Following document instructs how to install shibbolized Tiqr in the IdP environment. You don't have to hack the IdP itself. It works as an external login handler. Please feel free to contact us (tiqr at meatmail.jp) if you have any difficulty while installing this.
In order to connect tiqr and shibboleth accounts, this shibbolized tiqr utilizes "title" and "street" attributes in the LDAP, each of which corresponds to "isActive" and "secret" values of Tiqr, respectively. Please modify these attributes appropriately depending on your environment. You can realize it by changing /var/tiqrzenddemo/library/tiqrShibLdap.php |
SP function is required when Tiqr account will enroll in the IdP. This SP does not need to join to the federation but only need to communicate with the IdP. The IdP includes the SP's metadata in its relying-party.xml. Installed SP also includes the IdP's metadata solely.
Checkout the source code from the repository then,
svn co https://forge.gakunin.nii.ac.jp/svn/tiqrshib/trunk tiqrshib |
// for under php5.2 ini_set('session.cookie_httponly', 1); setcookie($cookieName, $value, $timeout, $cookiepath, "", TRUE); // for php5.2 over //setcookie($cookieName, $value, $timeout, $cookiepath, "", TRUE, TRUE); |
<input style="font:8pt" type=button value="Register" onclick="window.location.href='https://(FQDN of the IdP server)/TiqrShib/trans.php'"> |
Application |
Version |
Download Site |
---|---|---|
Tiqr-server-library |
1.0.0 |
|
Tiqr-server-zendframework |
1.0.0 |
|
ZendFramework |
1.12.3-minimal |
|
phpqrcode |
1.1.4 |
mkdir /var/www/library cp -rp tiqr-server-library-1.0.0/library/tiqr /var/www/library/libTiqr cp -rp tiqr-server-zendframework-1.0.0/library/tiqr-zf /var/www/library/ cp -rp phpqrcode /var/www/library/ cp -rp ZendFramework-1.12.3-minimal /usr/share/ ln -s ZendFramework-1.12.3-minimal ZendFramework |
Confirm the following links. If not provide soft links as follows.
ln -s /var/www/library/libTiqr /var/tiqrzenddemo/library/tiqr ln -s /var/www/library/phpqrcode /var/tiqrzenddemo/library/phpqrcode ln -s /var/www/library/tiqr-zf /var/tiqrzenddemo/library/tiqr-zf ln -s /usr/share/ZendFramework /var/tiqrzenddemo/library/zend |
(*) If you don't like the link, you can copy the files in both directory.
In that case, the libraries should be stored in /var/tiqrzenddemo/library/ . Following modification also required in /var/tiqrzenddemo/public/index.php
// Ensure library/ is on include_path set_include_path(implode(PATH_SEPARATOR, array( realpath(APPLICATION_PATH . '/../library/zend/library'), realpath(APPLICATION_PATH . '/../library/tiqr'), realpath(APPLICATION_PATH . '/../library/tiqr-zf'), realpath(APPLICATION_PATH . '/../library/libTiqrShib'), get_include_path(), ))); |
Include the following configuration in /etc/php.ini
include_path = ".:/usr/share/ZendFramework/library:/var/www/library/libTiqr" |
Following function have to be added in /usr/share/ZendFramework/library/Zend/View/Helper/Placeholder/Container/Abstract.php
/** * Sort the array by key * * @return array */ public function ksort() { $items = $this->getArrayCopy(); return ksort($items); } |
Modification in /var/www/library/tiqr-zf/Tiqr/Resource/Tiqr.php
Some of the bugs seems to be fixed in the trunk version. |
# require_once "Tiqr/Server.php"; require_once "Tiqr/Service.php"; |
Modification in /var/www/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php
# case Tiqr_Server::AUTH_RESULT_AUTHENTICATED: case Tiqr_Service::AUTH_RESULT_AUTHENTICATED: # case Tiqr_Server::AUTH_RESULT_INVALID_CHALLENGE: case Tiqr_Service::AUTH_RESULT_INVALID_CHALLENGE: # case Tiqr_Server::AUTH_RESULT_INVALID_REQUEST: case Tiqr_Service::AUTH_RESULT_INVALID_REQUEST: # case Tiqr_Server::AUTH_RESULT_INVALID_RESPONSE: case Tiqr_Service::AUTH_RESULT_INVALID_RESPONSE: # case Tiqr_Server::AUTH_RESULT_INVALID_USERID: case Tiqr_Service::AUTH_RESULT_INVALID_USERID: |
Addition in /var/www/library/libTiqr/Tiqr/Random.php
(Add following statement under the "public static function randomBytes($length)", just before the "if" function.) $strong = false; $rnd = ""; |
Modification in /var/tiqrzenddemo/application/configs/application.ini (modify these parameters depending on your environments)
resources.tiqr.identifier = "idp.gakunin.nii.ac.jp" resources.tiqr.name = "gakunin-test-tiqr" resources.tiqr.logoUrl = "https://openidp.nii.ac.jp/images/gakunin-logo.png" resources.tiqr.session.secret = "enter something truly random here, preferably generated using openssl" |
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Enroll/Abstract.php
# $this->view->enrollmentURL = $this->_getTiqr()->generateEnrollmentURL($metadataURL); $this->view->enrollmentURL = $metadataURL; |
Modification in /var/tiqrzenddemo/library/tiqr-zf/Tiqr/Controller/Login/Abstract.php
//$secret = pack('H*', $this->_getUserSecret($userId)); $secret = $this->_getUserSecret($userId); |
httpd.conf (Add)
Alias /tiqr/ "/var/tiqrzenddemo/public/" Alias /tiqrenroll/ "/var/www/html/tiqrenroll/" |
ssl.conf (Add)
<Location /tiqr> RewriteEngine On RewriteBase /tiqr RewriteCond %{REQUEST_FILENAME} -s [OR] RewriteCond %{REQUEST_FILENAME} -l [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^.*$ - [NC,L] RewriteRule ^.*$ /tiqr/index.php [NC,L] </Location> |
Generate tiqrshibAuthn.class by compiling the tiqrshibAuthn.java
Copy the class file into /usr/java/tomcat/webapps/idp/WEB-INF/classes/
Following is an example of compiling option.
