注意 |
---|
If you are using TiqrShib version 2.0, we strongly recommend you update it to 2.1 or later. |
...
Following document instructs how to install shibbolized Tiqr Shibbolized Tiqr (or "tiqrshib") in the IdP environment. You don't have to hack the IdP itself. It works as an external login handler. Please feel free to contact us (tiqr at meatmail.jp) if you have any difficulty while installing thisduring installation.
目次 |
---|
注意 |
---|
In order to connect tiqr and shibboleth accounts, this shibbolized tiqr utilizes "title" and "street" attributes in the LDAP, each of which corresponds to "isActive" and "secret" values of Tiqr, respectively. Please modify these attributes appropriately depending on your environment. You can realize it by customizing /var/tiqrzenddemo/library/tiqrShibLdap.php |
1. Installation of Shibboleth SP in IdP Server
SP function is required when Tiqr account will enroll in the IdP. This SP does not need to join to the federation but only need to communicate with the IdP. The IdP includes the SP's metadata in its relying-party.xml. Installed SP also includes the IdP's metadata solely.
2. Deployment of TiqrShib
Checkout the source code from the repository then,
...
About Enviroment
This instruction is for Shibbolized Tiqr 2.2. Shibbolized Tiqr is tested under the following environment.
- CentOS 7.5
- httpd 2.4
- PHP 5.4
- Oracle JDK 1.8
- Apache Maven 3.2
- Tomcat 9.0
- Shibboleth IdP 3.4.0
- Shibboleth SP 3.0
This document assumes Shibboleth IdP and SP are configured and ready for SAML SSO; IdP should be able to authenticate users per SP's authn request, and supply users' attributes back to SP appropriately. Some attributes must be supplied to SP because Shibbolized Tiqr implicitly requires them:
- ePPN (eduPersonPrincipalName)
- displayName
This document assumes they are installed based on the following document provided by GakuNin. If you installed them in a different way, modify the procedure below as your system requires.
...
...
pages/viewpage.action?pageId=20021624 (in Japanese)
Installation
Install Dependent Yum Packages
To install depending packages, run the following command:
コード ブロック |
---|
$ sudo yum -y install httpd php mod_ssl php-gd php-pdo php-mcrypt sqlite |
Here, sqlite is installed as our sample configuration requires it. If you want to use MySQL for the backend DB, consider installing "mysql-connector-odbc" and "php-mysql" instead.
Checkout Source Code for Shibbolized Tiqr
Checkout the source code from the repository.
コード ブロック |
---|
$ svn co https://forge.gakunin.nii.ac.jp/anonsvn/tiqrshib/trunk tiqrshib
|
It should contain two projects, "tiqrzend" and the Shibboleth IdP extension.
Deploy "tiqrzend" server
Here we setup "tiqrzend" first.
- Extract all the content in "tiqrzend" package under /opt/tiqrzend/.
- Download phpqrcode 1.1.4 and unarchive under /opt/tiqrzend/library/phpqrcode/: http://phpqrcode.sourceforge.net/
- Make /opt/tiqrzend/application/logs writable from your httpd.
After the procedure above, you can check the result with tree command:
コード ブロック |
---|
$ tree --charset=ascii -L 2 /opt/tiqrzend/
/opt/tiqrzend/
|-- application
| |-- Bootstrap.php
| |-- configs
| |-- controllers
| |-- layouts
| |-- modules
| `-- views
|-- library
| |-- phpqrcode
| |-- tiqr
| |-- tiqrshib
| |-- tiqr-zf
| |-- zend -> ZendFramework-1.12.9-minimal
| `-- ZendFramework-1.12.9-minimal
|-- public
| |-- images
| |-- index.php
| `-- scripts
|-- resources
| `-- Sample.php
`-- tests
|-- application
|-- library
`-- phpunit.xml
20 directories, 4 files |
Configure tiqrzend
Copy /opt/tiqrzend/application/configs/application.example.ini to /opt/tiqrzend/application/configs/application.ini.
コード ブロック |
---|
$ cp /opt/tiqrzend/application/configs/application.example.ini /opt/tiqrzend/application/configs/application.ini |
The sample configuration file should contain detailed instructions for each setting. It is recommended to read it through and modify the setting as your organization requires.
