Changes between Version 17 and Version 18 of idpiam2018


Timestamp:
Sep 12, 2018, 10:43:34 AM (6 years ago)
Author:
admin
Comment:

--

  • idpiam2018

    v17 v18  
    610610    quit
    611611}}}     
    612 * Restart mysql service: `service mysql restart'
    613 26. Enable the generation of the `persistent-id` (this replace the deprecated attribute //eduPersonTargetedID//)
     612* Restart mysql service: `service mysql restart`
     61326. Enable the generation of the `persistent-id`
    614614*
    615615{{{
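Review bot: dropping the parenthetical from the step 26 line removes the only statement of why `persistent-id` is being enabled (it supersedes the deprecated //eduPersonTargetedID//); keep it, with the verb fixed, e.g. `26. Enable the generation of the `persistent-id` (this replaces the deprecated attribute //eduPersonTargetedID//)`. The change of the closing `'` to a backtick on the `service mysql restart` line is right, since the unbalanced quote left the inline code span open.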
     
    647647     <ref bean="c14n/SAML2Persistent" />
    648648}}}       
    649 27. Enable '''JPAStorageService''' for the '''StorageService''' of the user consent:
     64927. Enable '''JPAStorageService''' for the '''!StorageService''' of the user consent:
    650650* `vim /opt/shibboleth-idp/conf/global.xml` and add this piece of code to the tail before the ending \</beans\>:
    651651
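Review bot: the `!` added in front of '''!StorageService''' correctly stops Trac from turning the CamelCase word into a wiki link. On the unchanged line 650, the `\</beans\>` uses backslash escapes that Trac wiki does not interpret (its escape character is `!`), so the rendered page shows the backslashes; write `</beans>` plainly or wrap it in `{{{ }}}`.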
     
    726726}}}
    727727
    728 * Solution 2: LDAP + TLS:
    729 
    730 {{{
    731        idp.authn.LDAP.authenticator = bindSearchAuthenticator
    732        idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636
    733        idp.authn.LDAP.useStartTLS = false
    734        idp.authn.LDAP.useSSL = true
    735        idp.authn.LDAP.sslConfig = certificateTrust
    736        idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
    737        idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
    738        idp.authn.LDAP.userFilter = (uid={user})
    739        idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=org
    740        idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
    741        idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
    742 }}}
    743 * Solution 3: plain LDAP
     728
     729* Solution 2: plain LDAP
    744730 
    745731{{{
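Review bot: deleting the whole "LDAP + TLS" block (old lines 728-742) leaves plain LDAP as the only option visible at this point, so the `idp.authn.LDAP.bindDNCredential` and the passwords of users authenticated through `bindSearchAuthenticator` would cross the network unencrypted; rather than removing the `ldaps://...:636` / `useSSL = true` / `trustCertificates` configuration, keep it as an alternative and state which one the guide recommends and why. The renaming of "Solution 3" to "Solution 2" is consistent with the later "(If you decide to use the Solution 2" change.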
     
    753739       idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
    754740}}}       
    755 (If you decide to use the Solution 3, you have to remove (or comment out) the following code from your Attribute Resolver file:
     741(If you decide to use the Solution 2, you have to remove (or comment out) the following code from your Attribute Resolver file:
    756742     
    757743{{{
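Review bot: the renumbering matches the renamed heading above. While touching this line, drop the article ("If you decide to use Solution 2") and check that the opening parenthesis has a matching close after the `{{{ ... }}}` block, which is not visible in this hunk.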
     
    765751       </resolver:DataConnector>
    766752}}}
    767 '''UTILITY FOR OPENLDAP ADMINISTRATOR:''' *`ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn`* the baseDN ==> `ou=people, dc=example,dc=org` (branch containing the registered users) * the bindDN ==> `cn=admin,dc=example,dc=org` (distinguished name for the user that can made queries on the LDAP)
     753'''UTILITY FOR OPENLDAP ADMINISTRATOR:'''
     754`ldapsearch -H ldap:// -x -b "dc=instXY,dc=ac,dc=lk" -LLL dn`
     755* the baseDN ==> `ou=people, dc=instXY,dc=ac,dc=lk` (branch containing the registered users)
     756* the bindDN ==> `cn=admin,dc=instXY,dc=ac,dc=lk` (distinguished name for the user that can made queries on the LDAP)
    768757
    76975829. Enrich IDP logs with the authentication error occurred on LDAP:
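Review bot: splitting the one-line "UTILITY FOR OPENLDAP ADMINISTRATOR" into a command plus two bullets reads much better, but the grammar error carried over on new line 756: "that can made queries" should be "that can make queries". Two consistency points: the new `dc=instXY,dc=ac,dc=lk` suffix should also be used by the baseDN/bindDN in the Solution 2 property block above (the removed TLS block still used `dc=example,dc=org`), and the stray space in `ou=people, dc=instXY,...` on new line 755 should be removed so both DNs are written the same way. Since the `ldapsearch -H ldap://` example uses the cleartext scheme, say that it is meant to be run on the LDAP host itself, or show `ldaps://` as in the TLS configuration.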
     
    826815        - Uncomment SingleLogoutService:
    827816       
    828           <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/Redirect/SLO"/>
    829           <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/POST/SLO"/>
    830           <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/POST-SimpleSign/SLO"/>
    831           <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/SOAP/SLO"/>
     817          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.YOUR-DOMAIN/idp/profile/SAML2/Redirect/SLO"/>
     818          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.YOUR-DOMAIN/idp/profile/SAML2/POST/SLO"/>
     819          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.YOUR-DOMAIN/idp/profile/SAML2/POST-SimpleSign/SLO"/>
     820          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.YOUR-DOMAIN/idp/profile/SAML2/SOAP/SLO"/>
    832821
    833822
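Review bot: replacing the real hostname `identity.thilinapathirana.xyz` with the `idp.YOUR-DOMAIN` placeholder is the right call for a published guide. Use one placeholder form throughout (the LDAP example in this same diff now uses an `instXY.ac.lk` style), so installers do not miss one when substituting, and remind them that these four `SingleLogoutService` Location values must use the same hostname as the other endpoint entries in that metadata file, since an SLO endpoint that points elsewhere will simply not be reached.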
     
    911900
    912901
    913 == Configure Attribute Filters to release the mandatory attributes to the default IDEM Resources: ==
     902== Configure Attribute Filters to release the mandatory attributes to the default LEARN Resources: ==
    914903
    91590437. Make sure that you have the "`tmp/httpClientCache`" used by "`shibboleth.FileCachingHttpClient`":
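Review bot: only the heading changes from IDEM to LEARN here; verify that the attribute filter rules and resource names in the body of this section (not shown in the hunk) were updated to the LEARN federation as well, otherwise the heading and the filter policy below it will disagree.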