDAP.sslConfig = certificateTrust
       idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
       idp.authn.LDAP.userFilter = (uid={user})
       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
       idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###

     ◦ Solution 2: LDAP with TLS/SSL:

       idp.authn.LDAP.authenticator = bindSearchAuthenticator
       idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
       idp.authn.LDAP.useStartTLS = false
       idp.authn.LDAP.useSSL = true
       idp.authn.LDAP.sslConfig = certificateTrust
       idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
       idp.authn.LDAP.userFilter = (uid={user})
       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
       idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###

     ◦ Solution 3: LDAP plain:

       idp.authn.LDAP.authenticator = bindSearchAuthenticator
       idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
       idp.authn.LDAP.useStartTLS = false
       idp.authn.LDAP.useSSL = false
       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
       idp.authn.LDAP.userFilter = (uid={user})
       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
       idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###

     If you decide to use solution 3, you have to remove the following code from your “attribute-resolver-full.xml”:

       </dc:FilterTemplate>
       <!--
       <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
           <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
       </dc:StartTLSTrustCredential>
       -->
       </resolver:DataConnector>

     UTILITY FOR THE OPENLDAP ADMINISTRATOR:
     ◦ ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
       ▪ baseDN ==> ou=people,dc=example,dc=garr,dc=it (branch containing the registered users)
       ▪ bindDN ==> cn=admin,dc=example,dc=garr,dc=it (distinguished name of the user that can make queries on the LDAP)
   • Enrich idp-process.log with the authentication errors produced on the LDAP:
     ◦ vim /opt/shibboleth-idp/conf/logback.xml

       <!-- Logs LDAP related messages -->
       <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
       <!-- Logs on LDAP user authentication -->
       <logger name="org.ldaptive.auth.Authenticator" level="INFO" />

   • Download the “attribute-resolver-v3-idem.xml” from IDEM GARR AAI:
     ◦ cd /opt/shibboleth-idp/conf
     ◦ wget http://www.garr.it/idem-conf/attribute-resolver-v3-idem.xml
   • Replace the default attribute-resolver.xml with the federation one:
     ◦ vim /opt/shibboleth-idp/conf/services.xml

       <util:list id="shibboleth.AttributeResolverResources">
           <value>%{idp.home}/conf/attribute-resolver-v3-idem.xml</value>
       </util:list>

   • Enable the new Attribute-Resolver on the IdP:
     ◦ vim /opt/shibboleth-idp/conf/services.xml

       <value>%{idp.home}/conf/attribute-resolver.xml</value>

       must become:

       <value>%{idp.home}/conf/attribute-resolver-v3-idem.xml</value>

   • Support the Default ARP for the IDEM Federation:
     ◦ Download the Default ARP “attribute-filter-v3-idem.xml” to release the mandatory attributes and to use the essential resources of IDEM:
       ▪ cd /opt/shibboleth-idp/conf
       ▪ wget http://www.garr.it/idem-conf/attribute-filter-v3-idem.xml
     ◦ Add the Default ARP for the IDEM federation to those considered by the IdP:
       ▪ vim /opt/shibboleth-idp/conf/services.xml

         <util:list id="shibboleth.AttributeFilterResources">
             <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
             <value>%{idp.home}/conf/attribute-filter.xml</value>
         </util:list>

   • Enable the generation of the persistent-id:
     ◦ vim /opt/shibboleth-idp/conf/saml-nameid.properties (the sourceAttribute MUST BE an attribute, or a comma-separated list of attributes, whose values univocally identify the user. Its value MUST BE STABLE, PERMANENT and NOT REASSIGNABLE.)
       idp.persistentId.sourceAttribute = uid
       …
       idp.persistentId.algorithm = SHA
       idp.persistentId.salt = ### output of ‘openssl rand -base64 36’ ###
       …
       idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
       idp.persistentId.dataSource = MyDataSource
       …
       idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator

     ▪ Change the subject-c14n for the management of the SAML2 PersistentID:
       • vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
         ◦ Remove the comment from the bean “c14n/SAML2Persistent”
     ▪ Change the Default RelyingParty to be able to release the persistent-id to everyone without limitation:
       • vim /opt/shibboleth-idp/conf/relying-party.xml

         <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
             <property name="profileConfigurations">
                 <list>
                     <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                     <ref bean="SAML1.AttributeQuery" />
                     <ref bean="SAML1.ArtifactResolution" />
                     <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
                         p:nameIDFormatPrecedence="#{{ 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent','urn:oasis:names:tc:SAML:2.0:nameid-format:transient' }}" />
                     <ref bean="SAML2.ECP" />
                     <ref bean="SAML2.Logout" />
                     <ref bean="SAML2.AttributeQuery" />
                     <ref bean="SAML2.ArtifactResolution" />
                     <ref bean="Liberty.SSOS" />
                 </list>
             </property>
         </bean>

15) Translate the Login, the Consent, and the Terms of Use pages into your preferred language:
   • Open the page containing the translated files: CLICK HERE
   • Retrieve the 3 files for your language and insert them into /opt/shibboleth-idp/messages
   • Restart Tomcat 8:
     ◦ service tomcat restart
16) Register the IdP metadata provided by this URL: “https://##idp.example.garr.it##/idp/shibboleth” into the IDEM Entity Registry: https://registry.idem.garr.it/rr3 (contact [email protected] if you have problems) and wait for the metadata propagation.
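The idp-metadata.xml edits of step 12 above, as an added script that is not part of this guide or of the Shibboleth distribution: it applies the same edits with Python's ElementTree to a constructed sample in the shape of the metadata written by install.sh. The entityID, hostname and Location URLs in the sample are placeholders; on a real file keep a backup and re-check the result with xmlwf before restarting Tomcat.

```python
"""Step-12 edits of idp-metadata.xml done with ElementTree: drop SAML 1.1 and
Shibboleth 1.0 support, add the persistent NameIDFormat, drop the :8443 port.
Added example; the metadata below is a constructed sample, not a real IdP's."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)  # keep the md: prefix when serialising
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SHIB1_PROTOCOL = "urn:mace:shibboleth:1.0"
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SHIB1_AUTHN = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"
SHIB1_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HOST = "https://idp.example.garr.it"  # placeholder hostname

# Constructed sample in the shape of the metadata written by install.sh.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="{HOST}/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML1_PROTOCOL} {SHIB1_PROTOCOL} {SAML2_PROTOCOL}">
    <md:ArtifactResolutionService Binding="{SAML1_SOAP}" index="1"
        Location="{HOST}:8443/idp/profile/SAML1/SOAP/ArtifactResolution"/>
    <md:ArtifactResolutionService Binding="{SAML2_SOAP}" index="2"
        Location="{HOST}:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
    <md:NameIDFormat>{SHIB1_NAMEID}</md:NameIDFormat>
    <md:NameIDFormat>{TRANSIENT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{SHIB1_AUTHN}" Location="{HOST}/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{HOST}/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="{SAML1_PROTOCOL}">
    <md:AttributeService Binding="{SAML1_SOAP}" Location="{HOST}:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <!-- <md:AttributeService Binding="{SAML2_SOAP}" Location="{HOST}:8443/idp/profile/SAML2/SOAP/AttributeQuery"/> -->
    <md:NameIDFormat>{SHIB1_NAMEID}</md:NameIDFormat>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


def q(tag):
    return f"{{{MD}}}{tag}"


def migrate(xml_text):
    """Return the EntityDescriptor element with the step-12 edits applied."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments
    root = ET.fromstring(xml_text, parser=parser)
    idp = root.find(q("IDPSSODescriptor"))
    aa = root.find(q("AttributeAuthorityDescriptor"))

    # IDPSSODescriptor: protocol list, SAML 1 artifact endpoint, Shibboleth 1.0 SSO endpoint
    protocols = idp.get("protocolSupportEnumeration").split()
    idp.set("protocolSupportEnumeration",
            " ".join(p for p in protocols if p not in (SAML1_PROTOCOL, SHIB1_PROTOCOL)))
    for svc in list(idp):
        if (svc.tag == q("ArtifactResolutionService") and svc.get("Binding") == SAML1_SOAP) or \
           (svc.tag == q("SingleSignOnService") and svc.get("Binding") == SHIB1_AUTHN):
            idp.remove(svc)
    for i, svc in enumerate(idp.findall(q("ArtifactResolutionService")), start=1):
        svc.set("index", str(i))  # the surviving SAML 2 endpoint becomes index 1
    formats = idp.findall(q("NameIDFormat"))
    texts = [f.text for f in formats]
    if TRANSIENT in texts and PERSISTENT not in texts:
        transient = formats[texts.index(TRANSIENT)]
        persistent = ET.Element(q("NameIDFormat"))
        persistent.text, persistent.tail = PERSISTENT, transient.tail
        idp.insert(list(idp).index(transient) + 1, persistent)

    # AttributeAuthorityDescriptor: SAML 2 protocol, un-comment the SAML 2 AttributeService
    aa.set("protocolSupportEnumeration",
           aa.get("protocolSupportEnumeration").replace(SAML1_PROTOCOL, SAML2_PROTOCOL))
    for i, node in enumerate(list(aa)):
        if node.tag is ET.Comment and "AttributeService" in node.text:
            restored = ET.fromstring(f'<r xmlns:md="{MD}">{node.text}</r>')[0]
            restored.tail = node.tail
            aa.remove(node)
            aa.insert(i, restored)
    for svc in list(aa.findall(q("AttributeService"))):
        if svc.get("Binding") == SAML1_SOAP:
            aa.remove(svc)

    # Both roles: drop the Shibboleth 1.0 NameIDFormat and the :8443 port
    for role in (idp, aa):
        for fmt in list(role.findall(q("NameIDFormat"))):
            if fmt.text == SHIB1_NAMEID:
                role.remove(fmt)
        for el in role.iter():
            if el.get("Location"):
                el.set("Location", el.get("Location").replace(":8443/", "/"))
    return root


def migrated_xml(xml_text):
    return ET.tostring(migrate(xml_text), encoding="unicode")


if __name__ == "__main__":
    print(migrated_xml(SAMPLE))
```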
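The persistent-id settings of step 14 above (algorithm SHA, a secret salt, sourceAttribute = uid, StoredPersistentIdGenerator with ComputedPersistentIdGenerator as fallback), as an added model in Python that is not part of this guide or of the IdP code: the computed id is Base64(SHA-1(spEntityID + "!" + sourceValue + "!" + salt)), and an in-memory table stands in for shibpid with a simplified lookup keyed on (peerEntity, localId). The salt, entityIDs and uids are constructed placeholders.

```python
"""Model of the persistent-id generation configured in step 14:
idp.persistentId.algorithm = SHA, a secret salt, sourceAttribute = uid, and
StoredPersistentIdGenerator backed by the shibpid table with
ComputedPersistentIdGenerator as fallback. Added illustration, not IdP code;
the salt, entityIDs and uids are constructed placeholders."""
import base64
import hashlib

IDP_ENTITY_ID = "https://idp.example.garr.it/idp/shibboleth"   # placeholder
SALT = "CONSTRUCTED-PLACEHOLDER-use-openssl-rand-base64-36"    # keep secret, never reuse


def computed_persistent_id(sp_entity_id, source_value, salt=SALT):
    """ComputedPersistentIdGenerator with algorithm SHA:
    Base64(SHA-1(spEntityID + "!" + sourceValue + "!" + salt)).
    The SP entityID is part of the hash input, so the same user gets a different,
    unlinkable identifier at every SP; the salt keeps the uid from being recoverable."""
    digest = hashlib.sha1(f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


class ShibpidTable:
    """In-memory stand-in for the shibpid table created in step 7 (same columns)."""

    def __init__(self):
        self.rows = []

    def active_row(self, peer_entity, local_id):
        """Simplified lookup: the active row for this SP and source-attribute value."""
        for row in self.rows:
            if (row["peerEntity"], row["localId"]) == (peer_entity, local_id) \
                    and row["deactivationDate"] is None:
                return row
        return None


def stored_persistent_id(table, sp_entity_id, principal, source_value):
    """StoredPersistentIdGenerator: reuse the stored id if present, otherwise compute
    one with the fallback generator and persist it with the principal that got it."""
    row = table.active_row(sp_entity_id, source_value)
    if row is None:
        row = {"localEntity": IDP_ENTITY_ID, "peerEntity": sp_entity_id,
               "persistentId": computed_persistent_id(sp_entity_id, source_value),
               "principalName": principal, "localId": source_value,
               "deactivationDate": None}
        table.rows.append(row)
    return row["persistentId"]


def reassignment_hazard(table, sp_entity_id):
    """Why the sourceAttribute must never be reassigned: a new principal that inherits
    an old uid gets the old persistent id, so the SP cannot tell the two people apart."""
    first = stored_persistent_id(table, sp_entity_id, "alice", "u1001")
    second = stored_persistent_id(table, sp_entity_id, "bob", "u1001")  # uid recycled
    return first == second


if __name__ == "__main__":
    sp1 = "https://sp-test.garr.it/shibboleth"    # placeholder SP entityIDs
    sp2 = "https://sp24-test.garr.it/shibboleth"
    print(computed_persistent_id(sp1, "u1001"))
    print(computed_persistent_id(sp2, "u1001"))      # differs: unlinkable across SPs
    print(reassignment_hazard(ShibpidTable(), sp1))  # True: the hazard the note warns about
```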
17) Verify that the Login page appears when you try to access a Test Service Provider, https://sp-test.garr.it/secure or https://sp24-test.garr.it/secure, provided by [email protected].

11 Appendix A: Attribute Filter R&S Entity Category compliant

1. Download the file “attribute-filter-v3-rs.xml” provided by IDEM:
   • cd /opt/shibboleth-idp/conf
   • wget http://www.garr.it/idem-conf/attribute-filter-v3-rs.xml
2. Add the federation attribute filter for R&S to those considered by the IdP:
   • vim /opt/shibboleth-idp/conf/services.xml

     <util:list id="shibboleth.AttributeFilterResources">
         <value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
         <value>%{idp.home}/conf/attribute-filter.xml</value>
     </util:list>

3. Update the IdP attribute filter with:
   • cd /opt/shibboleth-idp/bin
   • ./reload-service.sh -id shibboleth.AttributeFilterService

12 Appendix B: Attribute Filter CoCo Entity Category compliant

1. Download the file “attribute-filter-v3-coco.xml” provided by IDEM:
   • cd /opt/shibboleth-idp/conf
   • wget http://www.garr.it/idem-conf/attribute-filter-v3-coco.xml
2. Add the federation attribute filter for R&S to those considered by the IdP:
   • vim /opt/shibboleth-idp/conf/services.xml

     <util:list id="shibboleth.AttributeFilterResources">
         <value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
         <value>%{idp.home}/conf/attribute-filter.xml</value>
     </util:list>

3. Update the IdP attribute filter with:
   • cd /opt/shibboleth-idp/bin
   • ./reload-service.sh -id shibboleth.AttributeFilterService

13 Appendix C: Attribute Filter IDEM required

1. Download the file “attribute-filter-v3-required.xml” provided by IDEM:
   • cd /opt/shibboleth-idp/conf
   • wget http://www.garr.it/idem-conf/attribute-filter-v3-required.xml
2. Add the federation attribute filter for IDEM resources to those considered by the IdP:
   • vim /opt/shibboleth-idp/conf/services.xml

     <util:list id="shibboleth.AttributeFilterResources">
         <value>%{idp.home}/conf/attribute-filter-v3-required.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-coco.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-rs.xml</value>
         <value>%{idp.home}/conf/attribute-filter-v3-idem.xml</value>
         <value>%{idp.home}/conf/attribute-filter.xml</value>
     </util:list>

3. Update the IdP attribute filter with:
   • cd /opt/shibboleth-idp/bin
   • ./reload-service.sh -id shibboleth.AttributeFilterService

14 Appendix D: Import metadata from previous IDP v2.x

You have to retrieve these files from the previous IdP:
   • idp-metadata.xml (inside /opt/shibboleth-idp/metadata)
   • idp.crt
   • idp.key
Assuming those files have been placed in the “/tmp” directory, follow these steps:
   • sudo su -
   • mv /tmp/idp-metadata.xml /opt/shibboleth-idp/metadata
   • cd /opt/shibboleth-idp/credentials/
   • rm idp-encryption.crt idp-backchannel.crt idp-encryption.key idp-signing.crt idp-signing.key
   • ln -s idp.crt idp-encryption.crt
   • ln -s idp.key idp-encryption.key
   • ln -s idp.key idp-signing.key
   • ln -s idp.crt idp-signing.crt
   • ln -s idp.crt idp-backchannel.crt
   • openssl pkcs12 -export -in idp-encryption.crt -inkey idp-encryption.key -out idp-backchannel.p12 -password pass:#YOUR.BACKCHANNEL.CERT.PASSWORD#

The EntityID used in the “old” IdP metadata MUST BE EQUAL to the one inserted in the “new” IdP metadata (idp-metadata.xml). Verify this line:

     # Set the entityID of the IdP
     idp.entityID= https://...

inside the file /opt/shibboleth-idp/conf/idp.properties

15 Appendix E: Import persistent-id from a previous database

1. Create one DUMP of the “shibpid” table from the previous DB “userdb” and one of the “shibpid” table from the new DB “shibboleth”:
   • cd /tmp
   • mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
   • mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
2. Import the previous values into the new DB “shibboleth”, paying attention to the order of the fields of the old table “userdb.shibpid”: they have to be in the same order as the fields of the new “shibboleth.shibpid” before doing the import. THEY MUST BE IN THE SAME ORDER because, if they are not aligned, the import will fail to populate the new DB “shibboleth”. To make this process easier, follow these steps with “userdb_shibpid.sql”:
   a) Modify the name of the DB found in the DUMP to “shibboleth”.
   b) From the DUMP “shibboleth_shibpid.sql” copy the part “Table structure for table `shibpid`” and insert it into “userdb_shibpid.sql” under the one already present.
   c) Modify the order of the fields in the pasted piece of code of “shibboleth.shibpid” so that the order of the fields is the same as that found in the “shibpid” table of the old “userdb”.
   d) Delete the section “Table structure for table `shibpid`” of “userdb”.
   e) Save and import the values into the new DB “shibboleth”:
      ▪ mysql -u root -p shibboleth < userdb_shibpid.sql
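An added alternative to step 2 of Appendix E, not part of this guide: instead of editing the dump so that the column order matches, read the column order of both shibpid tables from the two dumps and generate an INSERT ... SELECT with explicit column names, so the physical order of the two tables no longer matters. The dumps below are constructed samples of mysqldump output, and the statement assumes userdb and shibboleth sit on the same MariaDB server.

```python
"""Appendix E without hand-editing the dump: read the column order of both
shibpid tables from the two mysqldump files and emit an INSERT ... SELECT that
names every column explicitly, so the physical order of the old and new table
no longer has to match. Added example, not part of this guide; the dumps are
constructed samples and the statement assumes both databases sit on the same
MariaDB server (as they do when both are dumped with the same root account)."""
import re

# Constructed: the "Table structure" section of userdb_shibpid.sql (IdP v2 column order).
OLD_DUMP = """--
-- Table structure for table `shibpid`
--
CREATE TABLE `shibpid` (
  `localEntity` varchar(255) NOT NULL,
  `peerEntity` varchar(255) NOT NULL,
  `principalName` varchar(50) NOT NULL,
  `localId` varchar(50) NOT NULL,
  `persistentId` varchar(50) NOT NULL,
  `peerProvidedId` varchar(50) DEFAULT NULL,
  `creationDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `deactivationDate` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`localEntity`,`peerEntity`,`persistentId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
"""

# Constructed: the same section of shibboleth_shibpid.sql (table created in step 7).
NEW_DUMP = """CREATE TABLE `shibpid` (
  `localEntity` varchar(255) NOT NULL,
  `peerEntity` varchar(255) NOT NULL,
  `persistentId` varchar(50) NOT NULL,
  `principalName` varchar(50) NOT NULL,
  `localId` varchar(50) NOT NULL,
  `peerProvidedId` varchar(50) DEFAULT NULL,
  `creationDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `deactivationDate` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`localEntity`,`peerEntity`,`persistentId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
"""


def columns_from_dump(dump_sql, table="shibpid"):
    """Column names, in declaration order, from the CREATE TABLE of `table` in a dump."""
    m = re.search(rf"CREATE TABLE `{re.escape(table)}` \((.*?)\n\)", dump_sql, re.S)
    if not m:
        raise ValueError(f"no CREATE TABLE `{table}` in dump")
    cols = []
    for line in m.group(1).splitlines():
        cm = re.match(r"\s*`([^`]+)`\s", line)  # column lines start with a backticked name
        if cm:                                  # PRIMARY KEY / KEY lines do not match
            cols.append(cm.group(1))
    return cols


def migration_sql(old_cols, new_cols, old_db="userdb", new_db="shibboleth", table="shibpid"):
    """Return (sql, missing): the copy statement over the columns both tables share, and
    the new-table columns the old dump lacks (those must be nullable or have a default)."""
    common = [c for c in new_cols if c in old_cols]
    missing = [c for c in new_cols if c not in old_cols]
    col_list = ", ".join(f"`{c}`" for c in common)
    sql = (f"INSERT INTO `{new_db}`.`{table}` ({col_list})\n"
           f"  SELECT {col_list} FROM `{old_db}`.`{table}`;")
    return sql, missing


if __name__ == "__main__":
    sql, missing = migration_sql(columns_from_dump(OLD_DUMP), columns_from_dump(NEW_DUMP))
    print(sql)
    if missing:
        print("-- columns absent from the old table:", ", ".join(missing))
```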