At the very least, you probably need to configure two settings show below:
- resources.tiqrshib.eppnScope must be exactly same as idp.scope setting in Shibboleth IdP's idp.properties (/opt/shibboleth-idp/conf/idp.properties)
- resources.tiqr.identifier should contain your organization identifier
Prepare DB for tiqrshib's "SecretStorage". For evaluation purpose, run the following commands:
コード ブロック |
---|
$ mkdir -p /opt/tiqrzend/db/
$ sqlite3 /opt/tiqrzend/db/secrets.db
sqlite> CREATE TABLE IF NOT EXISTS tiqrshibsecrets (
...> `id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
...> `uid` text NOT NULL UNIQUE,
...> `secret` text DEFAULT NULL,
...> `isActive` integer DEFAULT NULL,
...> `loginattempts` integer DEFAULT NULL,
...> `isBlocked` integer DEFAULT NULL);
sqlite> (exit)
$ sudo chown -R apache: /opt/tiqrzend/db
$ sudo chmod -R go-rwx /opt/tiqrzend/db |
Configure httpd
Modify /etc/httpd/conf.d/ssl.conf (or whatever httpd config file you prefer) so httpd contain the following settings:
コード ブロック |
---|
Alias /tiqr/ "/opt/tiqrzend/public/"
<Location /tiqr>
RewriteEngine On
RewriteBase /tiqr
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ /tiqr/index.php [NC,L]
require all granted
</Location>
<Location /tiqr/shib/enroll/process>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location> |
Confirm "tiqrzend" is Working
With the modifications above, tiqr authentication flow should be ready for evaluation.
Now try the following "enrollment" and "login" flow.
- Enrollment flow
- Visit https://(your host name)/tiqr/shib/enroll
- Check if a QR code is shown to the screen
- Scan the QR code using Tiqr mobile application, and enter a 4-digit PIN code
- You should be able to register the service via the mobile app.
- Login flow
- After the enrollment, visit https://(your host name)/tiqr/shib/login
- You will see another QR code
- Scan the QR code with the Tiqr mobile app
- You are asked to enter the 4-digit PIN code that you entered in the enrollment flow
- If you enter the correct PIN, Tiqr mobile app ask you if you are ok with the login.
- After you approve the login, the message "Login is successful" will be shown to the mobile app.
- You will see HTTP 404 or similar error messages that happens because IdP is not ready yet.
- At this step you can at least check enrollment and login in tiqr side is successful.
Note that web interface will show some error message at the last step. At this point it is expected. The tiqrzend's login interface is intended for IdP integration, and without IdP, it cannot correctly redirect back to the IdP.
What you should check here is if the redirect happens at this point. If the redirect does not happen and some other problem happens, you will need to trouble-shoot it here.
Checking "tiqrzend" Log
There are multiple logs to be checked when there are some errors.
- httpd's logs in /var/log/httpd
- PHP's logs in syslog or whatever you configured at /etc/php.ini
- tiqrzend's logs /opt/tiqrzend/application/logs/
Deploy the Shibboleth IdP extension
Build the Extension
Building the IdP extension requires Apache Maven. You can build the extension outside where IdP resides, but you need the same Java environment to build the extension there.
Here is how to install Apache Maven 3.5.0 in /opt/ directory.
コード ブロック |
---|
$ export MVN_VERSION=3.5.0
$ wget http://ftp.riken.jp/net/apache/maven/maven-3/${MVN_VERSION}/binaries/apache-maven-${MVN_VERSION}-bin.tar.gz
$ tar xf apache-maven-${MVN_VERSION}-bin.tar.gz -C /opt/
$ export PATH=/opt/apache-maven-${MVN_VERSION}/bin:$PATH
$ mvn --version
(Check Maven is installed) |
Under the "idp/" directory in this project, run the following commands:
コード ブロック |
---|
$ ls
pom.xml src
$ mvn -DskipTests=false clean package
... (a lot of logs) ...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.683 s
[INFO] Finished at: 2017-09-05T16:41:39+09:00
[INFO] Final Memory: 24M/361M
[INFO] ------------------------------------------------------------------------
$ ls
pom.xml src target
$ ls target/
classes maven-archiver tiqrshibauthn-2.2.jar |
Here, tiqrshibauthn-2.x.jar
in target/ is what we want.
