Table des matières

Wiki sur un serveur différent que celui de sympa

Connexion sur la fédération d'identité marche, pas encore sur IDP INP

Shibboleth

Installation du package

Configuration de shibboleth sur /etc/shibboleth

Connexion :

http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/Metadata

/etc/shibboleth/attribute-map.xml

# cp -p attribute-map.xml attribute-map.xml.orig

décommenter l'attribut mail ( 2 lignes ) 

  -->
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
  <!--  
  ............... 
  -->
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <!--

/etc/shibboleth/shibboleth2.xml

Indiquer l'application

<ApplicationDefaults id="default"
   entityID="http://dokuwiki.grenoble-inp.fr/"
        homeURL="http://dokuwiki.grenoble-inp.fr/sso_login/federation_renater"
             signing="false" encryption="false">

Configuration commune

<Sessions lifetime="28800" timeout="3600" checkAddress="false"
    handlerURL="/sso_login/federation_renater/Shibboleth.sso" handlerSSL="false"
          exportLocation="http://localhost/sso_login/federation_renater/Shibboleth.sso/GetAssertion"
                idpHistory="false" idpHistoryDays="7">

Connexion

par la fédération Renater
<SSO  discoveryProtocol="SAMLDS" discoveryURL="http://federation.renater.fr/wayf">
        SAML2 SAML1
  </SSO>
<SessionInitiator type="Chaining" Location="/wayf" id="WAYF" relayState="cookie">
            <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://federation.renater.fr/wayf"/>
</SessionInitiator>
Connexion directement sur l'IDP de Grenoble INP
<SSO entityID="https://shibboleth.grenoble-inp.fr/idp/shibboleth">
            SAML2 SAML1
</SSO>

Configuration commune

      <md:AssertionConsumerService Location="/SAML/POST" index="1"
                     Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML2/POST" index="2"
                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

      <LogoutInitiator type="Chaining" Location="/Logout">
        <LogoutInitiator type="Local"/>
      </LogoutInitiator>

      <md:ManageNameIDService Location="/NIM/SOAP"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
      <md:ManageNameIDService Location="/NIM/Redirect" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:ManageNameIDService Location="/NIM/POST" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:ManageNameIDService Location="/NIM/Artifact" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
      <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                       Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

           <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

MetadataProvider

par la fédération Renater
<MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-metadata.xml"
            backingFilePath="/etc/shibboleth/renater-metadata.xml" reloadInterval="7200">
          <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
          <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
</MetadataProvider>
Connexion directement sur l'IDP de Grenoble INP

à tester comment récupérer les metadonnées sur l'idp, pour l'instant cela a marché parceque que l'on a configuré d'abord par la fede, puis par l'idp en s'appuyant sur le fichier fourni par la fede

Configuration commune

       <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/

Fichier xml des metadonnées

Pour la fédération Renater

/etc/shibboleth/renater-metadata.xml 

# wget https://services-federation.renater.fr/metadata/renater-metadata.xml

Pour l'IDP

????

Déclaration

Soit à la fédération Renater

https://services-federation.renater.fr/gestion?federation=renater

Soit sur l'IDP de Grenoble INP

attribute-filter-test.xml: 

<basic:Rule xsi:type="basic:AttributeRequesterString" value="http://wiki-dokuwiki.grenoble-inp.fr/wiki" />

service.xml: 

<srv:ConfigurationResource file="/usr/local/inp/shibboleth-idp/conf/attribute-filter-test.xml" 
                           xsi:type="resource:FilesystemResource"/>

Apache : httpd.conf

Utiliser Location et non pas Directory : sinon à la connexion on ne se retrouve pas en mode connecté, il faut recliquer sur connexion 

<VirtualHost xxx>
   ServerName dokuwiki.grenoble-inp.fr
    
    ...
  <Location />
    AuthType shibboleth
    require shibboleth
  </Location>

  <Location /wiki1>
    AuthType shibboleth
    require shibboleth
  </Location>

</VirtualHost>

dokuwiki

version de dokuwiki fourni lors de la formation sympa

conf/local.php

$conf['title'] = 'test';
$conf['updatecheck'] = 0;
$conf['start'] = 'index';
$conf['youarehere'] = 1;
$conf['useacl'] = 1;
$conf['userewrite'] = '1';
$conf['useslash'] = 1;
$conf['resendpasswd'] = '0';

$conf['authtype'] = 'shibboleth2';

$conf['plugin']['shibbolethauth2']['emailAttribute'] = 'mail';
$conf['plugin']['shibbolethauth2']['loginURL'] = 'https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/Login';
$conf['plugin']['shibbolethauth2']['logoutURL'] = 'https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/Logout';

$conf['plugin']['sympagroups']['enabled'] = 1;
$conf['plugin']['sympagroups']['soapService'] = 'https://listes.grenoble-inp.fr/sympa/wsdl';
$conf['plugin']['sympagroups']['applicationId'] = 'XXXX';
$conf['plugin']['sympagroups']['applicationPwd'] = 'XXXX';

/.htaccess

# RewriteBase /wiki/ 
#RewriteBase /wiki/
RewriteBase /wiki1/

Installation en ferme