Иди на текст

Instalacija Davaoca Identiteta (Shibboleth IdP 4.2.1) - CentOS

Priprema pred instalaciju

Podesiti IP TABLES

Najpre je potrebno onemogućiti firewalld servis, ukoliko već nije. 

systemctl stop firewalld

systemctl mask firewalld

Potrebno je instalirati iptables-services softverski paket i omogućiti iptables proces, ukoliko već nije. 

yum install iptables-services

systemctl enable iptables

Otvoriti portove 80 (HTTP) i 443 (HTTPS)

Jedna od mogućnosti kako se to može uraditi: 
vim /etc/sysconfig/iptables

Otvoriti port 80 i 443 dodavanjem sledećih linija u fajl:

-A INPUT -s xxx.xxx.xxx.xxx/255.255.255.xxx -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/255.255.255.xxx -p tcp -m tcp --dport 443 -j ACCEPT

Napomena: Navedene linije je potrebno uneti bavezno iznad linije: -A INPUT -j REJECT --reject-with icmp-host-prohibited

Sačuvati izmene:

iptables-restore < /etc/sysconfig/iptables

iptables-save

systemctl restart iptables

iptables -L

Podesiti hosta

U okviru čitavog uputstva smatraće se da je domen VM idp.institucija.ac.rs, tako da na svim mestima umesto ovog naziva domena potrebno je da unesete naziv po vašem izboru.

Veoma je važno da pun hostname (# hostname -f) ove VM, npr. idp.institucija.ac.rs, koji se podešava u okviru ove sekcije bude isti kao i domen koji je adekvatno podešen na DNS serveru, a taj domen će se takođe kasnije koristiti za kreiranje sertifikata.

Podešavanje host podataka

Dat je primer postavljanja idp.institucija.ac.rs kao FQDN (Full Qualified Domain Name) podatka, koji je potrebno zameniti FQDN podatkom Vašeg Davaoca Identiteta, kao i postavljanja HOSTNAME podatka: idp, koji je potrebno zameniti hostname podatkom Vašeg Davaoca Identiteta.

vim /etc/hosts

Na kraju fajla se unosi linija u formi: IP ADRESA FQDN HOSTNAME Npr:

xxx.xxx.xxx.xxx idp.institucija.ac.rs idp
Postaviti hostname

Koristi se komanda sledeće forme: hostnamectl set-hostname HOSTNAME 

hostnamectl set-hostname idp
Sačuvati izmene:

reboot

Onemogućiti SElinux

Provera statusa:

sestatus
Jedna od mogućnosti kako se to može uraditi:

Otoriti fajl /etc/selinux/config i promeniti vrednost iz SELINUX=enforcing u SELINUX=disabled.

vim /etc/selinux/config


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Sačuvati izmene:

reboot

Hardverski zahtevi

Hardverski zahtevi:
  • CPU: 2 Core (64 bit)
  • RAM: 4 GB
  • HDD: 20 GB
  • OS: Centos 7

Softver koji će biti instaliran

Softver koji će biti instaliran:
  • ca-certificates
  • chrony
  • vim
  • Amazon Corretto 11 JDK
  • jetty 9.4.x
  • apache2 (>= 2.4)
  • openssl
  • tar
  • wget

Ažurirati instalirane pakete:

yum update ; yum upgrade -y

Instalirati potrebne pakete:

yum install -y vim wget openssl httpd chrony mod_ssl tar openldap-clients

Instalirati Amazon Corretto JDK:

rpm --import https://yum.corretto.aws/corretto.key

wget https://yum.corretto.aws/corretto.repo -O /etc/yum.repos.d/corretto.repo

yum install -y java-11-amazon-corretto-devel
Provera verzije instaliranog Java paketa: 
java -version

[root@idp ~]# java -version
openjdk version "11.0.16" 2022-07-19 LTS
OpenJDK Runtime Environment Corretto-11.0.16.8.1 (build 11.0.16+8-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.16.8.1 (build 11.0.16+8-LTS, mixed mode)

Aktivirati Chrony proces:

systemctl enable chronyd

Proveriti datum i vreme:

date

Izlistavanje vremenskih zona:

timedatectl list-timezones

Podesiti vremensku zonu:

timedatectl set-timezone Europe/Belgrade

Postaviti varijablu JAVA_HOME:

echo export JAVA_HOME=/usr/lib/jvm/java > /etc/profile.d/javaenv.sh

chmod 0755 /etc/profile.d/javaenv.sh

Instalacija Davaoca Identiteta ( Shibboleth IdP 4.2.1 )

Preuzeti i otpakovati Shibboleth Identity Provider v4.2.1 repozitorijum na lokaciji /usr/local/src:

cd /usr/local/src

wget https://shibboleth.net/downloads/identity-provider/archive/4.2.1/shibboleth-identity-provider-4.2.1.tar.gz

tar -xzf shibboleth-identity-provider-4.2.1.tar.gz

Pokrenuti skriptu za instalaciju:

cd /usr/local/src/shibboleth-identity-provider-4.2.1/bin

bash install.sh -Didp.host.name=$(hostname -f) -Didp.keysize=3072
U procesu instalacije biće ispisana sledeća obaveštenja i biće postavljena pitanja.

Kada se prikažu određene linije koje su markirane bojom u nastavku potrebno je uneti odgovarajuće podatke:

  • Source (Distribution) Directory (press to accept default): [/usr/local/src/shibboleth-identity-provider-4.2.1] ? Klik ENTER
  • Installation Directory: [/opt/shibboleth-idp] ? Klik ENTER
  • Backchannel PKCS12 Password: ###LOZINKA-ZA-BACKCHANNEL###
  • Re-enter password: ###LOZINKA-ZA-BACKCHANNEL###
  • Cookie Encryption Key Password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
  • Re-enter password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
  • SAML EntityID: [https://idp.institucija.ac.rs/idp/shibboleth] ? Klik ENTER
  • Attribute Scope: [institucija.ac.rs] ? Klik ENTER

Objašnjenje za :

  • Backchannel PKCS12 Password: predstavlja lozinku za Backchannel
  • Cookie Encryption Key Password: predstavlja lozinku za enkripciju kolačića
  • Attribute Scope: Scope treba da bude validan domen institucije

Napomena:

Od ovog momenta, promenljiva idp.home odnosi se na direktorijum: /opt/shibboleth-idp

Napravite rezervnu kopiju lozinke ###LOZINKA-ZA-BACKCHANNEL### negde ukoliko Vam zatreba u budućnosti.

Lozinka ###LOZINKA-ZA-COOKIE-ENCRYPTION### će biti sačuvana u fajlu /opt/shibboleth-idp/credentials/secrets.properties kao idp.sealer.storePassword i idp.sealer.keyPassword vrednost.