If you are outside the host where IdP resides, copy the jar file to the server.
Install the Extension into Shibboleth IdP
From this step, we assume you logged in the host where IdP resides as root.
Before going forward, we recommend to stop Tomcat.
コード ブロック |
---|
# systemctl stop tomcat |
Place tiqrshibauthn-2.x.jar in /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
directory.
コード ブロック |
---|
# cp -i .../tiqrshibauthn-2.?.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/ |
Add the following XML content in `/opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml`. If you don't have the web.xml file, copy from `/opt/shibboleth-idp/webapp/WEB-INF/web.xml` in advance.
コード ブロック |
---|
<servlet>
<servlet-name>TiqrShibAuthnHandler</servlet-name>
<servlet-class>jp.gakunin.tiqrshib.TiqrShibAuthnServlet</servlet-class>
<load-on-startup>4</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TiqrShibAuthnHandler</servlet-name>
<url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping> |
Rebuild the modified IdP WAR package using bin/build.sh.
コード ブロック |
---|
# bin/build.sh |
Depending on your Tomcat configuration, you may need to copy `idp.war` in `$CATALINA_BASE/webapps/` and remove `idp/` directory there.
コード ブロック |
---|
# cp -f /opt/shibboleth-idp/war/idp.war $CATALINA_BASE/webapps/
# rm -rf $CATALINA_BASE/webapps/idp |
Also depending on your Tomcat version, you may need to remove temporary files.
コード ブロック |
---|
# rm -r $CATALINA_BASE/webapps/idp $CATALINA_BASE/work/Catalina/localhost/idp |
Configure IdP for the Extension
Move to `/opt/shibboleth-idp/` and modify relevant configuration files.
コード ブロック |
---|
# cd /opt/shibboleth-idp |
Create `flows/authn/tiqrshib/` directory and copy some relevant XML files. Then edit copied files so they become ready for tiqrshib authentication.
You can use the following sequence of sed commands if original XML are untouched:
コード ブロック |
---|
# mkdir flows/authn/tiqrshib/
# cp system/flows/authn/external-authn-flow.xml flows/authn/tiqrshib/tiqrshib-flow.xml
# sed -i 's/external-authn-beans\.xml/tiqrshib-beans.xml/' flows/authn/tiqrshib/tiqrshib-flow.xml
# cp system/flows/authn/external-authn-beans.xml flows/authn/tiqrshib/tiqrshib-beans.xml
# sed -i 's/external-authn-config\.xml/tiqrshib-authn-config.xml/' flows/authn/tiqrshib/tiqrshib-beans.xml
# cp dist/conf/authn/external-authn-config.xml.dist conf/authn/tiqrshib-authn-config.xml
# sed -i 's/Authn\/External/Authn\/TiqrShib/' conf/authn/tiqrshib-authn-config.xml |
情報 |
---|
All the procedures above are case-sensitive. Distinguish between "authn/tiqrshib" and "Authn/TiqrShib". |
Add the following XML content in `conf/authn/general-authn.xml`.
コード ブロック |
---|
<bean id="authn/tiqrshib" parent="shibboleth.AuthenticationFlow"
p:nonBrowserSupported="false">
<property name="supportedPrincipals">
<list> |
- Copy tiqrzenddemo to /var/tiqrzenddemo
- Copy var/www/html/TiqrShib to /var/www/html/TiqrShib (deploy trans.php)
If you are using PHP under 5.2, please modify tran.php as follows.
