Instalacija Davaoca Identiteta (Shibboleth IdP 5.1.2) - Debian/Ubuntu

Priprema pred instalaciju¶

Hardverski zahtevi¶

Hardverski zahtevi:

CPU: 2 Core (64 bit)
RAM: 4 GB
HDD: 20 GB
OS: Debian 12 / Ubuntu 22.04

Softver koji će biti instaliran¶

Softver koji će biti instaliran:

ca-certificates
Shibboleth Identity Provider (<= 5.0.0)
OpenSSL (<= 3.0.2)
Jetty 11+ Servlet Container (implementing Servlet API 5.0 or above)
Amazon Corretto JDK 17
Apache Web Server (>= 2.4)

Podesiti IP TABLES¶

Ažurirati instalirane pakete:

apt update && apt-get upgrade -y --no-install-recommends

Najpre je potrebno instalirati iptables softverski paket i izvršiti početna podešavanja ukoliko već niste.

apt-get remove --auto-remove nftables

apt-get purge nftables

apt-get install iptables

apt-get install iptables-persistent

Otvoriti portove 80 (HTTP) i 443 (HTTPS)

To se može uraditi na sledeći način:

nano /etc/iptables/rules.v4

Otvoriti port 80 i 443 dodavanjem sledećih linija u fajl:

-A INPUT -s xxx.xxx.xxx.xxx/255.255.255.xxx -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/255.255.255.xxx -p tcp -m tcp --dport 443 -j ACCEPT

Napomena: Navedene linije je potrebno uneti bavezno iznad linije: -A INPUT -j REJECT --reject-with icmp-host-prohibited

Sačuvati izmene:

iptables-restore < /etc/iptables/rules.v4

systemctl restart iptables

iptables -L

Podesiti hosta¶

U okviru čitavog uputstva smatraće se da je domen VM idp.institucija.ac.rs, tako da na svim mestima umesto ovog naziva domena potrebno je da unesete naziv po vašem izboru.

Veoma je važno da FQDN (Full Qualified Domain Name) i pun hostname (# hostname -f) ove VM, npr. idp.institucija.ac.rs, koji se podešava u okviru ove sekcije bude isti kao i domen koji je adekvatno podešen na DNS serveru, a taj domen će se takođe kasnije koristiti za kreiranje sertifikata.

Podešavanje host podataka

Dat je primer postavljanja idp.institucija.ac.rs kao FQDN podatka, koji je potrebno zameniti FQDN podatkom Vašeg Davaoca Identiteta, kao i postavljanja HOSTNAME podatka: idp, koji je potrebno zameniti hostname podatkom Vašeg Davaoca Identiteta.

nano /etc/hosts

Na kraju fajla se unosi linija u formi: IP ADRESA FQDN HOSTNAME Npr:

1xx.xxx.xxx.xxx idp.institucija.ac.rs idp

Postaviti hostname

Koristi se komanda sledeće forme: hostnamectl set-hostname HOSTNAME

hostnamectl set-hostname idp

Konfiguracija okruženja¶

Postaviti varijablu JAVA_HOME:

echo 'JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto' > /etc/environment

source /etc/environment

export JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto

echo $JAVA_HOME

Instalacija neophodnih softverskih paketa¶

apt install fail2ban vim wget gnupg ca-certificates openssl ntp --no-install-recommends

Instalirati Apache web server¶

apt install apache2

Instalirati Amazon Corretto JDK¶

Preuzeti javni ključ B04F24E3.pub u /tmp direktorijum kako bi se verifikovao potpisan fajl sa AMAZON-a (https://docs.aws.amazon.com/corretto/latest/corretto-17-ug/downloads-list.html#signature)

wget https://corretto.aws/downloads/resources/17.0.12.7.1/B04F24E3.pub -o /tmp/B04F24E3.pub

Konvertovanje javnog ključa u "amazon-corretto.gpg":

gpg --no-default-keyring --keyring /tmp/temp-keyring.gpg --import /tmp/B04F24E3.pub

gpg --no-default-keyring --keyring /tmp/temp-keyring.gpg --export --output /etc/apt/keyrings/amazon-corretto.gpg

rm /tmp/temp-keyring.gpg /tmp/B04F24E3.pub /tmp/temp-keyring.gpg~

Kreiranje APT source liste neophodne za Amazon Corretto:

echo "deb [signed-by=/etc/apt/keyrings/amazon-corretto.gpg] https://apt.corretto.aws stable main" >> /etc/apt/sources.list.d/amazon-corretto.list

echo "#deb-src [signed-by=/etc/apt/keyrings/amazon-corretto.gpg] https://apt.corretto.aws stable main" >> /etc/apt/sources.list.d/amazon-corretto.list

Instalirati Amazon Corretto:

apt update ; apt install -y java-17-amazon-corretto-jdk

Provera verzije instaliranog Java paketa:

java -version

openjdk 17.0.11 2024-04-16 LTS
OpenJDK Runtime Environment Corretto-17.0.11.9.1 (build 17.0.11+9-LTS)
OpenJDK 64-Bit Server VM Corretto-17.0.11.9.1 (build 17.0.11+9-LTS, mixed mode, sharing)

Instalirati Jetty Servlet Container¶

Preuzeti Jetty 11:

cd /usr/local/src

wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/11.0.19/jetty-home-11.0.19.tar.gz

tar xzvf jetty-home-11.0.19.tar.gz

Kreirati jetty-src folder kao simbolički link. Ovo će biti korisno za ažuriranje Jetty softvera u budućnosti:

ln -nsf jetty-home-11.0.19 jetty-src

Kreirati jetty korisnika:

useradd -r -M jetty

Podesiti Jetty konfiguraciju koja će da pregazi inicijalnu i koja će da podnese ažuriranje:

mkdir -p /opt/jetty

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/start.ini -O /opt/jetty/start.ini

Kreirati /opt/jetty/tmp direktorijum tako da se koristi od strane Jetty softvera:

mkdir /opt/jetty/tmp ; chown jetty:jetty /opt/jetty/tmp

chown -R jetty:jetty /opt/jetty /usr/local/src/jetty-src

Kreirati Jetty Log direktorijume:

mkdir /var/log/jetty

mkdir /opt/jetty/logs

chown jetty:jetty /var/log/jetty /opt/jetty/logs

Preuzeti fajl jetty:

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/jetty -O /etc/default/jetty

Omogućiti da jetty servis može da se učitava iz komandne linije (loadable):

cd /etc/init.d

ln -s /usr/local/src/jetty-src/bin/jetty.sh jetty

update-alternatives --config editor

Odaberite editor sa kojim ste najbolje upoznati

cp /usr/local/src/jetty-src/bin/jetty.service /etc/systemd/system/jetty.service

Potrebno je da se u fajlu /etc/systemd/system/jetty.service zameni PIDFile=/opt/web/mybase/jetty.pid sa PIDFile=/opt/jetty/jetty.pid putanjom.

systemctl edit --full jetty.service

Hint

        ...
    [Service]
    Type=forking
    PIDFile=/opt/jetty/jetty.pid
    ExecStart=/etc/init.d/jetty start
    ExecStop=/etc/init.d/jetty stop
    ExecReload=/etc/init.d/jetty restart
    User=jetty
    Group=jetty

        ...

systemctl daemon-reload

systemctl enable jetty.service

Instalirati Servlet Jakarta API 5.0.0:

apt install libjakarta-servlet-api-java

Instalirati i konfigurisati LogBack:

cd /opt/jetty

java -jar /usr/local/src/jetty-src/start.jar --add-module=logging-logback

mkdir /opt/jetty/etc

mkdir /opt/jetty/resources

wget "https://docs.amres.ac.rs/download/shibboleth/5.1.2/jetty-requestlog.xml" -O /opt/jetty/etc/jetty-requestlog.xml

wget "https://docs.amres.ac.rs/download/shibboleth/5.1.2/jetty-logging.properties" -O /opt/jetty/resources/jetty-logging.properties

Proveriti da li su podešavanja u redu:

service jetty check

Izveštaj izvršene komande:

Jetty NOT running

service jetty start

service jetty check

Izveštaj izvršene komande:

Jetty running pid=XXXX

Ukoliko se prikaže greška "Job for jetty.service failed because the control process exited with error code. See "systemctl status jetty.service" and "journalctl -xe" for details.", pokušajte sledeće:

rm /opt/jetty/jetty.pid

systemctl start jetty.service

Instalacija Davaoca Identiteta ( Shibboleth IdP 5.1.2 )¶

Preuzeti i otpakovati Shibboleth Identity Provider v5.1.2 repozitorijum na lokaciju /usr/local/src:

cd /usr/local/src

wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-5.1.2.tar.gz

tar -xzf shibboleth-identity-provider-5.1.2.tar.gz

Pokrenuti skriptu za instalaciju:

cd /usr/local/src/shibboleth-identity-provider-5.1.2/bin

bash install.sh --hostName $(hostname -f)

U procesu instalacije biće ispisana sledeća obaveštenja i biće postavljena pitanja.