Buildfile: /usr/local/src/shibboleth-identity-provider-4.2.1/bin/build.xml

install:
Source (Distribution) Directory (press to accept default): [/usr/local/src/shibboleth-identity-provider-4.2.1] ? Klik ENTER

Installation Directory: [/opt/shibboleth-idp] ? Klik ENTER

INFO [net.shibboleth.idp.installer.V4Install:158] - New Install. Version: 4.2.1
INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-signing, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-encryption, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password: ###LOZINKA-ZA-BACKCHANNEL###
Re-enter password: ###LOZINKA-ZA-BACKCHANNEL###
INFO [net.shibboleth.idp.installer.V4Install:644] - Creating backchannel keystore, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
Cookie Encryption Key Password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
Re-enter password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
INFO [net.shibboleth.idp.installer.V4Install:685] - Creating backchannel keystore, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://idp.institucija.ac.rs/idp/shibboleth] ? Klik ENTER

Attribute Scope: [institucija.ac.rs] ?  Klik ENTER

INFO [net.shibboleth.idp.installer.V4Install:474] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.2.1
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 19 seconds

Instalacija Jetty 9 Web Servera

cd /usr/local/src

wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.39.v20210325/jetty-distribution-9.4.39.v20210325.tar.gz

tar xzvf jetty-distribution-9.4.39.v20210325.tar.gz

Kreirati jetty-src folder kao simbolički link. Ovo će biti korisno za ažuriranje Jetty softvera u budućnosti:

ln -nsf jetty-distribution-9.4.39.v20210325 jetty-src

Kreirati jetty korisnika i grupu:

useradd --system --home-dir /usr/local/src/jetty-src --user-group jetty

Podesiti Jetty konfiguraciju koja će da pregazi inicijalnu i koja će da podnese ažuriranje:

mkdir /opt/jetty

wget https://docs.amres.ac.rs/download/shibboleth/start.ini -O /opt/jetty/start.ini

Kreirati /opt/jetty/tmp direktorijum tako da se koristi od strane Jetty softvera:

mkdir /opt/jetty/tmp ; chown jetty:jetty /opt/jetty/tmp

chown -R jetty:jetty /opt/jetty/ /usr/local/src/jetty-src/

Kreirati Jetty Log direktorijume:

mkdir /var/log/jetty

mkdir /opt/jetty/logs

chown jetty:jetty /var/log/jetty/ /opt/jetty/logs/

Preuzeti fajl jetty:

wget https://docs.amres.ac.rs/download/shibboleth/jetty -O /etc/default/jetty

Omogućiti da jetty servis može da se učitava iz komandne linije (loadable):

cd /etc/init.d

ln -s /usr/local/src/jetty-src/bin/jetty.sh jetty

chkconfig --add jetty

systemctl enable jetty

Izveštaj: 

[root@idp init.d]# systemctl enable jetty
jetty.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig jetty on

Proveriti da li je jetty ispravno podešen:

Provera statusa jetty procesa: 

systemctl check jetty
Izveštaj:

inactive

Pokrenuti Jetty proces:

systemctl start jetty

Provera statusa jetty procesa: 

systemctl check jetty
Izveštaj:

active

Konfiguracija Jetty 9 Web Servera

Konfigurisati IdP Context Descriptor. Kreirati direktorijum /opt/jetty/webapps:

mkdir /opt/jetty/webapps

Preuzeti fajl idp.xml:

wget https://docs.amres.ac.rs/download/shibboleth/idp.xml -O /opt/jetty/webapps/idp.xml

Postaviti da vlasnik glavnih direktorijuma Davaoca Identiteta bude jetty:

cd /opt/shibboleth-idp

chown -R jetty logs/ metadata/ credentials/ conf/ war/
Pregled direktorijuma /opt/shibboleth-idp: 
[root@idp shibboleth-idp]# cd /opt/shibboleth-idp
[root@idp shibboleth-idp]# ll
total 8
drwxr-xr-x 3 root root 4096 Jan 30 19:17 bin
drwxr-xr-x 8 jetty root 4096 Jan 30 19:18 conf
drwxr-xr-x 2 jetty root 221 Jan 30 19:18 credentials
drwxr-xr-x 7 root root 103 Jan 30 19:17 dist
drwxr-xr-x 2 root root 171 Jan 30 19:17 doc
drwxr-xr-x 5 root root 46 Jan 30 19:18 edit-webapp
drwxr-xr-x 4 root root 31 Jan 30 19:18 flows
drwxr-xr-x 2 jetty root 99 Jan 30 20:33 logs
drwxr-xr-x 2 root root 33 Jan 30 19:18 messages
drwxr-xr-x 2 jetty root 30 Jan 30 19:18 metadata
drwxr-xr-x 4 root root 207 Jan 30 19:18 views
drwxr-xr-x 2 jetty root 21 Jan 30 19:18 war

Restartovati Jetty servis:

systemctl restart jetty.service

SSL konfiguracija - Apache2 (front-end Jetty)

Kreirati DocumentRoot:

mkdir /var/www/html/$(hostname -f)

chown -R apache: /var/www/html/$(hostname -f)

echo '<h1>It Works!</h1>' > /var/www/html/$(hostname -f)/index.html

wget https://docs.amres.ac.rs/download/shibboleth/000-idp.institucija.ac.rs.conf -O /etc/httpd/conf.d/000-$(hostname -f).conf

Fajl /etc/httpd/conf.d/000-$(hostname -f).conf je potrebno izmeniti. Uneti nazive sertifikata i ključa i podatke o serveru. 

vim /etc/httpd/conf.d/000-$(hostname -f).conf
Fajl /etc/httpd/conf.d/000-$(hostname -f).conf sa svim potrebnim izmenama: 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# This is an example Apache2 configuration for a Shibboleth Identity Provider
# installed with IDEM Tutorials.
#
# Edit this file and:
# - Adjust "idp.example.org" with your IdP Full Qualified Domain Name
# - Adjust "ServerAdmin" email address
# - Adjust "CustomLog" and "ErrorLog" with Apache log files path (there are examples for Debian or CentOS distribution)
# - Adjust "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCACertificateFile" with the correct file path


# SSL general security improvements should be moved in global settings
# OCSP Stapling, only in httpd/apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:80>
   ServerName "idp.institucija.ac.rs"
   Redirect permanent "/" "https://idp.institucija.ac.rs/"
</VirtualHost>

<IfModule mod_ssl.c>
   <VirtualHost _default_:443>
     ServerName idp.institucija.ac.rs:443
     ServerAdmin helpdesk@institucija.ac.rs
     # Debian/Ubuntu
     #CustomLog /var/log/apache2/idp.example.org.log combined
     #ErrorLog /var/log/apache2/idp.example.org-error.log
     # Centos
     CustomLog /var/log/httpd/idp.institucija.ac.rs combined
     ErrorLog /var/log/httpd/idp.institucija.ac.rs-error.log

     DocumentRoot /var/www/html/idp.institucija.ac.rs

     SSLEngine On
     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
     SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

     SSLHonorCipherOrder on

     # Disallow embedding your IdP's login page within an iframe and
     # Enable HTTP Strict Transport Security with a 2 year duration
     <IfModule headers_module>
        Header set X-Frame-Options DENY
        Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
     </IfModule>

