This document describes how to install shibbolized Tiqr (Tiqr two-factor authentication integrated with a Shibboleth IdP) in the IdP environment.
A Shibboleth SP is also required on the IdP host, because enrollment of a Tiqr account takes place inside a Shibboleth session with this same IdP (password authentication, through the /TiqrShib SessionInitiator configured below). This SP does not need to join the federation; it only has to communicate with this one IdP. The IdP lists the SP's metadata in its relying-party.xml, and the SP is configured with the IdP's metadata only.
Obtain the source code from the repository. The required components are:

Application | Version | Download Site
---|---|---
Tiqr-library | 1.0.0 |
Tiqr-zendframework | 1.0.0 |
ZendFramework | 1.12.2-minimal |
phpqrcode | 1.1.4 |

The enrollment entry point is https://(FQDN of the IdP server)/TiqrShib/trans.php, which is protected by the /TiqrShib Location in shibd.conf (see below). A "Register" button that sends the user there, for example:

```html
<input style="font:8pt" type="button" value="Register"
       onclick="window.location.href='https://(FQDN of the IdP server)/TiqrShib/trans.php'">
```
Deploy the libraries:

```sh
mkdir /var/www/library
cp -rf tiqr-server-library-1.0.0/library/tiqr /var/www/library/libTiqr
cp -rf tiqr-server-zendframework-1.0.0/library/tiqr-zf /var/www/library/tiqr-zf
cp -rf phpqrcode /var/www/library/phpqrcode
```

Deploy ZendFramework-1.12.1-minimal to /usr/share and give it a version-independent name (use the directory name of the archive you actually unpacked; the table above lists 1.12.2-minimal):

```sh
cd /usr/share
ln -s ZendFramework-1.12.1-minimal ZendFramework
```
Confirm that the following links exist. If not, create them:

```sh
ln -s /var/www/library/libTiqr /var/tiqrzenddemo/library/tiqr
ln -s /var/www/library/phpqrcode /var/tiqrzenddemo/library/phpqrcode
ln -s /var/www/library/tiqr-zf /var/tiqrzenddemo/library/tiqr-zf
ln -s /usr/share/ZendFramework /var/tiqrzenddemo/library/zend
```
(*) If you prefer not to use links, copy the files into both directories instead. In that case the libraries must be stored under /var/tiqrzenddemo/library/, and /var/tiqrzenddemo/public/index.php must be modified as follows:

```php
// Ensure library/ is on include_path
set_include_path(implode(PATH_SEPARATOR, array(
    realpath(APPLICATION_PATH . '/../library/zend/library'),
    realpath(APPLICATION_PATH . '/../library/tiqr'),
    realpath(APPLICATION_PATH . '/../library/tiqr-zf'),
    realpath(APPLICATION_PATH . '/../library/libTiqrShib'),
    get_include_path(),
)));
```
Add the following setting to /etc/php.ini:

```ini
include_path = ".:/usr/share/ZendFramework/library:/var/www/library/libTiqr"
```
The following method has to be added to /usr/share/ZendFramework/library/Zend/View/Helper/Placeholder/Container/Abstract.php:

```php
/**
 * Sort the array by key
 *
 * @return array
 */
public function ksort()
{
    $items = $this->getArrayCopy();
    ksort($items);   // ksort() sorts in place and returns a bool, so return the sorted copy
    return $items;
}
```
tiqr-zf 1.0.0 still refers to the server class as Tiqr_Server, while tiqr-library 1.0.0 names it Tiqr_Service, so the references have to be renamed. In /var/www/library/tiqr-zf/Tiqr/Resource/Tiqr.php, replace

```php
require_once "Tiqr/Server.php";
```

with

```php
require_once "Tiqr/Service.php";
```

In /var/www/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php, replace each Tiqr_Server:: constant with its Tiqr_Service:: counterpart:

```php
case Tiqr_Service::AUTH_RESULT_AUTHENTICATED:      // was Tiqr_Server::AUTH_RESULT_AUTHENTICATED
case Tiqr_Service::AUTH_RESULT_INVALID_CHALLENGE:  // was Tiqr_Server::AUTH_RESULT_INVALID_CHALLENGE
case Tiqr_Service::AUTH_RESULT_INVALID_REQUEST:    // was Tiqr_Server::AUTH_RESULT_INVALID_REQUEST
case Tiqr_Service::AUTH_RESULT_INVALID_RESPONSE:   // was Tiqr_Server::AUTH_RESULT_INVALID_RESPONSE
case Tiqr_Service::AUTH_RESULT_INVALID_USERID:     // was Tiqr_Server::AUTH_RESULT_INVALID_USERID
```
Addition in /var/www/library/libTiqr/Tiqr/Random.php. Add the following at the start of `public static function randomBytes($length)`, so that both variables are initialized before they are used:

```php
$strong = false;
$rnd = "";
```
Modification and addition in /var/tiqrzenddemo/application/configs/application.ini.
Modification part (the lines starting with # show the original values and must be removed; leaving them in causes an error). The hostname, name and logo URL are the author's test values; replace them with your own:

```ini
# resources.tiqr.identifier = "zeus.local"
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
# resources.tiqr.name = "Zeus"
resources.tiqr.name = "vm2"
# resources.tiqr.auth.protocol = "surfauth"
resources.tiqr.auth.protocol = "tiqrauth"
# resources.tiqr.logoUrl = "http://zeus.local/img/surfmedia-logo.png"
resources.tiqr.logoUrl = "https://vm2.peofiamp.nii.ac.jp/icons/GakuNin_logo.png"
# resources.tiqr.session.secret = "enter something truly random here, preferably generated using openssl"
resources.tiqr.session.secret = "0124567abcdefgh"
```

The session secret shown is only a placeholder for this document. Generate your own truly random value with openssl, as the original comment says, and never deploy the example value.
Addition part (add the following under `resources.tiqr.userstorage.path = "/tmp"`):

```ini
resources.tiqr.ocra.suite = "OCRA-1:HOTP-SHA1-6:QH10"
resources.log.stream.writerName = "Stream"
resources.log.stream.writerParams.stream = APPLICATION_PATH "/logs/application_" DATESTAMP ".log"
resources.log.stream.writerParams.mode = "a"
resources.log.stream.filterName = "Priority"
resources.log.stream.filterParams.priority = 7
```

The logs directory (APPLICATION_PATH/logs) must exist and be writable by the web server user. Priority 7 is Zend_Log::DEBUG, which logs everything; use a lower priority in production.
Modification in /var/tiqrzenddemo/application/modules/v1/views/scripts/login/index.phtml (the view helper is named baseUrl; baseURL() is not found on a case-sensitive filesystem):

```php
// $this->headScript()->prependFile($this->baseURL().'/scripts/jquery.js')
$this->headScript()->prependFile($this->baseUrl().'/scripts/jquery.js')
```
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Enroll/Abstract.php (the metadata URL is passed to the view as-is instead of being wrapped by generateEnrollmentURL):

```php
// $this->view->enrollmentURL = $this->_getTiqr()->generateEnrollmentURL($metadataURL);
$this->view->enrollmentURL = $metadataURL;
```
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Login/Abstract.php (the stored user secret is used as-is, without hex-decoding):

```php
//$secret = pack('H*', $this->_getUserSecret($userId));
$secret = $this->_getUserSecret($userId);
```
httpd.conf (add):

```apache
Alias /tiqr/ "/var/tiqrzenddemo/public/"
```
ssl.conf (add; this is the rewrite rule from the application's .htaccess moved into the server configuration: existing files, links and directories are served directly, everything else is routed to the front controller):

```apache
<Location /tiqr>
    RewriteEngine On
    RewriteBase /tiqr
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^.*$ /tiqr/index.php [NC,L]
</Location>
```
Remove the following lines from /var/tiqrzenddemo/public/.htaccess (they are now in ssl.conf):

```apache
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
```
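A pre-flight check for the PHP side of the installation so far, added here as an example; it is not part of tiqr, tiqr-zf or tiqrshib. It verifies that the four library paths under /var/tiqrzenddemo/library resolve, and that resources.tiqr.session.secret in application.ini is present, is not the placeholder value used in this document (nor the library's own reminder text), and is at least 32 characters long; on failure it prints a replacement secret from openssl. The /var/tiqrzenddemo path and the placeholder strings are taken from this document; the script name tiqr_preflight.sh and the function names are assumed.

```sh
#!/bin/sh
# tiqr_preflight.sh (assumed name): added pre-flight check for the PHP side
# of the installation above. It is not part of tiqr, tiqr-zf or tiqrshib.
# Paths and placeholder values are the ones used in this document; set
# TIQR_APP to check a tree installed elsewhere.
TIQR_APP="${TIQR_APP:-/var/tiqrzenddemo}"

# check_links DIR: the four library paths that index.php expects under
# DIR/library must resolve (as symlinks or copies). Returns 1 and names
# each missing path on stderr.
check_links() {
  rc=0
  for d in "$1/library/tiqr" "$1/library/phpqrcode" \
           "$1/library/tiqr-zf" "$1/library/zend"; do
    [ -d "$d" ] || { echo "missing library path: $d" >&2; rc=1; }
  done
  return $rc
}

# ini_value KEY FILE: print the double-quoted value of the last active
# KEY = "..." line in FILE. Lines commented out with # or ; never match,
# so the commented original values shown in this document are ignored.
ini_value() {
  key=$(printf '%s' "$1" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# check_secret FILE: resources.tiqr.session.secret must be present, must not
# be the placeholder from this document (or the library's own reminder text),
# and must be at least 32 characters, i.e. what "openssl rand -hex 16" or
# longer produces. Returns 0 only when all three hold.
check_secret() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  secret=$(ini_value resources.tiqr.session.secret "$1")
  case "$secret" in
    ""|0124567abcdefgh|"enter something truly random"*)
      echo "session secret is unset or still a placeholder" >&2
      return 1 ;;
  esac
  if [ "${#secret}" -lt 32 ]; then
    echo "session secret is only ${#secret} characters long" >&2
    return 1
  fi
  return 0
}

# new_secret: print a fresh 64-hex-character value for session.secret.
new_secret() { openssl rand -hex 32; }

main() {
  ok=0
  check_links "$TIQR_APP" || ok=1
  check_secret "$1" || ok=1
  if [ "$ok" -eq 0 ]; then
    echo "pre-flight OK"
  else
    echo "pre-flight FAILED; a usable replacement secret: $(new_secret)" >&2
  fi
  return $ok
}

# Usage: sh tiqr_preflight.sh /var/tiqrzenddemo/application/configs/application.ini
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it once after editing application.ini and again after any redeployment; the link check catches a copy that replaced a symlink with an empty directory, and the secret check fails closed when the key is missing altogether.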
Generate tiqrshibAuthn.class by compiling tiqrshibAuthn.java and copy the class file to /usr/java/tomcat/webapps/idp/WEB-INF/classes/.
The following is an example of the compiler options (the jar paths refer to the unpacked IdP 2.3.0 distribution; adjust them to your installation):

```sh
IDPLIB=/root/shibIdP230/shibboleth-identityprovider-2.3.0/lib
javac -classpath /usr/java/tomcat/lib/servlet-api.jar:\
$IDPLIB/shibboleth-common-1.3.0.jar:\
$IDPLIB/shibboleth-identityprovider-2.3.0.jar:\
$IDPLIB/shibboleth-jce-1.1.0.jar:\
$IDPLIB/slf4j-api-1.6.1.jar:\
$IDPLIB/openws-1.4.2.jar:\
$IDPLIB/xmltooling-1.3.2.jar \
tiqrshibAuthn.java
```
Configuration of web.xml and handler.xml
(*) In handler.xml the UsernamePassword handler must remain. That is, do not comment it out; the TiqrShib handler is added as an additional handler.
Modification in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml:

```xml
<!-- Servlet protected by container used for TiqrShib authentication -->
<servlet>
    <servlet-name>TiqrShibAuthHandler</servlet-name>
    <servlet-class>tiqrshibAuthn</servlet-class>
    <init-param>
        <param-name>authnMethod</param-name>
        <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>TiqrShibAuthHandler</servlet-name>
    <url-pattern>/Authn/TiqrShib</url-pattern>
</servlet-mapping>
```
Modification in handler.xml of the Shibboleth IdP (an ExternalAuthn login handler that hands off to the servlet above and advertises MobileTwoFactorContract):

```xml
<ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="/Authn/TiqrShib">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ph:AuthenticationMethod>
</ph:LoginHandler>
```
Make the Username/Password handler the default handler.
Addition in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml:

```xml
<!-- Servlet for doing Username/Password authentication -->
<servlet>
    <servlet-name>UsernamePasswordAuthHandler</servlet-name>
    <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class>
    <init-param>
        <param-name>authnMethod</param-name>
        <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>
```
Configuration in relying-party.xml (replace "(IdP server)" with your IdP's hostname; defaultAuthenticationMethod selects the password handler whenever an SP does not request a specific authentication context):

```xml
<rp:DefaultRelyingParty provider="https://(IdP server)/idp/shibboleth"
                        defaultSigningCredentialRef="IdPCredential"
                        defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
```
Add a SessionInitiator in shibboleth2.xml (the entityID shown is the author's test IdP; use your own IdP's entityID). This initiator serves only the enrollment path, so it requests password authentication:

```xml
<!-- Special SessionInitiator for Tiqr!!! -->
<SessionInitiator type="SAML2" Location="/TiqrShib" id="siid1"
                  entityID="https://simptest2.nec.test/idp/shibboleth"
                  template="bindingTemplate.html"
                  authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
```
Addition in /etc/httpd/conf.d/shibd.conf (the enrollment path requires a session established through the siid1 initiator above, i.e. one where the user authenticated with a password):

```apache
<Location /TiqrShib>
    AuthType shibboleth
    ShibRequestSetting requireSessionWith siid1
    require valid-user
</Location>
```
Add authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" to the default (Chaining) SessionInitiator, so that ordinary logins request Tiqr authentication (replace "(DS server)" with your discovery service hostname):

```xml
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="tiqrshiblogin"
                  authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="SAMLDS" URL="https://(DS server)/ds/WAYF"/>
</SessionInitiator>
```
Initial value setting in application/Bootstrap.php:

```php
<?php
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    // retrieve tiqrshib constants
    protected function _initConstants()
    {
        $options = $this->getOption('constants');
        if (is_array($options)) {
            foreach ($options as $key => $value) {
                if (!defined($key)) {
                    define($key, $value);
                }
            }
        }
    }

    protected function _initLogger()
    {
        $this->bootstrap("log");
        $logger = $this->getResource("log");
        Zend_Registry::set("logger", $logger);
    }
}
```

(*) The _initLogger method above is required because the tiqrshib code writes log output through the logger registered here.
Modification in /var/tiqrzenddemo/application/configs/application.ini:

```ini
resources.tiqr.identifier = "vm2.peofiamp.nii.ac.jp"
; replace with your server's FQDN
resources.tiqr.name = "vm2"
; name of the Tiqr server (displayed in the app)
resources.tiqr.logoUrl = "https://vm2.peofiamp.nii.ac.jp/icons/gakunin-logo.png"
; logo displayed in the app: a PNG of about 5 KB; one of about 100 KB takes a long time to load in the app
constants.TIQRSHIB_DOMAIN = "nii.ac.jp"
; security domain of the eppn sent by the IdP
; the LDAP settings below must match those in attribute-resolver.xml
constants.TIQRSHIB_LDAP_HOST = "localhost"
constants.TIQRSHIB_LDAP_PORT = "389"
constants.TIQRSHIB_LDAP_BASEDN = "o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_BINDREQUIRESDN = "true"
constants.TIQRSHIB_LDAP_USERNAME = "cn=Manager,o=test_o,dc=ac,c=JP"
constants.TIQRSHIB_LDAP_PASSWORD = "password"
```

The bind DN and password above are test values. application.ini holds the LDAP credentials in clear text, so restrict its read permissions to the web server user, and use a read-only service account rather than the directory manager for the uid lookup.
(*) The LDAP search filters on "uid". If your directory uses an attribute other than uid, change "uid" in the line

```php
$result = $ldap->search('(uid='.$userId.')');
```

(two occurrences) in /var/tiqrzenddemo/library/libTiqrShib/tiqrShibLdap.php. Note that this line splices $userId into the filter without escaping; escape the value before inserting it, so that a user ID containing *, ( or ) cannot widen the search beyond one entry.
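Because the filter above is built by string concatenation, a user ID that contains LDAP filter metacharacters changes the meaning of the search. The following script is an added illustration, not code from tiqrshib: it builds the filter the way the PHP line does and the way a filter builder does (in Zend Framework 1, Zend_Ldap_Filter::equals('uid', $userId) applies this RFC 4515 escaping for you), and classifies the result. The function names and the sample user IDs are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration (not code from tiqrshib) of the "(uid=...)" filter
# that tiqrShibLdap.php builds, and of RFC 4515 escaping of the user ID.
# NUL bytes cannot be carried in shell strings, so only backslash, *, (
# and ) are handled here; that is enough to show the problem.

# ldap_escape VALUE: escape the characters RFC 4515 reserves in an
# assertion value. Backslash goes first so the escapes introduced here
# are not escaped a second time.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# uid_filter_raw USERID: the filter exactly as string concatenation builds it.
uid_filter_raw() { printf '(uid=%s)' "$1"; }

# uid_filter_safe USERID: the same filter with the value escaped, which is
# what a filter builder such as Zend_Ldap_Filter::equals produces.
uid_filter_safe() { printf '(uid=%s)' "$(ldap_escape "$1")"; }

# is_exact_uid_filter FILTER: returns 0 if FILTER can only match one literal
# uid value, 1 if it contains an unescaped wildcard or extra parentheses.
# An escaped value such as "\2a" contains no "*", so it passes.
is_exact_uid_filter() {
  inner=${1#"(uid="}
  inner=${inner%")"}
  case "$inner" in
    *\**|*\(*|*\)*) return 1 ;;
  esac
  return 0
}

# Constructed examples: a wildcard user ID turns the lookup into "everyone",
# and a value with parentheses rewrites the filter structure.
#   uid_filter_raw  '*'                    -> (uid=*)
#   uid_filter_safe '*'                    -> (uid=\2a)
#   uid_filter_raw  'alice)(objectClass=*' -> (uid=alice)(objectClass=*)
if [ "$#" -ge 1 ]; then
  for u in "$@"; do
    printf 'raw:  %s\nsafe: %s\n' "$(uid_filter_raw "$u")" "$(uid_filter_safe "$u")"
  done
fi
```

Run it with one or more user IDs as arguments to see both forms side by side. The same escaping is what the PHP side must apply, whether the user ID arrives as the eppn from the IdP session during enrollment or from the Tiqr app's response during login.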