Shibboleth: Difference between versions

From Wiki_DR13

Revision as of 6 May 2010, 06:56

Shibboleth-SP installation

Debian

* Prerequisites:

apt-get install build-essential libssl0.9.8 libssl-dev libcurl3 libcurl3-dev apache2-threaded-dev gcc

* log4shib:

wget http://shibboleth.internet2.edu/downloads/log4shib/1.0/log4shib-1.0.tar.gz
tar xvzf log4shib-1.0.tar.gz
cd log4shib-1.0
./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
make && make install


* Xerces-C:

wget http://archive.apache.org/dist/xml/xerces-c/sources/xerces-c-src_2_8_0.tar.gz
tar xvzf xerces-c-src_2_8_0.tar.gz
cd xerces-c-src_2_8_0
export XERCESCROOT=`pwd`
cd src/xercesc
./runConfigure -p linux -r pthread -P /opt/shibboleth-sp
make && make install  


* XML-Security-C:

wget http://xml.apache.org/security/dist/c-library/xml-security-c-1.4.0.tar.gz
tar xvzf xml-security-c-1.4.0.tar.gz
cd xml-security-c-1.4.0
./configure --without-xalan --prefix=/opt/shibboleth-sp
make && make install


* XMLTooling-C:

wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/xmltooling-1.1.tar.gz
tar xvzf xmltooling-1.1.tar.gz
cd xmltooling-1.1
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make && make install


* OpenSAML-C:

wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/opensaml-2.1.tar.gz
tar xvzf opensaml-2.1.tar.gz
cd opensaml-2.1
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make && make install


* Shibboleth:

wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/shibboleth-sp-2.1.tar.gz
tar xvzf shibboleth-sp-2.1.tar.gz
cd shibboleth-2.1
./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp
make && make install
cp /opt/shibboleth-sp/etc/shibboleth/shibd-debian /etc/init.d/shibd

Red Hat

* log4shib:

wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/log4shib-1.0-1.i386.rpm
rpm -ivh log4shib-1.0-1.i386.rpm


* Xerces:

wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/xerces-c-2.8.0-1.i386.rpm
rpm -ivh xerces-c-2.8.0-1.i386.rpm

* xml-security:

wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/xml-security-c-1.4.0-1.i386.rpm
rpm -ivh xml-security-c-1.4.0-1.i386.rpm


* xmltooling:

wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/xmltooling-1.1-1.i386.rpm
rpm -ivh xmltooling-1.1-1.i386.rpm


* opensaml:

wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/opensaml-2.1-1.i386.rpm
rpm -ivh opensaml-2.1-1.i386.rpm


* Shibboleth-sp:

wget ftp://ftp.cru.fr/pub/shibboleth/shibboleth/cppsp/latest/RPMS/i386/RHE/4/shibboleth-2.1-1.i386.rpm
rpm -ivh shibboleth-2.1-1.i386.rpm

Certificates

openssl genrsa 1024 > /tmp/dr13.cnrs.fr.key 
openssl req -new -x509 -nodes -sha1 -days 7300 -subj "/C=FR/O=CNRS/CN=dr13.cnrs.fr" -key /tmp/dr13.cnrs.fr.key  >/tmp/dr13.cnrs.fr.crt
openssl x509 -noout -fingerprint -text < /tmp/dr13.cnrs.fr.crt >> /tmp/dr13.cnrs.fr.crt
mv /tmp/dr13.cnrs.fr.* /etc/shibboleth/ssl/
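Added here as a check on what the three openssl commands above produce, not part of the original page: the function verifies that the .crt still parses after the text dump was appended to it, that the certificate's public key matches the private key, and that the subject CN is the expected SP name. It assumes the openssl command line tool; the file names and the CN are parameters (the CN is whatever was passed to -subj).

```shell
# Added example, not from the original page: sanity checks for the key and
# certificate produced by the commands above, to run before pointing shibd at
# them. Assumes the openssl command line tool; file names and the expected CN
# are parameters (the CN is whatever was given to -subj).
# sp_cert_check KEY CRT EXPECTED_CN -> exit status 0 when all checks pass
sp_cert_check() {
    key=$1 crt=$2 cn=$3
    # 1. The .crt still parses: the '-text' dump appended by the third command
    #    sits outside the PEM armour, so a PEM parser must skip it.
    openssl x509 -noout -in "$crt" 2>/dev/null \
        || { echo "FAIL: $crt does not parse as a certificate"; return 1; }
    # 2. The certificate's public key belongs to the private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
        || { echo "FAIL: public key in $crt does not match $key"; return 1; }
    # 3. The subject CN is the SP's own name, as the IdP metadata will carry it.
    #    RFC2253 formatting gives 'CN=x,O=y,C=z' on every OpenSSL version.
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | grep -qFx -- "CN=$cn" \
        || { echo "FAIL: subject CN is not $cn"; return 1; }
    # 4. Report key size and fingerprint, the values the federation registers.
    bits=$(openssl x509 -in "$crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    echo "OK: CN=$cn, ${bits}-bit key, $(openssl x509 -in "$crt" -noout -fingerprint -sha1)"
}
```

Run it as `sp_cert_check /etc/shibboleth/ssl/dr13.cnrs.fr.key /etc/shibboleth/ssl/dr13.cnrs.fr.crt dr13.cnrs.fr` once the files are in place.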



Apache configuration

Shibboleth Service Provider Access Rules

It is the resource administrator's responsibility to configure the correct access rules for a protected resource. A resource can be protected either with access rules defined in the web server configuration or by the application itself, by checking certain Shibboleth attributes. In both cases, first, a Shibboleth session must be enforced on the file, location or directory to protect. Second, there must be an authorization rule based on attributes that determines how access is granted.

When using web server access rules, there are three ways to define rules:

* Web server config file: you can directly set rules for a directory, file or location in the httpd.conf of Apache. The downside of this method is that the web server has to be restarted each time the configuration file is changed.
* Directory config file: in Apache you can use so-called '.htaccess' files in directories to override the web server's static configuration settings. The rules defined in that file are dynamic, which means that they can be changed without restarting the web server. This can also be used to set Shibboleth access rules. Be sure to check that the directory in which you use a '.htaccess' file is configured with 'AllowOverride AuthConfig' to allow usage of '.htaccess' files. The downside of this method is that you cannot protect locations but only existing files and directories.
* XML access rules in the Shibboleth config (for IIS): especially needed for the IIS web server, there is a way to define access rules directly within the Shibboleth configuration file or in a linked external file that contains access rules defined using a special XML syntax. The inline access rules as well as the externally linked file are loaded dynamically by Shibboleth and thus are also suitable to protect locations for Apache.

Once your resource is ready for use, you have to configure access rules which properly protect your resource.

Examples of Apache Access Rules

For first tests (in Apache) it is fine to start with the simplest access rule, which grants access to any user with a valid AAI login and redirects all non-SSL HTTP requests to HTTPS before Shibboleth processes them, which is recommended:

AuthType shibboleth
ShibRequireSession On
ShibRedirectToSSL 443
require valid-user

In the following, some common rules (based on an example page by the University of Zurich) are shown together with a description of what effect they have. More information on this topic can also be found in the corresponding Shibboleth Wiki page.

All users with an AAI login

AuthType shibboleth
ShibRequireSession On
require valid-user

All university users with an AAI login

AuthType shibboleth
ShibRequireSession On
require homeOrganizationType university

All users from university of Zurich

AuthType shibboleth
ShibRequireSession On
require homeOrganization unizh.ch

All staff members from university of Zurich (with regular expression example)

AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation staff
require homeOrganization ~ ^unizh.ch$

People whose email address matches a regular expression (in this case all D-ITET students from ETHZ)

AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation student
require mail ~ .*@ee.ethz.ch$

All users from university of Zurich or ETH Zurich

AuthType shibboleth
ShibRequireSession On
require homeOrganization unizh.ch ethz.ch

All students from university of Zurich or ETH Zurich

AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
require affiliation student
require homeOrganization unizh.ch ethz.ch

Only users with the following e-Mail addresses

AuthType shibboleth
ShibRequireSession On
require mail user-x@switch.ch user-y@switch.ch

Only users with the following uniqueIDs

AuthType shibboleth
ShibRequireSession On
require uniqueID 000123@switch.ch 000455@switch.c
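The rules above combine in three ways that are easy to get wrong: several literals on one require line are OR'ed, '~' switches to a regular expression, and several require lines are OR'ed unless ShibRequireAll is On. The following added example (not from the original page) is a small shell evaluator of exactly these semantics, so a rule set can be checked against constructed sample sessions before it goes into httpd.conf; the two sessions at the end are constructed sample data, and mod_shib itself reads attributes from its session, not from a variable.

```shell
# Added example, not part of the original wiki page: a small evaluator that
# mimics how mod_shib interprets the 'require' lines shown above (literal lists,
# the '~' regex operator and ShibRequireAll) so their effect can be checked
# offline. The two sessions at the end are constructed sample data.

# require_matches VALUES ATTR RULE...  -> 0 when one of the ';'-separated VALUES
# satisfies RULE, which is a list of accepted literals or '~ REGEX'.
require_matches() {
    [ -n "$1" ] || return 1                  # attribute absent from the session
    values=$(printf '%s\n' "$1" | tr ';' '\n')
    shift 2                                  # drop VALUES and the attribute name
    if [ "$1" = "~" ]; then
        printf '%s\n' "$values" | grep -qE -- "$2" && return 0
        return 1
    fi
    for accepted in "$@"; do                 # several literals on one line are OR'ed
        printf '%s\n' "$values" | grep -qFx -- "$accepted" && return 0
    done
    return 1
}

# authorize SESSION REQUIRE_ALL RULES -> 0 when the session is authorized.
#   SESSION: newline-separated name=value pairs; REQUIRE_ALL: On or Off, as for
#   ShibRequireAll; RULES: newline-separated 'require' lines without the keyword.
authorize() {
    session=$1 all=$2 rules=$3 matched=0 total=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        total=$((total + 1))
        if [ "$rule" = "valid-user" ]; then   # any established session passes
            [ -n "$session" ] && matched=$((matched + 1))
            continue
        fi
        set -f; set -- $rule; set +f         # split into words, no globbing
        value=$(printf '%s\n' "$session" | sed -n "s/^$1=//p")
        require_matches "$value" "$@" && matched=$((matched + 1))
    done <<EOF
$rules
EOF
    # On: every require line must match; Off (the default): any one suffices
    if [ "$all" = "On" ]; then [ "$matched" -eq "$total" ]; else [ "$matched" -gt 0 ]; fi
}

STUDENT='affiliation=student;member
homeOrganization=ethz.ch
mail=alice@ee.ethz.ch'
STAFF='affiliation=staff;member
homeOrganization=unizh.ch
mail=bob@uzh.ch'
```

With ShibRequireAll Off, the "students from UZH or ETHZ" pair of lines lets the staff session through because its homeOrganization line alone matches; only ShibRequireAll On makes both lines mandatory.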