Shibboleth SP Installation

Guide to help configure a Service Provider on an Ubuntu system

Introduction

This tutorial presents the steps required to install the Shibboleth Service Provider (SP). The tool will act as a service provider within the CAFe Federation.

The requirements and the installation walkthrough are presented below. Note that throughout the installation there are variables (highlighted in bold and prefixed with $, e.g. $HOSTNAME) that must be replaced manually with their respective values.

Requirements

Before following this guide, the following guides are expected to have been completed:

Click here: Key and Certificate Generation, covering items 1, 2.1 and 2.4

Variable Glossary

Throughout this guide a number of variables are used that must be replaced for the configuration files to work correctly. A glossary for replacing the variables follows:

$DOMINIO_INST = e.g. instituicao.br
$ENDERECO_IP = e.g. 111.222.333.444
$HOSTNAME = e.g. servidor.instituicao.br

Walkthrough

First install Apache 2 together with the PHP5 and Shibboleth 2 modules. To do so, run the following command line:

apt-get -y install apache2 libapache2-mod-php5 libapache2-mod-shib2

Check the file /etc/apache2/ports.conf to confirm that the lines Listen 80 and Listen 443 are present. If these lines do not exist or are commented out, add them to the end of the file.

Allow Shibboleth through the firewall rules file. To do so, add the lines below to the file /etc/default/firewall.

# Apache access (Shibboleth-SP)
#SHIB-SP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT #SHIB-SP
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT #SHIB-SP
#SHIB-SP

Replace the contents of the file /etc/apache2/sites-available/default with the following lines:

NameVirtualHost *
<VirtualHost *>
 ServerName $HOSTNAME
 ServerSignature Off
 # Redirect to SSL
 RewriteEngine on
 RewriteCond %{HTTPS} !=on
 RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
 DocumentRoot /var/www/
 <Directory /var/www/>
 Options Indexes FollowSymLinks MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
 </Directory>
 ErrorLog /var/log/apache2/error.log
 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel info
 CustomLog /var/log/apache2/sp-access-80.log combined
</VirtualHost>

The file above can be downloaded with the following command line:

wget https://svn.rnp.br/repos/CAFe/ubuntu/lucid/shibboleth-sp/default -O /etc/apache2/sites-available/default --no-check-certificate

Replace the contents of the file /etc/apache2/sites-available/shibboleth-sp2.conf with the following lines:

<VirtualHost $ENDERECO_IP:443>
 ServerName $HOSTNAME
 ServerSignature Off
 SSLEngine on
 SSLCertificateFile /etc/ssl/certs/$HOSTNAME.crt
 SSLCertificateKeyFile /etc/ssl/private/$HOSTNAME.key
 #ShibURLScheme https
 DocumentRoot /var/www/
 <Directory /var/www/>
 Options -Indexes -FollowSymLinks -MultiViews
 AllowOverride None
 Order deny,allow
 Allow from all
 </Directory>
 <Location /secure>
 AuthType shibboleth
 ShibRequireSession On
 require valid-user
 Order allow,deny
 allow from all
 </Location>
# <Location /moodle/auth/shibboleth>
# AuthType shibboleth
# ShibRequireSession On
# require valid-user
# </Location>
 ErrorLog /var/log/apache2/error.log
 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel info
 CustomLog /var/log/apache2/sp-access-443.log combined
</VirtualHost>

The file above can be downloaded with the following command line:

wget https://svn.rnp.br/repos/CAFe/ubuntu/lucid/shibboleth-sp/shibboleth-sp2 -O /etc/apache2/sites-available/shibboleth-sp2.conf --no-check-certificate

Enable the Rewrite, Shibboleth and SSL modules in Apache with the following command lines:

a2enmod shib2
a2enmod ssl
a2enmod rewrite

Enable the site and delete the unnecessary files. To do so, run the following command lines:

a2ensite shibboleth-sp2
rm -rf /var/www/index.html
rm -rf /etc/shibboleth/IQ-metadata.xml

Replace the contents of the file /etc/shibboleth/shibboleth2.xml with the following lines:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
 xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 logger="syslog.logger" clockSkew="180">
 <OutOfProcess logger="shibd.logger">
 </OutOfProcess>
 <InProcess logger="native.logger">
 <ISAPI normalizeRequest="true" safeHeaderNames="true">
 <Site id="1" name="sp.example.org"/>
 </ISAPI>
 </InProcess>
 <UnixListener address="shibd.sock"/>
 <StorageService type="Memory" id="mem" cleanupInterval="900"/>
 <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
 <ReplayCache StorageService="mem"/>
 <ArtifactMap artifactTTL="180"/>
 <RequestMapper type="Native">
 <RequestMap applicationId="default">
 <Host name="$HOSTNAME">
 <Path name="secure" authType="shibboleth" requireSession="true"/>
 </Host>
 </RequestMap>
 </RequestMapper>
 <ApplicationDefaults id="default" policyId="default"
 entityID="https://$HOSTNAME/shibboleth-sp2"
 REMOTE_USER="eppn persistent-id targeted-id"
 signing="false" encryption="false">
 <Sessions lifetime="28800" timeout="3600" checkAddress="false"
 handlerURL="/Shibboleth.sso" handlerSSL="false"
 exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
 idpHistory="false" idpHistoryDays="7">
 <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
 <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
 <SessionInitiator type="Shib1" defaultACSIndex="5"/>
 <SessionInitiator type="SAMLDS" URL="https://ds.chimarrao.cafe.rnp.br/WAYF"/>
 </SessionInitiator>
 <md:AssertionConsumerService Location="/SAML2/POST" index="1"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
 <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
 <md:AssertionConsumerService Location="/SAML/POST" index="5"
 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
 <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
 <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
 <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
 <LogoutInitiator type="Local"/>
 </LogoutInitiator>
 <md:SingleLogoutService Location="/SLO/SOAP"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 <md:ManageNameIDService Location="/NIM/SOAP"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
 <Handler type="Session" Location="/Session" showAttributeValues="false"/>
 </Sessions>
 <Errors supportContact="root@localhost"
 logoLocation="/shibboleth-sp2/logo.jpg"
 styleSheet="/shibboleth-sp2/main.css"/>
 <MetadataProvider type="Chaining">
 <MetadataProvider type="XML" uri="https://ds.chimarrao.cafe.rnp.br/metadata/chimarrao-metadata.xml"
 backingFilePath="/etc/shibboleth/chimarrao-metadata.xml" validate="true" reloadInterval="300">
 </MetadataProvider>
 </MetadataProvider>
 <TrustEngine type="Chaining">
 <TrustEngine type="ExplicitKey"/>
 <TrustEngine type="PKIX"/>
 </TrustEngine>
 <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
 <AttributeResolver type="Query" subjectMatch="true"/>
 <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
 <CredentialResolver type="File" key="/etc/ssl/private/$HOSTNAME.key"
 certificate="/etc/ssl/certs/$HOSTNAME.crt"
 keyName="$HOSTNAME"/>
 </ApplicationDefaults>
 <SecurityPolicies>
 <Policy id="default" validate="false">
 <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
 <PolicyRule type="Conditions">
 <PolicyRule type="Audience"/>
 </PolicyRule>
 <PolicyRule type="ClientCertAuth" errorFatal="true"/>
 <PolicyRule type="XMLSigning" errorFatal="true"/>
 <PolicyRule type="SimpleSigning" errorFatal="true"/>
 </Policy>
 </SecurityPolicies>
</SPConfig>

Replace the contents of the file /etc/shibboleth/attribute-map.xml with the following lines:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
 <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
 </Attribute>
 <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
 <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
 </Attribute>
 <!-- Schema: Core schema attributes-->
 <!-- mail -->
 <Attribute name="urn:mace:dir:attribute-def:mail"
 id="Shib-inetOrgPerson-mail"/>
 <Attribute name="urn:oid:0.9.2342.19200300.100.1.3"
 id="Shib-inetOrgPerson-mail"/>
 <!-- cn -->
 <Attribute name="urn:mace:dir:attribute-def:cn"
 id="Shib-inetOrgPerson-cn"/>
 <Attribute name="urn:oid:2.5.4.3"
 id="Shib-inetOrgPerson-cn"/>
 <!-- sn -->
 <Attribute name="urn:mace:dir:attribute-def:sn"
 id="Shib-inetOrgPerson-sn"/>
 <Attribute name="urn:oid:2.5.4.4"
 id="Shib-inetOrgPerson-sn"/>
 <!-- Schema: brEduPerson -->
 <!-- brEduAffiliationType -->
 <Attribute name="urn:mace:rnp.br:attribute-def:brEduAffiliationType"
 id="Shib-brEduPerson-brEduAffiliationType"/>
 <Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.2.1"
 id="Shib-brEduPerson-brEduAffiliationType"/>
 <!-- The brPersonCPF and brPersonPassport attributes are not enabled in the default configuration -->
 <!-- brPersonCPF -->
 <!--
 <Attribute name="urn:mace:rnp.br:attribute-def:brPersonCPF"
 id="Shib-brPerson-brPersonCPF"/>
 <Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.1.1"
 id="Shib-brPerson-brPersonCPF"/>
 -->
 <!-- brPersonPassport -->
 <!--
 <Attribute name="urn:mace:rnp.br:attribute-def:brPersonPassport"
 id="Shib-brPerson-brPersonPassport"/>
 <Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.1.2"
 id="Shib-brPerson-brPersonPassport"/>
 -->
 <!-- Schema: eduPerson attributes -->
 <!-- eppn - eduPersonPrincipalName -->
 <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
 id="Shib-eduPerson-eduPersonPrincipalName">
 <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
 </Attribute>
 <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
 id="Shib-eduPerson-eduPersonPrincipalName">
 <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
 </Attribute>
 <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation"
 id="Shib-eduPerson-eduPersonAffiliation"/>
 <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
 id="Shib-eduPerson-eduPersonAffiliation"/>
</Attributes>

Replace the contents of the file /etc/shibboleth/attribute-policy.xml with the following lines:

<afp:AttributeFilterPolicyGroup
 xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
 xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
 xmlns:afp="urn:mace:shibboleth:2.0:afp"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <!-- Shared rule for affiliation values. -->
 <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
 <Rule xsi:type="AttributeValueString" value="faculty"/>
 <Rule xsi:type="AttributeValueString" value="student"/>
 <Rule xsi:type="AttributeValueString" value="staff"/>
 <Rule xsi:type="AttributeValueString" value="alum"/>
 <Rule xsi:type="AttributeValueString" value="member"/>
 <Rule xsi:type="AttributeValueString" value="affiliate"/>
 <Rule xsi:type="AttributeValueString" value="employee"/>
 <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
 </afp:PermitValueRule>
 <!--
 Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
 an AttributeRule for each attribute you want to check.
 -->
 <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
 <Rule xsi:type="NOT">
 <Rule xsi:type="AttributeValueRegex" regex="@"/>
 </Rule>
 <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
 </afp:PermitValueRule>
 <afp:AttributeFilterPolicy>
 <!-- This policy is in effect in all cases. -->
 <afp:PolicyRequirementRule xsi:type="ANY"/>
 <!-- Filter out undefined affiliations and ensure only one primary. -->
 <afp:AttributeRule attributeID="affiliation">
 <afp:PermitValueRule xsi:type="AND">
 <RuleReference ref="eduPersonAffiliationValues"/>
 <RuleReference ref="ScopingRules"/>
 </afp:PermitValueRule>
 </afp:AttributeRule>
 <afp:AttributeRule attributeID="unscoped-affiliation">
 <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
 </afp:AttributeRule>
 <afp:AttributeRule attributeID="primary-affiliation">
 <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
 </afp:AttributeRule>
 <afp:AttributeRule attributeID="eppn">
 <afp:PermitValueRuleReference ref="ScopingRules"/>
 </afp:AttributeRule>
 <afp:AttributeRule attributeID="targeted-id">
 <afp:PermitValueRuleReference ref="ScopingRules"/>
 </afp:AttributeRule>
 <!-- Catch-all that passes everything else through unmolested. -->
 <afp:AttributeRule attributeID="*">
 <afp:PermitValueRule xsi:type="ANY"/>
 </afp:AttributeRule>
 </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
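The two shared rules above (eduPersonAffiliationValues and ScopingRules) decide which attribute values the SP accepts from an IdP. The following is an added example, not code from the original guide or from the Shibboleth project, that models those rules in Python: the IdP scopes and the sample attribute values are constructed, and the scope comparison is a plain string or anchored-regex match (a simplification of the real AttributeScopeMatchesShibMDScope rule).

```python
"""Model of the shared PermitValueRules from attribute-policy.xml (added example).

Scoped attributes arrive as (value, scope) pairs; the scopes an IdP may assert come
from the <shibmd:Scope> elements in its federation metadata. All inputs are constructed.
"""
import re

# Values permitted by the eduPersonAffiliationValues rule above.
PERMITTED_AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                          "affiliate", "employee", "library-walk-in"}

def scope_allowed(scope, idp_scopes):
    """AttributeScopeMatchesShibMDScope (simplified): the scope must equal one of the
    IdP's declared scopes, or fully match a scope entry flagged as a regex."""
    for pattern, is_regex in idp_scopes:
        if is_regex:
            if re.fullmatch(pattern, scope):
                return True
        elif pattern == scope:
            return True
    return False

def scoping_rules(value, scope, idp_scopes):
    """ScopingRules (AND): no '@' inside the value part AND the scope belongs to this IdP."""
    return "@" not in value and scope_allowed(scope, idp_scopes)

def filter_affiliation(values, idp_scopes):
    """AttributeRule for 'affiliation': eduPersonAffiliationValues AND ScopingRules."""
    return [(v, s) for v, s in values
            if v in PERMITTED_AFFILIATIONS and scoping_rules(v, s, idp_scopes)]

def filter_eppn(values, idp_scopes):
    """AttributeRule for 'eppn': ScopingRules only."""
    return [(v, s) for v, s in values if scoping_rules(v, s, idp_scopes)]

# Constructed sample: an IdP whose metadata declares the single scope instituicao.br.
IDP_SCOPES = [("instituicao.br", False)]
SAMPLE_AFFILIATIONS = [
    ("student", "instituicao.br"),   # kept
    ("student", "outra.edu.br"),     # dropped: scope is not declared by this IdP
    ("root", "instituicao.br"),      # dropped: not a permitted affiliation value
    ("staff@x", "instituicao.br"),   # dropped: '@' inside the value part
]
SAMPLE_EPPN = [("jsilva", "instituicao.br"), ("admin", "outra.edu.br")]
```

Note that the attribute-map.xml above assigns ids such as Shib-eduPerson-eduPersonPrincipalName rather than eppn or affiliation, so the named rules only bind when the ids in the map and in the policy agree; otherwise the catch-all rule passes those values through unfiltered.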

Replace the contents of the file /root/$HOSTNAME-metadata-sp.xml with the lines below (the file is created manually):

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://$HOSTNAME/shibboleth-sp2">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
 <Extensions>
 <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 <mdui:DisplayName xml:lang="en">Nome por extenso do serviço - SIGLA DO SERVIÇO</mdui:DisplayName>
 <mdui:Description xml:lang="en">Uma breve descrição do serviço.</mdui:Description>
 </mdui:UIInfo>
 </Extensions>
 <KeyDescriptor>
 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:X509Data>
 <ds:X509Certificate>
INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO
INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO
INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO
 </ds:X509Certificate>
 </ds:X509Data>
 </ds:KeyInfo>
 </KeyDescriptor>
 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/POST" index="1"/>
 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/Artifact" index="3"/>
 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/ECP" index="4"/>
 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://$HOSTNAME/Shibboleth.sso/SAML/POST" index="5"/>
 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://$HOSTNAME/Shibboleth.sso/SAML/Artifact" index="6"/>
 </SPSSODescriptor>
 <Organization>
 <OrganizationName xml:lang="en">Sigla - descricao instituicao</OrganizationName>
 <OrganizationDisplayName xml:lang="en">Sigla - descricao instituicao</OrganizationDisplayName>
 <OrganizationURL xml:lang="en">http://$DOMINIO_INST</OrganizationURL>
 </Organization>
 <ContactPerson contactType="technical">
 <SurName>TI</SurName>
 <EmailAddress>email@dominio</EmailAddress>
 </ContactPerson>
</EntityDescriptor>

The certificate content to be included in the file above is the certificate generated and stored in the file /etc/ssl/certs/$HOSTNAME.crt.

To install the test application, run the following command lines:
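The metadata file above must agree with shibboleth2.xml and with the certificate on disk. The following is an added consistency check, not code from the original guide or from the Shibboleth project; the host name, certificate and cut-down sample documents in it are constructed placeholders.

```python
"""Cross-check shibboleth2.xml against the hand-written SP metadata file (added example,
not part of the original guide). Checks: same entityID in both files; every
AssertionConsumerService in the metadata equals https://$HOSTNAME + handlerURL + Location
from shibboleth2.xml at the same index; the pasted certificate equals the on-disk .crt."""
import xml.etree.ElementTree as ET

CONF, MD = "urn:mace:shibboleth:2.0:native:sp:config", "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

def pem_body(pem):
    """Drop BEGIN/END lines and whitespace so certificate text compares cleanly."""
    return "".join(l.strip() for l in pem.splitlines() if "-----" not in l)

def check_sp(shib_xml, metadata_xml, hostname, crt_pem):
    """Return a list of problems; an empty list means the three artefacts agree."""
    problems = []
    app = ET.fromstring(shib_xml).find(f"{{{CONF}}}ApplicationDefaults")
    sessions = app.find(f"{{{CONF}}}Sessions")
    md = ET.fromstring(metadata_xml)
    if app.get("entityID") != md.get("entityID"):
        problems.append("entityID differs between shibboleth2.xml and metadata")
    base = f"https://{hostname}{sessions.get('handlerURL')}"  # handler endpoints live under handlerURL
    expected = {a.get("index"): (a.get("Binding"), base + a.get("Location"))
                for a in sessions.findall(f"{{{MD}}}AssertionConsumerService")}
    sso = md.find(f"{{{MD}}}SPSSODescriptor")
    for a in sso.findall(f"{{{MD}}}AssertionConsumerService"):
        if expected.get(a.get("index")) != (a.get("Binding"), a.get("Location")):
            problems.append(f"ACS index {a.get('index')} does not match shibboleth2.xml")
    cert = sso.find(f"{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None or pem_body(cert.text or "") != pem_body(crt_pem):
        problems.append("certificate in metadata differs from the .crt file")
    return problems

# Constructed samples (not a real host or certificate), abbreviated to two ACS endpoints.
HOST = "sp.instituicao.br"
CRT = "-----BEGIN CERTIFICATE-----\nMIIBconstructedCertBody\n-----END CERTIFICATE-----\n"
SHIB_XML = f"""<SPConfig xmlns="{CONF}" xmlns:md="{MD}">
 <ApplicationDefaults id="default" entityID="https://{HOST}/shibboleth-sp2">
  <Sessions handlerURL="/Shibboleth.sso">
   <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="{HTTP_POST}"/>
   <md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="{ARTIFACT}"/>
  </Sessions></ApplicationDefaults></SPConfig>"""

def metadata_xml(artifact_location, cert=CRT):
    """Metadata shaped like the file above; the parameters let a caller introduce mismatches."""
    return f"""<EntityDescriptor xmlns="{MD}" entityID="https://{HOST}/shibboleth-sp2">
 <SPSSODescriptor><KeyDescriptor><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
  <ds:X509Certificate>{pem_body(cert)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <AssertionConsumerService Binding="{HTTP_POST}" Location="https://{HOST}/Shibboleth.sso/SAML2/POST" index="1"/>
  <AssertionConsumerService Binding="{ARTIFACT}" Location="{artifact_location}" index="3"/>
 </SPSSODescriptor></EntityDescriptor>"""
```

Run check_sp on the real files by reading them from disk and passing the real $HOSTNAME and the contents of /etc/ssl/certs/$HOSTNAME.crt.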

mkdir /var/www/secure
wget https://svn.rnp.br/repos/CAFe/ubuntu/lucid/shibboleth-sp/index.php -O /var/www/secure/index.php --no-check-certificate

Edit the file /etc/init.d/shibd if the OS is Ubuntu 14.04. Find the lines below and edit them so that they match the example.

On Ubuntu 18.04 LTS the file is at /lib/systemd/system/shibd.service.

#DAEMON_USER=_shibd - comment out this line

DAEMON_USER=root - add this new line

** After making the change, stop shibd and then start it again.
