Shibboleth: Difference between versions
(→Configuration apache) |
|||
| Ligne 96 : | Ligne 96 : | ||
| − | == Configuration apache == | + | === Configuration apache === |
| − | + | Shibboleth Service Provider Access Rules | |
It is the resource administrator's responsibility to configure the correct access rules for a protected resource. A resource either can be protected with acces rules defined in the web server configuration or by the application itself by checking certain Shibboleth attributes. In both cases, a Shibboleth session must be enforced on the file, location or directory to protect. Second, there must be an authorization rule based on attributes that determines how access is granted. | It is the resource administrator's responsibility to configure the correct access rules for a protected resource. A resource either can be protected with acces rules defined in the web server configuration or by the application itself by checking certain Shibboleth attributes. In both cases, a Shibboleth session must be enforced on the file, location or directory to protect. Second, there must be an authorization rule based on attributes that determines how access is granted. | ||
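Review bot: the inserted line "Shibboleth Service Provider Access Rules" sits as plain text between the demoted "=== Configuration apache ===" heading and the paragraph, so it renders as a one-line paragraph rather than the subsection title it reads as; make it a heading one level below (==== Shibboleth Service Provider Access Rules ====) or fold it into the heading above. The paragraph carried over unchanged still has the typo "acces rules".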
| Ligne 120 : | Ligne 120 : | ||
For first testing purposes (in Apache) it is OK to start with the most simple access rule that grants access to any user with a valid AAI login and redirects all non-ssl http requets to https before processing by Shibboleth, which is recommended: | For first testing purposes (in Apache) it is OK to start with the most simple access rule that grants access to any user with a valid AAI login and redirects all non-ssl http requets to https before processing by Shibboleth, which is recommended: | ||
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | ShibRedirectToSSL 443 | + | ShibRedirectToSSL 443 |
| − | require valid-user | + | require valid-user |
In the following some common rules (based on an example page by University of Zurich) are shown together with a description of what effect they have. | In the following some common rules (based on an example page by University of Zurich) are shown together with a description of what effect they have. | ||
More information on this topic can also be found in the corresponding Shibboleth Wiki page. | More information on this topic can also be found in the corresponding Shibboleth Wiki page. | ||
| − | All users with an AAI login | + | '''All users with an AAI login''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | require valid-user | + | require valid-user |
| − | All university users with an AAI login | + | '''All university users with an AAI login''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | require homeOrganizationType university | + | require homeOrganizationType university |
| − | All users from university of Zurich | + | '''All users from university of Zurich''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | require homeOrganization unizh.ch | + | require homeOrganization unizh.ch |
| − | All staff members from university of Zurich (with regular expression example) | + | '''All staff members from university of Zurich (with regular expression example)''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | ShibRequireAll On | + | ShibRequireAll On |
| − | require affiliation staff | + | require affiliation staff |
| − | require homeOrganization ~ ^unizh.ch$ | + | require homeOrganization ~ ^unizh.ch$ |
| − | People whose email address match a regular expression (in this case all D-ITET students from ETHZ) | + | '''People whose email address match a regular expression (in this case all D-ITET students from ETHZ)''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | ShibRequireAll On | + | ShibRequireAll On |
| − | require affiliation staff | + | require affiliation staff |
| − | require homeOrganization ~ .*@ee.ethz.ch$ | + | require homeOrganization ~ .*@ee.ethz.ch$ |
| − | All users from university of Zurich or ETH Zurich | + | '''All users from university of Zurich or ETH Zurich''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | require homeOrganization unizh.ch ethz.ch | + | require homeOrganization unizh.ch ethz.ch |
| − | All students from university of Zurich or ETH Zurich | + | '''All students from university of Zurich or ETH Zurich''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | ShibRequireAll On | + | ShibRequireAll On |
| − | require affiliation student | + | require affiliation student |
| − | require homeOrganization unizh.ch ethz.ch | + | require homeOrganization unizh.ch ethz.ch |
| − | Only users with the following e-Mail addresses | + | '''Only users with the following e-Mail addresses''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | require mail user-x@switch.ch user-y@switch.ch | + | require mail user-x@switch.ch user-y@switch.ch |
| − | Only users with the following uniqueIDs | + | '''Only users with the following uniqueIDs''' |
| − | AuthType shibboleth | + | AuthType shibboleth |
| − | ShibRequireSession On | + | ShibRequireSession On |
| − | require uniqueID 000123@switch.ch 000455@switch.c | + | require uniqueID 000123@switch.ch 000455@switch.c |
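Review bot: this revision only bolds the example titles and carries over a logic problem in the block titled "People whose email address match a regular expression (in this case all D-ITET students from ETHZ)": "require affiliation staff" and "require homeOrganization ~ .*@ee.ethz.ch$" test the staff affiliation and the home organisation name, neither of which is an e-mail address, so the rule cannot match what its title describes. Suggest "require affiliation student" and "require mail ~ .*@ee.ethz.ch$", mirroring the "require mail" rule further down. The last rule's second value "000455@switch.c" also looks truncated, since every other address on the page ends in ".ch".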
Version of 30 June 2009 at 09:51
Shibboleth-SP installation
Debian
* Prerequisites:
apt-get install build-essential libssl0.9.8 libssl-dev libcurl3 libcurl3-dev apache2-threaded-dev
* log4shib:
wget http://shibboleth.internet2.edu/downloads/log4shib/1.0/log4shib-1.0.tar.gz
tar xvzf log4shib-1.0.tar.gz
cd log4shib-1.0
./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
make && make install
* Xerces-C:
wget http://archive.apache.org/dist/xml/xerces-c/sources/xerces-c-src_2_8_0.tar.gz
tar xvzf xerces-c-src_2_8_0.tar.gz
cd xerces-c-src_2_8_0
export XERCESCROOT=`pwd`
cd src/xercesc
./runConfigure -p linux -r pthread -P /opt/shibboleth-sp
make && make install
* XML-Security-C:
wget http://xml.apache.org/security/dist/c-library/xml-security-c-1.4.0.tar.gz
tar xvzf xml-security-c-1.4.0.tar.gz
cd xml-security-c-1.4.0
./configure --without-xalan --prefix=/opt/shibboleth-sp
make && make install
* XMLTooling-C:
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/xmltooling-1.1.tar.gz
tar xvzf xmltooling-1.1.tar.gz
cd xmltooling-1.1
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make && make install
* OpenSAML-C:
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/opensaml-2.1.tar.gz
tar xvzf opensaml-2.1.tar.gz
cd opensaml-2.1
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make && make install
* Shibboleth:
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/shibboleth-sp-2.1.tar.gz
tar xvzf shibboleth-sp-2.1.tar.gz
cd shibboleth-2.1
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp
make && make install
cp /opt/shibboleth-sp/etc/shibboleth/shibd-debian /etc/init.d/shibd
Red Hat
* log4shib:
wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/log4shib-1.0-1.i386.rpm
rpm -ivh log4shib-1.0-1.i386.rpm
* Xerces:
wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/xerces-c-2.8.0-1.i386.rpm
rpm -ivh xerces-c-2.8.0-1.i386.rpm
* xml-security:
wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/xml-security-c-1.4.0-1.i386.rpm
rpm -ivh xml-security-c-1.4.0-1.i386.rpm
* xmltooling:
wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/xmltooling-1.1-1.i386.rpm
rpm -ivh xmltooling-1.1-1.i386.rpm
* opensaml:
wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/opensaml-2.1-1.i386.rpm
rpm -ivh opensaml-2.1-1.i386.rpm
* Shibboleth-sp:
wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/shibboleth-2.1-1.i386.rpm
rpm -ivh shibboleth-2.1-1.i386.rpm
Certificates
openssl genrsa 1024 > /tmp/dr13.cnrs.fr.key
openssl req -new -x509 -nodes -sha1 -days 7300 -subj "/C=FR/O=CNRS/CN=dr13.cnrs.fr" -key /tmp/dr13.cnrs.fr.key > /tmp/dr13.cnrs.fr.crt
openssl x509 -noout -fingerprint -text < /tmp/dr13.cnrs.fr.crt >> /tmp/dr13.cnrs.fr.crt
mv /tmp/dr13.cnrs.fr.* /etc/shibboleth/ssl/
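As an added example (not from this page), the following shell functions wrap the openssl steps above so that the SP certificate can be checked before it is installed: one generates a throw-away self-signed certificate in a directory of your choice (same command shape as above, but with a 2048-bit key, SHA-256 and a placeholder subject), one prints the SHA-1 fingerprint in the colon-separated form usually used when comparing certificates by hand, one compares a certificate against an expected fingerprint, and one confirms that a key and a certificate belong together. The directory, the subject and the fingerprint values are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the page: helpers around the openssl steps above.
# Directory, subject and expected fingerprints are constructed placeholders.

# make_test_cert DIR CN
# Writes DIR/sp.key and DIR/sp.crt (self-signed, 2048-bit RSA, SHA-256).
make_test_cert() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/sp.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -nodes -sha256 -days 3650 \
        -subj "/C=XX/O=Example SP/CN=$cn" \
        -key "$dir/sp.key" -out "$dir/sp.crt" 2>/dev/null
}

# cert_fingerprint CRT
# Prints the SHA-1 fingerprint as AB:CD:... (everything after the '=' that
# openssl prints before it).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^[^=]*=//'
}

# cert_matches CRT EXPECTED
# Returns 0 when the certificate's fingerprint equals EXPECTED (case-insensitive).
cert_matches() {
    have=$(cert_fingerprint "$1" | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# cert_key_match CRT KEY
# Returns 0 when the certificate's public key corresponds to KEY (same RSA modulus).
cert_key_match() {
    a=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    b=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demonstration in a scratch directory; the CN is a placeholder.
if command -v openssl >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    make_test_cert "$scratch" sp.example.invalid
    fp=$(cert_fingerprint "$scratch/sp.crt")
    echo "fingerprint: $fp"
    cert_matches "$scratch/sp.crt" "$fp" && echo "fingerprint matches expected value"
    cert_key_match "$scratch/sp.crt" "$scratch/sp.key" && echo "key and certificate belong together"
    rm -rf "$scratch"
fi
```

Whatever the third command above appends to the .crt file, what matters operationally is that the certificate the SP presents is the one registered for it with the federation; cert_matches gives a scripted way to confirm that after a key rotation, and cert_key_match catches the classic mistake of copying a new .crt next to an old .key.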
Apache configuration
Shibboleth Service Provider Access Rules
It is the resource administrator's responsibility to configure the correct access rules for a protected resource. A resource can either be protected with access rules defined in the web server configuration or by the application itself by checking certain Shibboleth attributes. In both cases, a Shibboleth session must be enforced on the file, location or directory to protect. Second, there must be an authorization rule based on attributes that determines how access is granted.
When using web server access rules, there are three ways to define rules:
* Web server config file: you can directly set rules for a directory, file or location in the httpd.conf of Apache. The downside of this method is that the web server has to be restarted each time the configuration file is changed.
* Directory config file: in Apache you can use so-called '.htaccess' files in directories to override the web server's static configuration settings. The rules defined in that file are dynamic, which means that they can be changed without restarting the web server. This can also be used to set Shibboleth access rules. Be sure to check that the directory in which you use a '.htaccess' file is configured with 'AllowOverride AuthConfig' to allow usage of '.htaccess' files. The downside of this method is that you cannot protect locations but only existing files and directories.
* XML access rules in the Shibboleth config (for IIS): especially needed for the IIS web server, there is a way to define access rules directly within the Shibboleth configuration file or in a linked external file that contains access rules defined using a special XML syntax. The inline access rules as well as the externally linked file are loaded dynamically by Shibboleth and thus are also suitable to protect locations for Apache.
Once your resource is ready for use, you have to configure access rules which properly protect your resource.
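As an added example (not from this wiki page), the following POSIX shell script checks a rule fragment for the two invariants described above: a Shibboleth session must be enforced (AuthType shibboleth plus ShibRequireSession On) and at least one require line must be present. A second function checks that a <Directory> block in httpd.conf grants AllowOverride AuthConfig (or All), without which a .htaccess rule is silently ignored. The configuration fragments and the paths /var/www/secure, /var/www/public and /secure-app are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the wiki page): lint helpers for Shibboleth access
# rules in Apache. All fragments and paths below are constructed samples.

# check_access_rules FRAGMENT
# FRAGMENT is the text of a .htaccess file or of a <Location>/<Directory> body.
# Prints each missing directive on its own line and returns 1 if anything is
# missing, 0 when the fragment both enforces a session and has a require rule.
check_access_rules() {
    frag=$(printf '%s\n' "$1" | sed 's/#.*//')      # strip comments
    missing=""
    printf '%s\n' "$frag" | grep -Eiq '^[[:space:]]*AuthType[[:space:]]+shibboleth([[:space:]]|$)' \
        || missing="$missing AuthType_shibboleth"
    printf '%s\n' "$frag" | grep -Eiq '^[[:space:]]*ShibRequireSession[[:space:]]+On([[:space:]]|$)' \
        || missing="$missing ShibRequireSession_On"
    printf '%s\n' "$frag" | grep -Eiq '^[[:space:]]*require[[:space:]]+[^[:space:]]' \
        || missing="$missing require_rule"
    if [ -n "$missing" ]; then
        for m in $missing; do echo "$m"; done
        return 1
    fi
    return 0
}

# directory_allows_htaccess HTTPD_CONF_TEXT DIRPATH
# Returns 0 when the <Directory DIRPATH> block in the given httpd.conf text has
# an AllowOverride that includes AuthConfig or All; .htaccess rules in that
# directory are ignored by Apache otherwise.
directory_allows_htaccess() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        BEGIN { inblock = 0; ok = 0 }
        /^[[:space:]]*<Directory[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*<Directory[[:space:]]+/, "", line)
            sub(/>.*$/, "", line)
            gsub(/"/, "", line)
            inblock = (line == dir)
        }
        inblock && /^[[:space:]]*AllowOverride[[:space:]]/ {
            if ($0 ~ /AuthConfig/ || $0 ~ /[[:space:]]All([[:space:]]|$)/) ok = 1
        }
        /^[[:space:]]*<\/Directory>/ { inblock = 0 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed samples
HTACCESS_GOOD='AuthType shibboleth
ShibRequireSession On
ShibRedirectToSSL 443
require valid-user'

HTACCESS_BAD='AuthType shibboleth
# ShibRequireSession On is missing
require valid-user'

HTTPD_CONF_SAMPLE='<Directory "/var/www/secure">
    AllowOverride AuthConfig
</Directory>
<Directory "/var/www/public">
    AllowOverride None
</Directory>
<Location /secure-app>
    AuthType shibboleth
    ShibRequireSession On
    require homeOrganization unizh.ch ethz.ch
</Location>'

# Run the checks on the samples (prints what is missing for the bad fragment)
check_access_rules "$HTACCESS_GOOD" && echo "good fragment: complete"
check_access_rules "$HTACCESS_BAD" || echo "bad fragment: incomplete"
directory_allows_htaccess "$HTTPD_CONF_SAMPLE" /var/www/secure && echo "/var/www/secure: .htaccess rules honoured"
directory_allows_htaccess "$HTTPD_CONF_SAMPLE" /var/www/public || echo "/var/www/public: AllowOverride None, .htaccess ignored"
```

Running check_access_rules over every .htaccess under the document root (and over each <Location> body extracted from httpd.conf) before a restart catches the common failure where a require line exists but no session is enforced, which the text above names as the first thing to get right.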
Examples of Apache Access Rules
For first testing purposes (in Apache) it is OK to start with the most simple access rule that grants access to any user with a valid AAI login and redirects all non-SSL HTTP requests to HTTPS before processing by Shibboleth, which is recommended:
AuthType shibboleth
ShibRequireSession On
ShibRedirectToSSL 443
require valid-user
In the following some common rules (based on an example page by University of Zurich) are shown together with a description of what effect they have. More information on this topic can also be found in the corresponding Shibboleth Wiki page.
All users with an AAI login
AuthType shibboleth
ShibRequireSession On
require valid-user
All university users with an AAI login
AuthType shibboleth
ShibRequireSession On
require homeOrganizationType university
All users from university of Zurich
AuthType shibboleth
ShibRequireSession On
require homeOrganization unizh.ch
All staff members from university of Zurich (with regular expression example)
AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation staff
require homeOrganization ~ ^unizh.ch$
People whose email address matches a regular expression (in this case all D-ITET students from ETHZ)
AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation student
require mail ~ .*@ee.ethz.ch$
All users from university of Zurich or ETH Zurich
AuthType shibboleth
ShibRequireSession On
require homeOrganization unizh.ch ethz.ch
All students from university of Zurich or ETH Zurich
AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation student
require homeOrganization unizh.ch ethz.ch
Only users with the following e-Mail addresses
AuthType shibboleth
ShibRequireSession On
require mail user-x@switch.ch user-y@switch.ch
Only users with the following uniqueIDs
AuthType shibboleth
ShibRequireSession On
require uniqueID 000123@switch.ch 000455@switch.c
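The rules above are evaluated by the Shibboleth module inside Apache. As an added example (not from this page and not Shibboleth code), the following POSIX shell script models that evaluation so the effect of ShibRequireAll and of the "~" regex form can be tried against constructed attribute sets: a require line with several values matches when any of the user's values equals any listed value, "~" makes each listed value an extended regular expression, and without ShibRequireAll On any single matching require line grants access. The rule sets are copied from the blocks above; the attribute sets (affiliation, homeOrganization, mail for three fictitious users) are constructed.

```sh
#!/bin/sh
# Added example, not from the page and not Shibboleth code: a small model of how
# the rule sets above are evaluated, to try ShibRequireAll and the "~" regex
# form against constructed attribute sets. Real enforcement is done by the SP
# module in Apache; this only mirrors the documented semantics.
set -f   # no pathname expansion: rule words such as .*@ee.ethz.ch$ stay literal

# attr_values ATTRSET NAME
# ATTRSET is "name=v1;v2 name2=v3 ..." (multi-valued attributes ';'-separated,
# as the SP exports them). Prints the values of NAME, one per line.
attr_values() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr ';' '\n'
}

# require_matches ATTRSET "require <attr> [~] <value>..."
# Returns 0 if the rule matches: plain values match when any user value equals
# any listed value; after "~" each listed value is an extended regex searched
# in each user value (anchor it, as the rules above do, when you mean a full match).
require_matches() {
    set -- "$1" $2                 # split the rule line into words
    attrs=$1; shift
    [ "$1" = "require" ] || return 1
    shift; name=$1; shift
    [ "$name" = "valid-user" ] && return 0   # any established session qualifies
    regex=0
    if [ "$1" = "~" ]; then regex=1; shift; fi
    for want in "$@"; do
        for have in $(attr_values "$attrs" "$name"); do
            if [ "$regex" = 1 ]; then
                printf '%s\n' "$have" | grep -Eq "$want" && return 0
            elif [ "$have" = "$want" ]; then
                return 0
            fi
        done
    done
    return 1
}

# access_granted ATTRSET RULESET
# RULESET is the text of one rule block above. With "ShibRequireAll On" every
# require line must match; otherwise any single matching require line grants
# access. No require line at all denies.
access_granted() {
    attrs=$1; rules=$2; require_all=0; matched=0; total=0
    printf '%s\n' "$rules" | grep -Eiq '^[[:space:]]*ShibRequireAll[[:space:]]+On' && require_all=1
    while read -r line; do
        [ -n "$line" ] || continue
        total=$((total + 1))
        require_matches "$attrs" "$line" && matched=$((matched + 1))
    done <<EOF
$(printf '%s\n' "$rules" | grep -Ei '^[[:space:]]*require[[:space:]]')
EOF
    [ "$total" -gt 0 ] || return 1
    if [ "$require_all" = 1 ]; then [ "$matched" -eq "$total" ]; else [ "$matched" -gt 0 ]; fi
}

# Rule sets copied from the blocks above, plus one without ShibRequireAll
RULE_STAFF_UZH='AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation staff
require homeOrganization ~ ^unizh.ch$'

RULE_STAFF_OR_ETHZ='AuthType shibboleth
ShibRequireSession On
require affiliation staff
require homeOrganization ethz.ch'

RULE_UZH_OR_ETHZ='AuthType shibboleth
ShibRequireSession On
require homeOrganization unizh.ch ethz.ch'

RULE_ETH_STUDENT_MAIL='AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation student
require mail ~ .*@ee.ethz.ch$'

# Constructed attribute sets for three fictitious users
USER_UZH_STAFF='affiliation=staff;member homeOrganization=unizh.ch mail=alice@unizh.ch'
USER_ETHZ_STUDENT='affiliation=student;member homeOrganization=ethz.ch mail=bob@ee.ethz.ch'
USER_OTHER='affiliation=student;member homeOrganization=unibe.ch mail=carol@unibe.ch'

# Without ShibRequireAll the two require lines are ORed: an ETH student passes
# a rule whose author probably meant "staff AND ethz.ch".
access_granted "$USER_ETHZ_STUDENT" "$RULE_STAFF_OR_ETHZ" && echo "staff-or-ethz: ETH student granted (OR semantics)"
access_granted "$USER_ETHZ_STUDENT" "$RULE_STAFF_UZH" || echo "staff-uzh: ETH student denied (AND semantics)"
```

The point to take from the model is the one the "All staff members" and "All students" blocks above depend on: two require lines only combine as AND when ShibRequireAll On is present; leave it out and the rule quietly becomes the union of the two conditions.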