Guide to configuring a Service Provider on an Ubuntu system
Introduction
This tutorial presents the steps needed to install the Shibboleth Service Provider (SP). This tool will act as a service provider within the CAFe Federation.
The requirements and the installation procedure are presented below. Note that throughout the installation there are variables (shown in bold, in the form $VARIABLE) that must be replaced manually with their respective values.
Requirements
Before following this guide, the following guides are expected to have been completed:
Variable Glossary
Throughout this guide some variables are used that must be replaced for the configuration files to work correctly. A glossary for replacing these variables follows:
$DOMINIO_INST = e.g. instituicao.br
$ENDERECO_IP = e.g. 111.222.333.444
$HOSTNAME = e.g. servidor.instituicao.br
Procedure
First, install Apache 2 together with the PHP5 and Shibboleth 2 modules by running the following command:
apt-get -y install apache2 libapache2-mod-php5 libapache2-mod-shib2
Check the file /etc/apache2/ports.conf for the lines Listen 80 and Listen 443. If these lines are missing or commented out, add them to the end of the file.
Allow Shibboleth through the firewall rules file by adding the lines below to /etc/default/firewall.
# Allow Apache (Shibboleth-SP)
#SHIB-SP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT #SHIB-SP
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT #SHIB-SP
#SHIB-SP
Replace the contents of the file /etc/apache2/sites-available/default with the following lines:
NameVirtualHost *
<VirtualHost *>
ServerName $HOSTNAME
ServerSignature Off
# Redirect to HTTPS
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
DocumentRoot /var/www/
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info
CustomLog /var/log/apache2/sp-access-80.log combined
</VirtualHost>
The file above can be downloaded with the following command:
wget https://svn.rnp.br/repos/CAFe/ubuntu/lucid/shibboleth-sp/default -O /etc/apache2/sites-available/default --no-check-certificate
Replace the contents of the file /etc/apache2/sites-available/shibboleth-sp2.conf with the following lines:
<VirtualHost $ENDERECO_IP:443>
ServerName $HOSTNAME
ServerSignature Off
SSLEngine on
SSLCertificateFile /etc/ssl/certs/$HOSTNAME.crt
SSLCertificateKeyFile /etc/ssl/private/$HOSTNAME.key
#ShibURLScheme https
DocumentRoot /var/www/
<Directory /var/www/>
Options -Indexes -FollowSymLinks -MultiViews
AllowOverride None
Order deny,allow
Allow from all
</Directory>
<Location /secure>
AuthType shibboleth
ShibRequireSession On
require valid-user
Order allow,deny
allow from all
</Location>
# <Location /moodle/auth/shibboleth>
# AuthType shibboleth
# ShibRequireSession On
# require valid-user
# </Location>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel info
CustomLog /var/log/apache2/sp-access-443.log combined
</VirtualHost>
The file above can be downloaded with the following command:
wget https://svn.rnp.br/repos/CAFe/ubuntu/lucid/shibboleth-sp/shibboleth-sp2 -O /etc/apache2/sites-available/shibboleth-sp2.conf --no-check-certificate
Enable the Rewrite, Shibboleth and SSL modules in Apache with the following commands:
a2enmod shib2
a2enmod ssl
a2enmod rewrite
Enable the site and delete the unneeded files by running the following commands:
a2ensite shibboleth-sp2
rm -rf /var/www/index.html
rm -rf /etc/shibboleth/IQ-metadata.xml
Replace the contents of the file /etc/shibboleth/shibboleth2.xml with the following lines:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">
<OutOfProcess logger="shibd.logger">
</OutOfProcess>
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="1" name="sp.example.org"/>
</ISAPI>
</InProcess>
<UnixListener address="shibd.sock"/>
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="$HOSTNAME">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<ApplicationDefaults id="default" policyId="default"
entityID="https://$HOSTNAME/shibboleth-sp2"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false">
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
<SessionInitiator type="SAMLDS" URL="https://ds.chimarrao.cafe.rnp.br/WAYF"/>
</SessionInitiator>
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
<Errors supportContact="root@localhost"
logoLocation="/shibboleth-sp2/logo.jpg"
styleSheet="/shibboleth-sp2/main.css"/>
<MetadataProvider type="Chaining">
<MetadataProvider type="XML" uri="https://ds.chimarrao.cafe.rnp.br/metadata/chimarrao-metadata.xml"
backingFilePath="/etc/shibboleth/chimarrao-metadata.xml" validate="true" reloadInterval="300">
</MetadataProvider>
</MetadataProvider>
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="/etc/ssl/private/$HOSTNAME.key"
certificate="/etc/ssl/certs/$HOSTNAME.crt"
keyName="$HOSTNAME"/>
</ApplicationDefaults>
<SecurityPolicies>
<Policy id="default" validate="false">
<PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
<PolicyRule type="Conditions">
<PolicyRule type="Audience"/>
</PolicyRule>
<PolicyRule type="ClientCertAuth" errorFatal="true"/>
<PolicyRule type="XMLSigning" errorFatal="true"/>
<PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
</SPConfig>
Replace the contents of the file /etc/shibboleth/attribute-map.xml with the following lines:
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
</Attribute>
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
</Attribute>
<!-- Schema: Core schema attributes-->
<!-- mail -->
<Attribute name="urn:mace:dir:attribute-def:mail"
id="Shib-inetOrgPerson-mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3"
id="Shib-inetOrgPerson-mail"/>
<!-- cn -->
<Attribute name="urn:mace:dir:attribute-def:cn"
id="Shib-inetOrgPerson-cn"/>
<Attribute name="urn:oid:2.5.4.3"
id="Shib-inetOrgPerson-cn"/>
<!-- sn -->
<Attribute name="urn:mace:dir:attribute-def:sn"
id="Shib-inetOrgPerson-sn"/>
<Attribute name="urn:oid:2.5.4.4"
id="Shib-inetOrgPerson-sn"/>
<!-- Schema: brEduPerson -->
<!-- brEduAffiliationType -->
<Attribute name="urn:mace:rnp.br:attribute-def:brEduAffiliationType"
id="Shib-brEduPerson-brEduAffiliationType"/>
<Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.2.1"
id="Shib-brEduPerson-brEduAffiliationType"/>
<!-- The brPersonCPF and brPersonPassport attributes are not enabled in the default configuration -->
<!-- brPersonCPF -->
<!--
<Attribute name="urn:mace:rnp.br:attribute-def:brPersonCPF"
id="Shib-brPerson-brPersonCPF"/>
<Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.1.1"
id="Shib-brPerson-brPersonCPF"/>
-->
<!-- brPersonPassport -->
<!--
<Attribute name="urn:mace:rnp.br:attribute-def:brPersonPassport"
id="Shib-brPerson-brPersonPassport"/>
<Attribute name="urn:oid:1.3.6.1.4.1.15996.100.1.1.1.2"
id="Shib-brPerson-brPersonPassport"/>
-->
<!-- Schema: eduPerson attributes -->
<!-- eppn - eduPersonPrincipalName -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
id="Shib-eduPerson-eduPersonPrincipalName">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
id="Shib-eduPerson-eduPersonPrincipalName">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation"
id="Shib-eduPerson-eduPersonAffiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
id="Shib-eduPerson-eduPersonAffiliation"/>
</Attributes>
Replace the contents of the file /etc/shibboleth/attribute-policy.xml with the following lines:
<afp:AttributeFilterPolicyGroup
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:afp="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Shared rule for affiliation values. -->
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
<Rule xsi:type="AttributeValueString" value="faculty"/>
<Rule xsi:type="AttributeValueString" value="student"/>
<Rule xsi:type="AttributeValueString" value="staff"/>
<Rule xsi:type="AttributeValueString" value="alum"/>
<Rule xsi:type="AttributeValueString" value="member"/>
<Rule xsi:type="AttributeValueString" value="affiliate"/>
<Rule xsi:type="AttributeValueString" value="employee"/>
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
</afp:PermitValueRule>
<!--
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
an AttributeRule for each attribute you want to check.
-->
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
<Rule xsi:type="NOT">
<Rule xsi:type="AttributeValueRegex" regex="@"/>
</Rule>
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
</afp:PermitValueRule>
<afp:AttributeFilterPolicy>
<!-- This policy is in effect in all cases. -->
<afp:PolicyRequirementRule xsi:type="ANY"/>
<!-- Filter out undefined affiliations and ensure only one primary. -->
<afp:AttributeRule attributeID="affiliation">
<afp:PermitValueRule xsi:type="AND">
<RuleReference ref="eduPersonAffiliationValues"/>
<RuleReference ref="ScopingRules"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<afp:AttributeRule attributeID="unscoped-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="primary-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eppn">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="targeted-id">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<!-- Catch-all that passes everything else through unmolested. -->
<afp:AttributeRule attributeID="*">
<afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
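An added example, not part of the original guide or of Shibboleth: a shell check that compares the ids attribute-map.xml defines with the attributeID values used in attribute-policy.xml and with the REMOTE_USER list in shibboleth2.xml, because a rule or REMOTE_USER entry naming an id the map never produces is silently ignored. The sample files are constructed and trimmed from the ones above; with the files exactly as given in this guide, eppn and targeted-id are among the ids reported, while persistent-id is defined and is therefore what REMOTE_USER falls back to.

```shell
#!/bin/sh
# Added example, not part of the original guide: cross-check the attribute ids that
# attribute-policy.xml (attributeID="...") and the REMOTE_USER list in shibboleth2.xml
# refer to against the ids that attribute-map.xml defines. A rule or REMOTE_USER token
# naming an id the map never produces is silently a no-op, so such ids are reported.

# Ids defined in attribute-map.xml (the id="..." of each <Attribute>), one per line.
ids_in_map() {
  grep -oE '(^|[[:space:]])id="[^"]*"' "$1" | sed 's/.*id="//; s/"$//' | sort -u
}

# attributeID values referenced by attribute-policy.xml, excluding the "*" catch-all rule.
ids_in_policy() {
  grep -o 'attributeID="[^"]*"' "$1" | sed 's/attributeID="//; s/"$//' | grep -v '^\*$' | sort -u
}

# Tokens of the REMOTE_USER="..." list in shibboleth2.xml, in the order the SP tries them.
ids_in_remote_user() {
  grep -o 'REMOTE_USER="[^"]*"' "$1" | sed 's/REMOTE_USER="//; s/"$//' | tr ' ' '\n'
}

# Print each id of the newline-separated list $1 that attribute-map.xml ($2) does not define.
undefined_ids() {
  map_ids=$(ids_in_map "$2")
  for id in $1; do
    printf '%s\n' "$map_ids" | grep -qx -- "$id" || echo "$id"
  done
}

# Constructed sample files, trimmed from the ones in this guide, so the script runs offline.
WORK=$(mktemp -d)
cat > "$WORK/attribute-map.xml" <<'EOF'
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="Shib-eduPerson-eduPersonPrincipalName"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="Shib-eduPerson-eduPersonAffiliation"/>
</Attributes>
EOF
cat > "$WORK/attribute-policy.xml" <<'EOF'
<afp:AttributeRule attributeID="affiliation"/>
<afp:AttributeRule attributeID="eppn"/>
<afp:AttributeRule attributeID="*"/>
EOF
printf '<ApplicationDefaults REMOTE_USER="eppn persistent-id targeted-id"/>\n' > "$WORK/shibboleth2.xml"

echo "attribute-policy rules whose attributeID the map never defines:"
undefined_ids "$(ids_in_policy "$WORK/attribute-policy.xml")" "$WORK/attribute-map.xml"
echo "REMOTE_USER tokens the map never defines:"
undefined_ids "$(ids_in_remote_user "$WORK/shibboleth2.xml")" "$WORK/attribute-map.xml"
# On the installed SP, point the three functions at /etc/shibboleth/<file> instead of $WORK.
```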
Replace the contents of the file /root/$HOSTNAME-metadata-sp.xml with the lines below (this file is created manually).
<EntityDescriptor entityID="https://$HOSTNAME/shibboleth-sp2">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
<Extensions>
<mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
<mdui:DisplayName xml:lang="en">Full name of the service - SERVICE ACRONYM</mdui:DisplayName>
<mdui:Description xml:lang="en">A brief description of the service.</mdui:Description>
</mdui:UIInfo>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO
INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO
INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/POST" index="1"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/Artifact" index="3"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://$HOSTNAME/Shibboleth.sso/SAML2/ECP" index="4"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://$HOSTNAME/Shibboleth.sso/SAML/POST" index="5"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://$HOSTNAME/Shibboleth.sso/SAML/Artifact" index="6"/>
</SPSSODescriptor>
<Organization>
<OrganizationName xml:lang="en">Acronym - institution description</OrganizationName>
<OrganizationDisplayName xml:lang="en">Acronym - institution description</OrganizationDisplayName>
<OrganizationURL xml:lang="en">http://$DOMINIO_INST</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
<SurName>TI</SurName>
<EmailAddress>email@dominio</EmailAddress>
</ContactPerson>
</EntityDescriptor>
The certificate content to be included in the file above is the certificate generated and stored in the file /etc/ssl/certs/$HOSTNAME.crt.
To install the test application, run the following commands:
mkdir /var/www/secure
wget https://svn.rnp.br/repos/CAFe/ubuntu/lucid/shibboleth-sp/index.php -O /var/www/secure/index.php --no-check-certificate
If the OS is Ubuntu 14.04, edit the file /etc/init.d/shibd: find the lines below and edit them so that they match the example.
On Ubuntu 18.04 LTS the file is /lib/systemd/system/shibd.service.
#DAEMON_USER=_shibd - comment out this line
DAEMON_USER=root - add this new line
** After making the change, stop shibd and then start it again.
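As an added example (not part of the original guide), a shell script with the checks worth running once the steps above are done: it reports placeholders that were never replaced, verifies the Listen lines in ports.conf, prints the certificate body to paste into the metadata file, and confirms that the key and certificate named in CredentialResolver belong together. The sample files, the WORK directory and the fake sample.crt are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added post-install checks for the files edited in this guide (example code, not part of
# the original tutorial). Sample files are constructed below so the script runs offline.

# Placeholders the guide tells the reader to replace by hand.
PLACEHOLDERS='\$HOSTNAME|\$ENDERECO_IP|\$DOMINIO_INST|INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO'

# Print file:line for every placeholder still present in FILES...; return 1 if any were found.
leftover_placeholders() {
  found=0
  for f in "$@"; do
    if [ -f "$f" ] && grep -nE "$PLACEHOLDERS" "$f"; then found=1; fi
  done
  return $found
}

# Return 0 when FILE has an uncommented "Listen PORT" line (the /etc/apache2/ports.conf step).
has_listen() {
  grep -qE "^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?$2([[:space:]]|\$)" "$1"
}

# Append "Listen PORT" to FILE when it is missing, as the guide instructs.
ensure_listen() {
  has_listen "$1" "$2" || printf 'Listen %s\n' "$2" >> "$1"
}

# Print the base64 body of a PEM certificate: the lines that go inside <ds:X509Certificate>.
cert_body() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" | grep -v '^-----'
}

# Return 0 when KEY and CERT share one public key (CredentialResolver, SSL and metadata agree).
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$2") && k=$(openssl pkey -pubout -in "$1") && [ "$c" = "$k" ]
}

# Constructed samples standing in for ports.conf, the SP metadata file and the certificate.
WORK=$(mktemp -d)
printf 'Listen 80\n# Listen 443\n' > "$WORK/ports.conf"
printf '%s\n' '<EntityDescriptor entityID="https://$HOSTNAME/shibboleth-sp2">' \
  '<ds:X509Certificate>INSIRA_AQUI_O_CONTEUDO_DO_ARQUIVO_DO_CERTIFICADO</ds:X509Certificate>' \
  > "$WORK/metadata-sp.xml"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' 'BBBB' '-----END CERTIFICATE-----' \
  > "$WORK/sample.crt"   # not a real certificate, only the PEM framing

ensure_listen "$WORK/ports.conf" 443
echo "Certificate body to paste into the metadata file:"; cert_body "$WORK/sample.crt"
echo "Placeholders still to replace:"
leftover_placeholders "$WORK/metadata-sp.xml" || echo "-> fix these before sending the metadata"
# On a real host, for example:
#   leftover_placeholders /etc/apache2/sites-available/* /etc/shibboleth/shibboleth2.xml /root/*-metadata-sp.xml
#   key_matches_cert /etc/ssl/private/$HOSTNAME.key /etc/ssl/certs/$HOSTNAME.crt
```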