Kada se prikažu određene linije koje su markirane bojom u nastavku potrebno je uneti odgovarajuće podatke:

Installation Directory: [/opt/shibboleth-idp] ? Klik ENTER
SAML EntityID: [https://idp.institucija.ac.rs/idp/shibboleth] ? Klik ENTER
Attribute Scope: [institucija.ac.rs] ? Klik ENTER

Objašnjenje :

Attribute Scope: Scope treba da bude validan domen institucije

Napomena:

Od ovog momenta, promenljiva idp.home odnosi se na direktorijum: /opt/shibboleth-idp

Installation Directory: [/opt/shibboleth-idp] ?

INFO  - New Install.  Version: 5.1.2
INFO  - Creating idp-signing, CN = idp.institucija.ac.rsidp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
INFO  - Creating idp-encryption, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
INFO  - Creating backchannel keystore, CN = idp.institucija.ac.rs URI = https://idp.institucija.ac.rs/idp/shibboleth, keySize=3072
INFO  - Creating Sealer KeyStore
INFO  - No existing versioning property, initializing...
SAML EntityID: [https://iaai.outsource.amres.ac.rs/idp/shibboleth] ?

Attribute Scope: [outsource.amres.ac.rs] ?

INFO  - Initializing OpenSAML using the Java Services API
INFO  - Algorithm failed runtime support check, will not be usable: http://www.w3.org/2001/04/xmlenc#ripemd160
INFO  - Algorithm failed runtime support check, will not be usable: http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160
INFO  - Algorithm failed runtime support check, will not be usable: http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/ldap.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/services.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/conf/admin/admin.properties
INFO  - Creating Metadata to /opt/shibboleth-idp/metadata/idp-metadata.xml
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.2
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war

Onemogućiti Jetty Directory indeksiranje¶

Kreirati direktorijum koji nedostaje:

mkdir /opt/shibboleth-idp/edit-webapp/WEB-INF

cp /opt/shibboleth-idp/dist/webapp/WEB-INF/web.xml /opt/shibboleth-idp/edit-webapp/WEB-INF/web.xml

Izvršite rebild IdP war fajla:

bash /opt/shibboleth-idp/bin/build.sh

Konfiguracija Apache Web servera¶

Kreirati DocumentRoot:

mkdir /var/www/html/$(hostname -f)

chown -R www-data: /var/www/html/$(hostname -f)

echo '<h1>It Works!</h1>' > /var/www/html/$(hostname -f)/index.html

Komercijalni SSL sertifikat¶

Kreiranje komercijalnog SSL sertifikata i ključa:

Komercijalni sertifikat i ključ treba da budu vrste GÉANT OV SSL kog kreirate po uputstvu:

HTTPS Server Certificate (Public Key) - (idp.institucija.ac.rs.crt) u /etc/ssl/certs
HTTPS Server Key (Private Key) - (idp.institucija.ac.rs.key) u /etc/ssl/private

Jedna od mogućnosti kako se to može uraditi:

Preuzme se fajl SCSreq.cnf na lokaciju /etc/ssl/private/SCSreq.cnf

wget https://docs.amres.ac.rs/download/shibboleth/SCSreq.cnf -O /etc/ssl/private/SCSreq.cnf

Generisati privatni ključ (.key) i zahtev (.csr):

openssl req -new -sha256 -config /etc/ssl/private/SCSreq.cnf -utf8 -keyout /etc/ssl/private/$(hostname -f).key -out /etc/ssl/private/$(hostname -f).csr

Primer postupka kreiranja privatnog ključa i zahteva (koristitli biste drugačiji naziv sertifikata i uneli biste odgovarajuće podatke):

openssl req -new -sha256 -config /etc/ssl/private/SCSreq.cnf -utf8 -keyout /etc/ssl/private/$(hostname -f).key -out /etc/ssl/private/$(hostname -f).csr
Generating a 2048 bit RSA private key
....................+++
....................+++
writing new private key to '/etc/ssl/private/idp.institucija.ac.rs.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Oznaka zemlje (2 znaka) [RS]: Klik Enter
Pun naziv drzave []: Klik Enter
Lokacija (mesto) []: Belgrade
Postanski broj []: 11000
Ulica i broj []: Bulevar kralja Aleksandra 90
Zvanični naziv institucije []: Academic network of the Republic of Serbia – AMRES
FQDN adresa servera []: idp.institucija.ac.rs

Zatim generisani zahtev iskorititi za kreiranje sertifikata (javnog ključa) koji treba da bude tipa GÉANT OV SSL

cat /etc/ssl/private/$(hostname -f).csr

Preuzimanje CA Cert (GEANT_OV_RSA_CA_4.crt) sertifikata:

wget https://docs.amres.ac.rs/download/shibboleth/GEANT_OV_RSA_CA_4.crt -O /etc/ssl/certs/GEANT_OV_RSA_CA_4.crt

Dati odgovarajuće privilegije SSL sertifikatu i ključu:

chmod 400 /etc/ssl/private/$(hostname -f).key

chmod 644 /etc/ssl/certs/$(hostname -f).crt

Omogućiti Apache2 modul:

a2enmod proxy_http ssl headers alias include negotiation

a2dissite 000-default.conf default-ssl

Zatim treba restartovati Apache proces:

systemctl restart apache2.service

Konfiguracija Jetty Context Descriptor za Davaoca Identiteta¶

Konfigurisati IdP Context Descriptor. Kreirati direktorijum /opt/jetty/webapps:

mkdir /opt/jetty/webapps

Preuzeti fajl idp.xml:

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/idp.xml -O /opt/jetty/webapps/idp.xml

Postaviti da vlasnik glavnih direktorijuma Davaoca Identiteta bude jetty:

cd /opt/shibboleth-idp

chown -R jetty logs/ metadata/ credentials/ conf/ war/

Restartovati Jetty servis:

systemctl restart jetty.service

Konfiguracija - Apache2 (front-end Jetty)¶

Kreirati VirtualHost file:

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/000-idp.institucija.ac.rs.conf -O /etc/apache2/sites-available/$(hostname -f).conf

Fajl /etc/apache2/sites-available/$(hostname -f).conf je potrebno izmeniti. Uneti nazive sertifikata i ključa i podatke o serveru.

vim /etc/apache2/sites-available/$(hostname -f).conf

Fajl /etc/apache2/sites-available/000-$(hostname -f).conf sa svim potrebnim izmenama:

# This is an example Apache2 configuration for a Shibboleth Identity Provider
# installed with IDEM Tutorials.
#
# Edit this file and:
# - Adjust "idp.example.org" with your IdP Full Qualified Domain Name
# - Adjust "ServerAdmin" email address
# - Adjust "CustomLog" and "ErrorLog" with Apache log files path (there are examples for Debian or CentOS distribution)
# - Adjust "SSLCertificateFile", "SSLCertificateKeyFile" and "SSLCACertificateFile" with the correct file path


# SSL general security improvements should be moved in global settings
# OCSP Stapling, only in httpd/apache >= 2.3.3
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:80>
   ServerName "idp.institucija.ac.rs"
   Redirect permanent "/" "https://idp.institucija.ac.rs/"
</VirtualHost>

<IfModule mod_ssl.c>
   <VirtualHost _default_:443>
     ServerName idp.institucija.ac.rs:443
     ServerAdmin helpdesk@institucija.ac.rs
     # Debian/Ubuntu
     CustomLog /var/log/apache2/idp.institucija.ac.rs combined
     ErrorLog /var/log/apache2/idp.institucija.ac.rs-error.log    
     # Centos
     #CustomLog /var/log/httpd/idp.example.org.log combined
     #ErrorLog /var/log/httpd/idp.example.org-error.log

     DocumentRoot /var/www/html/idp.institucija.ac.rs

     SSLEngine On
     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
     SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

     SSLHonorCipherOrder on   

     # Disallow embedding your IdP's login page within an iframe and
     # Enable HTTP Strict Transport Security with a 2 year duration
     <IfModule headers_module>
        Header set X-Frame-Options DENY
        Header set Strict-Transport-Security "max-age=63072000 ; includeSubDomains ; preload"
     </IfModule>

     # Debian/Ubuntu
     SSLCertificateFile /etc/ssl/certs/idp.institucija.ac.rs.crt      
     SSLCertificateKeyFile /etc/ssl/private/idp.institucija.ac.rs.key

     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/ssl/certs/ACME-CA.pem
     SSLCACertificateFile /etc/ssl/certs/GEANT_OV_RSA_CA_4.crt


     # Centos
     #SSLCertificateFile /etc/pki/tls/certs/idp.example.org.crt
     #SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

     # ACME-CA or GEANT_OV_RSA_CA_4 (For users who use GARR TCS/Sectigo RSA Organization Validation Secure Server CA)
     #SSLCACertificateFile /etc/pki/tls/certs/ACME-CA.pem
     #SSLCACertificateFile /etc/pki/tls/certs/GEANT_OV_RSA_CA_4.crt

     <IfModule mod_proxy.c>
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass /idp http://localhost:8080/idp retry=5
        ProxyPassReverse /idp http://localhost:8080/idp retry=5

        <Location /idp>
           Require all granted
        </Location>
     </IfModule>
   </VirtualHost>
</IfModule>

# This virtualhost is only here to handle administrative commands for Shibboleth, executed from localhost
<VirtualHost 127.0.0.1:80>
  ProxyPass /idp http://localhost:8080/idp retry=5
  ProxyPassReverse /idp http://localhost:8080/idp retry=5
  <Location /idp>
    Require all granted
  </Location>
</VirtualHost>

Dodati Apache2 kreirane virtualne hostove:

a2ensite $(hostname -f).conf

systemctl reload apache2.service

Ukoliko se prikaže greška proverite:

Da li ste kreirali privatni ključ i sertifikat i uneli ga na pravilnu lokaciju?
Da li ste preuzeli GEANT_OV_RSA_CA_4.crt sertifikat?
Da li ste uneli sve potrebne izmene u okviru fajla /etc/apache2/sites-available/$(hostname -f).conf?
Da li ste omogućili Apache2 modul prema uputstvu?
Da li ste instalirali sav potreban softver prema uputstvu (ca-certificates openssl apache2)?

