| 注意 |
|---|
If you are using TiqrShib version 2.0, we strongly recommend you update it to 2.1 or later. |
...
| 最近の更新 |
|---|
| 添付ファイル |
|---|
Installing Shibbolized Tiqr
Following document instructs how to install shibbolized Tiqr in the idP environemnt.
- Installation of Shibboleth SP
- Deployment of TiqrShib (tar.gz file)
- Deployment of Related Library
- Modification of Library
- Configuration of Apache
- Configuration of TiqrShib Handler in Shibboleth
- Initial Setting of TiqrShib
1. Installation of Shibboleth SP in IdP Server
SP function is required when Tiqr account will enroll in the IdP. This SP does not need to join to the federation but only need to communicate with the IdP. The IdP includes the SP's metadata in its relying-party.xml. Installed SP also includes the IdP's metadata solely.
2. Deployment of TiqrShib
Obrain the source code from the repository then,
- Copy tiqrzenddemo to /var/tiqrzenddemo
- Copy var/www/html/TiqrShib to /var/www/html/TiqrShib (deploy trans.php)
- Copy var/www/html/tiqrenroll/index.html to /var/www/html/tiqrenroll (deploy index.html)
Modify the server FQDN in the above index.html (the following part)
| コード ブロック |
|---|
<input style="font:8pt" type=button value="Register" onclick="window.location.href='https://(FQDN of the IdP server)/TiqrShib/trans.php'">
|
3. Deployment of Related Library
Download the following application and deploy
Application | Version | Download Site |
|---|---|---|
Tiqr-library | 1.0.0 | |
Tiqr-zendframework | 1.0.0 | |
ZendFramework | 1.12.2-minimal | |
phpqrcode | 1.1.4 |
| コード ブロック |
|---|
mkdir /var/www/library
cp -rf tiqr-server-library-1.0.0/library/tiqr /var/www/library/libTiqr
cp -rf tiqr-server-zendframework-1.0.0/library/tiqr-zf /var/www/library/tiqr-zf
cp -rf phpqrcode /var/www/library/phpqrcode
Deploy ZendFramework-1.12.1-minimal to /usr/share
ln -s ZendFramework-1.12.1-minimal ZendFramework
|
Confirm the following links. If not provide soft links as follows.
| コード ブロック |
|---|
ln -s /var/www/library/libTiqr /var/tiqrzenddemo/library/tiqr
ln -s /var/www/library/phpqrcode /var/tiqrzenddemo/library/phpqrcode
ln -s /var/www/library/tiqr-zf /var/tiqrzenddemo/library/tiqr-zf
ln -s /usr/share/ZendFramework /var/tiqrzenddemo/library/zend
|
(*) If you don't like the link, you can copy the files in both directory.
In that case, the libraries should be stored in /var/tiqrzenddemo/library/ . Following modification also required in /var/tiqrzenddemo/public/index.php
| コード ブロック |
|---|
// Ensure library/ is on include_path
set_include_path(implode(PATH_SEPARATOR, array(
realpath(APPLICATION_PATH . '/../library/zend/library'),
realpath(APPLICATION_PATH . '/../library/tiqr'),
realpath(APPLICATION_PATH . '/../library/tiqr-zf'),
realpath(APPLICATION_PATH . '/../library/libTiqrShib'),
get_include_path(),
)));
|
Configure Llibrary Path
Include the following configuration in /etc/php.ini
| コード ブロック |
|---|
include_path = ".:/usr/share/ZendFramework/library:/var/www/library/libTiqr"
|
4. Modification of Library
Modification of ZendFramework
Following function have to be added in /usr/share/ZendFramework/library/Zend/View/Helper/Placeholder/Container/Abstract.php
| コード ブロック |
|---|
/**
* Sort the array by key
*
* @return array
*/
public function ksort()
{
$items = $this->getArrayCopy();
return ksort($items);
}
|
Modification of Tiqr,Tiqr-zf
Modification in /var/www/library/tiqr-zf/Tiqr/Resource/Tiqr.php
| コード ブロック |
|---|
# require_once "Tiqr/Server.php";
require_once "Tiqr/Service.php";
|
Modification in /var/www/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php
| コード ブロック |
|---|
# case Tiqr_Server::AUTH_RESULT_AUTHENTICATED:
case Tiqr_Service::AUTH_RESULT_AUTHENTICATED:
# case Tiqr_Server::AUTH_RESULT_INVALID_CHALLENGE:
case Tiqr_Service::AUTH_RESULT_INVALID_CHALLENGE:
# case Tiqr_Server::AUTH_RESULT_INVALID_REQUEST:
case Tiqr_Service::AUTH_RESULT_INVALID_REQUEST:
# case Tiqr_Server::AUTH_RESULT_INVALID_RESPONSE:
case Tiqr_Service::AUTH_RESULT_INVALID_RESPONSE:
# case Tiqr_Server::AUTH_RESULT_INVALID_USERID:
case Tiqr_Service::AUTH_RESULT_INVALID_USERID:
|
Addition in /var/www/library/libTiqr/Tiqr/Random.php
| コード ブロック |
|---|
(Add following under the "public static function randomBytes($length)")
$strong = false;
$rnd = "";
|
Modification and Addition in /var/tiqrzenddemo/application/configs/application.ini
Modification Part (commented lines which start from # have to be removed otherwise it cause error)
| コード ブロック |
|---|
# resources.tiqr.identifier = "zeus.local"
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
# resources.tiqr.name = "Zeus"
resources.tiqr.name = "vm2"
# resources.tiqr.auth.protocol = "surfauth"
resources.tiqr.auth.protocol = "tiqrauth"
# resources.tiqr.logoUrl = "http://zeus.local/img/surfmedia-logo.png"
resources.tiqr.logoUrl = "https://vm2.peofiamp.nii.ac.jp/icons/GakuNin_logo.png"
# resources.tiqr.session.secret = "enter something truly random here, preferably generated using openssl"
resources.tiqr.session.secret = "0124567abcdefgh"
|
Addition Part
| コード ブロック |
|---|
\# (Add following under the 'resources.tiqr.userstorage.path = "/tmp"')
resources.tiqr.ocra.suite = "OCRA-1:HOTP-SHA1-6:QH10"
resources.log.stream.writerName = "Stream"
resources.log.stream.writerParams.stream = APPLICATION_PATH "/logs/application_" DATESTAMP ".log"
resources.log.stream.writerParams.mode = "a"
resources.log.stream.filterName = "Priority"
resources.log.stream.filterParams.priority = 7
|
Modification in /var/tiqrzenddemo/application/modules/v1/views/scripts/login/index.phtml
| コード ブロック |
|---|
# $this->headScript()->prependFile($this->baseURL().'/scripts/jquery.js')
$this->headScript()->prependFile($this->baseUrl().'/scripts/jquery.js')
|
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Enroll/Abstract.php
| コード ブロック |
|---|
# $this->view->enrollmentURL = $this->_getTiqr()->generateEnrollmentURL($metadataURL);
$this->view->enrollmentURL = $metadataURL;
|
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Login/Abstract.php
| コード ブロック |
|---|
//$secret = pack('H*', $this->_getUserSecret($userId));
$secret = $this->_getUserSecret($userId);
|
5. Configuration of Apache
httpd.conf (Add)
| コード ブロック |
|---|
Alias /tiqr/ "/var/tiqrzenddemo/public/"
|
ssl.conf (Add)
| コード ブロック |
|---|
<Location /tiqr>
RewriteEngine On
RewriteBase /tiqr
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ /tiqr/index.php [NC,L]
</Location>
|
Remove the following expression in /var/tiqrzenddemo/public/.htaccess
| コード ブロック |
|---|
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
|
6. Configuration of TiqrShib Handler in Shibboleth
Generate tiqrshibAuthn.class by compiliing the tiqrshibAuthn.java
Copy the class file in /usr/java/tomcat/webapps/idp/WEB-INF/classes/
Following is an example of compiling option.
| コード ブロック |
|---|
javac -classpath /usr/java/tomcat/lib/servlet-api.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-common-1.3.0.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-identityprovider-2.3.0.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-jce-1.1.0.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/slf4j-api-1.6.1.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/openws-1.4.2.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/xmltooling-1.3.2.jar tiqrshibAuthn.java
|
Configuration of web.xml and handler.xml
(*) In the handler.xml configuration, UserPassword handler should remain. That is, UserPassword handler should not be commented out but it just be added as a new handler.