     # Debian/Ubuntu
     #SSLCertificateFile /etc/ssl/certs/idp.example.org.crt
     #SSLCertificateKeyFile /etc/ssl/private/idp.example.org.key

     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
     #SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem


     # Centos
     SSLCertificateFile /etc/pki/tls/certs/idp.institucija.ac.rs.crt
     SSLCertificateKeyFile /etc/pki/tls/private/idp.institucija.ac.rs.key

     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
     SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.crt

     <IfModule mod_proxy.c>
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass /idp http://localhost:8080/idp retry=5
        ProxyPassReverse /idp http://localhost:8080/idp retry=5

        <Location /idp>
           Require all granted
        </Location>
     </IfModule>
   </VirtualHost>
</IfModule>

# This virtualhost is only here to handle administrative commands for Shibboleth, executed from localhost
<VirtualHost 127.0.0.1:80>
  ProxyPass /idp http://localhost:8080/idp retry=5
  ProxyPassReverse /idp http://localhost:8080/idp retry=5
  <Location /idp>
    Require all granted
  </Location>
</VirtualHost>

Deaktivirati welcome stranicu:

mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.deactivated

Komercijalni SSL sertifikat

Kreiranje komercijalnog SSL sertifikata i ključa:

Komercijalni sertifikat i ključ treba da budu vrste GÉANT OV SSL koje kreirate po uputstvu:

  • HTTPS Server Certificate (Public Key) - (idp.institucija.ac.rs.crt) u /etc/pki/tls/certs
  • HTTPS Server Key (Private Key) - (idp.institucija.ac.rs.key) u /etc/pki/tls/private

Jedna od mogućnosti kako se to može uraditi:

Preuzme se fajl SCSreq.cnf na lokaciju /etc/pki/tls/private/SCSreq.cnf

wget https://docs.amres.ac.rs/download/shibboleth/SCSreq.cnf -O /etc/pki/tls/private/SCSreq.cnf

Generisati privatni ključ (.key) i zahtev (.csr):

openssl req -new -sha256 -config /etc/pki/tls/private/SCSreq.cnf -utf8 -keyout /etc/pki/tls/private/$(hostname -f).key -out /etc/pki/tls/private/$(hostname -f).csr

Primer postupka kreiranja privatnog ključa i zahteva (koristitli biste drugačiji naziv sertifikata i uneli biste odgovarajuće podatke):

openssl req -new -sha256 -config /etc/pki/tls/private/SCSreq.cnf -utf8 -keyout /etc/pki/tls/private/$(hostname -f).key -out /etc/pki/tls/private/$(hostname -f).csr
Generating a 2048 bit RSA private key
....................+++
....................+++
writing new private key to '/etc/pki/tls/private/idp.institucija.ac.rs.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Oznaka zemlje (2 znaka) [RS]: Klik Enter
Pun naziv drzave []: Klik Enter
Lokacija (mesto) []: Belgrade
Postanski broj []: 11000
Ulica i broj []: Bulevar kralja Aleksandra 90
Zvanični naziv institucije []: Academic network of the Republic of Serbia – AMRES
FQDN adresa servera []: idp.institucija.ac.rs

Zatim generisani zahtev iskorititi za kreiranje sertifikata (javnog ključa) koji treba da bude tipa GÉANT OV SSL

cat /etc/pki/tls/private/$(hostname -f).csr

Na kraju, kreiran komercijalni sertifikat se unosi na lokaciju /etc/pki/tls/certs.

Preuzimanje CA Cert (GEANT_OV_RSA_CA_4.crt) sertifikata:

wget https://docs.amres.ac.rs/download/shibboleth/GEANT_OV_RSA_CA_4.crt -O /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.crt

Dati odgovarajuće privilegije SSL sertifikatu i ključu:

chmod 400 /etc/pki/tls/private/$(hostname -f).key

chmod 644 /etc/pki/tls/certs/$(hostname -f).crt

Zatim treba restartovati httpd proces:

systemctl restart httpd.service

Ukoliko se prikaže greška proverite:

  1. Da li ste kreirali privatni ključ i sertifikat i uneli ga na pravilnu lokaciju?
  2. Da li ste preuzeli GEANT_OV_RSA_CA_4.crt sertifikat?
  3. Da li ste uneli sve potrebne izmene u okviru fajla /etc/httpd/conf.d/000-$(hostname -f).conf?
  4. Da li ste deaktivirali welcome stranicu prema uputstvu?
  5. Da li ste instalirali sav potreban softver prema uputstvu (openssl httpd mod_ssl)?

Proveriti IdP metapodatke, koji su dostupni na linku u formi: https://DOMEN_VM/idp/shibboleth

https://idp.institucija.ac.rs/idp/shibboleth

Konfiguracija skladišta Davaoca Identiteta

Koriščen je princip: HTML lokalno skladište, GCM enkripcija, bez baze podataka i nije potrebno ništa dodatno konfigurisati.

Proveriti status Davaoca Identiteta: 
bash /opt/shibboleth-idp/bin/status.sh

### Operating Environment Information
...

### Identity Provider Information
idp_version: 4.2.1
start_time: 2022-08-12T11:09:52.475Z
current_time: 2022-08-12T11:36:56.577574Z
uptime: PT27M4.102S

enabled modules:
        idp.authn.Password (Password Authentication)
        idp.admin.Hello (Hello World)

installed plugins:

service: shibboleth.LoggingService
last successful reload attempt: 2022-08-12T11:09:47.167353Z
last reload attempt: 2022-08-12T11:09:47.167353Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2022-08-12T11:09:50.785028Z
last reload attempt: 2022-08-12T11:09:50.785028Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2022-08-12T11:09:50.895467Z
last reload attempt: 2022-08-12T11:09:50.895467Z

        No Data Connector has ever failed

service: shibboleth.AttributeRegistryService
last successful reload attempt: 2022-08-12T11:09:50.170925Z
last reload attempt: 2022-08-12T11:09:50.170925Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2022-08-12T11:09:50.978883Z
last reload attempt: 2022-08-12T11:09:50.978883Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2022-08-12T11:09:51.053517Z
last reload attempt: 2022-08-12T11:09:51.053517Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2022-08-12T11:09:50.535193Z
last reload attempt: 2022-08-12T11:09:50.535193Z

        No Metadata Resolver has ever attempted a reload

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2022-08-12T11:09:51.523983Z
last reload attempt: 2022-08-12T11:09:51.523983Z

service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2022-08-12T11:09:51.578849Z
last reload attempt: 2022-08-12T11:09:51.578849Z

service: shibboleth.ManagedBeanService
last successful reload attempt: 2022-08-12T11:09:51.600054Z
last reload attempt: 2022-08-12T11:09:51.600054Z

Integracija sa OpenLDAP bazom podataka

Kreirati sistemski nalog (nalog za monitoring) u OpenLDAP bazi

O tome možete da pročitate u ovom delu uputstva Instalacije i konfiguracije OpenLDAP baze podataka (Debian/Ubuntu) ili ovde (CentOS).

