Documentation sur le logiciel SYMPA



Wiki sur un serveur différent de celui de Sympa

en cours de rédaction

Shibboleth

Installation du package

Configuration de shibboleth sur /etc/shibboleth

Connexion :

  • soit par la fédération Renater : permet la connexion depuis d'autres établissements
  • soit directement par l'IDP Grenoble INP : ne permet la connexion qu'aux personnels INP

http://wiki-dokuwiki.grenoble-inp.fr/wiki/sso_login/federation_renater/Shibboleth.sso/Metadata

/etc/shibboleth/attribute-map.xml

# cp -p attribute-map.xml attribute-map.xml.orig

décommenter l'attribut mail (2 lignes)

  -->
  <!-- Both entries below map to id="mail", the attribute DokuWiki later reads as the user's
       e-mail address (emailAttribute in conf/local.php). The urn:mace name is the older form
       used with SAML 1 and the urn:oid one the SAML 2 form; uncommenting both keeps "mail"
       available whichever protocol the IdP answers with. -->
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
  <!--  
  ............... 
  -->
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <!-- 

/etc/shibboleth/shibboleth2.xml

Indiquer l'application

<!-- Identity of this SP, i.e. the "application" the IdP and the federation see.
     NOTE(review): entityID is http://dokuwiki.grenoble-inp.fr/ while the IdP filter rule further
     down this page matches http://wiki-dokuwiki.grenoble-inp.fr/wiki and DokuWiki's loginURL uses
     the https host. An AttributeRequesterString rule compares the requester's entityID exactly,
     so attributes are released only if these values are reconciled.
     signing="false" encryption="false": presumably the SP neither signs its requests nor asks
     the IdP for encrypted assertions, so the mail attribute travels through the user's browser
     signed but readable; acceptable only if every hop is over TLS. -->
<ApplicationDefaults id="default"
   entityID="http://dokuwiki.grenoble-inp.fr/"
        homeURL="http://dokuwiki.grenoble-inp.fr/sso_login/federation_renater"
             signing="false" encryption="false">

Configuration commune

<!-- Session settings shared by both login paths. lifetime and timeout are in seconds
     (8 h absolute, 1 h idle).
     checkAddress="false": the SP session is not bound to the client IP address, so a copied
     session cookie is usable from another host; keep it false only if users come through
     NAT or proxies, and make sure the cookie is sent only over HTTPS (cookieProps) when the
     site is served over TLS.
     handlerSSL="false": the /Shibboleth.sso handler also answers over plain HTTP, which
     exposes SAML responses and the session cookie if the vhost is reachable without TLS.
     exportLocation on localhost: presumably the GetAssertion export used by a local process;
     keep it bound to localhost. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
    handlerURL="/sso_login/federation_renater/Shibboleth.sso" handlerSSL="false"
          exportLocation="http://localhost/sso_login/federation_renater/Shibboleth.sso/GetAssertion"
                idpHistory="false" idpHistoryDays="7">

Connexion

par la fédération Renater
<!-- Login through the Renater federation: the user is first sent to the federation WAYF
     (discovery service) to choose an IdP; SAML 2 is tried first, then SAML 1. -->
<SSO  discoveryProtocol="SAMLDS" discoveryURL="http://federation.renater.fr/wayf">
        SAML2 SAML1
  </SSO>
<!-- NOTE(review): discoveryURL above is plain http while the WAYF URL below is https. The
     discovery step decides which IdP the user is sent to, so it should not be exposed to an
     unencrypted hop; confirm the federation's current WAYF address and use https for both. -->
<SessionInitiator type="Chaining" Location="/wayf" id="WAYF" relayState="cookie">
            <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://federation.renater.fr/wayf"/>
</SessionInitiator>
Connexion directement sur l'IDP de Grenoble INP
<!-- Direct login on the Grenoble INP IdP. isDefault="true" means /Login (the path used by
     loginURL in conf/local.php) goes straight to this IdP; the federation path is reached
     only through /wayf. The IdP is pinned by entityID, so the user gets no choice here.
     NOTE(review): acsIndex="1" (SAML2) and "5" (Shib1) must match the index values of the
     AssertionConsumerService list; on this page index 1 is the SAML 1.0 endpoint, see the
     note there. -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                  relayState="cookie" entityID="https://shibboleth.grenoble-inp.fr/idp/shibboleth">
   <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
   <SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>

Configuration commune

      <!-- NOTE(review): the SessionInitiators on this page use acsIndex="1" for SAML2 and "5"
           for Shib1, but here index 1 is the SAML 1.0 browser-post endpoint and index 2 the
           SAML 2.0 HTTP-POST one, and no index 5 is shown. A SAML2 request that names a SAML1
           consumer fails, so check that this list is only abridged on the page and that the
           indices agree in the real file. -->
      <md:AssertionConsumerService Location="/SAML/POST" index="1"
                     Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML2/POST" index="2"
                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

      <!-- Logout only ends the SP session (type="Local"); presumably the IdP session stays
           alive, so on a shared browser the wiki can be re-entered without re-authenticating
           until the IdP session expires. -->
      <LogoutInitiator type="Chaining" Location="/Logout">
        <LogoutInitiator type="Local"/>
      </LogoutInitiator>

      <!-- NameID management and artifact resolution endpoints, stock layout. -->
      <md:ManageNameIDService Location="/NIM/SOAP"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
      <md:ManageNameIDService Location="/NIM/Redirect" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <md:ManageNameIDService Location="/NIM/POST" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:ManageNameIDService Location="/NIM/Artifact" conf:template="/etc/shibboleth/bindingTemplate.html"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
      <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                       Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