Proveriti IdP metapodatke, koji su dostupni na linku u formi: https://DOMEN_VM/idp/shibboleth

https://idp.institucija.ac.rs/idp/shibboleth

Konfiguracija skladišta Davaoca Identiteta¶

Koriščen je princip: HTML lokalno skladište, GCM enkripcija, bez baze podataka i nije potrebno ništa dodatno konfigurisati.

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

### Operating Environment Information
operating_system: Linux
operating_system_version: 6.1.0-21-amd64
operating_system_architecture: amd64
jdk_version: 17.0.11
available_cores: 2
used_memory: 143 MB
maximum_memory: 1778 MB

### Identity Provider Information
idp_version: 5.1.2
start_time: 2024-06-06T15:11:00.855Z
current_time: 2024-06-06T15:11:02.370367340Z
uptime: PT1.515S

enabled modules:
        idp.Core (Core IdP Functions (Required))
        idp.CommandLine (Command Line Scripts)
        idp.EditWebApp (Overlay Tree for WAR Build)
        idp.authn.Password (Password Authentication)
        idp.admin.Hello (Hello World)

installed plugins:

service: shibboleth.LoggingService
last successful reload attempt: 2024-06-06T15:01:56.729374635Z
last reload attempt: 2024-06-06T15:01:56.729374635Z

service: shibboleth.AttributeFilterService
last successful reload attempt: 2024-06-06T15:02:00.429587328Z
last reload attempt: 2024-06-06T15:02:00.429587328Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2024-06-06T15:02:00.539291194Z
last reload attempt: 2024-06-06T15:02:00.539291194Z

        No Data Connector has ever failed

service: shibboleth.AttributeRegistryService
last successful reload attempt: 2024-06-06T15:01:59.727803890Z
last reload attempt: 2024-06-06T15:01:59.727803890Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2024-06-06T15:02:00.648774869Z
last reload attempt: 2024-06-06T15:02:00.648774869Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2024-06-06T15:02:00.709470138Z
last reload attempt: 2024-06-06T15:02:00.709470138Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2024-06-06T15:02:00.133460957Z
last reload attempt: 2024-06-06T15:02:00.133460957Z

        No Metadata Resolver has ever attempted a reload

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2024-06-06T15:02:01.408871260Z
last reload attempt: 2024-06-06T15:02:01.408871260Z

service: shibboleth.ReloadableCASServiceRegistry
last successful reload attempt: 2024-06-06T15:02:01.452175673Z
last reload attempt: 2024-06-06T15:02:01.452175673Z

service: shibboleth.ManagedBeanService
last successful reload attempt: 2024-06-06T15:02:01.471856987Z
last reload attempt: 2024-06-06T15:02:01.471856987Z

Integracija sa OpenLDAP bazom podataka¶

Instalirati ldap-utils paket:

apt install ldap-utils

Kreirati sistemski nalog (nalog za monitoring) u OpenLDAP bazi

O tome možete da pročitate u ovom delu uputstva Instalacije i konfiguracije OpenLDAP baze podataka (Debian/Ubuntu) ili ovde (CentOS).

Nakon što kreirate sistemski nalog potrebno je da mu se daju privilegije čitanja (monitoringa) korisničkih naloga u bazi, što se postiže sastavljanjem liste za kontrolu pristupa o čemu možete da pročitate više u ovom delu (Debian/Ubuntu) ili pročitati deo (CentOS) .

Napomena: Ukoliko vam je potrebna konsultacija oko specifičnije liste za kontrolu pristupa kontaktirajte nas na imejl adresu helpdesk@amres.ac.rs.

OpenLDAP sertifikat

Ukoliko se OpenLDAP baza ne nalazi na VM na kojoj se instalira i konfiguriše Shibboleth IdP potrebno je preneti sertifikat baze na ovu VM jer će biti neophodan za ostvarivanje sigurne konekcije sa bazom podataka. Sertifikat se može preneti na lokaciju /etc/ldap/ ili /etc/ldap/certs ili neku vama pogodnu lokaciju. Podatak o lokaciji ovog sertifikata treba da se unese kasnije u fajl /opt/shibboleth-idp/conf/ldap.properties.

Koristi se metoda OpenLDAP + STARTTLS.

Fajl secrets.properties¶

Izmena fajla secrets.properties :

vim /opt/shibboleth-idp/credentials/secrets.properties

Fajl secrets.properties Hint

Potrebno je editovati liniju:

idp.authn.LDAP.bindDNCredential = myServicePassword

Umesto dela myServicePassword unosi lozinka sistemskog naloga koji će povezati IdP sa LDAP bazom podataka i na taj način omogučiti autentifikaciju korisnika iz baze:

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = randomstring
idp.sealer.keyPassword = randomstring

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = randomstring
idp.sealer.keyPassword = randomstring

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = mojalozinka123
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

Fajl ldap.properties¶

mv /opt/shibboleth-idp/conf/ldap.properties /opt/shibboleth-idp/conf/ldap.properties_default

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/ldap.properties -O /opt/shibboleth-idp/conf/ldap.properties

U fajl ldap.properties se navode pojedinosti vezane za LDAP bazu sa kojom se IdP povezuje:

idp.authn.LDAP.ldapURL = ldap://<DOMEN VM NA KOJOJ_JE LDAP BAZA> npr. ldap://ldap.institucija.ac.rs

idp.authn.LDAP.trustCertificates = <PUTANJA_DO_LDAP_SERTIFIKATA> npr. /etc/ldap/ldap.institucija.ac.rs.crt

idp.authn.LDAP.baseDN = <DEO LDAP BAZE GDE SU KORISNIČKI NALOZI KOJI SE AUTENTIFIKUJU> npr. ou=people,dc=institucija,dc=ac,dc=rs

idp.authn.LDAP.subtreeSearch = false

idp.authn.LDAP.bindDN = <DN SISTEMSKOG NALOGA> npr. cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs

idp.attribute.resolver.LDAP.exportAttributes = <ATRIBUTI KOJI SE UZIMAJU IZ LDAP BAZE> npr. cn givenName sn mail rsEduPersonAffiliation displayName eduPersonEntitlement rsEduPersonLocalNumber

Napomena:

U primeru iznad vrednost parametra idp.authn.LDAP.baseDN je navedena organizaciona jedinica u kojoj se nalaze svi korisnički nalozi koji se autentifikuju. Ukoliko je Vaša baza podataka kreirana tako da su nalozi organizovani u više grana i organizacionih jedinica, vrednost parametra idp.authn.LDAP.baseDN treba da bude koren LDAP stabla, a vrednost parametra idp.authn.LDAP.subtreeSearch treba da bude true
eduPersonEntitlement je specijalna vrsta atributa koji se koristi za autorizaciju. Može se koristiti da bi se utvrdilo da li korisnik ima pravo da koristi određeni servis.
rsEduPersonAffiliation atribut definiše način na koji je osoba povezana sa institucijom (moguće vrednosti su: student, učenik, nastavni kadar, zaposleni, spoljni saradnik, korisnik usluge, gost).
rsEduPersonLocalNumber atribut predstavlja lokalni identifikator osobe, npr. za studenta broj studenta ili za zaposlenog broj zaposlenog.

