Changes between Version 4 and Version 5 of idpiam2018
Timestamp: Sep 3, 2018, 8:09:57 AM
idpiam2018
v4 v5 382 382 383 383 Enable the Connector 8009 (AJP): 384 385 ```apache 384 {{{ 386 385 <!-- Define an AJP 1.3 Connector on port 8009 --> 387 386 <Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"/> 388 ``` 387 }}} 389 388 390 389 Check the integrity of XML files just edited with: 391 ```xmlwf -e UTF-8 /etc/tomcat8/server.xml``` 392 393 15. Create and change the file ```idp.xml```: 394 * 395 {{{ 396 sudo vim /etc/tomcat8/Catalina/localhost/idp.xml``` 397 398 ```apache 390 {{{ 391 xmlwf -e UTF-8 /etc/tomcat8/server.xml 392 }}} 393 394 15. Create and change the file `idp.xml`: 395 * 396 {{{ 397 sudo vim /etc/tomcat8/Catalina/localhost/idp.xml 398 }}} 399 {{{ 399 400 <Context docBase="/opt/shibboleth-idp/war/idp.war" 400 401 privileged="true" 401 402 antiResourceLocking="false" 402 403 swallowOutput="true"/> 403 ``` 404 404 }}} 405 405 16. Create the Apache2 configuration file for IdP: 406 407 408 vim /etc/apache2/sites-available/idp-proxy.conf ```409 410 ```apache 406 * 407 {{{ 408 vim /etc/apache2/sites-available/idp-proxy.conf 409 }}} 410 {{{ 411 411 <IfModule mod_proxy.c> 412 412 ProxyPreserveHost On … … 420 420 ProxyPassReverse /idp ajp://localhost:8009/idp retry=5 421 421 </IfModule> 422 ``` 423 424 17. Enable **proxy_ajp** apache2 module and the new IdP site: 425 * 426 {{{ 427 a2enmod proxy_ajp``` 428 * 429 {{{ 430 a2ensite idp-proxy.conf``` 431 * 432 {{{ 433 service apache2 restart``` 434 435 18. Modify **context.xml** to prevent error of *lack of persistence of the session objects* created by the IdP : 436 * 437 {{{ 438 vim /etc/tomcat8/context.xml``` 439 440 and remove the comment from: 441 442 ```<Manager pathname="" />``` 443 422 }}} 423 17. Enable '''proxy_ajp''' apache2 module and the new IdP site: 424 * 425 {{{ 426 a2enmod proxy_ajp 427 }}} 428 * 429 {{{ 430 a2ensite idp-proxy.conf}}} 431 * 432 {{{ 433 service apache2 restart 434 }}} 435 18. 
Modify '''context.xml''' to prevent error of //lack of persistence of the session objects// created by the IdP : 436 * 437 {{{ 438 vim /etc/tomcat8/context.xml 439 }}} 440 and remove the comment from: `<Manager pathname="" />` 444 441 19. Restart Tomcat8: 445 446 447 service tomcat8 restart ```448 442 * 443 {{{ 444 service tomcat8 restart 445 }}} 449 446 20. Verify if the IdP works by opening this page on your browser: 450 451 452 https://idp.YOUR-DOMAIN/idp/shibboleth ``` (you should see the IdP metadata)453 454 455 456 ### Speed up Tomcat 8 startup 447 * 448 {{{ 449 https://idp.YOUR-DOMAIN/idp/shibboleth 450 }}} 451 (you should see the IdP metadata) 452 453 == Speed up Tomcat 8 startup == 457 454 458 455 459 456 21. Find out the JARs that can be skipped from the scanning: 460 * 461 {{{ 462 cd /opt/shibboleth-idp/``` 463 * 464 {{{ 465 ls webapp/WEB-INF/lib | awk '{print $1",\\"}'``` 466 467 Insert the output list into ```/etc/tomcat8/catalina.properties``` at the tail of ```tomcat.util.scan.StandardJarScanFilter.jarsToSkip``` 468 Make sure about the ```,\``` symbols 457 * 458 {{{ 459 cd /opt/shibboleth-idp/}}} * 460 {{{ 461 ls webapp/WEB-INF/lib | awk '{print $1",\\"}'}}} 462 Insert the output list into ```/etc/tomcat8/catalina.properties``` at the tail of ```tomcat.util.scan.StandardJarScanFilter.jarsToSkip}}} Make sure about the ```,\``` symbols 469 463 470 464 Restart Tomcat 8: 471 * 472 {{{ 473 service tomcat8 restart``` 474 465 * 466 {{{ 467 service tomcat8 restart}}} 475 468 476 469 ### Configure Shibboleth Identity Provider v3.2.1 to release the persistent-id (Stored mode) … … 478 471 479 472 22. Test IdP by opening a terminal and running these commands: 480 * 481 {{{ 482 cd /opt/shibboleth-idp/bin``` 483 * 484 {{{ 473 * 474 {{{ 475 cd /opt/shibboleth-idp/bin}}}* 476 {{{ 485 477 ./status.sh``` (You should see some informations about the IdP installed) 486 478 487 23. 
Install **MySQL Connector Java** and other useful libraries used by Tomcat for MySQL DB (if you don't have them already): 488 * 489 {{{ 490 apt-get install mysql-server libmysql-java libcommons-dbcp-java libcommons-pool-java``` 491 * 492 {{{ 493 cd /usr/share/tomcat8/lib/``` 494 * 495 {{{ 496 ln -s ../../java/mysql.jar mysql-connector-java.jar``` 497 * 498 {{{ 499 ln -s ../../java/commons-pool.jar commons-pool.jar``` 500 * 501 {{{ 502 ln -s ../../java/commons-dbcp.jar commons-dbcp.jar``` 503 * 504 {{{ 505 ln -s ../../java/tomcat-jbcp.jar tomcat-jbcp.jar``` 506 Ignore if you get errors for some of the ```ln``` commands as the files might be already there. 507 508 24. Rebuild the **idp.war** of Shibboleth with the new libraries: 509 * 510 {{{ 511 cd /opt/shibboleth-idp/ ; ./bin/build.sh``` 512 You may need to press enter on `Installation Directory: [/opt/shibboleth-idp]` 513 514 25. Create and prepare the "**shibboleth**" MySQL DB to host the values of the several **persistent-id** and **StorageRecords** MySQL DB to host other useful information about user consent: 479 23. Install '''MySQL Connector Java''' and other useful libraries used by Tomcat for MySQL DB (if you don't have them already): 480 * 481 {{{ 482 apt-get install mysql-server libmysql-java libcommons-dbcp-java libcommons-pool-java}}}* 483 {{{ 484 cd /usr/share/tomcat8/lib/}}}* 485 {{{ 486 ln -s ../../java/mysql.jar mysql-connector-java.jar}}}* 487 {{{ 488 ln -s ../../java/commons-pool.jar commons-pool.jar}}}* 489 {{{ 490 ln -s ../../java/commons-dbcp.jar commons-dbcp.jar}}}* 491 {{{ 492 ln -s ../../java/tomcat-jbcp.jar tomcat-jbcp.jar}}} Ignore if you get errors for some of the ```ln``` commands as the files might be already there. 493 494 24. Rebuild the '''idp.war''' of Shibboleth with the new libraries: 495 * 496 {{{ 497 cd /opt/shibboleth-idp/ ; ./bin/build.sh}}} You may need to press enter on `Installation Directory: [/opt/shibboleth-idp]` 498 499 25. 
Create and prepare the "'''shibboleth'''" MySQL DB to host the values of the several '''persistent-id''' and '''StorageRecords''' MySQL DB to host other useful information about user consent: 515 500 516 501 * `mysql_secure_installation` 517 502 518 503 519 ``` 520 Securing the MySQL server deployment. 504 }}}Securing the MySQL server deployment. 521 505 522 506 Connecting to MySQL using a blank password. … … 581 565 582 566 All done! 583 ``` 584 567 }}} 585 568 * log in to your MySQL Server: 586 ```mysql -u root -p``` 587 569 ```mysql -u root -p}}} 588 570 ```sql 589 571 SET NAMES 'utf8'; … … 624 606 625 607 quit 626 ``` 627 608 }}} 628 609 629 610 * Restart mysql service: 630 ```service mysql restart``` 631 611 ```service mysql restart}}} 632 612 26. Enable the generation of the ```persistent-id``` (this replace the deprecated attribute *eduPersonTargetedID*) 633 613 634 * 635 {{{ 636 vim /opt/shibboleth-idp/conf/saml-nameid.properties``` 637 638 (the *sourceAttribute* MUST BE an attribute, or a list of comma-separated attributes, that uniquely identify the subject of the generated ```persistent-id```. It MUST BE: **Stable**, **Permanent** and **Not-reassignable**) 639 640 ```xml 614 * 615 {{{ 616 vim /opt/shibboleth-idp/conf/saml-nameid.properties}}} 617 (the *sourceAttribute* MUST BE an attribute, or a list of comma-separated attributes, that uniquely identify the subject of the generated ```persistent-id```. It MUST BE: '''Stable''', '''Permanent''' and '''Not-reassignable''') 618 619 {{{ 641 620 idp.persistentId.sourceAttribute = uid 642 621 ... … … 648 627 ... 
649 628 idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator 650 ``` 651 652 * Enable the **SAML2PersistentGenerator**: 653 * 654 {{{ 655 vim /opt/shibboleth-idp/conf/saml-nameid.xml``` 656 629 }}} 630 * Enable the '''SAML2PersistentGenerator''': 631 * 632 {{{ 633 vim /opt/shibboleth-idp/conf/saml-nameid.xml}}} 657 634 Remove the comment from the line containing: 658 635 659 ```xml 636 {{{ 660 637 <ref bean="shibboleth.SAML2PersistentGenerator" /> 661 ``` 662 663 * 664 {{{ 665 vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml``` 666 667 Remove the comment to the bean called "**c14n/SAML2Persistent**". 638 }}} 639 * 640 {{{ 641 vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml}}} 642 Remove the comment to the bean called "'''c14n/SAML2Persistent'''". 668 643 669 ```xml 644 {{{ 670 645 <ref bean="c14n/SAML2Persistent" /> 671 ``` 672 673 27. Enable **JPAStorageService** for the **StorageService** of the user consent: 674 * 675 {{{ 646 }}} 647 27. Enable '''JPAStorageService''' for the '''StorageService''' of the user consent: 648 * 649 {{{ 676 650 vim /opt/shibboleth-idp/conf/global.xml``` and add this piece of code to the tail before the ending \</beans\>: 677 651 678 ```xml 652 {{{ 679 653 <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. 
--> 680 654 <bean id="MyDataSource" class="org.apache.commons.dbcp.BasicDataSource" … … 707 681 <property name="database" value="MYSQL" /> 708 682 </bean> 709 ``` 710 (and modify the "**USER_DB_NAME**" and "**PASSWORD**" for your "**shibboleth**" DB) 683 }}} (and modify the "'''USER_DB_NAME'''" and "'''PASSWORD'''" for your "'''shibboleth'''" DB) 711 684 712 685 * Modify the IdP configuration file: 713 * 714 {{{ 715 vim /opt/shibboleth-idp/conf/idp.properties``` 716 717 ```xml 686 * 687 {{{ 688 vim /opt/shibboleth-idp/conf/idp.properties}}} 689 {{{ 718 690 idp.session.StorageService = shibboleth.JPAStorageService 719 691 idp.consent.StorageService = shibboleth.JPAStorageService … … 724 696 # Support lookup by SP for SAML logout 725 697 idp.session.secondaryServiceIndex = true 726 ``` 727 728 (This will indicate to IdP to store the data collected by User Consent into the "**StorageRecords**" table) 698 }}} 699 (This will indicate to IdP to store the data collected by User Consent into the "'''StorageRecords'''" table) 729 700 730 701 … … 732 703 * use ```openssl x509 -outform der -in /etc/ssl/certs/ldap_server.pem -out /opt/shibboleth-idp/credentials/ldap_server.crt``` to load the ldap certificate. 
733 704 734 If you host ldap in a seperate machine, copy the ldap_server.crt to ```/opt/shibboleth-idp/credentials``` 735 * 736 {{{ 737 vim /opt/shibboleth-idp/conf/ldap.properties``` 738 705 If you host ldap in a seperate machine, copy the ldap_server.crt to ```/opt/shibboleth-idp/credentials}}} * 706 {{{ 707 vim /opt/shibboleth-idp/conf/ldap.properties}}} 739 708 740 709 * Solution 1: LDAP + STARTTLS: 741 710 742 ```xml 711 {{{ 743 712 idp.authn.LDAP.authenticator = bindSearchAuthenticator 744 713 idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389 … … 752 721 idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD### 753 722 idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined} 754 ``` 755 723 }}} 756 724 * Solution 2: LDAP + TLS: 757 725 758 ```xml 726 {{{ 759 727 idp.authn.LDAP.authenticator = bindSearchAuthenticator 760 728 idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636 … … 768 736 idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD### 769 737 idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined} 770 ``` 771 738 }}} 772 739 * Solution 3: plain LDAP 773 740 774 ```xml 741 {{{ 775 742 idp.authn.LDAP.authenticator = bindSearchAuthenticator 776 743 idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389 … … 781 748 idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=org 782 749 idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD### 783 ``` 784 (If you decide to use the Solution 3, you have to remove (or comment out) the following code from your Attribute Resolver file: 750 }}} (If you decide to use the Solution 3, you have to remove (or comment out) the following code from your Attribute Resolver file: 785 751 786 ```xml 752 {{{ 787 753 </dc:FilterTemplate> 788 754 <!-- … … 793 759 --> 794 760 </resolver:DataConnector> 795 ``` 796 797 **UTILITY FOR OPENLDAP ADMINISTRATOR:** 798 * 799 {{{ 800 ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn``` 801 * the baseDN ==> 
```ou=people, dc=example,dc=org``` (branch containing the registered users) 761 }}} 762 '''UTILITY FOR OPENLDAP ADMINISTRATOR:''' 763 * 764 {{{ 765 ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn}}} * the baseDN ==> ```ou=people, dc=example,dc=org``` (branch containing the registered users) 802 766 * the bindDN ==> ```cn=admin,dc=example,dc=org``` (distinguished name for the user that can made queries on the LDAP) 803 767 804 768 805 769 29. Enrich IDP logs with the authentication error occurred on LDAP: 806 * 807 {{{ 808 vim /opt/shibboleth-idp/conf/logback.xml``` 809 810 ```xml 770 * 771 {{{ 772 vim /opt/shibboleth-idp/conf/logback.xml}}} 773 {{{ 811 774 <!-- Logs LDAP related messages --> 812 775 <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/> … … 814 777 <!-- Logs on LDAP user authentication --> 815 778 <logger name="org.ldaptive.auth.Authenticator" level="INFO" /> 816 ``` 817 818 30. Build the **attribute-resolver.xml** to define which attributes your IdP can manage. Here you can find the **attribute-resolver-v1-LEARN.xml** provided by LEARN: 779 }}} 780 30. Build the '''attribute-resolver.xml''' to define which attributes your IdP can manage. 
Here you can find the '''attribute-resolver-v1-LEARN.xml''' provided by LEARN: 819 781 * Download the attribute resolver provided by LEARN: 820 ```wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml``` 821 782 ```wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml}}} 822 783 * Modify ```services.xml``` file: 823 ```vim /opt/shibboleth-idp/conf/services.xml``` 824 825 ```xml 784 ```vim /opt/shibboleth-idp/conf/services.xml}}} 785 {{{ 826 786 <value>%{idp.home}/conf/attribute-resolver.xml</value> 827 ``` 828 787 }}} 829 788 must become: 830 789 831 ```xml 790 {{{ 832 791 <value>%{idp.home}/conf/attribute-resolver-v1-LEARN.xml</value> 833 ``` 834 792 }}} 835 793 * Configure the LDAP Data Connector to be compliant to the values put on ```ldap.properties```. (See above suggestions) 836 794 837 795 * Restart Tomcat8: 838 ```service tomcat8 restart``` 839 796 ```service tomcat8 restart}}} 840 797 31. Enable the SAML2 support by changing the ```idp-metadata.xml``` and disabling the SAML v1.x deprecated support: 841 * 842 {{{ 843 vim /opt/shibboleth-idp/metadata/metadata.xml``` 844 ```bash 798 * 799 {{{ 800 vim /opt/shibboleth-idp/metadata/metadata.xml}}}{{{ 845 801 <IDPSSODescriptor> SECTION: 846 802 – From the list of "protocolSupportEnumeration" remove: … … 885 841 886 842 - Remove all ":8443" from the existing URL (such port is not used anymore) 887 ``` 888 843 }}} 889 844 32. Obtain your IdP metadata here: 890 * ```https://idp.YOUR-DOMAIN/idp/shibboleth``` 891 845 * ```https://idp.YOUR-DOMAIN/idp/shibboleth}}} 892 846 33. Register you IdP on the test Federation: 893 * 894 {{{ 895 https://fr-training.ac.lk/``` 896 > For production enviornments please use `https://fr.ac.lk`, Also make sure to remove `-training` from all urls. 
847 * 848 {{{ 849 https://fr-training.ac.lk/}}} > For production enviornments please use `https://fr.ac.lk`, Also make sure to remove `-training` from all urls. 897 850 898 851 34. Configure the IdP to retrieve the Federation Metadata: 899 * 900 {{{ 901 cd /opt/shibboleth-idp/conf``` 902 * 903 {{{ 904 vim metadata-providers.xml``` 905 906 ```xml 852 * 853 {{{ 854 cd /opt/shibboleth-idp/conf}}} * 855 {{{ 856 vim metadata-providers.xml}}} 857 {{{ 907 858 <MetadataProvider 908 859 id="HTTPMD-LEARN-Federation" … … 927 878 </MetadataFilter> 928 879 </MetadataProvider> 929 ``` 930 880 }}} 931 881 * Retrive the Federation Certificate used to verify its signed metadata: 932 * ```wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem``` 933 882 * ```wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem}}} 934 883 935 884 936 885 35. Reload service with id ```shibboleth.MetadataResolverService``` to retrieve the Federation Metadata: 937 * ```cd /opt/shibboleth-idp/bin``` 938 * ```./reload-service.sh -id shibboleth.MetadataResolverService``` 939 886 * ```cd /opt/shibboleth-idp/bin}}} * ```./reload-service.sh -id shibboleth.MetadataResolverService}}} 940 887 941 888 … … 948 895 949 896 37. Make sure that you have the "```tmp/httpClientCache```" used by "```shibboleth.FileCachingHttpClient```": 950 * 951 {{{ 952 mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown tomcat8 /opt/shibboleth-idp/tmp/httpClientCache``` 953 897 * 898 {{{ 899 mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown tomcat8 /opt/shibboleth-idp/tmp/httpClientCache}}} 954 900 38. 
Modify your ```services.xml```: 955 * 956 {{{ 957 vim /opt/shibboleth-idp/conf/services.xml``` 958 959 ```xml 901 * 902 {{{ 903 vim /opt/shibboleth-idp/conf/services.xml}}} 904 {{{ 960 905 <bean id="Default-Filter" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource" 961 906 c:client-ref="shibboleth.FileCachingHttpClient" … … 973 918 <ref bean="Production-Filter"/> 974 919 </util:list> 975 ``` 976 920 }}} 977 921 39. Reload service with id ```shibboleth.AttributeFilterService``` to refresh the Attribute Filter followed by the IdP: 978 * ```cd /opt/shibboleth-idp/bin``` 979 * ```./reload-service.sh -id shibboleth.AttributeFilterService``` 980 922 * ```cd /opt/shibboleth-idp/bin}}} * ```./reload-service.sh -id shibboleth.AttributeFilterService}}} 981 923 982 924 … … 984 926 985 927 1. Tomcat 8 Logs: 986 * 987 {{{ 988 cd /var/log/tomcat8``` 989 * 990 {{{ 991 vim catalina.out``` 992 928 * 929 {{{ 930 cd /var/log/tomcat8}}}* 931 {{{ 932 vim catalina.out}}} 993 933 2. Shibboleth IdP Logs: 994 * 995 {{{ 996 cd /opt/shibboleth-idp/logs``` 997 * **Audit Log:** ```vim idp-audit.log``` 998 * **Consent Log:** ```vim idp-consent-audit.log``` 999 * **Warn Log:** ```vim idp-warn.log``` 1000 * **Process Log:** ```vim idp-process.log``` 934 * 935 {{{ 936 cd /opt/shibboleth-idp/logs}}} * '''Audit Log:''' ```vim idp-audit.log}}} * '''Consent Log:''' ```vim idp-consent-audit.log}}} * '''Warn Log:''' ```vim idp-warn.log}}} * '''Process Log:''' ```vim idp-process.log}}}
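Review bot: the Markdown-to-Trac fence conversion is incomplete in the v5 column, so a number of snippets will render with literal backticks. Inline commands such as ```` ```mysql -u root -p}}} ````, ```` ```service mysql restart}}} ```` and ```` ```cd /opt/shibboleth-idp/bin}}} ```` open with three backticks but close with `}}}`; `./status.sh```` and `vim /opt/shibboleth-idp/conf/global.xml```` keep a trailing backtick fence inside a `{{{` block; and the SQL listing in step 25 still opens with ```` ```sql ```` while closing with `}}}`. Each of these should become either a one-line `{{{...}}}` or a `{{{` / `}}}` pair on their own lines, as the `a2enmod proxy_ajp` block in step 17 already does.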
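Review bot: several block closers now sit on the same line as the command and the next bullet, e.g. `cd /opt/shibboleth-idp/}}} *`, `apt-get install mysql-server libmysql-java libcommons-dbcp-java libcommons-pool-java}}}*` and `cd /opt/shibboleth-idp/bin}}}*`. Trac only recognises a list item when the `*` starts its own line, so these bullets collapse into the preceding block; move each `}}}` and the following `*` onto separate lines, matching the AJP connector block at the top of the diff.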
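Review bot: the AJP connector block just before step 15 is carried over unchanged apart from the fence, and it combines `address="127.0.0.1"` with `tomcatAuthentication="false"`, which makes Tomcat accept the authentication state handed to it by the fronting Apache over AJP. The text should say explicitly that the loopback binding is what confines that trust to the local `idp-proxy.conf` reverse proxy, and that the address must not be widened to a routable interface if the proxy is ever moved to another host.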
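Review bot: in step 25 the captured `mysql_secure_installation` output lost its opener: the v5 line reads `}}}Securing the MySQL server deployment.` and the block is closed again with `}}}` after `All done!`, so it is terminated twice and never started. Put `{{{` on its own line before `Securing the MySQL server deployment.` and keep only the single `}}}` after `All done!`.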
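Review bot: step 26 sets `idp.persistentId.sourceAttribute = uid` immediately after the requirement that the source attribute be Stable, Permanent and Not-reassignable, but never says whether `uid` satisfies it. Add a sentence stating that this holds only if the directory never reuses a `uid` for a different person, because the `shibboleth.ComputedPersistentIdGenerator` derives the `persistent-id` from that value and a reused `uid` would hand the new person the previous account's identifier at every SP; where reuse cannot be ruled out, point the reader at a dedicated unique identifier attribute instead.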
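Review bot: after step 27 `conf/global.xml` holds the `PASSWORD` for the `shibboleth` DB and after the LDAP section `conf/ldap.properties` holds `idp.authn.LDAP.bindDNCredential`, both in clear text, yet neither step restricts who can read the files. Add a permission step beside each, in the same style the page already uses for `chown tomcat8 /opt/shibboleth-idp/tmp/httpClientCache` in step 37, so that the two files are readable only by the `tomcat8` user.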
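Review bot: Solution 3 (plain LDAP) in the LDAP section before step 29 only tells the reader to drop the `FilterTemplate` block from the Attribute Resolver; it should also state that with `ldap://ldap.example.org:389` and no STARTTLS both the `bindDNCredential` and every user password the IdP verifies cross the network unencrypted, so it is only appropriate where that exposure is acceptable (for instance LDAP on the same host), and Solution 1 or 2 should be presented as the default.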
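Review bot: step 34 fetches the metadata-signing certificate with `wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem` and the provider's `MetadataFilter` then relies on it to verify signed federation metadata, but nothing checks that the downloaded file is the certificate the federation operator published. Document an out-of-band fingerprint comparison (for example `openssl x509 -fingerprint` against the value published by the federation) before the reload in step 35, and repeat the step-33 reminder here that production deployments must fetch from `fr.ac.lk`, otherwise production metadata would be validated against the training federation's key.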