Nakon što kreirate sistemski nalog potrebno je da mu se daju privilegije čitanja (monitoringa) korisničkih naloga u bazi, što se postiže sastavljanjem liste za kontrolu pristupa o čemu možete da pročitate više u ovom delu (Debian/Ubuntu) ili pročitati deo (CentOS) .

Napomena: Ukoliko vam je potrebna konsultacija oko specifičnije liste za kontrolu pristupa kontaktirajte nas na imejl adresu helpdesk@amres.ac.rs.

LDAP sertifikat

Ukoliko se LDAP baza ne nalazi na VM na kojoj se instalira i konfiguriše Shibboleth IdP potrebno je preneti sertifikat baze na ovu VM jer će biti neophodan za ostvarivanje sigurne konekcije sa bazom podataka. Sertifikat se može preneti na lokaciju /etc/openldap/ ili /etc/openldap/certs ili neku vama pogodnu lokaciju. Podatak o lokaciji ovog sertifikata treba da se unese kasnije kao vrednost parametra u fajl /opt/shibboleth-idp/conf/ldap.properties.

Koristi se metoda LDAP + STARTTLS.

Fajl secrets.properties

Fajl secrets.properties

U fajlu secrets.properties je sadržana šifra koja je uneta u procesu instalacije Shibboleth Davaoca Identiteta (idp.sealer.storePassword i idp.sealer.keyPassword).

Izmena fajla secrets.properties :

vim /opt/shibboleth-idp/credentials/secrets.properties

Potrebno je editovati liniju:

idp.authn.LDAP.bindDNCredential = myServicePassword

Tako da se umesto dela myServicePassword unosi lozinka sistemskog naloga koji će povezati IdP sa LDAP bazom podataka i na taj način omogučiti autentifikaciju korisnika iz baze 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = mojalozinka123
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

Fajl ldap.properties

mv /opt/shibboleth-idp/conf/ldap.properties /opt/shibboleth-idp/conf/ldap.properties_default

wget https://docs.amres.ac.rs/download/shibboleth/ldap.properties -O /opt/shibboleth-idp/conf/ldap.properties

U fajl ldap.properties se navode pojedinosti vezane za LDAP bazu sa kojom se IdP povezuje:

idp.authn.LDAP.ldapURL = ldap://<DOMEN VM NA KOJOJ_JE LDAP BAZA> npr. ldap://ldap.institucija.ac.rs

idp.authn.LDAP.trustCertificates = <PUTANJA_DO_LDAP_SERTIFIKATA> npr. /etc/openldap/ldap.institucija.ac.rs.crt

idp.authn.LDAP.baseDN = <DEO LDAP BAZE GDE SU KORISNIČKI NALOZI KOJI SE AUTENTIFIKUJU> npr. ou=people,dc=institucija,dc=ac,dc=rs

idp.authn.LDAP.subtreeSearch = false

idp.authn.LDAP.bindDN = <DN SISTEMSKOG NALOGA> npr. cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs

idp.attribute.resolver.LDAP.exportAttributes = <ATRIBUTI KOJI SE UZIMAJU IZ LDAP BAZE> npr. cn givenName sn mail rsEduPersonAffiliation displayName eduPersonEntitlement rsEduPersonLocalNumber

Napomena:

  • U primeru iznad vrednost parametra idp.authn.LDAP.baseDN je navedena organizaciona jedinica u kojoj se nalaze svi korisnički nalozi koji se autentifikuju. Ukoliko je Vaša baza podataka kreirana tako da su nalozi organizovani u više grana i organizacionih jedinica, vrednost parametra idp.authn.LDAP.baseDN treba da bude koren LDAP stabla, a vrednost parametra idp.authn.LDAP.subtreeSearch treba da bude true
  • eduPersonEntitlement je specijalna vrsta atributa koji se koristi za autorizaciju. Može se koristiti da bi se utvrdilo da li korisnik ima pravo da koristi određeni servis.
  • rsEduPersonAffiliation atribut definiše način na koji je osoba povezana sa institucijom (moguće vrednosti su: student, učenik, nastavni kadar, zaposleni, spoljni saradnik, korisnik usluge, gost).
  • rsEduPersonLocalNumber atribut predstavlja lokalni identifikator osobe, npr. za studenta broj studenta ili za zaposlenog broj zaposlenog.

Primer popunjenog fajla ldap.properties:

vim /opt/shibboleth-idp/conf/ldap.properties

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.institucija.ac.rs
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.sslConfig = certificateTrust
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.trustCertificates =  /etc/openldap/ldap.institucija.ac.rs.crt
# List of attributes to request during authentication
idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
idp.authn.LDAP.baseDN = ou=people,dc=institucija,dc=ac,dc=rs
idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.bindDN = cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs
# The userFilter is used to locate a directory entry to bind against for LDAP authentication.
idp.authn.LDAP.userFilter = (uid={user})

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = bind

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
# The searchFilter is is used to find user attributes from an LDAP source
idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)
# List of attributes produced by the Data Connector that should be directly exported as resolved IdPAttributes without requiring any <AttributeDefinition>
idp.attribute.resolver.LDAP.exportAttributes    = cn givenName sn mail rsEduPersonAffiliation displayName eduPersonEntitlement rsEduPersonLocalNumber

Provera konektivnosti sa LDAP bazom

ldapsearch -x -h <FQDN ili IP adresa> -D '<DN SISTEMSKOG NALOGA>' -w '<IDPUSER-PASSWORD>' -b 'ou=people,dc=example,dc=org' '(uid=<KORISNIČKO_IME>)'

<FQDN ili IP adresa> zameniti podatkom o domenu (FQDN) ili IP adresi virtuelne mašine na kojoj je LDAP baza

<DN SISTEMSKOG NALOGA> zameniti podatkom o kreiranom sistemskom nalogu npr. cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs

<IDPUSER-PASSWORD> zameniti lozinkom sistemskog naloga

ou=people,dc=example,dc=org zameniti podatkom o delu LDAP baze gde su korisnički nalozi koji se autentifikuju npr. ou=people,dc=institucija,dc=ac,dc=rs

<KORISNIČKO_IME> zameniti podatkom o korisničkom imenu test naloga za kog se proverava uspešnost autentifikacije

Primer komande:

ldapsearch -x -h ldap.institucija.ac.rs -D 'cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs' -w 'mojalozinka123' -b 'ou=people,dc=institucija,dc=ac,dc=rs' '(uid=petar.petrovic)'

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta. Napomena: Ukoliko je izveštaj isti kao prethodni put sa konfiguracijom je sve u redu:

bash /opt/shibboleth-idp/bin/status.sh

Podesiti da Davaoc Identiteta pušta persistent NameID

Shibboleth Documentation: https://wiki.shibboleth.net/confluence/display/IDP4/PersistentNameIDGenerationConfiguration

persistent NameID je jedinstveni trajni identifikator korisnika, koji Davalac Identiteta prosleđuje Davaocu Servisa.

