Comment: Release 2.2

Note

If you are using TiqrShib version 2.0, we strongly recommend you update it to 2.1 or later.

This document describes how to install Shibbolized Tiqr (or "tiqrshib") in the IdP environment. Please feel free to contact us (tiqr at meatmail.jp) if you have any difficulty during installation.


About Environment

These instructions are for Shibbolized Tiqr 2.2, which has been tested in the following environment.

  • CentOS 7.5
  • httpd 2.4
  • PHP 5.4
  • Oracle JDK 1.8
  • Apache Maven 3.2
  • Tomcat 9.0
  • Shibboleth IdP 3.4.0
  • Shibboleth SP 3.0

This document assumes Shibboleth IdP and SP are already configured and ready for SAML SSO: the IdP should be able to authenticate users on the SP's authn request and supply the users' attributes back to the SP appropriately. Some attributes must be supplied to the SP because Shibbolized Tiqr implicitly requires them:

...

https://meatwiki.nii.ac.jp/confluence/pages/viewpage.action?pageId=20021624 (in Japanese)

Installation

Install Dependent Yum Packages

...

Code block
$ mkdir -p /opt/tiqrzend/db/
$ sqlite3 /opt/tiqrzend/db/secrets.db
sqlite> CREATE TABLE IF NOT EXISTS tiqrshibsecrets (
   ...> `id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
   ...> `uid` text NOT NULL UNIQUE,
   ...> `secret` text DEFAULT NULL,
   ...> `isActive` integer DEFAULT NULL,
   ...> `loginattempts` integer DEFAULT NULL,
   ...> `isBlocked` integer DEFAULT NULL);
sqlite> .exit
$ sudo chown -R apache: /opt/tiqrzend/db
$ sudo chmod -R go-rwx /opt/tiqrzend/db

Configure httpd

...

  • httpd's logs in /var/log/httpd
  • PHP's logs in syslog, or wherever you configured them in /etc/php.ini
  • tiqrzend's login logs in /opt/tiqrzend/application/logs/

...

Building the IdP extension requires Apache Maven. You can build the extension on a host other than the one where the IdP resides, but you need the same Java environment there to build the extension.

Here is how to install Apache Maven 3.5.0 in /opt/ directory.

...

Code block
$ ls
pom.xml  src
$ mvn -DskipTests=false clean package
... (a lot of logs) ...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.683 s
[INFO] Finished at: 2017-09-05T16:41:39+09:00
[INFO] Final Memory: 24M/361M
[INFO] ------------------------------------------------------------------------
$ ls
pom.xml  src  target
$ ls target/
classes  maven-archiver  tiqrshibauthn-2.2.jar

Here, tiqrshibauthn-2.0x.jar in target/ is what we want.

...

From this step on, we assume you are logged in as root on the host where the IdP resides. You should also have the IdP's installation package unpacked somewhere.

Code block
# pwd
/root/shibboleth-identity-provider-3.3.1

Before going forward, we recommend stopping Tomcat.

Code block
# systemctl stop tomcat

Place tiqrshibauthn-2.0x.jar in IdP installer's /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/ directory.

Code block
# cp -i .../tiqrshibauthn-2.?.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/

Add the following XML content to `/opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml`. If you don't have the web.xml file there, copy it from `/opt/shibboleth-idp/webapp/WEB-INF/web.xml` in advance.

Code block
<servlet>
    <servlet-name>TiqrShibAuthnHandler</servlet-name>
    <servlet-class>jp.gakunin.tiqrshib.TiqrShibAuthnServlet</servlet-class>
    <load-on-startup>4</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>TiqrShibAuthnHandler</servlet-name>
    <url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping>

Rebuild the modified IdP WAR package using bin/build.sh, as in a usual IdP installation.

Code block
# bin/build.sh

Depending on your Tomcat configuration, you may need to copy `idp.war` into `$CATALINA_BASE/webapps/` and remove the `idp/` directory there.

Code block
# cp -f /opt/shibboleth-idp/war/idp.war $CATALINA_BASE/webapps/
# rm -rf $CATALINA_BASE/webapps/idp

Also depending on your Tomcat version, you may need to remove temporary files.

Code block
# rm -r $CATALINA_BASE/webapps/idp $CATALINA_BASE/work/Catalina/localhost/idp


Configure IdP for the Extension

Move to `/opt/shibboleth-idp/` and modify relevant configuration files.

Code block
# cd /opt/shibboleth-idp

Create `flows/authn/tiqrshib/` directory and copy some relevant XML files. Then edit copied files so they become ready for tiqrshib authentication.

You can use the following sequence of sed commands if original XML are untouched:

Code block
# mkdir flows/authn/tiqrshib/
# cp system/flows/authn/external-authn-flow.xml flows/authn/tiqrshib/tiqrshib-flow.xml
# sed -i 's/external-authn-beans\.xml/tiqrshib-beans.xml/' flows/authn/tiqrshib/tiqrshib-flow.xml
# cp system/flows/authn/external-authn-beans.xml flows/authn/tiqrshib/tiqrshib-beans.xml
# sed -i 's/external-authn-config\.xml/tiqrshib-authn-config.xml/' flows/authn/tiqrshib/tiqrshib-beans.xml
# cp dist/conf/authn/external-authn-config.xml.dist conf/authn/tiqrshib-authn-config.xml 
# sed -i 's/Authn\/External/Authn\/TiqrShib/' conf/authn/tiqrshib-authn-config.xml
Info

All the procedures above are case-sensitive. Distinguish between "authn/tiqrshib" and "Authn/TiqrShib".
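The following is an added example, not part of the original page: it runs the copy-and-sed sequence above against a scratch IdP tree and then verifies that every reference was rewritten and that nothing still points at the stock External flow. The three source files it lays out are constructed minimal stand-ins carrying only the references the sed commands touch; they are not copies of the Shibboleth distribution files.

```shell
#!/bin/sh
# Added example, not from the original page: run the copy-and-sed sequence above
# against a scratch IdP tree and verify the result. The three source files are
# constructed minimal stand-ins carrying only the references that the sed
# commands rewrite; they are not copies of the Shibboleth distribution files.
set -eu

# Lay out a scratch tree with the paths the sequence expects.
make_scratch_idp() {  # $1 = scratch root
    root=$1
    mkdir -p "$root/system/flows/authn" "$root/dist/conf/authn" "$root/conf/authn"
    cat > "$root/system/flows/authn/external-authn-flow.xml" <<'EOF'
<flow><!-- constructed stand-in -->
  <bean-import resource="external-authn-beans.xml" />
</flow>
EOF
    cat > "$root/system/flows/authn/external-authn-beans.xml" <<'EOF'
<beans><!-- constructed stand-in -->
  <import resource="../../../conf/authn/external-authn-config.xml" />
</beans>
EOF
    cat > "$root/dist/conf/authn/external-authn-config.xml.dist" <<'EOF'
<beans><!-- constructed stand-in -->
  <bean id="externalAuthnPath" class="java.lang.String" c:_0="contextRelative:Authn/External" />
</beans>
EOF
}

# The document's sequence, run from the IdP root (paths are relative to it).
install_tiqrshib_flow() {  # $1 = IdP root
    (
    cd "$1"
    mkdir -p flows/authn/tiqrshib/
    cp system/flows/authn/external-authn-flow.xml flows/authn/tiqrshib/tiqrshib-flow.xml
    sed -i 's/external-authn-beans\.xml/tiqrshib-beans.xml/' flows/authn/tiqrshib/tiqrshib-flow.xml
    cp system/flows/authn/external-authn-beans.xml flows/authn/tiqrshib/tiqrshib-beans.xml
    sed -i 's/external-authn-config\.xml/tiqrshib-authn-config.xml/' flows/authn/tiqrshib/tiqrshib-beans.xml
    cp dist/conf/authn/external-authn-config.xml.dist conf/authn/tiqrshib-authn-config.xml
    sed -i 's/Authn\/External/Authn\/TiqrShib/' conf/authn/tiqrshib-authn-config.xml
    )
}

# Returns 0 when the three new files chain to each other and nothing still
# points at the stock External flow; 1 otherwise. The last check is
# case-sensitive on purpose: "authn/tiqrshib" names the flow, "Authn/TiqrShib"
# names the servlet path, and the two must not be mixed up.
verify_tiqrshib_flow() {  # $1 = IdP root
    root=$1
    grep -q 'tiqrshib-beans.xml' "$root/flows/authn/tiqrshib/tiqrshib-flow.xml" || return 1
    grep -q 'tiqrshib-authn-config.xml' "$root/flows/authn/tiqrshib/tiqrshib-beans.xml" || return 1
    grep -q 'contextRelative:Authn/TiqrShib' "$root/conf/authn/tiqrshib-authn-config.xml" || return 1
    if grep -rq -e 'external-authn-' -e 'Authn/External' \
            "$root/flows/authn/tiqrshib" "$root/conf/authn/tiqrshib-authn-config.xml"; then
        return 1
    fi
    return 0
}
```

On a real installation, run `verify_tiqrshib_flow /opt/shibboleth-idp` after the sed sequence; a non-zero result means one of the copies was skipped or a sed pattern did not match (for example because the distribution files had been edited before).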

Add the following XML content in `conf/authn/general-authn.xml`.

Code block
<bean id="authn/tiqrshib" parent="shibboleth.AuthenticationFlow"
    p:nonBrowserSupported="false">
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered" />
        </list>
    </property>
</bean>

You probably want to modify the `classRef` setting, depending on which authnContext you want to use for the tiqrshib authn.

Modify `conf/idp.properties` so that `idp.authn.flows` contains "tiqrshib".

Code block
idp.authn.flows=Password|tiqrshib

Add sessionCookiePath="/" to the Context element in `$CATALINA_BASE/conf/Catalina/localhost/idp.xml` so that the PHP side can check JSESSIONID. E.g.:

Code block
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true"
         sessionCookiePath="/">

...
</Context>
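The following is an added example, not part of the original page: a pre-start consistency check over the IdP-side edits described above (the servlet entry and mapping in web.xml, the extension jar in edit-webapp, the `authn/tiqrshib` bean in general-authn.xml, the `Authn/TiqrShib` path in tiqrshib-authn-config.xml, `idp.authn.flows` in idp.properties, and `sessionCookiePath` in Tomcat's idp.xml). The fixture files it writes are constructed stand-ins, and recognising each setting by a plain text match rather than parsing the XML is an assumption of this check, not something the document states.

```shell
#!/bin/sh
# Added example, not from the original page: check that the IdP-side settings
# described above agree with each other before Tomcat is started.
# Assumptions: files sit where this document places them, and each setting can
# be recognised by a plain text match (no XML parsing).
set -eu

# Reports each unmet expectation on stdout.
# Returns 0 when everything is consistent, otherwise the number of failures.
check_tiqrshib_idp() {  # $1 = IdP home, $2 = $CATALINA_BASE
    idp=$1; catalina=$2; fails=0

    # idp.authn.flows is a '|'-separated list; require the exact token.
    flows=$(sed -n 's/^idp\.authn\.flows=//p' "$idp/conf/idp.properties" 2>/dev/null || true)
    case "|$flows|" in
        *"|tiqrshib|"*) ;;
        *) echo "idp.properties: idp.authn.flows does not list tiqrshib"; fails=$((fails + 1)) ;;
    esac

    # The flow bean id must match the flow directory name (lower case).
    grep -q 'id="authn/tiqrshib"' "$idp/conf/authn/general-authn.xml" \
        || { echo "general-authn.xml: no bean id=\"authn/tiqrshib\""; fails=$((fails + 1)); }

    # The external authn path must point at the servlet mapping (mixed case).
    grep -q 'Authn/TiqrShib' "$idp/conf/authn/tiqrshib-authn-config.xml" \
        || { echo "tiqrshib-authn-config.xml: Authn/TiqrShib path missing"; fails=$((fails + 1)); }

    # web.xml must declare the servlet class and map it to /Authn/TiqrShib.
    webxml=$idp/edit-webapp/WEB-INF/web.xml
    { grep -q 'jp.gakunin.tiqrshib.TiqrShibAuthnServlet' "$webxml" \
        && grep -q '<url-pattern>/Authn/TiqrShib</url-pattern>' "$webxml"; } \
        || { echo "web.xml: TiqrShib servlet or its mapping missing"; fails=$((fails + 1)); }

    # The extension jar must be in edit-webapp so build.sh packs it into idp.war.
    jar_found=0
    for j in "$idp"/edit-webapp/WEB-INF/lib/tiqrshibauthn-*.jar; do
        [ -f "$j" ] && jar_found=1
    done
    [ "$jar_found" -eq 1 ] \
        || { echo "edit-webapp: tiqrshibauthn jar not found"; fails=$((fails + 1)); }

    # Tomcat context: JSESSIONID must be scoped to "/" for the PHP side.
    grep -q 'sessionCookiePath="/"' "$catalina/conf/Catalina/localhost/idp.xml" \
        || { echo "idp.xml: sessionCookiePath=\"/\" missing"; fails=$((fails + 1)); }

    return "$fails"
}

# Constructed fixture (not a real installation): "good" satisfies every check,
# "bad" leaves the flow disabled and the cookie path unset.
make_fixture() {  # $1 = IdP home, $2 = $CATALINA_BASE, $3 = good|bad
    idp=$1; catalina=$2
    mkdir -p "$idp/conf/authn" "$idp/edit-webapp/WEB-INF/lib" "$catalina/conf/Catalina/localhost"
    if [ "$3" = good ]; then
        echo 'idp.authn.flows=Password|tiqrshib' > "$idp/conf/idp.properties"
        echo '<Context docBase="/opt/shibboleth-idp/war/idp.war" sessionCookiePath="/"></Context>' \
            > "$catalina/conf/Catalina/localhost/idp.xml"
    else
        echo 'idp.authn.flows=Password' > "$idp/conf/idp.properties"
        echo '<Context docBase="/opt/shibboleth-idp/war/idp.war"></Context>' \
            > "$catalina/conf/Catalina/localhost/idp.xml"
    fi
    echo '<bean id="authn/tiqrshib" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false"/>' \
        > "$idp/conf/authn/general-authn.xml"
    echo 'c:_0="contextRelative:Authn/TiqrShib"' > "$idp/conf/authn/tiqrshib-authn-config.xml"
    printf '%s\n' '<servlet-class>jp.gakunin.tiqrshib.TiqrShibAuthnServlet</servlet-class>' \
        '<url-pattern>/Authn/TiqrShib</url-pattern>' > "$idp/edit-webapp/WEB-INF/web.xml"
    : > "$idp/edit-webapp/WEB-INF/lib/tiqrshibauthn-x.y.jar"   # empty placeholder jar
}
```

Run `check_tiqrshib_idp /opt/shibboleth-idp $CATALINA_BASE` before starting Tomcat; each printed line names the file to revisit. Keep in mind that `sessionCookiePath="/"` widens the scope of the IdP's JSESSIONID cookie from `/idp` to the whole host, which is exactly what lets tiqrzend read it, so every other application served by the same Tomcat host will receive that cookie too.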

Finally, start Tomcat.

Code block
# systemctl start tomcat

...

Change the secrets shared between tiqrzend and the IdP extension.

  • On tiqrzend side, modify resources.tiqrshib.encryption.key and resources.tiqrshib.encryption.iv.
  • On the extension side, modify AES_KEY and AES_IV in TiqrShibConstants.java in the IdP extension.

Note that this modification requires recreating the jar file and rebuilding the IdP package.
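The following is an added example, not part of the original page or of the tiqrshib project: it generates a fresh key/IV pair from the kernel CSPRNG and checks that the tiqrzend side and the IdP extension side carry the same values. The document gives neither the key size nor the value format, so the following are assumptions: key and IV are 16 random bytes each written as hex, tiqrzend reads them from an ini line of the form `resources.tiqrshib.encryption.key = "..."`, and the Java side holds them as `static final String AES_KEY = "...";` (and `AES_IV` likewise). Adjust the lengths and patterns to what your build actually uses.

```shell
#!/bin/sh
# Added example, not from the original page: replace the shared AES key/IV with
# fresh random values and check that the tiqrzend side and the IdP extension
# side carry the same ones. Assumptions (the document gives neither): the key
# and IV are 16 random bytes each, written as hex; tiqrzend reads them from an
# ini line `resources.tiqrshib.encryption.key = "..."`; the Java side holds them
# as `static final String AES_KEY = "...";` and AES_IV likewise.
set -eu

# $1 bytes from the kernel CSPRNG as lower-case hex.
rand_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Value of ini key $1 in file $2, surrounding quotes stripped; empty if absent.
ini_value() {
    k=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$2"
}

# String literal assigned to Java constant $1 in file $2; empty if absent.
java_value() {
    sed -n "s/.*String[[:space:]]\{1,\}$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# 0 when key and IV are non-empty and identical on both sides, 1 otherwise.
secrets_match() {  # $1 = tiqrzend ini file, $2 = TiqrShibConstants.java
    k1=$(ini_value resources.tiqrshib.encryption.key "$1")
    i1=$(ini_value resources.tiqrshib.encryption.iv "$1")
    k2=$(java_value AES_KEY "$2")
    i2=$(java_value AES_IV "$2")
    if [ -n "$k1" ] && [ -n "$i1" ] && [ "$k1" = "$k2" ] && [ "$i1" = "$i2" ]; then
        return 0
    fi
    return 1
}

# Write constructed stand-ins for both files into directory $1, sharing one
# freshly generated key/IV pair (these are not the project's real files).
write_samples() {
    key=$(rand_hex 16)
    iv=$(rand_hex 16)
    printf 'resources.tiqrshib.encryption.key = "%s"\nresources.tiqrshib.encryption.iv = "%s"\n' \
        "$key" "$iv" > "$1/application.ini"
    printf 'public class TiqrShibConstants {\n    public static final String AES_KEY = "%s";\n    public static final String AES_IV = "%s";\n}\n' \
        "$key" "$iv" > "$1/TiqrShibConstants.java"
}
```

Use `rand_hex` to produce the new values rather than typing them by hand, and run `secrets_match` against the real tiqrzend configuration and `TiqrShibConstants.java` after the change; a mismatch usually means one side was updated while the other still carries the values it shipped with, which will only show up as decryption failures once the rebuilt jar is deployed.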

Metadata for Tiqr Server

...

  • resources.tiqr.identifier
  • resources.tiqr.name
  • resources.tiqr.logoUrl

Consult the official document (https://tiqr.org/tiqr-simplesaml-integration-guide) for more information.

...

You may want some redundancy or possibly more performance, in which case consider using MySQL instead of SQLite3. The example config describes how to achieve it.