Note: If you are using TiqrShib version 2.0, we strongly recommend you update it to 2.1 or later.
This document describes how to install Shibbolized Tiqr (or "tiqrshib") in the IdP environment. Please feel free to contact us (tiqr at meatmail.jp) if you have any difficulty during installation.
About Environment
This instruction is for Shibbolized Tiqr 2.2. Shibbolized Tiqr is tested under the following environment.
- CentOS 7.5
- httpd 2.4
- PHP 5.4
- Oracle JDK 1.8
- Apache Maven 3.2
- Tomcat 9.0
- Shibboleth IdP 3.4.10
- Shibboleth SP 3.0
This document assumes Shibboleth IdP and SP are configured and ready for SAML SSO; IdP should be able to authenticate users per SP's authn request, and supply users' attributes back to SP appropriately. Some attributes must be supplied to SP because Shibbolized Tiqr implicitly requires them:
...
This document assumes they are installed based on the following document provided by GakuNin. If you installed them in a different way, modify the procedure below as your system requires.
https://meatwiki.nii.ac.jp/confluence/pages/viewpage.action?pageId=20021624 (in Japanese)
Installation
Install
...
Dependent Yum Packages
To install the dependent packages, run the following command:

```bash
$ sudo yum -y install httpd php mod_ssl php-gd php-pdo php-mcrypt sqlite
```
Here, sqlite is installed as our sample configuration requires it. If you want to use MySQL for the backend DB, consider installing "mysql-connector-odbc" and "php-mysql" instead.
...
Checkout
...
Source Code for Shibbolized Tiqr
Check out the source code from the repository.
...
It should contain two projects, "tiqrzend" and the Shibboleth IdP extension. Here
Deploy "tiqrzend" server
Here we set up "tiqrzend" first.
...
After the procedure above, you can check the result with the tree command:

```bash
$ tree --charset=ascii -L 2 /opt/tiqrzend/
/opt/tiqrzend/
|-- application
|   |-- Bootstrap.php
|   |-- configs
|   |-- controllers
|   |-- layouts
|   |-- modules
|   `-- views
|-- library
|   |-- phpqrcode
|   |-- tiqr
|   |-- tiqrshib
|   |-- tiqr-zf
|   |-- zend -> ZendFramework-1.12.9-minimal
|   `-- ZendFramework-1.12.9-minimal
|-- public
|   |-- images
|   |-- index.php
|   `-- scripts
|-- resources
|   `-- Sample.php
`-- tests
    |-- application
    |-- library
    `-- phpunit.xml

20 directories, 4 files
```
...
Copy /opt/tiqrzend/application/configs/application.example.ini to /opt/tiqrzend/application/configs/application.ini.

```bash
$ cp /opt/tiqrzend/application/configs/application.example.ini /opt/tiqrzend/application/configs/application.ini
```
...
Prepare the DB for tiqrshib's "SecretStorage". For evaluation purposes, run the following commands:

```bash
$ mkdir -p /opt/tiqrzend/db/
$ sqlite3 /opt/tiqrzend/db/secrets.db
sqlite> CREATE TABLE IF NOT EXISTS tiqrshibsecrets (
   ...> `id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
   ...> `uid` text NOT NULL UNIQUE,
   ...> `secret` text DEFAULT NULL,
   ...> `isActive` integer DEFAULT NULL,
   ...> `loginattempts` integer DEFAULT NULL,
   ...> `isBlocked` integer DEFAULT NULL);
sqlite> (exit)
$ sudo chown -R apache: /opt/tiqrzend/db
$ sudo chmod -R go-rwx /opt/tiqrzend/db
```
Configure httpd
...
```apache
Alias /tiqr/ "/opt/tiqrzend/public/"
<Location /tiqr>
    RewriteEngine On
    RewriteBase /tiqr
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^.*$ /tiqr/index.php [NC,L]
    Require all granted
</Location>
<Location /tiqr/shib/enroll/process>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
```
Confirm "tiqrzend" is Working
With the modifications above, the tiqr authentication flow should be ready for evaluation.
...
What you should check here is whether the redirect happens at this point. If the redirect does not happen, or some other problem occurs, you will need to troubleshoot it here.
Checking "tiqrzend" Log
There are multiple logs to check when errors occur.
- httpd's logs in /var/log/httpd
- PHP's logs in syslog or whatever you configured at /etc/php.ini
- tiqrzend's login logs in /opt/tiqrzend/application/logs/
Deploy the Shibboleth IdP extension
Build the Extension
Building the IdP extension requires Apache Maven. You can build the extension on a host other than the one where the IdP resides, but you need the same Java environment there to build the extension.
Here is how to install Apache Maven 3.5.0 in the /opt/ directory.

```bash
$ export MVN_VERSION=3.5.0
$ wget http://ftp.riken.jp/net/apache/maven/maven-3/${MVN_VERSION}/binaries/apache-maven-${MVN_VERSION}-bin.tar.gz
$ tar xf apache-maven-${MVN_VERSION}-bin.tar.gz -C /opt/
$ export PATH=/opt/apache-maven-${MVN_VERSION}/bin:$PATH
$ mvn --version    (Check Maven is installed)
```
Under the "idp/" directory in this project, run the following commands:
```bash
$ ls
pom.xml  src
$ mvn -DskipTests=false clean package
... (a lot of logs) ...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.683 s
[INFO] Finished at: 2017-09-05T16:41:39+09:00
[INFO] Final Memory: 24M/361M
[INFO] ------------------------------------------------------------------------
$ ls
pom.xml  src  target
$ ls target/
classes  maven-archiver  tiqrshibauthn-2.2.jar
```
Here, tiqrshibauthn-2.2.jar in target/ is what we want.
If you are outside the host where IdP resides, copy the jar file to the server.
Install the Extension into Shibboleth IdP
From this step on, we assume you are logged in to the host where the IdP resides as root. You should also have the IdP's installation package unpacked somewhere.
...
Before going forward, we recommend stopping Tomcat.

```bash
# systemctl stop tomcat
```
Place tiqrshibauthn-2.2.jar in the IdP installer's /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/ directory.

```bash
# cp -i .../tiqrshibauthn-2.?.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/
```
If you choose to run Tomcat under the user "tomcat", you may also need to review the directory permissions in /opt/shibboleth-idp/ again.

```bash
# chown -R tomcat:tomcat /opt/shibboleth-idp/logs
# chgrp -R tomcat /opt/shibboleth-idp/conf
# chmod -R g+r /opt/shibboleth-idp/conf
# find /opt/shibboleth-idp/conf -type d -exec chmod -R g+s {} \;
# chgrp tomcat /opt/shibboleth-idp/metadata
# chmod g+w /opt/shibboleth-idp/metadata
# chmod +t /opt/shibboleth-idp/metadata
```
Add the following XML content to `/opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml`. If you don't have the web.xml file there, copy it from `/opt/shibboleth-idp/webapp/WEB-INF/web.xml` in advance.

```xml
<servlet>
    <servlet-name>TiqrShibAuthnHandler</servlet-name>
    <servlet-class>jp.gakunin.tiqrshib.TiqrShibAuthnServlet</servlet-class>
    <load-on-startup>4</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>TiqrShibAuthnHandler</servlet-name>
    <url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping>
```
Rebuild the modified IdP WAR package using bin/build.sh.
```bash
# bin/build.sh
```
Depending on your Tomcat configuration, you may need to copy `idp.war` in `$CATALINA_BASE/webapps/` and remove `idp/` directory there.
```bash
# cp -f /opt/shibboleth-idp/war/idp.war $CATALINA_BASE/webapps/
# rm -rf $CATALINA_BASE/webapps/idp
```
Also depending on your Tomcat version, you may need to remove temporary files.
```bash
# rm -r $CATALINA_BASE/webapps/idp $CATALINA_BASE/work/Catalina/localhost/idp
```
Configure IdP for the Extension
Move to `/opt/shibboleth-idp/` and modify relevant configuration files.
```bash
# cd /opt/shibboleth-idp
```
Create the `flows/authn/tiqrshib/` directory and copy the relevant XML files into it. Then edit the copied files so they are ready for tiqrshib authentication.
You can use the following sequence of sed commands if the original XML files are untouched:
```bash
# mkdir flows/authn/tiqrshib/
# cp system/flows/authn/external-authn-flow.xml flows/authn/tiqrshib/tiqrshib-flow.xml
# sed -i 's/external-authn-beans\.xml/tiqrshib-beans.xml/' flows/authn/tiqrshib/tiqrshib-flow.xml
# cp system/flows/authn/external-authn-beans.xml flows/authn/tiqrshib/tiqrshib-beans.xml
# sed -i 's/external-authn-config\.xml/tiqrshib-authn-config.xml/' flows/authn/tiqrshib/tiqrshib-beans.xml
# cp dist/conf/authn/external-authn-config.xml.dist conf/authn/tiqrshib-authn-config.xml
# sed -i 's/Authn\/External/Authn\/TiqrShib/' conf/authn/tiqrshib-authn-config.xml
```
Info: All the procedures above are case-sensitive. Distinguish between "authn/tiqrshib" and "Authn/TiqrShib".
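The sed sequence above is easy to get subtly wrong (a stale `external-authn` reference, or the wrong case in `Authn/TiqrShib`) and the IdP only complains at startup. The following is an added example, not part of the page or the tiqrshib project: it rehearses the same commands on constructed stand-ins for the three IdP files under a scratch root, then checks that each copied file points at its tiqrshib counterpart and that no original reference survives.

```shell
#!/bin/sh
# Added example (not the page's or the project's code): rehearse the page's sed
# sequence on constructed stand-ins under a scratch root and verify the result.
set -eu

# Constructed stand-ins holding only the lines the sed commands act on.
make_fixture() {
  root="$1"
  mkdir -p "$root/system/flows/authn" "$root/dist/conf/authn" "$root/conf/authn" "$root/flows/authn"
  printf '<bean-import resource="external-authn-beans.xml" />\n' \
    > "$root/system/flows/authn/external-authn-flow.xml"
  printf '<import resource="../../../conf/authn/external-authn-config.xml" />\n' \
    > "$root/system/flows/authn/external-authn-beans.xml"
  printf '<bean id="shibboleth.authn.External.externalAuthnPath" c:_0="contextRelative:Authn/External" />\n' \
    > "$root/dist/conf/authn/external-authn-config.xml.dist"
}

# The page's command sequence, run relative to $1 instead of /opt/shibboleth-idp.
apply_tiqrshib_flow() {
  ( cd "$1" &&
    mkdir -p flows/authn/tiqrshib/ &&
    cp system/flows/authn/external-authn-flow.xml flows/authn/tiqrshib/tiqrshib-flow.xml &&
    sed -i 's/external-authn-beans\.xml/tiqrshib-beans.xml/' flows/authn/tiqrshib/tiqrshib-flow.xml &&
    cp system/flows/authn/external-authn-beans.xml flows/authn/tiqrshib/tiqrshib-beans.xml &&
    sed -i 's/external-authn-config\.xml/tiqrshib-authn-config.xml/' flows/authn/tiqrshib/tiqrshib-beans.xml &&
    cp dist/conf/authn/external-authn-config.xml.dist conf/authn/tiqrshib-authn-config.xml &&
    sed -i 's/Authn\/External/Authn\/TiqrShib/' conf/authn/tiqrshib-authn-config.xml )
}

# Returns 0 only when flow -> beans -> authn-config chain to each other and nothing
# still references the external-authn originals. grep is case-sensitive, so a
# lowercase "authn/tiqrshib" in the servlet path is reported as a failure.
check_tiqrshib_flow() {
  root="$1"
  grep -q 'resource="tiqrshib-beans.xml"' "$root/flows/authn/tiqrshib/tiqrshib-flow.xml" &&
  grep -q 'conf/authn/tiqrshib-authn-config.xml' "$root/flows/authn/tiqrshib/tiqrshib-beans.xml" &&
  grep -q 'contextRelative:Authn/TiqrShib' "$root/conf/authn/tiqrshib-authn-config.xml" &&
  ! grep -q -e 'external-authn' -e 'Authn/External' \
      "$root/flows/authn/tiqrshib/tiqrshib-flow.xml" \
      "$root/flows/authn/tiqrshib/tiqrshib-beans.xml" \
      "$root/conf/authn/tiqrshib-authn-config.xml"
}

# Stand-alone run: build the fixture in a temp dir, apply the sequence, report.
main() {
  tmp=$(mktemp -d)
  make_fixture "$tmp" && apply_tiqrshib_flow "$tmp"
  if check_tiqrshib_flow "$tmp"; then echo "tiqrshib flow files are consistent"; else echo "stale references found" >&2; fi
  rm -rf "$tmp"
}
main
```

To check a real installation, point `check_tiqrshib_flow` at /opt/shibboleth-idp after running the page's commands there.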
Add the following XML content to `conf/authn/general-authn.xml`.

```xml
<bean id="authn/tiqrshib" parent="shibboleth.AuthenticationFlow"
      p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered" />
        </list>
    </property>
</bean>
```
You probably want to modify `classRef` settings, depending on what authnContext you want to use for the tiqrshib authn.
Modify `conf/idp.properties` so that `idp.authn.flows` contains "tiqrshib":

```properties
idp.authn.flows=Password|tiqrshib
```
Add sessionCookiePath="/" to the Context element in `$CATALINA_BASE/conf/Catalina/localhost/idp.xml` so that the PHP side is able to check JSESSIONID. E.g.:

```xml
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true"
         sessionCookiePath="/">
    ...
</Context>
```
Finally, start Tomcat.
```bash
# systemctl start tomcat
```
...
```apache
<Location /shibtiqr_protected>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
    Require valid-user
</Location>
```
...
Configuration
Now that you have confirmed Shibbolized Tiqr works on your server, we recommend reviewing your tiqrshib settings. Open your application.ini and review each setting. If you copied it from application.example.ini, you will see plenty of comments that describe each configuration option, along with some recommendations.
...
Change the secrets shared between tiqrzend and the IdP extension.
- On tiqrzend side, modify resources.tiqrshib.encryption.key and resources.tiqrshib.encryption.iv.
- On the extension side, modify AES_KEY and AES_IV in TiqrShibConstants.java in the IdP extension.
Note that this modification requires recreating the jar file and rebuilding the IdP package.
Metadata for Tiqr Server
...
- resources.tiqr.identifier
- resources.tiqr.name
- resources.tiqr.logoUrl
Consult the official document (https://tiqr.org/tiqr-simplesaml-integration-guide) for more information.
...
You may want some redundancy or possibly more performance, in which case consider using MySQL instead of SQLite3. The example config contains descriptions of how to achieve this.