...
Shibboleth SP which has been installed in section 4 will be configured for Attribute Provider.
Download required
...
files from following URL
...
.
Please contact nii.ac.jp/svn/GakuNinmAP/local-map/sp-conf/Please obtain an account from GakuNin Office if authentication is requested. index.zipattribute-map.xml |
Modify Setting
attribute-
policymap.xml
Modify “Host Name of the SP” to this server host name.shibboleth2.xml
Modify “Host Name of the IdP” to your university IdP which authenticate users.
Certificate and Key files in the “CredentialResolver” also have to be changed depending on theにserver certificate.
Initial Setting of the CredentialResolverコード ブロック <CredentialResolver type="File" key="cert/server.key" certificate="cert/server.crt"/>
* Owner of these files have to be changed as shibd.
...
Add the following line or make sure
isMemberOf
attribute is recognized.コード ブロック language xml <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
attribute-policy.xml
Add the following rule beforeattributeID="*"
line.コード ブロック language xml <!-- isMemberOf --> <afp:AttributeRule attributeID="isMemberOf"> <afp:PermitValueRule xsi:type="AttributeIssuerString" value="https://[Host Name of the SP]/idp/shibboleth"/> </afp:AttributeRule>
Modify “[Host Name of the SP]” to this server host name.
shibboleth2.xml
Add MetadataProvider.コード ブロック language xml <!-- Example of locally maintained metadata. --> <!-- Metadata of this IdP --> <MetadataProvider type="XML" file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
And add SimpleAggregation AttributeResolver after
<AttributeResolver type="Query" subjectMatch="true"/>
line.コード ブロック <!-- Uses eduPersonPrincipalName from IdP to query, and asks for isMemberOf. --> <AttributeResolver type="SimpleAggregation" attributeId="eppn" format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"> <Entity>https://[Host Name of the IdP]/idp/shibboleth</Entity> </AttributeResolver>
Modify “[Host Name of the IdP]” to this server host name.
- embedded-wayf_config.js
Modify “Host Name of the Server” SP” to the name of this server.
Values in wayf_additional_idps also have to be changed.
Copy Files
- .
Instead, you can use your own embedded DS inapp/views/pages/home.ctp
.
Copy Files
コード ブロック |
---|
$ sudo mkdir /var/www/html/secure
$ unzip index.zip |
コード ブロック |
Back Up First $ sudo cp /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.bk $ sudo cp /etc/shibboleth/attribute-policy.xml /etc/shibboleth/attribute-policy.xml.bk $ sudo cp /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.bk Then Copy $ sudo cp attribute-map.xml /etc/shibboleth/. $ sudo cp attribute-policy.xml /etc/shibboleth/. $ sudo cp shibboleth2.xml /etc/shibboleth/. $ sudo mkdir /var/www/html/secure $ sudo cp attrindex.php /var/www/html/secure/attr.php $ sudo mkdir /var/www/html/js $ sudo cp embedded-wayf_config.js /var/www/html/js/. |
...
- Store the metadata of the SP of this server in the following location.
/etc/shibboleth/metadata/sp-metadata.xml - Store the metadata of this IdP of this server in the following location.
/opt/shibboleth-idp/metadata/idp-metadata.xml
* shibd have to be restarted after the “10. Installing Attribute Provider (IdP)”since the metadata※of metadata of the IdP is not yet generated at this moment.Store the metadata of the IdP which utilizes university authentication./etc/shibboleth-idp/metadata/uni-idp-metadata.xml - Federation Metadata
If required, federation metadata have to be included by the shibboleth2.xml configuration.
...
Shibboleth IdP which has been installed in section 5 will be configured for Attribute Provider.
Download required file from following URL.
...
Please contact GakuNin Office if authentication is required. |
...
xx-bin.jar |
Modify Configuration
- attribute-resolver.xml
Modify“SALT”to appropriate random values.
Setup database password to be the same one with “6. Installing and Setting Up MySQL”.
Modify “Host name of the IdP”to IdP” to this server host name. relying-party.xml
Modify “Host name of the IdP” to this server host name.
Define SP metadata which utilize localAdd MetadataProvider for SP which utilize this mAP system.
Define the metadata of Global mAP(https://map.gakunin.nii.ac.jp/idp/shibboleth)
* In general, the metadata of the Global mAP is automatically integrated if the IdP ingest the federation metadata.
Overwrite the configuration files.
コード ブロック language xml <metadata:MetadataProvider id="SP" xsi:type="metadata:ResourceBackedMetadataProvider"> <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="/etc/shibboleth/metadata/sp-metadata.xml" /> </metadata:MetadataProvider>
Overwrite the configuration files.
コード ブロック |
---|
Back Up First
$ cd |
コード ブロック |
Back Up First $ cd /opt/shibboleth-idp/conf $ sudo cp attribute-filter.xml attribute-filter.xml.bk $ sudo cp attribute-resolver.xml attribute-resolver.xml.bk $ sudo cp handler.xml handler.xml.bk $ sudo cp internal.xml internal.xml.bk $ sudo cp relying-party.xml relying-party.xml.bk Then Copy $ cd $ sudo cp attribute-filter.xml /opt/shibboleth-idp/conf/. $ sudo cp attribute-resolverfilter.xml /opt/shibboleth-idp/conf/.attribute-filter.xml.bk $ sudo cp handlerattribute-resolver.xml /opt/shibboleth-idp/conf/.attribute-resolver.xml.bk Then Copy $ cd $ sudo cp internalattribute-filter.xml /opt/shibboleth-idp/conf/. $ sudo cp relyingattribute-partyresolver.xml /opt/shibboleth-idp/conf/. |
...
- The metadata of this SP has already been stored in the following location.
/etc/shibboleth/metadata/sp-metadata.xml - Store the metadata of this IdP in the following location.
/opt/shibboleth-idp/metadata/idp-metadata.xmlInclude the metadata of this IdP in the shibboleth2.xml of the SP which utilizes for local mAP.
Deployment of the MySQL driver
コード ブロック |
---|
$ sudo cp mysql-connector-java-5.1.10.jar \ [TOMCAT install directory] /webapps/idp/WEB-INF/lib/. $ sudo cp mysql-connector-java-5.1.10.jar /opt/shibboleth-idp/lib/. |
...
コード ブロック |
---|
# cd /opt/shibboleth-idp/credentials # openssl pkcs12 -export -out pkcs12.p12 -in idp.crt -inkey idp.key -name HOST-NAME-OF-THIS-SERVER Enter Export Password: YOUR-OWN-PASSOWRD Verifying - Enter Export Password: YOUR-OWN-PASSWORD # keytool -importkeystore -srckeystore pkcs12.p12 -destkeystore keystore.jks \ -srcstoretype pkcs12 -deststoretype jks -srcalias HOST-NAME-OF-THIS-SERVER \ -destalias HOST-NAME-OF-THIS-SERVER -storepass YOUR-OWN-PASSOWRD Enter source keystore password: YOUR-OWN-PASSOWRD keystore.jks will be generated. # rm pkcs12.p12 # chmod 600 /opt/shibboleth-idp/credentials/keystore.jks |
* This instruction assume IdP certificate as idp.crt and idp.key.
...
コード ブロック |
---|
$ sudo /etc/init.d/tomcat6 stop
$ sudo /etc/init.d/tomcat6 start
Restart SP as well in order to include the metadata of newly configured IdP.
$ sudo /etc/init.d/shibd restart
$ sudo /etc/init.d/httpd restart |
...