
...


<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
    helpLocation="/about.html"
    styleSheet="/shibboleth-sp/main.css"/>

<!-- Example of remotely supplied batch of signed metadata. -->
<!-- -->
<!--
<MetadataProvider type="XML" validate="true"
uri="
https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml"
-->
<MetadataProvider type="XML" validate="true"
      uri="
https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml
"
      backingFilePath="federation-metadata.xml" reloadInterval="7200"
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1296000"/>
    <!--
    <MetadataFilter type="Signature" certificate="/etc/shibboleth/cert/ex-fed.crt"/>
    -->
    <MetadataFilter type="Signature" certificate="/etc/shibboleth/cert/gakunin-test-signer-2011.cer"/>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery" />
    <TransportOption provider="CURL" option="64">1</TransportOption>
    <TransportOption provider="CURL" option="81">2</TransportOption>
    <TransportOption provider="CURL" option="10065">/etc/pki/tls/certs/ca-bundle.crt</TransportOption>

</MetadataProvider>
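Review bot: The start tag that opens on L31 is not closed as rendered: L35 ends with `reloadInterval="7200"` and no `>` before the child `<MetadataFilter>` on L36, so the snippet is not well-formed as shown; presumably a rendering artifact, but it should read `backingFilePath="federation-metadata.xml" reloadInterval="7200">`. The `uri` value on L32-L34 likewise spans line breaks, which an XML parser would normalize into spaces inside the attribute; in the real file it must be on one line. The Signature filter on L40 makes `gakunin-test-signer-2011.cer` the single trust anchor for everything this provider loads, and the same file is fetched with wget on L78, so its fingerprint should be confirmed against the federation's published value before it is installed; the same applies to the IdP snippets below (L183 and L174-L185). The three TransportOptions on L45-L47 are libcurl's CURLOPT_SSL_VERIFYPEER=1, CURLOPT_SSL_VERIFYHOST=2 and CURLOPT_CAINFO, which is what makes the HTTPS download of the metadata verify the server certificate, so a short comment above L45 such as `<!-- enforce TLS peer/host verification and the CA bundle for the metadata download -->` would stop them being dropped as opaque magic numbers.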
<!-- -->

<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" validate="true" file="partner-metadata.xml"/>
-->

④ shibdおよびhttpdを再起動します。

servicesystemctl restart httpd
systemctl restart
service shibd restart


⑤ テストフェデレーションDSから接続テスト用IdPを選択します。
・各自構築したSPにアクセスします。

...

cd /opt/shibboleth-idp/credentials
wget https://metadata.gakunin.nii.ac.jp/gakunin-test-signer-2011.cer


relying-party.xml / metadata-providers.xml のメタデータ自動ダウンロード設定を変更します。


<!-- =========================================== -->
<!-- Metadata Configuration -->
<!-- =============================================== -->
<!-- MetadataProvider the combining other MetadataProviders -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
(省略)
    <!-- Example metadata provider. -->
    <!-- Reads metadata from a URL and store a backup copy on the file system. -->
    <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
    <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
    <!-- -->
    <!--
    <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                     metadataURL="https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml"
                     backingFile="/opt/shibboleth-idp/metadata/some-metadata.xml">
    -->
    <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                     metadataURL="https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml"
                     backingFile="/opt/shibboleth-idp/metadata/some-metadata.xml">
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
            <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
                            maxValidityInterval="P15D" />
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                            trustEngineRef="shibboleth.MetadataTrustEngine"
                            requireSignedMetadata="true" />
                <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
                <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
            </metadata:MetadataFilter>
        </metadata:MetadataFilter>
    </metadata:MetadataProvider>
    <!-- -->
</metadata:MetadataProvider>
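Review bot: The EntityRoleWhiteList filter on L117 is indented one level deeper than its sibling filters on L112 and L114, although its closing tag on L119 sits at the sibling level, so the three members of the ChainingFilter should be aligned to the same column. The `trustEngineRef="shibboleth.MetadataTrustEngine"` on L115 is only meaningful together with the `security:TrustEngine` that the page renders further down at L178-L185 (interleaved with the IdP v3 snippet), whose sole credential is `gakunin-test-signer-2011.cer`; a comment on L114 such as `<!-- signature is checked against the certificate in shibboleth.MetadataTrustEngine -->` would make that dependency visible. The `backingFile` name `some-metadata.xml` on L110 is the placeholder from the stock example, while the v3 snippet uses `gakunin-metadata-backing.xml` (L166); a descriptive name would keep the two consistent.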

...

                            Metadata Configuration                                         -->
<!--                                                                                            -->
<!--  Below you place the mechanisms which define how to load the metadata for the SP you will  -->
<!--  provide a service to.                                                                     -->
<!--                                                                                            -->
<!--  Two examples are provided.  The Shibboleth Documentation at                               -->
<!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
<!--  provides more details.                                                                    -->
<!--                                                                                            -->
<!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
<!--                                                                                            -->
<!-- ========================================== -->

<!-- Security Configurations -->
<!-- ================================================ -->

<!--
Example HTTP metadata provider.  Use this if you want to download the metadata
from a remote source.

(省略)

<!-- -->


<!--
<MetadataProvider
<security:Credential id="IdPCredential" HTTPMetadata"
                  xsi:type="
security:X509FilesystemFileBackedHTTPMetadataProvider">

    <security:PrivateKey>/opt/shibboleth-idp/credentials/server.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/server.crt</security:Certificate>
</security:Credential>
                  backingFile="%{idp.home}/metadata/gakunin-metadata-backing.xml"
                  metadataURL="https://ex-ds.gakunin.nii.ac.jp/fed/ex-fed-metadata.xml">
-->
<MetadataProvider id="HTTPMetadata"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/gakunin-metadata-backing.xml"
                  metadataURL="https://metadata.gakunin.nii.ac.jp/gakunin-test-metadata.xml">

<!--
 
   <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/ex-fed.crt">
-->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}
<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<!-- -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
        <!--
        <security:Certificate>/opt/shibboleth-idp/credentials/ex-fed.crt</security:Certificate>
        -->
        <security:Certificate>/opt/shibboleth-idp/credentials/gakunin-test-signer-2011.cer</security:Certificate>
    </security:Credential>
</security:TrustEngine>.cer">
<!--
          <PublicKey>
              MIIBI.....
          </PublicKey>
-->
    </MetadataFilter>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P15D"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
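Review bot: The `certificateFile` attribute of the SignatureValidation filter is split across L175 and L185 as rendered, with the IdP v2 TrustEngine block inserted between them, so the value cannot be read from the page; by comparison with L183 it is presumably `certificateFile="%{idp.home}/credentials/gakunin-test-signer-2011.cer">`, which should be confirmed against the actual file. That certificate, together with `requireSignedRoot="true"` on L174, is what rejects unsigned or tampered metadata, so the year in its filename means the attribute has to be edited when the federation rotates its signing key; a comment on L174 such as `<!-- trust anchor for federation metadata; update when the signing certificate is rotated -->` would record that. The commented-out `<PublicKey>MIIBI.....</PublicKey>` placeholder on L186-L190 is left over from the stock example and can be removed to avoid suggesting a second, inline key source.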
<!-- -->


tomcatを再起動します。 

servicesystemctl tomcat6restart restarttomcat


テストフェデレーションの接続テスト用SP https://test-sp1.gakunin.nii.ac.jp にアクセスします。

...