Shibboleth

From BrapciWiki

Shibboleth Tests

DiscoFeed

Shibboleth


[https://samltest.id/download/]

apt install shibboleth-sp-utils

To test the configuration

shibd -t

Installing Apache2

apt-get install libapache2-mod-shib2
a2enmod shib
a2enmod proxy
a2enmod proxy_ajp

Apache2 configuration

<IfModule mod_ssl.c>
<VirtualHost *:443>
       ServerName vitrinedadosabertos.rnp.br
       ServerAdmin renefgj@gmail.com
#      ErrorLog ${APACHE_LOG_DIR}/error.log
#      CustomLog ${APACHE_LOG_DIR}/access.log combined
       DocumentRoot "/var/www/html/"
#
       ProxyPass /s1 !
       ProxyPass /dataview !
       ProxyPass /dvn !
       ProxyPass /Shibboleth.sso !
#      ProxyPass
       <Directory "/var/www/dataverse/branding/">
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               allow from all
               Require all granted
       </Directory>
#
       SSLCertificateFile /etc/letsencrypt/live/vitrinedadosabertos-dev.rnp.br/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/vitrinedadosabertos-dev.rnp.br/privkey.pem
       Include /etc/letsencrypt/options-ssl-apache.conf
#
       # don't pass paths used by Shibboleth to Payara
       ProxyPassMatch ^/Shibboleth.sso !
       ProxyPassMatch ^/shibboleth-ds !
       # pass everything else to Payara
       ProxyPass / ajp://localhost:8009/
       <Location /shib.xhtml>
         AuthType shibboleth
         ShibRequestSetting requireSession 1
         require valid-user
       </Location>
</VirtualHost>
</IfModule>


Mods

shib
proxy
proxy_ajp
ssl

Check the hostname

VirtualHost

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName vitrinedadosabertos.rnp.br
        ServerAdmin renefgj@gmail.com
#       ErrorLog ${APACHE_LOG_DIR}/error.log
#       CustomLog ${APACHE_LOG_DIR}/access.log combined
        DocumentRoot "/var/www/html/"

        ProxyPass /s1 !
        ProxyPass /dataview !
        ProxyPass /dvn !
        ProxyPass /Shibboleth.sso !
#       ProxyPass


        Alias "/s1/" "/var/www/html/s2/"
        Alias "/dataview/" "/data/DataView/public/"

        <Directory "/data/DataView/public/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                Require all granted
        </Directory>

        SSLCertificateFile /etc/letsencrypt/live/vitrinedadosabertos.rnp.br/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/vitrinedadosabertos.rnp.br/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        # don't pass paths used by Shibboleth to Payara
        ProxyPassMatch ^/Shibboleth.sso !
        ProxyPassMatch ^/shibboleth-ds !
        # pass everything else to Payara
        ProxyPass / ajp://localhost:8009/

        <Location /shib.xhtml>
          AuthType shibboleth
          ShibRequestSetting requireSession 1
          require valid-user
        </Location>
</VirtualHost>
</IfModule>

Installing Java

apt-get install default-jdk -y
java --version

Download the Shibboleth IdP (4.2.1)

wget https://shibboleth.net/downloads/identity-provider/4.2.1/shibboleth-identity-provider-4.2.1.tar.gz
tar -xvzf shibboleth-identity-provider-4.2.1.tar.gz
cd shibboleth-identity-provider-4.2.1/bin
./install.sh
chown -R payara /opt/shibboleth-idp

Ubuntu

apt install shibboleth-sp-utils

Install AJP

$PAYARA/bin/asadmin create-network-listener --protocol http-listener-1 --listenerport 8009 --jkenabled true jk-connector

Install

Create a self-signed certificate (SSL).

sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

APT Install

sudo apt-get install libapache2-mod-shib2

Now generate the Shibboleth SP certificate with the following command and inspect the result.

sudo shib-keygen -h localhost
openssl x509 -text -noout -in /etc/shibboleth/sp-cert.pem

Open the Shibboleth SP configuration file.

sudo nano /etc/shibboleth/shibboleth2.xml

Generate a local certificate

File:Keygen.zip

Test for errors

shibd -t

View the logs

pico /var/log/shibboleth/shibd.log

Schollar Ship - Attributes

Dataverse Shibboleth SP files:

/etc/shibboleth/shibboleth2.xml

Shibboleth IdP files:

/opt/shibboleth-idp/conf/attribute-filter.xml
/opt/shibboleth-idp/conf/attribute-resolver.xml

IdP attributes

In the attribute-map.xml file it is possible to create aliases for attributes that are not available; for example:

Creates a givenName alias for cn

<Attribute name="urn:oid:2.5.4.3" id="cn" aliases="givenName"/>

Creates two aliases for cn, givenName and cedap

<Attribute name="urn:oid:2.5.4.3" id="cn" aliases="givenName cedap"/>

Test

To display the attributes of the login session, set the showAttributeValues parameter of the Session handler to "true" in the shibboleth2.xml file

<Handler type="Session" Location="/Session" showAttributeValues="true"/>

To view the attributes:

[https://vitrinedadosabertos-dev.rnp.br/Shibboleth.sso/Session]

Test on RNP's Chimarrão

The attributes supplied by the IdPs can be seen at:

[https://ds.chimarrao.cafe.rnp.br/]


Credential Resolver

       <CredentialResolver type="File" use="signing"
           key="cert/sp-key.pem" certificate="cert/sp-cert.pem"/>
       <CredentialResolver type="File" use="encryption"
           key="cert/sp-key.pem" certificate="cert/sp-cert.pem"/>

Metadata Provider

Defining the MetadataProvider used for authentication

       <MetadataProvider type="XML" validate="true"
               url="https://ds.cafe.rnp.br/metadata/cafe-metadata.xml"
               backingFilePath="/etc/shibboleth/cache/CAFE.xml">
       </MetadataProvider>

To keep the metadata file fixed (not cached and not refreshed), change backingFilePath to path:

       <MetadataProvider
               type="XML"
               path="/etc/shibboleth/chimarrao-unic.xml">
       </MetadataProvider>
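The two shibboleth2.xml settings above (showAttributeValues on the Session handler, and remote versus fixed MetadataProvider sources) are the ones a reviewer checks first. The script below is an added example, not part of this wiki page or the Shibboleth project; it audits a constructed shibboleth2.xml fragment modelled on the snippets above (the entityID sp.example.invalid is a placeholder) and reports the settings worth a second look before going to production.

```python
"""Audit shibboleth2.xml for the Session handler and MetadataProvider settings
discussed above. SAMPLE is constructed for this example, not a deployment file."""
import xml.etree.ElementTree as ET

SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.invalid/shibboleth">
    <Sessions handlerSSL="true">
      <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    </Sessions>
    <MetadataProvider type="XML" validate="true"
        url="https://ds.cafe.rnp.br/metadata/cafe-metadata.xml"
        backingFilePath="/etc/shibboleth/cache/CAFE.xml">
    </MetadataProvider>
    <MetadataProvider type="XML" path="/etc/shibboleth/chimarrao-unic.xml">
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace so SP 2.x and 3.x config files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return (finding, value) pairs, in document order, for settings to review."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "Handler" and el.get("type") == "Session":
            # Echoing attribute values on /Session is a debugging aid only.
            if el.get("showAttributeValues", "false").lower() == "true":
                findings.append(("session-shows-attributes", el.get("Location")))
        elif name == "MetadataProvider":
            signed = any(_local(c.tag) == "MetadataFilter" and c.get("type") == "Signature"
                         for c in el)
            if el.get("url") and not signed:
                # Remote metadata without a Signature filter relies on TLS alone.
                findings.append(("metadata-unsigned", el.get("url")))
            if el.get("path") and not el.get("url"):
                # A fixed local file never refreshes, so rotated IdP keys are missed.
                findings.append(("metadata-static", el.get("path")))
    return findings


if __name__ == "__main__":
    for code, value in audit(SAMPLE):
        print(code, value)
```

Run it against /etc/shibboleth/shibboleth2.xml by passing the file contents to audit(); an empty list means none of the three conditions was found.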

IdP