shibboleth

• fédération renater : installation d'un SP
  • https://services.renater.fr/federation/docs/installation#installer_un_sp_shibboleth
  • https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplication
  • https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride

Récupérer le fichier repo à déposer dans /etc/yum.repos.d

# cd /etc/yum.repos.d

# wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo

# cat shibboleth.repo

[security_shibboleth]
name=Shibboleth (RHEL_5)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/security:/shibboleth/RHEL_5/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/RHEL_5/repodata/repomd.xml.key
enabled=1

# yum install shibboleth.x86_64

Installing for dependencies:
 libsaml8
 libxerces-c-3_1
 libxml-security-c17
 libxmltooling6
 log4shib
 opensaml-schemas 
 xmltooling-schemas    

# cd /etc/yum.repos.d

# wget http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/security:shibboleth.repo

# yum install shibboleth.x86_64

Installing for dependencies:
 libcurl-openssl
 liblog4shib1
 libsaml8
 libxerces-c-3_1
 libxml-security-c17
 libxmltooling6 
 opensaml-schemas
 xmltooling-schemas  

<note warning>

Il faut que la variable d’environnement LD_LIBRARY_PATH contienne /opt/shibboleth/lib64 sinon au lancement du démon shibd il y aura le message d’erreur

ERROR XMLTooling.libcurl.InputStream : on Red Hat 6+, make sure libcurl used is built with OpenSSL

Paramétrer la variable LD_LIBRARY_PATH dans /etc/environment

LD_LIBRARY_PATH=/opt/shibboleth/lib64

Rebooter le serveur

Pour vérifier

# echo $LD_LIBRARY_PATH

</note>

# aptitude search shibboleth

p   shibboleth-sp2-common                 - Federated web single sign-on system (common files)
p   shibboleth-sp2-schemas                - Federated web single sign-on system (transitional package)
p   shibboleth-sp2-utils                  - Federated web single sign-on system (daemon and utilities)
p   wordpress-shibboleth                  - Shibboleth plugin for WordPress

# aptitude install shibboleth-sp2-common

# aptitude install shibboleth-sp2-utils

# aptitude install libapache2-mod-shib2

....
Setting up libapache2-mod-shib2 (2.5.3+dfsg-2) ...
apache2_invoke: Enable module shib2

  <Location /sympa/sso_login/federation_renater>
     AuthType shibboleth
     ShibRequireSession On
     ShibApplicationID default
     require shibboleth
  #  require mail ~ @
  </Location>

# cd /usr/local/INSTALL/shibboleth/ 
# wget https://test.federation.renater.fr/exemples/conf_sp2_renater.tar.gz
# tar xvfz conf_sp2_renater.tar.gz
# chown -R _shibd:_shibd conf_sp2
# cd /etc/shibboleth/ 
# mv accessError.html accessError.html.orig
# mv attribute-policy.xml attribute-policy.xml.orig
# mv globalLogout.html globalLogout.html.orig
# mv localLogout.html localLogout.html.orig
# mv metadataError.html metadataError.html.orig
# mv sessionError.html sessionError.html.orig
# mv sslError.html sslError.html.orig
# mv /usr/local/INSTALL/shibboleth/conf_sp2/* .

/etc/shibboleth : configuration contenant shibboleth2.xml

# chown -R shibd:shibd /etc/shibboleth       # redhat
# chown -R _shibd:_shibd /etc/shibboleth     # debian

<columns>

• accessError.html
• attrChecker.html
• attribute-map.xml
• attribute-policy.xml
• bindingTemplate.html
• console.logger
• discoveryTemplate.html
• example-metadata.xml

<newcolumn>

• example-shibboleth2.xml
• globalLogout.html
• localLogout.html
• metadataError.html
• native.logger
• partialLogout.html
• postTemplate.html
• protocols.xml

<newcolumn>

• security-policy.xml
• sessionError.html
• shibboleth2.xml
• shibd.logger
• sslError.html
• syslog.logger
• upgrade.xsl

</columns>

• /var/log/shibboleth : logs contenant shibd.log
• /var/run/shibboleth : runtime contenant fichier de “process ID” et “socket”
• /var/cache/shibboleth : cache contenant fichier de “metadata backup” and “CRL”
• /etc/init.d : contenant le script de démarrage pour le daemon shibd

Le processus shibd a besoin d'un certificat pour signer les requêtes SAML transmises aux fournisseurs d'identités (IdP).

