...
conf/saml-nameid.xml
<ref bean="shibboleth.SAML2PersistentGenerator" />
をアンコメントして有効にします。展開 コード ブロック language xml title conf/saml-nameid.xml <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- -->
コード ブロック language diff title 差分 <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> - <!-- + <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> - --> + <!-- -->
conf/saml-nameid.properties
idp.persistentId.sourceAttribute,
idp.persistentId.salt, idp.persistentId.generatorとidp.persistentId.store
を設定します。idp.persistentId.salt
には他人が推測できないランダムな値を指定してください。古いIdPから設定を引き継ぐ場合は同じ値を指定してください。展開 コード ブロック language java title conf/saml-nameid.properties # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX # To use a database, use shibboleth.StoredPersistentIdGenerator idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator # For basic use, set this to a JDBC DataSource bean name: #idp.persistentId.dataSource = PersistentIdDataSource # For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore idp.persistentId.store = MyPersistentIdStore # Set to an empty property to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
コード ブロック language diff title 差分 # Persistent IDs can be computed on the fly with a hash, or managed in a database # For computed IDs, set a source attribute and a secret salt: -#idp.persistentId.sourceAttribute = changethistosomethingreal +idp.persistentId.sourceAttribute = uid #idp.persistentId.useUnfilteredAttributes = true # Do *NOT* share the salt with other people, it's like divulging your private key. #idp.persistentId.algorithm = SHA -#idp.persistentId.salt = changethistosomethingrandom +idp.persistentId.salt = XXXXXXXXXXXXXXXXXXXXXXXXXXX # To use a database, use shibboleth.StoredPersistentIdGenerator -#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator +idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator # For basic use, set this to a JDBC DataSource bean name: #idp.persistentId.dataSource = PersistentIdDataSource # For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore -#idp.persistentId.store = MyPersistentIdStore +idp.persistentId.store = MyPersistentIdStore # Set to an empty property to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
conf/attribute-resolver.xml
conf/attribute-resolver.xml
のidp.persistentId.sourceAttribute
で指定したresolver:AttributeDefinitionをコメントアウトします
。展開 コード ブロック language xml title conf/attribute-resolver.xml <!-- Schema: Core schema attributes--> <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> <!--
コード ブロック language diff title 差分 <!-- Schema: Core schema attributes--> - <!-- + <!-- --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" /> </resolver:AttributeDefinition> + <!--
shibpidテーブルの作成
shibpidテーブルを作成します。展開 コード ブロック language sql title shibpid CREATE TABLE shibpid ( localEntity VARCHAR(255) NOT NULL, peerEntity VARCHAR(255) NOT NULL, persistentId VARCHAR(50) NOT NULL, principalName VARCHAR(50) NOT NULL, localId VARCHAR(50) NOT NULL, peerProvidedId VARCHAR(50) NULL, creationDate TIMESTAMP NOT NULL, deactivationDate TIMESTAMP NULL, PRIMARY KEY (localEntity, peerEntity, persistentId) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
conf/saml-nameid.xml
conf/saml-nameid.xm
lで、idp.persistentId.store
で指定したbean MyPersistentIdStoreを定義します。MyPersistentIdStore
を定義します。展開 コード ブロック language xml title conf/saml-nameid.xml <!-- ========================= SAML NameID Generation ========================= --> <!-- A "store"DataSource bean suitable for use in the idp.persistentId.storedataSource property. --> <bean id="MyPersistentIdStoreMyDataSource" parent="shibboleth.JDBCPersistentIdStore class="org.apache.tomcat.dbcp.dbcp.BasicDataSource" p:dataSource-refdriverClassName="MyDataSourcecom.mysql.jdbc.Driver" p:queryTimeouturl="PT2Sjdbc:mysql://localhost:3306/shibboleth" p:retryableErrorsusername="#{{'23000'}}" /> username" <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. --> p:password="password" <bean idp:maxActive="MyDataSource10" classp:maxIdle="org.apache.tomcat.dbcp.dbcp.BasicDataSource5" p:driverClassNamemaxWait="com.mysql.jdbc.Driver15000" p:urltestOnBorrow="jdbc:mysql://localhost:3306/shibbolethtrue" p:usernamevalidationQuery="usernameselect 1" p:passwordvalidationQueryTimeout="password5" /> <!-- A p:maxActive="10store" bean suitable for use in the p:maxIdle="5"idp.persistentId.store property. --> <bean p:maxWait="15000id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore" p:testOnBorrowdataSource-ref="trueMyDataSource" p:validationQueryqueryTimeout="select 1PT2S" p:validationQueryTimeoutretryableErrors="5#{{'23000'}}" />
コード ブロック language diff title 差分 <!-- ========================= SAML NameID Generation ========================= --> + <!-- A "store" bean suitable for use in the idp.persistentId.store property. --> + <bean id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore" + p:dataSource-ref="MyDataSource" + p:queryTimeout="PT2S" + SAML NameID p:retryableErrors="#{{'23000'}}" /> + Generation ========================= --> + <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. --> + <bean id="MyDataSource" + class="org.apache.tomcat.dbcp.dbcp.BasicDataSource" + p:driverClassName="com.mysql.jdbc.Driver" + p:url="jdbc:mysql://localhost:3306/shibboleth" + p:username="username" + p:password="password" + p:maxActive="10" + p:maxIdle="5" + p:usernamemaxWait="username15000" + p:passwordtestOnBorrow="passwordtrue" + p:maxActivevalidationQuery="10select 1" + p:maxIdlevalidationQueryTimeout="5" /> + + <!-- A "store" bean suitable for use in the p:maxWait="15000idp.persistentId.store property. --> + <bean id="MyPersistentIdStore" parent="shibboleth.JDBCPersistentIdStore" + p:testOnBorrowdataSource-ref="trueMyDataSource" + p:validationQueryqueryTimeout="select 1PT2S" + p:validationQueryTimeoutretryableErrors="5#{{'23000'}}" />
Shibboleth IdP 3.1の情報
...
conf/attribute-resolver.xml
展開 コード ブロック language xml title conf/attribute-resolver.xml <!-- ========================================== --> <!-- Attribute Definitions --> <!-- ========================================== --> <!-- Schema: eduPerson attributes --> <!-- Attribute Definition for eduPersonTargetedID --> <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID"> <resolver:Dependency ref="computedID" /> <resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> <resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> </resolver:AttributeDefinition> <!-- ========================================== --> <!-- Data Connectors --> <!-- ========================================== --> <!-- Computed targeted ID connector --> <resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc" id="computedID" generatedAttributeID="computedID" sourceAttributeID="uid" salt="changethistosomethingrandom"> <resolver:Dependency ref="myLDAP" /> </resolver:DataConnector>
conf/attribute-filter.xml
展開 コード ブロック language xml title conf/attribute-filter.xml <!-- Release to sp.example.jp --> <afp:AttributeFilterPolicy id="PolicyforSP1ExampleJP"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.jp/shibboleth-sp" /> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy>
conf/attribute-resolver.xml
のData ConnectorはShibboleth のComputedIdConnectorはShibboleth IdP 3の機能を用いて、persistent-idの設定で定義したconf/saml-nameid.propertiesの
プロパティを使って書くこともできます。
...
conf/attribute-resolver.xml
のData ConnectorはShibboleth のStoredIdConnectorはShibboleth IdP 3の機能を用いて、persistent-idの設定で定義したconf/saml-nameid.xml
(3.1ではconf/global.xmlの
beanとxml
)のbean MyDataSource
とconf/saml-nameid.propertiesのプ
ロパティを使って書くこともできます。
...