Documentation sur le logiciel SYMPA



Fichiers de configuration shibboleth à modifier

Sous /etc/shibboleth (fichiers shibboleth2.xml et attribute-map.xml). Après chaque modification, vérifier la syntaxe avant de redémarrer shibd : `xmllint --noout shibboleth2.xml`, puis `shibd -t` pour tester le chargement de la configuration.

Pour distinguer les commentaires, utiliser vim avec l'option “:syntax on” (les commentaires XML sont délimités par <!-- et --> et ne peuvent pas être imbriqués).

shibboleth2.xml

# Keep a pristine copy before editing; -p preserves mode, owner and timestamps so it can be restored as-is.
# cp -p shibboleth2.xml shibboleth2.xml.orig

Mettre en commentaire les trois stanzas suivantes de la configuration d'origine (elles apparaissent déjà commentées, accompagnées de leurs remplaçantes, dans le bloc « Ajouter » ci-dessous ; ne pas imbriquer un commentaire dans un autre) :

<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                checkAddress="false" handlerSSL="false" cookieProps="http">

<SSO entityID="https://idp.example.org/idp/shibboleth"
               discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
            SAML2 SAML1
          </SSO>

 <Logout>SAML2 Local</Logout>

Ajouter à la place (remplacer [NOM] par le nom d'hôte réel). Les URL en http:// et handlerSSL="false" supposent un site servi en HTTP : pour un site servi en HTTPS, utiliser https://, handlerSSL="true" et cookieProps="https", sinon la réponse SAML et le cookie de session circulent en clair.

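 <!-- <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                        REMOTE_USER="eppn persistent-id targeted-id">
 -->
 <!-- Replacement ApplicationDefaults for Sympa. Replace [NOM] with the real host name.
      homeURL is Sympa's Shibboleth login entry point (this is what "shibbolethises" Sympa).
      REMOTE_USER is no longer set here, so Sympa presumably identifies the user from the
      attributes exported through attribute-map.xml (verify on the Sympa side).
      SECURITY NOTE: entityID/homeURL are http://. If the vhost is served over TLS, use https://
      here and set handlerSSL="true" plus cookieProps="https" on Sessions below; otherwise the
      SAML response and the session cookie cross the network in clear.
      signing="false" / encryption="false" are the stock values (requests not signed, encrypted
      assertions not requested); confirm they match the federation's policy. -->
 <ApplicationDefaults id="default"
     entityID="http://[NOM].grenoble-inp.fr"
     homeURL="http://[NOM].grenoble-inp.fr/sympa/sso_login/federation_renater"
     signing="false" encryption="false">

  <!-- <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                checkAddress="false" handlerSSL="false" cookieProps="http">
  -->  
 <!-- Sessions: 28800 s (8 h) absolute lifetime, 3600 s (1 h) idle timeout.
      checkAddress="false" does not bind the session to the client address (needed behind
      NAT/proxies, but a stolen cookie is then usable from any host).
      handlerSSL="false" serves the SAML handlers over plain HTTP; set it to "true" and add
      cookieProps="https" (secure, HttpOnly cookie) once the site is behind TLS.
      exportLocation enables the GetAssertion handler from which Sympa fetches the raw
      assertion on localhost; it returns user attributes, so keep its ACL (exportACL,
      loopback-only by default according to the SP documentation; verify) restricted. -->
 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
      handlerURL="/sympa/sso_login/federation_renater/Shibboleth.sso" handlerSSL="false"
      exportLocation="http://localhost/sympa/sso_login/federation_renater/Shibboleth.sso/GetAssertion"
      idpHistory="false" idpHistoryDays="7">

    <!--       <SSO entityID="https://idp.example.org/idp/shibboleth"
               discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
            SAML2 SAML1
          </SSO>
    -->
    <!-- No fixed entityID: the user is sent to the RENATER WAYF (discoveryURL) to choose an IdP.
         SAML1 is a legacy protocol; keep it only if the federation still requires it. -->
    <SSO  discoveryProtocol="SAMLDS" discoveryURL="https://federation.renater.fr/wayf">
      SAML2 SAML1
    </SSO>

 <!--             <Logout>SAML2 Local</Logout> 
  -->                         
    <!-- Endpoints where the IdP POSTs the SAML response (relative to handlerURL above).
         With handlerSSL="false" they are reachable over plain HTTP, see the note on Sessions. -->
    <md:AssertionConsumerService Location="/SAML/POST" index="1"
                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="/SAML2/POST" index="2"
                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
          
    <!-- Local logout only (the SAML2 single-logout initiator from the stock file is not used). -->
    <LogoutInitiator type="Chaining" Location="/Logout">
      <LogoutInitiator type="Local"/>
    </LogoutInitiator>

    <!-- NameID-management and artifact-resolution endpoints, presumably carried over from
         the stock file; not needed by the Sympa login flow above but harmless to keep. -->
    <md:ManageNameIDService Location="/NIM/SOAP"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:ManageNameIDService Location="/NIM/Redirect" conf:template="/etc/shibboleth/bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:ManageNameIDService Location="/NIM/POST" conf:template="/etc/shibboleth/bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:ManageNameIDService Location="/NIM/Artifact" conf:template="/etc/shibboleth/bindingTemplate.html"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>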

Décommenter (facultatif : ce handler publie en JSON les informations de découverte, c'est-à-dire la liste des IdP, pour une interface de découverte embarquée ; ne l'activer que si quelque chose le consomme) :

<!-- JSON feed of discovery information. -->
<!-- Publishes the discovery (IdP) list as JSON at /DiscoFeed for an embedded discovery UI.
     Presumably derived from the loaded metadata; enable only if a discovery UI consumes it. -->
         <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

Pour la fédération de test (ne charger qu'un seul des deux MetadataProvider : un SP de production ne doit pas faire confiance aux entités de la fédération de test) :

<!-- TEST federation metadata. Do not leave this provider active alongside the production one:
     every entity listed in the loaded metadata becomes a trusted IdP for this SP. -->
<MetadataProvider type="XML" uri="https://federation.renater.fr/renater/renater-test-metadata.xml"
            backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
          <!-- Reject metadata without validUntil or valid for more than 2419200 s (28 days):
               bounds how long a stale copy (e.g. a withdrawn IdP) stays trusted. -->
          <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
          <!-- Verify the federation's XML signature. Obtain metadata-federation-renater.crt out of
               band from RENATER and check its fingerprint; confirm the test metadata is signed with
               this same certificate. Without this filter only the TLS fetch protects the metadata,
               so do not remove it. -->
          <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
      </MetadataProvider>

Pour la fédération de production (remplace le bloc de test ; le certificat metadata-federation-renater.crt doit être récupéré hors bande auprès de RENATER et son empreinte vérifiée avant utilisation) :

<!-- PRODUCTION federation metadata (replaces the test provider; load only one of the two).
     Every entity in the loaded metadata becomes a trusted IdP for this SP. -->
<MetadataProvider type="XML" uri="https://federation.renater.fr/renater/renater-metadata.xml"
            backingFilePath="/etc/shibboleth/renater-metadata.xml" reloadInterval="7200">
          <!-- Reject metadata without validUntil or valid for more than 2419200 s (28 days):
               bounds how long a stale copy (e.g. a withdrawn IdP) stays trusted. -->
          <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
          <!-- Verify the federation's XML signature. Obtain metadata-federation-renater.crt out of
               band from RENATER and check its fingerprint. Without this filter only the TLS fetch
               protects the metadata, so do not remove it. -->
          <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
      </MetadataProvider>

attribute-map.xml

# Keep a pristine copy before editing; -p preserves mode, owner and timestamps so it can be restored as-is.
# cp -p attribute-map.xml attribute-map.xml.orig

Décommenter l'attribut mail (2 lignes). Normalement plus nécessaire par défaut, mais à vérifier : REMOTE_USER n'est plus défini dans le nouvel ApplicationDefaults, Sympa doit donc vraisemblablement recevoir l'adresse via cet attribut exporté. Côté Apache, s'assurer que Sympa lit l'attribut depuis les variables d'environnement et non depuis des en-têtes HTTP (ShibUseHeaders), qu'un client peut tenter d'usurper si le module ne les filtre pas.

  -->
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
  <!--  
  ............... 
  -->
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <!--