Preporučena strategija je "Computed mode":

mv /opt/shibboleth-idp/conf/saml-nameid.properties /opt/shibboleth-idp/conf/saml-nameid.properties_default

wget https://docs.amres.ac.rs/download/shibboleth/saml-nameid.properties -O /opt/shibboleth-idp/conf/saml-nameid.properties

mv /opt/shibboleth-idp/conf/saml-nameid.xml /opt/shibboleth-idp/conf/saml-nameid_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/saml-nameid.xml -O /opt/shibboleth-idp/conf/saml-nameid.xml

openssl rand -base64 36

Rezultat komande je potrebno sačuvati/kopirati, jer se primenjuje u sledećem koraku

Rezultat komande je niz karaktera formata:

4Z4VL1gOzw*******************************

vim /opt/shibboleth-idp/credentials/secrets.properties
  • Otkomentarisati liniju:
idp.persistentId.salt = changethistosomethingrandom

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom
  • Deo changethistosomethingrandom izmeniti dobijenim nizom karaktera dobijenim kao rezultat prethodno primenjene komande (openssl rand -base64 36).
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
idp.persistentId.salt = 4Z4VL1gOzw*******************************

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Preuzeti fajl attribute-resolver.xml

mv /opt/shibboleth-idp/conf/attribute-resolver.xml /opt/shibboleth-idp/conf/attribute-resolver_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/attribute-resolver.xml -O /opt/shibboleth-idp/conf/attribute-resolver.xml

U fajlu treba izmeniti sledeće: 

vim /opt/shibboleth-idp/conf/attribute-resolver.xml

Umesto dela Naziv Vaše institucije uneti naziv Vaše institucije.

        <Attribute id="o">
            <Value>Naziv Vaše institucije</Value>
        </Attribute>

Ukoliko želite da učestvujete u Erazmus+ projektu i imate HEI ulogu, potrebno je da dodate konfiguraciju za ESI atribut.

Promeniti vlasnika fajla:

chown jetty /opt/shibboleth-idp/conf/attribute-resolver.xml

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Podesiti da Shibboleth Identity Provider pušta eduPersonTargetedID

Trajni identifikator korisnika koji razmenjuju Davalac Servisa i Davalac Identiteta (Shibboleth IdP). Nikada se ne dodeljuje ponovo i ne sadrži nikakve podatke o korisniku. Davalac Identiteta smešta persistentId vrednost u eduPersonTargetedID atribut kada komunicira sa određenim Davaocem Servisa ukoliko on to zahteva.

Ovaj deo je već podešen u okviru fajla attribute-resolver.xml koji ste preuzeli i izmenili u prethodnim koracima.

Dodatno, potrebno je preuzeti fajl eduPersonTargetedID.properties. 

wget https://docs.amres.ac.rs/download/shibboleth/eduPersonTargetedID.properties -O /opt/shibboleth-idp/conf/attributes/custom/eduPersonTargetedID.properties ; chown jetty:root /opt/shibboleth-idp/conf/attributes/custom/eduPersonTargetedID.properties

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Uneti dodatne šeme za definisanje atributa

rm -f /opt/shibboleth-idp/conf/attributes/eduPerson.xml ; wget https://docs.amres.ac.rs/download/shibboleth/eduPerson.xml -O /opt/shibboleth-idp/conf/attributes/eduPerson.xml

chown jetty:root /opt/shibboleth-idp/conf/attributes/eduPerson.xml

rm -f /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml ; wget https://docs.amres.ac.rs/download/shibboleth/inetOrgPerson.xml -O /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml

chown jetty:root /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml

rm -f /opt/shibboleth-idp/conf/attributes/samlSubject.xml ; wget https://docs.amres.ac.rs/download/shibboleth/samlSubject.xml -O /opt/shibboleth-idp/conf/attributes/samlSubject.xml

chown jetty:root /opt/shibboleth-idp/conf/attributes/samlSubject.xml

Preuzeti rsEdu.xml i schac.xml šemu na lokaciju /opt/shibboleth-idp/conf/attributes/

wget https://docs.amres.ac.rs/download/shibboleth/rsEdu.xml -O /opt/shibboleth-idp/conf/attributes/rsEdu.xml ; chown jetty:root /opt/shibboleth-idp/conf/attributes/rsEdu.xml

wget https://docs.amres.ac.rs/download/shibboleth/schac.xml -O /opt/shibboleth-idp/conf/attributes/schac.xml ; chown jetty:root /opt/shibboleth-idp/conf/attributes/schac.xml

Preuzeti fajl default-rules.xml :

mv /opt/shibboleth-idp/conf/attributes/default-rules.xml /opt/shibboleth-idp/conf/attributes/default-rules_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/default-rules.xml -O /opt/shibboleth-idp/conf/attributes/default-rules.xml

Konfiguracija Shibboleth IdP Logova

Konfiguracija logova vezanih za LDAP greške u autentifikaciji:

mv /opt/shibboleth-idp/conf/logback.xml /opt/shibboleth-idp/conf/logback_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/logback.xml -O /opt/shibboleth-idp/conf/logback.xml

Podešavanje interfejsa

Preuzeti korisnički interfejs na lokaciju /opt/shibboleth-idp/:

wget https://docs.amres.ac.rs/download/shibboleth/edit-webapp.tar.gz -O /opt/shibboleth-idp/edit-webapp.tar.gz ; rm -Ir /opt/shibboleth-idp/edit-webapp

tar -xzf /opt/shibboleth-idp/edit-webapp.tar.gz && rm -f /opt/shibboleth-idp/edit-webapp.tar.gz

Uneti logo vaše institucije u direktorijum: /opt/shibboleth-idp/edit-webapp/images

  • Imate mogućnost da unesete 2 logo fajla, jedan na srpskom i engleskom i shodno tome treba dati naziv formata npr. institucija_logo_sr.jpg i institucija_logo_en.jpg
  • Dimenzije: širina do 200px.
  • Podatak o logou institucije treba uneti u kasnijim koracima u fajlove messages_sr.properties i messages_en.properties

Prevod interfejsa i sistemskih poruka se preuzima u direktorijum /opt/shibboleth-idp/messages

wget https://docs.amres.ac.rs/download/shibboleth/messages_sr.properties -O /opt/shibboleth-idp/messages/messages_sr.properties

Izmeniti parametre:

  • idp.title=Institucija Web SSO
  • idp.logo=/images/institucija_logo_sr.jpg
  • idp.userprefs.title=Institucija Web SSO
wget https://docs.amres.ac.rs/download/shibboleth/messages_en.properties -O /opt/shibboleth-idp/messages/messages_en.properties

Izmeniti parametar:

  • idp.logo=/images/institucija_logo_en.jpg

Sledi prikaz pozicije i okvirnih dimenzija logo fotografije, kao primer je prikazan logo institucije AMRES.

