...
Following document instructs how to install shibbolized Tiqr in the IdP environment. You don't have to hack the IdP itself. It works as an external login handler. Please feel free to contact us (tiqr at meatmail.jp) if you have any difficulty while installing this.
| 目次 |
|---|
| 注意 |
|---|
In order to connect tiqr and shibboleth accounts, this shibbolized tiqr utilizes "title" and "street" attributes in the LDAP, each of which corresponds to "isActive" and "secret" values of Tiqr, respectively. Please modify these attributes appropriately depending on your environment. You can realize it by customizing /var/tiqrzenddemo/library/tiqrShibLdap.php |
...
Checkout the source code from the repository then,
| コード ブロック |
|---|
svn co https://forge.gakunin.nii.ac.jp/svn/tiqrshib/trunk tiqrshib
|
...
- Copy var/www/html/TiqrShib to /var/www/html/TiqrShib (deploy trans.php)
If you are using PHP under 5.2, please modify tran.php as follows.
| コード ブロック |
|---|
// for under php5.2
ini_set('session.cookie_httponly', 1);
setcookie($cookieName, $value, $timeout, $cookiepath, "", TRUE);
// for php5.2 over
//setcookie($cookieName, $value, $timeout, $cookiepath, "", TRUE, TRUE);
|
- Copy var/www/html/tiqrenroll/index.html to /var/www/html/tiqrenroll (deploy index.html)
Modify the server FQDN in the above index.html (the following part)
| コード ブロック |
|---|
<input style="font:8pt" type=button value="Register" onclick="window.location.href='https://(FQDN of the IdP server)/TiqrShib/trans.php'">
|
...
Download the following application and deploy
Application | Version | Download Site |
|---|---|---|
Tiqr-server-library | 1.0.0 | |
Tiqr-server-zendframework | 1.0.0 | |
ZendFramework | 1.12.3-minimal | |
phpqrcode | 1.1.4 |
| コード ブロック |
|---|
mkdir /var/www/library
cp -rp tiqr-server-library-1.0.0/library/tiqr /var/www/library/libTiqr
cp -rp tiqr-server-zendframework-1.0.0/library/tiqr-zf /var/www/library/
cp -rp phpqrcode /var/www/library/
cp -rp ZendFramework-1.12.3-minimal /usr/share/
ln -s ZendFramework-1.12.3-minimal ZendFramework
|
Confirm the following links. If not provide soft links as follows.
| コード ブロック |
|---|
ln -s /var/www/library/libTiqr /var/tiqrzenddemo/library/tiqr
ln -s /var/www/library/phpqrcode /var/tiqrzenddemo/library/phpqrcode
ln -s /var/www/library/tiqr-zf /var/tiqrzenddemo/library/tiqr-zf
ln -s /usr/share/ZendFramework /var/tiqrzenddemo/library/zend
|
(*) If you don't like the link, you can copy the files in both directory.
In that case, the libraries should be stored in /var/tiqrzenddemo/library/ . Following modification also required in /var/tiqrzenddemo/public/index.php
| コード ブロック |
|---|
// Ensure library/ is on include_path
set_include_path(implode(PATH_SEPARATOR, array(
realpath(APPLICATION_PATH . '/../library/zend/library'),
realpath(APPLICATION_PATH . '/../library/tiqr'),
realpath(APPLICATION_PATH . '/../library/tiqr-zf'),
realpath(APPLICATION_PATH . '/../library/libTiqrShib'),
get_include_path(),
)));
|
Configure
...
Library Path
Include the following configuration in /etc/php.ini
| コード ブロック |
|---|
include_path = ".:/usr/share/ZendFramework/library:/var/www/library/libTiqr"
|
...
Following function have to be added in /usr/share/ZendFramework/library/Zend/View/Helper/Placeholder/Container/Abstract.php
| コード ブロック |
|---|
/**
* Sort the array by key
*
* @return array
*/
public function ksort()
{
$items = $this->getArrayCopy();
return ksort($items);
}
|
...
| 情報 |
|---|
Some of the bugs seems to be fixed in the trunk version. |
| コード ブロック |
|---|
# require_once "Tiqr/Server.php";
require_once "Tiqr/Service.php";
|
Modification in /var/www/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php
| コード ブロック |
|---|
# case Tiqr_Server::AUTH_RESULT_AUTHENTICATED:
case Tiqr_Service::AUTH_RESULT_AUTHENTICATED:
# case Tiqr_Server::AUTH_RESULT_INVALID_CHALLENGE:
case Tiqr_Service::AUTH_RESULT_INVALID_CHALLENGE:
# case Tiqr_Server::AUTH_RESULT_INVALID_REQUEST:
case Tiqr_Service::AUTH_RESULT_INVALID_REQUEST:
# case Tiqr_Server::AUTH_RESULT_INVALID_RESPONSE:
case Tiqr_Service::AUTH_RESULT_INVALID_RESPONSE:
# case Tiqr_Server::AUTH_RESULT_INVALID_USERID:
case Tiqr_Service::AUTH_RESULT_INVALID_USERID:
|
Addition in /var/www/library/libTiqr/Tiqr/Random.php
| コード ブロック |
|---|
(Add following statement under the "public static function randomBytes($length)", just before the "if" function.)
