...
conf/saml-nameid.xml
<ref bean="shibboleth.SAML2PersistentGenerator" />
をアンコメントして有効にします。展開 コード ブロック language xml title conf/saml-nameid.xml <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- -->
コード ブロック language diff title 差分 <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> - <!-- + <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> - --> + <!-- -->
conf/saml-nameid.properties
idp.persistentId.generator
のデフォルトはComputedId
の設定のため、idp.persistentId.sourceAttribute
とidp.persistentId.salt
のみを設定します。idp.persistentId.salt
には他人が推測できないランダムな値を指定してください。古いIdPから設定を引き継ぐ場合は同じ値を指定してください。展開 コード ブロック language java title conf/saml-nameid.properties # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX # To use a database, use shibboleth.StoredPersistentIdGenerator
コード ブロック language diff title 差分 # # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: -#idp.persistentId.sourceAttribute = changethistosomethingreal +idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA -#idp.persistentId.salt = changethistosomethingrandom +idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX # To use a database, use shibboleth.StoredPersistentIdGenerator
conf/attribute-resolver.xml
idp.persistentId.sourceAttribute
で指定した属性がLDAPで定義されているのみでconf/attribute-resolver.xml
の//resolver:AttributeDefinition
で定義されていない場合は、PersistentIdGenerator
から参照できませんので以下のように定義します。他の用途に使用しない場合resolver:AttributeEncoder
の2行は不要です。idp.persistentId.sourceAttribute
で指定したresolver:AttributeDefinitionをコメントアウトします
。展開 コード ブロック language xml title conf/attribute-resolver.xml <!-- Schema: Core schema attributes--> <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> <!--
コード ブロック language diff title 差分 <!-- Schema: Core schema attributes--> - <!-- + <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> + <!--
...
展開 | |||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
computedIdでの設定を下記に示します。
|
storedId
storedIdでの設定を下記に示します。
|
storedId
storedIdでの設定を下記に示します。
conf/saml-nameid.xml
<ref bean="shibboleth.SAML2PersistentGenerator" />
をアンコメントして有効にします。展開 コード ブロック language xml title conf/saml-nameid.xml <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- -->
コード ブロック language diff title 差分 <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> - <!-- + <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> - --> + <!-- -->
conf/saml-nameid.properties
idp.persistentId.sourceAttribute,
idp.persistentId.salt, idp.persistentId.generatorとidp.persistentId.store
を設定します。idp.persistentId.salt
には他人が推測できないランダムな値を指定してください。古いIdPから設定を引き継ぐ場合は同じ値を指定してください。展開 コード ブロック language java title conf/saml-nameid.properties # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX # To use a database, use shibboleth.StoredPersistentIdGenerator idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator # For basic use, set this to a JDBC DataSource bean name: #idp.persistentId.dataSource = PersistentIdDataSource # For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore idp.persistentId.store = MyPersistentIdStore # Set to an empty property to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
コード ブロック language diff title 差分 # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: -#idp.persistentId.sourceAttribute = changethistosomethingreal +idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA -#idp.persistentId.salt = changethistosomethingrandom +idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX # To use a database, use shibboleth.StoredPersistentIdGenerator -#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator +idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator # For basic use, set this to a JDBC DataSource bean name: #idp.persistentId.dataSource = PersistentIdDataSource # For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore -#idp.persistentId.store = MyPersistentIdStore +idp.persistentId.store = MyPersistentIdStore # Set to an empty property to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
conf/attribute-resolver.xml
conf/attribute-resolver.xml
のidp.persistentId.sourceAttribute
で指定したresolver:AttributeDefinitionをコメントアウトします
