ページ履歴

...

• conf/saml-nameid.xml
<ref bean="shibboleth.SAML2PersistentGenerator" /> をアンコメントして有効にします。

  展開
  コード ブロック language xml title conf/saml-nameid.xml <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- --> コード ブロック language diff title 差分 <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> - <!-- + <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> - --> + <!-- -->

• conf/saml-nameid.properties
idp.persistentId.sourceAttribute, idp.persistentId.salt, idp.persistentId.generatorとidp.persistentId.storeを設定します。idp.persistentId.saltには他人が推測できないランダムな値を指定してください。古いIdPから設定を引き継ぐ場合は同じ値を指定してください。

  展開

  コード ブロック language java title conf/saml-nameid.properties # Persistent IDs can be computed on the fly with a hash, or managed in a database   # For computed IDs, set a source attribute and a secret salt: idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX   # To use a database, use shibboleth.StoredPersistentIdGenerator idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator # For basic use, set this to a JDBC DataSource bean name: #idp.persistentId.dataSource = PersistentIdDataSource # For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore idp.persistentId.store = MyPersistentIdStore # Set to an empty property to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator コード ブロック language diff title 差分 # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: -#idp.persistentId.sourceAttribute = changethistosomethingreal +idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA -#idp.persistentId.salt = changethistosomethingrandom +idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX # To use a database, use shibboleth.StoredPersistentIdGenerator -#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator +idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator # For basic use, set this to a JDBC DataSource bean name: #idp.persistentId.dataSource = PersistentIdDataSource # For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore -#idp.persistentId.store = MyPersistentIdStore +idp.persistentId.store = MyPersistentIdStore # Set to an empty property to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator

• conf/attribute-resolver.xml
conf/attribute-resolver.xmlのidp.persistentId.sourceAttributeで指定したresolver:AttributeDefinitionをコメントアウトします。

  展開

  コード ブロック language xml title conf/attribute-resolver.xml <!-- Schema: Core schema attributes--> <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> <!-- コード ブロック language diff title 差分 <!-- Schema: Core schema attributes--> - <!-- + <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> + <!--

• shibpidテーブルの作成
  shibpidテーブルを作成します。

  展開

  コード ブロック language sql title shibpid CREATE TABLE shibpid ( localEntity VARCHAR(255) NOT NULL, peerEntity VARCHAR(255) NOT NULL, persistentId VARCHAR(50) NOT NULL, principalName VARCHAR(50) NOT NULL, localId VARCHAR(50) NOT NULL, peerProvidedId VARCHAR(50) NULL, creationDate TIMESTAMP NOT NULL, deactivationDate TIMESTAMP NULL, PRIMARY KEY (localEntity, peerEntity, persistentId) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

• conf/globalsaml-nameid.xml
conf/global.xmlでsaml-nameid.xmlで、idp.persistentId.storeのbeanを定義します。で指定したbean MyPersistentIdStoreを定義します。

  展開

  コード ブロック language xml title conf/globalsaml-nameid.xml (Tomcat 7の場合) <!-- Use this file to define any custom beans needed globally. --> <bean id="MyDataSource" class="org.apache.tomcat.dbcp.dbcp.BasicDataSource"========================= SAML NameID Generation ========================= --> <!-- A "store" bean suitable for use in the idp.persistentId.store property. --> <bean p:driverClassNameid="MyPersistentIdStore" parent="com.mysql.jdbc.Drivershibboleth.JDBCPersistentIdStore" p:urldataSource-ref="jdbc:mysql://localhost:3306/shibbolethMyDataSource" p:usernamequeryTimeout="usernamePT2S" p:passwordretryableErrors="password"#{{'23000'}}" />   <!-- A p:maxActive="10" p:maxIdle="5" p:maxWait="15000DataSource bean suitable for use in the idp.persistentId.dataSource property. --> <bean id="MyDataSource" class="org.apache.tomcat.dbcp.dbcp.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:testOnBorrowusername="trueusername" p:validationQuerypassword="select 1" "password" p:maxActive="10" p:validationQueryTimeout="5" /> <bean id="PersistentIdStore" maxIdle="5" p:maxWait="15000" p:testOnBorrow="true" p:validationQuery="select 1" p:validationQueryTimeout="5" /> コード ブロック language diff title 差分 <!-- ========================= SAML NameID Generation ========================= --> + <!-- A "store" bean suitable for use in the idp.persistentId.store property. --> + <bean id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore" + p:dataSource-ref="MyDataSource" + class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:queryTimeout="PT2S" + p:dataSource-refretryableErrors="MyDataSource#{{'23000'}}" /> コード ブロック language xml title conf/global.xml (Tomcat 8の場合) + + <!-- UseA thisDataSource filebean tosuitable definefor anyuse customin beans needed globallythe idp.persistentId.dataSource property. --> + <bean id="MyDataSource" + class="org.apache.tomcat.dbcp.dbcp2dbcp.BasicDataSource" + p:driverClassName="com.mysql.jdbc.Driver" + p:url="jdbc:mysql://localhost:3306/shibboleth" + p:username="username" + p:password="password" + p:maxIdle="5"       p:maxTotalmaxActive="10"  +     p:maxWaitMillis="15000"       p:testOnBorrowmaxIdle="true5" + p:validationQuerymaxWait="select 115000" + p:validationQueryTimeouttestOnBorrow="5true" + /> <bean id="PersistentIdStore" class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:validationQuery="select 1" + p:dataSource-refvalidationQueryTimeout="MyDataSource5" /> 情報 Tomcat 8付属のDBCP2から、p:maxActiveはp:maxTotalに、p:maxWaitはp:maxWaitMillisに変更になりました。

   

Shibboleth IdP 3.1の情報

...

• [Shibboleth wiki] Identity Provider 3
• [Shibboleth wiki] IdP 3 / ReleaseNotes
• [SWITCH] Shibboleth Identity Provider (IdP) 3 Installation Guide
• [SWITCH] Shibboleth IdPv3: Considerations in the Context of SWITCHaai
  • 3.1 Operating Systems: Linux long-term support (Ubuntu Server 14.04 LTS / Red Hat Enterprise Linux 7 / CentOS 7)
  • 3.2 Java & Servlet Container: OpenJDK 7, Apache Tomcat 7 & Apache HTTP Server 2.4
  • 3.3 Database for persistentIDs and user consent: PostgreSQL
  • 3.4 IdP Session Storage: Client Session Storage with Cookies
• [upki-fed:00880] Re: Shibboleth IdP 3.0 リリース
• シボレス実習活用編
• 学認技術ガイド > IdP構築後のカスタマイズ 内「IdPアップデート手順」
• 学認技術ガイド > 貴学にてIdPv3をインストールする場合の構築手順

idp.persistentId.store

MyPersistentIdStore