Shibboleth IdP 3に関する情報をまとめているページです。
| OS | Java | Servlet | IdP |
|---|---|---|---|
| CentOS 6.5 | OpenJDK 7 (CentOS 6.5付属) | Apache Tomcat 7.0.62 | Shibboleth IdP 3.1.1 |
| CentOS 6.5 | Oracle Java 8u45 + JCE Unlimited Strength Jurisdiction Policy Files | Apache Tomcat 8.0.23 | Shibboleth IdP 3.1.1 |
学認メタデータの読み込みはmetadata-providers.xmlで設定します。
metadata-providers.xml
<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/gakunin-metadata-backing.xml"
metadataURL="https://metadata.gakunin.nii.ac.jp/gakunin-metadata.xml">
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P15D" />
<MetadataFilter xsi:type="SignatureValidation"
requireSignedMetadata="true"
certificateFile="%{idp.home}/credentials/gakunin-signer-2010.cer"/>
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider> |
Shibboleth IdP 3からは、LDAPモジュールを用いたJAASによるパスワード認証に加えて、直接LDAPを参照するパスワード認証が追加さえました。
ldap.properties
参照するLDAPにあわせて、Connection properties, SSL configuration, Search DN resolutionのプロパティを設定します。
## Connection properties ##
idp.authn.LDAP.ldapURL = ldap://localhost
idp.authn.LDAP.useStartTLS = false
#idp.authn.LDAP.useSSL = false
#idp.authn.LDAP.connectTimeout = 3000
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = ou=shiken-idp1,ou=gakunin,dc=nii,dc=ac,dc=jp
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN =
idp.authn.LDAP.bindDNCredential = |
//saml2:Subject/saml2:NameIDはattribute-filter.xmlに記述しなくてもsaml-nameid.propertiesとsaml-nameid.xmlの設定により、SPメタデータの<NameIDFormat>に従って下記の通り送信します。
SPメタデータの<NameIDFormat>の値 | 送信する属性 | |
|---|---|---|
urn:oasis:names:tc:SAML:2.0:nameid-format:transient | transient-id | |
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | persistent-id
| |
<NameIDFormat>がない |
|
<NameIDFormat>がないSPの場合と<NameIDFormat>がurn:oasis:names:tc:SAML:2.0:nameid-format:persistentの場合の//saml2:Subject/saml2:NameIDの例を下記に示す。
<NameIDFormat>がないSPの場合
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.ac.jp/idp/shibboleth"
SPNameQualifier="https://sp1.example.jp/shibboleth-sp">AAdzZWNyZXQxgUnobM3/AN3fn8DfZPDqBp/GnKNxc5JR4nxXAxDAXZZSg0AZSrDh1Sip1fl9JGYrm2NWjl8zHKxHmbsgS/mFZ1ZlSYQ2U/Kz7tCQ+SDswixwLRcGg3tDvVSAY8imKSrElGWSm5gMM45D4rkeQONJYr7gQZ13</saml2:NameID> |
<NameIDFormat>がurn:oasis:names:tc:SAML:2.0:nameid-format:persistentの場合
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="https://idp.example.ac.jp/idp/shibboleth"
SPNameQualifier="https://sp2.example.jp/shibboleth-sp">oiUiApwGnBP8pS3HZJ02ZW/aOTI=</saml2:NameID> |
transient-idのデフォルトはCryptoTransientに変更になりました。CryptoTransientの使用例を下記に示します。
IdP 2系と同じ短いTransientを使いたい場合は下記の変更を行います。
saml-nameid.propertiesidp.transientId.generatorをアンコメントして、値をshibboleth.StoredTransientIdGeneratorに変更します。
# Set to shibboleth.StoredTransientIdGenerator for server-side storage idp.transientId.generator = shibboleth.StoredTransientIdGenerator |
Transientの使用例を下記に示します。
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.example.ac.jp/idp/shibboleth"
SPNameQualifier="https://sp1.example.jp/shibboleth-sp">_f358fb015b9b45c7d18a4a2647e79c33</saml2:NameID>
|
computedIdでの設定を下記に示します。
saml-nameid.xml<ref bean="shibboleth.SAML2PersistentGenerator" /> をアンコメントして有効にします。
<!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- --> |
saml-nameid.propertiesidp.persistentId.generatorのデフォルトはComputedIdの設定のため、idp.persistentId.sourceAttributeとidp.persistentId.saltのみを設定します。
# Set to shibboleth.StoredPersistentIdGenerator for db-backed storage # and uncomment/name the PersistentIdStore bean to use #idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator # Otherwise for computed PersistentIDs set the source attribute and salt. idp.persistentId.sourceAttribute = uid4persistentId idp.persistentId.salt = changethistosomethingrandom |
attribute-resolver.xmlとattribute-filter.xmlidp.persistentId.sourceAttributeの値をattribute-resolver.xmlの//resolver:AttributeDefinitionで定義して、attribute-filter.xmlで送信設定を行います。