Primer popunjenog fajla ldap.properties:

vim /opt/shibboleth-idp/conf/ldap.properties

# LDAP authentication (and possibly attribute resolver) configuration
# Note, this doesn't apply to the use of JAAS authentication via LDAP

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator                   = bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL                          = ldap://ldap.institucija.ac.rs
idp.authn.LDAP.useStartTLS                     = true
# Time to wait for startTLS responses
#idp.authn.LDAP.startTLSTimeout                 = PT3S
# Time to wait for connections to open
#idp.authn.LDAP.connectTimeout                  = PT3S
# Time to wait for operation responses (e.g. search, bind)
#idp.authn.LDAP.responseTimeout                 = PT3S
# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
#idp.authn.LDAP.connectionStrategy               = ACTIVE_PASSIVE

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig                       = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates                = /etc/ldap/ldap.institucija.ac.rs.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN                           = ou=people,dc=institucija,dc=ac,dc=rs
idp.authn.LDAP.subtreeSearch                   = false
idp.authn.LDAP.userFilter                       = (uid={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN                           = cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
#idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=example,dc=org

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator                  = none

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout:PT3S}
#idp.attribute.resolver.LDAP.connectionStrategy  = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
#idp.attribute.resolver.LDAP.startTLSTimeout     = %{idp.authn.LDAP.startTLSTimeout:PT3S}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)

# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize                          = 3
#idp.pool.LDAP.maxSize                          = 10
#idp.pool.LDAP.validateOnCheckout               = false
#idp.pool.LDAP.validatePeriodically             = true
#idp.pool.LDAP.validatePeriod                   = PT5M
#idp.pool.LDAP.validateDN                       =
#idp.pool.LDAP.validateFilter                   = (objectClass=*)
#idp.pool.LDAP.prunePeriod                      = PT5M
#idp.pool.LDAP.idleTime                         = PT10M
#idp.pool.LDAP.blockWaitTime                    = PT3S

idp.attribute.resolver.LDAP.exportAttributes    = uid cn givenName sn mail rsEduPersonAffiliation displayName eduPersonEntitlement rsEduPersonLocalNumber

Provera konektivnosti sa LDAP bazom

ldapsearch -x -H ldap://<FQDN ili IP adresa> -D '<DN_SISTEMSKOG_NALOGA>' -w '<IDPUSER_PASSWORD>' -b 'ou=people,dc=example,dc=org' '(uid=<KORISNIČKO_IME>)'

<FQDN ili IP adresa> zameniti podatkom o domenu (FQDN) ili IP adresi virtuelne mašine na kojoj je LDAP baza

<DN_SISTEMSKOG_NALOGA> zameniti podatkom o kreiranom sistemskom nalogu npr. cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs

<IDPUSER_PASSWORD> zameniti lozinkom sistemskog naloga

ou=people,dc=example,dc=org zameniti podatkom o delu LDAP baze gde su korisnički nalozi koji se autentifikuju npr. ou=people,dc=institucija,dc=ac,dc=rs

<KORISNIČKO_IME> zameniti podatkom o korisničkom imenu test naloga za kog se proverava uspešnost autentifikacije

Primer komande:

ldapsearch -x -H ldap://ldap.institucija.ac.rs -D 'cn=idpuser,ou=system,dc=institucija,dc=ac,dc=rs' -w 'mojalozinka123' -b 'ou=people,dc=institucija,dc=ac,dc=rs' '(uid=petar.petrovic)'

Ukoliko ste preneli OpenLDAP sertifikat sa druge mašine, neophodne je da mu se dodele određene privilegije

chown jetty:root /opt/shibboleth-idp/credentials/ldap-server.crt ; chmod 600 /opt/shibboleth-idp/credentials/ldap-server.crt

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta. Napomena: Ukoliko je izveštaj isti kao prethodni put sa konfiguracijom je sve u redu:

bash /opt/shibboleth-idp/bin/status.sh

Podesiti da Davaoc Identiteta kreira persistent NameID¶

Shibboleth Documentation: https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507892/PersistentNameIDGenerationConfiguration

persistent NameID je jedinstveni trajni identifikator korisnika, koji Davalac Identiteta prosleđuje Davaocu Servisa.

Strategija A "Computed mode" (preporučena):¶

mv /opt/shibboleth-idp/conf/saml-nameid.properties /opt/shibboleth-idp/conf/saml-nameid.properties_default

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/saml-nameid.properties -O /opt/shibboleth-idp/conf/saml-nameid.properties

mv /opt/shibboleth-idp/conf/saml-nameid.xml /opt/shibboleth-idp/conf/saml-nameid_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/saml-nameid.xml -O /opt/shibboleth-idp/conf/saml-nameid.xml

openssl rand -base64 36

Rezultat komande je potrebno sačuvati/kopirati, jer se primenjuje u sledećem koraku

Rezultat komande je niz karaktera formata:

4Z4VL1gOzw*******************************

Izmena fajla secrets.properties Hint

vim /opt/shibboleth-idp/credentials/secrets.properties

Otkomentarisati liniju:

idp.persistentId.salt = changethistosomethingrandom

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = randomstring
idp.sealer.keyPassword = randomstring

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

Deo changethistosomethingrandom izmeniti dobijenim nizom karaktera dobijenim kao rezultat prethodno primenjene komande (openssl rand -base64 36).

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = randomstring
idp.sealer.keyPassword = randomstring

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
idp.persistentId.salt = 4Z4VL1gOzw*******************************

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Strategija B "Stored mode" (korišćenje baze podataka za skladištenje persistent NameID)¶

Instalirati potrebne pakete:

apt install default-mysql-server libmariadb-java libcommons-dbcp2-java libcommons-pool2-java --no-install-recommends

Instalirati JDBCStorageService plugin:

/opt/shibboleth-idp/bin/plugin.sh -I net.shibboleth.plugin.storage.jdbc

Izveštaj pokrenute komande:

INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/ldap.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in /opt/shibboleth-idp/bin/../conf/services.properties
INFO  - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.0.0/java-plugin-jdbc-storage-2.0.0.tar.gz]
INFO  - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/jdbc/2.0.0/java-plugin-jdbc-storage-2.0.0.tar.gz.asc]
INFO  - Plugin net.shibboleth.plugin.storage.jdbc: Trust store folder does not exist, creating
INFO  - Plugin net.shibboleth.plugin.storage.jdbc: Trust store does not exist, creating
INFO  - TrustStore does not contain signature 0x7D27E610B8A3DC52
Accept this key:
Signature:      0x7D27E610B8A3DC52
FingerPrint:    B5B5DD332142AD657E8D87AC7D27E610B8A3DC52
Username:       Philip David Smart <philip.smart@jisc.ac.uk>
 [yN] y
INFO  - Installing Plugin 'net.shibboleth.plugin.storage.jdbc' version 2.0.0
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.2
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war

Pokrenuti bazu:

systemctl start mariadb.service

Pokrenuti proces uspostavljanja bezbedonosne politike MariaDB baze podataka (ukoliko već nije uspostavljena):

mysql_secure_installation

Pokretanjem ove komande ulazi se u interaktivni mod, u okviru koga je potrebno odgovotiri na sledeća pitanja:

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): pass123
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
 ... skipping.

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Kreirati shibpid tabelu u shibboleth bazi podataka:

wget  https://docs.amres.ac.rs/download/shibboleth/5.1.2/shib-pid-db.sql  -O /root/shib-pid-db.sql

Potrebno je editovati ###SHIBPID-USERNAME-CHANGEME### i ###SHIB-DB-USER-PASSWORD-CHANGEME### delove konfiguracije u fajlu /root/shib-pid-db.sql, čime ćete kreirati korisnika koji će biti korišćen kasnije.

Importovati bazu:

mysql -u root < /root/shib-pid-db.sql

Restartovati MariaDB servis:

systemctl restart mariadb.service

Pokrenuti build skripte za dodavanje neophodnih biblioteka:

mkdir /opt/shibboleth-idp/edit-webapp/WEB-INF/lib

ln -s /usr/share/java/mariadb-java-client.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib

ln -s /usr/share/java/commons-dbcp2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib

ln -s /usr/share/java/commons-pool2.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib

bash /opt/shibboleth-idp/bin/build.sh

Omogućiti konekciju sa bazom izmenom sledećeg fajla:

vim /opt/shibboleth-idp/conf/global.xml

Dodati deo konfiguracije pre poslednjeg taga:

U delu ###SHIB-USERNAME-CHANGEME### i ###SHIB-DB-USER-PASSWORD-CHANGEME### unesite kredencijale prethodno kreiranog korisnika.

