Installing Shibboleth IdP on Ubuntu 14.04
System environment
Ubuntu 14.04 (assigned IP address 10.0.5.115)
Shibboleth 3.2.1
Tomcat 8
Install the Java environment
sudo apt-get install openjdk-7-jre
sudo apt-get install openjdk-7-jdk
Add JAVA_HOME
vi /etc/environment
JAVA_HOME="/usr/lib/jvm/java-7-openjdk-amd64"
source /etc/environment // reload the file so the new variable takes effect
Download and install Shibboleth
wget http://shibboleth.net/downloads/identity-provider/3.2.1/shibboleth-identity-provider-3.2.1.tar.gz
tar xzvf shibboleth-identity-provider-3.2.1.tar.gz
cd ~/shibboleth-identity-provider-3.2.1/bin
./install.sh
Source (Distribution) Directory: [/tmp/shibboleth-identity-provider-3.2.1] // default (just press Enter)
Installation Directory: [/opt/shibboleth-idp] // default; this directory is ${SIDP_HOME}
Hostname: [localhost.localdomain]
10.0.5.115 // type the IP address directly
SAML EntityID: [https://10.0.5.115/idp/shibboleth] // default
Attribute Scope: [localdomain]
Backchannel PKCS12 Password: // this is ${PKCS12_PASSWORD}, needed again in server.xml
Re-enter password:
Cookie Encryption Key Password: // cookie encryption password
Re-enter password:
Warning: /opt/shibboleth-idp/bin does not exist.
Warning: /opt/shibboleth-idp/dist does not exist.
Warning: /opt/shibboleth-idp/doc does not exist.
Warning: /opt/shibboleth-idp/system does not exist.
Warning: /opt/shibboleth-idp/webapp does not exist.
Generating Signing Key,CN = sidp URI = https://10.0.5.115/idp/shibboleth ...
...done
Creating Encryption Key,CN = sidp URI = https://10.0.5.115/idp/shibboleth ...
...done
Creating Backchannel keystore,CN = sidp URI = https://10.0.5.115/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /opt/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 36 seconds
Download and install Tomcat
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.16/bin/apache-tomcat-8.5.16.zip
unzip apache-tomcat-8.5.16.zip // the extracted folder is ${TOMCAT_HOME}
Edit ${TOMCAT_HOME}/conf/server.xml and add the backchannel Connector:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want"
           keystoreFile="/opt/shibboleth-idp/credentials/idp-backchannel.p12"
           keystorePass="${PKCS12_PASSWORD}"
           keystoreType="PKCS12"
           trustManagerClassName="net.shibboleth.utilities.ssl.TrustAnyCertificate" />
Replace ${PKCS12_PASSWORD} with the backchannel PKCS12 password you entered during installation.
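The Connector above accepts any client certificate at the container level (clientAuth="want" together with TrustAnyCertificate) and leaves trust decisions to the IdP, which evaluates SP certificates against metadata; that makes the PKCS12 keystore and the server.xml that carries its password the sensitive files on this host. The script below is an added example (not part of the Shibboleth or Tomcat distributions) that checks, before Tomcat is started, that the installer's output files exist under /opt/shibboleth-idp, that the keystore and server.xml are not world-readable, that the ${PKCS12_PASSWORD} placeholder was actually replaced, and that the keystore opens with the password. The file names under credentials/ are the standard IdP 3.x names; the script name and the PKCS12_PASSWORD environment variable are assumptions.

```shell
#!/bin/sh
# check_backchannel.sh (hypothetical name; added example, not part of the
# Shibboleth or Tomcat distributions). Run before ./startup.sh:
#   PKCS12_PASSWORD=... sh check_backchannel.sh /opt/shibboleth-idp "$TOMCAT_HOME"

# Artefacts that install.sh reports creating (IdP 3.x file names under
# credentials/, metadata/ and war/).
IDP_ARTEFACTS="credentials/idp-signing.key credentials/idp-signing.crt
credentials/idp-encryption.key credentials/idp-encryption.crt
credentials/idp-backchannel.p12 credentials/idp-backchannel.crt
credentials/sealer.jks credentials/sealer.kver
metadata/idp-metadata.xml war/idp.war"

# 0 when every artefact exists under the IdP home given as $1.
idp_artefacts_present() {
    for f in $IDP_ARTEFACTS; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
    done
    return 0
}

# 0 when "other" has no read bit (column 8 of ls -l). server.xml carries the
# keystore password and the .p12 carries a private key, so neither should be
# world-readable; only the user Tomcat runs as needs them.
not_world_readable() {
    [ -e "$1" ] && [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# 0 when the literal ${PKCS12_PASSWORD} placeholder from the Connector line
# is no longer present in the given server.xml.
placeholder_replaced() {
    ! grep -q 'keystorePass="\${PKCS12_PASSWORD}"' "$1"
}

# 0 when the PKCS12 keystore ($1) opens with password $2 (needs openssl;
# OpenSSL 3 may need -legacy for keystores written by older JDKs).
keystore_opens() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

main() {
    idp_home="${1:-/opt/shibboleth-idp}"
    tomcat_home="${2:?usage: $0 IDP_HOME TOMCAT_HOME}"
    status=0
    idp_artefacts_present "$idp_home" || status=1
    for f in "$idp_home/credentials/idp-backchannel.p12" "$tomcat_home/conf/server.xml"; do
        not_world_readable "$f" || { echo "warning: $f is world-readable" >&2; status=1; }
    done
    placeholder_replaced "$tomcat_home/conf/server.xml" \
        || { echo 'warning: keystorePass still reads ${PKCS12_PASSWORD}' >&2; status=1; }
    if [ -n "$PKCS12_PASSWORD" ]; then
        keystore_opens "$idp_home/credentials/idp-backchannel.p12" "$PKCS12_PASSWORD" \
            && echo "backchannel keystore opens with PKCS12_PASSWORD" \
            || { echo "keystore does not open with PKCS12_PASSWORD" >&2; status=1; }
    fi
    return $status
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Leaving keystorePass="${PKCS12_PASSWORD}" in server.xml is only legitimate if the value is defined as a system property (for example in conf/catalina.properties, which Tomcat loads into system properties and substitutes into server.xml); in that case catalina.properties needs the same file-permission protection as server.xml.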
cd ${TOMCAT_HOME}/bin
sudo chmod a+x startup.sh
sudo chmod a+x catalina.sh
sudo chmod a+x shutdown.sh
Start Tomcat
./startup.sh
Starting Tomcat creates the directory ${TOMCAT_HOME}/conf/Catalina/localhost/. Create a file named idp.xml in it with the following content:
<Context docBase="/opt/shibboleth-idp/war/idp.war" privileged="true" antiResourceLocking="false" swallowOutput="true" />
- Add the JSTL dependency
If ${TOMCAT_HOME}/lib does not contain jstl-1.2.jar, download it and copy it into ${TOMCAT_HOME}/lib:
wget http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar
- Add the IdP SSL (trustany) dependency
Download trustany-ssl-1.0.0.jar and copy it into ${TOMCAT_HOME}/lib.
Verify Tomcat
Stop Tomcat
./shutdown.sh
Start Tomcat
./startup.sh
Open a browser and visit http://10.0.5.115:8080/idp/status (Tomcat on its default port). Output like the following means the IdP is running:
### Operating Environment Information
operating_system: Linux
operating_system_version: 3.13.0-116-generic
operating_system_architecture: amd64
jdk_version: 1.7.0_131
available_cores: 1
used_memory: 142 MB
maximum_memory: 237 MB
...
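Checking the status page by eye works once; for repeated checks after a restart or from monitoring, the script below is an added example (not part of the IdP) that fetches /idp/status, confirms the response is the real status page rather than an error page, checks the JDK version prefix, and computes heap use from the used_memory and maximum_memory fields shown above. Note that the IdP restricts /idp/status to the client ranges configured in conf/access-control.xml (loopback only by default), so run it on the IdP host or from an allowed address. The script name, the 90% heap threshold and the constructed sample status text are assumptions; the sample reproduces the fields on this page.

```shell
#!/bin/sh
# idp_status_check.sh (hypothetical name; added example, not part of the IdP).
# Usage: sh idp_status_check.sh HOST [JDK_PREFIX] [MAX_HEAP_PCT]
#        sh idp_status_check.sh --sample        (runs against the embedded sample)

fetch_status() {
    curl -fsS "http://${1:-127.0.0.1}:8080/idp/status"
}

# Print the value of one "key: value" line from status text on stdin.
status_field() {
    sed -n "s/^$1: *//p" | head -n 1
}

# Strip the " MB" unit the status page appends to memory figures.
mb_value() {
    printf '%s\n' "$1" | sed 's/ *MB$//'
}

# Integer percentage of the maximum heap currently in use, from saved status text $1.
heap_used_pct() {
    used=$(mb_value "$(status_field used_memory < "$1")")
    max=$(mb_value "$(status_field maximum_memory < "$1")")
    [ "${max:-0}" -gt 0 ] || return 1
    echo $(( used * 100 / max ))
}

# 0 when saved status text $1 is a real status page, jdk_version starts with
# $2 (e.g. 1.7) and heap use is at most $3 percent (default 90).
status_healthy() {
    grep -q '^### Operating Environment Information' "$1" \
        || { echo "not a status page (access denied or wrong URL?)" >&2; return 1; }
    jdk=$(status_field jdk_version < "$1")
    case "$jdk" in
        "$2"*) ;;
        *) echo "unexpected jdk_version: $jdk" >&2; return 1 ;;
    esac
    pct=$(heap_used_pct "$1") || return 1
    [ "$pct" -le "${3:-90}" ] || { echo "heap ${pct}% used" >&2; return 1; }
}

# Constructed sample: the fields shown on the page, one per line.
SAMPLE_STATUS='### Operating Environment Information
operating_system: Linux
operating_system_version: 3.13.0-116-generic
operating_system_architecture: amd64
jdk_version: 1.7.0_131
available_cores: 1
used_memory: 142 MB
maximum_memory: 237 MB'

main() {
    tmp=$(mktemp)
    if [ "$1" = "--sample" ]; then
        printf '%s\n' "$SAMPLE_STATUS" > "$tmp"
    else
        fetch_status "$1" > "$tmp" || { rm -f "$tmp"; exit 1; }
    fi
    status_healthy "$tmp" "${2:-1.7}" "${3:-90}" \
        && echo "idp status OK (heap $(heap_used_pct "$tmp")% used)"
    rc=$?
    rm -f "$tmp"
    exit $rc
}

if [ $# -gt 0 ]; then main "$@"; fi
```

On the sample above the heap figure comes out at 59% (142 of 237 MB); a JDK prefix of 1.8 or a threshold below that makes the check fail, as does any response that lacks the "### Operating Environment Information" header, which is what an access-denied page from access-control.xml looks like to this script.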
Test the IdP with https://www.testshib.org (which provides a test SP)
- Add a metadata provider for the TestShib SP metadata to the IdP's conf/metadata-providers.xml:
<MetadataProvider id="HTTPMetadataTESTSHIB" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/testshib-providers.xml" metadataURL="http://www.testshib.org/metadata/testshib-providers.xml"/>
- Rename /opt/shibboleth-idp/metadata/idp-metadata.xml to a unique file name and upload it on the http://www.testshib.org/register.html page
- Restart Tomcat
- Visit https://sp.testshib.org/ and enter the IdP's entityID, e.g. https://10.0.5.115/idp/shibboleth
- If the browser is redirected to https://10.0.5.115/idp/profile/SAML2/Redirect/SSO?execution=e1s1, the IdP environment is working
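Two things have to line up for the final redirect to work: the entityID inside the uploaded idp-metadata.xml must be the one typed at the SP (the installer derives it from the hostname, https://HOST/idp/shibboleth), and the IdP must have fetched the TestShib metadata so it recognises the SP. The script below is an added example (not part of the IdP) that extracts the entityID and the HTTP-Redirect SSO endpoint from the IdP's own metadata, compares the entityID with the expected value for the host, and checks that the FileBackedHTTPMetadataProvider has written its backing file (optionally containing a given SP entityID). The script name, the argument layout and the sample XML used in the usage notes are assumptions.

```shell
#!/bin/sh
# idp_metadata_check.sh (hypothetical name; added example, not part of the IdP).
# Usage: sh idp_metadata_check.sh 10.0.5.115 [/opt/shibboleth-idp] [SP_ENTITY_ID]

# The entityID the installer derives from the hostname (see the install transcript).
expected_entity_id() {
    printf 'https://%s/idp/shibboleth\n' "$1"
}

# First entityID attribute in a SAML metadata file.
entity_id_of() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 when metadata file $1 contains an EntityDescriptor for entityID $2.
metadata_contains_entity() {
    grep -qF "entityID=\"$2\"" "$1"
}

# 0 when the IdP metadata advertises the SAML2 HTTP-Redirect SSO endpoint,
# the one the TestShib SP sends the browser to (/idp/profile/SAML2/Redirect/SSO).
redirect_sso_advertised() {
    grep -q 'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"' "$1" \
        && grep -q 'Location="https://[^"]*/idp/profile/SAML2/Redirect/SSO"' "$1"
}

main() {
    host="${1:?usage: $0 HOST [IDP_HOME] [SP_ENTITY_ID]}"
    idp_home="${2:-/opt/shibboleth-idp}"
    own="$idp_home/metadata/idp-metadata.xml"
    backing="$idp_home/metadata/testshib-providers.xml"
    want=$(expected_entity_id "$host")
    got=$(entity_id_of "$own")
    [ "$got" = "$want" ] \
        || { echo "entityID mismatch: $own says '$got', expected '$want'" >&2; exit 1; }
    redirect_sso_advertised "$own" \
        || { echo "no HTTP-Redirect SSO endpoint in $own" >&2; exit 1; }
    # The provider writes the backing file after its first successful fetch;
    # a missing or empty file means the IdP never retrieved the TestShib metadata.
    [ -s "$backing" ] \
        || { echo "$backing missing or empty" >&2; exit 1; }
    if [ -n "$3" ]; then
        metadata_contains_entity "$backing" "$3" \
            || { echo "SP $3 not found in $backing" >&2; exit 1; }
    fi
    echo "entityID $got matches and TestShib metadata is present"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

If the entityID check fails, the value shown by the script is what must be typed at https://sp.testshib.org/ (or the metadata must be regenerated for the intended host); if the backing file is missing, the provider block in conf/metadata-providers.xml or outbound HTTP from the IdP host is the place to look.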