The computing site created by Iasparra Francesco
Creating a sample web app
In the <TOMCAT_HOME>/webapps folder, create the following folders and files:
<TOMCAT_HOME>/webapps/APP1
<TOMCAT_HOME>/webapps/APP1/index.jsp
<TOMCAT_HOME>/webapps/APP1/WEB-INF
<TOMCAT_HOME>/webapps/APP1/WEB-INF/web.xml
The index.jsp file is as follows:
<%@page contentType="text/html" import="java.util.*" pageEncoding="UTF-8"%>
<%!
  // HTML-escape a value before writing it into the page. Header names and
  // values are client-supplied input, so printing them raw would let a request
  // inject markup into the response.
  private static String esc(String s) {
    if (s == null) return "";
    return s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace("\"", "&quot;");
  }
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Prova Shibboleth</title>
</head>
<body>
<B>Request Method: </B><%= request.getMethod() %><BR>
<B>Request URI: </B><%= esc(request.getRequestURI()) %><BR>
<B>Request Protocol: </B><%= request.getProtocol() %><BR>
<TABLE BORDER=1 ALIGN=CENTER>
<TR BGCOLOR="#FFAD00">
<TH>Header Name</TH><TH>Header Value</TH>
</TR>
<%
  // Dump every request header. Behind the Shibboleth SP these include the
  // attributes the IdP released for the logged-in user.
  Enumeration headerNames = request.getHeaderNames();
  while (headerNames.hasMoreElements()) {
    String headerName = (String) headerNames.nextElement();
    out.println("<TR><TD>" + esc(headerName) + "</TD>");
    out.println("<TD>" + esc(request.getHeader(headerName)) + "</TD></TR>");
  }
%>
</TABLE>
<a href="https://www.debian1.server/Shibboleth.sso/Logout">Logout</a>
</body>
</html>
The web.xml file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
</web-app>
Restart Tomcat and try to open the following address:
http://www.debian1.server:8180/APP1/
Configuring the IdP
The files to edit are the following:
shibboleth-idp/conf/attribute-filter.xml
shibboleth-idp/conf/attribute-resolver.xml
shibboleth-idp/conf/handler.xml
shibboleth-idp/conf/login.config
1) Edit the attribute-filter.xml file:
<afp:AttributeFilterPolicy id="myLDAP">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="uid">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
<afp:AttributeFilterPolicy id="rolesLDAP">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="ruolo">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
2) Edit the attribute-resolver.xml file:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="ruolo" sourceAttributeID="cn">
  <resolver:Dependency ref="rolesLDAP" />
  <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:ruolo" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.1.2.1" friendlyName="cn" />
</resolver:AttributeDefinition>
Right after the corresponding comment in the file, add the following code:
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://localhost"
    baseDN="ou=people,dc=debian1,dc=server"
    principal="cn=admin,dc=debian1,dc=server"
    principalCredential="sviluppo">
  <dc:FilterTemplate>
    <![CDATA[
      (uid=$requestContext.principalName)
    ]]>
  </dc:FilterTemplate>
</resolver:DataConnector>
<resolver:DataConnector id="rolesLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://localhost"
    baseDN="ou=roles,dc=debian1,dc=server"
    principal="cn=admin,dc=debian1,dc=server"
    principalCredential="sviluppo"
    mergeResults="true"
    maxResultSize="30">
  <dc:FilterTemplate>
    <![CDATA[
      (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=$requestContext.principalName))
    ]]>
  </dc:FilterTemplate>
  <dc:ReturnAttributes>cn</dc:ReturnAttributes>
</resolver:DataConnector>
3) Edit the handler.xml file. The RemoteUser login handler stays commented out:
<!-- Login Handlers
<ph:LoginHandler xsi:type="ph:RemoteUser">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
</ph:LoginHandler>
-->
Uncomment the following code:
<ph:LoginHandler xsi:type="ph:UsernamePassword" jaasConfigurationLocation="file:///mnt/programs/shibboleth-idp/conf/login.config">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
4) Edit the login.config file:
edu.vt.middleware.ldap.jaas.LdapLoginModule required host="localhost" port="389" base="ou=people,dc=debian1,dc=server" ssl="false" userField="uid";
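Steps 1, 2 and 4 above spread one identity setup across three files, and the usual mistakes are a Dependency ref that names no connector, an AttributeRule for an attribute the resolver never defines, a PolicyRequirementRule of basic:ANY (which releases the attribute to every relying party, not only the SP you are testing), a bind password kept in the config file, and a login.config entry that authenticates against a different subtree than the one the resolver reads attributes from. The script below is an added example (not from this page and not part of Shibboleth) that lints exactly those points offline. It embeds the fragments from the page as constructed test input, and it assumes the standard IdP 2.x namespace URIs for the resolver, dc, ad, enc, afp and basic prefixes, since the page omits the root elements that declare them; the useStartTLS attribute it looks for is the LDAPDirectory connector option of that name.

```python
"""Offline lint of the Shibboleth IdP configuration fragments shown above.
Example code, not part of Shibboleth or of the original page."""
import re
import xml.etree.ElementTree as ET

# Namespace URIs of the Shibboleth IdP 2.x configuration schemas. The page omits
# the root elements that declare them, so these are assumed to match the files.
NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "dc": "urn:mace:shibboleth:2.0:resolver:dc",
    "ad": "urn:mace:shibboleth:2.0:resolver:ad",
    "enc": "urn:mace:shibboleth:2.0:attribute:encoder",
    "afp": "urn:mace:shibboleth:2.0:afp",
    "basic": "urn:mace:shibboleth:2.0:afp:mf:basic",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]


def parse_fragment(fragment):
    """Parse a fragment copied out of a config file by wrapping it in a root
    element that binds the prefixes it uses."""
    decls = " ".join('xmlns:%s="%s"' % (p, u) for p, u in NS.items())
    return ET.fromstring("<root %s>%s</root>" % (decls, fragment))


def parse_jaas_options(entry):
    """Extract the key="value" options of one JAAS login module line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', entry))


def lint(resolver_xml, filter_xml, jaas_entry):
    """Return a list of human-readable findings (empty means clean)."""
    findings = []
    res = parse_fragment(resolver_xml)
    flt = parse_fragment(filter_xml)
    connectors = {c.get("id"): c for c in res.findall("resolver:DataConnector", NS)}
    definitions = {d.get("id") for d in res.findall("resolver:AttributeDefinition", NS)}

    # 1. Every Dependency must name a DataConnector or another definition.
    for d in res.findall("resolver:AttributeDefinition", NS):
        for dep in d.findall("resolver:Dependency", NS):
            ref = dep.get("ref")
            if ref not in connectors and ref not in definitions:
                findings.append("definition %r depends on unknown id %r" % (d.get("id"), ref))

    # 2. Bind credentials and transport of each LDAP connector.
    for cid, c in connectors.items():
        if c.get("principalCredential"):
            findings.append("connector %r stores the bind password in the config file" % cid)
        if c.get("ldapURL", "").startswith("ldap://") and c.get("useStartTLS") != "true":
            findings.append("connector %r talks plaintext LDAP without StartTLS" % cid)

    # 3. Filter policies: permitted attributes must exist, and basic:ANY as the
    #    policy requirement releases the attribute to every relying party.
    for p in flt.findall("afp:AttributeFilterPolicy", NS):
        req = p.find("afp:PolicyRequirementRule", NS)
        if req is not None and req.get(XSI_TYPE) == "basic:ANY":
            findings.append("policy %r releases to every relying party (basic:ANY)" % p.get("id"))
        for rule in p.findall("afp:AttributeRule", NS):
            aid = rule.get("attributeID")
            if aid not in definitions:
                findings.append("policy %r permits undefined attribute %r" % (p.get("id"), aid))

    # 4. Authentication (JAAS) and attribute lookup should use the same subtree.
    jaas = parse_jaas_options(jaas_entry)
    if jaas.get("base") not in {c.get("baseDN") for c in connectors.values()}:
        findings.append("login.config base %r matches no connector baseDN" % jaas.get("base"))
    if jaas.get("ssl") == "false":
        findings.append('login.config authenticates over plaintext LDAP (ssl="false")')
    return findings


# Constructed test input: the fragments shown on this page, encoders omitted.
RESOLVER = '''
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
  <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="ruolo" sourceAttributeID="cn">
  <resolver:Dependency ref="rolesLDAP" />
</resolver:AttributeDefinition>
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory" ldapURL="ldap://localhost"
    baseDN="ou=people,dc=debian1,dc=server" principal="cn=admin,dc=debian1,dc=server"
    principalCredential="sviluppo">
  <dc:FilterTemplate><![CDATA[ (uid=$requestContext.principalName) ]]></dc:FilterTemplate>
</resolver:DataConnector>
<resolver:DataConnector id="rolesLDAP" xsi:type="dc:LDAPDirectory" ldapURL="ldap://localhost"
    baseDN="ou=roles,dc=debian1,dc=server" principal="cn=admin,dc=debian1,dc=server"
    principalCredential="sviluppo" mergeResults="true" maxResultSize="30">
  <dc:ReturnAttributes>cn</dc:ReturnAttributes>
</resolver:DataConnector>
'''
FILTER = '''
<afp:AttributeFilterPolicy id="myLDAP">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="uid"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
</afp:AttributeFilterPolicy>
<afp:AttributeFilterPolicy id="rolesLDAP">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="ruolo"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
</afp:AttributeFilterPolicy>
'''
JAAS = ('edu.vt.middleware.ldap.jaas.LdapLoginModule required host="localhost" port="389" '
        'base="ou=people,dc=debian1,dc=server" ssl="false" userField="uid";')


def page_findings():
    """Findings for the configuration as shown on this page."""
    return lint(RESOLVER, FILTER, JAAS)


if __name__ == "__main__":
    for finding in page_findings():
        print("-", finding)
```

Run against the page's own fragments it reports no dangling references, but it does flag both connectors for the embedded bind password and plaintext ldap://, both policies for basic:ANY, and the JAAS entry for ssl="false"; when the setup moves past the test box, those are the items to tighten (a PolicyRequirementRule scoped to the SP's entityID, a StartTLS or ldaps:// connector, and a login.config that uses TLS).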