Shibboleth

From BrapciWiki
Revision as of 21:04, 19 January 2023 by Renefgj (talk | contribs) (→Test)

Shibboleth Tests

DiscoFeed

Shibboleth


[https://samltest.id/download/]

apt install shibboleth-sp-utils

To test

shibd -t

Installing Apache2

apt-get install libapache2-mod-shib2
a2enmod shib
a2enmod proxy        # mod_proxy ships with the apache2 package; it only needs to be enabled
a2enmod proxy_ajp

Apache2 configuration

<IfModule mod_ssl.c>
<VirtualHost *:443>
       ServerName vitrinedadosabertos.rnp.br
       ServerAdmin renefgj@gmail.com
#      ErrorLog ${APACHE_LOG_DIR}/error.log
#      CustomLog ${APACHE_LOG_DIR}/access.log combined
       DocumentRoot "/var/www/html/"
#
       ProxyPass /s1 !
       ProxyPass /dataview !
       ProxyPass /dvn !
       ProxyPass /Shibboleth.sso !
#      ProxyPass
       <Directory "/var/www/dataverse/branding/">
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               allow from all
               Require all granted
       </Directory>
#
       SSLCertificateFile /etc/letsencrypt/live/vitrinedadosabertos-dev.rnp.br/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/vitrinedadosabertos-dev.rnp.br/privkey.pem
       Include /etc/letsencrypt/options-ssl-apache.conf
#
       # don't pass paths used by Shibboleth to Payara
       ProxyPassMatch ^/Shibboleth.sso !
       ProxyPassMatch ^/shibboleth-ds !
       # pass everything else to Payara
       ProxyPass / ajp://localhost:8009/
       <Location /shib.xhtml>
         AuthType shibboleth
         ShibRequestSetting requireSession 1
         require valid-user
       </Location>
</VirtualHost>
</IfModule>


Mods

shib
proxy
proxy_ajp
ssl

Check the hostname

VirtualHost

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName vitrinedadosabertos.rnp.br
        ServerAdmin renefgj@gmail.com
#       ErrorLog ${APACHE_LOG_DIR}/error.log
#       CustomLog ${APACHE_LOG_DIR}/access.log combined
        DocumentRoot "/var/www/html/"

        ProxyPass /s1 !
        ProxyPass /dataview !
        ProxyPass /dvn !
        ProxyPass /Shibboleth.sso !
#       ProxyPass


        Alias "/s1/" "/var/www/html/s2"
        Alias "/dataview/" "/data/DataView/public/"

        <Directory "/data/DataView/public/">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                Require all granted
        </Directory>

        # SSLCertificateFile was missing from this vhost (mod_ssl refuses to start without it);
        # Let's Encrypt stores it beside privkey.pem as fullchain.pem
        SSLCertificateFile /etc/letsencrypt/live/vitrinedadosabertos.rnp.br/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/vitrinedadosabertos.rnp.br/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        # don't pass paths used by Shibboleth to Payara
        ProxyPassMatch ^/Shibboleth.sso !
        ProxyPassMatch ^/shibboleth-ds !
        # pass everything else to Payara
        ProxyPass / ajp://localhost:8009/

        <Location /shib.xhtml>
          AuthType shibboleth
          ShibRequestSetting requireSession 1
          require valid-user
        </Location>
</VirtualHost>
</IfModule>
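Both VirtualHost blocks above rely on the same rule: Apache evaluates ProxyPass and ProxyPassMatch directives in configuration order and applies the first one that matches, so the "!" exclusions for /Shibboleth.sso and /shibboleth-ds must appear before the catch-all "ProxyPass / ajp://localhost:8009/", otherwise the SP's handler URLs are forwarded to Payara and the SSO flow breaks. The following script is an added example, not part of this wiki page or of the Shibboleth or Dataverse projects; it lints a vhost text for that ordering. The two vhost fragments inside it are constructed samples that only mirror the directives used above.

```python
import re

# Constructed vhost fragments (not the page's files); indentation mirrors a real httpd.conf.
GOOD_VHOST = """\
<VirtualHost *:443>
        ProxyPass /Shibboleth.sso !
        # don't pass paths used by Shibboleth to Payara
        ProxyPassMatch ^/Shibboleth.sso !
        ProxyPassMatch ^/shibboleth-ds !
        # pass everything else to Payara
        ProxyPass / ajp://localhost:8009/
</VirtualHost>
"""

# Same directives, but the catch-all comes first: the SP handler paths never reach shibd.
BAD_VHOST = """\
<VirtualHost *:443>
        ProxyPass / ajp://localhost:8009/
        ProxyPassMatch ^/Shibboleth.sso !
        ProxyPassMatch ^/shibboleth-ds !
</VirtualHost>
"""

PROXY_RE = re.compile(r"^\s*(ProxyPass|ProxyPassMatch)\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Paths the Shibboleth SP handles itself; both must be excluded from proxying.
REQUIRED = ("Shibboleth.sso", "shibboleth-ds")


def proxy_rules(conf: str):
    """Yield (lineno, directive, path, target) for every active ProxyPass line."""
    for n, line in enumerate(conf.splitlines(), 1):
        if line.lstrip().startswith("#"):      # commented-out directives are ignored by Apache
            continue
        m = PROXY_RE.match(line)
        if m:
            yield n, m.group(1), m.group(2), m.group(3)


def check_shib_exclusions(conf: str) -> list:
    """Return a list of problems; an empty list means every Shibboleth path is
    excluded ('!') before the first catch-all 'ProxyPass /' (first match wins)."""
    problems = []
    catchall_line = None
    seen = set()
    for n, directive, path, target in proxy_rules(conf):
        if path == "/" and target != "!":
            catchall_line = catchall_line or n
            continue
        if target == "!":
            for name in REQUIRED:
                if name.lower() in path.lower():
                    seen.add(name)
                    if catchall_line is not None:
                        problems.append(
                            f"line {n}: exclusion for {name} comes after the catch-all on line {catchall_line}")
    if catchall_line is None:
        problems.append("no catch-all 'ProxyPass /' found")
    for name in REQUIRED:
        if name not in seen:
            problems.append(f"no '!' exclusion for /{name}")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_VHOST), ("bad", BAD_VHOST)):
        print(label, check_shib_exclusions(conf) or "ok")
```

To run it against a real site file, read the file with open() and pass its contents to check_shib_exclusions(); a non-empty list is what you would expect to see before apachectl is reloaded.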

Installing Java

apt-get install default-jdk -y
java --version

Download 4.1.4

wget https://shibboleth.net/downloads/identity-provider/4.2.1/shibboleth-identity-provider-4.2.1.tar.gz
tar -xvzf shibboleth-identity-provider-4.2.1.tar.gz
cd shibboleth-identity-provider-4.2.1/bin
./install.sh
chown -R payara /opt/shibboleth-idp

Ubuntu

apt install shibboleth-sp-utils    # this is the package that provides the shibd daemon

Install AJP

$PAYARA/bin/asadmin create-network-listener --protocol http-listener-1 --listenerport 8009 --jkenabled true jk-connector

Install

Create a self-signed certificate (SSL).

sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

APT Install

sudo apt-get install libapache2-mod-shib2

Now generate the Shibboleth SP key and certificate and inspect the result:

sudo shib-keygen -h localhost
openssl x509 -text -noout -in /etc/shibboleth/sp-cert.pem

Open the Shibboleth SP configuration file:

sudo nano /etc/shibboleth/shibboleth2.xml

Generate a local certificate

File:Keygen.zip

Test for errors

shibd -t

View the logs

pico /var/log/shibboleth/shibd.log

Schollar Ship - Attributes

Dataverse Shibboleth SP file: /etc/shibboleth/shibboleth2.xml
Shibboleth IdP files: /opt/shibboleth-idp/conf/attribute-filter.xml and /opt/shibboleth-idp/conf/attribute-resolver.xml

IdP attributes

In attribute-map.xml you can create aliases for attributes that are not available. Examples:

Creates one attribute, givenName:

<Attribute name="urn:oid:2.5.4.3" id="cn" aliases="givenName"/>

Creates two attributes, givenName and cedap:

<Attribute name="urn:oid:2.5.4.3" id="cn" aliases="givenName cedap"/>
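An alias in attribute-map.xml is simply a second local name populated from the same incoming SAML attribute, so an alias that coincides with another rule's id (or another rule's alias) leaves the application unable to tell which value it is reading. The script below is an added example, not part of this page or of the Shibboleth SP; it parses a constructed attribute-map.xml fragment that uses the alias form shown above, lists every local name with the SAML attribute name(s) that feed it, and flags names defined by more than one rule. The OIDs for mail (0.9.2342.19200300.100.1.3) and givenName (2.5.4.42) are the standard ones; the collision in the sample is deliberate.

```python
import xml.etree.ElementTree as ET

# Constructed attribute-map.xml fragment (not the page's file). The first rule is the
# page's aliasing trick; the third rule deliberately reuses "givenName" as an id so the
# collision check has something to report.
ATTRIBUTE_MAP = """\
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
    <Attribute name="urn:oid:2.5.4.3" id="cn" aliases="givenName cedap"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
</Attributes>
"""


def _local_tag(tag: str) -> str:
    """Strip the XML namespace prefix ('{urn:...}Attribute' -> 'Attribute')."""
    return tag.rsplit("}", 1)[-1]


def local_names(xml_text: str) -> dict:
    """Map each local name (id or alias) to the list of SAML attribute names
    that populate it, in document order."""
    root = ET.fromstring(xml_text)
    names = {}
    for el in root.iter():
        if _local_tag(el.tag) != "Attribute":
            continue
        saml_name = el.get("name")
        # The id plus every whitespace-separated alias are all local names for this attribute.
        for local in [el.get("id"), *el.get("aliases", "").split()]:
            if local:
                names.setdefault(local, []).append(saml_name)
    return names


def alias_collisions(xml_text: str) -> dict:
    """Local names that more than one rule populates; resolve these before
    trusting the corresponding REMOTE_USER or request-header value."""
    return {local: sources for local, sources in local_names(xml_text).items()
            if len(sources) > 1}


if __name__ == "__main__":
    for local, sources in local_names(ATTRIBUTE_MAP).items():
        print(f"{local:<10} <- {', '.join(sources)}")
    print("collisions:", alias_collisions(ATTRIBUTE_MAP) or "none")
```

Point local_names() at the real /etc/shibboleth/attribute-map.xml to see which header or environment names a given IdP attribute will surface under after the alias edit, and run alias_collisions() before restarting shibd.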

Test

To display the login sessions, set the showAttributeValues parameter to "true" in shibboleth2.xml:

<Handler type="Session" Location="/Session" showAttributeValues="true"/>

To view the attributes: [https://vitrinedadosabertos-dev.rnp.br/Shibboleth.sso/Session]

Since this exposes the attribute values of the current session in the browser, set it back to "false" once testing is finished.

Test on RNP Chimarrão

The attributes provided by the IdPs can be seen at [https://ds.chimarrao.cafe.rnp.br/]

IdP

* Embrapa
* Fiocruz
* Metadata Cafe
* UFRA
* Search IdP
* RNP
* RNP Chimarrão