コード ブロック |
---|
// for under php5.2
ini_set('session.cookie_httponly', 1);
setcookie($cookieName, $value, $timeout, $cookiepath, "", TRUE);
// for php5.2 over
//setcookie($cookieName, $value, $timeout, $cookiepath, "", TRUE, TRUE);
|
- Copy var/www/html/tiqrenroll/index.html to /var/www/html/tiqrenroll (deploy index.html)
Modify the server FQDN in the above index.html (the following part)
コード ブロック |
---|
<input style="font:8pt" type=button value="Register" onclick="window.location.href='https://(FQDN of the IdP server)/TiqrShib/trans.php'">
|
3. Deployment of Related Library
Download the following application and deploy
Application | Version | Download Site |
---|---|---|
Tiqr-server-library | 1.0.0 | |
Tiqr-server-zendframework | 1.0.0 | |
ZendFramework | 1.12.3-minimal | |
phpqrcode | 1.1.4 |
コード ブロック |
---|
mkdir /var/www/library
cp -rp tiqr-server-library-1.0.0/library/tiqr /var/www/library/libTiqr
cp -rp tiqr-server-zendframework-1.0.0/library/tiqr-zf /var/www/library/
cp -rp phpqrcode /var/www/library/
cp -rp ZendFramework-1.12.3-minimal /usr/share/
ln -s ZendFramework-1.12.3-minimal ZendFramework
|
Confirm the following links. If not provide soft links as follows.
コード ブロック |
---|
ln -s /var/www/library/libTiqr /var/tiqrzenddemo/library/tiqr
ln -s /var/www/library/phpqrcode /var/tiqrzenddemo/library/phpqrcode
ln -s /var/www/library/tiqr-zf /var/tiqrzenddemo/library/tiqr-zf
ln -s /usr/share/ZendFramework /var/tiqrzenddemo/library/zend
|
(*) If you don't like the link, you can copy the files in both directory.
In that case, the libraries should be stored in /var/tiqrzenddemo/library/ . Following modification also required in /var/tiqrzenddemo/public/index.php
コード ブロック |
---|
// Ensure library/ is on include_path
set_include_path(implode(PATH_SEPARATOR, array(
realpath(APPLICATION_PATH . '/../library/zend/library'),
realpath(APPLICATION_PATH . '/../library/tiqr'),
realpath(APPLICATION_PATH . '/../library/tiqr-zf'),
realpath(APPLICATION_PATH . '/../library/libTiqrShib'),
get_include_path(),
)));
|
Configure Llibrary Path
Include the following configuration in /etc/php.ini
コード ブロック |
---|
include_path = ".:/usr/share/ZendFramework/library:/var/www/library/libTiqr"
|
4. Modification of Library
Modification of ZendFramework
Following function have to be added in /usr/share/ZendFramework/library/Zend/View/Helper/Placeholder/Container/Abstract.php
コード ブロック |
---|
/**
* Sort the array by key
*
* @return array
*/
public function ksort()
{
$items = $this->getArrayCopy();
return ksort($items);
}
|
Modification of Tiqr,Tiqr-zf
Modification in /var/www/library/tiqr-zf/Tiqr/Resource/Tiqr.php
情報 |
---|
Some of the bugs seems to be fixed in the trunk version. |
コード ブロック |
---|
# require_once "Tiqr/Server.php";
require_once "Tiqr/Service.php";
|
Modification in /var/www/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php
コード ブロック |
---|
# case Tiqr_Server::AUTH_RESULT_AUTHENTICATED:
case Tiqr_Service::AUTH_RESULT_AUTHENTICATED:
# case Tiqr_Server::AUTH_RESULT_INVALID_CHALLENGE:
case Tiqr_Service::AUTH_RESULT_INVALID_CHALLENGE:
# case Tiqr_Server::AUTH_RESULT_INVALID_REQUEST:
case Tiqr_Service::AUTH_RESULT_INVALID_REQUEST:
# case Tiqr_Server::AUTH_RESULT_INVALID_RESPONSE:
case Tiqr_Service::AUTH_RESULT_INVALID_RESPONSE:
# case Tiqr_Server::AUTH_RESULT_INVALID_USERID:
case Tiqr_Service::AUTH_RESULT_INVALID_USERID:
|
Addition in /var/www/library/libTiqr/Tiqr/Random.php
コード ブロック |
---|
(Add following statement under the "public static function randomBytes($length)", just before the "if" function.)