<bean id="shibpid.JDBCStorageService.DataSource"
      class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close" lazy-init="true"
      p:driverClassName="org.mariadb.jdbc.Driver"
      p:url="jdbc:mysql://localhost:3306/shibpid?autoReconnect=true"
      p:username="###_SHIBPID-USERNAME-CHANGEME_###"
      p:password="###_SHIBPID-DB-USER-PASSWORD-CHANGEME_###"
      p:maxTotal="10"
      p:maxIdle="5"
      p:maxWaitMillis="15000"
      p:testOnBorrow="true"
      p:validationQuery="select 1"
      p:validationQueryTimeout="5" />

Omogućite kreiranje persistent-id vrednosti preuzimanjem konfiguracionog fajla:

mv /opt/shibboleth-idp/conf/saml-nameid.properties /opt/shibboleth-idp/conf/saml-nameid.properties_default

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/saml-nameid_stored.properties -O /opt/shibboleth-idp/conf/saml-nameid.properties

mv /opt/shibboleth-idp/conf/saml-nameid.xml /opt/shibboleth-idp/conf/saml-nameid_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/saml-nameid.xml -O /opt/shibboleth-idp/conf/saml-nameid.xml

openssl rand -base64 36

Rezultat komande je potrebno sačuvati/kopirati, jer se primenjuje u sledećem koraku

Rezultat komande je niz karaktera formata:

4Z4VL1gOzw*******************************

Izmena fajla secrets.properties Hint

vim /opt/shibboleth-idp/credentials/secrets.properties

Otkomentarisati liniju:

idp.persistentId.salt = changethistosomethingrandom

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = randomstring
idp.sealer.keyPassword = randomstring

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
#idp.persistentId.salt = changethistosomethingrandom

Deo changethistosomethingrandom izmeniti dobijenim nizom karaktera dobijenim kao rezultat prethodno primenjene komande (openssl rand -base64 36).

# This is a reserved spot for most properties containing passwords or other secrets.
# Created by install at 2022-01-30T18:18:22.776427Z

# Access to internal AES encryption key
idp.sealer.storePassword = randomstring
idp.sealer.keyPassword = randomstring

# Default access to LDAP authn and attribute stores.
idp.authn.LDAP.bindDNCredential              = myServicePassword
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}

# Salt used to generate persistent/pairwise IDs, must be kept secret
idp.persistentId.salt = 4Z4VL1gOzw*******************************

mv /opt/shibboleth-idp/conf/c14n/subject-c14n.xml /opt/shibboleth-idp/conf/c14n/subject-c14n.xml_default

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/subject-c14n.xml -O /opt/shibboleth-idp/conf/c14n/subject-c14n.xml

mv /opt/shibboleth-idp/conf/c14n/subject-c14n.properties /opt/shibboleth-idp/conf/c14n/subject-c14n.properties_default

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/subject-c14n.properties -O /opt/shibboleth-idp/conf/c14n/subject-c14n.properties

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Podešavanje attribute-resolver.xml fajla¶

Preuzeti fajl attribute-resolver.xml:

mv /opt/shibboleth-idp/conf/attribute-resolver.xml /opt/shibboleth-idp/conf/attribute-resolver_default.xml

U slučaju da ste odabrali Strategiju A "Computed mode" (preporučena) za persistent NameID, preuzimate sledeći fajl:

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/attribute-resolver.xml -O /opt/shibboleth-idp/conf/attribute-resolver.xml

U slučaju da ste odabrali Strategiju B "Stored mode" za persistent NameID, preuzimate sledeći fajl:

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/attribute-resolver_stored.xml -O /opt/shibboleth-idp/conf/attribute-resolver.xml

U fajlu treba izmeniti sledeće:

vim /opt/shibboleth-idp/conf/attribute-resolver.xml

Neophodno je izmeniti #sHO# podatak:

#sHO# predstavlja SCHAC code institucije koja je registrovana u Erazmus+ projektu. Spisak institucija možete pronaći na linku https://wiki.geant.org/display/SM/ECHE+Whitelist (pretražite RS country code). Više o tome na https://docs.amres.ac.rs/uputstva/shibboleth/esi/#o-esi-atributu .

        <Attribute id="schacHomeOrganization">
            <Value>#sHO#</Value>
        </Attribute>

Umesto dela Naziv Vaše institucije uneti naziv Vaše institucije.

        <Attribute id="o">
            <Value>Naziv Vaše institucije</Value>
        </Attribute>

Dodatno objašnjenje sadržaja fajla attribute-resolver.xml

U okviru fajla dodata je definicija za Pairwise identifikator koji ima istu ulogu kao eduPersonTargetedID atribut i kreira se od iste persistentId vrednosti. Bitno je napomenuti da će uskoro eduPersonTargetedID atribut prestati da se koristi.

Ukoliko želite da učestvujete u Erazmus+ projektu i imate HEI ulogu, potrebno je da dodate konfiguraciju za ESI atribut.

Promeniti vlasnika fajla:

chown jetty /opt/shibboleth-idp/conf/attribute-resolver.xml

Instalirati plugin koji omogućava definiciju ScriptedAttribute:

cd  /opt/shibboleth-idp/bin

./plugin.sh -I net.shibboleth.idp.plugin.nashorn

Izveštaj pokrenute komande:

INFO  - Including auto-located properties in ./../conf/admin/admin.properties
INFO  - Including auto-located properties in ./../conf/ldap.properties
INFO  - Including auto-located properties in ./../conf/authn/authn.properties
INFO  - Including auto-located properties in ./../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in ./../conf/saml-nameid.properties
INFO  - Including auto-located properties in ./../conf/services.properties
INFO  - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/scripting/2.0.0/idp-plugin-nashorn-jdk-dist-2.0.0.tar.gz]
....................................
INFO  - Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/scripting/2.0.0/idp-plugin-nashorn-jdk-dist-2.0.0.tar.gz.asc]
INFO  - Plugin net.shibboleth.idp.plugin.nashorn: Trust store folder does not exist, creating
INFO  - Plugin net.shibboleth.idp.plugin.nashorn: Trust store does not exist, creating
INFO  - TrustStore does not contain signature 0x1483F262A4B3FF0
Accept this key:
Signature:      0x1483F262A4B3FF0
FingerPrint:    4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0
Username:       Rod Widdowson <rdw@steadingsoftware.com>
 [yN] y
INFO  - Installing Plugin 'net.shibboleth.idp.plugin.nashorn' version 2.0.0
INFO  - Rebuilding /opt/shibboleth-idp/war/idp.war, Version 5.1.2
INFO  - Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
INFO  - Creating war file /opt/shibboleth-idp/war/idp.war

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Podesiti da Shibboleth Identity Provider oslobađa eduPersonTargetedID¶

Trajni identifikator korisnika koji razmenjuju Davalac Servisa i Davalac Identiteta (Shibboleth IdP). Nikada se ne dodeljuje ponovo i ne sadrži nikakve podatke o korisniku. Davalac Identiteta smešta persistentId vrednost u eduPersonTargetedID atribut kada komunicira sa određenim Davaocem Servisa ukoliko on to zahteva.

Dodatno objašnjenje:

U okviru fajla attribute-resolver.xml dodata je definicija za Pairwise identifikator koji ima istu ulogu kao eduPersonTargetedID atribut i kreira se od iste persistentId vrednosti. Bitno je napomenuti da će uskoro eduPersonTargetedID atribut prestati da se koristi.

Ovaj deo je već podešen u okviru fajla attribute-resolver.xml koji ste preuzeli i izmenili u prethodnim koracima.

Dodatno, potrebno je preuzeti fajl eduPersonTargetedID.properties.

wget https://docs.amres.ac.rs/download/shibboleth/eduPersonTargetedID.properties -O /opt/shibboleth-idp/conf/attributes/custom/eduPersonTargetedID.properties ; chown jetty:root /opt/shibboleth-idp/conf/attributes/custom/eduPersonTargetedID.properties

Restartovati Jetty proces:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Uneti dodatne šeme za definisanje atributa¶

rm /opt/shibboleth-idp/conf/attributes/eduPerson.xml ; wget https://docs.amres.ac.rs/download/shibboleth/eduPerson.xml -O /opt/shibboleth-idp/conf/attributes/eduPerson.xml

chown jetty:root /opt/shibboleth-idp/conf/attributes/eduPerson.xml

rm /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml ; wget https://docs.amres.ac.rs/download/shibboleth/inetOrgPerson.xml -O /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml

chown jetty:root /opt/shibboleth-idp/conf/attributes/inetOrgPerson.xml

rm /opt/shibboleth-idp/conf/attributes/samlSubject.xml ; wget https://docs.amres.ac.rs/download/shibboleth/samlSubject.xml -O /opt/shibboleth-idp/conf/attributes/samlSubject.xml

chown jetty:root /opt/shibboleth-idp/conf/attributes/samlSubject.xml

Preuzeti rsEdu.xml i schac.xml šemu na lokaciju /opt/shibboleth-idp/conf/attributes/

wget https://docs.amres.ac.rs/download/shibboleth/rsEdu.xml -O /opt/shibboleth-idp/conf/attributes/rsEdu.xml ; chown jetty:root /opt/shibboleth-idp/conf/attributes/rsEdu.xml

wget https://docs.amres.ac.rs/download/shibboleth/schac.xml -O /opt/shibboleth-idp/conf/attributes/schac.xml ; chown jetty:root /opt/shibboleth-idp/conf/attributes/schac.xml

Preuzeti fajl default-rules.xml :

mv /opt/shibboleth-idp/conf/attributes/default-rules.xml /opt/shibboleth-idp/conf/attributes/default-rules_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/default-rules.xml -O /opt/shibboleth-idp/conf/attributes/default-rules.xml

Konfiguracija Shibboleth IdP Logova¶

Konfiguracija logova vezanih za LDAP greške u autentifikaciji:

mv /opt/shibboleth-idp/conf/logback.xml /opt/shibboleth-idp/conf/logback_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/logback.xml -O /opt/shibboleth-idp/conf/logback.xml

