Shibboleth Service Provider SP Installation


Shibboleth Service Provider (SP) 3.4 Installation Guide

Table of contents

  1. Introduction
  2. Recommendations
  3. Installation
  4. Quick Test
  5. Service Provider Configuration
  6. Additional Information

Note regarding Upgrades to Shibboleth SP 3

Shibboleth SP v3 supports the SP v2 configuration format, so the SP v2 configuration files are forward-compatible with SP v3.
Check the shibd.log for deprecation warnings for legacy configuration elements.
The Migration guide documents how to update your configuration to get rid of the deprecation warnings for legacy configuration elements.

1. Introduction

This guide describes the installation of a Shibboleth Service Provider (SP) 3.4 on the operating systems Windows and Linux/Unix as supported by the Shibboleth Consortium. The instructions are generic, not federation specific.
We did not test the SP on all OS versions, so please report any issue you encounter.

Check and confirm the Shibboleth SP 3 System Requirements before proceeding.

Select the type of operating system on the host where the Shibboleth Service Provider gets installed:

Red Hat Enterprise Linux 7/8/9, Rocky Linux 8/9, Ubuntu 22/23/24, Debian 11/12 or CentOS Linux 7 or Amazon Linux 2/2023
Windows Server 2008 and later (32-bit and 64-bit Windows)

If you use a Linux distribution not listed above that includes an up-to-date Shibboleth SP package, you can try to install that one.

If the Service Provider is already installed, please continue to our federation-specific Switch Shibboleth Service Provider Configuration Guide.

Note regarding CentOS 8

Since September 2023, the Shibboleth Consortium no longer supports CentOS 8 as an officially supported platform.

Note for Debian and Ubuntu installations that used the former pkg.switch.ch repository:

As previously announced, the https://pkg.switch.ch/switchaai/ repository is no longer available. Use the packages from the official Debian and Ubuntu distribution channels.

To remove the SWITCHaai package repository from your system, uninstall packages shibboleth and switchaai-apt-source, then remove any remaining APT configuration for this repository (if any). This won’t uninstall the Shibboleth SP and the currently-installed SWITCHaai SP packages will remain until a newer version is available from the distribution’s official repository.


apt remove shibboleth
apt-mark manual libapache2-mod-shib
apt purge switchaai-apt-source
rm /etc/apt/trusted.gpg.d/SWITCHaai-swdistrib.gpg /etc/apt/sources.list.d/SWITCHaai-swdistrib.list
apt update

2. Recommendations

The Shibboleth project maintains its own shibboleth repository that provides the official Shibboleth Service Provider binaries and their dependencies for RPM-based Linux distributions. This repository always contains an up-to-date version of the Shibboleth Service Provider. Therefore, prefer this repository and its packages over packages that may be provided by the OS distribution.

The following software is optional but recommended for the installation and operation of the Service Provider.

NTP

Servers running Shibboleth must have the system time synchronized in order to avoid clock-skew errors. Therefore, it is recommended to activate ntp, chrony or some other time synchronisation mechanism.

sudo

We recommend installing sudo for commands that require root privileges.
As root user sudo can be installed with:

Debian, Ubuntu


apt install sudo

Red Hat Enterprise Linux, CentOS


yum install sudo

Red Hat Enterprise Linux, Rocky Linux


dnf install sudo

curl

To download software and configuration files we recommend curl but of course you can also use wget or another tool. Just replace the curl commands in the following instructions with the tool you prefer using. Curl can be installed with:

Debian, Ubuntu


apt install curl

Red Hat Enterprise Linux, CentOS 7


sudo yum install curl

Red Hat Enterprise Linux, Rocky Linux 8/9


sudo dnf install curl

SSL enabled for Apache

It is strongly recommended to enable and configure the Apache SSL module mod_ssl to support HTTPS (e.g. with sudo a2enmod ssl; sudo a2ensite default-ssl on Debian/Ubuntu). By default, the Shibboleth messages containing user attributes are encrypted. Therefore, they can also be sent via the insecure HTTP protocol. However, any session-based access to a web page via the insecure HTTP is prone to session hijacking attacks. This also includes the Shibboleth session. Relying on HTTPS mitigates this risk.

SSL enabled for Microsoft IIS

The IIS website should have an appropriate X.509 certificate installed and SSL enabled.

Before continuing to the next section, please ensure that the requirements above are met on the system where the Shibboleth Service Provider will be installed.

3. Installation

Install the Shibboleth Service Provider.

Shibboleth Service Provider Installation

  1. If there was an older version of a Service Provider already installed on the system, you might be asked whether to keep the existing configuration files or overwrite them with the package default files. The old configuration files should be kept.
     You can continue to use the old files in most cases. However, you should update them to get rid of deprecation warnings for legacy configuration elements. Generally, it is recommended to perform a clean configuration as described in the configuration guide mentioned below.
  2. For Debian and Ubuntu install the shibboleth package with:

     sudo apt install libapache2-mod-shib

  3. For Red Hat, CentOS, Rocky Linux and Amazon Linux create the appropriate RPM repository file and then install the shibboleth package.

     Create the repository file /etc/yum.repos.d/shibboleth.repo with the content matching your platform:

     CentOS 9 (RHEL 9)

[shibboleth]
name=Shibboleth (rockylinux9)
# Please report any problems to https://shibboleth.atlassian.net/jira
type=rpm-md
mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux9
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
        https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1

     CentOS 8 (RHEL 8)

[shibboleth]
name=Shibboleth (rockylinux8)
# Please report any problems to https://shibboleth.atlassian.net/jira
type=rpm-md
mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux8
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
        https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1

     CentOS 7 (RHEL 7)

[shibboleth]
name=Shibboleth (CentOS_7)
# Please report any problems to https://shibboleth.atlassian.net/jira
type=rpm-md
mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
        https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1

     Install command:

     sudo yum install shibboleth

  4. If none of the above apply, follow the instructions on the Shibboleth Wiki page Linux Installation to configure the shibboleth repository or install from source, then come back here to proceed.
  5. After having installed the package, you need to start and enable the shibd daemon:

     sudo systemctl start shibd.service
     sudo systemctl enable shibd.service

  6. The Shibboleth Consortium does not support the SP in conjunction with SELinux. Check out the Common Errors topic on SELinux.

Optional proxy settings

Shibboleth will automatically download metadata and CRL files. If your network policy does not allow outgoing connections on port 80 by default, it is recommended to configure an HTTP proxy for outgoing connections. Add the following line to /etc/sysconfig/shibd:

export http_proxy=proxy.example.org:8080

3.1. Result

The Service Provider should now be installed on the system. Of particular interest are the directories:

/etc/shibboleth
Configuration directory of Shibboleth. The main configuration file is shibboleth2.xml.
/var/log/shibboleth
Log directory where logs are written to. The most important log file is the shibd.log file that should be consulted in case of problems.
/run/shibboleth
Runtime directory where process ID and socket files are stored.
/var/cache/shibboleth
Cache directory where metadata backup and CRL files are stored.

4. Quick Test

After the installation a quick test shows whether the Service Provider was installed properly.

Shibboleth SP Configuration Check

In the command line, execute the following command to see whether the Shibboleth Service Provider can load the default configuration:

For Debian, Ubuntu, Rocky Linux, CentOS:

sudo shibd -t

For Red Hat Enterprise Linux:

sudo LD_LIBRARY_PATH=/opt/shibboleth/lib64 shibd -t

It is important that the last line of the output is:

overall configuration is loadable, check console for non-fatal problems

If there are any ERROR log entries, it is strongly recommended to have a look at the problem.
Messages with log level WARN are generally not problematic but it is recommended to examine the causes of these warning messages.

Apache Configuration Check

Also test the Apache configuration with the command:

sudo apachectl configtest

The output of this command should be:

Syntax OK

Shibboleth Quick Test

(Re-)Start the web server and then access the URL https://<your SP hostname>/Shibboleth.sso/Session.

The web server (or rather the Shibboleth daemon) should return a page that says:

A valid session was not found.

This message shows that the Shibboleth module is loaded by the webserver and is communicating with the shibd process.
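The checks that the installation steps and the quick test above describe, collected into a script as an added example (it is not part of the SWITCH guide or of the Shibboleth SP itself). Each check reads its input from stdin so it can be run on captured output; the sample outputs at the bottom are constructed, and run_on_host assumes the host uses the repo file path given above.

```shell
#!/bin/sh
# Added example (not the SWITCH guide's own code): post-install checks for the
# steps above. Each check reads text on stdin so it also works on captured
# output; run_on_host wires the checks to the real commands on an SP host.
LOADABLE='overall configuration is loadable, check console for non-fatal problems'

# shibd -t: the last line must be the "loadable" message (else rc 1) and no
# log entry may carry the ERROR level (else rc 2); WARN entries are tolerated.
check_shibd_output() {
    out=$(cat)
    [ "$(printf '%s\n' "$out" | tail -n 1)" = "$LOADABLE" ] || return 1
    printf '%s\n' "$out" | grep -Eq '(^|[[:space:]])ERROR([[:space:]]|$)' && return 2
    return 0
}

# Repo file: the [shibboleth] section must keep gpgcheck=1 and name a gpgkey
# URL, so yum/dnf rejects packages whose signature cannot be verified.
check_repo_file() {
    repo=$(cat)
    printf '%s\n' "$repo" | grep -q '^\[shibboleth\]' || return 1
    printf '%s\n' "$repo" | grep -q '^gpgcheck=1' || return 2
    printf '%s\n' "$repo" | grep -q '^gpgkey=https://' || return 3
    return 0
}

# Quick test: the Session handler body proves mod_shib is talking to shibd.
check_session_page() {
    grep -q 'A valid session was not found'
}

# Run on the SP host itself (as root/sudo). On RHEL prefix shibd with
# LD_LIBRARY_PATH=/opt/shibboleth/lib64 as the guide describes.
run_on_host() {
    shibd -t 2>&1 | check_shibd_output || echo "shibd -t check FAILED (rc $?)"
    check_repo_file < /etc/yum.repos.d/shibboleth.repo || echo "repo file check FAILED (rc $?)"
    curl -sS "https://$(hostname -f)/Shibboleth.sso/Session" | check_session_page \
        || echo "Session handler check FAILED"
}

# Constructed sample outputs for an offline dry run (not real shibd output).
SAMPLE_OK="WARN Shibboleth.Config : sample warning
$LOADABLE"
SAMPLE_ERR="ERROR XMLTooling.ParserPool : sample fatal error
$LOADABLE"
printf '%s\n' "$SAMPLE_OK"  | check_shibd_output && echo "sample OK: pass (rc 0)"
printf '%s\n' "$SAMPLE_ERR" | check_shibd_output || echo "sample ERR: rc $?"
```

Call run_on_host on the SP after the package is installed and shibd and the web server are running; a non-zero rc from check_shibd_output points at the shibd.log entries to read first.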

5. Service Provider Configuration

After the above tests were successful, continue to the Shibboleth SP configuration. Note that the configuration and migration guides are only for Switch edu-ID Participants who configure a Service Provider for the Switch edu-ID Federation (or the AAI Test Federation). In all other cases refer to the configuration pages in the Shibboleth Wiki.

Mistakes and Improvements?

If you found an error or a typo or if you have suggestions for improvements, please let us know. Your contributions are appreciated very much and they will help your colleagues.

6. Additional Information

6.1. References

6.2. Version Information

Copyright: Switch
Author: aai@switch.ch
URL: [https://help.switch.ch/aai/guides/sp/installation/](https://help.switch.ch/aai/guides/sp/installation/)

Source: https://help.switch.ch/aai/guides/sp/installation/?os=unix
