Installing Shibbolized Tiqr

The following document explains how to install shibbolized Tiqr in the IdP environment.

To connect Tiqr and Shibboleth accounts, this shibbolized Tiqr uses the "title" and "street" attributes in LDAP, which correspond to the "isActive" and "secret" values of Tiqr, respectively. Please modify these attributes as appropriate for your environment. You can do so by changing /var/tiqrzenddemo/library/tiqrShibLdap.php

1. Installation of Shibboleth SP in IdP Server

The SP function is required when a Tiqr account is enrolled in the IdP. This SP does not need to join the federation; it only needs to communicate with the IdP. The IdP includes the SP's metadata in its relying-party.xml, and the installed SP likewise includes only the IdP's metadata.

2. Deployment of TiqrShib

Obtain the source code from the repository, then:

svn co https://forge.gakunin.nii.ac.jp/svn/tiqrshib/trunk tiqrshib
  1. Copy tiqrzenddemo to /var/tiqrzenddemo 
  2. Copy var/www/html/TiqrShib to /var/www/html/TiqrShib (deploy trans.php)
  3. Copy var/www/html/tiqrenroll/index.html to /var/www/html/tiqrenroll (deploy index.html)
    Modify the server FQDN in the above index.html (the following part)
<input style="font:8pt" type=button value="Register" onclick="window.location.href='https://(FQDN of the IdP server)/TiqrShib/trans.php'">

3. Deployment of Related Library

Download the following applications and deploy them.

| Application | Version | Download Site |
|---|---|---|
| Tiqr-server-library | 1.0.0 | https://tiqr.org/archives/196/ |
| Tiqr-server-zendframework | 1.0.0 | https://tiqr.org/archives/196/ |
| ZendFramework | 1.12.2-minimal or 1.12.2-full (*) 2.x.x is untested | http://framework.zend.com/downloads/latest |
| phpqrcode | 1.1.4 (*) php-gd is required | http://phpqrcode.sourceforge.net/ |

mkdir /var/www/library
cp -rf tiqr-server-library-1.0.0/library/tiqr /var/www/library/libTiqr
cp -rf tiqr-server-zendframework-1.0.0/library/tiqr-zf /var/www/library/tiqr-zf
cp -rf phpqrcode /var/www/library/phpqrcode
Deploy ZendFramework-1.12.1-minimal to /usr/share
ln -s ZendFramework-1.12.1-minimal ZendFramework

   Confirm that the following links exist. If they do not, create the soft links as follows.

ln -s /var/www/library/libTiqr    /var/tiqrzenddemo/library/tiqr
ln -s /var/www/library/phpqrcode  /var/tiqrzenddemo/library/phpqrcode
ln -s /var/www/library/tiqr-zf    /var/tiqrzenddemo/library/tiqr-zf
ln -s /usr/share/ZendFramework    /var/tiqrzenddemo/library/zend

   (*) If you don't like the links, you can copy the files into both directories.
      In that case, the libraries should be stored in /var/tiqrzenddemo/library/ . The following modification is also required in /var/tiqrzenddemo/public/index.php

// Ensure library/ is on include_path
  set_include_path(implode(PATH_SEPARATOR, array(
    realpath(APPLICATION_PATH . '/../library/zend/library'),
    realpath(APPLICATION_PATH . '/../library/tiqr'),
    realpath(APPLICATION_PATH . '/../library/tiqr-zf'),
    realpath(APPLICATION_PATH . '/../library/libTiqrShib'),
    get_include_path(),
  )));

Configure Library Path

Include the following configuration in /etc/php.ini

include_path = ".:/usr/share/ZendFramework/library:/var/www/library/libTiqr"

4. Modification of Library

Modification of ZendFramework

The following function has to be added in /usr/share/ZendFramework/library/Zend/View/Helper/Placeholder/Container/Abstract.php

    /**
     * Sort the array by key
     *
     * @return array
     */
    public function ksort()
    {
        $items = $this->getArrayCopy();
        return ksort($items);
    }

Modification of Tiqr, Tiqr-zf

Modification in /var/www/library/tiqr-zf/Tiqr/Resource/Tiqr.php

# require_once "Tiqr/Server.php";
require_once "Tiqr/Service.php";

Modification in /var/www/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php

# case Tiqr_Server::AUTH_RESULT_AUTHENTICATED:
case Tiqr_Service::AUTH_RESULT_AUTHENTICATED:
# case Tiqr_Server::AUTH_RESULT_INVALID_CHALLENGE:
case Tiqr_Service::AUTH_RESULT_INVALID_CHALLENGE:
# case Tiqr_Server::AUTH_RESULT_INVALID_REQUEST:
case Tiqr_Service::AUTH_RESULT_INVALID_REQUEST:
# case Tiqr_Server::AUTH_RESULT_INVALID_RESPONSE:
case Tiqr_Service::AUTH_RESULT_INVALID_RESPONSE:
# case Tiqr_Server::AUTH_RESULT_INVALID_USERID:
case Tiqr_Service::AUTH_RESULT_INVALID_USERID:

Addition in /var/www/library/libTiqr/Tiqr/Random.php

(Add the following under "public static function randomBytes($length)")
   $strong = false;
   $rnd = "";

Modification and Addition in /var/tiqrzenddemo/application/configs/application.ini

Modification Part (the commented lines starting with # must be removed; otherwise they cause an error)

# resources.tiqr.identifier = "zeus.local"
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
# resources.tiqr.name = "Zeus"
resources.tiqr.name = "vm2"
# resources.tiqr.auth.protocol = "surfauth"
resources.tiqr.auth.protocol = "tiqrauth"
# resources.tiqr.logoUrl  = "http://zeus.local/img/surfmedia-logo.png"
resources.tiqr.logoUrl  = "https://vm2.peofiamp.nii.ac.jp/icons/GakuNin_logo.png"
# resources.tiqr.session.secret = "enter something truly random here, preferably generated using openssl"
resources.tiqr.session.secret = "0124567abcdefgh"

Addition Part

# (Add the following under 'resources.tiqr.userstorage.path = "/tmp"')
resources.tiqr.ocra.suite = "OCRA-1:HOTP-SHA1-6:QH10"
resources.log.stream.writerName = "Stream"
resources.log.stream.writerParams.stream = APPLICATION_PATH "/logs/application_" DATESTAMP ".log"
resources.log.stream.writerParams.mode = "a"
resources.log.stream.filterName = "Priority"
resources.log.stream.filterParams.priority = 7

Modification in /var/tiqrzenddemo/application/modules/v1/views/scripts/login/index.phtml

# $this->headScript()->prependFile($this->baseURL().'/scripts/jquery.js')
$this->headScript()->prependFile($this->baseUrl().'/scripts/jquery.js')

Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Enroll/Abstract.php

# $this->view->enrollmentURL = $this->_getTiqr()->generateEnrollmentURL($metadataURL);
$this->view->enrollmentURL = $metadataURL;

Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Login/Abstract.php

//$secret = pack('H*', $this->_getUserSecret($userId));
$secret = $this->_getUserSecret($userId);

5. Configuration of Apache

httpd.conf (Add)

Alias /tiqr/ "/var/tiqrzenddemo/public/"

ssl.conf (Add)

<Location /tiqr>
       RewriteEngine On
       RewriteBase /tiqr
       RewriteCond %{REQUEST_FILENAME} -s [OR]
       RewriteCond %{REQUEST_FILENAME} -l [OR]
       RewriteCond %{REQUEST_FILENAME} -d
       RewriteRule ^.*$ - [NC,L]
       RewriteRule ^.*$ /tiqr/index.php [NC,L]
</Location>

Remove the following expression in /var/tiqrzenddemo/public/.htaccess

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]

6. Configuration of TiqrShib Handler in Shibboleth

Generate tiqrshibAuthn.class by compiling tiqrshibAuthn.java.
Copy the class file into /usr/java/tomcat/webapps/idp/WEB-INF/classes/
The following is an example of the compile options.

javac -classpath /usr/java/tomcat/lib/servlet-api.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-common-1.3.0.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-identityprovider-2.3.0.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/shibboleth-jce-1.1.0.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/slf4j-api-1.6.1.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/openws-1.4.2.jar:/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib/xmltooling-1.3.2.jar tiqrshibAuthn.java

Configuration of web.xml and handler.xml
(*) In the handler.xml configuration, the UserPassword handler must remain. That is, do not comment out the UserPassword handler; add the following TiqrShib handler as a new handler.

Modification in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml

<!-- Servlet protected by container used for TiqrShib authentication -->
    <servlet>
        <servlet-name>TiqrShibAuthHandler</servlet-name>
        <servlet-class>tiqrshibAuthn</servlet-class>
            <init-param>
                 <param-name>authnMethod</param-name>
                 <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</param-value>
            </init-param>
        <load-on-startup>3</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>TiqrShibAuthHandler</servlet-name>
        <url-pattern>/Authn/TiqrShib</url-pattern>
    </servlet-mapping>

Modification in handler.xml of shibboleth IdP

<ph:LoginHandler xsi:type="ph:ExternalAuthn"
                     externalAuthnPath="/Authn/TiqrShib" >

    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ph:AuthenticationMethod>
</ph:LoginHandler>

Configuration of Shibboleth

(1) Configuration of IdP

Make the Username/Password handler the default handler
Addition in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml

<!-- Servlet for doing Username/Password authentication -->
    <servlet>
        <servlet-name>UsernamePasswordAuthHandler</servlet-name>
        <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
            <init-param>
                 <param-name>authnMethod</param-name>
                 <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</param-value>
            </init-param>
        <load-on-startup>3</load-on-startup>
    </servlet>

Configuration in relying-party.xml

<rp:DefaultRelyingParty provider="https://IDP SERVER/idp/shibboleth"
                         defaultSigningCredentialRef="IdPCredential"
                         defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">

(2) Configuration of SP in IdP server

Add SessionInitiator in shibboleth2.xml

<!-- Special SessionInitiator for Tiqr!!! -->
            <SessionInitiator type="SAML2" Location="/TiqrShib" id="siid1" entityID="https://simptest2.nec.test/idp/shibboleth" template="bindingTemplate.html" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />

Addition in /etc/httpd/conf.d/shibd.conf

<Location /TiqrShib>
  AuthType shibboleth
  ShibRequestSetting requireSessionWith siid1
  require valid-user
</Location>

(3) Configuration of SP (Application SP which requests Tiqr authentication)

Add authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" to the SessionInitiator

<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="tiqrshiblogin" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract">
               <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
               <SessionInitiator type="Shib1"/>
               <SessionInitiator type="SAMLDS" URL="https://DS SERVER/ds/WAYF"/>
            </SessionInitiator>

7. Initial Setting of TiqrShib

Initial values setting in application/Bootstrap.php

<?php

class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    // retrieve tiqrshib constants
    protected function _initConstants()
    {
        $options = $this->getOption('constants');

        if (is_array($options)) {
            foreach($options as $key => $value) {
                if(!defined($key)) {
                    define($key, $value);
                }
            }
        }
    }


    protected function _initLogger() {

         $this->bootstrap("log");
         $logger = $this->getResource("log");
         Zend_Registry::set("logger", $logger);
     }

}

(*) The Logger function above is required because the tiqrshib code writes log output.

Initial Setting of Tiqr

Modification in /var/tiqrzenddemo/application/config/application.ini

resources.tiqr.identifier = "tiqr.nii.ac.jp"
↑ replace with your server FQDN
resources.tiqr.name = "vm2"
↑ server name of Tiqr (it will appear in the application)
resources.tiqr.logoUrl  = "https://tiqr.nii.ac.jp/icons/gakunin-logo.png"
↑ logo file shown in the application. 5KB is better. A file over 100KB takes a long time to load.
constants.TIQRSHIB_DOMAIN = "nii.ac.jp"
↑ eppn security domain of the IdP

↓ The following LDAP configuration is the same as in attribute-resolver.xml
constants.TIQRSHIB_LDAP_HOST = "localhost"
constants.TIQRSHIB_LDAP_PORT = "389"
constants.TIQRSHIB_LDAP_BASEDN = "o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_BINDREQUIRESDN = "true"
constants.TIQRSHIB_LDAP_USERNAME = "cn=Manager,o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_PASSWORD = "password"
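
The session secret and the LDAP bind password shown on this page are sample values. The following added example (not part of tiqrshib) flags them in application.ini text and generates a replacement session secret; the minimum lengths are assumptions, and generateSecret() assumes the PHP openssl extension is loaded.

```php
<?php
// Added example (not tiqrshib code): flag documentation-sample secrets in
// application.ini text and generate a replacement session secret.

function auditSecrets($iniText)
{
    // Sample values printed on this page; they must not reach production.
    $samples = array('0124567abcdefgh', 'password');
    // Keys are from this page; the minimum lengths are assumptions.
    $minLength = array(
        'resources.tiqr.session.secret'    => 32,
        'constants.TIQRSHIB_LDAP_PASSWORD' => 16,
    );
    $ini = parse_ini_string($iniText);
    if ($ini === false) {
        throw new RuntimeException('application.ini could not be parsed');
    }
    $findings = array();
    foreach ($minLength as $key => $min) {
        $value = isset($ini[$key]) ? (string) $ini[$key] : '';
        if ($value === '') {
            $findings[] = "$key: not set";
        } elseif (in_array($value, $samples, true)
            || stripos($value, 'enter something') === 0) {
            $findings[] = "$key: documentation sample value";
        } elseif (strlen($value) < $min) {
            $findings[] = "$key: shorter than $min characters";
        }
    }
    return $findings;
}

function generateSecret($bytes = 32)
{
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no strong random source available');
    }
    return bin2hex($raw); // 64 hex characters for the default 32 bytes
}

// Constructed input: the two settings with the values shown on this page.
$sample = 'resources.tiqr.session.secret = "0124567abcdefgh"' . "\n"
        . 'constants.TIQRSHIB_LDAP_PASSWORD = "password"' . "\n";

echo implode("\n", auditSecrets($sample)), "\n";
echo 'resources.tiqr.session.secret = "', generateSecret(), "\"\n";
```

Run it against the deployed file with auditSecrets(file_get_contents(...)) before the IdP goes into service.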

(*) The "uid" filter is used for the LDAP search.

If you would like to use a different filter, modify the following occurrences of "uid" to your preference.

In /var/tiqrzenddemo/library/libTiqrShib/tiqrShibLdap.php
In the line $result = $ldap->search('(uid='.$userId.')');
there are two parts to be modified.
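
The search line above places $userId into the filter unchanged, so characters such as * ( ) \ in the user id alter the filter. The following added example (not the tiqrshib source) builds the same filter with the value escaped per RFC 4515; buildUserFilter() and escapeLdapFilterValue() are hypothetical helper names, and the 256-character limit is an assumption.

```php
<?php
// Added example (not the tiqrshib source): build the search filter with the
// user id escaped per RFC 4515 instead of concatenating it unchanged.

/**
 * Escape a value for use inside an LDAP filter assertion.
 * Backslash is replaced first so later escapes are not double-encoded.
 * On PHP >= 5.6, ldap_escape($value, '', LDAP_ESCAPE_FILTER) does the same.
 */
function escapeLdapFilterValue($value)
{
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        (string) $value
    );
}

/**
 * Hypothetical helper: returns "(attribute=escaped-value)".
 * $attribute is the deployment's choice (uid by default) and must come from
 * configuration, never from the request.
 */
function buildUserFilter($userId, $attribute = 'uid')
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attribute)) {
        throw new InvalidArgumentException('invalid LDAP attribute name');
    }
    if (!is_string($userId) || $userId === '' || strlen($userId) > 256) {
        throw new InvalidArgumentException('empty or overlong user id');
    }
    return '(' . $attribute . '=' . escapeLdapFilterValue($userId) . ')';
}

// Constructed inputs: a normal id and ids containing filter metacharacters.
foreach (array('taro', 'ta*', 'taro)(title=*', 'a\\b') as $userId) {
    echo buildUserFilter($userId), "\n";
}
```

In tiqrShibLdap.php the call would then read $result = $ldap->search(buildUserFilter($userId)); with the attribute name passed as the second argument when a filter other than uid is used.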