。展開 コード ブロック language xml title conf/attribute-resolver.xml <!-- Schema: Core schema attributes--> <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> <!--
コード ブロック language diff title 差分 <!-- Schema: Core schema attributes--> - <!-- + <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> + <!--
shibpidテーブルの作成
shibpidテーブルを作成します。展開 コード ブロック language sql title shibpid CREATE TABLE shibpid ( localEntity VARCHAR(255) NOT NULL, peerEntity VARCHAR(255) NOT NULL, persistentId VARCHAR(50) NOT NULL, principalName VARCHAR(50) NOT NULL, localId VARCHAR(50) NOT NULL, peerProvidedId VARCHAR(50) NULL, creationDate TIMESTAMP NOT NULL, deactivationDate TIMESTAMP NULL, PRIMARY KEY (localEntity, peerEntity, persistentId) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
conf/global.xml
conf/global.xml
でidp.persistentId.store
のbeanを定義します。展開 コード ブロック language xml title conf/global.xml (Tomcat 7の場合) <!-- Use this file to define any custom beans needed globally. --> <bean id="MyDataSource" class="org.apache.tomcat.dbcp.dbcp.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:username="username" p:password="password" p:maxActive="10" p:maxIdle="5" p:maxWait="15000" p:testOnBorrow="true" p:validationQuery="select 1" p:validationQueryTimeout="5" /> <bean id="PersistentIdStore" class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:dataSource-ref="MyDataSource" />
コード ブロック language xml title conf/global.xml (Tomcat 8の場合) <!-- Use this file to define any custom beans needed globally. --> <bean id="MyDataSource" class="org.apache.tomcat.dbcp.dbcp2.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:username="username" p:password="password" p:maxIdle="5" p:maxTotal="10" p:maxWaitMillis="15000" p:testOnBorrow="true" p:validationQuery="select 1" p:validationQueryTimeout="5" /> <bean id="PersistentIdStore" class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:dataSource-ref="MyDataSource" />
情報 Tomcat 8付属のDBCP2から、
p:maxActive
はp:maxTotal
に、p:maxWait
はp:maxWaitMillis
に変更になりました。
Shibboleth IdP 3.1の情報
展開 | |||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
computedIdでの設定を下記に示します。Shibboleth IdP 2と同じ設定で送信可能です。
conf/attribute-resolver.xml
展開 コード ブロック language xml title conf/attribute-resolver.xml <!-- ========================================== --> <!-- Attribute Definitions --> <!-- ========================================== --> <!-- Schema: eduPerson attributes --> <!-- Attribute Definition for eduPersonTargetedID --> <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID"> <resolver:Dependency ref="computedID" /> <resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> <resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> </resolver:AttributeDefinition> <!-- ========================================== --> <!-- Data Connectors --> <!-- ========================================== --> <!-- Computed targeted ID connector --> <resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc" id="computedID" generatedAttributeID="computedID" sourceAttributeID="uid" salt="changethistosomethingrandom"> <resolver:Dependency ref="myLDAP" /> </resolver:DataConnector>
conf/attribute-filter.xml
展開 コード ブロック language xml title conf/attribute-filter.xml <!-- Release to sp.example.jp --> <afp:AttributeFilterPolicy id="PolicyforSP1ExampleJP"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.jp/shibboleth-sp" /> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy>
...
- [Shibboleth wiki] Identity Provider 3
- [Shibboleth wiki] IdP 3 / ReleaseNotes
- [SWITCH] Shibboleth Identity Provider (IdP) 3 Installation Guide
- [SWITCH] Shibboleth IdPv3: Considerations in the Context of SWITCHaai
- 3.1 Operating Systems: Linux long-term support (Ubuntu Server 14.04 LTS / Red Hat Enterprise Linux 7 / CentOS 7)
- 3.2 Java & Servlet Container: OpenJDK 7, Apache Tomcat 7 & Apache HTTP Server 2.4
- 3.3 Database for persistentIDs and user consent: PostgreSQL
- 3.4 IdP Session Storage: Client Session Storage with Cookies
- [upki-fed:00880] Re: Shibboleth IdP 3.0 リリース
- シボレス実習活用編
- 学認技術ガイド > IdP構築後のカスタマイズ 内「IdPアップデート手順」
- 学認技術ガイド > 貴学にてIdPv3をインストールする場合の構築手順
idp.persistentId.store