# cd /etc/shibboleth

# openssl genrsa 1024 > [nom serveur].grenoble-inp.fr.key

 Generating RSA private key, 1024 bit long modulus
 ..........++++++
 ................++++++
 e is 65537 (0x10001)

# openssl req -new -x509 -nodes -sha1 -days 7300 -subj “/C=FR/O=Institut Polytechnique de Grenoble/CN=[nom serveur].grenoble-inp.fr” -key ./[nom serveur].grenoble-inp.fr.key > ./[nom serveur].grenoble-inp.fr.crt

# openssl x509 -noout -fingerprint -text < ./[nom serveur].grenoble-inp.fr.crt » ./[nom serveur].grenoble-inp.fr.crt

# shib-keygen -f -u _shibd -h [nom serveur].grenoble-inp.fr -y 3 -e https://[nom serveur].grenoble-inp.fr/shibboleth -o /etc/shibboleth/

# shibd -t

2017-03-27 09:04:57 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2017-03-27 09:04:57 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2017-03-27 09:04:57 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
     overall configuration is loadable, check console for non-fatal problems

# wget  https://metadata.federation.renater.fr/certs/renater-metadata-signing-cert-2016.pem

Vérifier

# /usr/bin/openssl x509 -sha256 -noout -fingerprint -in renater-metadata-signing-cert-2016.pem

Doit afficher

SHA256 Fingerprint=6B:D3:5F:7A:B1:64:EC:79:03:0D:36:97:BA:40:BD:23:5D:AA:DA:C0:43:47:C6:E5:3E:B7:72:A7:74:2C:16:5F

il faut que ce fichier existe sous /etc/shibboleth

# wget https://federation.renater.fr/renater/renater-test-metadata.xml

# wget https://federation.renater.fr/renater/renater-metadata.xml

• /etc/shibboleth/shibboleth2.xml –> Modifications
• /etc/shibboleth/attribute-map.xml –> Modifications

Le SP Shibboleth 2.x publie automatiquement ses méta-données à l'adresse :

• https://[nom_serveur].grenoble-inp.fr/Shibboleth.sso/Metadata

à faire sur les 2 serveurs

# cd /home/.../install/shibboleth-idp/conf

Utiliser attribute-filter-test.xml : pour les tests. Ne plus utiliser attribute-filter.xml en local mais celui de Renater

Mettre en commentaire :

<!--        <srv:ConfigurationResource file="/usr/local/inp/shibboleth-idp/conf/attribute-filter.xml" xsi:type="resource:FilesystemResource"/>
-->

Ajouter :

<srv:Service id="shibboleth.AttributeFilterEngine"
              configurationResourcePollingFrequency="P1DT0H0M0.000S"
              configurationResourcePollingRetryAttempts="3"
              xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
   <srv:ConfigurationResource file="/usr/local/inp/shibboleth-idp/conf/attribute-filter-test.xml" xsi:type="resource:FilesystemResource"/>
   <srv:ConfigurationResource url="https://services-federation.renater.fr/renater/filtres/renater-attribute-filters-all.xml" 
            xsi:type="resource:FileBackedHttpResource" file="/usr/local/inp/shibboleth-idp/conf/renater-attribute-filters-all.xml"/>
</srv:Service>

https://services-federation.renater.fr/gestion?federation

• Description technique du service : Serveur de test Sympa Grenoble-INP

• URL du service : http://crocus-test.inpg.fr/sympa/sso_login/federation_renater/

• entityID : http://crocus-test.inpg.fr

• URL du service AssertionConsumerService SAML 1.0 :
  http://crocus-test.inpg.fr/sympa/sso_login/federation_renater/Shibboleth.sso/SAML/POST

• URL du service AssertionConsumerService SAML 2.0 :
  http://crocus-test.inpg.fr/sympa/sso_login/federation_renater/Shibboleth.sso/SAML2/POST

• Certificat X.509 : Copier le certificat contenu dans le fichier /etc/shibboleth/sp-cert.pem

/var/log/shibboleth

• /etc/sysconfig/shibd

# /etc/init.d/httpd restart

Vérifiez que la syntaxe de votre configuration shibboleth2.xml est correcte :

# /usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml

2010-10-22 10:10:23 WARN Shibboleth.AttributeExtractor.XML : skipping duplicate Attribute mapping (same name and nameFormat)
2010-10-22 10:10:23 WARN Shibboleth.PropertySet : deprecation - remapping property (defaultACSIndex) to (acsIndex)
overall configuration is loadable, check console for non-fatal problems

# /etc/init.d/shibd start

# ps auwx | grep shibd

root     29410  0.0  0.1  99680 13528 ?        Ssl  15:25   0:00 /usr/sbin/shibd -p /var/run/shibboleth/shibd.pid -f -w 30
root     29418  0.0  0.0  65280   784 pts/2    S+   15:26   0:00 grep shibd

# tail -f /var/log/shibboleth/shibd.log

2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/Logout::run::LocalLI)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/NIM/SOAP)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/NIM/Redirect)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/NIM/POST)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/NIM/Artifact)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/Artifact/SOAP::run::SAML2Artifact)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/Metadata)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa/Status)
2010-10-21 15:25:13 INFO Shibboleth.Listener : registered remoted message endpoint (app-sympa::getHeaders::Application)
2010-10-21 15:25:13 INFO Shibboleth.Listener : listener service starting