Belnet R&E Federation Workshop
Shibboleth IdP Deployment
Belnet – Mario Vandaele Brussels – 15 March 2012
Workshop Belnet R&E Federation, 15.03.2012
Login – Linux / MacOSX
Start a terminal
Log in to your virtual machine, with # being your assigned group number:
ssh student@idp#.ws.belnet.be
Enter the password:
57ud3n7
Login – Windows
(screenshots on the slides: Login, Output)
Login – sudo
The “student” account doesn’t have “root” privileges, so let’s temporarily enable them:
sudo su -
Enter the password:
57ud3n7
Shibboleth IdP installation
Extract the Shibboleth IdP archive in your local source directory, then check the content of the Shibboleth directory:
cd /home/student/workshop
cp shibboleth-identityprovider-2.3.5-bin.zip /usr/local/src
cd /usr/local/src
unzip shibboleth-identityprovider-2.3.5-bin.zip
cd /usr/local/src/shibboleth-identityprovider-2.3.5
ls -l
Shibboleth IdP installation
Output:
…
-rwxrwxrwx 1 root root 11357 2011-06-02 05:25 LICENSE.txt
-rwxrwxrwx 1 root root   896 2011-06-02 05:25 install.bat
-rwxr-xr-x 1 root root  2511 2011-06-08 10:52 install.sh
-rwxrwxrwx 1 root root   458 2011-06-08 10:52 cpappend.bat
drwxrwxrwx 2 root root  4096 2011-06-19 17:35 doc
drwxrwxrwx 5 root root  4096 2011-11-09 06:36 src
drwxrwxrwx 2 root root  4096 2011-11-09 06:36 lib
drwxrwxrwx 2 root root  4096 2011-11-09 06:36 endorsed
…
Shibboleth IdP installation
Some extra Java classes, bundled into jar files and required by Shibboleth, must be endorsed by our Java servlet engine (Tomcat). Copy them and check the content of the new directory:
mkdir /usr/share/tomcat6/endorsed/
cp ./endorsed/*.jar /usr/share/tomcat6/endorsed/
ls -l /usr/share/tomcat6/endorsed
Shibboleth IdP installation
Output:
…
-r--r--r-- 1 root root 3176148 2012-03-01 15:31 xalan-2.7.1.jar
-r--r--r-- 1 root root  278286 2012-03-01 15:31 serializer-2.10.0.jar
-r--r--r-- 1 root root   84091 2012-03-01 15:31 xml-resolver-1.2.jar
-r--r--r-- 1 root root  220536 2012-03-01 15:31 xml-apis-2.10.0.jar
-r--r--r-- 1 root root 1363159 2012-03-01 15:31 xercesImpl-2.10.0.jar
…
Shibboleth IdP installation
(Optional) Pre-build preparation: check the Java environment
update-alternatives --config java
Output:
Selection   Path                                        Priority   Status
------------------------------------------------------------------------
  0         /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061       auto mode
  1         /opt/java/64/jre1.6.0_31/bin/java           1          manual mode
  2         /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061       manual mode
  3         /usr/lib/jvm/java-6-sun/jre/bin/java        63         manual mode
Shibboleth IdP installation
(Optional) Pre-build preparation: set & check JAVA_HOME
export JAVA_HOME=/usr/lib/jvm/java-6-sun/jre
echo $JAVA_HOME
/usr/lib/jvm/java-6-sun/jre
Pre-build preparation: set & check IDP_HOME, and point IDP_SRC at the unzipped source directory
export IDP_HOME=/opt/shibboleth-idp
echo $IDP_HOME
/opt/shibboleth-idp
export IDP_SRC=/usr/local/src/shibboleth-identityprovider-2.3.5
Shibboleth IdP installation
(Optional) Set IdPCertLifetime for the self-signed server certificate
– If you want to override the default lifetime of 20 years for the self-signed certificate, you must set the environment variable IdPCertLifetime (in years) to a value of your choice before running the installer
– This server certificate is NOT the same as the CA-issued (TERENA) server certificate for HTTPS, so don’t use this one in your web server configuration (Apache)
export IdPCertLifetime=3
Shibboleth IdP installation
Build the Shibboleth IdP web application and provide input when requested by the script:
– Installation directory = /opt/shibboleth-idp
– FQDN = idp#.ws.belnet.be
• With # being your assigned group number
– Keystore password = 57ud3n7
cd $IDP_SRC
./install.sh
Shibboleth IdP installation
Output (1/3)
Buildfile: src/installer/resources/build.xml
install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
idp#.ws.belnet.be
Shibboleth IdP installation
Output (2/3)
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
57ud3n7
Updating property file: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore.
Shibboleth IdP installation
Output (3/3)
Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 51 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer
Building war: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/web.xml
Deleting: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/idp.war
BUILD SUCCESSFUL
Shibboleth IdP installation
Check the content of IDP_HOME
ls -l $IDP_HOME
Output:
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 bin
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 conf
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 credentials
drwxr-xr-x 3 root root 4096 2012-03-02 13:42 lib
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 logs
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 metadata
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 war
Shibboleth IdP installation
IDP_HOME/bin command line tools
– aacli.sh: attribute authority CLI to simulate attribute resolving and filtering
– version.sh: provides the version of Shibboleth IdP
ls -l $IDP_HOME/bin
-rw-r--r-- 1 root root 1045 2011-06-08 10:52 aacli.bat
-rwxr-xr-x 1 root root 1118 2011-06-08 10:52 aacli.sh
-rw-r--r-- 1 root root  445 2011-06-08 10:52 cpappend.bat
-rw-r--r-- 1 root root  895 2011-06-08 10:52 version.bat
-rwxr-xr-x 1 root root 1043 2011-06-08 10:52 version.sh
Shibboleth IdP installation
IDP_HOME/conf configuration files
ls -l $IDP_HOME/conf
-rw-r--r-- 1 root root  3468 2011-10-09 07:34 attribute-filter.xml
-rw-r--r-- 1 root root 22171 2011-10-09 07:38 attribute-resolver.xml
-rw-r--r-- 1 root root  6442 2011-10-09 07:41 handler.xml
-rw-r--r-- 1 root root 12069 2011-10-09 07:41 internal.xml
-rw-r--r-- 1 root root  3108 2011-06-08 10:52 logging.xml
-rw-r--r-- 1 root root  1631 2011-07-11 14:13 login.config
-rw-r--r-- 1 root root 14134 2011-10-09 07:37 relying-party.xml
-rw-r--r-- 1 root root  3892 2011-10-09 07:44 service.xml
Shibboleth IdP installation
IDP_HOME/credentials: private key, public certificate & keystore
– The private key (idp.key) is used for signing SAML messages
– The public certificate (idp.crt) is published via the metadata and can be used by an SP to encrypt SAML messages sent to the IdP
– These are different from the credentials used for HTTPS: the Apache configuration uses CA-issued server certificates
ls -l $IDP_HOME/credentials
-rw-r--r-- 1 root root 1200 2012-03-02 13:42 idp.crt
-rw-r--r-- 1 root root 2214 2012-03-02 13:42 idp.jks
-rw-r--r-- 1 root root 1679 2012-03-02 13:42 idp.key
Shibboleth IdP installation
IDP_HOME/credentials: private key, public certificate & keystore
– For this workshop we have generated self-signed credentials which are already present in the federation metadata
cp /home/student/workshop/idp.key $IDP_HOME/credentials/
cp /home/student/workshop/idp.crt $IDP_HOME/credentials/
Shibboleth IdP installation
IDP_HOME/lib
– Contains all Java libraries (jar files) which make up the IdP
– These files are copies of those present in the war file
– Only used by the command line tools
– Java libraries < JAR < WAR < EAR
ls -l $IDP_HOME/lib
-rw-r--r-- 1 root root  62983 2011-07-18 06:11 activation-1.1.jar
…
-rw-r--r-- 1 root root 623568 2011-10-23 16:36 xmltooling-1.3.3.jar
Shibboleth IdP installation
IDP_HOME/logs
– To be configured in logging.xml
– Process log: detailed description of how the IdP processes requests
– Access log: record of all clients which connect to the IdP
– Audit log: record of all information sent out by the IdP
– Soon audit logging will be available on the SP side as well
ls -l $IDP_HOME/logs
…
Shibboleth IdP installation
IDP_HOME/metadata
– Default location where local metadata and backups of remote metadata files are stored
– The IdP does not automatically load any metadata: it must be explicitly told in relying-party.xml where to look for it
ls -l $IDP_HOME/metadata
-rw-r--r-- 1 root root 5499 2011-06-08 10:52 idp-metadata.xml
Shibboleth IdP installation
IDP_HOME/war
– The actual file used by Tomcat to deploy the IdP web application
– Tomcat must be told where to find the war file
ls -l $IDP_HOME/war
-rw-r--r-- 1 root root 16613597 2012-03-02 13:42 idp.war
Shibboleth IdP installation
Context descriptor for the IdP in Tomcat
– Create the file /etc/tomcat6/Catalina/localhost/idp.xml, where idp will be the context path
– Workshop specific:
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false"
         swallowOutput="true" />
cd /home/student/workshop/
cp catalina-idp.xml /etc/tomcat6/Catalina/localhost/idp.xml
cp idp-workshop.war /opt/shibboleth-idp/war/idp.war
Tomcat Configuration
Define the communication ports between Tomcat and Apache
– Configure /etc/tomcat6/server.xml
– Comment out the HTTP connector on port 8080
– Keep the AJP connector on port 8009, bound to 127.0.0.1 only, so that Apache is the only way in
vim /etc/tomcat6/server.xml
…
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3"
           redirectPort="8443" enableLookups="false" />
…
Tomcat Configuration
Restart Tomcat and check the listening ports
/etc/init.d/tomcat6 restart
 * Stopping Tomcat servlet engine tomcat6 [ OK ]
 * Starting Tomcat servlet engine tomcat6 [ OK ]
netstat -nl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
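As an added check (not part of the workshop material), the Python script below applies the intended port layout to the netstat -nl listing: Apache on 443 and 8443, Tomcat's AJP connector (8009) and shutdown port (8005) reachable from 127.0.0.1 only, and no HTTP connector on 8080. SAMPLE_NETSTAT is a constructed copy of the listing above; run on it, the check flags the 8080 connector, which that listing shows still open.

```python
"""Added example (not part of the workshop material): check the listening
sockets of the IdP host against the Apache/Tomcat layout the workshop sets
up. Input is the text of netstat -nl; SAMPLE_NETSTAT is a constructed copy
of the listing shown on the slide."""

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample, mirroring the slide's netstat -nl output.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
"""


def parse_listeners(text):
    """Return (address, port) tuples for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[-1] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def check_idp_listeners(text):
    """Apply the workshop's intended port layout and return a list of findings.

    - Apache must listen on 443 (users) and 8443 (SP back-channel, client auth).
    - Tomcat's AJP connector (8009) and shutdown port (8005) must be loopback-only.
    - Tomcat's HTTP connector (8080) is commented out, so it must not listen at all.
    """
    by_port = {}
    for addr, port in parse_listeners(text):
        by_port.setdefault(port, set()).add(addr)
    findings = []
    for port in (443, 8443):
        if port not in by_port:
            findings.append(f"port {port} not listening: Apache virtual host missing")
    for port in (8009, 8005):
        exposed = by_port.get(port, set()) - LOOPBACK
        if exposed:
            findings.append(f"port {port} bound to non-loopback address {sorted(exposed)}")
    if 8080 in by_port:
        findings.append("port 8080 still listening: Tomcat HTTP connector not commented out")
    return findings


if __name__ == "__main__":
    for finding in check_idp_listeners(SAMPLE_NETSTAT):
        print("WARN:", finding)
```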
CA-issued Server Certificate
Request a server certificate: https://dcs.belnet.be
– Workshop specific: the chain file comodo-chain.pem is already present in /etc/ssl/certs/. Don’t forget to download and install this chain certificate when requesting your IdP server certificate for your own environment
cd /home/student/workshop
cp idp#.ws.belnet.be.key /etc/ssl/private/
cp idp#.ws.belnet.be.pem /etc/ssl/certs/
Apache configuration
Create a specific configuration file for the IdP
– Create the file /etc/apache2/sites-available/idp
– Workshop specific:
• Replace [#] with your assigned group number
• In vim, press [ESC] and run :%s/\[#\]/your number/g
cd /home/student/workshop
cp apache-your-idp-site-config /etc/apache2/sites-available/idp
vim /etc/apache2/sites-available/idp
Apache configuration
Two important sections in the configuration file:
– Virtual host listening on port 443:
• TERENA SSL certificate
• AJP connector to Tomcat
– Virtual host listening on port 8443:
• Self-signed certificate
• SSL client authentication to identify SPs (based on trust in metadata)
• AJP connector to Tomcat
Apache configuration
Enable the IdP configuration file, mod_ssl and mod_proxy_ajp:
a2ensite idp
a2enmod ssl
a2enmod proxy_ajp
Apache configuration
Check & restart Apache
apache2ctl -t
Syntax OK
apache2ctl -k restart
netstat -nl
Shibboleth IdP Configuration
Set IdP directory & file permissions
chown tomcat6 $IDP_HOME/metadata
chown tomcat6 $IDP_HOME/logs
chown -R tomcat6 $IDP_HOME/credentials
chmod 750 $IDP_HOME/credentials
cd $IDP_HOME/credentials
chmod 440 idp.key
chmod 644 idp.crt
Shibboleth IdP Configuration
Download the R&E Test Federation certificate
– The Test Federation metadata is signed with this certificate, so your IdP can check its authenticity during download
– Workshop specific: certificate.federation.belnet.be.pem is already present in /etc/ssl/certs/
– Don’t forget to also put the TERENA chain file in /etc/ssl/certs/
cd $IDP_HOME/credentials
wget https://federation.belnet.be/certificate.federation.belnet.be.pem
Shibboleth IdP Configuration
Create the IdP metadata file
– The IdP must be made aware of its own identity
– Workshop specific: fill in your organization information, which is required for the Belnet R&E Federation
ls -l $IDP_HOME/metadata
cp /home/student/workshop/idp-metadata.xml $IDP_HOME/metadata/idp-metadata.xml
vim $IDP_HOME/metadata/idp-metadata.xml
Shibboleth IdP Configuration
Configure the Relying Party elements
IdP’s own metadata configuration
– No changes required
vim $IDP_HOME/conf/relying-party.xml
<!-- Load the IdP's own metadata. This is necessary for artifact support. -->
<metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
    <metadata:MetadataResource xsi:type="resource:FilesystemResource"
                               xmlns="urn:mace:shibboleth:2.0:metadata"
                               file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
</metadata:MetadataProvider>
Shibboleth IdP Configuration
Security configuration for the IdP
– No changes required
<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>
Shibboleth IdP Configuration
Metadata configuration – Test Federation
<metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           metadataURL="https://federation.belnet.be/testfederation-metadata.xml"
                           backingFile="/opt/shibboleth-idp/metadata/testfederation-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P10D" />
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                 trustEngineRef="shibboleth.MetadataTrustEngine"
                                 requireSignedMetadata="true" />
        <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
            <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
        </metadata:MetadataFilter>
    </metadata:MetadataFilter>
</metadata:MetadataProvider>
Shibboleth IdP Configuration
Security configuration – Test Federation
– Uncomment this trust engine
– Location of the Test Federation certificate used by the IdP to validate the Test Federation metadata during download
<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/certificate.federation.belnet.be.pem</security:Certificate>
    </security:Credential>
</security:TrustEngine>
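As an added example (not from the workshop), the Python script below applies the policy of the URLMD filter chain and the metadata trust engine above to a downloaded metadata file before the IdP is pointed at it: the validUntil window of P10D, the requirement that the aggregate be signed, and the SPSSODescriptor role whitelist. The sample metadata, its entityIDs and the WORKSHOP_DATE used as "now" are constructed; only the presence of the signature is checked, since validating it against certificate.federation.belnet.be.pem is the trust engine's job.

```python
"""Added example (not from the workshop): a pre-flight check over a downloaded
federation metadata file that applies the same policy as the relying-party.xml
filter chain, RequiredValidUntil (P10D), requireSignedMetadata and the
SPSSODescriptor EntityRoleWhiteList. Only the presence of the signature is
checked; verifying it against the federation certificate is the trust engine's job."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RETAINED_ROLES = {"SPSSODescriptor"}   # EntityRoleWhiteList on the slide
MAX_VALIDITY = timedelta(days=10)      # maxValidityInterval="P10D"
WORKSHOP_DATE = datetime(2012, 3, 15, 12, 0, 0)  # "now" for the demo run

# Constructed sample: a signed aggregate with one SP, one IdP and one entity
# carrying both roles; validUntil lies 9 days after WORKSHOP_DATE.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2012-03-24T12:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://sptest.ws.belnet.be/shibboleth-sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp1.ws.belnet.be/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://proxy.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def check_metadata(xml_text, now):
    """Return (errors, retained_entity_ids) for one metadata aggregate."""
    root = ET.fromstring(xml_text)
    errors = []
    # RequiredValidUntil: attribute must exist and lie at most P10D ahead of now.
    valid_until = root.get("validUntil")
    if valid_until is None:
        errors.append("validUntil missing")
    else:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        if expiry <= now:
            errors.append("metadata expired")
        elif expiry - now > MAX_VALIDITY:
            errors.append("validUntil exceeds maxValidityInterval")
    # requireSignedMetadata: the aggregate must carry an enveloped signature.
    if root.find("ds:Signature", NS) is None:
        errors.append("metadata is not signed")
    # EntityRoleWhiteList: keep only entities that still have a retained role;
    # an IdP-only entity is dropped because our IdP never talks to it as a peer.
    retained = []
    for entity in root.findall("md:EntityDescriptor", NS):
        roles = {child.tag.rsplit("}", 1)[-1] for child in entity}
        if roles & RETAINED_ROLES:
            retained.append(entity.get("entityID"))
    return errors, retained


if __name__ == "__main__":
    errs, kept = check_metadata(SAMPLE_METADATA, WORKSHOP_DATE)
    print("errors:", errs or "none")
    print("retained entities:", kept)
```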
Shibboleth IdP Configuration
Set the log level to DEBUG
– Replace INFO, ERROR and WARN with DEBUG
vim $IDP_HOME/conf/logging.xml
User Authentication
Define which user authentication mechanism will be used
– Define the username and password mechanism in IDP_HOME/conf/handler.xml
– Uncomment the UsernamePassword login handler and comment out the “RemoteUser” login handler
<!-- Username/password login handler -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
User Authentication
Report the correct authentication method with SSO
– Add reportPreviousSessionAuthnMethod="true"
– Reports the previous session's authentication method whenever SSO is used
<!-- Removal of this login handler will disable SSO support, that is it will require the user to authenticate on every request. -->
<ph:LoginHandler xsi:type="ph:PreviousSession" reportPreviousSessionAuthnMethod="true">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
</ph:LoginHandler>
User Authentication
Define JAAS LDAP authentication
– Configure JAAS in IDP_HOME/conf/login.config
– Edit the LDAP section and remove the comments
– See the Shibboleth wiki
vim $IDP_HOME/conf/login.config
edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldap://ldap.ws.belnet.be:389"
    baseDn="dc=belnet,dc=be"
    bindDn="cn=idp,dc=belnet,dc=be"
    bindCredential="workshop"
    ssl="false"
    userFilter="uid={0}"
    subtreeSearch="true";
Attribute Resolving
Define how the IdP will search for user attributes
– Configure LDAP access in the “Data Connector” section of IDP_HOME/conf/attribute-resolver.xml
<!-- Example LDAP Connector -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldap://ldap.ws.belnet.be"
                        baseDN="dc=belnet,dc=be"
                        principal="cn=idp,dc=belnet,dc=be"
                        searchScope="SUBTREE"
                        principalCredential="workshop">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>
cp /home/student/workshop/attribute-resolver.xml $IDP_HOME/conf/
Basic Attributes Configuration
Mapping of SAML attributes to LDAP attributes
– Configure in the “Attribute Definitions” section of IDP_HOME/conf/attribute-resolver.xml
– Warning! The Belnet R&E Federation requires the eduPerson schema extension
– Platform-specific instructions: https://spaces.internet2.edu/display/macedir/LDIFs
Basic Attribute Filter Policy Configuration
Release all known attributes to all SPs
– Add this content to IDP_HOME/conf/attribute-filter.xml
<AttributeFilterPolicy id="releaseToAll">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="commonName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="organizationalUnit">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonNickname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonOrgDN">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrimaryAffiliation">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="organizationName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="preferredLanguage">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
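To see what the releaseToAll policy above actually hands to a service provider, here is an added Python example (not from the workshop material) that evaluates an attribute-filter.xml offline, much as aacli.sh does on the IdP. It goes beyond the slides by also handling basic:AttributeRequesterString, so the same code can check a tighter per-SP policy; the policy file, the user record, the policy id emailToTestSP and the second SP entityID are constructed for the example.

```python
"""Added example (not from the workshop): evaluate an attribute-filter.xml policy
offline, much as aacli.sh does, to see which attributes a given SP would get. It
supports the basic:ANY rules of the slides' releaseToAll policy and, beyond them,
basic:AttributeRequesterString for a per-SP policy; DenyValueRule is not modelled."""
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy file: the slides' releaseToAll policy (shortened) next to
# a tighter policy that releases e-mail only to the workshop test SP.
SAMPLE_FILTER = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToAll">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="eduPersonPrimaryAffiliation"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="emailToTestSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sptest.ws.belnet.be/shibboleth-sp" />
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed user record, as the LDAP data connector would resolve it.
SAMPLE_USER = {
    "eduPersonPrincipalName": ["student1@ws.belnet.be"],
    "eduPersonPrimaryAffiliation": ["student"],
    "email": ["student1@ws.belnet.be"],
    "uid": ["student1"],
}


def policy_applies(requirement, requester):
    """Evaluate a PolicyRequirementRule for the requesting SP's entityID."""
    kind = requirement.get(XSI_TYPE)
    if kind == "basic:ANY":
        return True
    if kind == "basic:AttributeRequesterString":
        return requirement.get("value") == requester
    raise ValueError(f"unsupported PolicyRequirementRule type {kind}")


def filter_attributes(policy_xml, requester, attributes):
    """Return {attributeID: values} released to `requester`; anything without a
    permitting rule in an applicable policy is withheld (deny by default)."""
    released = {}
    for policy in ET.fromstring(policy_xml).iter(AFP + "AttributeFilterPolicy"):
        requirement = policy.find(AFP + "PolicyRequirementRule")
        if requirement is None or not policy_applies(requirement, requester):
            continue
        for rule in policy.findall(AFP + "AttributeRule"):
            attr_id = rule.get("attributeID")
            permit = rule.find(AFP + "PermitValueRule")
            if attr_id in attributes and permit is not None and permit.get(XSI_TYPE) == "basic:ANY":
                released[attr_id] = list(attributes[attr_id])
    return released


if __name__ == "__main__":
    for sp in ("https://sptest.ws.belnet.be/shibboleth-sp", "https://other.example.org/sp"):
        print(sp, "->", sorted(filter_attributes(SAMPLE_FILTER, sp, SAMPLE_USER)))
```

Note that uid is never released here: with deny-by-default filtering, an attribute the resolver produces but no policy permits stays on the IdP.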
Test IdP Attributes
• Test the resolver
cd $IDP_HOME/bin
./aacli.sh --configDir $IDP_HOME/conf/ --principal 'student#@ws.belnet.be'
• Test the resolver & filter
cd $IDP_HOME/bin
./aacli.sh --configDir $IDP_HOME/conf/ --principal 'student#@ws.belnet.be' --requester 'https://sptest.ws.belnet.be/shibboleth-sp'
Registration of IdP metadata
• Get your IdP metadata:
– https://idp#.ws.belnet.be/profile/Metadata/SAML
• Surf to the Belnet R&E Federation management site:
– https://federation.belnet.be
– Log in with username student & password workshop
– Submit the IdP metadata
– Wait till the admin has accepted & reloaded the metadata
• Restart Tomcat
/etc/init.d/tomcat6 restart
 * Stopping Tomcat servlet engine tomcat6 [ OK ]
 * Starting Tomcat servlet engine tomcat6 [ OK ]