javac -classpath /usr/java/tomcat/lib/servlet-api.jar:/opt/shibboleth-idp/lib/shibboleth-common-1.3.2.jar:/opt/shibboleth-idp/lib/shibboleth-identityprovider-2.3.2.jar:/opt/shibboleth-idp/lib/shibboleth-jce-1.1.0.jar:/opt/shibboleth-idp/lib/slf4j-api-1.6.1.jar:/opt/shibboleth-idp/lib/openws-1.4.2.jar:/opt/shibboleth-idp/lib/xmltooling-1.3.2.jar tiqrshibAuthn.java |
Configuration of web.xml and handler.xml
(*) In the handler.xml configuration, UserPassword handler should remain. That is, UserPassword handler should not be commented out and following TiqrShib handler should be added as a new handler.
Modification in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
<!-- Servlet protected by container used for TiqrShib authentication --> <servlet> <servlet-name>TiqrShibAuthHandler</servlet-name> <servlet-class>tiqrshibAuthn</servlet-class> <init-param> <param-name>authnMethod</param-name> <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</param-value> </init-param> <load-on-startup>3</load-on-startup> </servlet> <servlet-mapping> <servlet-name>TiqrShibAuthHandler</servlet-name> <url-pattern>/Authn/TiqrShib</url-pattern> </servlet-mapping> |
Modification in handler.xml of shibboleth IdP
<ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="/Authn/TiqrShib" > <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</ph:AuthenticationMethod> </ph:LoginHandler> |
Make Username/PasswordHandler as default handler
Addition in /usr/java/tomcat/webapps/idp/WEB-INF/web.xml
<!-- Servlet for doing Username/Password authentication --> <servlet> <servlet-name>UsernamePasswordAuthHandler</servlet-name> <servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet</servlet-class> <init-param> <param-name>authnMethod</param-name> <param-value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</param-value> </init-param> <load-on-startup>3</load-on-startup> </servlet> |
Configuration in relying-party.xml
<rp:DefaultRelyingParty provider="https://IDP SERVER/idp/shibboleth" defaultSigningCredentialRef="IdPCredential" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"> |
Add SessionInitiator in shibboleth2.xml
<!-- Special SessionInitiator for Tiqr!!! --> <SessionInitiator type="SAML2" Location="/TiqrShib" id="siid1" entityID="https://IDP-SERVER-FQDN/idp/shibboleth" template="bindingTemplate.html" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> |
Addition in /etc/httpd/conf.d/shibd.conf
Alias /TiqrShib/ "/var/www/html/TiqrShib/" <Location /TiqrShib> AuthType shibboleth ShibRequestSetting requireSessionWith siid1 require valid-user </Location> |
Add ="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" in SessionInitiator
<SessionInitiator type="Chaining" Location="/DS" isDefault="true" id="tiqrshiblogin" authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"> <SessionInitiator type="SAML2" template="bindingTemplate.html"/> <SessionInitiator type="Shib1"/> <SessionInitiator type="SAMLDS" URL="https://DS SERVER/ds/WAYF"/> </SessionInitiator> |
Modification in /var/tiqrzenddemo/application/config/application.ini
resources.tiqr.identifier = "tiqr.nii.ac.jp" ↑replace as your server FQDN resources.tiqr.name = "vm2" ↑server name of Tiqr (it will be appeared in the application) resources.tiqr.logoUrl = "https://tiqr.nii.ac.jp/icons/gakunin-logo.png" ↑logo file appeared in the application. 5KB is better. Over 100KB file takes long time to load it. constants.TIQRSHIB_DOMAIN = "nii.ac.jp" ↑eppn security domain of the IdP ↓Following LDAP configuration is same with attribute-resolver.xml constants.TIQRSHIB_LDAP_HOST = "localhost" constants.TIQRSHIB_LDAP_PORT = "389" constants.TIQRSHIB_LDAP_BASEDN = "o=test_o,dc=ac,c=JP" constants.TIQRSHIB_LDAP_BINDREQUIRESDN = "true" constants.TIQRSHIB_LDAP_USERNAME = "cn=Manager,o=test_o,dc=ac,c=JP" constants.TIQRSHIB_LDAP_PASSWORD = "password" |
(*) "uid" filter is utilized for LDAP search
If you would like to use the different filter, please modify the following 'uid"s to your preference.
In /var/tiqrzenddemo/library/libTiqrShib/tiqrShibLdap.php
In the line of $result = $ldap->search('(uid='.$userId.')');
there are two parts to be modified.
In order to connect tiqr and shibboleth accounts, this shibbolized tiqr utilizes "title" and "street" attributes in the LDAP, each of which corresponds to "isActive" and "secret" values of Tiqr, respectively. Plase modify these attribute appropriately for your environment. You can realize it by chaning /var/tiqrzenddemo/library/tiqrShibLdap.php |