
Basic Shibboleth guide

  • A simple practical guide to installing and configuring Shibboleth

  • Date: 12/07/2011 Author: Iasparra Francesco


Shibboleth architecture

The Shibboleth architecture consists of two services:

- Identity Provider (IdP): talks to the identity management system (LDAP, relational DB) to authenticate a user and associate attributes with them;

- Service Provider (SP): talks to a web server to send users to the IdP for authentication, enforces authorization based on the user attributes, and forwards those attributes to the web server.

The SP can query the IdP directly, but the dialogue between SP and IdP (and vice versa) is usually mediated by the user's browser. Trust between IdP and SP is based on a shared metadata file that defines the parties and carries their public keys.

Note: there is a third component, the 'Where Are You From' service (WAYF), which lets the user choose the institution to authenticate with.

To install Shibboleth follow the instructions on the site:

shibboleth.internet2.edu
Select: Software -> Download
Select the link: full installation instructions
Follow the instructions to install the IdP first and then the SP.

System configuration

Edit the file:
        /etc/hostname

        to:
                debian1.server
        N.B. reboot the server to make the change permanent.
Edit the file:
        /etc/hosts
        to:
                127.0.0.1 localhost debian1.server
                127.0.0.1 www.debian1.server idp.debian1.server

Apache2 configuration

Install Apache2:

aptitude install apache2

Install the Shibboleth 2 SP module:

aptitude install libapache2-mod-shib2

Install the Tomcat JK module:

aptitude install libapache2-mod-jk

Enable the Apache2 modules:

a2enmod rewrite
a2enmod headers
a2enmod shib2
a2enmod jk

Create a certificate file containing both the public certificate and the private key for HTTPS access and place it at the path below. Since it holds the private key, keep it readable by root only (mode 0600); Apache reads it while still running as root, before dropping privileges.

/etc/apache2/apache1.pem

Edit the file /etc/apache2/ports.conf as follows:

NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
Listen 443

Edit the file /etc/apache2/mods-available/jk.load

JkWorkersFile /etc/apache2/worker.properties
JkShmFile   /var/log/apache2/mod_jk.shm
JkLogFile   /var/log/apache2/mod_jk.log
JkLogLevel  error
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

Create the file /etc/apache2/worker.properties

workers.tomcat_home=/mnt/programs/apache-tomcat-6.0.32
workers.java_home=/mnt/programs/jdk1.6.0_26
ps=/

# Define 1 real worker using ajp13
worker.list=shibboleth

# Set properties for worker1 (ajp13)
worker.shibboleth.type=ajp13
worker.shibboleth.host=localhost
worker.shibboleth.port=8009
worker.shibboleth.lbfactor=100
worker.shibboleth.socket_keepalive=1
worker.shibboleth.socket_timeout=1200

Create the file /etc/apache2/sites-available/idp-ssl

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName idp.debian1.server
    JkMount /idp* shibboleth
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache1.pem
    ErrorLog ${APACHE_LOG_DIR}/error-idp.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access-idp.log combined
</VirtualHost>
</IfModule>

Create the file /etc/apache2/sites-available/www-ssl

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.debian1.server

    SSLEngine on
    SSLCertificateFile /etc/apache2/apache1.pem

    JkMount /APP1* shibboleth

    RewriteEngine On
    RequestHeader set SHIB_PERSON_UID %{uid}e
    RequestHeader set SHIB_RUOLI %{ruolo}e

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error-www.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access-www.log combined
    <Location /test>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
    </Location>
    <Location /APP1>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
    </Location>
</VirtualHost>
</IfModule>

The two RequestHeader lines copy the uid and ruolo attributes released by the SP into request headers for Tomcat. Because RequestHeader set replaces any header of the same name sent by the client, the application only ever sees the values Apache set, as long as the request actually passes through this virtual host.

Enable the two sites just created with the following shell commands:

    a2ensite idp-ssl
    a2ensite www-ssl

LDAP configuration

The LDAP configuration is the following.
The administrator password is assumed to be: sviluppo
The password of user francesco: 12345
The password of user maria: 12345
Note that the dump below contains no entry for maria under ou=people (only the consulente role refers to her), so an inetOrgPerson entry for her must be added before she can log in. Note also that francesco's userPassword uses the unsalted {MD5} scheme while the admin's uses {SSHA}; outside a test directory use a salted scheme for user entries as well (slapd hashes with {SSHA} by default).

The file is in LDIF format:
    dn: dc=debian1,dc=server
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: DEBIAN1
    dc: debian1
    structuralObjectClass: organization
    entryUUID: bcd80ce6-40ca-1030-9015-172a0b675858
    creatorsName: cn=admin,dc=debian1,dc=server
    createTimestamp: 20110712120345Z
    entryCSN: 20110712120345.295836Z#000000#000#000000
    modifiersName: cn=admin,dc=debian1,dc=server
    modifyTimestamp: 20110712120345Z

    dn: cn=admin,dc=debian1,dc=server
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword:: e1NTSEF9LzliQzgwNnQ3aFpCdE4xT3FyaWRTOHYxaXdjRzlCMjk=
    structuralObjectClass: organizationalRole
    entryUUID: bcd966cc-40ca-1030-9016-172a0b675858
    creatorsName: cn=admin,dc=debian1,dc=server
    createTimestamp: 20110712120345Z
    entryCSN: 20110712120345.304706Z#000000#000#000000
    modifiersName: cn=admin,dc=debian1,dc=server
    modifyTimestamp: 20110712120345Z

    dn: ou=people,dc=debian1,dc=server
    ou: people
    objectClass: organizationalUnit
    objectClass: top
    structuralObjectClass: organizationalUnit
    entryUUID: 797ad75a-40c3-1030-87de-674f8997c213
    creatorsName: cn=admin,dc=debian1,dc=server
    createTimestamp: 20110712111145Z
    entryCSN: 20110712111145.800544Z#000000#000#000000
    modifiersName: cn=admin,dc=debian1,dc=server
    modifyTimestamp: 20110712111145Z

    dn: ou=roles,dc=debian1,dc=server
    structuralObjectClass: organizationalUnit
    entryUUID: 94824c0e-40c3-1030-87df-674f8997c213
    creatorsName: cn=admin,dc=debian1,dc=server
    createTimestamp: 20110712111231Z
    objectClass: organizationalUnit
    ou: Roles
    entryCSN: 20110712111644.914149Z#000000#000#000000
    modifiersName: cn=admin,dc=debian1,dc=server
    modifyTimestamp: 20110712111644Z

    dn: uid=francesco,ou=people,dc=debian1,dc=server
    cn: iasparra
    objectClass: inetOrgPerson
    objectClass: top
    userPassword:: e01ENX1nbnpMRHVxS2NHeE1OS0Zva2ZoT2V3PT0=
    sn: francesco
    uid: francesco
    structuralObjectClass: inetOrgPerson
    entryUUID: ba11cbca-40c3-1030-87e0-674f8997c213
    creatorsName: cn=admin,dc=debian1,dc=server
    createTimestamp: 20110712111334Z
    entryCSN: 20110712111334.164020Z#000000#000#000000
    modifiersName: cn=admin,dc=debian1,dc=server
    modifyTimestamp: 20110712111334Z

    dn: cn=amministratore,ou=roles,dc=debian1,dc=server
    cn: amministratore
    objectClass: groupOfUniqueNames
    objectClass: top
    uniqueMember: uid=francesco
    structuralObjectClass: groupOfUniqueNames
    entryUUID: fbaae148-40c3-1030-87e2-674f8997c213
    creatorsName: cn=admin,dc=debian1,dc=server
    createTimestamp: 20110712111524Z
    entryCSN: 20110712111524.219180Z#000000#000#000000
    modifiersName: cn=admin,dc=debian1,dc=server
    modifyTimestamp: 20110712111524Z

    dn: cn=consulente,ou=roles,dc=debian1,dc=server
    cn: consulente
    objectClass: groupOfUniqueNames
    objectClass: top
    uniqueMember: uid=maria
    structuralObjectClass: groupOfUniqueNames
    entryUUID: 1699a070-40c4-1030-87e3-674f8997c213
    creatorsName: cn=admin,dc=debian1,dc=server
    createTimestamp: 20110712111609Z
    entryCSN: 20110712111609.404587Z#000000#000#000000
    modifiersName: cn=admin,dc=debian1,dc=server
    modifyTimestamp: 20110712111609Z

Installing the Shibboleth IdP (Identity Provider)

1) Download the latest shibboleth-identityprovider-version-bin.zip
2) Unzip the package.
3) Run ./install.sh and answer the questions, for example:
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
/mnt/programs/shibboleth-idp
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
idp.debian1.server
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
sviluppo
4) Create the environment variable in .bashrc:
export IDP_HOME=/mnt/programs/shibboleth-idp
5) Change to the directory:
cd /mnt/programs/shibboleth-idp/war
and run the following command:
unzip idp.war -d idp
This produces the directory containing the web application:
/mnt/programs/shibboleth-idp/war/idp
6) Add the page /mnt/programs/shibboleth-idp/war/idp/logout.jsp to the webapp:
<%@page import="edu.internet2.middleware.shibboleth.common.profile.AbstractErrorHandler"%>
<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginContext" %>
<%@ page import="org.opensaml.util.storage.StorageService" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginHandler" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.session.*" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper" %>
<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException" %>
<%@ page import="org.opensaml.saml2.metadata.*" %>
<%@ page import="javax.servlet.RequestDispatcher" %>
<%@ page import="javax.servlet.ServletConfig" %>
<%@ page import="javax.servlet.ServletException" %>
<%@ page import="javax.servlet.http.Cookie" %>
<%@ page import="javax.servlet.http.HttpServlet" %>
<%@ page import="javax.servlet.http.HttpServletRequest" %>
<%@ page import="javax.servlet.http.HttpServletResponse" %>
<%@ page import="javax.servlet.http.HttpSession" %>
<%
     String IDP_SESSION_COOKIE_NAME = "_idp_session";
     // Expire every cookie the browser sent for the /idp path (including the
     // _idp_session cookie) so that the IdP session is dropped on logout.
     // getCookies() returns null when the request carries no cookies at all.
     Cookie[] cc = request.getCookies();
     if (cc != null) {
         for (int i = 0; i < cc.length; i++) {
             cc[i].setMaxAge(0);
             cc[i].setSecure(false);
             cc[i].setPath("/idp");
             response.addCookie(cc[i]);
         }
     }
%>
In the <body> tag add:
onload="window.location.href='https://www.debian1.server/'"

Tomcat configuration

1) Edit the file:
<TOMCAT_HOME>/conf/server.xml
at the relevant entries:
<Connector port="8180" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443"
   protocol="org.apache.coyote.http11.Http11Protocol"
   SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
   scheme="https"
   SSLEnabled="true"
   clientAuth="true"
   keystoreFile="/mnt/programs/shibboleth-idp/credentials/idp.jks"
   keystorePass="sviluppo" />
2) Download tomcat6-dta-ssl-1.0.0.jar and copy it to <TOMCAT_HOME>/lib
3) Copy the contents of /<shibboleth-idp unzip directory>/endorsed from the installation directory to <TOMCAT_HOME>/endorsed
4) Add the context file <TOMCAT_HOME>/conf/Catalina/localhost/idp.xml
Its content is the following:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="idp" docBase="/mnt/programs/shibboleth-idp/war/idp/" unpackWAR="false" swallowOutput="true" privileged="true" antiResourceLocking="false" antiJARLocking="false" />
5) Restart Tomcat and test that it works with the following links:
http://127.0.0.1:8180/idp/status
http://127.0.0.1:8180/idp/profile/Status

Creating a sample webapp

In <TOMCAT_HOME>/webapps create the following directories and files:
<TOMCAT_HOME>/webapps/APP1
<TOMCAT_HOME>/webapps/APP1/index.jsp
<TOMCAT_HOME>/webapps/APP1/WEB-INF
<TOMCAT_HOME>/webapps/APP1/WEB-INF/web.xml
The file index.jsp is the following. It dumps every request header, which is a convenient way to see the SHIB_PERSON_UID and SHIB_RUOLI headers set by Apache; header names and values are HTML-escaped before being written into the page:

<%@page contentType="text/html" import="java.util.*" pageEncoding="UTF-8"%>
<%!
    // Escape attacker-controllable strings before echoing them into HTML.
    private static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }
%>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Prova Shibboleth</title>
    </head>
    <body>
    <B>Request Method: </B><%=request.getMethod() %><BR>
    <B>Request URI: </B><%=esc(request.getRequestURI()) %><BR>
    <B>Request Protocol: </B><%=request.getProtocol() %><BR>
    <TABLE BORDER=1 ALIGN=CENTER>
        <TR BGCOLOR="#FFAD00">
            <TH>Header Name<TH>Header Value
            <%
                Enumeration headerNames = request.getHeaderNames();
                while (headerNames.hasMoreElements()) {
                    String headerName = (String) headerNames.nextElement();
                    out.println("<TR><TD>" + esc(headerName));
                    out.println("    <TD>" + esc(request.getHeader(headerName)));
                }
            %>
    </TABLE>
    <a href="https://www.debian1.server/Shibboleth.sso/Logout">Logout</a>
    </body>
</html>
The file web.xml is the following:
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>
            index.jsp
        </welcome-file>
        <welcome-file>
            index.html
        </welcome-file>
    </welcome-file-list>
</web-app>
Restart Tomcat and try to access the following address:
    http://www.debian1.server:8180/APP1/
This URL reaches Tomcat directly on port 8180, bypassing Apache and therefore the Shibboleth protection: on this path any client can supply the SHIB_PERSON_UID and SHIB_RUOLI headers itself. Use it only to check that the webapp deploys; once the setup works, bind the 8180 connector to 127.0.0.1 (address="127.0.0.1") or remove it, so that the application is reachable only through the www-ssl virtual host.

IdP configuration

The files to edit are the following:
shibboleth-idp/conf/attribute-filter.xml
shibboleth-idp/conf/attribute-resolver.xml
shibboleth-idp/conf/handler.xml
shibboleth-idp/conf/login.config
1) Edit the file attribute-filter.xml:
Add the following code at the end of the file:
<afp:AttributeFilterPolicy id="myLDAP">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="uid">
                <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
</afp:AttributeFilterPolicy>
<afp:AttributeFilterPolicy id="rolesLDAP">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="ruolo">
                <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Both policies release the attribute to every requesting SP (PolicyRequirementRule basic:ANY), which is fine with a single SP of your own; in a federation, restrict the PolicyRequirementRule to the SPs that actually need uid and ruolo.
2) Edit the file attribute-resolver.xml
Immediately after the following comment, add this code:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="ruolo" sourceAttributeID="cn">
    <resolver:Dependency ref="rolesLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:ruolo" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.1.2.1" friendlyName="cn" />
</resolver:AttributeDefinition>
Immediately after the following comment, add this code:
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://localhost"
    baseDN="ou=people,dc=debian1,dc=server"
    principal="cn=admin,dc=debian1,dc=server"
    principalCredential="sviluppo">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>
<resolver:DataConnector id="rolesLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://localhost"
    baseDN="ou=roles,dc=debian1,dc=server"
    principal="cn=admin,dc=debian1,dc=server"
    principalCredential="sviluppo"
    mergeResults="true"
    maxResultSize="30">
    <dc:FilterTemplate>
        <![CDATA[
            (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=$requestContext.principalName))
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>cn</dc:ReturnAttributes>
</resolver:DataConnector>
Both connectors bind as cn=admin with its password in clear text in this file; a dedicated read-only bind account is preferable, and the file must not be world-readable.
3) Edit the file handler.xml
Comment out the following code:
<!-- Login Handlers
<ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
</ph:LoginHandler>
-->
Uncomment the following code:
<ph:LoginHandler xsi:type="ph:UsernamePassword" jaasConfigurationLocation="file:///mnt/programs/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
4) Edit the file login.config
Add the following code at the end of the file; it must sit inside the ShibUserPassAuth { ... }; block, which is the JAAS application name the UsernamePassword login handler looks up:
edu.vt.middleware.ldap.jaas.LdapLoginModule required
   host="localhost"
   port="389"
   base="ou=people,dc=debian1,dc=server"
   ssl="false"
   userField="uid";
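As an added example (not part of the guide), the following Python script ties the LDAP section and the IdP configuration together: it parses a cut-down copy of the guide's LDIF, checks a login the way the LdapLoginModule in login.config would (against the {MD5} and {SSHA} userPassword values of the dump), and emulates the two LDAPDirectory data connectors of attribute-resolver.xml to produce the uid and ruolo attributes. The LDIF string is a constructed, reduced version of the dump above (operational attributes removed); no LDAP server is needed.

```python
import base64
import hashlib
import hmac

# Constructed LDIF: the guide's entries reduced to the attributes the IdP
# uses. The userPassword values are the ones from the guide's dump.
LDIF = """\
dn: uid=francesco,ou=people,dc=debian1,dc=server
objectClass: inetOrgPerson
uid: francesco
userPassword:: e01ENX1nbnpMRHVxS2NHeE1OS0Zva2ZoT2V3PT0=

dn: cn=admin,dc=debian1,dc=server
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9LzliQzgwNnQ3aFpCdE4xT3FyaWRTOHYxaXdjRzlCMjk=

dn: cn=amministratore,ou=roles,dc=debian1,dc=server
objectClass: groupOfUniqueNames
cn: amministratore
uniqueMember: uid=francesco

dn: cn=consulente,ou=roles,dc=debian1,dc=server
objectClass: groupOfUniqueNames
cn: consulente
uniqueMember: uid=maria
"""

PEOPLE_BASE = "ou=people,dc=debian1,dc=server"   # baseDN of connector myLDAP
ROLES_BASE = "ou=roles,dc=debian1,dc=server"     # baseDN of connector rolesLDAP


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased; 'attr:: value' means base64-encoded."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            name, _, value = line.partition(":")
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_password(stored, candidate):
    """Verify a candidate against an OpenLDAP userPassword value.
    {MD5}  = base64(md5(pw))                 unsalted (francesco's entry)
    {SSHA} = base64(sha1(pw + salt) + salt)  salted   (admin's entry)"""
    scheme, _, payload = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(payload)
    pw = candidate.encode("utf-8")
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported password scheme: " + scheme)


def _under(entry, base):
    return entry["dn"][0].lower().endswith(base)


def authenticate(entries, principal, password):
    """What LdapLoginModule does: find uid=<principal> under ou=people and
    bind with the password (emulated here by checking the stored hash)."""
    for e in entries:
        if _under(e, PEOPLE_BASE) and principal in e.get("uid", []):
            return any(check_password(h, password) for h in e.get("userpassword", []))
    return False


def resolve_attributes(entries, principal):
    """Emulate the two data connectors of attribute-resolver.xml:
    myLDAP:    (uid=$principal) under ou=people -> attribute 'uid'
    rolesLDAP: (&(objectclass=groupOfUniqueNames)(uniqueMember=uid=$principal))
               under ou=roles, ReturnAttributes cn -> attribute 'ruolo'.
    The guide stores uniqueMember as 'uid=<name>' (not a full DN) and the
    filter matches that literal value, so the emulation does the same."""
    uid = [u for e in entries
           if _under(e, PEOPLE_BASE) and principal in e.get("uid", [])
           for u in e["uid"]]
    ruolo = [c for e in entries
             if _under(e, ROLES_BASE)
             and "groupofuniquenames" in [v.lower() for v in e.get("objectclass", [])]
             and "uid=" + principal in e.get("uniquemember", [])
             for c in e.get("cn", [])]
    return {"uid": uid, "ruolo": ruolo}


if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    for user, pw in (("francesco", "12345"), ("francesco", "wrong"), ("maria", "12345")):
        ok = authenticate(directory, user, pw)
        print(user, "login ok" if ok else "login failed", resolve_attributes(directory, user))
```

Running it shows francesco authenticating with 12345 and receiving ruolo=amministratore, while maria, who has no entry under ou=people in the dump, cannot log in even though the consulente role references her. The {MD5} branch also makes the point from the LDAP section concrete: an unsalted hash is directly comparable to a hash of a guessed password, which is why a salted scheme such as {SSHA} should be used for user entries.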

SP configuration

Install the Shibboleth SP module for Apache2:
libapache2-mod-shib2
Create the file containing the private key and place it at the path below:
/etc/shibboleth/www.debian1.server.key
Create the certificate containing the public key and place it at the path below:
/etc/shibboleth/www.debian1.server.pem
The files to edit are the following:
/etc/shibboleth/attribute-map.xml
/etc/shibboleth/localLogout.html
/etc/shibboleth/partialLogout.html
/etc/shibboleth/shibboleth2.xml
1) Edit the file attribute-map.xml
Add the following at the end of the file, before the closing tag:
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:ruolo" id="ruolo"/>
<Attribute name="urn:oid:1.1.2.1" id="ruolo"/>
2) Edit the file localLogout.html in the <body> part:
<body onload="window.location.href='https://idp.debian1.server/idp/logout.jsp'">
    Uscita in corso....
</body>
3) Edit the <body> of the file partialLogout.html in the same way as above.
4) Edit the file shibboleth2.xml
Change the following entry:
<Site id="1" name="www.debian1.server"/>
Change the following entry:
<Host name="www.debian1.server">
    <Path name="test" authType="shibboleth" requireSession="true"/>
    <Path name="APP1" authType="shibboleth" requireSession="true">
        <!--<AccessControl>
            <Rule require="ruolo">amministratore</Rule>
        </AccessControl>-->
    </Path>
</Host>
With the AccessControl block commented out, every user with a valid session reaches APP1 and the ruolo attribute is only forwarded to the application; uncomment it to let the SP itself restrict APP1 to users whose ruolo is amministratore.
Change the following entries, filling in the correct URLs:
<ApplicationDefaults id="default" policyId="default"
    entityID="https://www.debian1.server/shibboleth">
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
    handlerURL="/Shibboleth.sso" handlerSSL="false"
    exportLocation="http://www.debian1.server/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
    idpHistory="false" idpHistoryDays="7">
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
    relayState="cookie" entityID="https://idp.debian1.server/idp/shibboleth">
    <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
handlerSSL="false" allows the /Shibboleth.sso handler to be used over plain HTTP; it is acceptable for this test setup, but since the site is served over HTTPS only, set it to "true" in production.
Uncomment the entry:
<MetadataProvider type="XML" file="partner-metadata.xml"/>
(this file is created in the next step of the guide)
Point to the certificates:
<CredentialResolver type="File" key="www.debian1.server.key" certificate="www.debian1.server.pem"/>
Check that the configuration is correct with the shell command:
shibd -t shibboleth2.xml

IdP and SP metadata configuration

Edit the file shibboleth-idp/metadata/idp-metadata.xml
Add the following code at the beginning of the file (the file must keep a single <?xml ...?> declaration, and it must be the very first line):
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
Add the following code at the end of the file:
</EntitiesDescriptor>
Immediately after the closing tag of the IdP's own entry (that is, just before the </EntitiesDescriptor> tag just added), add the following code:
<EntityDescriptor entityID="https://www.debian1.server/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
                ADD THE CONTENTS OF THE FILE /etc/shibboleth/www.debian1.server.pem
                (base64 body only, without the BEGIN/END CERTIFICATE lines)
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
                ADD THE CONTENTS OF THE FILE /etc/shibboleth/www.debian1.server.pem
                (base64 body only, without the BEGIN/END CERTIFICATE lines)
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.debian1.server/Shibboleth.sso/SLO/SOAP"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.debian1.server/Shibboleth.sso/SLO/Redirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.debian1.server/Shibboleth.sso/SLO/POST"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.debian1.server/Shibboleth.sso/SLO/Artifact"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.debian1.server/Shibboleth.sso/NIM/SOAP"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.debian1.server/Shibboleth.sso/NIM/Redirect"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.debian1.server/Shibboleth.sso/NIM/POST"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.debian1.server/Shibboleth.sso/NIM/Artifact"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.debian1.server/Shibboleth.sso/SAML2/POST" index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://www.debian1.server/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.debian1.server/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://www.debian1.server/Shibboleth.sso/SAML2/ECP" index="4"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://www.debian1.server/Shibboleth.sso/SAML/POST" index="5"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://www.debian1.server/Shibboleth.sso/SAML/Artifact" index="6"/>
  </SPSSODescriptor>
</EntityDescriptor>
Copy the file shibboleth-idp/metadata/idp-metadata.xml
to /etc/shibboleth/partner-metadata.xml
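As an added example (not from the guide), this Python script builds an SP EntityDescriptor in the shape of the one above from a PEM file and checks the result before it is copied into partner-metadata.xml. SAMPLE_PEM is a constructed placeholder, not a real certificate, and the endpoint list is a subset of the guide's; the checker flags the two mistakes most often made at this step, PEM armor lines left inside <ds:X509Certificate> and endpoint Locations that are not https on the SP host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed stand-in for /etc/shibboleth/www.debian1.server.pem: the body is
# not a real certificate, just base64-looking filler to show the stripping.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIICconstructedBodyLine1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
MIICconstructedBodyLine2BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
"""

# Subset of the endpoints listed in the guide: (element, binding, path, index).
SP_ENDPOINTS = [
    ("SingleLogoutService",
     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "/SLO/Redirect", None),
    ("AssertionConsumerService",
     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "/SAML2/POST", "1"),
    ("AssertionConsumerService",
     "urn:oasis:names:tc:SAML:1.0:profiles:browser-post", "/SAML/POST", "5"),
]


def pem_body(pem):
    """Return only the base64 payload of a PEM certificate: <ds:X509Certificate>
    takes the bare base64, never the -----BEGIN/END CERTIFICATE----- lines."""
    body = [l.strip() for l in pem.splitlines()
            if l.strip() and not l.strip().startswith("-----")]
    if not body:
        raise ValueError("no certificate body found in PEM input")
    return "".join(body)


def build_sp_metadata(entity_id, handler_base, pem):
    """Build an SP EntityDescriptor in the shape of the guide's, with signing
    and encryption KeyDescriptors taken from a single PEM certificate."""
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sso = ET.SubElement(
        ed, f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol "
                                   "urn:oasis:names:tc:SAML:1.1:protocol")
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sso, f"{{{MD_NS}}}KeyDescriptor", use=use)
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo"),
                             f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = pem_body(pem)
    for element, binding, path, index in SP_ENDPOINTS:
        attrs = {"Binding": binding, "Location": handler_base + path}
        if index is not None:
            attrs["index"] = index
        ET.SubElement(sso, f"{{{MD_NS}}}{element}", attrs)
    return ET.tostring(ed, encoding="unicode")


def check_sp_metadata(xml_text, expected_host):
    """Sanity checks before the file goes into partner-metadata.xml: every
    certificate holds base64 only, every endpoint is https and is served by
    the SP host configured in the guide. Returns a list of problems."""
    problems = []
    root = ET.fromstring(xml_text)
    for cert in root.iter(f"{{{DS_NS}}}X509Certificate"):
        text = (cert.text or "").strip()
        if not text or "-----" in text:
            problems.append("X509Certificate must contain only the base64 body")
    for el in root.iter():
        loc = el.get("Location")
        if loc is None:
            continue
        u = urlparse(loc)
        name = el.tag.split("}")[-1]
        if u.scheme != "https":
            problems.append(f"{name} Location is not https: {loc}")
        if u.hostname != expected_host:
            problems.append(f"{name} Location host {u.hostname!r} is not {expected_host!r}")
    return problems


if __name__ == "__main__":
    md = build_sp_metadata("https://www.debian1.server/shibboleth",
                           "https://www.debian1.server/Shibboleth.sso", SAMPLE_PEM)
    print(md)
    print("problems:", check_sp_metadata(md, "www.debian1.server"))
```

The same check_sp_metadata function can be pointed at the finished idp-metadata.xml: parse the file, and every SP endpoint that mistakenly carries an http:// Location or the IdP's host name is reported before shibd ever loads it.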

Restart in sequence:

/etc/init.d/apache2 restart
/etc/init.d/tomcat6 restart
/etc/init.d/shibd restart
Check the log files for any errors:
/var/log/shibboleth/shibd.log
/var/log/apache2/error.log
TOMCAT_HOME/logs
Try to access the following addresses in sequence:
https://www.debian1.server/APP1
https://idp.debian1.server/idp/
Now verify that everything works:
https://www.debian1.server/APP1
You are redirected to the Shibboleth login page.
Enter username and password to access the application APP1.
