Changes between Version 12 and Version 13 of idpiam2018

Timestamp:

Sep 3, 2018, 8:50:59 AM (6 years ago)

Author:

admin

Comment:

--

idpiam2018

@@ -781 +781 @@
        </resolver:DataConnector>
 }}}
-'''UTILITY FOR OPENLDAP ADMINISTRATOR:'''*ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn`* the baseDN ==> `ou=people, dc=example,dc=org` (branch containing the registered users) * the bindDN ==> `cn=admin,dc=example,dc=org` (distinguished name for the user that can made queries on the LDAP)
+'''UTILITY FOR OPENLDAP ADMINISTRATOR:''' *`ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn`* the baseDN ==> `ou=people, dc=example,dc=org` (branch containing the registered users) * the bindDN ==> `cn=admin,dc=example,dc=org` (distinguished name for the user that can made queries on the LDAP)
 
 29. Enrich IDP logs with the authentication error occurred on LDAP:
@@ -797 +797 @@
 30. Build the '''attribute-resolver.xml''' to define which attributes your IdP can manage. Here you can find the '''attribute-resolver-v1-LEARN.xml''' provided by LEARN:
 * Download the attribute resolver provided by LEARN:
-      `wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml`
-* Modify `services.xml` file:
-      `vim /opt/shibboleth-idp/conf/services.xml`
+{{{
+wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml
+}}}
+* Modify `services.xml` file: `vim /opt/shibboleth-idp/conf/services.xml`
 {{{
       <value>%{idp.home}/conf/attribute-resolver.xml</value>
@@ -812 +813 @@
 * Restart Tomcat8: `service tomcat8 restart`
 31. Enable the SAML2 support by changing the `idp-metadata.xml` and disabling the SAML v1.x deprecated support:
- *
-{{{
-   vim /opt/shibboleth-idp/metadata/metadata.xml}}}{{{
+* 
+{{{
+   vim /opt/shibboleth-idp/metadata/metadata.xml
+}}}
+{{{
       <IDPSSODescriptor> SECTION:
         – From the list of "protocolSupportEnumeration" remove:
@@ -857 +860 @@
 
         - Remove all ":8443" from the existing URL (such port is not used anymore)
-      }}}
+
+}}}
 32. Obtain your IdP metadata here:
-    *  `https://idp.YOUR-DOMAIN/idp/shibboleth}}}
+* 
+{{{
+https://idp.YOUR-DOMAIN/idp/shibboleth
+}}}
 33. Register you IdP on the test Federation:
- *
-{{{
-   https://fr-training.ac.lk/}}}    > For production enviornments please use `https://fr.ac.lk`, Also make sure to remove `-training` from all urls.
+* 
+{{{
+   https://fr-training.ac.lk/
+}}}   
+> For production enviornments please use `https://fr.ac.lk`, Also make sure to remove `-training` from all urls.
 
 34. Configure the IdP to retrieve the Federation Metadata:
- *
-{{{
-   cd /opt/shibboleth-idp/conf}}} *
-{{{
-   vim metadata-providers.xml}}}
+* 
+{{{
+   cd /opt/shibboleth-idp/conf
+}}}
+* 
+{{{
+   vim metadata-providers.xml
+}}}
 {{{
       <MetadataProvider
@@ -894 +906 @@
             </MetadataFilter>
       </MetadataProvider>
-      }}}
-    * Retrive the Federation Certificate used to verify its signed metadata:
-    *  `wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem}}}
+}}}
+* Retrive the Federation Certificate used to verify its signed metadata:
+*  `wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem'
     
   
 35. Reload service with id `shibboleth.MetadataResolverService` to retrieve the Federation Metadata:
-    *  `cd /opt/shibboleth-idp/bin}}}    *  `./reload-service.sh -id shibboleth.MetadataResolverService}}}
+* 
+{{{
+cd /opt/shibboleth-idp/bin
+}}}
+* 
+{{{
+./reload-service.sh -id shibboleth.MetadataResolverService
+}}}
 
 
 36. The day after the Federation Operators approval you, check if you can login with your IdP on the following services:
-    * https://sp-training.ac.lk/secure   (Service Provider provided for testing the LEARN Training Federation)
-    * https://sp-test.learn.ac.lk/secure (Service Provider provided for testing the LEARN Production Federation)
-
-
-### Configure Attribute Filters to release the mandatory attributes to the default IDEM Resources:
+* https://sp-training.ac.lk/secure   (Service Provider provided for testing the LEARN Training Federation)
+* https://sp-test.learn.ac.lk/secure (Service Provider provided for testing the LEARN Production Federation)
+
+
+== Configure Attribute Filters to release the mandatory attributes to the default IDEM Resources: ==
 
 37. Make sure that you have the "`tmp/httpClientCache`" used by "`shibboleth.FileCachingHttpClient`":
- *
-{{{
-   mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown tomcat8 /opt/shibboleth-idp/tmp/httpClientCache}}}
+* 
+{{{
+   mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown tomcat8 /opt/shibboleth-idp/tmp/httpClientCache
+}}}
 38. Modify your `services.xml`:
- *
-{{{
-   vim /opt/shibboleth-idp/conf/services.xml}}}
+* 
+{{{
+   vim /opt/shibboleth-idp/conf/services.xml
+}}}
 {{{
       <bean id="Default-Filter" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
@@ -934 +955 @@
          <ref bean="Production-Filter"/>
        </util:list>
-      }}}
+}}}
 39. Reload service with id `shibboleth.AttributeFilterService` to refresh the Attribute Filter followed by the IdP:
-    *  `cd /opt/shibboleth-idp/bin}}}    *  `./reload-service.sh -id shibboleth.AttributeFilterService}}}
+* 
+{{{
+cd /opt/shibboleth-idp/bin
+}}}
+* 
+{{{
+./reload-service.sh -id shibboleth.AttributeFilterService
+}}}
 
 
@@ -942 +970 @@
 
 1. Tomcat 8 Logs:
-*
+* 
 {{{
    cd /var/log/tomcat8
 }}}
-*
+* 
 {{{
    vim catalina.out}}}
 2. Shibboleth IdP Logs:
-*
-{{{
-   cd /opt/shibboleth-idp/logs}}}   * '''Audit Log:''' `vim idp-audit.log}}}   * '''Consent Log:''' `vim idp-consent-audit.log}}}   * '''Warn Log:''' `vim idp-warn.log}}}   * '''Process Log:''' `vim idp-process.log}}}
+* 
+{{{
+   cd /opt/shibboleth-idp/logs
+}}}
+* '''Audit Log:''' `vim idp-audit.log'   
+* '''Consent Log:''' `vim idp-consent-audit.log`   
+* '''Warn Log:''' `vim idp-warn.log`
+* '''Process Log:''' `vim idp-process.log`