$strong = false;
$rnd = "";
|
Modification in /var/tiqrzenddemo/application/configs/application.ini (modify these parameters depending on your environments)
コード ブロック |
---|
resources.tiqr.identifier = "idp.gakunin.nii.ac.jp"
resources.tiqr.name = "gakunin-test-tiqr"
resources.tiqr.logoUrl = "https://openidp.nii.ac.jp/images/gakunin-logo.png"
resources.tiqr.session.secret = "enter something truly random here, preferably generated using openssl"
|
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Enroll/Abstract.php
コード ブロック |
---|
# $this->view->enrollmentURL = $this->_getTiqr()->generateEnrollmentURL($metadataURL);
$this->view->enrollmentURL = $metadataURL;
|
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php
コード ブロック |
---|
//$secret = pack('H*', $this->_getUserSecret($userId));
$secret = $this->_getUserSecret($userId);
|
5. Configuration of Apache
httpd.conf (Add)
コード ブロック |
---|
Alias /tiqr/ "/var/tiqrzenddemo/public/"
Alias /tiqrenroll/ "/var/www/html/tiqrenroll/"
|
ssl.conf (Add)
コード ブロック |
---|
<Location /tiqr>
RewriteEngine On
RewriteBase /tiqr
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ /tiqr/index.php [NC,L]
</Location>
|
6. Configuration of TiqrShib Handler in Shibboleth
Generate tiqrshibAuthn.class by compiling the tiqrshibAuthn.java
Copy the class file into /usr/java/tomcat/webapps/idp/WEB-INF/classes/
Following is an example of compiling option.
コード ブロック |
---|
javac -classpath /usr/java/tomcat/lib/servlet-api.jar:/opt/shibboleth-idp/lib/shibboleth-common-1.3.2.jar:/opt/shibboleth-idp/lib/shibboleth-identityprovider-2.3.2.jar:/opt/shibboleth-idp/lib/shibboleth-jce-1.1.0.jar:/opt/shibboleth-idp/lib/slf4j-api-1.6.1.jar:/opt/shibboleth-idp/lib/openws-1.4.2.jar:/opt/shibboleth-idp/lib/xmltooling-1.3.2.jar tiqrshibAuthn.java
|
Configuration of web.xml and handler.xml
(*) In the handler.xml configuration, UserPassword handler should remain. That is, UserPassword handler should not be commented out and following TiqrShib handler should be added as a new handler.
Modification in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
コード ブロック |
---|
<!-- Servlet protected by container used for TiqrShib authentication -->
<servlet>
<servlet-name>TiqrShibAuthHandler</servlet-name>
<servlet-class>tiqrshibAuthn</servlet-class>
<init-param>
<param-name>authnMethod</param-name>
<param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TiqrShibAuthHandler</servlet-name>
<url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping>
|
Modification in handler.xml of shibboleth IdP
コード ブロック |
---|
<ph:LoginHandler xsi:type="ph:ExternalAuthn"
externalAuthnPath="/Authn/TiqrShib" >
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ph:AuthenticationMethod>
</ph:LoginHandler>
|
Configuration of Shibboleth
(1) Configuration of IdP
Make Username/PasswordHandler as default handler
Addition in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
コード ブロック |
---|
<!-- Servlet for doing Username/Password authentication -->
<servlet>
<servlet-name>UsernamePasswordAuthHandler</servlet-name>
<servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
<init-param>
<param-name>authnMethod</param-name>
<param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
|
Configuration in relying-party.xml
コード ブロック |
---|
<rp:DefaultRelyingParty provider="https://IDP SERVER/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
|
(2) Configuration of SP in IdP server
Add SessionInitiator in shibboleth2.xml
コード ブロック |
---|
<!-- Special SessionInitiator for Tiqr!!! --> <SessionInitiator<bean typeparent="SAML2" Location="/TiqrShib" id="siid1" entityID="https://IDP-SERVER-FQDN/idp/shibboleth" template="bindingTemplate.html" authnContextClassRefshibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransportMobileTwoFactorUnregistered" /> |
Addition in /etc/httpd/conf.d/shib.conf
コード ブロック |
---|
Alias /TiqrShib/ "/var/www/html/TiqrShib/" <Location /TiqrShib> AuthType shibboleth ShibRequestSetting requireSessionWith siid1</list> require valid-user </property> </Location> |
(3) Configuration of SP (Application SP which requests Tiqr authentication)
Add ="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" in SessionInitiator
bean> |
You probably want to modify `classRef` settings, depending on what authnContext you want to use for the tiqrshib authn.
