Table of contents
- Apache - DNS settings
- Apache - SSL certificates
- Apache - Configuration files
- Apache - Virtual host template
- Apache - Authorization
- Apache - Localized error pages
- Apache - Single sign-on
- Apache - Automatic proxy configuration
- Apache - Installing SSL certificate in browsers
- Apache - Web applications
- Apache - User wiki
- Apache - Intrusion protection
- Apache - External resources
- Apache - Optimization
- Squid setup
SSO - Shibboleth
1. Shibboleth
1.1. Prerequisites
Configure Apache /etc/httpd/conf/httpd.conf
ServerName server.ourdom.com:80
UseCanonicalName On
On CentOS 5, use OpenJDK 1.6.0 and Tomcat 5 from the EPEL repository.
yum install java-1.6.0-openjdk java-1.6.0-openjdk-devel tomcat5
Configure default JAVA_PATH and alternatives
echo "export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk" > /etc/profile.d/java.sh
chmod +x /etc/profile.d/java.sh
alternatives --config java
alternatives --config javac
Configure Tomcat to use your java in /etc/sysconfig/tomcat5 and /etc/tomcat5/tomcat5.conf:
JAVA_HOME="/usr/lib/jvm/java-1.6.0-openjdk"
On other OSes, use Sun's Java. Install Java JRE from java.sun.com
ln -s /usr/java/jre1.6.0_14 /usr/java/default
echo "export JAVA_HOME=/usr/java/default" > /etc/profile.d/java.sh
# source the file so JAVA_HOME is set in the current shell (running it would only set it in a child)
. /etc/profile.d/java.sh
alternatives --install /usr/bin/java java /usr/java/default/bin/java 2
alternatives --config java
Install Tomcat from Apache site (TBD) and configure it to use Sun's java in /etc/sysconfig/tomcat5 and /etc/tomcat5/tomcat5.conf
JAVA_HOME="/usr/java/default"
1.2. Install IDP
Download Shibboleth IDP
cd ~
BASE=http://shibboleth.internet2.edu/downloads/shibboleth/
wget $BASE/idp/2.1.2/shibboleth-identityprovider-2.1.2-bin.tar.gz
tar xzf shibboleth-identityprovider-2.1.2-bin.tar.gz
mv shibboleth-identityprovider-2.1.2 shibboleth-idp-dist
Create IDP directory tree
$ cd ~/shibboleth-idp-dist
$ sh install.sh
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
/opt/shibboleth-idp
What is the FQDN of the Shibboleth Identity Provider server? [idp.example.org]
sso.ourdom.com
A keystore is about to be generated for you. Please enter a password to protect it:
secretword
Generating signing and encryption key, certificate, and keystore.
BUILD SUCCESSFUL
Move the distribution directory into the new Shibboleth directory. You will use it later to regenerate the identity provider's WAR file, e.g. to adjust the login page.
mv ~/shibboleth-idp-dist /opt/shibboleth-idp/dist
cd /opt/shibboleth-idp/dist
chmod +x install.sh
vim install.sh
#! /bin/sh
mydir=`dirname $0`
[ -n "$mydir" ] && cd $mydir
.....
Make logs appear under /var/log
rm -rf /var/log/shibboleth/idp
rm -rf /opt/shibboleth-idp/logs
mkdir -p /var/log/shibboleth/idp
chown tomcat:tomcat /var/log/shibboleth/idp
ln -sf /var/log/shibboleth/idp /opt/shibboleth-idp/logs
Configure log rotation in /etc/logrotate.d/shibboleth
/var/log/shibboleth/idp/*.log {
missingok
notifempty
create 0644 tomcat tomcat
}
/var/log/shibboleth/*.log {
missingok
notifempty
}
Configure Java security providers
cp /opt/shibboleth-idp/dist/lib/shibboleth-jce-1.0.0.jar $JAVA_HOME/jre/lib/ext
vim $JAVA_HOME/jre/lib/security/java.security
--- java.security.orig 2009-08-18 00:15:50.000000000 +0400 +++ java.security 2009-08-18 00:16:50.000000000 +0400 @@ -51,6 +51,7 @@ security.provider.6=com.sun.security.sasl.Provider security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI security.provider.8=sun.security.smartcardio.SunPCSC + security.provider.9=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider # # Select the source of seed data for SecureRandom. By default an
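Review bot: the provider registered here (security.provider.9=edu.internet2.middleware.shibboleth.DelegateToApplicationProvider) only loads if the shibboleth-jce jar copied into $JAVA_HOME/jre/lib/ext just above is actually present, and the Tomcat connector's truststoreAlgorithm="DelegateToApplication" in section 1.3 depends on it. Because java.security lives inside the JRE tree, a JDK update replaces the file and silently drops this line, so re-check it after every Java upgrade.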
1.3. Configure Tomcat
Endorse Shibboleth jars in Tomcat
cd /var/lib/tomcat5/common/endorsed/
mv \[jaxp_parser_impl\].jar \[jaxp_parser_impl\].jar.disabled
mv \[xml-commons-apis\].jar \[xml-commons-apis\].jar.disabled
mkdir disabled
mv *.disabled disabled
cp /opt/shibboleth-idp/dist/endorsed/* .
Configure Shibboleth deployment in Tomcat
cat > /etc/tomcat5/Catalina/localhost/idp.xml <<'EOF'
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false"
         swallowOutput="true" />
EOF
...
--- server.xml.orig 2009-08-18 00:19:58.000000000 +0400
+++ server.xml 2009-08-18 00:23:40.000000000 +0400
@@ -47,6 +47,22 @@
<!-- Define the Tomcat Stand-Alone Service -->
<Service name="Catalina">
+ <!-- Shibboleth Identity Provider -->
+ <Connector port="8443"
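Review bot: the Connector added here carries keystorePass and truststorePass in cleartext (the full snippet below shows both set to the keystore password typed into install.sh), so /etc/tomcat5/server.xml must stay readable only by the tomcat user. The hunk is also cut short at `<Connector port="8443"`; paste the complete element given below rather than this fragment.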
The complete snippet is
<!-- Shibboleth Identity Provider -->
<Connector port="8443"
maxHttpHeaderSize="8192"
maxSpareThreads="75"
scheme="https"
secure="true"
clientAuth="want"
SSLEnabled="true"
sslProtocol="TLS"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="secretword"
truststoreFile="/opt/shibboleth-idp/credentials/idp.jks"
truststorePass="secretword"
truststoreAlgorithm="DelegateToApplication"/>
<!-- ============================ -->
...
1.4. Configure AJP
Configure Tomcat connector
vim /etc/tomcat5/server.xml
--- server.xml.orig 2009-09-03 15:08:48.000000000 -0400
+++ server.xml 2009-09-03 15:11:54.000000000 -0400
@@ -101,3 +101,3 @@
<!-- Define an AJP 1.3 Connector on port 8009 -->
- <Connector port="8009"
- enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
+ <Connector port="8009" enableLookups="false" redirectPort="8080" protocol="AJP/1.3"
+ request.tomcatAuthentication="false" address="127.0.0.1" />
Create Apache virtual host for login /etc/httpd/vhosts/sso.conf
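Review bot: tomcatAuthentication="false" makes Tomcat trust the remote user asserted by whatever connects over AJP, so address="127.0.0.1" on the same line is what keeps this safe; if the connector is ever bound to another address, anything that can reach port 8009 can assert an identity to the IdP. Note also that redirectPort changes from 8443 to 8080, a plain HTTP port: requests that a security constraint forces onto SSL will be redirected there instead of to the TLS connector.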
<VirtualHost *:80>
    ServerName sso.ourdom.com:80
    RewriteEngine On
    RewriteRule ^/(.*)$ https://sso.ourdom.com/$1
</VirtualHost>
<VirtualHost *:443>
    ServerName sso.ourdom.com:443
    DocumentRoot /var/www/dummy
    Include vhosts/ssl.inc
    ProxyPass /idp/ ajp://localhost:8009/idp/
    ProxyPass /error.jsp ajp://localhost:8009/error.jsp
</VirtualHost>
Restart Tomcat and verify that Shibboleth is working
chkconfig tomcat5 on
service tomcat5 restart
service httpd restart
wget --no-proxy -q -O - http://localhost:8080/idp/profile/Status && echo ok
wget --no-proxy --no-check-certificate -q -O - https://sso.ourdom.com/idp/profile/Status && echo ok
...
1.5. Install SP
Download Shibboleth SP
mkdir ~/shibboleth-sp-dist
cd ~/shibboleth-sp-dist
BASE=http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/archive/2.2/RPMS/i386/RHE/5
wget $BASE/log4shib-1.0.2-1.i386.rpm $BASE/xerces-c-3.0.1-1.i386.rpm \
     $BASE/xml-security-c-1.5.0-1.i386.rpm $BASE/xmltooling-1.2-1.i386.rpm \
     $BASE/opensaml-2.2-1.i386.rpm $BASE/shibboleth-2.2-3.i386.rpm
...
mkdir ~/shibboleth-sp-dist
cd ~/shibboleth-sp-dist
BASE=http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5
wget $BASE/log4shib-1.0.3-1.1.i386.rpm $BASE/xerces-c-3.0.1-5.1.i386.rpm \
     $BASE/xml-security-c-1.5.1-3.2.i386.rpm $BASE/xmltooling-1.2.2-1.i386.rpm \
     $BASE/opensaml-2.2.1-1.i386.rpm $BASE/shibboleth-2.2.1-2.i386.rpm
Install RPMs and dependencies (libicu)
yum -y --nogpgcheck localinstall *.rpm
1.6. Configure SP (version 1)
Configure entity references
vim /etc/shibboleth/shibboleth2.xml
--- shibboleth2.xml.orig 2009-08-18 02:34:01.000000000 +0400
+++ shibboleth2.xml 2009-08-18 03:33:03.000000000 +0400
@@ -82,4 +82,4 @@
<ApplicationDefaults id="default" policyId="default"
- entityID="https://sp.example.org/shibboleth"
+ entityID="https://sso.ourdom.com/sp/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false">
@@ -109,6 +109,6 @@
<!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
- relayState="cookie" entityID="https://idp.example.org/shibboleth">
+ relayState="cookie" entityID="https://sso.ourdom.net/idp/shibboleth">
<SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>
Restart shibd daemon
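Review bot: the SessionInitiator entityID added in this hunk is https://sso.ourdom.net/idp/shibboleth, while every other reference on this page (the IdP FQDN given to install.sh, the SP entityID in the previous hunk, the metadata Locations in section 1.12) uses sso.ourdom.com; unless the IdP really publishes an ourdom.net entityID, shibd will not find a matching IdP in its metadata and /Login will fail. Check the entityID attribute of /opt/shibboleth-idp/metadata/idp-metadata.xml and copy it here exactly.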
chkconfig shibd on
service shibd restart
Write SP metadata in a file
wget --no-proxy --no-check-certificate -q -O sp-metadata.xml https://sso.ourdom.com/Shibboleth.sso/Metadata
Point the IDP to this metadata using /opt/shibboleth-idp/conf/relying-party.xml
--- relying-party.xml.orig 2009-09-03 17:42:51.000000000 +0400
+++ relying-party.xml 2009-09-03 17:44:36.000000000 +0400
@@ -89,6 +89,10 @@
<MetadataResource xsi:type="resource:FilesystemResource"
file="/opt/shibboleth-idp/metadata/idp-metadata.xml" />
</MetadataProvider>
+ <MetadataProvider id="SPMD" xsi:type="ResourceBackedMetadataProvider"
+ xmlns="urn:mace:shibboleth:2.0:metadata" >
+ <MetadataResource xsi:type="resource:FilesystemResource" file="/etc/shibboleth/sp-metadata.xml" />
+ </MetadataProvider>
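Review bot: the FilesystemResource added here reads /etc/shibboleth/sp-metadata.xml, but the wget step above saves sp-metadata.xml into the current directory; run it from /etc/shibboleth or move the file there, otherwise the IdP fails to load this provider at startup. The fetch also passes --no-check-certificate: harmless while IdP and SP share the same host as here, but when the SP is remote the metadata (which carries the SP's certificate and endpoints) must be retrieved over a verified connection or checked out of band before it is trusted.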
1.7. Configure SP (version 2)
Configure Shibboleth SP metadata
cd /etc/shibboleth
./metagen.sh -c sp-cert.pem -h sso.ourdom.com \
    -e https://sso.ourdom.com/sp/shibboleth > sp-metadata.xml
Main Shibboleth SP configuration
vim /etc/shibboleth/shibboleth2.xml
1.8. Configure more...
Configure IDP metadata providers
1.9. Configure Apache
Create virtual host for login /etc/httpd/vhosts/sso.conf
<VirtualHost *:80>
    ServerName sso.ourdom.com:80
    RewriteEngine On
    RewriteRule ^/(.*)$ https://sso.ourdom.com/$1
</VirtualHost>
<VirtualHost *:443>
    ServerName sso.ourdom.com:443
    DocumentRoot /var/www/dummy
    Include vhosts/ssl.inc
    ProxyPass /idp/ ajp://localhost:8009/idp/
    ProxyPass /error.jsp ajp://localhost:8009/error.jsp
    #SSLProxyEngine On
    #ProxyRequests Off
    #ProxyPass /idp/ https://localhost:8442/idp/ keepAlive=On
    #ProxyPassReverse /idp/ https://localhost:8442/idp/
    #<Location /idp/Authn/RemoteUser>
    #    SSLRequireSSL
    #    AuthType Basic
    #    AuthName "SSO Authentication"
    #    AuthUserFile /etc/httpd/vhosts/htpasswd
    #    require valid-user
    #</Location>
</VirtualHost>
Reconfigure authorization in /etc/httpd/authorize.inc
SSLRequireSSL
AuthType shibboleth
ShibRequireSession On
require valid-user
Protect locations in virtual hosts
<Location "/">
    Include vhosts/authorize.inc
</Location>
1.10. Run IDP and SP
Adjust Apache-Shibboleth integration in /etc/httpd/conf.d/shibboleth.conf
Restart Shibboleth SP and Apache daemons
chkconfig tomcat5 on
chkconfig shibd on
/etc/init.d/tomcat5 restart
/etc/init.d/shibd restart
/etc/init.d/httpd restart
Consult logs
/var/log/tomcat5/catalina.out
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/shibboleth/shibd.log
/var/log/shibboleth/idp/idp-access.log
/var/log/shibboleth/idp/idp-audit.log
/var/log/shibboleth/idp/idp-process.log
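Before consulting the logs, it is worth checking that the three files this setup ties together actually agree. The Python script below is an added example (not from this page or the Shibboleth project): it parses constructed stand-ins for Tomcat's server.xml, the IdP's idp-metadata.xml and the SP's shibboleth2.xml and reports the two mismatches this page is prone to, a metadata Location naming a port no TLS connector listens on (8443 vs. 8442, section 1.12) and an SP SessionInitiator entityID that differs from the IdP's (ourdom.net vs. ourdom.com, section 1.6). Hostnames, ports and file contents are assumed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-ins for server.xml, idp-metadata.xml and shibboleth2.xml
# (sample values, not the page's files); they contain the two typical mismatches.
TOMCAT_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8442" scheme="https" secure="true" SSLEnabled="true"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
</Service></Server>"""

IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.ourdom.com/idp/shibboleth"><IDPSSODescriptor>
  <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="2"
    Location="https://sso.ourdom.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://sso.ourdom.com/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor></EntityDescriptor>"""

SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sso.ourdom.com/sp/shibboleth"><Sessions>
    <SessionInitiator type="Chaining" Location="/Login"
      entityID="https://sso.ourdom.net/idp/shibboleth"/>
  </Sessions></ApplicationDefaults></SPConfig>"""


def https_ports(server_xml):
    """Ports of the Tomcat connectors that terminate TLS themselves."""
    root = ET.fromstring(server_xml)
    return {int(c.get("port")) for c in root.iter("Connector")
            if c.get("SSLEnabled") == "true" or c.get("scheme") == "https"}


def check_sso_config(server_xml, idp_md, sp_conf):
    """Return the mismatches found; an empty list means the three files agree."""
    problems = []
    idp = ET.fromstring(idp_md)
    ports = https_ports(server_xml)
    # Every Location that names a port must hit a TLS connector Tomcat really
    # opens; Locations without a port are served through the Apache proxy on 443.
    for el in idp.iter():
        port = urlparse(el.get("Location", "")).port
        if port is not None and port not in ports:
            name = el.tag.split("}")[-1]
            problems.append(f"{name} uses port {port}; Tomcat TLS ports: {sorted(ports)}")
    # The SP must initiate sessions at exactly the entityID the IdP publishes.
    idp_entity = idp.get("entityID")
    for si in ET.fromstring(sp_conf).iter():
        if si.tag.endswith("SessionInitiator") and si.get("entityID") not in (None, idp_entity):
            problems.append(f"SP initiator entityID {si.get('entityID')} != IdP {idp_entity}")
    return problems
```

Run it against the real files by reading them in place of the three constants; an empty result means the back-channel ports and entityIDs line up.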
1.11. Extras
1.11.1. Session Timeout
Configure IDP session timeout: 1 hour
cd /opt/shibboleth-idp
vim ./conf/internal.xml
--- ./conf/internal.xml.orig 2009-08-18 00:55:31.000000000 +0400
+++ ./conf/internal.xml 2009-08-18 00:56:45.000000000 +0400
@@ -91,7 +91,8 @@
class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
depends-on="shibboleth.LogbackLogging">
<constructor-arg ref="shibboleth.StorageService" />
- <constructor-arg value="1800000" type="long" />
+ <!-- session lifetime is 3600 seconds -->
+ <constructor-arg value="3600000" type="long" />
</bean>...
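Review bot: the comment added above the value says "3600 seconds" while the constructor argument is in milliseconds (3600000); the two agree, but put the unit next to the number, e.g. <!-- session lifetime: 3600000 ms = 1 hour -->, so the next person changing the timeout does not scale it wrongly.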
1.12. Run IDP on port 8442
vim /etc/tomcat4/server.xml
Change 8443 to 8442
vim /opt/shibboleth-idp/metadata/idp-metadata.xml
--- ./metadata/idp-metadata.xml.orig 2009-08-18 00:38:57.000000000 +0400
+++ ./metadata/idp-metadata.xml 2009-08-18 00:39:11.000000000 +0400
@@ -38,11 +38,11 @@
</KeyDescriptor>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://sso.ourdom.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
+ Location="https://sso.ourdom.com:8442/idp/profile/SAML1/SOAP/ArtifactResolution"
index="1"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="https://sso.ourdom.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
+ Location="https://sso.ourdom.com:8442/idp/profile/SAML2/SOAP/ArtifactResolution"
index="2"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
@@ -95,14 +95,14 @@
</KeyDescriptor>
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://sso.ourdom.com:8443/idp/profile/SAML1/SOAP/AttributeQuery" />
+ Location="https://sso.ourdom.com:8442/idp/profile/SAML1/SOAP/AttributeQuery" />
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
- Location="https://sso.ourdom.com:8443/idp/profile/SAML2/SOAP/AttributeQuery" />
+ Location="https://sso.ourdom.com:8442/idp/profile/SAML2/SOAP/AttributeQuery" />
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>...
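Review bot: after this change every back-channel Location in the metadata names port 8442, but the Tomcat Connector in section 1.3 still listens on 8443 and the commented-out ProxyPass lines in section 1.9 point at 8442; the connector port, these Locations and any Apache proxy target must all agree, otherwise artifact resolution and attribute queries from the SP fail with connection errors while browser login through the AJP proxy keeps working and hides the problem.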
1.13. Configuring Unix login
Configure IDP login handlers: disable "RemoteUser" and enable "UsernamePassword"
vim ./conf/handler.xml
--- ./conf/handler.xml.orig 2009-08-18 00:41:12.000000000 +0400
+++ ./conf/handler.xml 2009-08-18 01:34:38.000000000 +0400
@@ -76,17 +76,17 @@
</ProfileHandler>
<!-- Login Handlers -->
+ <!--
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
</LoginHandler>
+ -->
<!-- Username/password login handler -->
- <!--
<LoginHandler xsi:type="UsernamePassword"
jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
- -->
<!--
Removal of this login handler will disable SSO support, that is it will require the user
Configure username/password method to use Unix authentication
vim ./conf/login.config
--- ./conf/login.config.orig 2009-08-18 00:42:24.000000000 +0400
+++ ./conf/login.config 2009-08-18 00:51:19.000000000 +0400
@@ -42,4 +42,8 @@
keyTab="/path/to/idp/keytab/file";
*/
+ com.sun.security.auth.module.UnixLoginModule required
+ debug="true";
+
};
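Review bot: com.sun.security.auth.module.UnixLoginModule does not check the username and password submitted to the UsernamePassword handler; its login() only imports the Unix identity of the JVM process (the tomcat user) and returns true unconditionally, so with this JAAS stanza any credentials would be accepted. Use a module that actually verifies the submitted password (the commented example just above, whose keyTab option belongs to com.sun.security.auth.module.Krb5LoginModule, or an LDAP login module), and drop debug="true" once testing is done, since it writes authentication details to catalina.out.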
