Wiki sur un serveur différent de celui de Sympa
en cours de rédaction
Shibboleth
Configuration du SP Shibboleth dans /etc/shibboleth
Connexion :
- soit par la fédération Renater : permet la connexion depuis d'autres établissements membres de la fédération (l'attribut mail, qui sert d'identifiant dans DokuWiki, peut alors provenir de n'importe quel IdP de la fédération : le contrôle d'accès doit donc être fait par l'application, via ses ACL)
- soit directement par l'IdP de Grenoble INP : ne permet la connexion qu'aux personnels de Grenoble INP
Métadonnées générées par le SP (« approximatives » et non signées, cf. le handler MetadataGenerator plus bas ; ce ne sont pas les valeurs de référence pour la déclaration à la fédération) : http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/Metadata
/etc/shibboleth/attribute-map.xml
# cp -p attribute-map.xml attribute-map.xml.orig
décommenter les deux définitions de l'attribut mail (noms urn:mace:dir:attribute-def:mail et urn:oid:0.9.2342.19200300.100.1.3, toutes deux exportées sous l'id « mail », qui sert ensuite d'identifiant de connexion à DokuWiki — voir shibbolethEmailAttribute dans local.php)
-->
<!-- urn:mace (SAML 1 style) name of the mail attribute, exported to the application as id="mail",
     the value local.php below uses as the DokuWiki login identifier (shibbolethEmailAttribute). -->
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<!--
...............
-->
<!-- OID (SAML 2 style) name of the same mail attribute, also exported as id="mail".
     NOTE(review): because this value becomes the login identifier, it must only be accepted
     from IdPs present in signature-verified metadata (see the Signature MetadataFilter in
     shibboleth2.xml); any IdP allowed to assert mail can log in as any address. -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<!--
/etc/shibboleth/shibboleth2.xml
Déclarer l'application. L'entityID doit être strictement identique (schéma, hôte, barre oblique finale) à celui déclaré à la fédération : la valeur ci-dessous, http://dokuwiki.grenoble-inp.fr/, diffère de https://dokuwiki.grenoble-inp.fr indiqué dans la déclaration plus bas.
<!-- Identity of this SP as presented to IdPs.
     NOTE(review): entityID here is http://dokuwiki.grenoble-inp.fr/ (http, trailing slash) while
     the federation declaration further down uses https://dokuwiki.grenoble-inp.fr; IdPs compare
     the entityID byte-for-byte, so the two must be made identical or the IdP will not find this
     SP's metadata. signing/encryption="false" govern the SP's own outbound messages only (the
     stock defaults); whether assertions arrive encrypted is decided on the IdP side from the
     certificate published in the SP metadata - confirm against the IdP's policy. -->
<ApplicationDefaults id="default"
entityID="http://dokuwiki.grenoble-inp.fr/"
homeURL="http://dokuwiki.grenoble-inp.fr/sso_login/federation_renater"
signing="false" encryption="false">
Configuration commune
<!-- Session settings shared by both login paths: 28800 s (8 h) absolute lifetime, 3600 s (1 h)
     idle timeout, no client-address binding (checkAddress="false", usual behind NAT/proxies).
     NOTE(review): handlerSSL="false" lets the Shibboleth.sso handlers - including the ACS that
     receives POSTed assertions - answer on plain http, and no cookieProps is set, so the session
     cookie is sent in clear as well. Once the vhost is served over TLS (the production
     declaration below uses https:// URLs) change this to handlerSSL="true" cookieProps="https".
     exportLocation points at localhost, which keeps the assertion export local - leave it on
     the loopback address. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/sso_login/federation_renater/Shibboleth.sso" handlerSSL="false"
exportLocation="http://localhost/sso_login/federation_renater/Shibboleth.sso/GetAssertion"
idpHistory="false" idpHistoryDays="7">
Connexion
par la fédération Renater
<!-- Federation login path: centralised IdP discovery (WAYF), then SAML2 or SAML1 SSO.
     NOTE(review): discoveryURL is http:// while the chained WAYF initiator just below uses
     https://federation.renater.fr/wayf for the same service - use https here too, otherwise
     the IdP-selection page can be altered in transit. Per the SP documentation the SSO element
     is a shorthand that expands into a SessionInitiator at /Login, so it presumably overlaps
     the explicit /Login initiator ("Intranet") defined further down; keep only one of the two
     forms so that it is unambiguous which initiator answers /Login. -->
<SSO discoveryProtocol="SAMLDS" discoveryURL="http://federation.renater.fr/wayf">
SAML2 SAML1
</SSO>
<!-- Older explicit form of the same thing: /wayf sends the browser to the Renater WAYF, which
     returns to the ACS with index 5 - no ACS with that index appears on this page. -->
<SessionInitiator type="Chaining" Location="/wayf" id="WAYF" relayState="cookie">
<SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://federation.renater.fr/wayf"/>
</SessionInitiator>
Connexion directement sur l'IDP de Grenoble INP
<!-- Direct login path pinned to the Grenoble INP IdP by entityID (no discovery step);
     isDefault="true" makes this the initiator used when none is named.
     NOTE(review): the acsIndex values do not match the AssertionConsumerService list on this
     page: the SAML2 initiator names index 1, which below is the SAML 1.0 browser-post ACS, and
     index 5 (Shib1) is not listed at all. An AuthnRequest naming an ACS the IdP cannot find in
     the SP metadata is one cause of the "No peer endpoint available" error quoted further down
     - verify the indexes against the complete shibboleth2.xml. -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
relayState="cookie" entityID="https://shibboleth.grenoble-inp.fr/idp/shibboleth">
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
Configuration commune
<!-- Assertion consumer endpoints advertised to IdPs. As listed here index 1 is the SAML 1.0
     browser-post profile and index 2 is SAML 2.0 HTTP-POST, whereas the initiators above
     reference index 1 for SAML2 and index 5 for Shib1 - reconcile the indexes before
     registering the ACS URLs with the federation. -->
<md:AssertionConsumerService Location="/SAML/POST" index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML2/POST" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<!-- Logout is local only: the SP session is removed but no SAML LogoutRequest is sent, so the
     user is still authenticated at the IdP and can re-enter without logging in again. -->
<LogoutInitiator type="Chaining" Location="/Logout">
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<!-- NameID management and artifact resolution endpoints (stock entries). -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration.
     NOTE(review): this output is unsigned (signing="false") and served to anyone who asks;
     treat the values registered with the federation as authoritative, not this feed. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service, reachable from the loopback addresses only - keep the acl. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service; showAttributeValues="false" keeps attribute values (such as
     mail) off the page - leave it that way on a public host. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
MetadataProvider
par la fédération Renater
<!-- Renater federation metadata: fetched over https every 7200 s, cached in backingFilePath so
     shibd can start without network access. The two filters are the security-relevant part:
     RequireValidUntil rejects metadata that has no validUntil or is valid for more than
     2419200 s (28 days), and Signature verifies the federation's XML signature against the
     pinned certificate. That certificate decides which IdPs this SP trusts, so obtain it out
     of band and check its fingerprint against the value published by Renater. -->
<MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-metadata.xml"
backingFilePath="/etc/shibboleth/renater-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
</MetadataProvider>
Connexion directement sur l'IDP de Grenoble INP : (à compléter) aucun MetadataProvider spécifique n'est indiqué ici. L'IdP https://shibboleth.grenoble-inp.fr/idp/shibboleth référencé par le SessionInitiator « Intranet » doit figurer dans des métadonnées chargées : soit les métadonnées Renater ci-dessus s'il y est enregistré, soit un MetadataProvider dédié (avec, là aussi, vérification de signature).
Configuration commune
<!-- Map to extract attributes from SAML assertions. -->
<!-- Map to extract attributes from SAML assertions (attribute-map.xml edited above). -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass.
     NOTE(review): attribute-policy.xml is not shown on this page. Since mail is the login
     identifier, make sure the policy (or the federation choice itself) does not let arbitrary
     IdPs assert any address - a compromised or misconfigured IdP could otherwise log in as any
     user; restricting the IdP-side release to this SP only, as done below, does not cover that. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair.
     NOTE(review): sp-key.pem is the SP's private key - keep it readable by the shibd user only. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
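<!-- Policies that determine how to process and authenticate runtime messages
     (security-policy.xml, stock file: signature/replay/expiry checks on inbound SAML). -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use.
     (The closing "/>" was truncated to "/" in the previous revision of this page.) -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>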
Déclaration
Soit à la fédération Renater
https://services-federation.renater.fr/gestion?federation=renater
- Vos attributs : email
- URL du service : https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/
- entityID : https://dokuwiki.grenoble-inp.fr (doit être identique, octet pour octet, à l'entityID de shibboleth2.xml, qui vaut ici http://dokuwiki.grenoble-inp.fr/ — schéma et barre oblique finale différents : à corriger d'un côté ou de l'autre)
- URL du service AssertionConsumerService SAML 1.0 : https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/SAML/POST
- URL du service AssertionConsumerService SAML 2.0 : https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/SAML2/POST
Soit sur l'IDP de Grenoble INP
attribute-filter-test.xml:
<!-- IdP-side filter rule: restricts the enclosing policy to the requester (SP) whose entityID
     equals this value (exact string match). It names the test wiki's entityID; the production
     SP (https://dokuwiki.grenoble-inp.fr) would need its own rule. -->
<basic:Rule xsi:type="basic:AttributeRequesterString" value="http://wiki-dokuwiki.grenoble-inp.fr/wiki" />
service.xml:
<!-- Registers the test filter file with the IdP's attribute filter service; the service (or the
     IdP) typically has to be reloaded before the new rule is applied. -->
<srv:ConfigurationResource file="/usr/local/inp/shibboleth-idp/conf/attribute-filter-test.xml"
xsi:type="resource:FilesystemResource"/>
Apache : httpd.conf
<VirtualHost xxx>
ServerName dokuwiki.grenoble-inp.fr
...
# Protect the whole site: every request needs a Shibboleth session. The module processes
# its own Shibboleth.sso handler URL itself, so the handlers are not blocked by this rule.
# NOTE(review): "require shibboleth" only checks that a session exists; it does not decide
# who may log in - authorisation is left to DokuWiki's ACL (useacl = 1 in local.php).
# With handlerSSL="false" in shibboleth2.xml this vhost also accepts sessions over plain
# http; serve it over TLS in production.
<Location />
AuthType shibboleth
require shibboleth
</Location>
</VirtualHost>
dokuwiki
Configuration avec dokuwiki fourni lors de la formation sympa
local.php
// DokuWiki local.php excerpt: Shibboleth login with Sympa-backed lookups.
$conf['title'] = 'test';
$conf['lang'] = 'fr';
// ACLs on; authentication delegated to the shibboleth auth plugin.
$conf['useacl'] = 1;
$conf['authtype'] = 'shibboleth';
// The @admin group plus one named account get superuser rights.
$conf['superuser'] = '@admin,catherine.balleydier@grenoble-inp.fr';
// No password reset: identities come from the IdP, not from a local password store.
$conf['resendpasswd'] = '0';
$conf['plugin']['sympaauth']['sympaSoapService'] = 'https://listes.grenoble-inp.fr/sympa/wsdl';
// Attribute id exported by the SP (attribute-map.xml) that becomes the DokuWiki user id.
$conf['plugin']['shibbolethauth']['shibbolethEmailAttribute'] = 'mail';
$conf['plugin']['shibbolethauth']['useSympa'] = 1;
$conf['plugin']['shibbolethauth']['sympaSoapService'] = 'https://listes.grenoble-inp.fr/sympa/wsdl';
// Sympa SOAP credentials (placeholders here). NOTE(review): this is a shared secret in a PHP
// file - make sure the web server never serves conf/ (DokuWiki ships an .htaccess for that;
// confirm it is honoured) and keep the real value out of any wiki page or repository.
$conf['plugin']['shibbolethauth']['sympaApplicationId'] = 'xxxx';
$conf['plugin']['shibbolethauth']['sympaApplicationPwd'] = 'sxxx';
Lignes posant problème :
// SP handler URLs used by the auth plugin (the lines this page reports as problematic).
// Both are plain http and point at the test host.
$conf['plugin']['shibbolethauth']['shibbolethLogoutURL'] = 'http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/Logout';
// The Login handler's "return" parameter is where the SP sends the browser after SSO.
// NOTE(review): which targets "return" may name is governed by the Sessions redirectLimit
// setting in shibboleth2.xml (not set on this page; the default depends on the SP version -
// SP 3 defaults to "exact", older 2.x releases did not restrict it). Set it explicitly so
// the handler cannot be used as an open redirect.
$conf['plugin']['shibbolethauth']['shibbolethLoginURL'] = 'http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/Login?return=http://wiki-dokuwiki.grenoble-inp.fr/wiki';
Retour à la connexion : l'IdP renvoie l'erreur ci-dessous. « No peer endpoint available to which to send SAML response » indique en général que l'IdP ne trouve pas, dans les métadonnées qu'il détient pour ce SP, d'AssertionConsumerService correspondant à la requête (URL, index ou binding). Points à vérifier en priorité : l'entityID (http://dokuwiki.grenoble-inp.fr/ dans shibboleth2.xml contre https://dokuwiki.grenoble-inp.fr déclaré), le schéma http/https des URL d'ACS, et les acsIndex des SessionInitiator (1 et 5) par rapport aux index réellement déclarés (1 et 2). Les lignes « no email address to log » du journal Apache plus bas semblent indiquer que le plugin n'a pas reçu l'attribut mail et renvoie donc l'utilisateur vers la page de connexion.
ERROR An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance. This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again. Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again. If you think you were sent here in error, please contact technical support Error Message: No peer endpoint available to which to send SAML response
# tail -500 dokuwiki_error_log
[Fri Jun 21 09:57:32 2013] [error] [client 195.83.75.160] shibbolethauth: no email address to log
[Fri Jun 21 09:57:33 2013] [error] [client 195.83.75.160] shibbolethauth: no email address to log,
referer: http://wiki-dokuwiki.grenoble-inp.fr/wiki/doku.php
[Fri Jun 21 09:57:36 2013] [error] [client 195.83.75.160] shibbolethauth: redirect user for login to
http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/Login?
return=http://wiki-dokuwiki.grenoble-inp.fr/wiki,
referer: http://wiki-dokuwiki.grenoble-inp.fr/wiki/doku.php
Déclaration à la fédération de test (les URL ci-dessous sont en http:// : acceptable pour un test, mais les assertions SAML et le cookie de session circulent alors en clair ; la déclaration de production ci-dessus est en https://)
https://services-federation.renater.fr/gestion?federation=test
- Vos attributs : email
- entityID : http://wiki-dokuwiki.grenoble-inp.fr/wiki (identique à la valeur utilisée dans attribute-filter-test.xml côté IdP)
- URL du service AssertionConsumerService SAML 1.0 : http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/SAML/POST
- URL du service AssertionConsumerService SAML 2.0 : http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/SAML2/POST
wiki test grenoble inp http://wiki-dokuwiki.grenoble-inp.fr/wiki
