HOWTO Upgrade Shibboleth IdP from V2 to V3 on Ubuntu Linux

13 May 2016
Authors: Marco Malavolti
Contents
1) Introduction
2) Required packages
3) Pre-existing software
4) Installation
4.1) Download and install the new Shibboleth IdP v3.2.1
4.2) Configure the new IdP while preserving the old configuration
1 Introduction
This is a tutorial for users who want to upgrade their Shibboleth Identity Provider from a 2.x release to a 3.x release on an Ubuntu Linux machine where an Apache2 server sits in front of a Tomcat server that runs the Shibboleth software.
Specifically, this tutorial upgrades a Shibboleth Identity Provider on an Ubuntu 12.04 machine that has its own OpenLDAP server for user identity management.
2 Required packages
• ntp
• vim
• Java 7 JDK (Oracle or OpenJDK)
• wget
3 Pre-existing software
• Shibboleth Identity Provider v2.x
• Tomcat (7 or 8)
• (Apache2)
4 Installation
4.1 Download and install the new Shibboleth IdP v3.2.1
1. Make sure that no other Tomcat instance is running:
• ps aux | grep tomcat
2. If Tomcat processes are running, stop them:
• service tomcat7 stop OR kill -9 #TOMCAT-PID#
(prefer the service stop; kill -9 does not give Tomcat a chance to shut down cleanly)
3. Make sure you are using the Oracle JDK or the OpenJDK Development Kit (JDK) 7 or 8:
• sudo update-alternatives --config java
4. Download and install the new Shibboleth IdP v3.2.1:
• cd /usr/local/src
• wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
• tar xzvf shibboleth-identity-provider-3.2.1.tar.gz
• cd shibboleth-identity-provider-3.2.1
• hostname -f (to note your FQDN, which the installer asks for)
• ./bin/install.sh
(follow the prompts and keep the installation location used by the Shibboleth v2 IdP, /opt/shibboleth-idp)
(the old Shibboleth IdP configuration files are saved in a "conf.v2" folder inside the installation directory)
Note that the archive is fetched over plain HTTP: verify it against the checksum or PGP signature published on shibboleth.net before unpacking it.
4.2 Configure the new IdP while preserving the old configuration
1. The entityID in the metadata of the "old" IdP MUST BE THE SAME as the one in the metadata of the "new" IdP, idp-metadata.xml. Check the entityID value in the line
# Set the entityID of the IdP
idp.entityID= https://...
of the configuration file /opt/shibboleth-idp/conf/idp.properties.
(a different entityID would break the trust that federation SPs have in this IdP and would orphan the stored persistent IDs, whose primary key includes the IdP entityID in the localEntity column)
2. Fix ownership so that the Tomcat user can read the files (N == 7 or 8, matching your Tomcat version):
• chown -R tomcatN /opt/shibboleth-idp/logs/
• chown -R tomcatN /opt/shibboleth-idp/metadata/
• chown -R tomcatN /opt/shibboleth-idp/credentials/
• chown -R tomcatN /opt/shibboleth-idp/conf/
(credentials/ holds the IdP private key and conf/ will hold the database and LDAP passwords: keep both readable only by the Tomcat user)
3. Create the Tomcat context descriptor that deploys the IdP application:
• vim /etc/tomcatN/Catalina/localhost/idp.xml
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true" />
4. Install the MySQL JDBC driver (only if not already present):
• sudo apt-get install libmysql-java
5. Link the MySQL JDBC libraries into the right places:
• cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
• ln -s /usr/share/java/mysql-connector-java.jar
• ln -s /usr/share/tomcatN/lib/tomcat-jdbc.jar
• cd /usr/share/tomcatN/lib/
• ln -s /usr/share/java/mysql-connector-java.jar
6. Install the Apache Commons DBCP2 library used by the new persistent-ID generator:
• cd /usr/local/src/
• wget http://mirrors.muzzy.it/apache//commons/dbcp/binaries/commons-dbcp2-2.1.1-bin.tar.gz
• tar xzvf commons-dbcp2-2.1.1-bin.tar.gz ; cd commons-dbcp2-2.1.1/
• cp commons-dbcp2-2.1.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
7. Install the Apache Commons Pool2 library used by the new persistent-ID generator:
• cd /usr/local/src/
• wget http://mirror.nohup.it/apache//commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
• tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
• cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
(both archives come from third-party mirrors over plain HTTP; check them against the signatures or checksums published by the Apache Commons project before copying the jars into the webapp, since anything in WEB-INF/lib runs with the IdP's privileges)
8. Build the new idp.war with the added libraries:
• cd /opt/shibboleth-idp/ ; ./bin/build.sh
9. Create a new MySQL DB compatible with the new IdP version:
• mysql -u root -p
mysql> SET NAMES 'utf8';
mysql> SET CHARACTER SET utf8;
mysql> CHARSET utf8;
mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
(warning: because of the IDENTIFIED BY clause this statement also resets the password of root@localhost to 'yourPassword'; root already holds every privilege, so the line can simply be skipped)
mysql> USE shibboleth;
mysql> CREATE TABLE shibpid (
    localEntity VARCHAR(255) NOT NULL,
    peerEntity VARCHAR(255) NOT NULL,
    persistentId VARCHAR(50) NOT NULL,
    principalName VARCHAR(50) NOT NULL,
    localId VARCHAR(50) NOT NULL,
    peerProvidedId VARCHAR(50) NULL,
    creationDate TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    deactivationDate TIMESTAMP NULL DEFAULT NULL,
    PRIMARY KEY (localEntity, peerEntity, persistentId)
);
mysql> CREATE TABLE StorageRecords (
    context VARCHAR(255) NOT NULL,
    id VARCHAR(255) NOT NULL,
    expires BIGINT(20) DEFAULT NULL,
    value LONGTEXT NOT NULL,
    version BIGINT(20) NOT NULL,
    PRIMARY KEY (context, id)
);
mysql> quit;
10. Create an "idem" user with password "demo" that can access and modify the "shibboleth" DB:
(both the user name "idem" and the password "demo" are placeholders to be chosen by the installer)
• mysql -u root -p
mysql> USE mysql;
mysql> CREATE USER 'idem'@'localhost' IDENTIFIED BY 'demo';
mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit;
(a bare "CREATE USER idem;" would create 'idem'@'%' with an empty password, usable from any host that can reach MySQL, which is why the account is created for localhost only and with its password from the start; the IdP needs no more than SELECT, INSERT, UPDATE and DELETE on these two tables, so the grant can be narrowed accordingly)
11. Restart the MySQL server:
• service mysql restart
12. Dump the shibpid table of the "userdb" DB and of the "shibboleth" DB:
• cd /tmp
• mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
• mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
13. Import the old values into the new "shibboleth" DB, making sure that the field order of the old "userdb.shibpid" table matches exactly that of the new "shibboleth.shibpid" before importing. THEY MUST MATCH, because the INSERT statements written by mysqldump carry no column list, so each value is assigned by position. (A dump taken with mysqldump --complete-insert carries explicit column lists and does not have this problem.)
To make the import easier, follow these steps with the file "userdb_shibpid.sql":
a) Change the DB name in the first lines of the dump to "shibboleth".
b) From the dump "shibboleth_shibpid.sql" copy the "Table structure for table `shibpid`" part and paste it into "userdb_shibpid.sql" below the one already there.
c) Reorder the fields of the pasted "shibboleth.shibpid" block so that they match exactly those of the old "shibpid" table of "userdb".
d) Delete the "Table structure for table `shibpid`" of "userdb".
e) Save and import the values into the new "shibboleth" DB:
◦ mysql -u root -p shibboleth < userdb_shibpid.sql
(also check that the old persistentId, principalName and localId values fit the VARCHAR(50) columns of the new table; longer values are truncated or rejected depending on the server's sql_mode)
14. Enable the JPAStorageService as StorageService:
• vim /opt/shibboleth-idp/conf/global.xml
(add the following fragment inside the <beans> element, before the closing </beans> tag, with the username and password used to access the "shibboleth" DB)
<bean id="shibboleth.JPAStorageService"
      class="org.opensaml.storage.impl.JPAStorageService"
      p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
      c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>

<bean id="shibboleth.JPAStorageService.entityManagerFactory"
      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="packagesToScan" value="org.opensaml.storage.impl"/>
    <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource"/>
    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>

<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
      class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
    <property name="database" value="MYSQL" />
</bean>

<bean id="shibboleth.JPAStorageService.DataSource"
      class="org.apache.tomcat.jdbc.pool.DataSource"
      destroy-method="close"
      lazy-init="true"
      p:driverClassName="com.mysql.jdbc.Driver"
      p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"
      p:validationQuery="SELECT 1;"
      p:username="idem"
      p:password="demo"/>
• Set the IdP properties accordingly:
◦ vim /opt/shibboleth-idp/conf/idp.properties
idp.session.StorageService = shibboleth.JPAStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
15. Enable full SAML2 support in idp-metadata.xml and drop the deprecated SAML 1.x support:
• vim /opt/shibboleth-idp/metadata/idp-metadata.xml
STRINGS TO REMOVE:
– urn:oasis:names:tc:SAML:1.1:protocol
– urn:mace:shibboleth:1.0
– the whole endpoint with Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" (and renumber the index of the following one accordingly)
– <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
– the whole endpoint with Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" (and renumber the index of the following one accordingly)
– 8443 (everywhere, because that port is no longer used)
IN THE ATTRIBUTE-AUTHORITY SECTION:
– replace "urn:oasis:names:tc:SAML:1.1:protocol" with "urn:oasis:names:tc:SAML:2.0:protocol", uncomment the SAML2 AttributeService and comment out/remove the SAML 1 one.
(the edited metadata must also be re-registered with the federation, otherwise SPs keep using the endpoints you removed)
16. Configure the IdP to retrieve the IDEM Test Federation metadata:
• cd /opt/shibboleth-idp/conf
• cp metadata-providers.xml metadata-providers.xml.old
• cp /opt/shibboleth-idp/dist/conf/metadata-providers.xml.dist metadata-providers.xml
• vim metadata-providers.xml
<MetadataProvider
    id="URLMD-IDEM-Federation"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
    metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">

    <!-- Verify the signature on the root element of the metadata aggregate
         using a trusted metadata signing certificate. -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>

    <!-- Require a validUntil XML attribute on the root element and
         make sure its value is no more than 14 days into the future. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- Consume all SP metadata in the aggregate -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
(the aggregate is fetched over plain HTTP; that is acceptable only because the SignatureValidation filter rejects anything not signed by the key in idem_signer_2019.pem, so never remove that filter)
17. Install the metadata signing certificate in /opt/shibboleth-idp/metadata/idem_signer_2019.pem:
• wget https://idem.garr.it/documenti/doc_download/321-idem-metadata-signer2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
(this certificate is the trust anchor for every SP in the federation: compare its fingerprint with the value published by the federation before relying on it)
18. Configure authentication of your users against an OpenLDAP server:
• cd /opt/shibboleth-idp/conf/
• cp ldap.properties ldap.properties.old
• cp /opt/shibboleth-idp/dist/conf/ldap.properties.dist ldap.properties
• vim /opt/shibboleth-idp/conf/ldap.properties
(with the *TLS solutions remember to put the LDAP server certificate in /opt/shibboleth-idp/credentials and give it the right ownership: 'chown tomcatN ldap-server.crt')
◦ Solution 1 - LDAP with STARTTLS:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 2 - LDAP with TLS/SSL:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 3 - LDAP in cleartext:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
(Solution 3 sends the bindDN password and every user's password over the network unencrypted: use it only when the LDAP server listens on the same host or on an isolated network, and prefer Solution 1 or 2 otherwise. In all three solutions the bindDN is a directory administrator; a dedicated read-only account for the IdP limits what a leaked ldap.properties would expose.)
If you use Solution 3 "in cleartext", remember to comment out the code that uses "trustCertificates" in attribute-resolver-full.xml:
</dc:FilterTemplate>
<!--
<dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
    <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
</dc:StartTLSTrustCredential>
-->
</resolver:DataConnector>
UTILITIES FOR OPENLDAP ADMINISTRATORS:
◦ ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
▪ the baseDN ==> ou=people,dc=example,dc=garr,dc=it (the branch containing the registered users)
▪ the bindDN ==> cn=admin,dc=example,dc=garr,dc=it (the DN of the account allowed to read and query the LDAP)
• Enrich idp-process.log with the LDAP authentication errors:
◦ vim /opt/shibboleth-idp/conf/logback.xml
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
<!-- Logs on LDAP user authentication -->
<logger name="org.ldaptive.auth.Authenticator" level="INFO" />
• Define the attributes supported by the IdP:
◦ vim /opt/shibboleth-idp/conf/services.xml
<value>%{idp.home}/conf/attribute-resolver.xml</value>
must become:
<value>%{idp.home}/conf/attribute-resolver-full.xml</value>
◦ vim /opt/shibboleth-idp/conf/attribute-resolver-full.xml
▪ Uncomment the areas:
• Schema: Core Schema attributes
• Schema: InetOrgPerson attributes
• Schema: eduPerson attributes
▪ Uncomment the LDAP Connector already configured through ldap.properties
▪ Enable the new persistent-id generation method (the replacement for the eduPersonTargetedID attribute):
• vim /opt/shibboleth-idp/conf/saml-nameid.properties
(the sourceAttribute must be an attribute, or a comma-separated list of attributes, whose values uniquely identify the subject of the persistent identifier. It must be STABLE, PERMANENT and NON-REASSIGNABLE.)
# Comment out to disable legacy NameID generation via Attribute Resolver
#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
idp.persistentId.sourceAttribute = uid
…
idp.persistentId.algorithm = SHA
idp.persistentId.salt = ## SALT VALUE COPIED FROM THE PREVIOUS ATTRIBUTE RESOLVER ##
…
idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = PersistentIdDataSource
…
idp.persistentId.store = MyPersistentIdStore
idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
(the salt must be the one from the v2 attribute-resolver.xml: with a different salt every computed persistent ID changes and the SPs lose the link to their existing accounts. Treat it as a secret, since anyone holding it together with a user's uid can compute that user's identifiers.)
• vim /opt/shibboleth-idp/conf/saml-nameid.xml
Uncomment:
<ref bean="shibboleth.SAML2PersistentGenerator" />
Add at the top (right after the first comment):
<!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
<bean id="MyDataSource" class="org.apache.commons.dbcp2.BasicDataSource"
      p:driverClassName="com.mysql.jdbc.Driver"
      p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
      p:username="idem"
      p:password="demo"
      p:maxIdle="5"
      p:maxWaitMillis="15000"
      p:testOnBorrow="true"
      p:validationQuery="select 1"
      p:validationQueryTimeout="5" />

<!-- A "store" bean suitable for use in the idp.persistentId.store property. -->
<bean id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore"
      p:dataSource-ref="MyDataSource"
      p:queryTimeout="PT2S"
      p:retryableErrors="#{{'23000'}}" />
▪ Edit the subject-c14n configuration to handle the SAML2 Persistent ID:
• vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
◦ Uncomment the "c14n/SAML2Persistent" bean
▪ Edit the default RelyingParty so that the persistent-id is released to everyone by default:
• cd /opt/shibboleth-idp/conf
• cp relying-party.xml relying-party.xml.old
• cp /opt/shibboleth-idp/dist/conf/relying-party.xml.dist relying-party.xml
• vim /opt/shibboleth-idp/conf/relying-party.xml
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>
19. Translate the Login page, the informed-consent page for attribute release, the IdP Terms of Use page and the error pages into your preferred language:
• Open the page containing the translated files: CLICK HERE
• Fetch the 3 files for your language and put them in /opt/shibboleth-idp/messages
20. Remove the "endorsed" folder from Tomcat (if present):
• rm -rf /usr/share/tomcatN/endorsed
21. Enable the AJP connector on port 8009 (if not already enabled):
• vim /etc/tomcatN/server.xml
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009"
           protocol="AJP/1.3"
           redirectPort="443"
           address="127.0.0.1"
           enableLookups="false"
           tomcatAuthentication="false" />
(keep address="127.0.0.1" so that the AJP port is reachable only by the Apache2 front-end on the same host; with tomcatAuthentication="false" Tomcat trusts whatever user identity the front-end forwards)
22. Enable the use of the newer "relying-party.xml" and "metadata-providers.xml" files:
• vim $IDP_HOME/conf/services.properties
...
idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
...
23. Fix the names of the certificates used by the IdP in the metadata:
• cd /opt/shibboleth-idp/credentials
• ln -s idp.crt idp-signing.crt
• ln -s idp.crt idp-encryption.crt
• ln -s idp.key idp-signing.key
• ln -s idp.key idp-encryption.key
(this reuses the single v2 key pair for both roles, so the certificate already registered in the federation stays valid)
24. Start Tomcat and check that the IdP metadata page appears:
• service tomcatN start
• https://#YOUR.IDP.FQDN#/idp/shibboleth
25. Try to log in at https://sp24-test.garr.it/secure and, if everything works, you can delete the old "userdb" DB from the MySQL server.
HOWTO Upgrade Shibboleth IdP from V2 to V3 on Ubuntu Linux

31 July 2015
Authors: Marco Malavolti, Andrea Biancini
Index
1) Introduction
2) Packages required
3) Software required
4) Installation
4.1) Download and install the new Shibboleth IdP v3.2.1
4.2) Configure the new IdP without breaking the previous IdP
1 Introduction
This is a HOWTO for users who want to upgrade their Shibboleth Identity Provider from version 2.x to version 3.x on an Ubuntu Linux machine with a configuration where the Apache2 server is placed in front of a Tomcat server that deploys the IdP application.
In this HOWTO we will upgrade a Shibboleth Identity Provider on an Ubuntu 12.04 machine with its own local OpenLDAP system used to manage the users.
2 Packages required
• ntp
• vim
• Java 7 JDK (Oracle or OpenJDK)
• wget
3 Software required
• Shibboleth Identity Provider v2.x
• Tomcat (7 or 8)
• (Apache2)
4 Installation
4.1 Download and install the new Shibboleth IdP v3.2.1
1. Be sure that no other Tomcat instance is running:
• ps aux | grep tomcat
2. If Tomcat is running, stop it with:
• service tomcat7 stop OR kill -9 #TOMCAT-PID#
3. Be sure to use the Oracle JDK or the OpenJDK Development Kit (JDK) 7 or 8:
• sudo update-alternatives --config java
4. Download and install Shibboleth IdP v3.2.1:
• cd /usr/local/src
• wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz
• tar xzvf shibboleth-identity-provider-3.2.1.tar.gz
• cd shibboleth-identity-provider-3.2.1
• hostname -f (to remember your FQDN)
• ./bin/install.sh
(follow the instructions and keep the same installation location as the IdP v2.x)
(The old configuration files will be stored in the directory "conf.v2" inside the IdP installation path)
4.2 Configure the new IdP without breaking the previous IdP
1. The entityID of the new IdP MUST BE EQUAL to that of the old IdP. Verify it in idp-metadata.xml and in the idp.properties file:
# Set the entityID of the IdP
idp.entityID= https://...
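Step 1 of section 4.2, in both the 2016 edition above and this 2015 edition, asks you to compare the entityID in idp.properties with the one in idp-metadata.xml by eye. The shell check below is an added example written for this page and is not part of the HOWTO: it extracts both values and fails when they differ. The default paths are the IdP home used throughout the HOWTO; the entityID in the embedded sample files is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the HOWTO: compare the entityID declared in
# idp.properties with the entityID of the root EntityDescriptor in
# idp-metadata.xml. Default paths are the IdP home used in the HOWTO.

# Print the value of idp.entityID from a properties file, tolerating the
# whitespace around '=' shown in the HOWTO ("idp.entityID= https://...").
props_entity_id() {
    sed -n 's/^[[:space:]]*idp\.entityID[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '[:space:]'
}

# Print the entityID attribute of the EntityDescriptor element (IdP metadata
# has exactly one). The file is joined into a single line first so the
# attribute may sit on a different line than the element name.
metadata_entity_id() {
    tr '\n' ' ' < "$1" \
        | sed -n 's/.*<\(md:\)\{0,1\}EntityDescriptor[^>]*entityID="\([^"]*\)".*/\2/p'
}

# Return 0 when both sources name the same entityID, 1 otherwise.
check_entity_id() {
    props="${1:-/opt/shibboleth-idp/conf/idp.properties}"
    meta="${2:-/opt/shibboleth-idp/metadata/idp-metadata.xml}"
    p=$(props_entity_id "$props")
    m=$(metadata_entity_id "$meta")
    if [ -n "$p" ] && [ "$p" = "$m" ]; then
        echo "OK: entityID is $p in both files"
        return 0
    fi
    echo "MISMATCH: idp.properties='$p' idp-metadata.xml='$m'" >&2
    return 1
}

# Offline demonstration on constructed files (hypothetical entityID).
demo_check() {
    d=$(mktemp -d)
    printf 'idp.entityID= https://idp.example.org/idp/shibboleth\n' > "$d/idp.properties"
    printf '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"\n    entityID="https://idp.example.org/idp/shibboleth">\n</EntityDescriptor>\n' > "$d/idp-metadata.xml"
    check_entity_id "$d/idp.properties" "$d/idp-metadata.xml"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

On the server, source the file and run check_entity_id with no arguments before starting Tomcat; a non-zero exit means the two files disagree and the IdP would announce itself under a different name than the one the federation knows.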
2. Change the ownership in the right way (N == 7 or 8):
• chown -R tomcatN /opt/shibboleth-idp/logs/
• chown -R tomcatN /opt/shibboleth-idp/metadata/
• chown -R tomcatN /opt/shibboleth-idp/credentials/
• chown -R tomcatN /opt/shibboleth-idp/conf/
3. Set the Context descriptor to deploy the IdP application:
• vim /etc/tomcatN/Catalina/localhost/idp.xml
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true" />
4. Install the MySQL JDBC driver (only if not already present):
• sudo apt-get install libmysql-java
5. Link the MySQL JDBC libraries into the right places:
• cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
• ln -s /usr/share/java/mysql-connector-java.jar
• ln -s /usr/share/tomcatN/lib/tomcat-jdbc.jar
• cd /usr/share/tomcatN/lib/
• ln -s /usr/share/java/mysql-connector-java.jar
6. Install the Apache Commons DBCP2 library used by the persistent-ID generator:
• cd /usr/local/src/
• wget http://mirrors.muzzy.it/apache//commons/dbcp/binaries/commons-dbcp2-2.1.1-bin.tar.gz
• tar xzvf commons-dbcp2-2.1.1-bin.tar.gz ; cd commons-dbcp2-2.1.1/
• cp commons-dbcp2-2.1.1.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
7. Install the Apache Commons Pool2 library used by the persistent-ID generator:
• cd /usr/local/src/
• wget http://mirror.nohup.it/apache//commons/pool/binaries/commons-pool2-2.4.2-bin.tar.gz
• tar xzvf commons-pool2-2.4.2-bin.tar.gz ; cd commons-pool2-2.4.2/
• cp commons-pool2-2.4.2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
8. Build idp.war with the new libraries:
• cd /opt/shibboleth-idp/ ; ./bin/build.sh
9. Create a new MySQL DB compliant with the new IdP:
• mysql -u root -p
mysql> SET NAMES 'utf8';
mysql> SET CHARACTER SET utf8;
mysql> CHARSET utf8;
mysql> CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY 'yourPassword';
(warning: the IDENTIFIED BY clause also resets the password of root@localhost to 'yourPassword'; root already holds every privilege, so the line can be skipped)
mysql> USE shibboleth;
mysql> CREATE TABLE shibpid (
    localEntity VARCHAR(255) NOT NULL,
    peerEntity VARCHAR(255) NOT NULL,
    persistentId VARCHAR(50) NOT NULL,
    principalName VARCHAR(50) NOT NULL,
    localId VARCHAR(50) NOT NULL,
    peerProvidedId VARCHAR(50) NULL,
    creationDate TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    deactivationDate TIMESTAMP NULL DEFAULT NULL,
    PRIMARY KEY (localEntity, peerEntity, persistentId)
);
mysql> CREATE TABLE StorageRecords (
    context VARCHAR(255) NOT NULL,
    id VARCHAR(255) NOT NULL,
    expires BIGINT(20) DEFAULT NULL,
    value LONGTEXT NOT NULL,
    version BIGINT(20) NOT NULL,
    PRIMARY KEY (context, id)
);
mysql> quit;
10. Create a new "idem" user with password "demo" that can access and modify the "shibboleth" DB:
(the user "idem" and the password "demo" MUST BE CHANGED)
• mysql -u root -p
mysql> USE mysql;
mysql> CREATE USER 'idem'@'localhost' IDENTIFIED BY 'demo';
mysql> GRANT ALL PRIVILEGES ON shibboleth.* TO 'idem'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit;
(a bare "CREATE USER idem;" would create 'idem'@'%' with an empty password, usable from any host that can reach MySQL, so the account is created for localhost only and with its password from the start)
11. Restart the MySQL server:
• service mysql restart
12. Save a DUMP of the "shibpid" table of the "userdb" DB and of the "shibboleth" DB:
• cd /tmp
• mysqldump -u root -p userdb shibpid > userdb_shibpid.sql
• mysqldump -u root -p shibboleth shibpid > shibboleth_shibpid.sql
13. Import the previous values of the userdb.shibpid table into the new shibboleth.shibpid. Be careful about the order of the fields: they MUST BE IN THE SAME ORDER, because the INSERT statements written by mysqldump carry no column list and each value is assigned by position.
Follow these instructions to avoid mistakes:
a) vim userdb_shibpid.sql
b) Change the DB name to "shibboleth". You can find it in the first lines of the dump.
c) From the "shibboleth_shibpid.sql" dump copy all the code for "Table structure for table `shibpid`" and put it into "userdb_shibpid.sql" under the one already there.
d) Change the order of the fields of the code just pasted so that the fields of "userdb_shibpid" and "shibboleth_shibpid" are in the same order.
e) Delete the "Table structure for table `shibpid`" of "userdb".
f) Save and import the values into the new "shibboleth" DB:
◦ mysql -u root -p shibboleth < userdb_shibpid.sql
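Step 13, in both editions, has you hand-edit the dump so that column positions line up, because mysqldump's INSERT statements carry no column list. The example below is added for this page and is not part of the HOWTO: it reads the column names out of the old table's CREATE TABLE and emits an INSERT ... SELECT with an explicit column list, which copies the rows inside the server regardless of the physical column order of either table. It assumes the old and new databases live on the same MySQL server, as in the HOWTO, and that the column names are the same in both tables (they are in the schema of step 9); the sample dump is constructed, with a hypothetical column order.

```shell
#!/bin/sh
# Added example, not from the HOWTO: build the INSERT ... SELECT that copies
# userdb.shibpid into shibboleth.shibpid with an explicit column list, so the
# physical column order of the two tables does not matter. Assumes both
# databases are on the same MySQL server and share column names.

# Print the column names of `shibpid` from a mysqldump file, one per line,
# in the order of its CREATE TABLE statement. Column lines in a dump look
# like:  `localEntity` varchar(255) NOT NULL,   (KEY / PRIMARY KEY lines do
# not start with a backtick and are skipped).
shibpid_columns() {
    awk '
        /^CREATE TABLE `shibpid`/ { intable = 1; next }
        intable && /^\)/           { exit }
        intable && /^[ \t]*`/      { sub(/^[ \t]*`/, ""); sub(/`.*/, ""); print }
    ' "$1"
}

# Emit the migration statement.  $1 = dump of the OLD table,
# $2 = source database, $3 = target database.
shibpid_migration_sql() {
    cols=$(shibpid_columns "$1" | paste -s -d ',' -)
    if [ -z "$cols" ]; then
        echo "no CREATE TABLE \`shibpid\` found in $1" >&2
        return 1
    fi
    printf 'INSERT INTO %s.shibpid (%s)\n  SELECT %s FROM %s.shibpid;\n' "$3" "$cols" "$cols" "$2"
}

# Constructed sample dump with a hypothetical (v2-style) column order.
sample_dump() {
    cat <<'EOF'
-- MySQL dump (constructed sample, not a real export)
CREATE TABLE `shibpid` (
  `localEntity` varchar(255) NOT NULL,
  `peerEntity` varchar(255) NOT NULL,
  `principalName` varchar(255) NOT NULL,
  `localId` varchar(255) NOT NULL,
  `persistentId` varchar(255) NOT NULL,
  `peerProvidedId` varchar(255) DEFAULT NULL,
  `creationDate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `deactivationDate` timestamp NULL DEFAULT NULL,
  PRIMARY KEY (`localEntity`,`peerEntity`,`persistentId`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
EOF
}

# Typical use on the server, after step 12 produced /tmp/userdb_shibpid.sql:
#   shibpid_migration_sql /tmp/userdb_shibpid.sql userdb shibboleth | mysql -u root -p
```

Because the column list is derived from the old dump, the statement works whatever order the v2 installation used; review the printed SQL before piping it into mysql, and keep in mind that rows whose values exceed the VARCHAR(50) columns of the new table will still be truncated or rejected depending on the server's sql_mode.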
14. Enable the JPAStorageService as StorageService:
• vim /opt/shibboleth-idp/conf/global.xml
(add the following code, with the right parameters for the "shibboleth" database, inside the <beans> element before the closing </beans> tag)
<bean id="shibboleth.JPAStorageService"
      class="org.opensaml.storage.impl.JPAStorageService"
      p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
      c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>

<bean id="shibboleth.JPAStorageService.entityManagerFactory"
      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="packagesToScan" value="org.opensaml.storage.impl"/>
    <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource"/>
    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>

<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
      class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
    <property name="database" value="MYSQL" />
</bean>

<bean id="shibboleth.JPAStorageService.DataSource"
      class="org.apache.tomcat.jdbc.pool.DataSource"
      destroy-method="close"
      lazy-init="true"
      p:driverClassName="com.mysql.jdbc.Driver"
      p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"
      p:validationQuery="SELECT 1;"
      p:username="idem"
      p:password="demo"/>
• Change the IdP properties accordingly:
◦ vim /opt/shibboleth-idp/conf/idp.properties
idp.session.StorageService = shibboleth.JPAStorageService
idp.consent.StorageService = shibboleth.JPAStorageService
idp.replayCache.StorageService = shibboleth.JPAStorageService
idp.artifact.StorageService = shibboleth.JPAStorageService
15. Enable SAML2 support by editing idp-metadata.xml and disable the deprecated SAML v1.x support:
• vim /opt/shibboleth-idp/metadata/idp-metadata.xml
STRINGS TO REMOVE:
– urn:oasis:names:tc:SAML:1.1:protocol
– urn:mace:shibboleth:1.0
– the whole endpoint with Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" (and renumber the index of the following one accordingly)
– <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
– the whole endpoint with Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" (and renumber the index of the following one accordingly)
– 8443 (everywhere, because that port is no longer used)
IN THE ATTRIBUTE-AUTHORITY SECTION:
– replace "urn:oasis:names:tc:SAML:1.1:protocol" with "urn:oasis:names:tc:SAML:2.0:protocol", uncomment the SAML2 AttributeService and comment out/remove the SAML 1 one.
16. Configure the IdP to retrieve the IDEM Test Federation metadata:
• cd /opt/shibboleth-idp/conf
• cp metadata-providers.xml metadata-providers.xml.old
• cp /opt/shibboleth-idp/dist/conf/metadata-providers.xml.dist metadata-providers.xml
• vim metadata-providers.xml
<MetadataProvider
    id="URLMD-IDEM-Federation"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
    metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">

    <!-- Verify the signature on the root element of the metadata aggregate
         using a trusted metadata signing certificate. -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="${idp.home}/metadata/idem_signer_2019.pem"/>

    <!-- Require a validUntil XML attribute on the root element and
         make sure its value is no more than 14 days into the future. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- Consume all SP metadata in the aggregate -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
17. Insert IDEM's metadata signing certificate in /opt/shibboleth-idp/metadata/idem_signer_2019.pem:
• wget https://idem.garr.it/documenti/doc_download/321-idem-metadata-signer2019 -O /opt/shibboleth-idp/metadata/idem_signer_2019.pem
(compare its fingerprint with the value published by the federation before relying on it: it is the trust anchor for every SP in the aggregate)
18. Configure the Autentication for the openLDAP server:
•
cd /opt/shibboleth-idp/conf/
•
cp ldap.properties ldap.properties.old
•
cp /opt/shibboleth-idp/dist/conf/ldap.properties.dist ldap.properties
•
vim /opt/shibboleth-idp/conf/ldap.properties
(with the *TLS solution, remember to put the LDAP certificate into
/opt/shibboleth-idp/credentials and to give the right privilegies to tomcat8 user
'chown tomcatN ldap-server.crt')
◦ Solution 1: LDAP with STARTTLS:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 2: LDAP with TLS/SSL:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.garr.it
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
◦ Solution 3: LDAP plain:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
If you choose solution 3, you have to remove the following block from your
attribute-resolver-full.xml:
    </dc:FilterTemplate>
    <!--
    <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
        <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
    </dc:StartTLSTrustCredential>
    -->
</resolver:DataConnector>
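The difference between the three solutions is what crosses the network on every login: with solution 3 both the user's password (sent on the bind) and the bindDN credential travel in clear text, and with either TLS variant the trustCertificates line is what lets the IdP verify that it is talking to the real LDAP server. The linter below is an added example, not from this HOWTO or the Shibboleth project: it reads a ldap.properties text and reports the posture of each variant. Property names are those used above; the sample texts are constructed, with a constructed password in place of the ###LDAP ADMIN PASSWORD### placeholder where the variant is meant to pass.

```python
"""Lint the transport-security settings of a Shibboleth ldap.properties file."""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: 'key = value' lines, '#' comments and blanks ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # split on the first '=' only (values contain '=')
        props[key.strip()] = value.strip()
    return props


def lint_ldap(props: dict) -> list:
    """Return findings as 'LEVEL: message' strings; an empty list means no objection."""
    findings = []
    url = props.get("idp.authn.LDAP.ldapURL", "")
    starttls = props.get("idp.authn.LDAP.useStartTLS", "false").lower() == "true"
    use_ssl = props.get("idp.authn.LDAP.useSSL", "false").lower() == "true"
    trust = props.get("idp.authn.LDAP.trustCertificates", "")
    credential = props.get("idp.authn.LDAP.bindDNCredential", "")

    if not starttls and not use_ssl:
        findings.append("CRITICAL: plain LDAP: user passwords and the bindDN credential "
                        "cross the network in clear text")
    if use_ssl and not url.startswith("ldaps://"):
        findings.append("ERROR: useSSL=true but ldapURL does not use the ldaps:// scheme")
    if starttls and url.startswith("ldaps://"):
        findings.append("ERROR: useStartTLS=true on an ldaps:// URL; STARTTLS upgrades a plain "
                        "ldap:// connection, pick one of the two")
    if starttls and use_ssl:
        findings.append("ERROR: useStartTLS and useSSL are both true")
    if (starttls or use_ssl) and not trust:
        findings.append("ERROR: TLS enabled but no trustCertificates: the server certificate "
                        "cannot be verified, so the bind is open to interception")
    if not credential or credential.startswith("###"):
        findings.append("WARNING: bindDNCredential is empty or still the template placeholder")
    return findings


def lint_text(text: str) -> list:
    """Convenience wrapper: parse then lint."""
    return lint_ldap(parse_properties(text))


# Constructed variants mirroring Solutions 1-3 (the password is a constructed value).
SOLUTION_STARTTLS = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = constructed-example-secret
"""

SOLUTION_LDAPS = SOLUTION_STARTTLS.replace(
    "ldap://ldap.example.garr.it:389", "ldaps://ldap.example.garr.it"
).replace("useStartTLS = true", "useStartTLS = false").replace("useSSL = false", "useSSL = true")

# Solution 3 as written in the HOWTO, placeholder password included.
SOLUTION_PLAIN = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.garr.it:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=garr,dc=it
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=garr,dc=it
idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
"""

# A common mistake: STARTTLS switched on, but the trust anchor line dropped.
STARTTLS_NO_TRUST = SOLUTION_STARTTLS.replace(
    "idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt\n", ""
)

if __name__ == "__main__":
    for name, text in (("STARTTLS", SOLUTION_STARTTLS), ("LDAPS", SOLUTION_LDAPS),
                       ("PLAIN", SOLUTION_PLAIN), ("STARTTLS without trust", STARTTLS_NO_TRUST)):
        print(name, lint_text(text) or ["OK"])
```

Run it against /opt/shibboleth-idp/conf/ldap.properties after editing; the file is read as plain text, so the %{idp.home} placeholder is left unexpanded, which is enough for these checks.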
UTILITIES FOR THE OPENLDAP ADMINISTRATOR:
◦ ldapsearch -H ldap:// -x -b "dc=example,dc=garr,dc=it" -LLL dn
▪ baseDN ==> ou=people,dc=example,dc=garr,dc=it
(branch containing the registered users)
▪ bindDN ==> cn=admin,dc=example,dc=garr,dc=it
(distinguished name of the user that can make queries on the LDAP)
• Enrich idp-process.log with the authentication errors produced on the LDAP:
◦ vim /opt/shibboleth-idp/conf/logback.xml
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
<!-- Logs on LDAP user authentication -->
<logger name="org.ldaptive.auth.Authenticator" level="INFO" />
• Define the attributes supported by the IdP:
◦ vim /opt/shibboleth-idp/conf/services.xml
<value>%{idp.home}/conf/attribute-resolver.xml</value>
must become:
<value>%{idp.home}/conf/attribute-resolver-full.xml</value>
◦ vim /opt/shibboleth-idp/conf/attribute-resolver-full.xml
▪ Remove the comment from these sections:
• Schema: Core Schema attributes
• Schema: InetOrgPerson attributes
• Schema: eduPerson attributes
▪ Remove the comment on the LDAP Connector, which you can configure through ldap.properties
▪ Enable the generation of the persistent-id:
• vim /opt/shibboleth-idp/conf/saml-nameid.properties
(the sourceAttribute MUST BE an attribute, or a comma-separated list of attributes, whose values univocally identify the user. Its value MUST BE STABLE, PERMANENT and NOT REASSIGNABLE.)
# Comment out to disable legacy NameID generation via Attribute Resolver
#idp.nameid.saml2.legacyGenerator= shibboleth.LegacySAML2NameIDGenerator
#idp.nameid.saml1.legacyGenerator= shibboleth.LegacySAML1NameIdentifierGenerator
idp.persistentId.sourceAttribute = uid
…
idp.persistentId.algorithm = SHA
idp.persistentId.salt = ## SALT TAKEN FROM THE PREVIOUS ATTRIBUTE RESOLVER ##
…
idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
idp.persistentId.dataSource = PersistentIdDataSource
…
idp.persistentId.store = MyPersistentIdStore
idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
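Why the salt must be carried over from the v2 resolver, and why the source attribute must never be reassigned, is easiest to see by recomputing the value yourself. The script below is an added example, not from this HOWTO or the Shibboleth project; it follows the ComputedId construction as published for the Shibboleth computed persistent-id generator, Base64( SHA-1( relyingPartyId + "!" + sourceAttributeValue + "!" + salt ) ), where "SHA" in idp.persistentId.algorithm is Java's name for SHA-1. The salt, uid and SP entity IDs are constructed; treat the exact byte layout as an assumption to confirm by comparing one ID issued before the upgrade with the one issued after.

```python
"""Recompute the computed persistent-id to verify a v2 -> v3 salt migration."""
import base64
import hashlib


def computed_persistent_id(relying_party_id: str, source_value: str, salt: str) -> str:
    """SHA-1 over rpId!sourceValue!salt, Base64-encoded (assumed ComputedId layout)."""
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


# Constructed values: OLD_SALT stands in for the salt copied from the v2 attribute resolver.
OLD_SALT = "constructed-v2-salt-keep-me"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def upgrade_properties(user_uid: str = "jdoe") -> dict:
    """Show the properties of the scheme that the HOWTO's warnings rely on."""
    before = computed_persistent_id(SP_A, user_uid, OLD_SALT)   # ID the v2 IdP issued
    return {
        # same uid, same SP, same salt: the ID survives the upgrade, SP accounts keep working
        "stable_across_upgrade": before == computed_persistent_id(SP_A, user_uid, OLD_SALT),
        # a different SP gets a different ID: the value is pairwise, SPs cannot correlate users
        "pairwise": before != computed_persistent_id(SP_B, user_uid, OLD_SALT),
        # a new salt silently hands every user a new identity at every SP
        "breaks_without_old_salt": before != computed_persistent_id(SP_A, user_uid, "new-salt"),
        # Base64 of a 20-byte SHA-1 digest is 28 characters
        "id_length": len(before),
    }


def reassignment_collision(first_owner_uid: str, second_owner_uid: str) -> bool:
    """True when two (different) people would receive the same SP-side identity.

    With sourceAttribute = uid, reusing a uid for a new person makes this True,
    which is why the source value must be permanent and never reassigned.
    """
    return computed_persistent_id(SP_A, first_owner_uid, OLD_SALT) == \
        computed_persistent_id(SP_A, second_owner_uid, OLD_SALT)


if __name__ == "__main__":
    print(upgrade_properties())
    print("reused uid collides:", reassignment_collision("u1001", "u1001"))
    print("distinct uids collide:", reassignment_collision("u1001", "u1002"))
```

The StoredPersistentIdGenerator configured above persists each value in the database on first use, so once the store is populated the salt only matters for users who have never visited an SP; getting it right before the first v3 login avoids a split population.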
• vim /opt/shibboleth-idp/conf/saml-nameid.xml
Remove the comment from:
<ref bean="shibboleth.SAML2PersistentGenerator" />
Add at the head (after the first comment):
<!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
<bean id="MyDataSource" class="org.apache.commons.dbcp2.BasicDataSource"
    p:driverClassName="com.mysql.jdbc.Driver"
    p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
    p:username="idem"
    p:password="demo"
    p:maxIdle="5"
    p:maxWaitMillis="15000"
    p:testOnBorrow="true"
    p:validationQuery="select 1"
    p:validationQueryTimeout="5" />
<!-- A "store" bean suitable for use in the idp.persistentId.store property. -->
<bean id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore"
    p:dataSource-ref="MyDataSource"
    p:queryTimeout="PT2S"
    p:retryableErrors="#{{'23000'}}" />
▪ Change the subject-c14n for the management of the SAML2 PersistentID:
• vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
◦ Remove the comment from the bean "c14n/SAML2Persistent"
▪ Change the Default RelyingParty to be able to release the persistent-id to all
without limitation:
• cd /opt/shibboleth-idp/conf
• cp relying-party.xml relying-party.xml.old
• cp /opt/shibboleth-idp/dist/conf/relying-party.xml.dist relying-party.xml
• vim /opt/shibboleth-idp/conf/relying-party.xml
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>
19. Translate the Login, the Consent and the Terms of Use pages into your preferred language:
• Open the page containing the translated files: CLICK HERE
• Retrieve the 3 files for your language and put them into /opt/shibboleth-idp/messages
• Restart Tomcat8:
◦ service tomcat8 restart
20. Delete the "endorsed" directory from Tomcat (if present):
• rm -rf /usr/share/tomcatN/endorsed
21. Enable ajp connector on port 8009 (if not already enabled):
• vim /etc/tomcatN/server.xml
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009"
protocol="AJP/1.3"
redirectPort="443"
address="127.0.0.1"
enableLookups="false"
tomcatAuthentication="false" />
22. Enable the usage of the new version of “relying-party.xml” and “metadata-providers.xml”:
• vim $IDP_HOME/conf/services.properties
...
idp.service.relyingparty.resources= shibboleth.RelyingPartyResolverResources
...
23. Restore the certificates used in the metadata:
• cd /opt/shibboleth-idp/credentials
• ln -s idp.crt idp-signing.crt
• ln -s idp.crt idp-encryption.crt
• ln -s idp.key idp-signing.key
• ln -s idp.key idp-encryption.key
24. Start Tomcat and check that the IdP Metadata Page appears:
• service tomcatN start
• https://#YOUR.IDP.FQDN#/idp/shibboleth
25. Try to access https://sp24-test.garr.it/secure and, if everything works, delete the old "userdb" from your
MySQL server.