便便代码人生 (Bianbian's Code Life)

Focused on technology, occasionally getting hands-on

[Original] Shibboleth 2.0 Identity Provider (IdP) LDAP Authentication Configuration Guide

Posted by bianbian on 2008-05-14 13:15


First, my respect for the Westerners: 1) they make simple things very complicated, 2) they are very good at inventing standards and protocols.
Shibboleth, which I ran into this time, is exactly that kind of thing. After two days of reading English documentation I am seething at the man-made complexity and the invented protocols. Here is a brief configuration guide, as a reference for others so they take fewer detours.

Notes:
1) The system clock must be set correctly (SAML assertions and metadata carry validity windows; with a skewed clock the SP rejects the IdP's assertions, or the IdP rejects the SP's metadata)
2) Apache needs mod_ssl and mod_proxy_ajp; it is assumed to be installed under /etc/httpd
3) Tomcat 5.5.x or later is required; it is assumed to be installed under /opt/apache-tomcat-5.5.26
4) If you need to change the installation directory and reinstall, you must go back to the unzip step (otherwise a lot of directory-dependent code is not rebuilt, which causes serious errors: a whole day of pain for me!)

# Disable Tomcat's own authentication on the AJP connector
vi /opt/apache-tomcat-5.5.26/conf/server.xml
# Find the "Define an AJP 1.3 Connector" section; initially it reads:

  <Connector port="8009" 
                 enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

# Change it to (the port change has no special purpose; I run several Tomcats on this box and want to avoid conflicts):

  <Connector port="8019" 
                 enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
                 request.tomcatAuthentication="false" address="127.0.0.1" />

# Do not drop address="127.0.0.1": the stock connector binds every interface. With Tomcat no longer
# authenticating AJP requests it trusts whatever identity its AJP peer supplies, so the connector
# must be reachable only by the local httpd (firewall the port as well if the host has other users).

# Configure httpd as an AJP reverse proxy
vi /etc/httpd/conf.d/proxy_ajp.conf
# Add:
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /idp/ ajp://localhost:8019/idp/
# The port must match the connector above. Make sure /idp/ is proxied in the SSL virtual host as
# well (this is why mod_ssl is required): the IdP's login page takes usernames and passwords.
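As an added check that is not part of the original post, the following Python script audits the httpd-to-Tomcat wiring just described: it parses a server.xml and the ProxyPass line and flags an AJP connector that is not bound to loopback, one that still performs its own authentication (it accepts both the `tomcatAuthentication` and the `request.tomcatAuthentication` spelling, which is an assumption about the two Tomcat connector generations), a ProxyPass that forwards to a non-local host, and a ProxyPass whose port matches no connector. The two server.xml samples inside it are constructed from the before/after snippets above.

```python
"""Audit the httpd -> Tomcat AJP wiring (added example, not from the post)."""
import re
import xml.etree.ElementTree as ET
from typing import List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str, proxy_conf: str) -> List[str]:
    """Return a list of findings; an empty list means the wiring looks right."""
    findings = []
    ajp_ports = set()
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol") != "AJP/1.3":
            continue
        port = conn.get("port")
        ajp_ports.add(port)
        address = conn.get("address")
        if address not in LOOPBACK:
            # No address means 0.0.0.0: anyone who can reach the port talks AJP to the
            # IdP directly, bypassing httpd, and (with Tomcat trusting the peer's
            # REMOTE_USER) can assert any identity.
            findings.append("AJP connector %s is not bound to loopback (address=%r)"
                            % (port, address))
        # Assumption: either attribute spelling may be in use.
        auth = conn.get("tomcatAuthentication", conn.get("request.tomcatAuthentication"))
        if auth is None or auth.lower() != "false":
            findings.append("AJP connector %s still authenticates itself; identity passed "
                            "by httpd (REMOTE_USER) is ignored" % port)
    for m in re.finditer(r"^\s*ProxyPass\s+(\S+)\s+ajp://([^:/]+):(\d+)", proxy_conf, re.M):
        path, host, port = m.groups()
        if host not in LOOPBACK:
            findings.append("ProxyPass %s forwards to non-local host %s" % (path, host))
        if port not in ajp_ports:
            findings.append("ProxyPass %s targets port %s but no AJP connector listens there"
                            % (path, port))
    return findings


# Constructed minimal server.xml files: the stock connector and the modified one from the post.
STOCK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
</Service></Server>"""

FIXED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8019" enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
             request.tomcatAuthentication="false" address="127.0.0.1" />
</Service></Server>"""

# The proxy_ajp.conf from the post.
PROXY_CONF = """LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /idp/ ajp://localhost:8019/idp/
"""

if __name__ == "__main__":
    for name, xml in [("stock", STOCK_SERVER_XML), ("fixed", FIXED_SERVER_XML)]:
        print(name + ":")
        for f in audit_ajp(xml, PROXY_CONF) or ["no findings"]:
            print("  -", f)
```

Run it against the real files with `audit_ajp(open(".../server.xml").read(), open(".../proxy_ajp.conf").read())`; the stock connector combined with the post's ProxyPass yields three findings (world-reachable, still authenticating, port mismatch 8009 vs 8019), the modified one none.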

# Install the Shibboleth 2.0 Identity Provider (IdP)
unzip shibboleth-idp-2.0.0-bin.zip
cd identityprovider
cp endorsed/*.jar /opt/apache-tomcat-5.5.26/common/endorsed/
sh ant.sh install
# When asked whether this is a new installation: yes
# When asked for the installation directory: /opt/idp
# When asked for the hostname: enter the real one (it becomes part of the IdP's entityID and metadata)
# When asked for the keystore password: anything works for the install, but it protects the keystore
# generated for the IdP's own key material, so pick a strong one and keep a record of it

# Deploy the war
vi /opt/apache-tomcat-5.5.26/conf/Catalina/localhost/idp.xml
# Contents:

  <?xml version="1.0" encoding="UTF-8"?>
  <Context docBase="/opt/idp/war/idp.war"
           privileged="true"
           antiResourceLocking="false"
           antiJARLocking="false"
           unpackWAR="false" />

# Test: you should see "ok"
httpd -k restart
links http://127.0.0.1/idp/profile/Status

# Configure username/password authentication
vi /opt/idp/conf/handler.xml
# Find the Login Handlers section, comment out the "RemoteUser" handler and enable UsernamePassword. Change it to:

  <LoginHandler xsi:type="UsernamePassword" 
                    jaasConfigurationLocation="file:///opt/idp/conf/login.config">
          <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
          <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
      </LoginHandler>

# The IdP will now tell SPs that the user authenticated over a PasswordProtectedTransport; that is only
# true if the login form is served over HTTPS, so do not skip the mod_ssl step.

# Configure the LDAP connection
vi /opt/idp/conf/login.config

  ShibUserPassAuth {
     edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap.bianbian.org"
        base="dc=test,dc=bianbian,dc=org"
        serviceUser="cn=Directory Manager"
        serviceCredential="11111111"
        subtreeSearch="true"
        userField="uid";
  };

# The module binds as serviceUser, searches the subtree under base for uid=<login name>, then binds as
# the entry it found using the password the user typed. Three things to change before this goes near
# production: bind with a read-only account that can only search user entries rather than the
# directory's root account ("cn=Directory Manager"); the credential sits here in cleartext, so make
# login.config readable by the Tomcat user only; and plain ldap:// carries that credential and every
# user's password unencrypted, so use LDAPS or StartTLS (vt-ldap takes ssl="true" or tls="true").
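To make clear what that JAAS block actually makes the IdP do, here is an added Python model of the search-then-bind flow (my example, not the post's code and not vt-ldap itself), run against a constructed in-memory directory that stands in for ldap.bianbian.org so it works offline. The entries, the passwords and the deliberately duplicated uid are invented for the demonstration; the configuration dict is the post's login.config, placeholder service credential included. It also covers two details a practitioner has to get right that the post's fragment does not show: the login name is escaped per RFC 4515 before it goes into the filter, and an empty password is refused before any bind is attempted.

```python
"""Search-then-bind as done by the LdapLoginModule in login.config (added model)."""
import re
from typing import Dict, List, Optional

# The login.config from the post as a dict; serviceCredential is the post's placeholder.
LOGIN_CONFIG = {
    "host": "ldap.bianbian.org",
    "base": "dc=test,dc=bianbian,dc=org",
    "serviceUser": "cn=Directory Manager",
    "serviceCredential": "11111111",
    "subtreeSearch": "true",
    "userField": "uid",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515: backslash, *, (, ) and NUL inside a filter value become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(user_field: str, username: str) -> str:
    """The filter the module sends: (userField=<escaped login name>)."""
    return "(%s=%s)" % (user_field, escape_filter_value(username))


def _value_regex(pattern: str) -> str:
    """Filter-value semantics: an unescaped '*' is a wildcard, '\\XX' a literal byte."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 2 < len(pattern):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif pattern[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


class FakeDirectory:
    """Constructed stand-in for the LDAP server: {dn: {attribute: value}}."""

    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base: str, filt: str, subtree: bool) -> List[str]:
        """Evaluate a single equality filter with LDAP wildcard/escape semantics."""
        m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", filt, re.DOTALL)
        if not m:
            raise ValueError("unsupported filter: " + filt)
        attr, pattern = m.groups()
        rx = re.compile(_value_regex(pattern), re.DOTALL)
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.endswith("," + base):
                continue                       # outside the search base
            if not subtree and dn.count(",") != base.count(",") + 1:
                continue                       # one-level scope: direct children only
            if attr in attrs and rx.fullmatch(attrs[attr]):
                hits.append(dn)
        return hits


def authenticate(directory: FakeDirectory, cfg: Dict[str, str],
                 username: str, password: str) -> Optional[str]:
    """Return the authenticated user's DN, or None if the login fails."""
    if not password:
        return None   # an LDAP bind with an empty password is anonymous and "succeeds"
    if not directory.bind(cfg["serviceUser"], cfg["serviceCredential"]):
        raise RuntimeError("service account bind failed; check serviceUser/serviceCredential")
    dns = directory.search(cfg["base"], build_filter(cfg["userField"], username),
                           cfg["subtreeSearch"] == "true")
    if len(dns) != 1:
        return None   # unknown user, or an ambiguous match that must not be guessed at
    return dns[0] if directory.bind(dns[0], password) else None


# Constructed directory content; "bob" deliberately exists twice under the base.
DIRECTORY = FakeDirectory({
    "cn=Directory Manager": {"userPassword": "11111111"},
    "uid=alice,ou=people,dc=test,dc=bianbian,dc=org": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=test,dc=bianbian,dc=org": {"uid": "bob", "userPassword": "hunter2"},
    "uid=bob,ou=staff,dc=test,dc=bianbian,dc=org": {"uid": "bob", "userPassword": "hunter2"},
})

if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "nope"), ("*", "s3cret"), ("bob", "hunter2")]:
        print("%-6s -> %s" % (user, authenticate(DIRECTORY, LOGIN_CONFIG, user, pw)))
```

The fake directory honours unescaped `*` as a wildcard, which is why `escape_filter_value` matters: a login name of `*` reaches the server as `\2a` and matches nothing, whereas the raw filter `(uid=*)` would match every user. Setting `subtreeSearch="false"` makes alice invisible, because her entry is two levels below the base, which is the reason the post turns subtree search on.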

# Configure the SP (important! add the SP's metadata)
vi /opt/idp/conf/relying-party.xml
# Find the MetadataProvider section; give each provider its own id and backingFile
# Assume an SP running on the Apache module at http://bianbian.org/

  <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                 metadataURL="http://bianbian.org/Shibboleth.sso/Metadata" 
                 backingFile="/opt/idp/metadata/bianbian.org-metadata.xml" />

# Whatever this metadata describes (entityID, endpoints, certificate) is what the IdP will send
# assertions and attributes to. Fetched over plain http:// with no signature check it is only as
# trustworthy as the network path; for anything beyond a test, fetch it over https://, or keep the
# SP's metadata in a local file and review it whenever it changes.

# Configure attribute release; this depends on each SP and has to be worked out together with the SP


Released under a Creative Commons license; when reposting, credit http://bianbian.org with a link. Be decent.


12 Responses to “[Original] Shibboleth 2.0 Identity Provider (IdP) LDAP Authentication Configuration Guide”


  2. zhaochangxin Says:

    When configuring attribute release I get the following error; could you advise?
    2011-04-14 15:24:16 WARN Shibboleth.ISAPI [3540] isapi_shib: rule requires attribute (uid), not found in session

    The IdP's attribute-resolver.xml contains the following:






    The IdP's attribute-filter.xml contains the following:

    The SP's shibboleth2.xml has the following added:
    AccessControl> user3 user5

    Is this the right way to configure it? What should I do? I would be grateful for your advice.

  3. zhaochangxin Says:

    The code will not paste. If you have time, could you email me? I really hope to get your guidance.

