Version comparison

Comment: Restored from version 33

...

<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
    helpLocation="/about.html"
    styleSheet="/shibboleth-sp/main.css"/>

<!-- Example of remotely supplied batch of signed metadata. -->
<!-- -->
<!--
<MetadataProvider type="XML" validate="true"
      uri="https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml"
      backingFilePath="federation-metadata.xml" reloadInterval="7200">
-->
<MetadataProvider type="XML" validate="true"
      uri="https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml"
            backingFilePath="federation-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1296000"/>
    <!--
    <MetadataFilter type="Signature" certificate="/etc/shibboleth/cert/ex-fed.crt"/>
    -->
    <MetadataFilter type="Signature" certificate="/etc/shibboleth/cert/gakunin-test-signer-2011.cer"/>
</MetadataProvider>
<!-- -->

<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->

...

cd /opt/shibboleth-idp/credentials
wget https://metadata.gakunin.nii.ac.jp/gakunin-test-signer-2011.cer


Change the automatic metadata download settings in metadatarelying-providersparty.xml.


(omitted)
The EntityRoleWhiteList saves memory by only loading metadata from entity types
that you will interoperate with.
<!-- ========================================== -->
<!-- Metadata Configuration -->
<!-- ========================================== -->
<!--
<MetadataProvider MetadataProvider the combining other MetadataProviders -->

<metadata:MetadataProvider id="HTTPMetadata"
                  xsiShibbolethMetadata" xsi:type="FileBackedHTTPMetadataProvidermetadata:ChainingMetadataProvider">

(omitted)

    <!-- Example metadata provider. -->

    <!-- Reads metadata from a URL and store a backup copy on the file system. -->
    <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
    <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
    <!-- -->
        backingFile="%{idp.home}/metadata/gakunin-metadata-backing.xml"

                  metadataURL  <!--
    <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                     metadataURL="https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml"
                     backingFile="/opt/shibboleth-idp/metadata/some-metadata.xml">
    -->
<MetadataProvider     <metadata:MetadataProvider id="HTTPMetadata"
                  xsiURLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/gakunin-metadata-backing                   metadataURL="https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml"
                  metadataURL="https://metadata.gakunin.nii.ac.jp/gakunin-test-                   backingFile="/opt/shibboleth-idp/metadata/some-metadata.xml">
    <MetadataFilter       <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval
<!--                            maxValidityInterval="P15D" />

    <MetadataFilter           <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                    requireSignedMetadata="true"
                    certificateFile="%{idp.home}/credentials/ex-fed.crt"/>
-->
    <MetadataFilter                           trustEngineRef="shibboleth.MetadataTrustEngine"
                            requireSignedMetadata="true" />
                <metadata:MetadataFilter xsi:type="SignatureValidationmetadata:EntityRoleWhiteList">
                <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
            </metadata:MetadataFilter>
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>
    <!-- -->

</metadata:MetadataProvider>
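
What the validity-interval filter (maxValidityInterval of 1296000 seconds, i.e. P15D) and the EntityRoleWhiteList filter configured on this page do to a downloaded metadata batch, shown as an added Python example; it is not Shibboleth's code, and the sample metadata, entity IDs and function names are constructed for illustration. Signature validation is not covered, and any child element whose name ends in "Descriptor" is assumed to be a role.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MAX_VALIDITY = timedelta(seconds=1296000)  # value from the page; equals P15D

# Constructed sample aggregate (not real federation metadata).
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2024-07-10T00:00:00Z">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def require_valid_until(root, now, max_validity=MAX_VALIDITY):
    # Reject a batch that has no validUntil, is already expired,
    # or claims to stay valid longer than the configured interval.
    raw = root.get("validUntil")
    if raw is None:
        raise ValueError("root element has no validUntil")
    valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if valid_until <= now:
        raise ValueError("metadata expired at " + raw)
    if valid_until - now > max_validity:
        raise ValueError("validity interval exceeds " + str(max_validity))
    return valid_until


def retain_roles(root, retained=("SPSSODescriptor",)):
    # Drop role descriptors that are not retained (assumption: any child whose
    # name ends in "Descriptor" is a role), then entities left without a role.
    keep = {MD + name for name in retained}
    for entity in list(root.findall(MD + "EntityDescriptor")):
        for child in list(entity):
            if child.tag.endswith("Descriptor") and child.tag not in keep:
                entity.remove(child)
        if not any(c.tag in keep for c in entity):
            root.remove(entity)
    return [e.get("entityID") for e in root.findall(MD + "EntityDescriptor")]


def load(xml_text, now):
    # Validity check first, role filtering second; returns surviving entity IDs.
    root = ET.fromstring(xml_text)
    require_valid_until(root, now)
    return retain_roles(root)
```

A batch that is replayed after its validUntil, or that asserts a validity window longer than 15 days, is rejected before any entity is loaded; of the two sample entities only the SP survives the role filter.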


③ Change the certificate settings in relying-party.xml.


<!-- ========================================== --             requireSignedMetadata="true"
                    certificateFile="%{idp.home}/credentials/gakunin-test-signer-2011.cer"/>

<!-- Security Configurations -->
<!-- ========================================== -->
<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/server.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/server.crt</security:Certificate>
</security:Credential>

<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<!-- -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
        <!--
        <security:Certificate>/opt/shibboleth-idp/credentials/ex-fed.crt</security:Certificate>
        -->
        <security:Certificate>/opt/shibboleth-idp/credentials/gakunin-test-signer-2011.cer</security:Certificate>
    </security:Credential>
</security:TrustEngine>
       <PublicKey>
           THIS IS AN EXAMPLE
           MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxg0TyQAP/tIvOH89EtaX
           uRRn8SYzTj7W1TbNY4VvBmobjkRmSkki4hH9x4sQpi635wn6WtXTN/FNNmkTK3N/
           LspmBWxfZS+n+cc7I82E5yvCAPX67QsZgqgglp2W5dvK/FsMMCS6X6SVqzBLMP88
           NenXKxY+HMxMs0sT0UKYh1cAEqadrHRBO65aDBcm5a0sBVYt9K6pgaOHrp/zSIbh
           nR5tFFLjBbtFktDpHL3AdGBH3OYidNGKBO3tJ3Ms7LeKXsM0+0Y4P+9fHZINL2X3
           E2N6GVnKs5PZTg9sP0FtIpAbYm/+zCx7Yj1ET/Er8mDd6tNVGSQsn9s5xUBwGqn1
           4wIDAQAB
       </PublicKey>
   </MetadataFilter>
-->
   <MetadataFilter xsi:type="EntityRoleWhiteList">
       <RetainedRole>md:SPSSODescriptor</RetainedRole>
   </MetadataFilter>
</MetadataProvider>
<!-- -->


Restart tomcat.

service tomcat7tomcat6 restart


⑤ Access the test federation's connection-test SP at https://test-sp1.gakunin.nii.ac.jp.

...