Modify `conf/idp.properties` so `idp.authn.flows` contain "tiqrshib"
コード ブロック |
---|
idp.authn.flows=Password|tiqrshib |
Add sessionCookiePath="/"
in Context
element in `$CATALINA_BASE/conf/Catalina/localhost/idp.xml` in order to be able to check JSESSIONID in PHP side. E.g.:
コード ブロック | ||
---|---|---|
| ||
<Context docBase="/opt/shibboleth-idp/war/idp.war" | ||
コード ブロック | ||
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="tiqrshiblogin" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"> <SessionInitiator type="SAML2" template="bindingTemplate.html"/> <SessionInitiator typeprivileged="Shib1true"/> <SessionInitiator type="SAMLDS" URL="https://DS SERVER/ds/WAYF"/> antiResourceLocking="false" swallowOutput="true" sessionCookiePath="/"> ... </SessionInitiator> |
7. Initial Setting of TiqrShib
Initial Setting of Tiqr
Modification in /var/tiqrzenddemo/application/config/application.ini
コード ブロック |
---|
resources.tiqr.identifier = "tiqr.nii.ac.jp"
↑replace as your server FQDN
resources.tiqr.name = "vm2"
↑server name of Tiqr (it will be appeared in the application)
resources.tiqr.logoUrl = "https://tiqr.nii.ac.jp/icons/gakunin-logo.png"
↑logo file appeared in the application. 5KB is better. Over 100KB file takes long time to load it.
constants.TIQRSHIB_DOMAIN = "nii.ac.jp"
↑eppn security domain of the IdP
↓Following LDAP configuration is same with attribute-resolver.xml
constants.TIQRSHIB_LDAP_HOST = "localhost"
constants.TIQRSHIB_LDAP_PORT = "389"
constants.TIQRSHIB_LDAP_BASEDN = "o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_BINDREQUIRESDN = "true"
constants.TIQRSHIB_LDAP_USERNAME = "cn=Manager,o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_PASSWORD = "password"
|
(*) "uid” filter is utilized for LDAP search
If you would like to use the different filter, please modify the following 'uid"s to your preference.
In /var/tiqrzenddemo/library/libTiqrShib/tiqrShibLdap.php
In the line of $result = $ldap->search('(uid='.$userId.')');
there are two parts to be modified.
...
Context> |
Finally, start Tomcat.
コード ブロック | ||
---|---|---|
| ||
# systemctl start tomcat |
Make Shibboleth SP Rely on Shibbolized Tiqr
Modify SP so that it requests the authnContext you specified in general-authn.xml on certain path.
Here's an example of httpd configuration on a Shibboleth SP server, assuming it is already under a same federation with the IdP.
コード ブロック |
---|
<Location /shibtiqr_protected>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
Require valid-user
</Location> |
Configuration
Now that you confirmed Shibbolized Tiqr works on your server, we recommend reviewing your tiqrshib settings. Check your application.ini and review your settings. If you copied it from application.example.ini, you will see prenty of comments that describe each configuration and some recommendations.
In this section, we'll describe some of most important aspects of possible configurations.
Encryption Key and IV
Change secrets shared between tiqrzend and the IdP extension.
- On tiqrzend side, modify resources.tiqrshib.encryption.key and resources.tiqrshib.encryption.iv.
- On the extension side, modify AES_KEY and AES_IV in TiqrShibConstants.java in the IdP extension.
Note that the modification requires recreating jar file and IdP package re-build.
Metadata for Tiqr Server
Tiqr mobile application will show users basic information about the Tiqr server. The information is provided from Tiqr server on enrollment process. You probably want to change it before production use.
Check the following three settings.
- resources.tiqr.identifier
- resources.tiqr.name
- resources.tiqr.logoUrl
Consult to the official document (https://tiqr.org/tiqr-simplesaml-integration-guide) for more information.
Storage Setting
When SQLite3 is used, all the secret for users will be stored in local storange.
You may want some redundancy or possibly more performance, in which case consider using MySQL instead of SQLite3. There are descriptions in the example config how to achieve it.