
Installing the Identity Provider (Shibboleth IdP 4.3.1) - Debian/Ubuntu

Pre-installation preparation

Configure iptables

Update the installed packages:

apt update && apt-get upgrade -y --no-install-recommends

If you have not already done so, first install the iptables package and perform the initial configuration:

apt-get remove --auto-remove nftables
apt-get purge nftables
apt-get install iptables
apt-get install iptables-persistent

Open ports 80 (HTTP) and 443 (HTTPS)

This can be done as follows:

nano /etc/iptables/rules.v4

Open ports 80 and 443 by adding the following lines to the file:

-A INPUT -s xxx.xxx.xxx.xxx/255.255.255.xxx -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/255.255.255.xxx -p tcp -m tcp --dport 443 -j ACCEPT

Note: these lines must be placed above the line -A INPUT -j REJECT --reject-with icmp-host-prohibited, otherwise they are never reached.

Apply the changes:

iptables-restore < /etc/iptables/rules.v4
systemctl restart iptables
iptables -L
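As an added example that is not part of this guide, the following POSIX shell script inserts the two ACCEPT rules above the terminating REJECT rule of a rules.v4 file and verifies the ordering afterwards. A rule that ends up below -A INPUT -j REJECT is never evaluated, so the ports stay closed even though the line is present in the file. The script name and the source network 203.0.113.0/255.255.255.0 (a documentation range) are constructed placeholders; nothing beyond grep, awk and the usual coreutils is required.

```shell
#!/bin/sh
# Added example, not from the AMRES guide. Manages the tcp/80 and tcp/443 ACCEPT
# rules in an iptables-persistent rules file (/etc/iptables/rules.v4 format) and
# verifies that they sit above the terminating "-A INPUT -j REJECT" rule.

# Line number of the first "-A INPUT -j REJECT" rule in the file (empty if none).
reject_line() {
  grep -n -- '^-A INPUT -j REJECT' "$1" | head -n 1 | cut -d: -f1
}

# Insert ACCEPT rules for tcp/80 and tcp/443 from the source network $2 directly
# above the INPUT REJECT rule of file $1. Returns 1 if the file has no such rule,
# because then the chain's "deny everything else" point is unknown.
insert_web_rules() {
  file="$1"; src="$2"
  n=$(reject_line "$file")
  if [ -z "$n" ]; then
    echo "no '-A INPUT -j REJECT' rule found in $file" >&2
    return 1
  fi
  awk -v n="$n" -v src="$src" '
    NR == n {
      printf "-A INPUT -s %s -p tcp -m tcp --dport 80 -j ACCEPT\n", src
      printf "-A INPUT -s %s -p tcp -m tcp --dport 443 -j ACCEPT\n", src
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 only if an ACCEPT rule exists for both ports and each one appears
# before the first INPUT REJECT rule; otherwise report the problem and return 1.
check_rule_order() {
  file="$1"
  n=$(reject_line "$file")
  [ -n "$n" ] || n=2147483647   # no REJECT rule: nothing can shadow the ACCEPTs
  for port in 80 443; do
    m=$(grep -n -- "^-A INPUT .*--dport $port -j ACCEPT" "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$m" ]; then
      echo "missing ACCEPT rule for tcp/$port" >&2; return 1
    fi
    if [ "$m" -gt "$n" ]; then
      echo "ACCEPT rule for tcp/$port is below the REJECT rule and is never reached" >&2; return 1
    fi
  done
  return 0
}

# Usage (script name is hypothetical):
#   ./iptables-web-rules.sh /etc/iptables/rules.v4 203.0.113.0/255.255.255.0
# then apply with "iptables-restore < /etc/iptables/rules.v4".
if [ "$#" -eq 2 ]; then
  insert_web_rules "$1" "$2" && check_rule_order "$1" && echo "rules.v4 ordering OK"
fi
```

Run check_rule_order alone after any manual edit of rules.v4; it catches the case this section warns about (ACCEPT lines pasted after the REJECT line) before iptables-restore silently installs an ineffective rule set.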

Configure the host

Throughout this guide the VM's domain is assumed to be idp.institucija.ac.rs; wherever this domain name appears, enter the name of your choice instead.

It is very important that the FQDN (Fully Qualified Domain Name) and the full hostname (hostname -f) of this VM, e.g. idp.institucija.ac.rs, configured in this section are identical to the domain configured on the DNS server, because that domain will also be used later to create the certificate.

Configuring the host entry

The example below sets idp.institucija.ac.rs as the FQDN, which you must replace with the FQDN of your Identity Provider, and idp as the HOSTNAME, which you must replace with the hostname of your Identity Provider.

nano /etc/hosts

At the end of the file add a line of the form: IP_ADDRESS FQDN HOSTNAME, e.g.:

1xx.xxx.xxx.xxx idp.institucija.ac.rs idp

Set the hostname

The command has the form: hostnamectl set-hostname HOSTNAME

hostnamectl set-hostname idp

Hardware requirements

  • CPU: 2 cores (64-bit)
  • RAM: 4 GB
  • HDD: 20 GB
  • OS: Debian 10 / Ubuntu 18.04 / Ubuntu 20.04 / Ubuntu 22.04

Software to be installed

  • ca-certificates
  • ntp
  • vim
  • Amazon Corretto 11 JDK
  • jetty 9.4.x
  • apache2 (>= 2.4)
  • openssl
  • gnupg
  • libservlet3.1-java
  • liblogback-java

Install the required packages:

apt install vim wget gnupg ca-certificates openssl apache2 ntp libservlet3.1-java liblogback-java -y --no-install-recommends

Install the Amazon Corretto JDK:

wget -O- https://apt.corretto.aws/corretto.key | apt-key add -
apt-get install software-properties-common
add-apt-repository 'deb https://apt.corretto.aws stable main'
apt-get update; apt-get install -y java-11-amazon-corretto-jdk

Check the version of the installed Java package:

java -version
openjdk version "11.0.16" 2022-07-19 LTS
OpenJDK Runtime Environment Corretto-11.0.16.8.1 (build 11.0.16+8-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.16.8.1 (build 11.0.16+8-LTS, mixed mode)

Check that Java works:

update-alternatives --config java

Set the JAVA_HOME variable:

echo 'JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto' > /etc/environment
source /etc/environment
export JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
echo $JAVA_HOME

Installing the Identity Provider (Shibboleth IdP 4.3.1)

Download and unpack the Shibboleth Identity Provider v4.3.1 distribution under /usr/local/src:

cd /usr/local/src
wget https://shibboleth.net/downloads/identity-provider/latest4/shibboleth-identity-provider-4.3.1.tar.gz
tar -xzf shibboleth-identity-provider-4.3.1.tar.gz

Run the installation script:

cd /usr/local/src/shibboleth-identity-provider-4.3.1/bin
bash install.sh -Didp.host.name=$(hostname -f) -Didp.keysize=3072

During installation the messages shown below are printed and the following questions are asked.

When the prompts listed here appear, enter the corresponding values:

  • Source (Distribution) Directory (press to accept default): [/usr/local/src/shibboleth-identity-provider-4.3.1] ? Press ENTER
  • Installation Directory: [/opt/shibboleth-idp] ? Press ENTER
  • Backchannel PKCS12 Password: ###LOZINKA-ZA-BACKCHANNEL###
  • Re-enter password: ###LOZINKA-ZA-BACKCHANNEL###
  • Cookie Encryption Key Password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
  • Re-enter password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
  • SAML EntityID: [https://idp.institucija.ac.rs/idp/shibboleth] ? Press ENTER
  • Attribute Scope: [institucija.ac.rs] ? Press ENTER

Explanation:

  • Backchannel PKCS12 Password: the password protecting the backchannel keystore
  • Cookie Encryption Key Password: the password for the cookie encryption key
  • Attribute Scope: the scope must be a valid domain of the institution

Note:

From this point on, the idp.home variable refers to the directory /opt/shibboleth-idp.

Keep a backup of the ###LOZINKA-ZA-BACKCHANNEL### password somewhere in case you need it in the future.

The ###LOZINKA-ZA-COOKIE-ENCRYPTION### password will be stored in /opt/shibboleth-idp/credentials/secrets.properties as the idp.sealer.storePassword and idp.sealer.keyPassword values.

Buildfile: /usr/local/src/shibboleth-identity-provider-4.3.1/bin/build.xml

install:
Source (Distribution) Directory (press to accept default): [/usr/local/src/shibboleth-identity-provider-4.3.1] ? Press Enter

Installation Directory: [/opt/shibboleth-idp] ? Press Enter

INFO [net.shibboleth.idp.installer.V4Install:158] - New Install. Version: 4.3.1
INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-signing, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
INFO [net.shibboleth.idp.installer.V4Install:601] - Creating idp-encryption, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
Backchannel PKCS12 Password: ###LOZINKA-ZA-BACKCHANNEL###
Re-enter password: ###LOZINKA-ZA-BACKCHANNEL###
INFO [net.shibboleth.idp.installer.V4Install:644] - Creating backchannel keystore, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
Cookie Encryption Key Password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
Re-enter password: ###LOZINKA-ZA-COOKIE-ENCRYPTION###
INFO [net.shibboleth.idp.installer.V4Install:685] - Creating backchannel keystore, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
INFO [net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool:166] - No existing versioning property, initializing...
SAML EntityID: [https://idp.institucija.ac.rs/idp/shibboleth] ? Press ENTER

Attribute Scope: [institucija.ac.rs] ? Press ENTER

INFO [net.shibboleth.idp.installer.V4Install:474] - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.3.1
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 1 minute 19 seconds

Installing the Jetty 9 web server

cd /usr/local/src
wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.43.v20210629/jetty-distribution-9.4.43.v20210629.tar.gz
tar xzvf jetty-distribution-9.4.43.v20210629.tar.gz

Create jetty-src as a symbolic link to the distribution. This makes future Jetty upgrades easier:

ln -nsf jetty-distribution-9.4.43.v20210629 jetty-src

Create the jetty user and group:

useradd --system --home-dir /usr/local/src/jetty-src --user-group jetty

Create the Jetty base directory, which will hold the configuration that overrides the distribution defaults and survives upgrades:

mkdir /opt/jetty

Download the Jetty configuration that overrides the defaults and survives upgrades:

wget https://docs.amres.ac.rs/download/shibboleth/debian/start.ini -O /opt/jetty/start.ini

Create the /opt/jetty/tmp directory for Jetty's use:

mkdir /opt/jetty/tmp ; chown jetty:jetty /opt/jetty/tmp
chown -R jetty:jetty /opt/jetty /usr/local/src/jetty-src

Create the Jetty log directories:

mkdir /var/log/jetty
mkdir /opt/jetty/logs
chown jetty:jetty /var/log/jetty /opt/jetty/logs

Download the jetty defaults file:

wget https://docs.amres.ac.rs/download/shibboleth/jetty -O /etc/default/jetty

Make the jetty service loadable from the command line:

cd /etc/init.d
ln -s /usr/local/src/jetty-src/bin/jetty.sh jetty
update-rc.d jetty defaults

Check that jetty is configured correctly:

service jetty check

Status of the jetty process:
Jetty NOT running

JAVA                  =  /usr/bin/java
JAVA_OPTIONS          =  -Djetty.home=/usr/local/src/jetty-src -Djetty.base=/opt/jetty -Djava.io.tmpdir=/opt/jetty/tmp
JETTY_HOME            =  /usr/local/src/jetty-src
JETTY_BASE            =  /opt/jetty
START_D               =  /opt/jetty/start.d
START_INI             =  /opt/jetty/start.ini
JETTY_START           =  /usr/local/src/jetty-src/start.jar
JETTY_CONF            =  /usr/local/src/jetty-src/etc/jetty.conf
JETTY_ARGS            =  jetty.state=/opt/jetty/jetty.state jetty-started.xml
JETTY_RUN             =  /var/run/jetty
JETTY_PID             =  /var/run/jetty/jetty.pid
JETTY_START_LOG       =  /var/log/jetty/start.log
JETTY_STATE           =  /opt/jetty/jetty.state
JETTY_START_TIMEOUT   =  60
RUN_CMD               =  /usr/bin/java -Djetty.home=/usr/local/src/jetty-src -Djetty.base=/opt/jetty -Djava.io.tmpdir=/opt/jetty/tmp -jar /usr/local/src/jetty-src/start.jar jetty.state=/opt/jetty/jetty.state jetty-started.xml

Start the Jetty process:

service jetty start

Check the jetty process status again:

service jetty check

Status of the jetty process:
Jetty running pid=3886

JAVA                  =  /usr/bin/java
JAVA_OPTIONS          =  -Djetty.home=/usr/local/src/jetty-src -Djetty.base=/opt/jetty -Djava.io.tmpdir=/opt/jetty/tmp
JETTY_HOME            =  /usr/local/src/jetty-src
JETTY_BASE            =  /opt/jetty
START_D               =  /opt/jetty/start.d
START_INI             =  /opt/jetty/start.ini
JETTY_START           =  /usr/local/src/jetty-src/start.jar
JETTY_CONF            =  /usr/local/src/jetty-src/etc/jetty.conf
JETTY_ARGS            =  jetty.state=/opt/jetty/jetty.state jetty-started.xml
JETTY_RUN             =  /var/run/jetty
JETTY_PID             =  /var/run/jetty/jetty.pid
JETTY_START_LOG       =  /var/log/jetty/start.log
JETTY_STATE           =  /opt/jetty/jetty.state
JETTY_START_TIMEOUT   =  60
RUN_CMD               =  /usr/bin/java -Djetty.home=/usr/local/src/jetty-src -Djetty.base=/opt/jetty -Djava.io.tmpdir=/opt/jetty/tmp -jar /usr/local/src/jetty-src/start.jar jetty.state=/opt/jetty/jetty.state jetty-started.xml

Configuring the Jetty 9 web server

Configure the IdP context descriptor. Create the /opt/jetty/webapps directory:

mkdir /opt/jetty/webapps

Download the idp.xml file:

wget https://docs.amres.ac.rs/download/shibboleth/idp.xml -O /opt/jetty/webapps/idp.xml

Make jetty the owner of the main Identity Provider directories:

cd /opt/shibboleth-idp
chown -R jetty logs/ metadata/ credentials/ conf/ war/

Listing of /opt/shibboleth-idp after the change:
root@idp:/opt/shibboleth-idp# ls -l
total 48
drwxr-xr-x 3 root  root 4096 Aug 16 10:46 bin
drwxr-xr-x 8 jetty root 4096 Aug 16 10:46 conf
drwxr-xr-x 2 jetty root 4096 Aug 16 10:46 credentials
drwxr-xr-x 7 root  root 4096 Aug 16 10:46 dist
drwxr-xr-x 2 root  root 4096 Aug 16 10:46 doc
drwxr-xr-x 5 root  root 4096 Aug 16 10:46 edit-webapp
drwxr-xr-x 4 root  root 4096 Aug 16 10:46 flows
drwxr-xr-x 2 jetty root 4096 Aug 16 10:46 logs
drwxr-xr-x 2 root  root 4096 Aug 16 10:46 messages
drwxr-xr-x 2 jetty root 4096 Aug 16 10:46 metadata
drwxr-xr-x 4 root  root 4096 Aug 16 10:46 views
drwxr-xr-x 2 jetty root 4096 Aug 16 10:46 war

Restart the Jetty service:

systemctl restart jetty.service

SSL configuration - Apache2 (front end for Jetty)

Create the DocumentRoot:

mkdir /var/www/html/$(hostname -f)
chown -R www-data: /var/www/html/$(hostname -f)
echo '<h1>It Works!</h1>' > /var/www/html/$(hostname -f)/index.html
wget https://docs.amres.ac.rs/download/shibboleth/debian/000-idp.institucija.ac.rs.conf -O /etc/apache2/sites-available/$(hostname -f).conf

The file /etc/apache2/sites-available/$(hostname -f).conf must be edited: enter the certificate and key file names and the server data.

vim /etc/apache2/sites-available/$(hostname -f).conf

The file /etc/apache2/sites-available/$(hostname -f).conf with all required changes:
# This is an example Apache2 configuration for a Shibboleth Identity Provider
# installed with IDEM Tutorials.
#
# Edit this file and:
# - Adjust "idp.example.org" with your IdP Full Qualified Domain Name
# - Adjust "ServerAdmin" email address
# - Adjust "CustomLog" and "ErrorLog" with Apache log files path (there are examples for Debian or CentOS distribution)
# - Adjust "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCACertificateFile" with the correct file path


# SSL general security improvements should be moved in global settings
# OCSP Stapling, only in httpd/apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:80>
   ServerName "idp.institucija.ac.rs"
   Redirect permanent "/" "https://idp.institucija.ac.rs/"
</VirtualHost>

<IfModule mod_ssl.c>
   <VirtualHost _default_:443>
     ServerName idp.institucija.ac.rs:443
     ServerAdmin helpdesk@institucija.ac.rs
     # Debian/Ubuntu
     CustomLog /var/log/apache2/idp.institucija.ac.rs combined
     ErrorLog /var/log/apache2/idp.institucija.ac.rs-error.log    
     # Centos
     #CustomLog /var/log/httpd/idp.example.org.log combined
     #ErrorLog /var/log/httpd/idp.example.org-error.log

     DocumentRoot /var/www/html/idp.institucija.ac.rs

     SSLEngine On
     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
     SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

     SSLHonorCipherOrder on   

     # Disallow embedding your IdP's login page within an iframe and
     # Enable HTTP Strict Transport Security with a 2 year duration
     <IfModule headers_module>
        Header set X-Frame-Options DENY
        Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
     </IfModule>

     # Debian/Ubuntu
     SSLCertificateFile /etc/ssl/certs/idp.institucija.ac.rs.crt      
     SSLCertificateKeyFile /etc/ssl/private/idp.institucija.ac.rs.key

     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
     SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.crt


     # Centos
     #SSLCertificateFile /etc/pki/tls/certs/idp.example.org.crt
     #SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
     #SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.crt

     <IfModule mod_proxy.c>
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass /idp http://localhost:8080/idp retry=5
        ProxyPassReverse /idp http://localhost:8080/idp retry=5

        <Location /idp>
           Require all granted
        </Location>
     </IfModule>
   </VirtualHost>
</IfModule>

# This virtualhost is only here to handle administrative commands for Shibboleth, executed from localhost
<VirtualHost 127.0.0.1:80>
  ProxyPass /idp http://localhost:8080/idp retry=5
  ProxyPassReverse /idp http://localhost:8080/idp retry=5
  <Location /idp>
    Require all granted
  </Location>
</VirtualHost>
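As an added example that is not part of this guide, the following POSIX shell script lints a vhost file like the one above for the settings that matter when Apache sits in front of the IdP: legacy TLS versions disabled, server cipher preference, the HSTS and X-Frame-Options headers, X-Forwarded-Proto for the proxied application, an https redirect on the plain-HTTP vhost, and ProxyPass targets limited to the local Jetty on port 8080. It reads only active (non-comment) lines, so a directive that is merely commented out counts as missing. The script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the AMRES guide. Lints an Apache vhost file for the
# settings that matter when Apache fronts the Shibboleth IdP.

# Active (non-comment) lines of the configuration.
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# 0 if the extended regex $2 matches an active line of file $1.
has_directive() { active_lines "$1" | grep -Eq -- "$2"; }

# Count a finding unless the directive is present.
require() {  # <conf> <regex> <message>
  has_directive "$1" "$2" || { echo "FINDING: $3"; findings=$((findings + 1)); }
}

# SSLProtocol is acceptable either as an allow-list of TLS 1.2/1.3 only, or as
# "All" minus SSLv3, TLSv1 and TLSv1.1 (the form the guide's file uses).
tls_protocol_ok() {
  line=$(active_lines "$1" | grep -E '^[[:space:]]*SSLProtocol[[:space:]]' | head -n 1)
  [ -n "$line" ] || return 1
  echo "$line" | grep -Eq '^[[:space:]]*SSLProtocol([[:space:]]+\+?TLSv1\.[23])+[[:space:]]*$' && return 0
  echo "$line" | grep -q -- '-SSLv3' \
    && echo "$line" | grep -Eq -- '-TLSv1([[:space:]]|$)' \
    && echo "$line" | grep -q -- '-TLSv1\.1'
}

# Print findings to stdout; return 0 only when there are none.
lint_vhost() {
  conf="$1"; findings=0
  tls_protocol_ok "$conf" || { echo "FINDING: SSLProtocol still allows SSLv3, TLSv1 or TLSv1.1"; findings=$((findings + 1)); }
  require "$conf" '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo]n' 'SSLHonorCipherOrder on is missing'
  require "$conf" 'Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Strict-Transport-Security' 'HSTS header is missing'
  require "$conf" 'Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+X-Frame-Options[[:space:]]+"?DENY' 'X-Frame-Options DENY is missing (login page could be framed)'
  require "$conf" 'RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-Proto[[:space:]]+"?https' 'X-Forwarded-Proto https is not set for the proxied IdP'
  require "$conf" 'Redirect[[:space:]]+permanent[[:space:]]+"?/"?[[:space:]]+"?https://' 'port 80 vhost does not redirect to https'
  require "$conf" 'ProxyPass[[:space:]]+/idp[[:space:]]' 'ProxyPass for /idp is missing'
  # Every ProxyPass/ProxyPassReverse must forward to the local Jetty only.
  if active_lines "$conf" | grep -E 'ProxyPass(Reverse)?[[:space:]]' \
       | grep -Evq 'http://(localhost|127\.0\.0\.1):8080/'; then
    echo "FINDING: a ProxyPass target is not the local Jetty (localhost:8080)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage (script name is hypothetical):
#   ./lint-idp-vhost.sh /etc/apache2/sites-available/$(hostname -f).conf
if [ "$#" -eq 1 ]; then
  lint_vhost "$1" && echo "no findings"
fi
```

Run it before a2ensite and again after every edit of the vhost; the checks are deliberately narrow so that each FINDING line maps to one directive in the file above.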

Commercial SSL certificate

Creating the commercial SSL certificate and key:

The commercial certificate and key should be of type GÉANT OV SSL, created according to the instructions:

  • HTTPS Server Certificate (Public Key) - (idp.institucija.ac.rs.crt) in /etc/ssl/certs
  • HTTPS Server Key (Private Key) - (idp.institucija.ac.rs.key) in /etc/ssl/private

One way to do this:

Download the SCSreq.cnf file to /etc/ssl/private/SCSreq.cnf:

wget https://docs.amres.ac.rs/download/shibboleth/SCSreq.cnf -O /etc/ssl/private/SCSreq.cnf

Generate the private key (.key) and the certificate signing request (.csr):

openssl req -new -sha256 -config /etc/ssl/private/SCSreq.cnf -utf8 -keyout /etc/ssl/private/$(hostname -f).key -out /etc/ssl/private/$(hostname -f).csr

Example of creating the private key and request (you would use a different certificate name and enter your own data):

openssl req -new -sha256 -config /etc/ssl/private/SCSreq.cnf -utf8 -keyout /etc/ssl/private/$(hostname -f).key -out /etc/ssl/private/$(hostname -f).csr
Generating a 2048 bit RSA private key
....................+++
....................+++
writing new private key to '/etc/ssl/private/idp.institucija.ac.rs.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Oznaka zemlje (2 znaka) [RS]: Press Enter
Pun naziv drzave []: Press Enter
Lokacija (mesto) []: Belgrade
Postanski broj []: 11000
Ulica i broj []: Bulevar kralja Aleksandra 90
Zvanični naziv institucije []: Academic network of the Republic of Serbia – AMRES
FQDN adresa servera []: idp.institucija.ac.rs

Then use the generated request to obtain the certificate (public key), which must be of type GÉANT OV SSL:

cat /etc/ssl/private/$(hostname -f).csr

Download the CA certificate (GEANT_OV_RSA_CA_4.crt):

wget https://docs.amres.ac.rs/download/shibboleth/GEANT_OV_RSA_CA_4.crt -O /etc/ssl/certs/GEANT_OV_RSA_CA_4.crt

Set the appropriate permissions on the SSL certificate and key:

chmod 400 /etc/ssl/private/$(hostname -f).key
chmod 644 /etc/ssl/certs/$(hostname -f).crt
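As an added example that is not part of this guide, the following POSIX shell script verifies the installed certificate before Apache is restarted: that the certificate and private key belong together, that the certificate covers the IdP's FQDN and is not about to expire, and that the file modes match the two chmod commands above. It relies only on openssl and GNU stat; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the AMRES guide. Checks that the certificate and key
# installed for Apache belong together, that the certificate is valid for the
# IdP's FQDN and not about to expire, and that the file modes match the guide
# (key 0400, certificate 0644). Uses openssl and GNU stat(1) only.

# 0 if the public key inside the certificate equals the one derived from the key;
# 2 if either file cannot be parsed.
cert_matches_key() {  # <cert.crt> <key>
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# 0 if the certificate's CN or subjectAltName covers the host name $2.
cert_covers_host() {  # <cert.crt> <fqdn>
  openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the certificate is still valid $2 days from now (default 30).
cert_not_expiring() {  # <cert.crt> [days]
  openssl x509 -noout -in "$1" -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if the key is readable only by its owner and the certificate is not
# writable by anyone but its owner.
perms_ok() {  # <cert.crt> <key>
  kmode=$(stat -c '%a' "$2"); cmode=$(stat -c '%a' "$1")
  case "$kmode" in 400|600) ;; *) echo "key mode is $kmode, expected 400" >&2; return 1 ;; esac
  case "$cmode" in 444|644) ;; *) echo "certificate mode is $cmode, expected 644" >&2; return 1 ;; esac
}

# Run every check; 0 only if all pass. Usage (script name is hypothetical):
#   ./check-idp-cert.sh /etc/ssl/certs/$(hostname -f).crt /etc/ssl/private/$(hostname -f).key $(hostname -f)
check_idp_cert() {  # <cert.crt> <key> <fqdn>
  rc=0
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; rc=1; }
  cert_covers_host "$1" "$3" || { echo "certificate is not issued for $3" >&2; rc=1; }
  cert_not_expiring "$1" 30 || { echo "certificate expires within 30 days" >&2; rc=1; }
  perms_ok "$1" "$2" || rc=1
  return "$rc"
}

if [ "$#" -eq 3 ]; then
  check_idp_cert "$1" "$2" "$3" && echo "certificate checks passed"
fi
```

A mismatched key and certificate is the most common cause of the Apache start failure discussed a few steps further on, and cert_not_expiring is cheap enough to run from cron so that renewal is scheduled before users see a TLS error.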

Enable the Apache2 modules and the site:

a2enmod proxy_http ssl headers alias include negotiation
a2ensite $(hostname -f).conf
a2dissite 000-default.conf default-ssl

Then restart the Apache process:

systemctl restart apache2.service

If an error is shown, check:

  1. Did you create the private key and certificate and place them in the correct location?
  2. Did you download the GEANT_OV_RSA_CA_4.crt certificate?
  3. Did you make all the required changes in /etc/apache2/sites-available/$(hostname -f).conf?
  4. Did you enable the Apache2 modules as instructed?
  5. Did you install all the required software as instructed (ca-certificates openssl apache2)?

Check the IdP metadata, available at a URL of the form https://VM_DOMAIN/idp/shibboleth, e.g.:

https://idp.institucija.ac.rs/idp/shibboleth

Identity Provider storage configuration

The approach used is: HTML local storage (client-side), GCM encryption, no database; nothing further needs to be configured.

Check the status of the Identity Provider:

bash /opt/shibboleth-idp/bin/status.sh
### Operating Environment Information

### Identity Provider Information
idp_version: 4.3.1
start_time: 2022-08-16T08:51:46.669Z
current_time: 2022-08-16T09:06:12.698285Z
uptime: PT14M26.029S

enabled modules:
        idp.authn.Password (Password Authentication)
        idp.admin.Hello (Hello World)

installed plugins:

service: shibboleth.LoggingService
last successful reload attempt: 2022-08-16T08:51:41.721516Z
last reload attempt: 2022-08-16T08:51:41.721516Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2022-08-16T08:51:44.917526Z
last reload attempt: 2022-08-16T08:51:44.917526Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2022-08-16T08:51:45.016525Z
last reload attempt: 2022-08-16T08:51:45.016525Z

        No Data Connector has ever failed

service: shibboleth.AttributeRegistryService
last successful reload attempt: 2022-08-16T08:51:44.392207Z
last reload attempt: 2022-08-16T08:51:44.392207Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2022-08-16T08:51:45.144306Z
last reload attempt: 2022-08-16T08:51:45.144306Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2022-08-16T08:51:45.226265Z
last reload attempt: 2022-08-16T08:51:45.226265Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2022-08-16T08:51:44.691261Z
last reload attempt: 2022-08-16T08:51:44.691261Z

        No Metadata Resolver has ever attempted a reload

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2022-08-16T08:51:45.689784Z
last reload attempt: 2022-08-16T08:51:45.689784Z

service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2022-08-16T08:51:45.736877Z
last reload attempt: 2022-08-16T08:51:45.736877Z

service: shibboleth.ManagedBeanService
last successful reload attempt: 2022-08-16T08:51:45.752055Z
last reload attempt: 2022-08-16T08:51:45.752055Z

Integration with the OpenLDAP database

Install the ldap-utils package:

apt install ldap-utils

Create a system account (monitoring account) in the OpenLDAP database

You can read about this in the corresponding part of the OpenLDAP database installation and configuration guide (Debian/Ubuntu) or here (CentOS).

After creating the system account, it must be granted read (monitoring) privileges on the user accounts in the database, which is done by writing an access control list; you can read more about that in this part of the guide (Debian/Ubuntu) or in this part (CentOS).

Note: if you need advice on a more specific access control list, contact us at helpdesk@amres.ac.rs.

OpenLDAP certificate

If the OpenLDAP database is not on the VM where the Shibboleth IdP is being installed and configured, the database's certificate must be copied to this VM, as it is required to establish a secure connection to the database. The certificate can be placed in /etc/ldap/, /etc/ldap/certs or any other location convenient to you. The location of this certificate must later be entered in the file /opt/shibboleth-idp/conf/ldap.properties.

The OpenLDAP + STARTTLS method is used.

The secrets.properties file

The secrets.properties file contains the password entered during the installation of the Shibboleth Identity Provider (idp.sealer.storePassword and idp.sealer.keyPassword).

Editing secrets.properties:

vim /opt/shibboleth-idp/credentials/secrets.properties

The following line must be edited:

idp.authn.LDAP.bindDNCredential = myServicePassword

  • Replace myServicePassword with the password of the system account that will connect the IdP to the LDAP database and thereby enable authentication of users from the database.

Default contents of the file:
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

The file after the change:

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = mojalozinka123
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

The ldap.properties file

mv /opt/shibboleth-idp/conf/ldap.properties /opt/shibboleth-idp/conf/ldap.properties_default
wget https://docs.amres.ac.rs/download/shibboleth/debian/ldap.properties -O /opt/shibboleth-idp/conf/ldap.properties

The ldap.properties file specifies the details of the LDAP database the IdP connects to:

idp.authn.LDAP.ldapURL = ldap://<DOMAIN OF THE VM HOSTING THE LDAP DATABASE>, e.g. ldap://ldap.institucija.ac.rs

idp.authn.LDAP.trustCertificates = <PATH TO THE LDAP CERTIFICATE>, e.g. /etc/ldap/ldap.institucija.ac.rs.crt

idp.authn.LDAP.baseDN = <PART OF THE LDAP DATABASE CONTAINING THE USER ACCOUNTS THAT AUTHENTICATE>, e.g. ou=people,dc=institucija,dc=ac,dc=rs

idp.authn.LDAP.subtreeSearch = false

idp.authn.LDAP.bindDN = <DN OF THE SYSTEM ACCOUNT>, e.g. cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs

idp.attribute.resolver.LDAP.exportAttributes = <ATTRIBUTES TAKEN FROM THE LDAP DATABASE>, e.g. uid cn givenName sn mail rsEduPersonAffiliation displayName eduPersonEntitlement rsEduPersonLocalNumber

Note:

  • In the example above, the value of idp.authn.LDAP.baseDN is the organizational unit containing all user accounts that authenticate. If your database is organized so that accounts are spread over several branches and organizational units, the value of idp.authn.LDAP.baseDN should be the root of the LDAP tree and idp.authn.LDAP.subtreeSearch should be set to true.
  • eduPersonEntitlement is a special attribute used for authorization. It can be used to determine whether a user is entitled to use a particular service.
  • The rsEduPersonAffiliation attribute defines how a person is related to the institution (possible values: student, pupil, teaching staff, employee, external associate, service user, guest).
  • The rsEduPersonLocalNumber attribute is the person's local identifier, e.g. the student number for a student or the employee number for an employee.

Example of a completed ldap.properties file:

vim /opt/shibboleth-idp/conf/ldap.properties
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.institucija.ac.rs
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.sslConfig = certificateTrust
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.trustCertificates =  /etc/ldap/ldap.institucija.ac.rs.crt
# List of attributes to request during authentication
idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
idp.authn.LDAP.baseDN = ou=people,dc=institucija,dc=ac,dc=rs
idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.bindDN = cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs
# The userFilter is used to locate a directory entry to bind against for LDAP authentication.
idp.authn.LDAP.userFilter = (uid={user})

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = bind

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
# The searchFilter is is used to find user attributes from an LDAP source
idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)
# List of attributes produced by the Data Connector that should be directly exported as resolved IdPAttributes without requiring any <AttributeDefinition>
idp.attribute.resolver.LDAP.exportAttributes    = uid cn givenName sn mail rsEduPersonAffiliation displayName eduPersonEntitlement rsEduPersonLocalNumber

Checking connectivity to the LDAP database

ldapsearch -x -h <FQDN or IP address> -D '<SYSTEM_ACCOUNT_DN>' -w '<IDPUSER_PASSWORD>' -b 'ou=people,dc=example,dc=org' '(uid=<USERNAME>)'

Replace <FQDN or IP address> with the domain (FQDN) or IP address of the virtual machine hosting the LDAP database.

Replace <SYSTEM_ACCOUNT_DN> with the DN of the system account you created, e.g. cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs.

Replace <IDPUSER_PASSWORD> with the password of the system account.

Replace ou=people,dc=example,dc=org with the part of the LDAP database containing the user accounts that authenticate, e.g. ou=people,dc=institucija,dc=ac,dc=rs.

Replace <USERNAME> with the username of a test account whose authentication is being verified.

Example command:

ldapsearch -x -h ldap.institucija.ac.rs -D 'cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs' -w 'mojalozinka123' -b 'ou=people,dc=institucija,dc=ac,dc=rs' '(uid=petar.petrovic)'

Note: remove the "-h ldap.institucija.ac.rs" parameter from the command if it does not work; the reason is that this option is not supported on newer OS versions.
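As an added example that is not part of this guide, the following POSIX shell script builds the connectivity test from the IdP's own ldap.properties and secrets.properties instead of retyping the values, so the test exercises exactly the URL, bind DN, base DN, search scope and CA certificate the IdP will use. It uses -H with the full URI, which is what OpenLDAP 2.5+ clients accept after the -h option mentioned in the note above was removed; it requires STARTTLS with -ZZ whenever useStartTLS is true (matching the STARTTLS method chosen for this deployment); and it hands the bind password to ldapsearch through a mode-0600 file (-y) instead of placing it on the command line with -w, where it would be visible in shell history and process listings. The script name and the test user petar.petrovic are placeholders taken from the example above.

```shell
#!/bin/sh
# Added example, not from the AMRES guide. Builds the ldapsearch connectivity test
# from the IdP's ldap.properties and secrets.properties so that the test uses the
# same connection parameters as the IdP itself.

# Value of key $2 in the Java-style properties file $1 (first match, trimmed).
# Commented-out lines never match because the pattern is anchored at line start.
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print the ldapsearch command line derived from ldap.properties $1. The bind
# password is read by ldapsearch from the file named in $2 (-y); $3 is the uid
# of the test account.
build_ldapsearch() {  # <ldap.properties> <password-file> <uid>
  url=$(prop "$1" 'idp.authn.LDAP.ldapURL')
  binddn=$(prop "$1" 'idp.authn.LDAP.bindDN')
  basedn=$(prop "$1" 'idp.authn.LDAP.baseDN')
  cacert=$(prop "$1" 'idp.authn.LDAP.trustCertificates')
  starttls=$(prop "$1" 'idp.authn.LDAP.useStartTLS')
  subtree=$(prop "$1" 'idp.authn.LDAP.subtreeSearch')
  if [ -z "$url" ] || [ -z "$binddn" ] || [ -z "$basedn" ]; then
    echo "ldap.properties is missing ldapURL, bindDN or baseDN" >&2
    return 1
  fi
  # subtreeSearch=false means the IdP searches one level below baseDN.
  if [ "$subtree" = "true" ]; then scope=sub; else scope=one; fi
  # -ZZ makes ldapsearch fail instead of falling back to cleartext if STARTTLS fails.
  if [ "$starttls" = "true" ]; then tls="-ZZ"; else tls=""; fi
  printf "LDAPTLS_CACERT='%s' ldapsearch -x -H '%s' %s -D '%s' -y '%s' -b '%s' -s %s '(uid=%s)' uid mail\n" \
    "$cacert" "$url" "$tls" "$binddn" "$2" "$basedn" "$scope" "$3"
}

# Run the test against the live directory. Usage (script name is hypothetical):
#   ./ldap-connectivity.sh /opt/shibboleth-idp/conf/ldap.properties \
#       /opt/shibboleth-idp/credentials/secrets.properties petar.petrovic
run_ldap_check() {  # <ldap.properties> <secrets.properties> <uid>
  pw=$(prop "$2" 'idp.authn.LDAP.bindDNCredential')
  [ -n "$pw" ] || { echo "idp.authn.LDAP.bindDNCredential is not set in $2" >&2; return 1; }
  pwfile=$(mktemp); chmod 600 "$pwfile"
  printf '%s' "$pw" > "$pwfile"      # no trailing newline: -y uses the file content verbatim
  cmd=$(build_ldapsearch "$1" "$pwfile" "$3") || { rm -f "$pwfile"; return 1; }
  echo "running: $cmd"
  eval "$cmd"; rc=$?
  rm -f "$pwfile"
  return "$rc"
}

if [ "$#" -eq 3 ]; then run_ldap_check "$1" "$2" "$3"; fi
```

If this search returns the test entry, the bind DN, its password, the base DN and the TLS trust are all correct; if the IdP still cannot authenticate users afterwards, the problem is in userFilter or the attribute resolver rather than in connectivity.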

Restart the Jetty process:

systemctl restart jetty.service

Check the status of the Identity Provider. Note: if the report is the same as last time, the configuration is fine:

bash /opt/shibboleth-idp/bin/status.sh

Configure the Identity Provider to release a persistent NameID

Shibboleth documentation: https://wiki.shibboleth.net/confluence/display/IDP4/PersistentNameIDGenerationConfiguration

The persistent NameID is a unique, permanent identifier of a user that the Identity Provider passes to the Service Provider.

Strategy A, "Computed mode" (recommended):

mv /opt/shibboleth-idp/conf/saml-nameid.properties /opt/shibboleth-idp/conf/saml-nameid.properties_default
wget https://docs.amres.ac.rs/download/shibboleth/saml-nameid.properties -O /opt/shibboleth-idp/conf/saml-nameid.properties
mv /opt/shibboleth-idp/conf/saml-nameid.xml /opt/shibboleth-idp/conf/saml-nameid_default.xml
wget https://docs.amres.ac.rs/download/shibboleth/saml-nameid.xml -O /opt/shibboleth-idp/conf/saml-nameid.xml
openssl rand -base64 36

Save/copy the output of the command, as it is used in the next step.

The output is a string of the form:

4Z4VL1gOzw*******************************

vim /opt/shibboleth-idp/credentials/secrets.properties

  • Uncomment the line:

idp.persistentId.salt = changethistosomethingrandom

Contents of the file before the change:
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

  • Replace changethistosomethingrandom with the string obtained as the output of the previously run command (openssl rand -base64 36). The file after the change:

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
idp.persistentId.salt = 4Z4VL1gOzw*******************************

Restart the Jetty process:

systemctl restart jetty.service

Check the status of the Identity Provider:

bash /opt/shibboleth-idp/bin/status.sh

Strategy B "Stored mode" (using a database to store the persistent NameID)

Install the required packages:

apt install default-mysql-server libmariadb-java --no-install-recommends
Start the database:

systemctl start mariadb.service

Start the process of establishing the MariaDB security policy (if it has not already been established):

mysql_secure_installation

Running this command enters an interactive mode in which the following questions must be answered:

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): pass123
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
 ... skipping.

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Create the shibpid table in the shibboleth database:

wget https://docs.amres.ac.rs/download/shibboleth/debian/shib-pid-db.sql -O /root/shib-pid-db.sql

Edit the ###SHIB-USERNAME-CHANGEME### and ###SHIB-DB-USER-PASSWORD-CHANGEME### parts of the configuration; this creates the user that will be used later.

Import the database:

mysql -u root < /root/shib-pid-db.sql
Restart the MariaDB service:

systemctl restart mariadb.service
Run the build script to add the required libraries:

cd /opt/shibboleth-idp
ln -s /usr/share/java/mariadb-java-client.jar edit-webapp/WEB-INF/lib
bin/build.sh
Enable the database connection by editing the following file:

vim /opt/shibboleth-idp/conf/global.xml
Add the following configuration block before the last tag:

In the ###SHIB-USERNAME-CHANGEME### and ###SHIB-DB-USER-PASSWORD-CHANGEME### parts, enter the credentials of the previously created user.

<!-- Bean to store persistent-id on 'shibboleth' database -->

<bean id="MyDataSource"
    class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close" lazy-init="true"
      p:driverClassName="org.mariadb.jdbc.Driver"
    p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
    p:username="###_SHIB-USERNAME-CHANGEME_###"
    p:password="###_SHIB-DB-USER-PASSWORD-CHANGEME_###"
    p:maxTotal="10"
    p:maxIdle="5"
    p:maxWaitMillis="15000"
    p:testOnBorrow="true"
    p:validationQuery="select 1"
    p:validationQueryTimeout="5" />

Enable the creation of persistent-id values by downloading the configuration file:

mv /opt/shibboleth-idp/conf/saml-nameid.properties /opt/shibboleth-idp/conf/saml-nameid.properties_default
wget https://docs.amres.ac.rs/download/shibboleth/debian/saml-nameid.properties -O /opt/shibboleth-idp/conf/saml-nameid.properties
mv /opt/shibboleth-idp/conf/saml-nameid.xml /opt/shibboleth-idp/conf/saml-nameid_default.xml
wget https://docs.amres.ac.rs/download/shibboleth/debian/saml-nameid.xml -O /opt/shibboleth-idp/conf/saml-nameid.xml
openssl rand -base64 36

The output of the command must be saved/copied, because it is used in the next step.

The output of the command is a string of characters in this format:

4Z4VL1gOzw*******************************

vim /opt/shibboleth-idp/credentials/secrets.properties
  • Uncomment the line:
idp.persistentId.salt = changethistosomethingrandom
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom
  • Replace the changethistosomethingrandom part with the string obtained as the output of the command run earlier (openssl rand -base64 36).
# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = pass********
idp.sealer.keyPassword = pass********

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
idp.persistentId.salt = 4Z4VL1gOzw*******************************
mv /opt/shibboleth-idp/conf/c14n/subject-c14n.xml /opt/shibboleth-idp/conf/c14n/subject-c14n.xml_default
wget https://docs.amres.ac.rs/download/shibboleth/debian/subject-c14n.xml -O /opt/shibboleth-idp/conf/c14n/subject-c14n.xml
mv /opt/shibboleth-idp/conf/c14n/subject-c14n.properties /opt/shibboleth-idp/conf/c14n/subject-c14n.properties_default
wget https://docs.amres.ac.rs/download/shibboleth/debian/subject-c14n.properties -O /opt/shibboleth-idp/conf/c14n/subject-c14n.properties

Restart the Jetty process:

systemctl restart jetty.service

Check the status of the Identity Provider:

bash /opt/shibboleth-idp/bin/status.sh
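The idp.persistentId.salt step appears in both Strategy A and Strategy B above. The following is an added helper script, not part of the AMRES guide or of the Shibboleth distribution, that writes a generated salt into secrets.properties and refuses to overwrite a salt that is already non-default, because changing the salt changes every persistent NameID already issued to Service Providers; it assumes GNU sed (Debian/Ubuntu) and takes the file path as its argument.

```shell
#!/bin/sh
# Added helper (not part of the AMRES guide or of Shibboleth): manage the
# idp.persistentId.salt property in secrets.properties.
set -eu

DEFAULT_SALT='changethistosomethingrandom'

# Generate a salt exactly as the guide does (36 random bytes, 48 base64 chars).
generate_salt() {
    openssl rand -base64 36
}

# Print the active (uncommented) salt value, or nothing if the property is
# absent or still commented out.
current_salt() {
    sed -n 's/^[[:space:]]*idp\.persistentId\.salt[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Succeed only when a non-default salt is configured; usable as a post-install check.
check_persistent_salt() {
    s=$(current_salt "$1")
    [ -n "$s" ] && [ "$s" != "$DEFAULT_SALT" ]
}

# set_persistent_salt FILE [SALT]
# Uncomments the property and writes SALT (generated if omitted).
# Returns 2 if FILE already carries a non-default salt: rotating the salt
# changes every persistent NameID already issued, so that is never done
# silently. Returns 3 if FILE has no idp.persistentId.salt line at all.
set_persistent_salt() {
    file=$1
    salt=${2:-$(generate_salt)}
    if check_persistent_salt "$file"; then
        echo "refusing: $file already has a non-default salt" >&2
        return 2
    fi
    if ! grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*idp\.persistentId\.salt[[:space:]]*=' "$file"; then
        echo "no idp.persistentId.salt line found in $file" >&2
        return 3
    fi
    # '|' is the sed delimiter: base64 contains '/', '+' and '=' but never '|'.
    # sed -i without a suffix is GNU sed syntax, as shipped on Debian/Ubuntu.
    sed -i "s|^[[:space:]]*#\{0,1\}[[:space:]]*idp\.persistentId\.salt[[:space:]]*=.*|idp.persistentId.salt = $salt|" "$file"
    check_persistent_salt "$file"
}

# Command-line use: ./set_persistent_salt.sh /opt/shibboleth-idp/credentials/secrets.properties
[ "$#" -eq 0 ] || set_persistent_salt "$@"
```

Run it once with the secrets.properties path shown above and then restart Jetty; check_persistent_salt alone confirms that the installer default is gone.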

Configuring the attribute-resolver.xml file

Download the attribute-resolver.xml file

mv /opt/shibboleth-idp/conf/attribute-resolver.xml /opt/shibboleth-idp/conf/attribute-resolver_default.xml

If you chose Strategy A "Computed mode" (recommended) for the persistent NameID, download the following file:

wget https://docs.amres.ac.rs/download/shibboleth/attribute-resolver.xml -O /opt/shibboleth-idp/conf/attribute-resolver.xml

If you chose Strategy B "Stored mode" for the persistent NameID, download the following file:

wget https://docs.amres.ac.rs/download/shibboleth/debian/attribute-resolver.xml -O /opt/shibboleth-idp/conf/attribute-resolver.xml

The following must be changed in the file:

vim /opt/shibboleth-idp/conf/attribute-resolver.xml

Replace the Naziv Vaše institucije part with the name of your institution.

        <Attribute id="o">
            <Value>Naziv Vaše institucije</Value>
        </Attribute>

If you want to take part in the Erasmus+ project and have the HEI role, you need to add the configuration for the ESI attribute.

Change the owner of the file:

chown jetty /opt/shibboleth-idp/conf/attribute-resolver.xml

Restart the Jetty process:

systemctl restart jetty.service

Check the status of the Identity Provider:

bash /opt/shibboleth-idp/bin/status.sh

Configure the Shibboleth Identity Provider to release eduPersonTargetedID

A permanent user identifier exchanged between the Service Provider and the Identity Provider (Shibboleth IdP). It is never reassigned and contains no information about the user. The Identity Provider places the persistentId value in the eduPersonTargetedID attribute when communicating with a given Service Provider, if that Service Provider requests it.

This part is already configured in the attribute-resolver.xml file that you downloaded and edited in the previous steps.

Additionally, the eduPersonTargetedID.properties file must be downloaded.

wget https://docs.amres.ac.rs/download/shibboleth/eduPersonTargetedID.properties -O /opt/shibboleth-idp/conf/attributes/custom/eduPersonTargetedID.properties ; chown jetty:root /opt/shibboleth-idp/conf/attributes/custom/eduPersonTargetedID.properties

Restart the Jetty process:

systemctl restart jetty.service

Check the status of the Identity Provider:

bash /opt/shibboleth-idp/bin/status.sh

Add additional schemas for defining attributes

rm /opt/shibboleth-idp/conf/attributes/eduPerson.xml ; wget https://docs.amres.ac.rs/download/shibboleth/eduPerson.xml -O /opt/shibboleth-idp/conf/attributes/eduPerson.xml
chown jetty:root /opt/shibboleth-idp/conf/attributes/eduPerson.xml
rm /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml ; wget https://docs.amres.ac.rs/download/shibboleth/inetOrgPerson.xml -O /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml
chown jetty:root /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml
rm /opt/shibboleth-idp/conf/attributes/samlSubject.xml ; wget https://docs.amres.ac.rs/download/shibboleth/samlSubject.xml -O /opt/shibboleth-idp/conf/attributes/samlSubject.xml
chown jetty:root /opt/shibboleth-idp/conf/attributes/samlSubject.xml

Download the rsEdu.xml and schac.xml schemas to the location /opt/shibboleth-idp/conf/attributes/

wget https://docs.amres.ac.rs/download/shibboleth/rsEdu.xml -O /opt/shibboleth-idp/conf/attributes/rsEdu.xml ; chown jetty:root /opt/shibboleth-idp/conf/attributes/rsEdu.xml
wget https://docs.amres.ac.rs/download/shibboleth/schac.xml -O /opt/shibboleth-idp/conf/attributes/schac.xml ; chown jetty:root /opt/shibboleth-idp/conf/attributes/schac.xml

Download the default-rules.xml file:

mv /opt/shibboleth-idp/conf/attributes/default-rules.xml /opt/shibboleth-idp/conf/attributes/default-rules_default.xml
wget https://docs.amres.ac.rs/download/shibboleth/default-rules.xml -O /opt/shibboleth-idp/conf/attributes/default-rules.xml

Configuring Shibboleth IdP logs

Configuration of logs related to LDAP authentication errors:

mv /opt/shibboleth-idp/conf/logback.xml /opt/shibboleth-idp/conf/logback_default.xml
wget https://docs.amres.ac.rs/download/shibboleth/logback.xml -O /opt/shibboleth-idp/conf/logback.xml

Configuring the interface

Download the user interface to the location /opt/shibboleth-idp/:

wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/edit-webapp.tar.gz -O /opt/shibboleth-idp/edit-webapp.tar.gz ; rm -Ir /opt/shibboleth-idp/edit-webapp
tar -xzf /opt/shibboleth-idp/edit-webapp.tar.gz && rm -f /opt/shibboleth-idp/edit-webapp.tar.gz

Place your institution's logo in the directory: /opt/shibboleth-idp/edit-webapp/images

  • You can add 2 logo files, one in Serbian and one in English, and name them accordingly, e.g. institucija_logo_sr.jpg and institucija_logo_en.jpg
  • Dimensions: width up to 200px.
  • The logo file path must be entered in later steps into the files messages_sr.properties and messages_en.properties

The translation of the interface and system messages is downloaded into the directory /opt/shibboleth-idp/messages

wget https://docs.amres.ac.rs/download/shibboleth/messages_sr.properties -O /opt/shibboleth-idp/messages/messages_sr.properties

Change the parameters:

  • idp.title=Institucija Web SSO
  • idp.logo=/images/institucija_logo_sr.jpg
  • idp.userprefs.title=Institucija Web SSO
wget https://docs.amres.ac.rs/download/shibboleth/messages_en.properties -O /opt/shibboleth-idp/messages/messages_en.properties

Change the parameter:

  • idp.logo=/images/institucija_logo_en.jpg

In the file /opt/shibboleth-idp/messages/messages.properties change the parameters:

  • idp.css = /css/amres.css
  • idp.logo=/images/institucija_logo_sr.jpg

The following shows the position and approximate dimensions of the logo image; the AMRES logo is shown as an example.

Illustration of the IdP logo image

Rename the existing files and download the new user-prefs.vm, logout-propagate.vm, logout-complete.vm, error.vm, login.vm and logout.vm files

mv /opt/shibboleth-idp/views/user-prefs.vm /opt/shibboleth-idp/views/user-prefs_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/user-prefs.vm -O /opt/shibboleth-idp/views/user-prefs.vm
mv /opt/shibboleth-idp/views/logout-propagate.vm /opt/shibboleth-idp/views/logout-propagate_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/logout-propagate.vm -O /opt/shibboleth-idp/views/logout-propagate.vm
mv /opt/shibboleth-idp/views/logout-complete.vm /opt/shibboleth-idp/views/logout-complete_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/logout-complete.vm -O /opt/shibboleth-idp/views/logout-complete.vm
mv /opt/shibboleth-idp/views/error.vm /opt/shibboleth-idp/views/error_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/error.vm -O /opt/shibboleth-idp/views/error.vm
mv /opt/shibboleth-idp/views/login.vm /opt/shibboleth-idp/views/login_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/login.vm -O /opt/shibboleth-idp/views/login.vm

mv /opt/shibboleth-idp/views/logout.vm /opt/shibboleth-idp/views/logout_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/logout.vm -O /opt/shibboleth-idp/views/logout.vm
mv /opt/shibboleth-idp/views/login-error.vm /opt/shibboleth-idp/views/login-error_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/login-error.vm -O /opt/shibboleth-idp/views/login-error.vm

mv /opt/shibboleth-idp/views/admin/hello.vm /opt/shibboleth-idp/views/admin/hello_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/hello.vm -O /opt/shibboleth-idp/views/admin/hello.vm
mv /opt/shibboleth-idp/views/client-storage/client-storage-read.vm /opt/shibboleth-idp/views/client-storage/client-storage-read_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/client-storage-read.vm -O /opt/shibboleth-idp/views/client-storage/client-storage-read.vm
mv /opt/shibboleth-idp/views/client-storage/client-storage-write.vm /opt/shibboleth-idp/views/client-storage/client-storage-write_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/client-storage-write.vm -O /opt/shibboleth-idp/views/client-storage/client-storage-write.vm

Restart the Jetty service:

systemctl restart jetty.service

Running the build script

cd /opt/shibboleth-idp/bin ; ./build.sh

Output of running the script

Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ? Press ENTER

INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/services.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/ldap.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/admin/admin.properties
Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.3.1
Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 5 seconds

Restart the Jetty service:

systemctl restart jetty.service

Edit the idp-metadata.xml file

Before making any changes to this file, it is safest to make a copy of it.

This file is very important and unique. For that reason all required changes must be made very carefully, and if needed it is convenient to be able to return to the initial state.

cp /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idp-metadata_default.xml

The domain (e.g. idp.institucija.ac.rs) in this file does not need to be changed; it is already set based on the definitions from the previous files.

vim /opt/shibboleth-idp/metadata/idp-metadata.xml

Delete the following comment completely:

<!--
     This is example metadata only. Do *NOT* supply it as is without review,
     and do *NOT* provide it in real time to your partners.

     This metadata is not dynamic - it will not change as your configuration changes.
-->

Delete the validUntil="2022-01-30T18:18:24.695Z" part in the following block. Note: a different date and time will be generated in your case:

<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" validUntil="2022-02-07T21:13:49.962Z" entityID="https://idp.institucija.amres.ac.rs/idp/shibboleth">
<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" entityID="https://idp.institucija.amres.ac.rs/idp/shibboleth">

Delete the part:

<!--
    Fill in the details for your IdP here

            <mdui:UIInfo>
                <mdui:DisplayName xml:lang="en">A Name for the IdP at idp.institucija.amres.ac.rs</mdui:DisplayName>
                <mdui:Description xml:lang="en">Enter a description of your IdP at idp.institucija.amres.ac.rs</mdui:Description>
                <mdui:Logo height="80" width="80">https://idp.institucija.ac.rs/Path/To/Logo.png</mdui:Logo>
            </mdui:UIInfo>
-->

In place of that part add the following block, with the following changes:

Change the following data:

  • Naziv institucije: Enter the full name of the institution.
  • Name of the Institution: Enter the full name of the institution in English.
  • IDP za zaposlene u instituciji: The purpose of the IdP in Serbian, e.g. IDP za zaposlene u instituciji (IdP for staff of the institution).
  • IDP for staff in the Institution: The purpose of the IdP in English, e.g. IDP for staff in the Institution.
  • https://amres.ac.rs/dokumenti/amres_idp.png: Logo image available at the given link, 50px wide and 50px high.
<!-- UIInfo -->
           <mdui:UIInfo>
               <mdui:DisplayName xml:lang="sr">Naziv institucije</mdui:DisplayName>
               <mdui:DisplayName xml:lang="en">Name of the Institution</mdui:DisplayName>
               <mdui:Description xml:lang="sr">IDP za zaposlene u instituciji</mdui:Description>
               <mdui:Description xml:lang="en">IDP for staff in the Institution</mdui:Description>
               <mdui:Logo height="50" width="50">https://amres.ac.rs/dokumenti/amres_idp.png</mdui:Logo>
           </mdui:UIInfo>

The following shows the position and approximate dimensions of the logo image; the AMRES logo is given as an example. This logo image is displayed when your institution (Identity Provider) is selected during authentication to the desired service.

Illustration of the IdP logo image, which is provided via a link

Delete the part:

        <!--<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.hosted.amres.ac.rs:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
-->

Next step:

In the following block delete the string :8443 and change the index from 2 to 1:

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>

Next step:

Remove the comment markers around the SingleLogoutService part:

<!--
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>
-->
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>

Next step:

In the following block delete the string :8443

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/SLO"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/SLO"/>

Next step:

Delete the part:

        <!--<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.institucija.ac.rs/idp/profile/Shibboleth/SSO"/>
-->

Next step:

Add the following 2 lines between the last SingleLogoutService Binding and the first SingleSignOnService Binding sections:

        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        ...
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>

        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" req-attr:supportsRequestedAttributes="true" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SSO"/>
        ...

Next step:

Delete the opening comment marker in the part:

<!--    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

Next step:

In the following part, change the SAML version from 1.1 to 2.0:

    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

Next step:

Delete the two comment markers at the beginning and end of the line (the end of the previous comment and the beginning of the next one) in the following line:

        --> <!-- First signing certificate is BackChannel, the Second is FrontChannel-->  <!--

Note: leave the comment in the middle:

         <!-- First signing certificate is BackChannel, the Second is FrontChannel-->

Next step:

Delete all comment markers in the part:

        --> <!--<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>-->  <!--
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>

Next step:

In the following part delete the string :8443

        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/AttributeQuery"/>

Delete the following parts completely:

        --> <!-- If you uncomment the above you should add urn:oasis:names:tc:SAML:2.0:protocol to the protocolSupportEnumeration above-->  <!--
        --> <!--<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.institucija.ac.rs:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>-->  <!--

Next step:

Delete the closing comment marker:

    </AttributeAuthorityDescriptor>-->
    </AttributeAuthorityDescriptor>

Below the line </AttributeAuthorityDescriptor> and above the line </EntityDescriptor> add the following section:

Change the following data:

  • Naziv institucije: Full name of your institution
  • Name of the Institution: Full name of your institution in English
  • Naziv (akronim) institucije: Acronym of your institution
  • Short name of the Institution: Acronym of your institution in English
  • https://institucija.ac.rs/: Link to the Serbian-language version of the institution's website
  • https://institucija.ac.rs/en: Link to the English-language version of the institution's website
  • Ime: First name of the contact person
  • Prezime: Last name of the contact person
  • primer@institucija.ac.rs: E-mail address of the contact person

 <Organization>
  <OrganizationName xml:lang="sr">Naziv institucije</OrganizationName>
  <OrganizationName xml:lang="en">Name of the Institution</OrganizationName>
  <OrganizationDisplayName xml:lang="sr">Naziv (akronim) institucije</OrganizationDisplayName>
  <OrganizationDisplayName xml:lang="en">Short name of the Institution</OrganizationDisplayName>

  <OrganizationURL xml:lang="sr">https://institucija.ac.rs/</OrganizationURL>
  <OrganizationURL xml:lang="en">https://institucija.ac.rs/en</OrganizationURL>
 </Organization>
 <ContactPerson contactType="technical">
  <GivenName>Ime</GivenName>
  <SurName>Prezime</SurName>
  <EmailAddress>primer@institucija.ac.rs</EmailAddress>
 </ContactPerson>

The idp-metadata.xml file after all the listed changes:

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr" entityID="https://idp.institucija.amres.ac.rs/idp/shibboleth">

    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">institucija.ac.rs</shibmd:Scope>

            <mdui:UIInfo>
                <mdui:DisplayName xml:lang="sr">Institucije Republike Srbije</mdui:DisplayName>
                <mdui:DisplayName xml:lang="en">Institutions of the Republic of Serbia</mdui:DisplayName>
                <mdui:Description xml:lang="sr">IDP za zaposlene u Institucijama Republike Srbije</mdui:Description>
                <mdui:Description xml:lang="en">IDP for staff in the Institutions of the Republic of Serbia </mdui:Description>
                <mdui:Logo height="200" width="200">https://e7.pngegg.com/pngimages/34/35/png-clipart-flag-of-serbia-flags-of-the-world-flag-of-serbia-flag-logo.png</mdui:Logo>
            </mdui:UIInfo>


        </Extensions>

        <!-- First signing certificate is BackChannel, the Second is FrontChannel-->
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>

    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>

    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SLO"/>

    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>

    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" req-attr:supportsRequestedAttributes="true" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" req-attr:supportsRequestedAttributes="true" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SSO"/>
     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" req-attr:supportsRequestedAttributes="true" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SSO"/>

    </IDPSSODescriptor>


    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <Extensions>
            <shibmd:Scope regexp="false">institucija.ac.rs</shibmd:Scope>
        </Extensions>

         <!-- First signing certificate is BackChannel, the Second is FrontChannel-->  
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
...
                        </ds:X509Certificate>
                    </ds:X509Data>
            </ds:KeyInfo>

        </KeyDescriptor>

        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/AttributeQuery"/>  

    </AttributeAuthorityDescriptor>

 <Organization>
  <OrganizationName xml:lang="sr">Naziv institucije</OrganizationName>
  <OrganizationName xml:lang="en">Name of the Institution</OrganizationName>
  <OrganizationDisplayName xml:lang="sr">Naziv (akronim) institucije</OrganizationDisplayName>
  <OrganizationDisplayName xml:lang="en">Short name of the Institution</OrganizationDisplayName>

  <OrganizationURL xml:lang="sr">https://institucija.ac.rs/</OrganizationURL>
  <OrganizationURL xml:lang="en">https://institucija.ac.rs/en</OrganizationURL>
 </Organization>
 <ContactPerson contactType="technical">
  <GivenName>Ime</GivenName>
  <SurName>Prezime</SurName>
  <EmailAddress>primer@institucija.ac.rs</EmailAddress>
 </ContactPerson>

</EntityDescriptor>

After these changes, the metadata of your Identity Provider is available at https://institucija.ac.rs/idp/shibboleth

Configuring cookies and other data

Download the updateIDPsecrets.sh script to /opt/shibboleth-idp/bin/:

wget https://docs.amres.ac.rs/download/shibboleth/updateIDPsecrets.sh -O /opt/shibboleth-idp/bin/updateIDPsecrets.sh

Give the script execute permission:

chmod +x /opt/shibboleth-idp/bin/updateIDPsecrets.sh

Download the CRON script (/etc/cron.daily/updateIDPsecrets) that will run it:

wget https://docs.amres.ac.rs/download/shibboleth/updateIDPsecrets -O /etc/cron.daily/updateIDPsecrets

Give that script execute permission as well:

chmod +x /etc/cron.daily/updateIDPsecrets

Check that the script will be run every day (daily):

run-parts --test /etc/cron.daily
Check output:
/etc/cron.daily/apache2
/etc/cron.daily/apt-compat
/etc/cron.daily/dpkg
/etc/cron.daily/logrotate
/etc/cron.daily/man-db
/etc/cron.daily/ntp
/etc/cron.daily/updateIDPsecrets

Configure the IdP to use the appropriate Attribute Filter Policy document

Create the tmp/httpClientCache directory:

mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown jetty /opt/shibboleth-idp/tmp/httpClientCache

Download the services.xml file:

mv /opt/shibboleth-idp/conf/services.xml /opt/shibboleth-idp/conf/services_default.xml
wget https://docs.amres.ac.rs/download/shibboleth/services.xml -O /opt/shibboleth-idp/conf/services.xml

Restart the Jetty service:

systemctl restart jetty.service

Check the status of the Identity Provider:

bash /opt/shibboleth-idp/bin/status.sh

Joining the iAMRES Federation

Joining the iAMRES Federation means exchanging metadata between the configured Identity Provider and the existing Service Providers. In the following steps you download the metadata of the iAMRES Federation Service Providers.

Download the certificate used to sign the metadata to /opt/shibboleth-idp/metadata/:

wget https://docs.amres.ac.rs/download/shibboleth/md.iamres.ac.rs.crt -O /opt/shibboleth-idp/metadata/md.iamres.ac.rs.crt

Download the script that fetches the metadata of the iAMRES Federation SP entities (metadata.sh) to /opt/shibboleth-idp/metadata/:

wget https://docs.amres.ac.rs/download/shibboleth/metadata.sh -O /opt/shibboleth-idp/metadata/metadata.sh

Give the script execute permission:

chmod +x /opt/shibboleth-idp/metadata/metadata.sh

Run the script:

cd /opt/shibboleth-idp/metadata/
./metadata.sh

Running the script creates the file iamres_federacija_metadata.xml

  • This file is the aggregate of the metadata of the iAMRES Federation Service Providers.

Download the metadata-providers.xml file to /opt/shibboleth-idp/conf/:

wget https://docs.amres.ac.rs/download/shibboleth/metadata-providers.xml -O /opt/shibboleth-idp/conf/metadata-providers.xml

Overview of the metadata-providers.xml file with an explanation of its contents:

  • The part of the file shown below lists the iAMRES Federation Service Providers whose metadata was fetched with the script (./metadata.sh) and is read from the file mentioned above (iamres_federacija_metadata.xml). This metadata is signed with the md.iamres.ac.rs.crt certificate: the SignatureValidation filter rejects metadata that is not signed with it, and the RequiredValidUntil filter rejects metadata whose validUntil is missing or lies more than 10 days in the future.
<MetadataProvider
    id="iAMRES"
    xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/iamres_federacija_metadata.xml">

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="${idp.home}/metadata/md.iamres.ac.rs.crt"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://testsp3.amres.ac.rs/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://ucionica.amres.ac.rs/auth/saml2/sp/metadata.php</Entity>
        <Entity>https://proxy.iamres.amres.ac.rs/simplesaml/module.php/saml/sp/metadata.php/amres.ac.rs</Entity>
    </MetadataFilter>
</MetadataProvider>

<MetadataProvider
    id="eduGAIN"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/eduGAIN-metadata.xml"
    metadataURL="http://md.iamres.ac.rs/iamres_metadata/iamres-interfederation-sp-metadata.xml">

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="${idp.home}/metadata/md.iamres.ac.rs.crt"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <!--        <Entity>https://ucionica.amres.ac.rs/auth/saml2/sp/metadata.php</Entity>-->
    </MetadataFilter>
</MetadataProvider>
  • The part of the file shown below lists the Service Providers whose metadata is added manually, as separate files in the directory /opt/shibboleth-idp/metadata/sourceDirectory/:
<MetadataProvider
    id="iAMRESlocalDynamic"
    xsi:type="LocalDynamicMetadataProvider"
    sourceDirectory="%{idp.home}/metadata/sourceDirectory">

    <MetadataFilter xsi:type="Algorithm">
        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://filesender-test.amres.ac.rs/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</Entity>
    </MetadataFilter>
</MetadataProvider>
  • If you need to add a Service Provider manually in the directory /opt/shibboleth-idp/metadata/sourceDirectory/, create one XML file per Service Provider. The file name is the SHA-1 hash of the Service Provider's entityID value with the extension ".xml" appended, and is obtained as follows:

  • Example of generating the file name from the command line using OpenSSL and the entityID value urn:test:foobar:

$ echo -n "urn:test:foobar" | openssl sha1
d278c9975472a6b4827b1a8723192b4e99aa969c
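The same naming rule as a small POSIX shell helper, added here as an example (it is not part of the AMRES guide or of the Shibboleth distribution): it derives the file name from an entityID, checks that the metadata file actually carries that entityID before copying it into sourceDirectory, and gives the file to the jetty user, which is the owner of sourceDirectory in the directory listing later on this page. The function names and the `urn:test:foobar` sanity check are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the AMRES guide): name an SP metadata file the way
# LocalDynamicMetadataProvider expects it, i.e. <sourceDirectory>/<SHA-1 of entityID>.xml.

# Print the lowercase hex SHA-1 of the entityID. sha1sum is tried first;
# openssl is the fallback (its output carries a "(stdin)= " prefix that is stripped).
entity_id_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl sha1 | sed 's/^.*= *//'
    fi
}

# Full file name the provider will look for.
entity_metadata_filename() {
    printf '%s.xml\n' "$(entity_id_sha1 "$1")"
}

# Copy an SP's metadata into sourceDirectory under the correct name.
# $1 = entityID, $2 = path to the SP metadata XML,
# $3 = sourceDirectory (defaults to the IdP's metadata/sourceDirectory)
install_sp_metadata() {
    entity_id=$1
    src=$2
    dir=${3:-/opt/shibboleth-idp/metadata/sourceDirectory}
    target="$dir/$(entity_metadata_filename "$entity_id")"
    # The provider resolves an entityID by opening the file with that name,
    # so a file whose descriptor carries a different entityID is never used.
    # Refuse such a mismatch instead of silently installing it.
    if ! grep -qF "entityID=\"$entity_id\"" "$src"; then
        echo "entityID $entity_id not found in $src" >&2
        return 1
    fi
    mkdir -p "$dir"
    cp "$src" "$target"
    # jetty owns sourceDirectory on the IdP host; ignore the failure elsewhere.
    chown jetty:jetty "$target" 2>/dev/null || true
    printf '%s\n' "$target"
}

# Stand-alone run: reproduces the openssl example above.
entity_metadata_filename "urn:test:foobar"
```

Usage on the IdP host would be `install_sp_metadata "https://sp.example.org/shibboleth" /tmp/sp-metadata.xml`, followed by the usual check of idp-process.log that the entity now resolves.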
After downloading the files and running the script, the contents of /opt/shibboleth-idp/metadata/ are as follows:
[root@idp metadata]# ll
-rw-rw-r-- 1 jetty jetty 25921531 Aug  4 14:22 eduGAIN-metadata.xml
-rw-r--r-- 1 root  root    263457 Aug  4 13:55 iamres_federacija_metadata.xml
-rw-r--r-- 1 root  root     15043 Feb  7 23:16 idp-metadata_default.xml
-rw-r--r-- 1 root  root     15081 Jul 21 10:56 idp-metadata.xml
-rw-r--r-- 1 root  root      1980 Feb  8 10:27 md.iamres.ac.rs.crt
-rwxr-xr-x 1 root  root       192 Feb  8 10:27 metadata.sh
drwxrwxr-x 2 jetty jetty        6 Feb  9 11:38 sourceDirectory

Once the configuration is done and the metadata has been downloaded, register the metadata of your Identity Provider with the iAMRES Federation by sending an e-mail with the link https://institucija.ac.rs/idp/shibboleth to helpdesk@amres.ac.rs.

Crontab:

Configure the metadata.sh script to run every hour on the hour (at minute 00), every day:

crontab -e
0 * * * * /opt/shibboleth-idp/metadata/metadata.sh

Terms of use and consent to attribute release

Enable the Consent module (the module for giving consent):

cd /opt/shibboleth-idp/
bin/module.sh -t idp.intercept.Consent || bin/module.sh -e idp.intercept.Consent
Command output
Enabling idp.intercept.Consent...
        conf/intercept/consent-intercept-config.xml created
        views/intercept/attribute-release.vm created
        views/intercept/terms-of-use.vm created
[OK]

Activate the Consent module by downloading the file /opt/shibboleth-idp/conf/relying-party.xml:

mv /opt/shibboleth-idp/conf/relying-party.xml /opt/shibboleth-idp/conf/relying-party_default.xml
wget https://docs.amres.ac.rs/download/shibboleth/relying-party.xml -O /opt/shibboleth-idp/conf/relying-party.xml

Download the file /opt/shibboleth-idp/views/intercept/attribute-release.vm:

mv /opt/shibboleth-idp/views/intercept/attribute-release.vm /opt/shibboleth-idp/views/intercept/attribute-release_default.vm
wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/attribute-release.vm -O /opt/shibboleth-idp/views/intercept/attribute-release.vm

Download the file /opt/shibboleth-idp/views/intercept/terms-of-use.vm:

mv /opt/shibboleth-idp/views/intercept/terms-of-use.vm /opt/shibboleth-idp/views/intercept/terms-of-use_default.vm
wget https://docs.amres.ac.rs/download/shibboleth/4.3.1/terms-of-use.vm -O /opt/shibboleth-idp/views/intercept/terms-of-use.vm

Running the build script

cd /opt/shibboleth-idp/bin ; ./build.sh

Script output

The script prompts once, for the installation directory; press Enter to accept the default.

[root@idp messages]# cd /opt/shibboleth-idp/bin ; ./build.sh
Buildfile: /opt/shibboleth-idp/bin/build.xml

build-war:
Installation Directory: [/opt/shibboleth-idp] ? (press Enter)

INFO [net.shibboleth.idp.installer.BuildWar:103] - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.3.1
INFO [net.shibboleth.idp.installer.BuildWar:113] - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:92] - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO [net.shibboleth.idp.installer.BuildWar:125] - Creating war file /opt/shibboleth-idp/war/idp.war

BUILD SUCCESSFUL
Total time: 7 seconds

Restart the Jetty service:

systemctl restart jetty.service

Testing attribute release from the command line

This command can be used after joining the iAMRES Federation to test attribute release to the Test service.

bash /opt/shibboleth-idp/bin/aacli.sh -n <UID> -r https://testsp.amres.ac.rs/shibboleth --saml2

Note: Instead of <UID> enter the appropriate username from the database. Instead of the entityID value of the Test service you can enter the entityID of the service whose connection you are testing.

Overview of useful logs

Jetty logs:

cd /opt/jetty/logs
ls -l *.stderrout.log

Shibboleth IdP logs:

cd /opt/shibboleth-idp/logs

Audit Log:

vim idp-audit.log

Consent Log:

vim idp-consent-audit.log

Warn Log:

tail -f idp-warn.log

Process Log:

tail -f idp-process.log
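Reading idp-audit.log by hand quickly gets tedious, so here is an added example (not from the AMRES guide or the Shibboleth project) that summarises it per relying party: how many SSO events each SP received and which attributes were released to it. That is the same question the aacli.sh test above answers for one SP, but for everything the IdP has actually done. The log lines embedded in the block are constructed, and the field positions (relyingParty in field 4, principal in field 9, released attributes in field 11) are an assumption based on the IdP's default pipe-delimited audit layout; confirm the real order in /opt/shibboleth-idp/conf/audit.xml before pointing it at a live log.

```shell
#!/bin/sh
# Added example (not part of the AMRES guide): per-SP summary of idp-audit.log.
#
# ASSUMPTION: default pipe-delimited audit layout,
#   time|reqBinding|reqId|relyingParty|profile|idp|respBinding|respId|principal|authnCtx|attributes|...
# so relyingParty = $4, principal = $9, attributes = $11. Verify in conf/audit.xml.

# Constructed sample lines (not real log data).
SAMPLE_AUDIT=$(cat <<'EOF'
20240804T121501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a1|https://testsp.amres.ac.rs/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.institucija.ac.rs/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r1|pera|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonPrincipalName,mail|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_n1
20240804T121733Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a2|https://ucionica.amres.ac.rs/auth/saml2/sp/metadata.php|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.institucija.ac.rs/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r2|mika|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|displayName,eduPersonPrincipalName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_n2
20240804T130005Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_a3|https://testsp.amres.ac.rs/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.institucija.ac.rs/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_r3|mika|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,eduPersonPrincipalName|urn:oasis:names:tc:SAML:2.0:nameid-format:transient|_n3
EOF
)

# Audit lines on stdin -> "count relyingParty", most used first.
logins_per_sp() {
    awk -F'|' '$4 != "" { c[$4]++ } END { for (sp in c) print c[sp], sp }' | sort -rn
}

# Audit lines on stdin -> "relyingParty attribute" pairs, deduplicated and sorted.
# An SP receiving an attribute you did not expect shows up here as one extra line.
attributes_per_sp() {
    awk -F'|' '$11 != "" { n = split($11, a, ","); for (i = 1; i <= n; i++) print $4, a[i] }' | sort -u
}

# Feed either a log file ($1) or the embedded sample to stdout.
audit_source() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_AUDIT"; fi
}

# Attributes released to one SP as a single sorted, space-separated line.
# $1 = entityID of the SP, $2 = audit log path (optional; sample if omitted)
attrs_for_sp() {
    audit_source "${2:-}" | attributes_per_sp |
        awk -v sp="$1" '$1 == sp { line = line (line == "" ? "" : " ") $2 } END { print line }'
}

# Number of SSO events for one SP (same arguments as attrs_for_sp); 0 if none.
logins_for_sp() {
    audit_source "${2:-}" | logins_per_sp |
        awk -v sp="$1" '$2 == sp { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run against the sample: full overview of both tables.
audit_source | logins_per_sp
audit_source | attributes_per_sp
```

On the IdP host, `audit_source /opt/shibboleth-idp/logs/idp-audit.log | attributes_per_sp` gives the release overview for the live log; comparing it against what the attribute filter policy is meant to allow is a cheap periodic check that consent and filtering still behave as configured.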