Ilustracija logo fotografije za IdP

Ilustracija logo fotografije za IdP

Preimenovati postojeće i preuzeti nove fajlove user-prefs.vm, logout-propagate.vm, logout-complete.vm, error.vm, login.vm i logout.vm

mv /opt/shibboleth-idp/views/user-prefs.vm /opt/shibboleth-idp/views/user-prefs_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/user-prefs.vm -O /opt/shibboleth-idp/views/user-prefs.vm

mv /opt/shibboleth-idp/views/logout-propagate.vm /opt/shibboleth-idp/views/logout-propagate_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/logout-propagate.vm -O /opt/shibboleth-idp/views/logout-propagate.vm

mv /opt/shibboleth-idp/views/logout-complete.vm /opt/shibboleth-idp/views/logout-complete_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/logout-complete.vm -O /opt/shibboleth-idp/views/logout-complete.vm

mv /opt/shibboleth-idp/views/error.vm /opt/shibboleth-idp/views/error_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/error.vm -O /opt/shibboleth-idp/views/error.vm

mv /opt/shibboleth-idp/views/login.vm /opt/shibboleth-idp/views/login_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/login.vm -O /opt/shibboleth-idp/views/login.vm

mv /opt/shibboleth-idp/views/logout.vm /opt/shibboleth-idp/views/logout_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/logout.vm -O /opt/shibboleth-idp/views/logout.vm

Pokrenuti build skriptu 

cd /opt/shibboleth-idp/bin ; ./build.sh

Izveštaj pokretanja skripte

Treba enter negde

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
[root@idp messages]# cd /opt/shibboleth-idp/bin ; ./build.sh
Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ? Klik Enter

INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.1.5
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 7 seconds

Restartovati Jetty servis:

systemctl restart jetty.service

Izmeniti fajl idp-metadata.xml

Pre bilo koje izmene ovog fajla najsigurnije je napraviti njegovu kopiju

Ovaj fajl je veoma značajan i unikatan. Iz tog razloga treba vrlo pažljivo izvršiti sve potrebne izmene i u slučaju potrebe zgodno je imati mogućnost povratka na početno stanje.

cp /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idp-metadata_default.xml

Domen (npr. idp.institucija.ac.rs) u ovom fajlu nije potrebno menjati, već je podešen na osnovu definicija iz prethodnih fajlova. 

vim /opt/shibboleth-idp/metadata/idp-metadata.xml

Obrisati kompletno sledeći komentar: 

<!--
     This is example metadata only. Do *NOT* supply it as is without review,
     and do *NOT* provide it in real time to your partners.

     This metadata is not dynamic - it will not change as your configuration changes.
-->

Obrisati deo validUntil="2022-01-30T18:18:24.695Z" u sledećoj celini. Napomena: Vama će biti generisan drugačiji datum i vreme:

<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" validUntil="2022-02-07T21:13:49.962Z" entityID="https://idp.institucija.amres.ac.rs/idp/shibboleth">

<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" entityID="https://idp.institucija.amres.ac.rs/idp/shibboleth">

Obrisati deo: 

<!--
    Fill in the details for your IdP here

            <mdui:UIInfo>
                <mdui:DisplayName xml:lang="en">A Name for the IdP at idp.institucija.amres.ac.rs</mdui:DisplayName>
                <mdui:Description xml:lang="en">Enter a description of your IdP at idp.institucija.amres.ac.rs</mdui:Description>
                <mdui:Logo height="80" width="80">https://idp.institucija.ac.rs/Path/To/Logo.png</mdui:Logo>
            </mdui:UIInfo>
-->

Umesto tog dela dodati sledeći deo uz određene izmene:

Izmeniti sledeće podatke:

  • Naziv institucije: Uneti pun naziv institucije.
  • Name of the Institution: Uneti pun naziv institucije na engleskom jeziku.
  • IDP za zaposlene u instituciji: Svrha korišćenja IdP-a, npr. IDP za zaposlene u instituciji.
  • IDP for staff in the Institution: Svrha korišćenja IdP-a na engleskom jeziku , npr. IDP for staff in the Institution.
  • https://amres.ac.rs/dokumenti/amres_idp.png : Logo fotografija dostupna putem linka koji se navodi, širine i visine 50px.
1
2
3
4
5
6
7
8
<!-- UIInfo -->
           <mdui:UIInfo>
               <mdui:DisplayName xml:lang="sr">Naziv institucije</mdui:DisplayName>
               <mdui:DisplayName xml:lang="en">Name of the Institution</mdui:DisplayName>
               <mdui:Description xml:lang="sr">IDP za zaposlene u instituciji</mdui:Description>
               <mdui:Description xml:lang="en">IDP for staff in the Institution</mdui:Description>
               <mdui:Logo height="50" width="50">https://amres.ac.rs/dokumenti/amres_idp.png</mdui:Logo>
           </mdui:UIInfo>

Sledi prikaz pozicije i okvirnih dimenzija logo fotografije, kao primer je dat logo institucije AMRES. Ova logo fotografija bi se prikazala prilikom odabira Vaše institucije (Davaoca Identiteta) prilikom autentifikacije na željeni servis.

Ilustracija logo fotografije za IdP, koja se unosi putem linka

Ilustracija logo fotografije za IdP, koja se unosi putem linka

Obrisati deo 

        <!--<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.hosted.amres.ac.rs:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
-->

Sledeći korak:

U sledećoj celini potrebno je obrisati niz karaktera :8443 i izmeniti da indeks bude 1 umesto 2:

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>

Sledeći korak:

Obrisati oznake za komentar dela SingleLogoutService:

<!--
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>
-->

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>

Sledeći korak:

U sledećoj celini potrebno je obrisati niz kataktera :8443

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/SLO"/>

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/SLO"/>

Sledeći korak:

Obrisati deo 

        <!--<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.institucija.ac.rs/idp/profile/Shibboleth/SSO"/>
-->

Sledeći korak:

Dodati sledeće 2 linije između poslednje SingleLogoutService Binding i prve SingleSignOnService Binding sekcije:

        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

        ...
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>

        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" req-attr:supportsRequestedAttributes="true" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SSO"/>
        ...

Sledeći korak:

Obrisati početnu oznaku za komentar u delu:

<!--    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

Sledeći korak:

U sledećem delu potrebno je izmeniti SAML verziju iz 1.1 u 2.0

    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

Sledeći korak:

Obrisati dve oznake za komentar (kraj prethodnog komentara i početak narednog) u sledećoj liniji:

        --> <!-- First signing certificate is BackChannel, the Second is FrontChannel-->  <!--
!!! warning "Napomena: Ostaviti komentar u sredini"

         <!-- First signing certificate is BackChannel, the Second is FrontChannel-->

Sledeći korak:

Obrisati sve oznake za komentar u delu:

        --> <!--<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>-->  <!--

        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>

Sledeći korak:

U sledećem delu potrebno je obrisati niz karaktera :8443

        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>

        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/AttributeQuery"/>

Sledeći korak:

Obrisati u potpunosti deo: 

        --> <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above-->  <!--
        --> <!--<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>-->  <!--

Sledeći korak:

Obrisati oznaku za završetak komentara:

    </AttributeAuthorityDescriptor>-->

    </AttributeAuthorityDescriptor>

Sledeći korak:

Ispod linije </AttributeAuthorityDescriptor> a iznad linije </EntityDescriptor> dodati sledeću sekciju:

Izmeniti sledeće podatke:

  • Naziv institucije: Pun naziv Vaše institucije
  • Name of the Institution: Pun naziv Vaše institucije na engleskom jeziku
  • Naziv (akronim) institucije: Akronim Vaše institucije
  • Naziv (akronim) institucije: Akronim Vaše institucije na engleskom
  • https://institucija.ac.rs/: Link do verzije sajta institucije na srpskom jeziku
  • https://institucija.ac.rs/en: Link do verzije sajta institucije na engleskom jeziku
  • Ime: Ime osobe za kontakt
  • Prezime: Prezime osobe za kontakt
  • primer@institucija.ac.rs: Imejl adresa osobe za kontakt
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
 <Organization>
  <OrganizationName xml:lang="sr">Naziv institucije</OrganizationName>
  <OrganizationName xml:lang="en">Name of the Institution</OrganizationName>
  <OrganizationDisplayName xml:lang="sr">Naziv (akronim) institucije</OrganizationDisplayName>
  <OrganizationDisplayName xml:lang="en">Short name of the Institution</OrganizationDisplayName>

  <OrganizationURL xml:lang="sr">https://institucija.ac.rs/</OrganizationURL>
  <OrganizationURL xml:lang="en">https://institucija.ac.rs/en</OrganizationURL>
 </Organization>
 <ContactPerson contactType="technical">
  <GivenName>Ime</GivenName>
  <SurName>Prezime</SurName>
  <EmailAddress>primer@institucija.ac.rs</EmailAddress>
 </ContactPerson>
Fajl idp-metadata.xml nakon svih navedenih izmena: 
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" entityID="https://idp.institucija.amres.ac.rs/idp/shibboleth">

    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">institucija.ac.rs</shibmd:Scope>

            <mdui:UIInfo>
                <mdui:DisplayName xml:lang="sr">Institucije Republike Srbije</mdui:DisplayName>
                <mdui:DisplayName xml:lang="en">Institutions of the Republic of Serbia</mdui:DisplayName>
                <mdui:Description xml:lang="sr">IDP za zaposlene u Institucijama Republike Srbije</mdui:Description>
                <mdui:Description xml:lang="en">IDP for staff in the Institutions of the Republic of Serbia </mdui:Description>
                <mdui:Logo height="200" width="200">https://e7.pngegg.com/pngimages/34/35/png-clipart-flag-of-serbia-flags-of-the-world-flag-of-serbia-flag-logo.png</mdui:Logo>
            </mdui:UIInfo>


        </Extensions>

        <!-- First signing certificate is BackChannel, the Second is FrontChannel-->
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>

        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" req-attr:supportsRequestedAttributes="true" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" req-attr:supportsRequestedAttributes="true" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SSO"/>

    </IDPSSODescriptor>


    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">institucija.ac.rs</shibmd:Scope>
        </Extensions>

         <!-- First signing certificate is BackChannel, the Second is FrontChannel-->  
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>

        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/AttributeQuery"/>  

    </AttributeAuthorityDescriptor>

 <Organization>
  <OrganizationName xml:lang="sr">Naziv institucije</OrganizationName>
  <OrganizationName xml:lang="en">Name of the Institution</OrganizationName>
  <OrganizationDisplayName xml:lang="sr">Naziv (akronim) institucije</OrganizationDisplayName>
  <OrganizationDisplayName xml:lang="en">Short name of the Institution</OrganizationDisplayName>

  <OrganizationURL xml:lang="sr">https://institucija.ac.rs/</OrganizationURL>
  <OrganizationURL xml:lang="en">https://institucija.ac.rs/en</OrganizationURL>
 </Organization>
 <ContactPerson contactType="technical">
  <GivenName>Ime</GivenName>
  <SurName>Prezime</SurName>
  <EmailAddress>primer@institucija.ac.rs</EmailAddress>
 </ContactPerson>

</EntityDescriptor>

Nakon izvršenih izmena metapodaci vašeg Davaoca Identiteta dostupni su na linku https://institucija.ac.rs/idp/shibboleth

Podešavanje kolačića i ostalih podataka

Preuzeti skriptu updateIDPsecrets.sh na lokaciju /opt/shibboleth-idp/bin/:

wget https://docs.amres.ac.rs/download/shibboleth/updateIDPsecrets.sh -O /opt/shibboleth-idp/bin/updateIDPsecrets.sh

Toj skripti treba dati potrebnu dozvolu za izvršavanje:

chmod +x /opt/shibboleth-idp/bin/updateIDPsecrets.sh

Preuzeti CRON skriptu (/etc/cron.daily/updateIDPsecrets) koja će da je pokreće: 

wget https://docs.amres.ac.rs/download/shibboleth/updateIDPsecrets -O /etc/cron.daily/updateIDPsecrets

Toj skripti treba dati potrebnu dozvolu za izvršavanje:

chmod +x /etc/cron.daily/updateIDPsecrets

Proveriti da li će se skripta pokretati svakog dana (daily) :

run-parts --test /etc/cron.daily

Izveštaj provere: 

[root@idp ~]# run-parts --test /etc/cron.daily
/etc/cron.daily/logrotate
/etc/cron.daily/man-db.cron
/etc/cron.daily/updateIDPsecrets

Konfigurisati IdP da koristi adekvatan Attribute Filter Policy dokument

Kreirati direktorijum tmp/httpClientCache

mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown jetty /opt/shibboleth-idp/tmp/httpClientCache

Preuzeti fajl services.xml:

mv /opt/shibboleth-idp/conf/services.xml /opt/shibboleth-idp/conf/services_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/services.xml -O /opt/shibboleth-idp/conf/services.xml

Restartovati Jetty servis:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Pridruživanje iAMRES Federaciji

Pridruživanje iAMRES Federaciji podrazumeva razmenu metapodataka konfigurisanog Davaoca Identiteta i postojećih Davalaca Servisa. U narednim koracima potrebno je preuzeti metapodatke Davalaca Servisa iAMRES Federacije.

Preuzeti sertifikate za potpis metapodatka na lokaciju: /opt/shibboleth-idp/metadata/

wget https://docs.amres.ac.rs/download/shibboleth/md.iamres.ac.rs.crt -O /opt/shibboleth-idp/metadata/md.iamres.ac.rs.crt

Preuzeti skriptu za preuzimanje metapodataka SP entiteta iAMRES Federacije (metadata.sh) na lokaciju: /opt/shibboleth-idp/metadata/

wget https://docs.amres.ac.rs/download/shibboleth/metadata.sh -O /opt/shibboleth-idp/metadata/metadata.sh

Dati skripti odgovarajuću privilegiju za izvršavanje:

chmod +x /opt/shibboleth-idp/metadata/metadata.sh

Pokrenuti skriptu:

cd /opt/shibboleth-idp/metadata/

./metadata.sh

Rezultat pokretanja skripte je kreiranje fajla iamres_federacija_metadata.xml

  • Ovaj fajl predstavlja skup metapodataka Davaoca Servisa iAMRES Federacije.

