...
<!-- Allows overriding of error template information/filenames. You can also add attributes with values that can be plugged into the templates. -->
<Errors supportContact="root@localhost"
    helpLocation="/about.html"
    styleSheet="/shibboleth-sp/main.css"/>

<!-- Example of remotely supplied batch of signed metadata. -->
<!-- <MetadataProvider type="XML" validate="true" uri="https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml" -->
<MetadataProvider type="XML" validate="true" uri="https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml"
    backingFilePath="federation-metadata.xml" reloadInterval="7200">
    <!-- Reject metadata that carries no validUntil, or that is valid for more than 1296000 s (15 days). -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1296000"/>
    <!-- Verify the signature on the downloaded metadata with the test federation signer certificate. -->
    <!-- <MetadataFilter type="Signature" certificate="/etc/shibboleth/cert/ex-fed.crt"/> -->
    <MetadataFilter type="Signature" certificate="/etc/shibboleth/cert/gakunin-test-signer-2011.cer"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
        attributeName="http://macedir.org/entity-category"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="http://refeds.org/category/hide-from-discovery" />
    <!-- libcurl options for the HTTPS download: 64 = CURLOPT_SSL_VERIFYPEER, 81 = CURLOPT_SSL_VERIFYHOST, 10065 = CURLOPT_CAINFO. -->
    <TransportOption provider="CURL" option="64">1</TransportOption>
    <TransportOption provider="CURL" option="81">2</TransportOption>
    <TransportOption provider="CURL" option="10065">/etc/pki/tls/certs/ca-bundle.crt</TransportOption>
</MetadataProvider>

<!-- Example of locally maintained metadata. -->
<!-- <MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/> -->
④ Restart shibd and httpd.
systemctl restart httpd
systemctl restart shibd

(On systems without systemd: service httpd restart / service shibd restart)
⑤ Select the IdP for connection testing from the test federation DS.
・Access the SP that you built yourself.
...
cd /opt/shibboleth-idp/credentials
wget https://metadata.gakunin.nii.ac.jp/gakunin-test-signer-2011.cer
② Change the automatic metadata download settings in metadata-providers.xml (or relying-party.xml, depending on the IdP version).
<!-- ================================================ -->
<!-- Metadata Configuration -->
<!-- ================================================ -->

<!-- MetadataProvider the combining other MetadataProviders -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    (omitted)

    <!-- Example metadata provider. -->
    <!-- Reads metadata from a URL and stores a backup copy on the file system. -->
    <!-- Validates the signature of the metadata and filters out all but SP entities in order to save memory -->
    <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
    <!--
    <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/some-metadata.xml">
    -->
    <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml"
        backingFile="/opt/shibboleth-idp/metadata/some-metadata.xml">
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <!-- Reject metadata that carries no validUntil, or that is valid for more than 15 days. -->
            <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P15D" />
            <!-- Require a signature that the shibboleth.MetadataTrustEngine trust engine accepts. -->
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
            <!-- Keep only SP entities. -->
            <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
                <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
            </metadata:MetadataFilter>
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>
</metadata:MetadataProvider>
...
metadata-providers.xml:

<!-- ================================================ -->
<!-- Metadata Configuration -->
<!-- -->
<!-- Below you place the mechanisms which define how to load the metadata for the SP you will -->
<!-- provide a service to. -->
<!-- -->
<!-- Two examples are provided. The Shibboleth Documentation at -->
<!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration -->
<!-- provides more details. -->
<!-- -->
<!-- NOTE. This file SHOULD NOT contain the metadata for this IdP. -->
<!-- ================================================ -->

<!-- Example HTTP metadata provider. Use this if you want to download the metadata from a remote source.
(omitted)
-->
<!--
<MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/gakunin-metadata-backing.xml"
    metadataURL="https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml">
-->
<MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/gakunin-metadata-backing.xml"
    metadataURL="https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml">
    <!-- Verify the signature on the downloaded metadata; the root element must be signed with the test federation signer certificate. -->
    <!-- <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="%{idp.home}/credentials/ex-fed.crt"> -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="%{idp.home}/credentials/gakunin-test-signer-2011.cer">
        <!-- <PublicKey> MIIBI..... </PublicKey> -->
    </MetadataFilter>
    <!-- Reject metadata that carries no validUntil, or that is valid for more than 15 days. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P15D"/>
    <!-- Keep only SP entities. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

relying-party.xml (security configuration):

<!-- ================================================ -->
<!-- Security Configurations -->
<!-- ================================================ -->

<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/server.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/server.crt</security:Certificate>
</security:Credential>

<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
        <!--
        <security:Certificate>/opt/shibboleth-idp/credentials/ex-fed.crt</security:Certificate>
        -->
        <security:Certificate>/opt/shibboleth-idp/credentials/gakunin-test-signer-2011.cer</security:Certificate>
    </security:Credential>
</security:TrustEngine>
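The validity and role filters configured on both sides above (RequireValidUntil with maxValidityInterval="1296000" on the SP, RequiredValidUntil with maxValidityInterval="P15D" on the IdP, and EntityRoleWhiteList retaining SPSSODescriptor) decide whether a downloaded federation metadata file is accepted at all. The following Python script is an added example, not code from this page or from the Shibboleth project: it re-implements the semantics of those two filters stand-alone and runs them over a constructed sample metadata document (the entityIDs, hostnames and dates in it are made up, and the function names filter_metadata, require_valid_until and retain_roles are this example's own). It deliberately does not reproduce the Signature / SignatureValidation filter, which needs an XML-DSig implementation and the federation signer certificate, so it complements rather than replaces that check.

```python
"""Added example (not Shibboleth code): RequireValidUntil and EntityRoleWhiteList
semantics re-implemented over a constructed SAML metadata document."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# maxValidityInterval from the configuration: 1296000 seconds on the SP, P15D on the IdP.
MAX_VALIDITY = timedelta(seconds=1296000)
assert MAX_VALIDITY == timedelta(days=15)  # both deployments enforce the same window

# Constructed sample metadata (made-up hostnames and entityIDs, not real federation data):
# one SP entity and one IdP entity under a single EntitiesDescriptor.
SAMPLE_TEMPLATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://fed.example.test/metadata"{valid_until_attr}>
  <md:EntityDescriptor entityID="https://sp.example.test/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.test/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.test/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def sample(valid_until=None):
    """Render the constructed sample; pass None to omit the validUntil attribute."""
    attr = ' validUntil="%s"' % valid_until if valid_until else ""
    return SAMPLE_TEMPLATE.format(valid_until_attr=attr)


def parse_saml_datetime(value):
    """SAML dateTime values are UTC with a Z suffix, e.g. 2024-01-31T12:00:00Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp with Z suffix, got %r" % value)
    dt = datetime.strptime(value[:-1].split(".")[0], "%Y-%m-%dT%H:%M:%S")
    return dt.replace(tzinfo=timezone.utc)


def require_valid_until(root, now, max_validity=MAX_VALIDITY):
    """RequireValidUntil semantics. Returns None when the document is acceptable,
    otherwise a reason string: missing validUntil, already expired, or valid for
    longer than max_validity ahead of now (an over-long window would let a stale
    signed document keep being trusted)."""
    value = root.get("validUntil")
    if value is None:
        return "no validUntil attribute on the metadata root"
    valid_until = parse_saml_datetime(value)
    if valid_until <= now:
        return "metadata expired at " + value
    if valid_until - now > max_validity:
        return "validUntil %s is more than %s ahead of now" % (value, max_validity)
    return None


def retain_roles(root, retained="SPSSODescriptor"):
    """EntityRoleWhiteList semantics: remove every EntityDescriptor that does not
    carry the retained role; returns the entityIDs that survive."""
    kept = []
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        if entity.find("md:" + retained, NS) is None:
            root.remove(entity)
        else:
            kept.append(entity.get("entityID"))
    return kept


def filter_metadata(xml_text, now_saml):
    """Apply both filters; now_saml is the evaluation time as a SAML dateTime string."""
    root = ET.fromstring(xml_text)
    now = parse_saml_datetime(now_saml)
    problem = require_valid_until(root, now)
    if problem:
        return {"accepted": False, "reason": problem, "entities": []}
    return {"accepted": True, "reason": None, "entities": retain_roles(root)}


if __name__ == "__main__":
    now = "2024-01-01T00:00:00Z"
    print(filter_metadata(sample("2024-01-10T00:00:00Z"), now))   # accepted, SP only
    print(filter_metadata(sample("2024-01-17T00:00:00Z"), now))   # rejected: 16 days > 15
    print(filter_metadata(sample(), now))                         # rejected: no validUntil
```

The same two checks can be run against the backing file the configuration writes (federation-metadata.xml on the SP, gakunin-metadata-backing.xml on the IdP) to confirm, before restarting shibd or tomcat, that the downloaded document would actually pass the configured filters rather than silently leaving the previous copy in use.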
③ Restart tomcat.
systemctl restart tomcat

(On systems without systemd: service tomcat6 restart)
④ Access the test federation's SP for connection testing at https://test-sp1.gakunin.nii.ac.jp.
...