Podešavanje interfejsa¶

Preuzeti korisnički interfejs na lokaciju /opt/shibboleth-idp/:

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/css.tar.gz -O /opt/shibboleth-idp/edit-webapp/css.tar.gz ; rm -Ir /opt/shibboleth-idp/edit-webapp/css

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/images.tar.gz -O /opt/shibboleth-idp/edit-webapp/images.tar.gz ; rm -Ir /opt/shibboleth-idp/edit-webapp/images

tar -xzf /opt/shibboleth-idp/edit-webapp/css.tar.gz && rm -f /opt/shibboleth-idp/edit-webapp/css.tar.gz

tar -xzf /opt/shibboleth-idp/edit-webapp/images.tar.gz && rm -f /opt/shibboleth-idp/edit-webapp/images.tar.gz

Uneti logo vaše institucije u direktorijum: /opt/shibboleth-idp/edit-webapp/images

Imate mogućnost da unesete 2 logo fajla, jedan na srpskom i engleskom i shodno tome treba dati naziv formata npr. institucija_logo_sr.jpg i institucija_logo_en.jpg
Dimenzije: širina do 200px.
Podatak o logou institucije treba uneti u kasnijim koracima u fajlove messages_sr.properties i messages_en.properties

Prevod interfejsa i sistemskih poruka se preuzima u direktorijum /opt/shibboleth-idp/messages

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/messages_sr.properties -O /opt/shibboleth-idp/messages/messages_sr.properties

Potrebno je izmeniti preuzet fajl messages_sr.properties i dodati adekvatne podatke vezane za naziv vaše institucije,naziv logo fotografije i imejl adresu administratora koji će održavati ovaj IdP

vim /opt/shibboleth-idp/messages/messages_sr.properties

Izmeniti parametre:

idp.title=Institucija Web SSO
idp.logo=/images/institucija_logo_sr.jpg
idp.footer=Kontaktirajte nas na imejl adresu xxxxxxx
root.title=Institucija Web SSO
idp.userprefs.title=Institucija Web SSO
runtime-error.message=.... Molimo Vas da prijavite ovaj problem službi za podršku na imejl xxxxx.
invalid-event.message=Molimo Vas da prijavite ovaj problem službi za podršku na imejl xxxxx.

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/messages_en.properties -O /opt/shibboleth-idp/messages/messages_en.properties

Potrebno je izmeniti preuzet fajl messages_en.properties i dodati adekvatne podatke vezane za naziv logo fotografije i imejl adresu administratora koji će održavati ovaj IdP

vim /opt/shibboleth-idp/messages/messages_en.properties

Izmeniti parametre:

idp.logo=/images/institucija_logo.jpg
idp.footer=Contact us by email xxxxxxxx

Potrebno je izmeniti fajl /opt/shibboleth-idp/messages/messages.properties

vim /opt/shibboleth-idp/messages/messages.properties

Uneti sledeću liniju:

idp.css = /css/amres.css

Uneti sledeću liniju uz navođenje podatka vezanog za naziv logo fotografije:

idp.logo=/images/institucija_logo_sr.jpg

Sledi prikaz pozicije i okvirnih dimenzija logo fotografije, kao primer je prikazan logo institucije AMRES. Ova slika je informativnog karaktera za sada, tek kada se izvrši celokupna konfiguracija ova stranica vašeg IdP-a će biti dostupna za pregled.

Ilustracija logo fotografije za IdP

Preimenovanje postojećih i preuzimanje novih fajlova logout-propagate.vm, logout-complete.vm, error.vm, login.vm i logout.vm

mv /opt/shibboleth-idp/views/logout-propagate.vm /opt/shibboleth-idp/views/logout-propagate_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/logout-propagate.vm -O /opt/shibboleth-idp/views/logout-propagate.vm

mv /opt/shibboleth-idp/views/logout-complete.vm /opt/shibboleth-idp/views/logout-complete_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/logout-complete.vm -O /opt/shibboleth-idp/views/logout-complete.vm

mv /opt/shibboleth-idp/views/error.vm /opt/shibboleth-idp/views/error_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/error.vm -O /opt/shibboleth-idp/views/error.vm

mv /opt/shibboleth-idp/views/login.vm /opt/shibboleth-idp/views/login_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/login.vm -O /opt/shibboleth-idp/views/login.vm

mv /opt/shibboleth-idp/views/logout.vm /opt/shibboleth-idp/views/logout_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/logout.vm -O /opt/shibboleth-idp/views/logout.vm

mv /opt/shibboleth-idp/views/admin/hello.vm /opt/shibboleth-idp/views/admin/hello_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/hello.vm -O /opt/shibboleth-idp/views/admin/hello.vm

mv /opt/shibboleth-idp/views/client-storage/client-storage-read.vm /opt/shibboleth-idp/views/client-storage/client-storage-read_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/client-storage-read.vm -O /opt/shibboleth-idp/views/client-storage/client-storage-read.vm

mv /opt/shibboleth-idp/views/client-storage/client-storage-write.vm /opt/shibboleth-idp/views/client-storage/client-storage-write_default.vm ; wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/client-storage-write.vm -O /opt/shibboleth-idp/views/client-storage/client-storage-write.vm

Restartovati Jetty servis:

systemctl restart jetty.service

Pokretanje build skripte

cd /opt/shibboleth-idp/bin ; ./build.sh

Izveštaj pokretanja skripte

INFO  - net.shibboleth.idp.installer.impl.IdPBuildArguments@57fa26b7
INFO  - Rebuilding /opt/shibboleth-idp/bin/./../war/idp.war, Version 5.1.2
INFO  - Initial populate from ./../dist/webapp to ./../webpapp.tmp
INFO  - Overlay from ./../dist/plugin-webapp to ./../webpapp.tmp
INFO  - Overlay from ./../edit-webapp to ./../webpapp.tmp
INFO  - Creating war file ./../war/idp.war

Restartovati Jetty servis:

systemctl restart jetty.service

Izmeniti fajl idp-metadata.xml¶

Pre bilo koje izmene ovog fajla najsigurnije je napraviti njegovu kopiju

Ovaj fajl je veoma značajan i unikatan. Iz tog razloga treba vrlo pažljivo izvršiti sve potrebne izmene i u slučaju potrebe zgodno je imati mogućnost povratka na početno stanje.

cp /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idp-metadata_default.xml

vim /opt/shibboleth-idp/metadata/idp-metadata.xml

Obrisati kompletno sledeći komentar:

<!--
 This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
This metadata is not dynamic - it will not change as your configuration changes.
On Demand Metadata Generation available from the metadatagen plugin.
-->

Kompletno obrisati sledeći segment:

            <mdui:UIInfo>
                <mdui:DisplayName>A name for the IdP at idp.institucija.ac.rs</mdui:DisplayName>
                <mdui:Description>Enter a description for the IdP at idp.institucija.ac.rs</mdui:Description>
                <mdui:Logo xml:lang="en" width="80" height="80">https://idp.institucija.ac.rs/path/to/logo.png</mdui:Logo>
            </mdui:UIInfo>

Umesto tog segmenta, na istoj lokaciji dodati sledeći segment:

        <!-- UIInfo -->
           <mdui:UIInfo>
               <mdui:DisplayName xml:lang="sr">Naziv institucije</mdui:DisplayName>
               <mdui:DisplayName xml:lang="en">Name of the Institution</mdui:DisplayName>
               <mdui:Description xml:lang="sr">IDP za zaposlene u instituciji</mdui:Description>
               <mdui:Description xml:lang="en">IDP for staff in the Institution</mdui:Description>
               <mdui:Logo height="50" width="50">https://amres.ac.rs/dokumenti/amres_idp.png</mdui:Logo>
           </mdui:UIInfo>

Izmeniti sledeće podatke:

Naziv institucije: Uneti pun naziv institucije.
Name of the Institution: Uneti pun naziv institucije na engleskom jeziku.
IDP za zaposlene u instituciji: Svrha korišćenja IdP-a, npr. IDP za zaposlene u instituciji.
IDP for staff in the Institution: Svrha korišćenja IdP-a na engleskom jeziku , npr. IDP for staff in the Institution.
https://amres.ac.rs/dokumenti/amres_idp.png : Logo fotografija dostupna putem linka koji se navodi, širine i visine 50px.

Sledi prikaz pozicije i okvirnih dimenzija logo fotografije, kao primer je dat logo institucije AMRES. Ova logo fotografija bi se prikazala prilikom odabira Vaše institucije (Davaoca Identiteta) prilikom autentifikacije na željeni servis.

Ilustracija logo fotografije za IdP, koja se unosi putem linka

Sledeći korak:

Dodati linije

Ispod linije:

        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/ArtifactResolution" />

Dodati sledeću liniju i izmeniti podatak idp.institucija.ac.rs sa FQDN vašeg IdP-a:

        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>

Sledeći korak:

Dodati linije Hint

Dodati sledeće 2 linije tačno ispod linije <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/> a pre linije <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SSO" />:

        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

...
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/ArtifactResolution" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SSO" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SSO" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST/SSO" />
        ...

