0.前言
本文介紹了如何搭建Shibboleth,實(shí)現(xiàn)Shibboleth+Ldap的SSO解決方案
1.什么是Shibboleth
Shibboleth是一個(gè)基于標(biāo)準(zhǔn)的����,實(shí)現(xiàn)組織內(nèi)部或跨組織的網(wǎng)頁(yè)單點(diǎn)登錄的開(kāi)源軟件包�。它允許站點(diǎn)為處于私有保護(hù)方式下的受保護(hù)的在線資源做出被通知的認(rèn)證決定。
Shibboleth軟件工具廣泛使用聯(lián)合的身份標(biāo)準(zhǔn),主要是OASIS安全聲稱(chēng)標(biāo)記語(yǔ)言(SAML)�����,來(lái)提供一個(gè)聯(lián)合單點(diǎn)登錄和屬性交換框架�����。一個(gè)用戶(hù)用他的組織的證書(shū)認(rèn)證����,組織(或IdP)傳送最少的必要的身份信息給SP實(shí)現(xiàn)認(rèn)證決定����。Shibboleth也提供擴(kuò)展的隱私功能,允許一個(gè)用戶(hù)和他們的主站點(diǎn)來(lái)控制釋放給每一個(gè)應(yīng)用的屬性。
Shibboleth項(xiàng)目作為一個(gè)Internet2中間件活動(dòng)啟動(dòng)于2000年,這年晚些時(shí)候該項(xiàng)目和OASIS SAML工作組的工作相聯(lián)系。Shibboleth1.0 于2003年發(fā)布,并快速被全世界的研究和教育機(jī)構(gòu)使用��。隨著2005年SAML2.0的發(fā)布����,2006年Shibboleth2.0也發(fā)布,SAML標(biāo)準(zhǔn)升級(jí)到包含所有的多邊,由Shibboleth首創(chuàng)的元數(shù)據(jù)驅(qū)動(dòng)方法。
Shibboleth作為開(kāi)源軟件開(kāi)發(fā)�,在Apache 軟件許可證下發(fā)布�。關(guān)于個(gè)別部件的更多信息可以在產(chǎn)品頁(yè)面看到����。
2.安裝Shibboleth Identity Provider v3.2.1
- 切換成root
sudo su
2.下載Shibboleth Identity Provider v3.2.1
wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.2.1.tar.gz tar -xzvf shibboleth-identity-provider-3.2.1.tar.gz cd shibboleth-identity-provider-3.2.1
3.安裝Shibboleth Idenentity Provider:
sh-3.2# ./install.sh Source (Distribution) Directory (press <enter> to accept default): [/Users/zhaoyu.zhaoyu/Applications/shibboleth-identity-provider-3.3.2] Installation Directory: [/opt/shibboleth-idp] Hostname: [localhost.localdomain] testdomain.com SAML EntityID: [https://testdomain.com/idp/shibboleth] Attribute Scope: [localdomain] Backchannel PKCS12 Password: Re-enter password: Cookie Encryption Key Password: Re-enter password: Warning: /opt/shibboleth-idp/bin does not exist. Warning: /opt/shibboleth-idp/dist does not exist. Warning: /opt/shibboleth-idp/doc does not exist. Warning: /opt/shibboleth-idp/system does not exist. Warning: /opt/shibboleth-idp/webapp does not exist. Generating Signing Key, CN = testdomain.com URI = https://testdomain.com/idp/shibboleth ... ...done Creating Encryption Key, CN = testdomain.com URI = https://testdomain.com/idp/shibboleth ... ...done Creating Backchannel keystore, CN = testdomain.com URI = https://testdomain.com/idp/shibboleth ... ...done Creating cookie encryption key files... ...done Rebuilding /opt/shibboleth-idp/war/idp.war ... ...done BUILD SUCCESSFUL Total time: 1 minute 14 seconds
(from now "{idp.home}" == /opt/shibboleth-idp/)
4.導(dǎo)入 JST library (status界面會(huì)用到):
cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar cd /opt/shibboleth-idp/bin ./build.sh -Didp.target.dir=/opt/shibboleth-idp
3.安裝指引