$strong = false;
$rnd = "";
|
Modification in /var/tiqrzenddemo/application/configs/application.ini (modify these parameters depending on your environments)
| コード ブロック |
|---|
resources.tiqr.identifier = "idp.gakunin.nii.ac.jp"
resources.tiqr.name = "gakunin-test-tiqr"
resources.tiqr.logoUrl = "https://openidp.nii.ac.jp/images/gakunin-logo.png"
resources.tiqr.session.secret = "enter something truly random here, preferably generated using openssl"
|
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Enroll/Abstract.php
| コード ブロック |
|---|
# $this->view->enrollmentURL = $this->_getTiqr()->generateEnrollmentURL($metadataURL);
$this->view->enrollmentURL = $metadataURL;
|
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php
| コード ブロック |
|---|
//$secret = pack('H*', $this->_getUserSecret($userId));
$secret = $this->_getUserSecret($userId);
|
5. Configuration of Apache
httpd.conf (Add)
| コード ブロック |
|---|
Alias /tiqr/ "/var/tiqrzenddemo/public/"
Alias /tiqrenroll/ "/var/www/html/tiqrenroll/"
|
ssl.conf (Add)
| コード ブロック |
|---|
<Location /tiqr>
RewriteEngine On
RewriteBase /tiqr
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ /tiqr/index.php [NC,L]
</Location>
|
...
Generate tiqrshibAuthn.class by compiling the tiqrshibAuthn.java
Copy the class file into /usr/java/tomcat/webapps/idp/WEB-INF/classes/
Following is an example of compiling option.
| コード ブロック |
|---|
javac -classpath /usr/java/tomcat/lib/servlet-api.jar:/opt/shibboleth-idp/lib/shibboleth-common-1.3.2.jar:/opt/shibboleth-idp/lib/shibboleth-identityprovider-2.3.2.jar:/opt/shibboleth-idp/lib/shibboleth-jce-1.1.0.jar:/opt/shibboleth-idp/lib/slf4j-api-1.6.1.jar:/opt/shibboleth-idp/lib/openws-1.4.2.jar:/opt/shibboleth-idp/lib/xmltooling-1.3.2.jar tiqrshibAuthn.java
|
...
Modification in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
| コード ブロック |
|---|
<!-- Servlet protected by container used for TiqrShib authentication -->
<servlet>
<servlet-name>TiqrShibAuthHandler</servlet-name>
<servlet-class>tiqrshibAuthn</servlet-class>
<init-param>
<param-name>authnMethod</param-name>
<param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TiqrShibAuthHandler</servlet-name>
<url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping>
|
Modification in handler.xml of shibboleth IdP
| コード ブロック |
|---|
<ph:LoginHandler xsi:type="ph:ExternalAuthn"
externalAuthnPath="/Authn/TiqrShib" >
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ph:AuthenticationMethod>
</ph:LoginHandler>
|
...
Make Username/PasswordHandler as default handler
Addition in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
| コード ブロック |
|---|
<!-- Servlet for doing Username/Password authentication -->
<servlet>
<servlet-name>UsernamePasswordAuthHandler</servlet-name>
<servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
<init-param>
<param-name>authnMethod</param-name>
<param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
|
Configuration in relying-party.xml
| コード ブロック |
|---|
<rp:DefaultRelyingParty provider="https://IDP SERVER/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
|
...
Add SessionInitiator in shibboleth2.xml
| コード ブロック |
|---|
<!-- Special SessionInitiator for Tiqr!!! -->
<SessionInitiator type="SAML2" Location="/TiqrShib" id="siid1" entityID="https://IDP-SERVER-FQDN/idp/shibboleth" template="bindingTemplate.html" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
|
Addition in /etc/httpd/conf.d/shib.conf
| コード ブロック |
|---|
Alias /TiqrShib/ "/var/www/html/TiqrShib/"
<Location /TiqrShib>
AuthType shibboleth
ShibRequestSetting requireSessionWith siid1
require valid-user
</Location>
|
...
Add ="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" in SessionInitiator
| コード ブロック |
|---|
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="tiqrshiblogin" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract">
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1"/>
<SessionInitiator type="SAMLDS" URL="https://DS SERVER/ds/WAYF"/>
</SessionInitiator>
|
...
Modification in /var/tiqrzenddemo/application/config/application.ini
| コード ブロック |
|---|
resources.tiqr.identifier = "tiqr.nii.ac.jp"
↑replace as your server FQDN
resources.tiqr.name = "vm2"
↑server name of Tiqr (it will be appeared in the application)
resources.tiqr.logoUrl = "https://tiqr.nii.ac.jp/icons/gakunin-logo.png"
↑logo file appeared in the application. 5KB is better. Over 100KB file takes long time to load it.
constants.TIQRSHIB_DOMAIN = "nii.ac.jp"
↑eppn security domain of the IdP
↓Following LDAP configuration is same with attribute-resolver.xml
constants.TIQRSHIB_LDAP_HOST = "localhost"
constants.TIQRSHIB_LDAP_PORT = "389"
constants.TIQRSHIB_LDAP_BASEDN = "o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_BINDREQUIRESDN = "true"
constants.TIQRSHIB_LDAP_USERNAME = "cn=Manager,o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_PASSWORD = "password"
|
...