Ispod linije </md:IDPSSODescriptor> a iznad linije </md:EntityDescriptor> dodati sledeću sekciju:

Izmeniti sledeće podatke:

Naziv institucije: Pun naziv Vaše institucije
Name of the Institution: Pun naziv Vaše institucije na engleskom jeziku
Naziv (akronim) institucije: Akronim Vaše institucije
Naziv (akronim) institucije: Akronim Vaše institucije na engleskom
https://institucija.ac.rs/: Link do verzije sajta institucije na srpskom jeziku
https://institucija.ac.rs/en: Link do verzije sajta institucije na engleskom jeziku
Ime: Ime osobe za kontakt
Prezime: Prezime osobe za kontakt
primer@institucija.ac.rs: Imejl adresa osobe za kontak

 <md:Organization>
  <md:OrganizationName xml:lang="sr">Naziv institucije</md:OrganizationName>
  <md:OrganizationName xml:lang="en">Name of the Institution</md:OrganizationName>
  <md:OrganizationDisplayName xml:lang="sr">Naziv (akronim) institucije</md:OrganizationDisplayName>
  <md:OrganizationDisplayName xml:lang="en">Short name of the Institution</md:OrganizationDisplayName>
  <md:OrganizationURL xml:lang="sr">https://institucija.ac.rs/</md:OrganizationURL>
  <md:OrganizationURL xml:lang="en">https://institucija.ac.rs/en</md:OrganizationURL>
 </md:Organization>
 <md:ContactPerson contactType="technical">
  <md:GivenName>Ime</md:GivenName>
  <md:SurName>Prezime</md:SurName>
  <md:EmailAddress>primer@institucija.ac.rs</md:EmailAddress>
 </md:ContactPerson>

Fajl idp-metadata.xml nakon svih navedenih izmena:

<md:EntityDescriptor entityID="https://idp.institucija.ac.rs/idp/shibboleth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:Extensions>
            <shibmd:Scope regexp="false">idp.institucija.ac.rs</shibmd:Scope>
        <!-- UIInfo -->
           <mdui:UIInfo>
              <mdui:DisplayName xml:lang="sr">Naziv institucije</mdui:DisplayName>
              <mdui:DisplayName xml:lang="en">Name of the Institution</mdui:DisplayName>
              <mdui:Description xml:lang="sr">IDP za zaposlene u instituciji</mdui:Description>
              <mdui:Description xml:lang="en">IDP for staff in the Institution</mdui:Description>
              <mdui:Logo height="50" width="50">https://amres.ac.rs/dokumenti/amres_idp.png</mdui:Logo>
           </mdui:UIInfo>
        </md:Extensions>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
...
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
...
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
...
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/SOAP/ArtifactResolution" />
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SLO"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/POST-SimpleSign/SSO" />
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.institucija.ac.rs/idp/profile/SAML2/Redirect/SSO" />
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.institucija.ac.rsidp/profile/SAML2/POST/SSO" />
    </md:IDPSSODescriptor>
 <md:Organization>
  <md:OrganizationName xml:lang="sr">Naziv institucije</md:OrganizationName>
  <md:OrganizationName xml:lang="en">Name of the Institution</md:OrganizationName>
  <md:OrganizationDisplayName xml:lang="sr">Naziv (akronim) institucije</md:OrganizationDisplayName>
  <md:OrganizationDisplayName xml:lang="en">Short name of the Institution</md:OrganizationDisplayName>
  <md:OrganizationURL xml:lang="sr">https://institucija.ac.rs/</md:OrganizationURL>
  <md:OrganizationURL xml:lang="en">https://institucija.ac.rs/en</md:OrganizationURL>
 </md:Organization>
 <md:ContactPerson contactType="technical">
  <md:GivenName>Ime</md:GivenName>
  <md:SurName>Prezime</md:SurName>
  <md:EmailAddress>primer@institucija.ac.rs</md:EmailAddress>
 </md:ContactPerson>
</md:EntityDescriptor>

Nakon izvršenih izmena metapodaci vašeg Davaoca Identiteta dostupni su na linku https://idp.institucija.ac.rs/idp/shibboleth

Podešavanje kolačića i ostalih podataka¶

Preuzeti skriptu updateIDPsecrets.sh na lokaciju /opt/shibboleth-idp/bin/:

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/updateIDPsecrets.sh -O /opt/shibboleth-idp/bin/updateIDPsecrets.sh

Toj skripti treba dati potrebnu dozvolu za izvršavanje:

chmod +x /opt/shibboleth-idp/bin/updateIDPsecrets.sh

Preuzeti CRON skriptu (/etc/cron.daily/updateIDPsecrets) koja će da je pokreće:

wget https://docs.amres.ac.rs/download/shibboleth/updateIDPsecrets -O /etc/cron.daily/updateIDPsecrets

Toj skripti treba dati potrebnu dozvolu za izvršavanje:

chmod +x /etc/cron.daily/updateIDPsecrets

Proveriti da li će se skripta pokretati svakog dana (daily) :

run-parts --test /etc/cron.daily

Izveštaj provere:

/etc/cron.daily/apache2
/etc/cron.daily/apt-compat
/etc/cron.daily/dpkg
/etc/cron.daily/logrotate
/etc/cron.daily/man-db
/etc/cron.daily/updateIDPsecrets

Kreirati direktorijum tmp/httpClientCache

mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown jetty /opt/shibboleth-idp/tmp/httpClientCache

Preuzeti fajl services.xml:

mv /opt/shibboleth-idp/conf/services.xml /opt/shibboleth-idp/conf/services_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/services.xml -O /opt/shibboleth-idp/conf/services.xml

Restartovati Jetty servis:

systemctl restart jetty.service

Proveriti status Davaoca Identiteta:

bash /opt/shibboleth-idp/bin/status.sh

Pridruživanje iAMRES Federaciji¶

Pridruživanje iAMRES Federaciji podrazumeva razmenu metapodataka konfigurisanog Davaoca Identiteta i postojećih Davalaca Servisa. U narednim koracima potrebno je preuzeti metapodatke Davalaca Servisa iAMRES Federacije.

Preuzeti sertifikat za potpis metapodatka na lokaciju: /opt/shibboleth-idp/metadata/

wget https://docs.amres.ac.rs/download/shibboleth/md.iamres.ac.rs.crt -O /opt/shibboleth-idp/metadata/md.iamres.ac.rs.crt

Preuzeti skriptu za preuzimanje metapodataka SP entiteta iAMRES Federacije (metadata.sh) na lokaciju: /opt/shibboleth-idp/metadata/

wget https://docs.amres.ac.rs/download/shibboleth/metadata.sh -O /opt/shibboleth-idp/metadata/metadata.sh

Dati skripti odgovarajuću privilegiju za izvršavanje:

chmod +x /opt/shibboleth-idp/metadata/metadata.sh

Pokrenuti skriptu:

cd /opt/shibboleth-idp/metadata/

./metadata.sh

Rezultat pokretanja skripte je kreiranje fajla iamres_federacija_metadata.xml

Ovaj fajl predstavlja skup metapodataka Davaoca Servisa iAMRES Federacije.

Preuzeti fajl metadata-providers.xml na lokaciju /opt/shibboleth-idp/conf/:

mv /opt/shibboleth-idp/conf/metadata-providers.xml /opt/shibboleth-idp/conf/metadata-providers.xml_default

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/metadata-providers.xml -O /opt/shibboleth-idp/conf/metadata-providers.xml

Pregled fajla metadata-providers.xml sa tumačenjem njegovog sadržaja:

U prikazanom delu fajla navode se Davaoci Servisa iAMRES Federacije, čiji su metapodaci preuzeti skriptom (./metadata.sh) i čitaju se iz gore pomenutog fajla (iamres_federacija_metadata.xml). Ovi metapodaci su potpisani sertifikatom md.iamres.ac.rs.crt.

<MetadataProvider
    id="iAMRES"
    xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/iamres_federacija_metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="/opt/shibboleth-idp/metadata/md.iamres.ac.rs.crt"/>
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

<MetadataFilter xsi:type="EntityRole">

    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>   

    <MetadataFilter xsi:type="Algorithm">

        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://testsp3.amres.ac.rs/simplesaml/module.php/saml/sp/metadata.php/default-sp</Entity>
        <Entity>https://ucionica.amres.ac.rs/auth/saml2/sp/metadata.php</Entity>
        <Entity>https://proxy.iamres.amres.ac.rs/simplesaml/module.php/saml/sp/metadata.php/amres.ac.rs</Entity>
    </MetadataFilter>
</MetadataProvider>

U prikazanom delu fajla navode se Davaoci Servisa eduGAIN Interfederacije, čiji se metapodaci dinamički preuzimaju sa linka (http://md.iamres.ac.rs/iamres_metadata/iamres-interfederation-sp-metadata.xml). Pored toga kreira se i njihov backingFile (eduGAIN-metadata.xml). Ovi metapodaci su potpisani sertifikatom md.iamres.ac.rs.crt.

