The computing website created by Iasparra Francesco
SP configuration
Install the Shibboleth SP module for Apache2:
    libapache2-mod-shib2
Create the file containing the private key and place it at the path shown:
    /etc/shibboleth/www.debian1.server.key
Create the certificate file containing the public key and place it at the path shown:
    /etc/shibboleth/www.debian1.server.pem
The files to edit are the following:
    /etc/shibboleth/attribute-map.xml
    /etc/shibboleth/localLogout.html
    /etc/shibboleth/partialLogout.html
    /etc/shibboleth/shibboleth2.xml
1) Edit the file attribute-map.xml so that it contains the following entries (the same attribute is mapped both by its mace name and by its OID):
    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    <Attribute name="urn:mace:dir:attribute-def:ruolo" id="ruolo"/>
    <Attribute name="urn:oid:1.1.2.1" id="ruolo"/>
2) Edit the file localLogout.html in the <body> section:
    <body onload="window.location.href='https://idp.debian1.server/idp/logout.jsp'">
      Uscita in corso....
    </body>
3) Edit the body section of the file partialLogout.html in the same way.
4) Edit the file shibboleth2.xml. Set the site name:
    <Site id="1" name="www.debian1.server"/>
Edit the following entry:
    <Host name="www.debian1.server">
      <Path name="test" authType="shibboleth" requireSession="true"/>
      <Path name="APP1" authType="shibboleth" requireSession="true">
        <!-- uncomment to restrict APP1 to users whose "ruolo" attribute equals "amministratore" -->
        <!--<AccessControl>
          <Rule require="ruolo">amministratore</Rule>
        </AccessControl>-->
      </Path>
    </Host>
Edit the following entries, supplying the correct URLs:
    <ApplicationDefaults id="default" policyId="default"
        entityID="https://www.debian1.server/shibboleth">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="false"
          exportLocation="http://www.debian1.server/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
          idpHistory="false" idpHistoryDays="7">
        <!-- handlerSSL="false" lets the /Shibboleth.sso handlers be reached over plain HTTP;
             set it to "true" once the site is served over HTTPS only -->
        <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
            relayState="cookie" entityID="https://idp.debian1.server/idp/shibboleth">
          <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
          <SessionInitiator type="Shib1" acsIndex="5"/>
        </SessionInitiator>
        <!-- the remaining handlers in this element are left unchanged -->
      </Sessions>
      <!-- the remaining elements of ApplicationDefaults are left unchanged -->
    </ApplicationDefaults>
Uncomment the entry:
    <MetadataProvider type="XML" file="partner-metadata.xml"/>
(this file is created in the next section of the guide)
Point the CredentialResolver at the key and certificate created earlier:
    <CredentialResolver type="File" key="www.debian1.server.key" certificate="www.debian1.server.pem"/>
Check the configuration with the shell command:
shibd -t shibboleth2.xml
IdP and SP metadata configuration
Edit the file shibboleth-idp/metadata/idp-metadata.xml so that it opens with the following header, which wraps the existing IdP EntityDescriptor in an EntitiesDescriptor:
    <?xml version="1.0" encoding="UTF-8"?>
    <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
Add the following at the end of the file:
    </EntitiesDescriptor>
Immediately after the IdP's closing </EntityDescriptor> tag (that is, immediately before the </EntitiesDescriptor> just added) add the following code:
    <EntityDescriptor entityID="https://www.debian1.server/shibboleth">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
        <KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                PASTE THE BASE64 BODY OF /etc/shibboleth/www.debian1.server.pem HERE (without the BEGIN/END CERTIFICATE lines)
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                PASTE THE BASE64 BODY OF /etc/shibboleth/www.debian1.server.pem HERE (without the BEGIN/END CERTIFICATE lines)
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.debian1.server/Shibboleth.sso/SLO/SOAP"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.debian1.server/Shibboleth.sso/SLO/Redirect"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.debian1.server/Shibboleth.sso/SLO/POST"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.debian1.server/Shibboleth.sso/SLO/Artifact"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.debian1.server/Shibboleth.sso/NIM/SOAP"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.debian1.server/Shibboleth.sso/NIM/Redirect"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.debian1.server/Shibboleth.sso/NIM/POST"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.debian1.server/Shibboleth.sso/NIM/Artifact"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.debian1.server/Shibboleth.sso/SAML2/POST" index="1"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://www.debian1.server/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://www.debian1.server/Shibboleth.sso/SAML2/Artifact" index="3"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://www.debian1.server/Shibboleth.sso/SAML2/ECP" index="4"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://www.debian1.server/Shibboleth.sso/SAML/POST" index="5"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://www.debian1.server/Shibboleth.sso/SAML/Artifact" index="6"/>
      </SPSSODescriptor>
    </EntityDescriptor>
Copy the file shibboleth-idp/metadata/idp-metadata.xml into /etc/shibboleth/ as partner-metadata.xml (the file referenced by the MetadataProvider entry above).
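Added example, not part of this guide: a Python helper that fills the base64 body of the SP certificate into the EntityDescriptor above and checks that the certificates in a metadata file match the PEM named by the CredentialResolver, since a mismatch between /etc/shibboleth/www.debian1.server.pem and the copy pasted into idp-metadata.xml is the usual cause of the IdP rejecting the SP or the SP failing to decrypt assertions. The PEM body is a constructed placeholder, and only the SLO Redirect and SAML2 HTTP-POST endpoints are emitted.

```python
import re
import xml.etree.ElementTree as ET

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
SP_HOST = "www.debian1.server"   # SP host used throughout the guide
# Constructed stand-in for /etc/shibboleth/www.debian1.server.pem (not a real certificate).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsampleSAMPLE\nsampleSAMPLE==\n-----END CERTIFICATE-----\n"

def pem_body(pem_text):
    """Base64 body of the first CERTIFICATE block, header/footer and whitespace
    stripped: the form <ds:X509Certificate> expects."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return re.sub(r"\s+", "", m.group(1))

def sp_entity_descriptor(pem_text, host=SP_HOST):
    """SP <EntityDescriptor> as the guide pastes it into idp-metadata.xml, PEM body
    filled into both KeyDescriptors; only the SLO Redirect and SAML2 POST ACS are emitted."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    md, ds = "{%s}" % MD, "{%s}" % DS
    ent = ET.Element(md + "EntityDescriptor", entityID="https://%s/shibboleth" % host)
    sp = ET.SubElement(ent, md + "SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for use in ("signing", "encryption"):          # the SP uses one key pair for both
        kd = ET.SubElement(sp, md + "KeyDescriptor", use=use)
        xd = ET.SubElement(ET.SubElement(kd, ds + "KeyInfo"), ds + "X509Data")
        ET.SubElement(xd, ds + "X509Certificate").text = pem_body(pem_text)
    ET.SubElement(sp, md + "SingleLogoutService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                  Location="https://%s/Shibboleth.sso/SLO/Redirect" % host)
    ET.SubElement(sp, md + "AssertionConsumerService", index="1",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location="https://%s/Shibboleth.sso/SAML2/POST" % host)
    return ET.tostring(ent, encoding="unicode")

def metadata_matches_pem(metadata_xml, pem_text, host=SP_HOST):
    """True when every <ds:X509Certificate> under the SP's EntityDescriptor equals the
    PEM body. Accepts a bare EntityDescriptor or the guide's EntitiesDescriptor wrapper.
    False also when the SP entityID is absent, so a wrong copy is caught too."""
    root = ET.fromstring(metadata_xml)
    ed_tag = "{%s}EntityDescriptor" % MD
    descs = [root] if root.tag == ed_tag else root.iter(ed_tag)
    certs = [c.text or "" for d in descs if d.get("entityID") == "https://%s/shibboleth" % host
             for c in d.iter("{%s}X509Certificate" % DS)]
    want = pem_body(pem_text)
    return bool(certs) and all(re.sub(r"\s+", "", c) == want for c in certs)
```

Run metadata_matches_pem on the copied partner-metadata.xml and on the real PEM before restarting shibd; a False result means the pasted certificate and the CredentialResolver key pair do not belong together.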
Restart, in sequence:
    /etc/init.d/apache2 restart
    /etc/init.d/tomcat6 restart
    /etc/init.d/shibd restart
Check the log files for any errors:
    /var/log/shibboleth/shibd.log
    /var/log/apache2/error.log
    TOMCAT_HOME/logs
Try opening the following addresses in sequence:
    https://www.debian1.server/APP1
    https://idp.debian1.server/idp/
Let's verify that it works:
    https://www.debian1.server/APP1
You are redirected to the Shibboleth login page.