Preuzeti fajl metadata-providers.xml na lokaciju /opt/shibboleth-idp/conf/:

wget https://docs.amres.ac.rs/download/shibboleth/metadata-providers.xml -O /opt/shibboleth-idp/conf/metadata-providers.xml

Pregled fajla metadata-providers.xml sa tumačenjem njegovog sadržaja:

  • U prikazanom delu fajla navode se Davaoci Servisa iAMRES Federacije, čiji su metapodaci preuzeti skriptom (./metadata.sh) i čitaju se iz gore pomenutog fajla (iamres_federacija_metadata.xml). Ovi metapodaci su potpisani sertifikatom md.iamres.ac.rs.crt.
<MetadataProvider
    id="iAMRES"
    xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/iamres_federacija_metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="${idp.home}/metadata/md.iamres.ac.rs.crt"/>
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

<MetadataFilter xsi:type="EntityRoleWhiteList">

    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>   

    <MetadataFilter xsi:type="Algorithm">

        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://testsp3.amres.ac.rs/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://ucionica.amres.ac.rs/auth/saml2/sp/metadata.php</Entity>
        <Entity>https://proxy.iamres.amres.ac.rs/simplesaml/module.php/saml/sp/metadata.php/amres.ac.rs</Entity>
    </MetadataFilter>
</MetadataProvider>

<MetadataProvider
id="eduGAIN"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/eduGAIN-metadata.xml"
metadataURL="http://md.iamres.ac.rs/iamres_metadata/iamres-interfederation-sp-metadata.xml">

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="${idp.home}/metadata/md.iamres.ac.rs.crt"/>

<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

    <MetadataFilter xsi:type="Algorithm">

        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<!--        <Entity>https://ucionica.amres.ac.rs/auth/saml2/sp/metadata.php</Entity>-->
    </MetadataFilter>

</MetadataProvider>
  • U prikazanom delu fajla navode se Davaoci Servisa čiji se metapodaci unose ručno u posebnim fajlovima, u okviru direktorijuma /opt/shibboleth-idp/metadata/sourceDirectory/.
<MetadataProvider
    id="iAMRESlocalDynamic"
    xsi:type="LocalDynamicMetadataProvider"
    sourceDirectory="%{idp.home}/metadata/sourceDirectory">


    <MetadataFilter xsi:type="Algorithm">

        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://filesender-test.amres.ac.rs/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</Entity>
    </MetadataFilter>
</MetadataProvider>

  • Ukoliko budete imali potrebu za ručnim dodavanjem Davaoca Servisa u okviru direktorijuma /opt/shibboleth-idp/metadata/sourceDirectory/ fajlove kreirate tako što je naziv jednog xml fajla SHA-1 heš sažetak entityID vrednosti Davaoca Servisa, na koji je dodata ekstenzija ".xml" i dobija se na sledeći način:

  • Primer generisanja naziva fajla koristeći OpenSSL iz komandne linije i entityID vrednost urn:test:foobar :

$ echo -n "urn:test:foobar" | openssl sha1
d278c9975472a6b4827b1a8723192b4e99aa969c
Nakon preuzetih fajlova i pokretanja skripte sadržaj direktorijuma /opt/shibboleth-idp/metadata/ je sledeći: 
[root@idp metadata]# ll
-rw-rw-r-- 1 jetty jetty 25921531 Aug  4 14:22 eduGAIN-metadata.xml
-rw-r--r-- 1 root  root    263457 Aug  4 13:55 iamres_federacija_metadata.xml
-rw-r--r-- 1 root  root     15043 Feb  7 23:16 idp-metadata_default.xml
-rw-r--r-- 1 root  root     15081 Jul 21 10:56 idp-metadata.xml
-rw-r--r-- 1 root  root      1980 Feb  8 10:27 md.iamres.ac.rs.crt
-rwxr-xr-x 1 root  root       192 Feb  8 10:27 metadata.sh
drwxrwxr-x 2 jetty jetty        6 Feb  9 11:38 sourceDirectory

Nakon izvršene konfiguracije i preuzimanja metapodataka, potrebno je registrovati metapodatke vašeg Davaoca Identiteta na iAMRES Federaciju, slanjem mejla sa linkom https://institucija.ac.rs/idp/shibboleth na helpdesk@amres.ac.rs.

Crontab

Potrebno je da se podesi da se skripta metadata.sh pokreće na svaki pun sat (u 00) svakog dana:

crontab -e

Iskopirati sledeće:

0 * * * * /opt/shibboleth-idp/metadata/metadata.sh

Uslovi korišćenja i saglasnost za slanje podataka

Uvesti Consent modul (modul za davanje saglasnosti):

cd /opt/shibboleth-idp/

bin/module.sh -t idp.intercept.Consent || bin/module.sh -e idp.intercept.Consent
Rezultat komande 
[root@idp shibboleth-idp]# bin/module.sh -t idp.intercept.Consent || bin/module.sh -e idp.intercept.Consent
Enabling idp.intercept.Consent...
conf/intercept/consent-intercept-config.xml created
views/intercept/attribute-release.vm created
views/intercept/terms-of-use.vm created
[OK]

Pokrenuti build skriptu 

cd /opt/shibboleth-idp/bin ; ./build.sh

Izveštaj pokretanja skripte

Treba enter negde

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
[root@idp messages]# cd /opt/shibboleth-idp/bin ; ./build.sh
Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ? Klik Enter

INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.2.1
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 7 seconds

Omogućiti Consent Module preuzimanjem fajla /opt/shibboleth-idp/conf/relying-party.xml

mv /opt/shibboleth-idp/conf/relying-party.xml /opt/shibboleth-idp/conf/relying-party_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/relying-party.xml -O /opt/shibboleth-idp/conf/relying-party.xml

Preuzeti fajl /opt/shibboleth-idp/views/intercept/attribute-release.vm:

mv /opt/shibboleth-idp/views/intercept/attribute-release.vm /opt/shibboleth-idp/views/intercept/attribute-release_default.vm

wget https://docs.amres.ac.rs/download/shibboleth/attribute-release.vm -O /opt/shibboleth-idp/views/intercept/attribute-release.vm

Pokrenuti ponovo build skriptu 

cd /opt/shibboleth-idp/bin ; ./build.sh

Restartovati Jetty servis:

systemctl restart jetty.service

Testiranje slanja atributa iz komandne linije

Ovu komandu je moguće koristiti nakon pridruživanje iAMRES federaciji, u cilju testiranja slanja atributa ka Test servisu.

bash /opt/shibboleth-idp/bin/aacli.sh -n <UID> -r https://testsp.amres.ac.rs/shibboleth --saml2

Napomena: Umesto uneti odgovorajuće korisničko ime iz baze. Umesto entityID vrednosti Test servisa možete uneti entityID servisa čiju konekciju testirate.

Pregled korisnih logova

Jetty logovi

cd /opt/jetty/logs

ls -l *.stderrout.log

Shibboleth IdP logovi

cd /opt/shibboleth-idp/logs

Audit Log: 

vim idp-audit.log

Consent Log: 

vim idp-consent-audit.log

Warn Log: 

tail -f idp-warn.log

Process Log: 

tail -f idp-process.log