...

The Shibboleth SP installed in section 4 will be configured as the Attribute Provider.

Download the required files from the following URL.

...

nii.ac.jp/svn/GakuNinmAP/local-map/sp-conf/

Please contact the GakuNin Office to obtain an account if authentication is requested.

index.zip
attribute-map.xml
attribute-policy.xml
shibboleth2.xml
attr.php
embedded-wayf_config.js


Modify Settings
  • attribute-policy.xml
    Modify “Host Name of the SP” to this server host name.
  • shibboleth2.xml
    Modify “Host Name of the IdP” to the host name of your university IdP, which authenticates users.
    The certificate and key files in the “CredentialResolver” also have to be changed to match the server certificate.
    Initial setting of the CredentialResolver

    Code block
    <CredentialResolver type="File" key="cert/server.key" certificate="cert/server.crt"/>

    * The owner of these files has to be changed to shibd.

...

  • attribute-map.xml
    Add the following line, or make sure the isMemberOf attribute is already recognized.

    Code block
        <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
  • attribute-policy.xml
    Add the following rule before the attributeID="*" rule.

    Code block
            <!-- isMemberOf -->
            <afp:AttributeRule attributeID="isMemberOf">
                <afp:PermitValueRule xsi:type="AttributeIssuerString"
                        value="https://[Host Name of the SP]/idp/shibboleth"/>
            </afp:AttributeRule>

    Modify “[Host Name of the SP]” to this server host name.

  • shibboleth2.xml
    Add a MetadataProvider.

    Code block
            <!-- Example of locally maintained metadata. -->
            <!-- Metadata of this IdP -->
            <MetadataProvider type="XML" file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
    

    Then add a SimpleAggregation AttributeResolver after the <AttributeResolver type="Query" subjectMatch="true"/> line.

    Code block
            <!-- Uses eduPersonPrincipalName from IdP to query, and asks for isMemberOf. -->
            <AttributeResolver type="SimpleAggregation" attributeId="eppn" format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
              <Entity>https://[Host Name of the IdP]/idp/shibboleth</Entity>
            </AttributeResolver>

    Modify “[Host Name of the IdP]” to this server host name.

  • embedded-wayf_config.js
    Modify “Host Name of the SP” to the name of this server.
    The values in wayf_additional_idps also have to be changed.
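The three SP files edited above fail silently when a placeholder is left in place or the isMemberOf rule is mis-typed: the attribute is simply dropped, or, worse, the catch-all attributeID="*" rule accepts it from any IdP. The following script is an added example (not code from the GakuNin mAP documentation or from the Shibboleth project) that parses the files with the Python standard library and reports those mistakes. The host name map.example.ac.jp, the function names and the sample documents are constructed for the example; to audit a real deployment, read the files from /etc/shibboleth/ and pass this server's host name.

```python
"""Added example: sanity checks for the SP-side mAP configuration.
Sample documents and host names below are constructed, not real deployment files."""
import re
import xml.etree.ElementTree as ET

ISMEMBEROF_OID = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Placeholders the instructions tell you to replace, e.g. "[Host Name of the SP]"
PLACEHOLDER = re.compile(r"\[Host Name of the [^\]]*\]")


def _local(tag):
    """Tag name without its namespace; the three files use different default namespaces."""
    return tag.rsplit("}", 1)[-1]


def _elements(xml_text, name):
    """All elements of the document whose local name is `name`."""
    return [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == name]


def audit_sp_config(attribute_map, attribute_policy, shibboleth2, sp_host):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    expected_issuer = f"https://{sp_host}/idp/shibboleth"  # entityID of the local mAP IdP on this host

    # 1. A placeholder left in any file is the most common copy-and-forget mistake.
    for fname, text in (("attribute-map.xml", attribute_map),
                        ("attribute-policy.xml", attribute_policy),
                        ("shibboleth2.xml", shibboleth2)):
        for ph in sorted(set(PLACEHOLDER.findall(text))):
            findings.append(f"{fname}: placeholder {ph} was not replaced")

    # 2. attribute-map.xml must map the isMemberOf OID to the id the policy rule refers to.
    ids = [a.get("id") for a in _elements(attribute_map, "Attribute") if a.get("name") == ISMEMBEROF_OID]
    if "isMemberOf" not in ids:
        findings.append('attribute-map.xml: the isMemberOf OID is not mapped to id="isMemberOf"')

    # 3. attribute-policy.xml must accept isMemberOf only from the local mAP IdP; without the
    #    issuer pin the catch-all attributeID="*" rule would accept it from any IdP.
    rules = [r for r in _elements(attribute_policy, "AttributeRule") if r.get("attributeID") == "isMemberOf"]
    if not rules:
        findings.append("attribute-policy.xml: no AttributeRule for isMemberOf")
    for rule in rules:
        for permit in rule:
            if _local(permit.tag) != "PermitValueRule":
                continue
            kind = permit.get(XSI_TYPE)
            if kind != "AttributeIssuerString":
                findings.append(f"attribute-policy.xml: isMemberOf PermitValueRule is {kind}, not pinned to an issuer")
            elif permit.get("value") != expected_issuer:
                findings.append(f"attribute-policy.xml: isMemberOf issuer {permit.get('value')!r} != {expected_issuer!r}")

    # 4. shibboleth2.xml must query that same IdP for isMemberOf, keyed on eppn.
    aggs = [r for r in _elements(shibboleth2, "AttributeResolver") if r.get("type") == "SimpleAggregation"]
    if not aggs:
        findings.append("shibboleth2.xml: no SimpleAggregation AttributeResolver, so isMemberOf is never queried")
    for agg in aggs:
        if agg.get("attributeId") != "eppn" or agg.get("format") != EPPN_OID:
            findings.append("shibboleth2.xml: SimpleAggregation is not keyed on eppn with the ePPN OID format")
        entities = [e.text.strip() for e in agg if _local(e.tag) == "Entity" and e.text]
        if expected_issuer not in entities:
            findings.append(f"shibboleth2.xml: SimpleAggregation queries {entities}, not {expected_issuer!r}")
    return findings


# --- constructed sample documents (hypothetical host map.example.ac.jp) ---
SP_HOST = "map.example.ac.jp"

GOOD_MAP = """\
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
</Attributes>
"""

GOOD_POLICY = """\
<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="ANY"/>
    <afp:AttributeRule attributeID="isMemberOf">
      <afp:PermitValueRule xsi:type="AttributeIssuerString" value="https://map.example.ac.jp/idp/shibboleth"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="*">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

GOOD_SP = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://map.example.ac.jp/shibboleth">
    <MetadataProvider type="XML" file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeResolver type="SimpleAggregation" attributeId="eppn" format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <Entity>https://map.example.ac.jp/idp/shibboleth</Entity>
    </AttributeResolver>
  </ApplicationDefaults>
</SPConfig>
"""

# The same files with the placeholders still in place, as they are before editing.
UNEDITED_POLICY = GOOD_POLICY.replace("map.example.ac.jp", "[Host Name of the SP]")
UNEDITED_SP = GOOD_SP.replace("map.example.ac.jp", "[Host Name of the IdP]")

if __name__ == "__main__":
    print("edited:", audit_sp_config(GOOD_MAP, GOOD_POLICY, GOOD_SP, SP_HOST) or "OK")
    print("unedited:", audit_sp_config(GOOD_MAP, UNEDITED_POLICY, UNEDITED_SP, SP_HOST))
```

The issuer check and the Entity check deliberately use the same expected entityID: the policy should only trust isMemberOf from the IdP that shibboleth2.xml actually queries, so a mismatch between the two files is reported as a finding in its own right.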
  • Alternatively, you can use your own embedded DS in app/views/pages/home.ctp.
Copy Files
Code block
Back Up First
$ sudo cp /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.bk
$ sudo cp /etc/shibboleth/attribute-policy.xml /etc/shibboleth/attribute-policy.xml.bk
$ sudo cp /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.bk

Then Copy
$ unzip index.zip
$ sudo cp attribute-map.xml /etc/shibboleth/.
$ sudo cp attribute-policy.xml /etc/shibboleth/.
$ sudo cp shibboleth2.xml /etc/shibboleth/.
$ sudo mkdir /var/www/html/secure
$ sudo cp attr.php /var/www/html/secure/attr.php
$ sudo mkdir /var/www/html/js
$ sudo cp embedded-wayf_config.js /var/www/html/js/.

...

  • Store the metadata of the SP of this server in the following location.
    /etc/shibboleth/metadata/sp-metadata.xml
  • Store the metadata of the IdP of this server in the following location.
    /opt/shibboleth-idp/metadata/idp-metadata.xml
    * shibd has to be restarted after “10. Installing Attribute Provider (IdP)”, since the metadata of the IdP has not been generated yet at this point.
  • Store the metadata of the IdP which provides university authentication in the following location.
    /etc/shibboleth-idp/metadata/uni-idp-metadata.xml
  • Federation Metadata
    If required, the federation metadata has to be included in the shibboleth2.xml configuration.

...

The Shibboleth IdP installed in section 5 will be configured as the Attribute Provider.

Download the required files from the following URL.

...

Please contact the GakuNin Office if authentication is required.
attribute-resolver.xml
attribute-filter.xml

Please download mysql-connector-java-5.1.xx.zip from the MySQL site:
https://www.mysql.com/downloads/connector/j/
Unzip the file and you will find the JAR file mysql-connector-java-5.1.xx-bin.jar.


Modify Configuration
  • attribute-resolver.xml
    Modify “SALT” to an appropriate random value.
    Set the database password to the same one used in “6. Installing and Setting Up MySQL”.
    Modify “Host name of the IdP” to this server host name.
  • relying-party.xml
    Modify “Host name of the IdP” to this server host name.
    Define the metadata of the SP which utilizes this local mAP system by adding a MetadataProvider for it.
    Define the metadata of the Global mAP (https://map.gakunin.nii.ac.jp/idp/shibboleth).
    * In general, the metadata of the Global mAP is integrated automatically if the IdP ingests the federation metadata.

    Code block
            <metadata:MetadataProvider id="SP" xsi:type="metadata:ResourceBackedMetadataProvider">
              <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="/etc/shibboleth/metadata/sp-metadata.xml" />
            </metadata:MetadataProvider>

Overwrite the configuration files.
Code block
Back Up First
$ cd /opt/shibboleth-idp/conf
$ sudo cp attribute-filter.xml attribute-filter.xml.bk
$ sudo cp attribute-resolver.xml attribute-resolver.xml.bk
$ sudo cp handler.xml handler.xml.bk
$ sudo cp internal.xml internal.xml.bk
$ sudo cp relying-party.xml relying-party.xml.bk

Then Copy
$ cd
$ sudo cp attribute-filter.xml /opt/shibboleth-idp/conf/.
$ sudo cp attribute-resolver.xml /opt/shibboleth-idp/conf/.
$ sudo cp handler.xml /opt/shibboleth-idp/conf/.
$ sudo cp internal.xml /opt/shibboleth-idp/conf/.
$ sudo cp relying-party.xml /opt/shibboleth-idp/conf/.

...

  • The metadata of this SP has already been stored in the following location.
    /etc/shibboleth/metadata/sp-metadata.xml
  • Store the metadata of this IdP in the following location.
    /opt/shibboleth-idp/metadata/idp-metadata.xml
    Include the metadata of this IdP in the shibboleth2.xml of the SP which utilizes this local mAP.
Deployment of the MySQL driver
Code block
$ sudo cp mysql-connector-java-5.1.10.jar \
[TOMCAT install directory]/webapps/idp/WEB-INF/lib/.

$ sudo cp mysql-connector-java-5.1.10.jar /opt/shibboleth-idp/lib/.

...

Code block
# cd /opt/shibboleth-idp/credentials
# openssl pkcs12 -export -out pkcs12.p12 -in idp.crt -inkey idp.key -name HOST-NAME-OF-THIS-SERVER
Enter Export Password: YOUR-OWN-PASSWORD
Verifying - Enter Export Password: YOUR-OWN-PASSWORD

# keytool -importkeystore -srckeystore pkcs12.p12 -destkeystore keystore.jks \
-srcstoretype pkcs12 -deststoretype jks -srcalias HOST-NAME-OF-THIS-SERVER \
-destalias HOST-NAME-OF-THIS-SERVER -storepass YOUR-OWN-PASSWORD
Enter source keystore password: YOUR-OWN-PASSWORD
keystore.jks will be generated.
# rm pkcs12.p12
# chmod 600 /opt/shibboleth-idp/credentials/keystore.jks

* These instructions assume the IdP certificate and key are idp.crt and idp.key.

...

Code block
$ sudo /etc/init.d/tomcat6 stop
$ sudo /etc/init.d/tomcat6 start

Restart the SP as well so that it picks up the metadata of the newly configured IdP.
$ sudo /etc/init.d/shibd restart
$ sudo /etc/init.d/httpd restart

...