            <!-- Extension service that generates "approximate" metadata based on SP configuration.
                 signing="false": the generated metadata is unsigned, so whoever registers it
                 (federation or IdP) should fetch it over TLS or receive it out of band. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. The acl limits it to loopback; keep it that way,
                 the page reveals configuration details. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. showAttributeValues="false" keeps attribute values
                 (the user's mail) off this page. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

           <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <!-- NOTE(review): supportContact="root@localhost" looks like the stock placeholder;
             it is shown to users on SP error pages, so set it to a real helpdesk address. -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

MetadataProvider

par la fédération Renater
<!-- Federation metadata (list of trusted IdPs and their keys), fetched over https every
     7200 s and cached in backingFilePath so the SP still starts when the remote is down.
     RequireValidUntil rejects metadata whose validUntil is missing or more than 2419200 s
     (28 days) away, so a stale cached copy cannot be used indefinitely.
     The Signature filter is the trust anchor: every IdP in this file is trusted because the
     file is signed with the key in metadata-federation-renater.crt. That certificate must be
     obtained and verified out of band (not taken from the metadata itself); the path is
     presumably relative to /etc/shibboleth. -->
<MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-metadata.xml"
            backingFilePath="/etc/shibboleth/renater-metadata.xml" reloadInterval="7200">
          <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
          <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
</MetadataProvider>
Connexion directement sur l'IDP de Grenoble INP

Configuration commune

       <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/

/etc/shibboleth/renater-metadata.xml

Déclaration

Soit à la fédération Renater

Soit sur l'IDP de Grenoble INP

attribute-filter-test.xml:

<!-- IdP-side release rule: attributes are released when the requesting SP's entityID equals
     this value. NOTE(review): the SP's shibboleth2.xml on this page declares
     entityID="http://dokuwiki.grenoble-inp.fr/", which does not match; with a String rule no
     attribute (including mail) would be released, so align the two values. -->
<basic:Rule xsi:type="basic:AttributeRequesterString" value="http://wiki-dokuwiki.grenoble-inp.fr/wiki" />

service.xml:

<!-- Registers the filter file above with the IdP so its release rules are loaded;
     the path is the IdP's conf directory as installed on this site. -->
<srv:ConfigurationResource file="/usr/local/inp/shibboleth-idp/conf/attribute-filter-test.xml" 
                           xsi:type="resource:FilesystemResource"/>

Apache : httpd.conf

# Virtual host for the wiki; "xxx" is the page's placeholder for the address/port.
# NOTE(review): loginURL/logoutURL in conf/local.php use https, so this should be the TLS
# vhost (or the http one should redirect to it), otherwise the SP session cookie is sent in clear.
<VirtualHost xxx>
   ServerName dokuwiki.grenoble-inp.fr
    
    ...
  # NOTE(review): "AuthType shibboleth" + "require shibboleth" activates the SP for the whole
  # site but does not force a login on its own (lazy session): anonymous requests still reach
  # DokuWiki, which then relies on its ACL (useacl) and on the plugin's loginURL to send users
  # to /Shibboleth.sso/Login. To have Apache itself require an authenticated session, add
  # "ShibRequestSetting requireSession 1" inside this Location. Confirm which behaviour is wanted.
  <Location />
    AuthType shibboleth
    require shibboleth
  </Location>

</VirtualHost>

dokuwiki

version de DokuWiki fournie lors de la formation Sympa

conf/local.php

// DokuWiki local settings for the SSO setup described above.
$conf['title'] = 'test';
$conf['updatecheck'] = 0;
$conf['start'] = 'index';
$conf['youarehere'] = 1;
// ACLs must be on for the authentication backend to be applied at all.
$conf['useacl'] = 1;
$conf['userewrite'] = '1';
$conf['useslash'] = 1;
// Authentication is delegated to the Shibboleth SP configured above.
$conf['authtype'] = 'shibboleth2';

// 'mail' must be the id used in /etc/shibboleth/attribute-map.xml (both uncommented entries map to it);
// it is the attribute that identifies the user in the wiki.
$conf['plugin']['shibbolethauth2']['emailAttribute'] = 'mail';
// Login/logout go through the SP handler (handlerURL in shibboleth2.xml). Note these use https while
// entityID/homeURL in shibboleth2.xml use http; presumably the https host is the one to keep.
$conf['plugin']['shibbolethauth2']['loginURL'] = 'https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/Login';
$conf['plugin']['shibbolethauth2']['logoutURL'] = 'https://dokuwiki.grenoble-inp.fr/sso_login/federation_renater/Shibboleth.sso/Logout';


// No local password reset: passwords are presumably managed by the IdP, not by the wiki.
$conf['resendpasswd'] = '0';
// Sympa SOAP endpoint used by the sympaauth plugin.
$conf['plugin']['sympaauth']['sympaSoapService'] = 'https://listes.grenoble-inp.fr/sympa/wsdl';


// Sympa application password ('sxxx' is a placeholder on this page). It is stored in clear text here,
// so conf/ must not be served by the web server (see the .htaccess section below) and this file
// should be readable only by the web server user.
// NOTE(review): the key is under 'shibbolethauth', not 'shibbolethauth2' like the entries above nor
// 'sympaauth'; check which key the plugin actually reads, otherwise the password is silently ignored.
$conf['plugin']['shibbolethauth']['sympaApplicationPwd'] = 'sxxx';

/.htaccess