Diffstat (limited to 'README.md')
| Mode | File | Lines |
| -rwxr-xr-x | README.md | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100755 index 0000000..7f0ea74 --- /dev/null +++ b/README.md 
@@ -0,0 +1,122 @@ +# Shibboleth IDP version 3 project + +# RTFM + +From +https://wiki.shibboleth.net/confluence/display/IDP30/Configuration + +To configure a new IdP from scratch, you will need to address these areas first: +* Metadata +* Authentication +* Attribute Resolver +* Attribute Filter + +If you need to dig into more advanced SAML configuration needs, or need to interoperate with commercial cloud services, you will usually need to tackle these areas: +* SAML NameID Generation +* Profiles and Per-RelyingParty Behavior +* Unsolicited (IdP-initiated) SAML + +and more + +File installer.properties +Properties written out by the installer and used during upgrades. Scripts may create this ahead of time and feed it in to the installer in order to have a silent install. Deployers are not expected to modify this directly. + + + + +# Resources +Links from Jesper Rosenkilde + +https://shibboleth.net/products/identity-provider.html +https://github.com/UNINETT/mod_auth_mellon + + +# Running a docker + +## Build +``` +docker build -t $(basename $(pwd)) . +``` + +## Run +``` +docker run -p80:80 -p 443:443 --rm -ti $(basename $(pwd)) +``` + +## Interactive shell +``` +hlk@bujin:shibboleth-docker$ docker ps +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +b2b93c309396 shibboleth-docker "/docker-entrypoin..." 
8 minutes ago Up 8 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 8080/tcp eager_borg +``` + +## Getting shell + +``` +hlk@bujin:shibboleth-docker$ docker exec -ti b2b93c309396 bash +bash-4.3# id +uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) +bash-4.3# hostname +b2b93c309396 +``` + +## Copy files out from container + + +docker cp `docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"`:/opt/shibboleth-idp/conf /Users/hlk/projects/shibboleth-docker/conf-from-container + +``` +docker cp c172ac9afb1b:/opt/shibboleth-idp/conf /Users/hlk/projects/shibboleth-docker/conf-from-container +``` + + + +# Changes in v2 to v3 + +Summary of changes +https://wiki.shibboleth.net/confluence/display/IDP30/ConfigurationFileSummary + +# Less changes + +Attribute resolver +https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration +V2 Compatibility +The overall content and structure is identical to V2. Sematically, the V3 IdP is nearly 100% compatible with V2 attribute configuration. All regressions should be reported via our issue tracker. +Some key exceptions are noted below. + + + + +# Changes to be made + +https://wiki.shibboleth.net/confluence/display/IDP30/AuthenticationConfiguration + +If the V2 UsernamePassword login handler was used, the V3 equivalent is the Password flow with the JAAS back-end; a similar JAAS configuration can typically be used, but the most common case (LDAP) is an exception because the underlying LDAP library has changed. By convention this configuration is placed in authn/jaas.config and the legacy-matching "ShibUserPassAuth" login configuration name is used (though this can be changed). The UI for password-based login is no longer strictly JSP-based as in V2, but is now a Web Flow view: this can use Velocity, JSP, or potentially other view technologies. The default login.vm view provided uses Velocity. 
Using an older login.jsp file will require some changes, although the V2 JSP taglibs for metadata-driven UI information should still work. We recommend modernizing to the use of Velocity, as this is much simpler in most cases. +... +So in short, activate flows with the idp.authn.flows property, transfer JAAS or web.xml and container configuration over, and you should have basic compatibility working, apart from the actual login UI for JAAS-based authentication. + +This is used in Nordunet config handler.xml + + + + +Source: https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration + +During the V2 to V3 upgrade process, the original V2 relying-party.xml file is copied to metadata-providers.xml, to serve as the metadata configuration for the new version. It's strongly advisable after upgrading to update that file by stripping it of the older content and promote the <MetadataProvider> element in it to the root of the file. In the interim all other content in the file except for <MetadataProvider> elements (and any referenced <security:TrustEngine> elements) is ignored. +The following non-relevant trust engine types often found in a legacy relying-party.xml file are ignored if seen and cannot be used for metadata verification: +Chaining +MetadataExplicitKey +MetadataPKIXX509Credential +MetadataExplicitKeySignature +MetadataPKIXSignature +StaticPKIXX509Credential + + +# Other Links + +https://wiki.shibboleth.net/confluence/display/IDP30/Installation+Directory+and+Configuration+Files +describes the Installation Directory and Configuration Files + + +https://github.com/malavolti/HOWTO-Install-and-Configure-Shibboleth-Identity-Provider/blob/master/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20v3.2.1%20on%20Ubuntu%20Linux%20LTS%2014.04%20with%20Tomcat%208%20only.md +a sample config - steps to configure 3.2 |
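Review bot: the `docker cp` command under "Copy files out from container" sits outside a code fence, so Markdown renders its backtick command substitution (`docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"`) as inline code and the command is lost; move it into a ``` block like the one that follows it. That pipeline also picks the first ID that `docker ps` prints, which is not necessarily the Shibboleth container when several are running; as a suggestion, `docker ps -q --filter ancestor=shibboleth-docker` selects by image instead. The file is added with mode 100755; a README does not need the executable bit, so `chmod 644 README.md` before committing. In the "Getting shell" example the `docker exec` shell runs as uid=0(root) with /opt/shibboleth-idp/conf writable by it; if the entrypoint does not drop privileges the IdP itself runs as root as well, so a USER directive in the Dockerfile, or at least a sentence in the README saying the image is for local development, would be appropriate given that `docker run` publishes ports 80 and 443. Minor: "Sematically" should be "Semantically", "# Less changes" should be "# Fewer changes", and the absolute path /Users/hlk/projects/shibboleth-docker/conf-from-container is specific to one machine; a relative path such as ./conf-from-container works for other deployers.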