<!-- ========================================== -->
<!-- PersistentId Definition -->
<!-- ========================================== -->
<!-- Attribute Definition for %{idp.persistentId.sourceAttribute} -->
<resolver:AttributeDefinition id="%{idp.persistentId.sourceAttribute}" xsi:type="ad:Simple"
sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition> |
<!-- Release to anyone -->
<afp:AttributeFilterPolicy id="PolicyforAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY" />
<afp:AttributeRule attributeID="%{idp.persistentId.sourceAttribute}">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
storedIdでの設定を下記に示します。
saml-nameid.xml<ref bean="shibboleth.SAML2PersistentGenerator" /> をアンコメントして有効にします。
<!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- --> |
saml-nameid.propertiesidp.persistentId.generator, idp.persistentId.store, idp.persistentId.sourceAttributeとidp.persistentId.saltを設定します。
# Set to shibboleth.StoredPersistentIdGenerator for db-backed storage # and uncomment/name the PersistentIdStore bean to use idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator idp.persistentId.store = PersistentIdStore # Set this to null to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator # Otherwise for computed PersistentIDs set the source attribute and salt. idp.persistentId.sourceAttribute = uid4ppersistentId idp.persistentId.salt = changethistosomethingrandom |
global.xml
idp.persistentId.storeの値をglobal.xmlの//beanで定義します。
<!-- Use this file to define any custom beans needed globally. -->
<bean id="shibboleth.MySQLDataSource"
class="org.apache.tomcat.dbcp.dbcp.BasicDataSource"
p:driverClassName="com.mysql.jdbc.Driver"
p:url="jdbc:mysql://localhost:3306/shibboleth"
p:username="username"
p:password="password"
p:maxActive="10"
p:maxIdle="5"
p:maxWait="15000"
p:testOnBorrow="true"
p:validationQuery="select 1"
p:validationQueryTimeout="5" />
<bean id="PersistentIdStore"
class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore"
p:dataSource-ref="shibboleth.MySQLDataSource" /> |
<!-- Use this file to define any custom beans needed globally. -->
<bean id="shibboleth.MySQLDataSource"
class="org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
p:driverClassName="com.mysql.jdbc.Driver"
p:url="jdbc:mysql://localhost:3306/shibboleth"
p:username="username"
p:password="password"
p:maxIdle="5"
p:testOnBorrow="true"
p:validationQuery="select 1"
p:validationQueryTimeout="5" />
<bean id="PersistentIdStore"
class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore"
p:dataSource-ref="shibboleth.MySQLDataSource" /> |
Tomcat 8の場合に、 |
attribute-resolver.xmlとattribute-filter.xmlidp.persistentId.sourceAttributeの値をattribute-resolver.xmlの//resolver:AttributeDefinitionで定義して、attribute-filter.xmlで送信設定を行います。
<!-- ========================================== -->
<!-- PersistentId Definition -->
<!-- ========================================== -->
<!-- Attribute Definition for %{idp.persistentId.sourceAttribute} -->
<resolver:AttributeDefinition id="%{idp.persistentId.sourceAttribute}" xsi:type="ad:Simple"
sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition> |
<!-- Release to anyone -->
<afp:AttributeFilterPolicy id="PolicyforAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY" />
<afp:AttributeRule attributeID="%{idp.persistentId.sourceAttribute}">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
