-rwxr-xr-xREADME.md49
-rw-r--r--apache-sp/entrypoint.sh5
-rw-r--r--apache-sp/run.sh2
-rw-r--r--apache-sp/shibd/shibboleth2.xml5
-rw-r--r--conf-from-container/conf/logback.xml40
-rw-r--r--install.properties8
-rw-r--r--nordu-ldap.properties2
-rw-r--r--run.sh3
8 files changed, 90 insertions, 24 deletions
diff --git a/README.md b/README.md
index 7f0ea74..5b05ebc 100755
--- a/README.md
+++ b/README.md
@@ -21,7 +21,49 @@ and more
File installer.properties
Properties written out by the installer and used during upgrades. Scripts may create this ahead of time and feed it in to the installer in order to have a silent install. Deployers are not expected to modify this directly.
+# planning
+https://shibboleth.net/pipermail/users/2016-July/030260.html
+http://shibboleth.1660669.n2.nabble.com/SAML-message-intended-destination-endpoint-did-not-match-the-recipient-endpoint-td7626468.html
+We setup a new IdP on the 3.x branch. New hostname, new certificates, new
+URL bindings, etc; but responding as the same entityID as the old IdP on
+the 2.x version.
+...
+
+
+
+
+# Testing
+
+run.sh
+
+```
+#docker build -t $(basename $(pwd)) . && docker run -p80:80 -p 443:443 --rm -ti $(basename $(pwd))
+# shibboleth-docker
+docker build -t $(basename $(pwd)) . && docker run --rm -ti --name shibboleth-docker $(basename $(pwd))
+```
+
+```
+# Apache SP
+docker build -t $(basename $(pwd)) . && docker run --rm -ti -p80:80 -p 443:443 -e SP_HOSTNAME=sp.nordu.dev --link shibboleth-docker $(basename $(pwd))
+```
+
+```
+hlk@bujin:hlk$ cat /etc/hosts
+##
+# Host Database
+#
+# localhost is used to configure the loopback interface
+# when the system is booting. Do not change this entry.
+##
+127.0.0.1 localhost
+255.255.255.255 broadcasthost
+::1 localhost
+
+127.0.0.1 idp.nordu.dev sp.nordu.dev
+```
+
+Then you should be able to go to: https://sp.nordu.dev/secure/
# Resources
@@ -114,6 +156,13 @@ StaticPKIXX509Credential
# Other Links
+
+https://shibboleth.net/products/metadata-aggregator.html
+Metadata Aggregator provides a command line tool and REST-based web service to support publishers and consumers of metadata.
+- kan måske lette noget arbejde med at vedligeholde filer?
+
+
+
https://wiki.shibboleth.net/confluence/display/IDP30/Installation+Directory+and+Configuration+Files
describes the Installation Directory and Configuration Files
diff --git a/apache-sp/entrypoint.sh b/apache-sp/entrypoint.sh
index dc16803..a552c6c 100644
--- a/apache-sp/entrypoint.sh
+++ b/apache-sp/entrypoint.sh
@@ -1,4 +1,9 @@
#!/bin/sh
+
+# NORDUnet 2017
+
+echo "Starting $0"
+
# Setup ssl keys
KEYDIR=/etc/ssl
export KEYDIR
diff --git a/apache-sp/run.sh b/apache-sp/run.sh
new file mode 100644
index 0000000..9d227b1
--- /dev/null
+++ b/apache-sp/run.sh
@@ -0,0 +1,2 @@
+# Apache SP
+docker build -t $(basename $(pwd)) . && docker run --rm -ti -p80:80 -p 443:443 -e SP_HOSTNAME=sp.nordu.dev --link shibboleth-docker $(basename $(pwd))
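Review bot: The new script has no interpreter line and is added as mode 100644 (see `new file mode 100644` in this file's header), so it only runs as `sh apache-sp/run.sh` rather than as an executable; put `#!/bin/sh` on the first line above `# Apache SP`. The `$(basename $(pwd))` expansions on the docker line are unquoted, so a checkout directory whose name contains whitespace splits into several arguments for both `-t` and the final image name; write them as `"$(basename "$(pwd)")"`. The top-level run.sh added later in this commit has the same two issues and the same fix applies there.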
diff --git a/apache-sp/shibd/shibboleth2.xml b/apache-sp/shibd/shibboleth2.xml
index 2bc8b7a..c6a759f 100644
--- a/apache-sp/shibd/shibboleth2.xml
+++ b/apache-sp/shibd/shibboleth2.xml
@@ -1,7 +1,7 @@
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<ApplicationDefaults entityID="https://__SP_HOSTNAME__/shibboleth"
@@ -20,7 +20,7 @@
<!-- <SessionInitiator type="Chaining" Location="/Login/https" id="sidp.norud.dev" relayState="cookie" entityID="https://idp.nordu.dev/idp/shibboleth"> -->
<!-- <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/> -->
<!-- </SessionInitiator> -->
- <SessionInitiator type="Chaining" Location="/Login/http" id="idp.norud.dev" relayState="cookie" entityID="https://idp.nordu.dev/idp/shibboleth">
+ <SessionInitiator type="Chaining" Location="/Login/http" id="idp.nordu.dev" relayState="cookie" entityID="https://idp.nordu.dev/idp/shibboleth">
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
</SessionInitiator>
</Sessions>
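Review bot: The corrected `id="idp.nordu.dev"` on the `+` line leaves the commented-out SessionInitiator two lines above still carrying the misspelt `id="sidp.norud.dev"`, so reinstating that block would bring the typo straight back. Either fix the dead copy to match or drop it, since the live Chaining initiator below it now covers the same entityID; keeping two near-identical variants, one of them stale, is what produced the typo in the first place.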
@@ -35,4 +35,3 @@
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
-
diff --git a/conf-from-container/conf/logback.xml b/conf-from-container/conf/logback.xml
index 104ec4c..861ac26 100644
--- a/conf-from-container/conf/logback.xml
+++ b/conf-from-container/conf/logback.xml
@@ -5,21 +5,21 @@
Variables for simplifying logging configuration.
http://logback.qos.ch/manual/configuration.html#variableSubstitution
-->
-
+
<variable name="idp.logfiles" value="${idp.home}/logs" />
<variable name="idp.loghistory" value="180" />
-
+
<!-- Much higher performance if you operate on DEBUG. -->
<!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
-
+
<!-- Logging level shortcuts. -->
<variable name="idp.loglevel.idp" value="INFO" />
- <variable name="idp.loglevel.ldap" value="WARN" />
- <variable name="idp.loglevel.messages" value="INFO" />
+ <variable name="idp.loglevel.ldap" value="DEBUG" />
+ <variable name="idp.loglevel.messages" value="DEBUG" />
<variable name="idp.loglevel.encryption" value="INFO" />
- <variable name="idp.loglevel.opensaml" value="INFO" />
+ <variable name="idp.loglevel.opensaml" value="DEBUG" />
<variable name="idp.loglevel.props" value="INFO" />
-
+
<!-- Don't turn these up unless you want a *lot* of noise. -->
<variable name="idp.loglevel.spring" value="ERROR" />
<variable name="idp.loglevel.container" value="ERROR" />
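Review bot: The three `+` lines that raise `idp.loglevel.ldap`, `idp.loglevel.messages` and `idp.loglevel.opensaml` to DEBUG change the container's committed default rather than a local override, so every image built from this tree ships with protocol-message logging on. At DEBUG the PROTOCOL_MESSAGE logger (wired later in this file, with the comment "Logs inbound and outbound protocols messages at DEBUG level") writes complete SAML requests and responses, which can include released user attributes, into the process log, and ldaptive at DEBUG typically records search filters and DNs as well; those log files then need the same handling as the data they copy. If this is only for the current troubleshooting, keep WARN/INFO here and put the overrides in the idp.properties file loaded a few lines down (`<variable file="${idp.home}/conf/idp.properties" />`), which presumably takes precedence over the inline defaults — confirm against logback's variable-scope rules. At minimum, a comment such as `<!-- DEBUG is for local troubleshooting only: logs full SAML messages and LDAP queries; reset before deploying -->` beside these lines would record the intent.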
@@ -30,7 +30,7 @@
we load the main property file for you.
-->
<variable file="${idp.home}/conf/idp.properties" />
-
+
<!-- =========================================================== -->
<!-- ============== Logging Categories and Levels ============== -->
<!-- =========================================================== -->
@@ -40,10 +40,10 @@
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
-
+
<!-- Logs LDAP related messages -->
<logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
-
+
<!-- Logs inbound and outbound protocols messages at DEBUG level -->
<logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
@@ -64,11 +64,11 @@
<!-- =========================================================== -->
<!-- ============== Low Level Details or Changes =============== -->
<!-- =========================================================== -->
-
+
<!-- Process log. -->
<appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-process.log</File>
-
+
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory:-180}</maxHistory>
@@ -102,19 +102,19 @@
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>WARN</level>
</filter>
-
+
<File>${idp.logfiles}/idp-warn.log</File>
-
+
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
<maxHistory>${idp.loghistory:-180}</maxHistory>
</rollingPolicy>
-
+
<encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
<charset>UTF-8</charset>
<Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
</encoder>
-
+
<!-- Ignore Velocity status page error. -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator>
@@ -127,7 +127,7 @@
<OnMatch>DENY</OnMatch>
</filter>
</appender>
-
+
<!-- Audit log. -->
<appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-audit.log</File>
@@ -142,7 +142,7 @@
<Pattern>%msg%n</Pattern>
</encoder>
</appender>
-
+
<!-- Consent audit log. -->
<appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
<File>${idp.logfiles}/idp-consent-audit.log</File>
@@ -177,10 +177,10 @@
<logger name="Shibboleth-Consent-Audit" level="ALL">
<appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
</logger>
-
+
<root level="${idp.loglevel.root:-INFO}">
<appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
<appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
</root>
-</configuration> \ No newline at end of file
+</configuration>
diff --git a/install.properties b/install.properties
index 3eec93d..a052dcb 100644
--- a/install.properties
+++ b/install.properties
@@ -9,6 +9,14 @@ idp.keystore.password=password
# Found via build.xml
ldap.merge.properties=/opt/nordu-ldap.properties
+# Skinning it
+idp.title = IDP Dev Web Login Service
+idp.title.suffix = Error
+idp.logo = /images/dummylogo.png
+idp.logo.alt-text = Replace or remove this logo
+idp.message = An unidentified error occurred.
+idp.footer = IDP dev footer text.
+
#PROPERTIES:
#The following properties are used. If they are not specified on the command line then
#they will be prompted for if needed.
diff --git a/nordu-ldap.properties b/nordu-ldap.properties
index 71e1301..dd43f21 100644
--- a/nordu-ldap.properties
+++ b/nordu-ldap.properties
@@ -1,6 +1,6 @@
idp.authn.LDAP.ldapURL=ldaps://ldap.nordu.net
idp.authn.LDAP.authenticator = bindSearchAuthenticator
-idp.authn.LDAP.useStartTLS = false
+idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.sslConfig = certificateTrust
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
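Review bot: Setting `idp.authn.LDAP.useStartTLS = true` on the `+` line while the URL on the first line stays `ldaps://ldap.nordu.net` and `idp.authn.LDAP.useSSL = false` combines two incompatible modes: StartTLS upgrades a plaintext ldap:// connection, whereas an ldaps:// URL expects an implicit-TLS connection, which is what `useSSL = true` selects. As written the bind will most likely fail because StartTLS is not accepted on a socket that is already TLS, or, if the client falls back, presumably run with less protection than intended; the consistent pairs are `ldap://ldap.nordu.net` with `useStartTLS = true`, or keeping `ldaps://` with `useSSL = true` and `useStartTLS = false`. Separately, `idp.authn.LDAP.sslConfig = certificateTrust` is in force while `idp.authn.LDAP.trustCertificates` stays commented out, so no trust anchor is configured for the server certificate; confirm what the IdP does in that case before relying on either TLS mode.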
diff --git a/run.sh b/run.sh
new file mode 100644
index 0000000..a39e8c6
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,3 @@
+#docker build -t $(basename $(pwd)) . && docker run -p80:80 -p 443:443 --rm -ti $(basename $(pwd))
+# shibboleth-docker
+docker build -t $(basename $(pwd)) . && docker run --rm -ti --name shibboleth-docker $(basename $(pwd))