Documentation on the SYMPA software

Wiki hosted on a different server from the Sympa one

Login through the identity federation works; login through the INP IdP does not yet

Shibboleth

Package installation

Shibboleth configuration under /etc/shibboleth

Login:

  • either through the Renater federation: allows users from other institutions to log in
  • or directly through the Grenoble INP IdP: allows only Grenoble INP staff to log in

http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/Metadata

/etc/shibboleth/attribute-map.xml

# cp -p attribute-map.xml attribute-map.xml.orig

uncomment the mail attribute (2 lines)

  -->
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
  <!--  
  ............... 
  -->
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <!-- 

/etc/shibboleth/shibboleth2.xml

Declare the application

<ApplicationDefaults id="default"
   entityID="http://dokuwiki.grenoble-inp.fr/"
        homeURL="http://dokuwiki.grenoble-inp.fr/sso_login/federation_renater"
             signing="false" encryption="false">

Common configuration

<Sessions lifetime="28800" timeout="3600" checkAddress="false"
    handlerURL="/sso_login/federation_renater/Shibboleth.sso" handlerSSL="false"
          exportLocation="http://localhost/sso_login/federation_renater/Shibboleth.sso/GetAssertion"
                idpHistory="false" idpHistoryDays="7">

Login

through the Renater federation
<SSO  discoveryProtocol="SAMLDS" discoveryURL="http://federation.renater.fr/wayf">
        SAML2 SAML1
  </SSO>
<SessionInitiator type="Chaining" Location="/wayf" id="WAYF" relayState="cookie">
            <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://federation.renater.fr/wayf"/>
</SessionInitiator>
Login directly on the Grenoble INP IdP
<SSO entityID="https://shibboleth.grenoble-inp.fr/idp/shibboleth">
            SAML2 SAML1
</SSO>

Common configuration

      <md:AssertionConsumerService Location="/SAML/POST" index="1"
                     Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML2/POST" index="2"
                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

      <LogoutInitiator type="Chaining" Location="/Logout">
        <LogoutInitiator type="Local"/>
      </LogoutInitiator>

      <md:ManageNameIDService Location="/NIM/SOAP"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
      <md:ManageNameIDService Location="/NIM/Redirect" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:ManageNameIDService Location="/NIM/POST" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:ManageNameIDService Location="/NIM/Artifact" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
      <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                       Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

           <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

MetadataProvider

through the Renater federation
<MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-metadata.xml"
            backingFilePath="/etc/shibboleth/renater-metadata.xml" reloadInterval="7200">
          <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
          <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
</MetadataProvider>
Login directly on the Grenoble INP IdP

Still to be tested: how to retrieve the metadata from the IdP. So far it has worked because we configured the federation first, then the IdP, relying on the file provided by the federation.

Common configuration

       <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
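The shibboleth2.xml shown above is a test setup: entityID and homeURL are plain http, signing and encryption are off, and the Sessions element has handlerSSL="false" and checkAddress="false". The following added example (not part of the original notes or of the Shibboleth SP distribution) parses a constructed config fragment that mirrors those attribute values and lists the settings that should be tightened before the SP goes into production; the namespace declarations are assumptions added so the fragment parses stand-alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the attribute values shown on this page.
# The xmlns declarations are assumed here only so the fragment parses alone.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ApplicationDefaults id="default"
      entityID="http://dokuwiki.grenoble-inp.fr/"
      homeURL="http://dokuwiki.grenoble-inp.fr/sso_login/federation_renater"
      signing="false" encryption="false">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/sso_login/federation_renater/Shibboleth.sso" handlerSSL="false"
        idpHistory="false" idpHistoryDays="7">
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace so lookups work for SP 2.x and 3.x configs."""
    return tag.rsplit("}", 1)[-1]


def audit_sp_config(xml_text):
    """Return (element, attribute, message) tuples for settings that weaken the SP."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name, a = _local(el.tag), el.attrib
        if name == "ApplicationDefaults":
            if a.get("entityID", "").startswith("http://"):
                findings.append((name, "entityID", "entityID is plain http; use an https URL"))
            for key in ("signing", "encryption"):
                if a.get(key, "").lower() == "false":
                    findings.append((name, key, f"{key} disabled for all SP messages"))
        elif name == "Sessions":
            if a.get("handlerSSL", "").lower() == "false":
                findings.append((name, "handlerSSL", "handlers served over http; session cookie exposed"))
            if a.get("checkAddress", "").lower() == "false":
                findings.append((name, "checkAddress", "session not bound to the client address"))
        elif name == "Handler":
            if a.get("type") == "Status" and not a.get("acl"):
                findings.append((name, "acl", "Status handler reachable from any address"))
            if a.get("type") == "Session" and a.get("showAttributeValues", "").lower() == "true":
                findings.append((name, "showAttributeValues", "attribute values exposed on /Session"))
    return findings
```

Run it against the real /etc/shibboleth/shibboleth2.xml with `audit_sp_config(open(path).read())`; an empty list means none of the checked attributes is in its weak form.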

Metadata XML file

For the Renater federation

/etc/shibboleth/renater-metadata.xml

# wget https://services-federation.renater.fr/metadata/renater-metadata.xml

For the IdP

????

Registration of the SP

Either with the Renater federation

Or on the Grenoble INP IdP

attribute-filter-test.xml:

<basic:Rule xsi:type="basic:AttributeRequesterString" value="http://wiki-dokuwiki.grenoble-inp.fr/wiki" />

service.xml:

<srv:ConfigurationResource file="/usr/local/inp/shibboleth-idp/conf/attribute-filter-test.xml" 
                           xsi:type="resource:FilesystemResource"/>

Apache: httpd.conf

Use Location rather than Directory: otherwise, after authenticating, the user does not end up in logged-in mode and has to click Login again

<VirtualHost xxx>
   ServerName dokuwiki.grenoble-inp.fr
    
    ...
  <Location />
    AuthType shibboleth
    require shibboleth
  </Location>

  <Location /wiki1>
    AuthType shibboleth
    require shibboleth
  </Location>

</VirtualHost>

dokuwiki

DokuWiki version supplied during the Sympa training

conf/local.php

$conf['title'] = 'test';
$conf['updatecheck'] = 0;
$conf['start'] = 'index';
$conf['youarehere'] = 1;
$conf['useacl'] = 1;
$conf['userewrite'] = '1';
$conf['useslash'] = 1;
$conf['resendpasswd'] = '0';

$conf['authtype'] = 'shibboleth2';

$conf['plugin']['shibbolethauth2']['emailAttribute'] = 'mail';
$conf['plugin']['shibbolethauth2']['loginURL'] = 'https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/Login';
$conf['plugin']['shibbolethauth2']['logoutURL'] = 'https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/Logout';

$conf['plugin']['sympagroups']['enabled'] = 1;
$conf['plugin']['sympagroups']['soapService'] = 'https://listes.grenoble-inp.fr/sympa/wsdl';
$conf['plugin']['sympagroups']['applicationId'] = 'XXXX';
$conf['plugin']['sympagroups']['applicationPwd'] = 'XXXX';

/.htaccess

# RewriteBase /wiki/ 
#RewriteBase /wiki/
RewriteBase /wiki1/
 

Farm installation