//saml2:Subject/saml2:NameIDとは別に//saml2:AttributeStatement/saml2:Attribute[@FriendlyName="eduPersonTargetedID"]としてeduPersonTargetedId属性を送信する設定は下記の通りです。
なお、この機能はShibboleth IdP 3ではDeprecated Featuresとなっています。
computedIdでの設定を下記に示します。Shibboleth IdP 2と同じ設定で送信可能です。
attribute-resolver.xml
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!-- Schema: eduPerson attributes -->
<!-- Attribute Definition for eduPersonTargetedID -->
<resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
sourceAttributeID="computedID">
<resolver:Dependency ref="computedID" />
<resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
<resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Computed targeted ID connector -->
<resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="computedID"
generatedAttributeID="computedID"
sourceAttributeID="uid"
salt="changethistosomethingrandom">
<resolver:Dependency ref="myLDAP" />
</resolver:DataConnector> |
attribute-filter.xml
<!-- Release to sp.example.jp -->
<afp:AttributeFilterPolicy id="PolicyforSP1ExampleJP">
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.jp/shibboleth-sp" />
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
attribute-resolver.xmlのData ConnectorはShibboleth IdP 3の機能を用いて、persistent-idの設定で定義したsaml-nameid.propertiesのプロパティを使って書くこともできます。
attribute-resolver.xml
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Computed targeted ID connector -->
<resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="computedID"
generatedAttributeID="computedID"
sourceAttributeID="%{idp.persistentId.sourceAttribute}"
salt="changethistosomethingrandom">
<!--
salt="%{idp.persistentId.salt}">
-->
<resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
</resolver:DataConnector> |
Shibboleth IdP 3.1.1では、 |
storedIdでの設定を下記に示します。Shibboleth IdP 2と同じ設定で送信可能です。
attribute-resolver.xml
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->
<!-- Schema: eduPerson attributes -->
<!-- Attribute Definition for eduPersonTargetedID -->
<resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
sourceAttributeID="computedID">
<resolver:Dependency ref="computedID" />
<resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
<resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Stored targeted ID connector -->
<resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="storedID"
generatedAttributeID="storedID"
sourceAttributeID="uid"
salt="changethistosomethingrandom">
<resolver:Dependency ref="myLDAP" />
<ApplicationManagedConnection jdbcDriver="com.mysql.jdbc.Driver"
jdbcURL="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
jdbcUserName="username"
jdbcPassword="password" />
</resolver:DataConnector> |
attribute-filter.xml
<!-- Release to sp.example.jp -->
<afp:AttributeFilterPolicy id="PolicyforSP1ExampleJP">
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.jp/shibboleth-sp" />
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy> |
attribute-resolver.xmlのData ConnectorはShibboleth IdP 3の機能を用いて、persistent-id の設定で定義したglobal.xmlのbeanとsaml-nameid.propertiesのプロパティを使って書くこともできます。
attribute-resolver.xml
<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->
<!-- Stored targeted ID connector -->
<resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="storedID"
generatedAttributeID="storedID"
sourceAttributeID="%{idp.persistentId.sourceAttribute}"
salt="changethistosomethingrandom">
<!--
salt="%{idp.persistentId.salt}">
-->
<resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
<BeanManagedConnection>shibboleth.MySQLDataSource</BeanManagedConnection>
</resolver:DataConnector> |
Shibboleth IdP 3.1.1では、 |