Installing Shibbolized Tiqr
This document describes how to install Shibbolized Tiqr in an environment where a Shibboleth IdP has already been installed.
- Install Shibboleth SP
- Deploy TiqrShib (tar.gz file)
- Deploy Related Library
- Modify Library
- Configure Apache
- Configure TiqrShib handler in Shibboleth
- Configure Initial Setting of TiqrShib
1. Install Shibboleth SP in IdP Server
The SP function is required when a Tiqr account is enrolled in the IdP. This SP does not need to join the federation; it only needs to communicate with the IdP. The IdP includes the SP's metadata in its relying-party.xml, and the installed SP includes only the IdP's metadata.
2. Deploy TiqrShib
Obtain the source code from the repository, then:
- Copy tiqrzenddemo to /var/tiqrzenddemo
- Copy var/www/html/TiqrShib to /var/www/html/TiqrShib (deploy trans.php)
- Copy var/www/html/tiqrenroll/index.html to /var/www/html/tiqrenroll (deploy index.html)
Modify the server FQDN in the above index.html (the following part):

```html
<input style="font:8pt" type=button value="Register" onclick="window.location.href='https://(FQDN of the IdP server)/TiqrShib/trans.php'">
```
3. Deploy Related Library
Download the following applications and deploy them.
| Application | Version | Download Site |
|---|---|---|
| Tiqr-library | 1.0.0 | |
| Tiqr-zendframework | 1.0.0 | |
| ZendFramework | 1.12.2-minimal | |
| phpqrcode | 1.1.4 | |
```sh
mkdir /var/www/library
cp -rf tiqr-server-library-1.0.0/library/tiqr /var/www/library/libTiqr
cp -rf tiqr-server-zendframework-1.0.0/library/tiqr-zf /var/www/library/tiqr-zf
cp -rf phpqrcode /var/www/library/phpqrcode
```

Deploy ZendFramework-1.12.1-minimal under /usr/share and create the link there:

```sh
ln -s ZendFramework-1.12.1-minimal ZendFramework
```
Confirm that the following links exist. If they do not, create the symbolic links as follows:

```sh
ln -s /var/www/library/libTiqr /var/tiqrzenddemo/library/tiqr
ln -s /var/www/library/phpqrcode /var/tiqrzenddemo/library/phpqrcode
ln -s /var/www/library/tiqr-zf /var/tiqrzenddemo/library/tiqr-zf
ln -s /usr/share/ZendFramework /var/tiqrzenddemo/library/zend
```
(*) If you prefer not to use links, you can copy the files into both directories.
In that case the libraries must be stored under /var/tiqrzenddemo/library/, and the following modification is also required in /var/tiqrzenddemo/public/index.php:

```php
// Ensure library/ is on include_path
set_include_path(implode(PATH_SEPARATOR, array(
    realpath(APPLICATION_PATH . '/../library/zend/library'),
    realpath(APPLICATION_PATH . '/../library/tiqr'),
    realpath(APPLICATION_PATH . '/../library/tiqr-zf'),
    realpath(APPLICATION_PATH . '/../library/libTiqrShib'),
    get_include_path(),
)));
```
Configure Library Path
Include the following setting in /etc/php.ini:

```ini
include_path = ".:/usr/share/ZendFramework/library:/var/www/library/libTiqr"
```
4. Modify the Libraries
【ZendFramework modification】 => Work report p.23
Add the following to /usr/share/ZendFramework/library/Zend/View/Helper/Placeholder/Container/Abstract.php:

```php
/**
 * Sort the array by key
 *
 * @return array
 */
public function ksort()
{
    $items = $this->getArrayCopy();
    return ksort($items);
}
```
【Tiqr, Tiqr-zf modifications】 => Work report p.25-30 (p.28 is already reflected in TiqrShib)
Modify /var/www/library/tiqr-zf/Tiqr/Resource/Tiqr.php (p.25). The commented line is the original; replace it with the line below it:

```php
# require_once "Tiqr/Server.php";
require_once "Tiqr/Service.php";
```
Modify /var/www/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php (p.26). Each commented line is the original; replace it with the line below it:

```php
# case Tiqr_Server::AUTH_RESULT_AUTHENTICATED:
case Tiqr_Service::AUTH_RESULT_AUTHENTICATED:
# case Tiqr_Server::AUTH_RESULT_INVALID_CHALLENGE:
case Tiqr_Service::AUTH_RESULT_INVALID_CHALLENGE:
# case Tiqr_Server::AUTH_RESULT_INVALID_REQUEST:
case Tiqr_Service::AUTH_RESULT_INVALID_REQUEST:
# case Tiqr_Server::AUTH_RESULT_INVALID_RESPONSE:
case Tiqr_Service::AUTH_RESULT_INVALID_RESPONSE:
# case Tiqr_Server::AUTH_RESULT_INVALID_USERID:
case Tiqr_Service::AUTH_RESULT_INVALID_USERID:
```
Add to /var/www/library/libTiqr/Tiqr/Random.php (p.27). Insert the following directly below `public static function randomBytes($length)`:

```php
$strong = false;
$rnd = "";
```
Modify and add to /var/tiqrzenddemo/application/configs/application.ini (p.28: already applied in the provided code).
・Modified entries (the commented lines are the originals; when actually editing, delete the lines starting with "#", because they cause an error.)

```ini
# resources.tiqr.identifier = "zeus.local"
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
# resources.tiqr.name = "Zeus"
resources.tiqr.name = "vm2"
# resources.tiqr.auth.protocol = "surfauth"
resources.tiqr.auth.protocol = "tiqrauth"
# resources.tiqr.logoUrl = "http://zeus.local/img/surfmedia-logo.png"
resources.tiqr.logoUrl = "https://vm2.peofiamp.nii.ac.jp/icons/GakuNin_logo.png"
# resources.tiqr.session.secret = "enter something truly random here, preferably generated using openssl"
resources.tiqr.session.secret = "0124567abcdefgh"
```
・Added entries

```ini
# (add the following below resources.tiqr.userstorage.path = "/tmp")
resources.tiqr.ocra.suite = "OCRA-1:HOTP-SHA1-6:QH10"
resources.log.stream.writerName = "Stream"
resources.log.stream.writerParams.stream = APPLICATION_PATH "/logs/application_" DATESTAMP ".log"
resources.log.stream.writerParams.mode = "a"
resources.log.stream.filterName = "Priority"
resources.log.stream.filterParams.priority = 7
```
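The session secret shown in the modified entries is only a sample value; the original comment in application.ini asks for something truly random, preferably generated with OpenSSL. The following PHP script is an added example, not part of the TiqrShib code or the work report: it generates a hex session secret with openssl_random_pseudo_bytes() and lints the text of application.ini for the two mistakes this section warns about, leftover "#" comment lines (an error when the file is parsed) and a weak or placeholder session secret, and also confirms the added resources.tiqr.ocra.suite key is present. The sample ini text is constructed inline, and the function names are the example's own.

```php
<?php
// Added example (not part of TiqrShib or the work report): generate a session
// secret and lint application.ini for the mistakes this section warns about.

// Generate a hex-encoded session secret from the OpenSSL CSPRNG.
function generateSessionSecret($bytes = 32)
{
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('OpenSSL did not return cryptographically strong bytes');
    }
    return bin2hex($raw);
}

// Lint the text of application.ini. Returns an array of finding strings
// (empty when the file passes the checks).
function checkApplicationIni($iniText)
{
    $findings = array();
    $keys = array();
    foreach (preg_split('/\r?\n/', $iniText) as $n => $line) {
        $trim = trim($line);
        if ($trim === '') {
            continue;
        }
        // "#" comment lines are what this section says must be deleted.
        if ($trim[0] === '#') {
            $findings[] = 'line ' . ($n + 1) . ': "#" comment line must be removed';
            continue;
        }
        // ";" comments and [section] headers carry no key.
        if ($trim[0] === ';' || $trim[0] === '[') {
            continue;
        }
        $eq = strpos($trim, '=');
        if ($eq !== false) {
            $key = trim(substr($trim, 0, $eq));
            $val = trim(substr($trim, $eq + 1), " \t\"");
            $keys[$key] = $val;
        }
    }
    if (!isset($keys['resources.tiqr.session.secret'])) {
        $findings[] = 'resources.tiqr.session.secret is missing';
    } else {
        $secret = $keys['resources.tiqr.session.secret'];
        // Require at least 32 hex characters (128 bits) and reject the sample value.
        if (strlen($secret) < 32 || !ctype_xdigit($secret) || $secret === '0124567abcdefgh') {
            $findings[] = 'resources.tiqr.session.secret is weak or a placeholder';
        }
    }
    if (!isset($keys['resources.tiqr.ocra.suite'])) {
        $findings[] = 'resources.tiqr.ocra.suite is not set';
    }
    return $findings;
}

// Constructed sample: the state after the edits above, before the "#" lines are removed.
$sample = <<<'INI'
[production]
# resources.tiqr.identifier = "zeus.local"
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
resources.tiqr.session.secret = "0124567abcdefgh"
resources.tiqr.ocra.suite = "OCRA-1:HOTP-SHA1-6:QH10"
INI;

foreach (checkApplicationIni($sample) as $finding) {
    echo $finding, "\n";
}
echo "suggested secret: ", generateSessionSecret(), "\n";
```

Run it with the php command-line binary after editing the file (read the real file with file_get_contents() instead of the constructed sample), remove any "#" lines it reports, and paste the generated value into resources.tiqr.session.secret. The $strong out-parameter checked here is the same one the two variables added to Random.php above initialize, assuming that function goes on to call openssl_random_pseudo_bytes().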
Modify /var/tiqrzenddemo/application/modules/v1/views/scripts/login/index.phtml (p.29). The commented line is the original:

```php
# $this->headScript()->prependFile($this->baseURL().'/scripts/jquery.js')
$this->headScript()->prependFile($this->baseUrl().'/scripts/jquery.js')
```
Modify /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Enroll/Abstract.php (p.30). The commented line is the original:

```php
# $this->view->enrollmentURL = $this->_getTiqr()->generateEnrollmentURL($metadataURL);
$this->view->enrollmentURL = $metadataURL;
```
Modify /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Login/Abstract.php. The commented line is the original:

```php
//$secret = pack('H*', $this->_getUserSecret($userId));
$secret = $this->_getUserSecret($userId);
```
5. Apache Configuration
<httpd.conf>
Add:

```apache
Alias /tiqr/ "/var/tiqrzenddemo/public/"
```

<ssl.conf>
Add:

```apache
<Location /tiqr>
    RewriteEngine On
    RewriteBase /tiqr
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^.*$ /tiqr/index.php [NC,L]
</Location>
```

【.htaccess settings】 => Work report p.22
Delete the following from /var/tiqrzenddemo/public/.htaccess:

```apache
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
```
6. Configuring the TiqrShib Handler in Shibboleth
Compile tiqrshibAuthn.java from the CD to produce tiqrshibAuthn.class.
Create /usr/java/tomcat/webapps/idp/WEB-INF/classes/ and place the class file there.
The compile command looks like this:

```sh
javac -classpath /usr/java/tomcat/lib/servlet-api.jar:\
/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-common-1.3.0.jar:\
/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-identityprovider-2.3.0.jar:\
/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-jce-1.1.0.jar:\
/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/slf4j-api-1.6.1.jar:\
/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/openws-1.4.2.jar:\
/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/xmltooling-1.3.2.jar \
tiqrshibAuthn.java
```
Configure web.xml and handler.xml. => Work report p.38, p.39
(*) In handler.xml, add the new handler while leaving the UserPassword handler in place (that is, do not comment it out).
Modify /usr/java/tomcat/webapps/idp/WEB-INF/web.xml:

```xml
<!-- Servlet protected by container used for TiqrShib authentication -->
<servlet>
    <servlet-name>TiqrShibAuthHandler</servlet-name>
    <servlet-class>tiqrshibAuthn</servlet-class>
    <init-param>
        <param-name>authnMethod</param-name>
        <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>TiqrShibAuthHandler</servlet-name>
    <url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping>
```

Add the following to the IdP's handler.xml:

```xml
<ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="/Authn/TiqrShib">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ph:AuthenticationMethod>
</ph:LoginHandler>
```
【Shibboleth settings】
(1) IdP settings
Make the Username/Password handler the default.
Add the following to /usr/java/tomcat/webapps/idp/WEB-INF/web.xml:

```xml
<!-- Servlet for doing Username/Password authentication -->
<servlet>
    <servlet-name>UsernamePasswordAuthHandler</servlet-name>
    <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
    <init-param>
        <param-name>authnMethod</param-name>
        <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>
```

Set the following in relying-party.xml:

```xml
<rp:DefaultRelyingParty provider="https://(IdP server)/idp/shibboleth"
                        defaultSigningCredentialRef="IdPCredential"
                        defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
```
(2) Settings for the SP on the IdP server
Add a SessionInitiator to shibboleth2.xml:

```xml
<!-- Special SessionInitiator for Tiqr!!! -->
<SessionInitiator type="SAML2" Location="/TiqrShib" id="siid1"
                  entityID="https://simptest2.nec.test/idp/shibboleth"
                  template="bindingTemplate.html"
                  authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
```

Add to /etc/httpd/conf.d/shibd.conf:

```apache
<Location /TiqrShib>
    AuthType shibboleth
    ShibRequestSetting requireSessionWith siid1
    require valid-user
</Location>
```
(3) SP settings (for an SP, separate from the IdP server, that requests Tiqr authentication)
In the SessionInitiator, set authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract":

```xml
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="tiqrshiblogin"
                  authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="SAMLDS" URL="https://(DS server)/ds/WAYF"/>
</SessionInitiator>
```
7. Initial Settings for TiqrShib
Configure the loading of initial values in application/Bootstrap.php. (=> Work report p.34)

```php
<?php
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    // retrieve tiqrshib constants
    protected function _initConstants()
    {
        $options = $this->getOption('constants');
        if (is_array($options)) {
            foreach ($options as $key => $value) {
                if (!defined($key)) {
                    define($key, $value);
                }
            }
        }
    }

    protected function _initLogger()
    {
        $this->bootstrap("log");
        $logger = $this->getResource("log");
        Zend_Registry::set("logger", $logger);
    }
}
```

(*) The tiqrshib code in tiqrshib20130329.tar.gz contains log output code, so the Logger setting above is also required.
【Tiqr initial settings】 (Work report p.33)
Modify the settings in /var/tiqrzenddemo/application/config/application.ini:

```ini
; Enter the server's FQDN.
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
; Enter the name of the Tiqr server (displayed in the app).
resources.tiqr.name = "vm2"
; Logo shown in the app: a png file of about 5 KB. At around 100 KB it takes a long time to load into the app.
resources.tiqr.logoUrl = "https://vm2.peofiamp.nii.ac.jp/icons/gakunin-logo.png"
; Security domain of the eppn sent by the IdP.
constants.TIQRSHIB_DOMAIN = "nii.ac.jp"
; For the LDAP settings below, use the same values as in attribute-resolver.xml.
constants.TIQRSHIB_LDAP_HOST = "localhost"
constants.TIQRSHIB_LDAP_PORT = "389"
constants.TIQRSHIB_LDAP_BASEDN = "o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_BINDREQUIRESDN = "true"
constants.TIQRSHIB_LDAP_USERNAME = "cn=Manager,o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_PASSWORD = "password"
```
(*) The LDAP search uses "uid" as the filter attribute.
If you use an attribute name other than uid, change "uid" on the following line (it occurs in 2 places) in /var/tiqrzenddemo/library/libTiqrShib/tiqrShibLdap.php:

```php
$result = $ldap->search('(uid='.$userId.')');
```
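The search line above builds the filter by concatenating the user identifier into the string. As an added example, not part of tiqrShibLdap.php or the work report, the following PHP builds the same filter with the attribute name configurable (the point of the note above) and the value escaped as RFC 4515 requires, so the search stays correct for any identifier value, including one containing "*", "(", ")" or "\". The constant name TIQRSHIB_LDAP_UID_ATTR, the function names and the sample identifiers are the example's own assumptions.

```php
<?php
// Added example (not part of tiqrShibLdap.php): build the user search filter
// with a configurable attribute name and an RFC 4515-escaped value.

// Attribute used to look up the user. This constant name is the example's own;
// if adopted, set it alongside the other constants.* keys in application.ini so
// Bootstrap::_initConstants() defines it.
if (!defined('TIQRSHIB_LDAP_UID_ATTR')) {
    define('TIQRSHIB_LDAP_UID_ATTR', 'uid');
}

// Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
// strtr() with an array replaces all pairs in a single pass, so the backslash
// escape does not get re-escaped.
function ldapFilterEscape($value)
{
    $map = array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    );
    return strtr($value, $map);
}

// Build "(attr=value)" with the value escaped. The attribute name is validated
// against the LDAP attribute-description syntax so it cannot inject filter syntax.
function buildUserFilter($userId, $attr = TIQRSHIB_LDAP_UID_ATTR)
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attr)) {
        throw new InvalidArgumentException('invalid LDAP attribute name: ' . $attr);
    }
    return '(' . $attr . '=' . ldapFilterEscape($userId) . ')';
}

// Constructed identifiers: a plain one and one containing filter metacharacters.
foreach (array('alice', 'a*)(objectClass=*') as $id) {
    echo buildUserFilter($id), "\n";
}

// With this helper, the two search lines in tiqrShibLdap.php would read:
//   $result = $ldap->search(buildUserFilter($userId));
```

If you prefer the library call, Zend_Ldap_Filter::equals($attr, $value) in ZF 1.12 applies the same escaping and returns a filter object that $ldap->search() accepts directly; on PHP 5.6 and later, ldap_escape($value, '', LDAP_ESCAPE_FILTER) is the built-in equivalent of ldapFilterEscape().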