3.1 安裝apache tomcat 8
1.切換成root
sudo su -
2.修改tomcat的%{CATALINA_HOME}/conf/server.xml
將8080端口和8443端口的地方分別改成80和443
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
3.生成證書(shū)文件
[chengxu@local]keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "./tomcat.keystore" 輸入密鑰庫(kù)口令: 再次輸入新口令: 您的名字與姓氏是什么? [Unknown]: cheng 您的組織單位名稱(chēng)是什么? [Unknown]: testdomain.com 您的組織名稱(chēng)是什么? [Unknown]: testdomain.com 您所在的城市或區(qū)域名稱(chēng)是什么? [Unknown]: 您所在的省/市/自治區(qū)名稱(chēng)是什么? [Unknown]: 該單位的雙字母國(guó)家/地區(qū)代碼是什么? [Unknown]: CN=cheng, OU=testdomain.com, O=testdomain.com, L=Unknown, ST=Unknown, C=Unknown是否正確? [否]: 是 輸入 <tomcat> 的密鑰口令 (如果和密鑰庫(kù)口令相同, 按回車(chē)): 再次輸入新口令: [chengxu@local]
4.修改tomcat的%{CATALINA_HOME}/conf/server.xml����,使支持https協(xié)議
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/Users/chengxu/Shibboleth/tomcat/tomcat.keystore" keystorePass="xxx"/>
5.發(fā)布Idp Web Application到Tomcat 8 container
vim %{CATALINA_HOME}/conf/Catalina/localhost/idp.xml
<Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false" swallowOutput="true"/>
4.配置host
vim /etc/host 127.0.0.1 testdomain.com
5.重啟tomcat
%{CATALINA_HOME}/bin/catalina.sh stop
%{CATALINA_HOME}/bin/catalina.sh start
6.檢測(cè)是否服務(wù)啟動(dòng)正常
訪問(wèn)https://testdomain/idp/status
或者/opt/shibboleth-idp/bin; ./status.sh
3.2 配置shibboleth連接ldap
編輯修改ldap.properties
vim /opt/shibboleth/conf/ldap.properties idp.authn.LDAP.authenticator = bindSearchAuthenticator idp.authn.LDAP.ldapURL = ldap://ldap.example.it:389 idp.authn.LDAP.useStartTLS = false idp.authn.LDAP.useSSL = false idp.authn.LDAP.baseDN = cn=Users,dc=example,dc=org idp.authn.LDAP.userFilter = (uid={user}) idp.authn.LDAP.bindDN = cn=admin,cn=Users,dc=example,dc=org idp.authn.LDAP.bindDNCredential = ###LDAP ADMIN PASSWORD###
6.修改shibboleth ldap配置
vim /opt/shibboleth/conf/services.xml 把 <value>%{idp.home}/conf/attribute-resolver.xml</value> 改為 <value>%{idp.home}/conf/attribute-resolver-full.xml</value>
vim /opt/shibboleth-idp/conf/attribute-resolver-full.xml 注釋掉下列代碼,如果已經(jīng)注釋掉了就不動(dòng)了(有些版本已經(jīng)注釋了) <!-- <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked"> <sec:Certificate>% {idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate> </dc:StartTLSTrustCredential> -->
重啟tomcat
7.獲取idp metadata.xml
https://testdomain.com/idp/shibboleth
注意metadata.xml文件中的validUntil屬性����,如果過(guò)期了則修改為未來(lái)的某個(gè)時(shí)間點(diǎn)
4.小結(jié)
至此我們完成了Shibboleth與LDAP集成的安裝過(guò)程
下篇: 實(shí)現(xiàn)Shibboleth+Ldap到阿里云的單點(diǎn)登錄
來(lái)自:https://yq.aliyun.com/articles/350531?tdsourcetag=s_pcqq_aiomsg&do=login&accounttraceid=87b0f203-5d81-4cb7-a986-49615e3962e2&do=login&do=login