Modification in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
| コード ブロック |
|---|
<!-- Servlet protected by container used for TiqrShib authentication -->
<servlet>
<servlet-name>TiqrShibAuthHandler</servlet-name>
<servlet-class>tiqrshibAuthn</servlet-class>
<init-param>
<param-name>authnMethod</param-name>
<param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TiqrShibAuthHandler</servlet-name>
<url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping>
|
Modification in handler.xml of shibboleth IdP
| コード ブロック |
|---|
<ph:LoginHandler xsi:type="ph:ExternalAuthn"
externalAuthnPath="/Authn/TiqrShib" >
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ph:AuthenticationMethod>
</ph:LoginHandler>
|
Configuration of Shibboleth
(1) Configuration of IdP
Make Username/PasswordHandler as default handler
Addition in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
| コード ブロック |
|---|
<!-- Servlet for doing Username/Password authentication -->
<servlet>
<servlet-name>UsernamePasswordAuthHandler</servlet-name>
<servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
<init-param>
<param-name>authnMethod</param-name>
<param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
|
Configuration in relying-party.xml
| コード ブロック |
|---|
<rp:DefaultRelyingParty provider="https://IdPサーバ/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
|
(2) Configuration of SP in IdP server
Add SessionInitiator in shibboleth2.xml
| コード ブロック |
|---|
<!-- Special SessionInitiator for Tiqr!!! -->
<SessionInitiator type="SAML2" Location="/TiqrShib" id="siid1" entityID="https://simptest2.nec.test/idp/shibboleth" template="bindingTemplate.html" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
|
Addition in /etc/httpd/conf.d/shibd.conf
| コード ブロック |
|---|
<Location /TiqrShib>
AuthType shibboleth
ShibRequestSetting requireSessionWith siid1
require valid-user
</Location>
|
(3) Configuration of SP (Application SP which requests Tiqr authentication)
Add ="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" in SessionInitiator
| コード ブロック |
|---|
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="tiqrshiblogin" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract">
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1"/>
<SessionInitiator type="SAMLDS" URL="https://DSサーバ/ds/WAYF"/>
</SessionInitiator>
|
7. Initial Setting of TiqrShib
Initial values setting in application/Bootstrap.php
| コード ブロック |
|---|
<?php
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
// retrieve tiqrshib constants
protected function _initConstants()
{
$options = $this->getOption('constants');
if (is_array($options)) {
foreach($options as $key => $value) {
if(!defined($key)) {
define($key, $value);
}
}
}
}
protected function _initLogger() {
$this->bootstrap("log");
$logger = $this->getResource("log");
Zend_Registry::set("logger", $logger);
}
}
|
(*) The above Logger function is required since tiqrshib code has log output codes.
Initial Setting of Tiqr
Modification in /var/tiqrzenddemo/application/config/application.ini
| コード ブロック |
|---|
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
↑replace as your server FQDN
resources.tiqr.name = "vm2"
↑Tiqrサーバの名称(アプリ上に表示される)を記入。
resources.tiqr.logoUrl = "https://vm2.peofiamp.nii.ac.jp/icons/gakunin-logo.png"
↑アプリに表示するロゴを指定。5KBくらいのpngファイル。100KBくらいだとアプリへのロードに時間が掛る。
constants.TIQRSHIB_DOMAIN = "nii.ac.jp"
↑IdPが送るeppnのセキュリティドメイン
↓以下のLDAP設定には、attribute-resolver.xmlと同じものを設定。
constants.TIQRSHIB_LDAP_HOST = "localhost"
constants.TIQRSHIB_LDAP_PORT = "389"
constants.TIQRSHIB_LDAP_BASEDN = "o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_BINDREQUIRESDN = "true"
constants.TIQRSHIB_LDAP_USERNAME = "cn=Manager,o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_PASSWORD = "password"
|
(*) LDAPの検索では、"uid"をフィルタとして検索しています。
uidと異なる属性名を利用している場合は、/var/tiqrzenddemo/library/libTiqrShib/tiqrShibLdap.phpの
$result = $ldap->search('(uid='.$userId.')');
の行(2か所)にて、"uid"を修正して下さい。