<MetadataProvider
id="eduGAIN"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/eduGAIN-metadata.xml"
metadataURL="http://md.iamres.ac.rs/iamres_metadata/iamres-interfederation-sp-metadata.xml">

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="/opt/shibboleth-idp/metadata/md.iamres.ac.rs.crt"/>

<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>

    <MetadataFilter xsi:type="Algorithm">

        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<!--        <Entity>https://ucionica.amres.ac.rs/auth/saml2/sp/metadata.php</Entity>-->
    </MetadataFilter>

</MetadataProvider>

U prikazanom delu fajla navode se Davaoci Servisa čiji se metapodaci unose ručno u posebnim fajlovima, u okviru direktorijuma /opt/shibboleth-idp/metadata/sourceDirectory/:

<MetadataProvider
    id="iAMRESlocalDynamic"
    xsi:type="LocalDynamicMetadataProvider"
    sourceDirectory="%{idp.home}/metadata/sourceDirectory">


    <MetadataFilter xsi:type="Algorithm">

        <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <Entity>https://filesender-test.amres.ac.rs/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</Entity>
    </MetadataFilter>
</MetadataProvider>

Ukoliko budete imali potrebu za ručnim dodavanjem Davaoca Servisa u okviru direktorijuma /opt/shibboleth-idp/metadata/sourceDirectory/ fajlove kreirate tako što je naziv jednog xml fajla SHA-1 heš sažetak entityID vrednosti Davaoca Servisa, na koji je dodata ekstenzija ".xml" i dobija se na sledeći način:
Primer generisanja naziva fajla koristeći OpenSSL iz komandne linije i entityID vrednost urn:test:foobar :

$ echo -n "urn:test:foobar" | openssl sha1
d278c9975472a6b4827b1a8723192b4e99aa969c

Nakon preuzetih fajlova, restartovanja jetty procesa i pokretanja skripte sadržaj direktorijuma /opt/shibboleth-idp/metadata/ je sledeći:

[root@idp metadata]# ll
-rw-rw-r-- 1 jetty jetty 25921531 Aug  4 14:22 eduGAIN-metadata.xml
-rw-r--r-- 1 root  root    263457 Aug  4 13:55 iamres_federacija_metadata.xml
-rw-r--r-- 1 root  root     15043 Feb  7 23:16 idp-metadata_default.xml
-rw-r--r-- 1 root  root     15081 Jul 21 10:56 idp-metadata.xml
-rw-r--r-- 1 root  root      1980 Feb  8 10:27 md.iamres.ac.rs.crt
-rwxr-xr-x 1 root  root       192 Feb  8 10:27 metadata.sh

Nakon izvršene konfiguracije i preuzimanja metapodataka, potrebno je registrovati metapodatke vašeg Davaoca Identiteta na iAMRES Federaciju, slanjem mejla sa linkom https://institucija.ac.rs/idp/shibboleth na helpdesk@amres.ac.rs.

Crontab¶

Potrebno je da se podesi da se skripta metadata.sh pokreće na svaki pun sat (u 00) svakog dana:

crontab -e

0 * * * * /opt/shibboleth-idp/metadata/metadata.sh

Uslovi korišćenja i saglasnost za slanje podataka¶

Uvesti Consent modul (modul za davanje saglasnosti):

cd /opt/shibboleth-idp/

bin/module.sh -t idp.intercept.Consent || bin/module.sh -e idp.intercept.Consent

Rezultat komande

INFO  - Including auto-located properties in bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in bin/../conf/ldap.properties
INFO  - Including auto-located properties in bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in bin/../conf/services.properties
INFO  - Including auto-located properties in bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in bin/../conf/ldap.properties
INFO  - Including auto-located properties in bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in bin/../conf/saml-nameid.properties
INFO  - Including auto-located properties in bin/../conf/services.properties
Enabling idp.intercept.Consent...
        conf/intercept/consent-intercept-config.xml created
        views/intercept/attribute-release.vm created
        views/intercept/terms-of-use.vm created
[OK]

Omogućiti Consent Module preuzimanjem fajla /opt/shibboleth-idp/conf/relying-party.xml

mv /opt/shibboleth-idp/conf/relying-party.xml /opt/shibboleth-idp/conf/relying-party_default.xml

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/relying-party.xml -O /opt/shibboleth-idp/conf/relying-party.xml

Preuzeti fajl /opt/shibboleth-idp/views/intercept/attribute-release.vm:

mv /opt/shibboleth-idp/views/intercept/attribute-release.vm /opt/shibboleth-idp/views/intercept/attribute-release_default.vm

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/attribute-release.vm -O /opt/shibboleth-idp/views/intercept/attribute-release.vm

Preuzeti fajl /opt/shibboleth-idp/views/intercept/terms-of-use.vm:

mv /opt/shibboleth-idp/views/intercept/terms-of-use.vm /opt/shibboleth-idp/views/intercept/terms-of-use_default.vm

wget https://docs.amres.ac.rs/download/shibboleth/5.1.2/terms-of-use.vm -O /opt/shibboleth-idp/views/intercept/terms-of-use.vm

Pokretanje build skripte

cd /opt/shibboleth-idp/bin ; ./build.sh

Izveštaj pokretanja skripte

Treba enter negde

[root@idp messages]# cd /opt/shibboleth-idp/bin ; ./build.sh
INFO  - net.shibboleth.idp.installer.impl.IdPBuildArguments@6bc168e5
INFO  - Rebuilding /opt/shibboleth-idp/bin/./../war/idp.war, Version 5.1.2
INFO  - Initial populate from ./../dist/webapp to ./../webpapp.tmp
INFO  - Overlay from ./../dist/plugin-webapp to ./../webpapp.tmp
INFO  - Overlay from ./../edit-webapp to ./../webpapp.tmp
INFO  - Creating war file ./../war/idp.war

Restartovati Jetty servis:

systemctl restart jetty.service

Testiranje slanja atributa iz komandne linije¶

Ovu komandu je moguće koristiti nakon pridruživanje iAMRES federaciji, u cilju testiranja slanja atributa ka Test servisu.

bash /opt/shibboleth-idp/bin/aacli.sh -n <UID> -r https://testsp.amres.ac.rs/shibboleth --saml2

Napomena: Umesto uneti odgovorajuće korisničko ime iz baze. Umesto entityID vrednosti Test servisa možete uneti entityID servisa čiju konekciju testirate.

Pregled korisnih logova¶

Jetty logovi:¶

cd /opt/jetty/logs

ls -l *.stderrout.log

Shibboleth IdP logovi:¶

cd /opt/shibboleth-idp/logs

Audit Log:

vim idp-audit.log

Consent Log:

vim idp-consent-audit.log

Warn Log:

tail -f idp-warn.log

Process Log:

tail -f idp-process.log

Instalacija Davaoca Identiteta (Shibboleth IdP 5.1.2) - Debian/Ubuntu

Priprema pred instalaciju¶

Hardverski zahtevi¶

Softver koji će biti instaliran¶

Podesiti IP TABLES¶

Podesiti hosta¶

Konfiguracija okruženja¶

Instalacija neophodnih softverskih paketa¶

Instalirati Apache web server¶

Instalirati Amazon Corretto JDK¶

Instalirati Jetty Servlet Container¶

Instalacija Davaoca Identiteta ( Shibboleth IdP 5.1.2 )¶

Onemogućiti Jetty Directory indeksiranje¶

Konfiguracija Apache Web servera¶

Komercijalni SSL sertifikat¶

Konfiguracija Jetty Context Descriptor za Davaoca Identiteta¶

Konfiguracija - Apache2 (front-end Jetty)¶

Konfiguracija skladišta Davaoca Identiteta¶

Integracija sa OpenLDAP bazom podataka¶

Fajl secrets.properties¶

Fajl ldap.properties¶

Podesiti da Davaoc Identiteta kreira persistent NameID¶

Strategija A "Computed mode" (preporučena):¶

Strategija B "Stored mode" (korišćenje baze podataka za skladištenje persistent NameID)¶

Podešavanje attribute-resolver.xml fajla¶

Podesiti da Shibboleth Identity Provider oslobađa eduPersonTargetedID¶

Uneti dodatne šeme za definisanje atributa¶

Konfiguracija Shibboleth IdP Logova¶

Podešavanje interfejsa¶

Izmeniti fajl idp-metadata.xml¶

Podešavanje kolačića i ostalih podataka¶

Konfigurisati IdP da koristi adekvatan Attribute Filter Policy dokument¶

Pridruživanje iAMRES Federaciji¶

Crontab¶

Uslovi korišćenja i saglasnost za slanje podataka¶

Testiranje slanja atributa iz komandne linije¶

Pregled korisnih logova¶

Jetty logovi:¶

Shibboleth IdP logovi:¶