Setting up a new Shibboleth IdP to work with an existing SAML SP


Problem description

Hopefully this isn't a duplicate or too broad. I just have a feeling I need a bit more information than anything else I've been able to find.

I have a program/server that already has a functioning SAML SP built in to it. I'm trying to get it connected to a test Shibboleth IdP (V3.3.3) on an internal server running Windows Server. I have it installed and connected to our Active Directory users. The documentation was great for getting to that point.

Now I have no earthly clue how to proceed. I see a lot of information about exchanging configuration/XML info and certificates between SPs and IdPs. I believe I have a valid SP XML and certificate to give to the IdP, but I don't know:

  1. Where to put the SP XML info in the IdP installation
  2. Where to put the SP certificate in the IdP installation (or set/configure the path to the certificate)
  3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)
  4. Where the IdP login path is
  5. Whether I need to configure anything else to get the two talking

1 through 4 are probably my biggest confusions that I can't seem to find info on. The Shibboleth documentation seems to assume I am far more familiar with configuring an IdP than I am. It tells me where to configure literally anything/everything possible, but I don't know what I should be configuring.

Anyhow, thanks for any help on this. I've been wasting a pitiful amount of time trying to figure this out.

Answer

To answer your five (5) questions, without loss of generality, we assume that

(I) the metadata file of the SAML IdP is idpsaml-metadata.xml

(II) the metadata file of the SAML SP is sp-example-org.xml

Q&A

  1. Where to put the SP XML info in the IdP installation

Answer: /opt/shibboleth-idp/metadata/sp-example-org.xml

  2. Where to put the SP certificate in the IdP installation (or set/configure the path to the certificate)

Answer: The metadata file of the SAML SP contains the SP certificate. The SAML IdP will extract the SP certificate from the SAML SP's metadata (e.g., sp-example-org.xml).

  3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)

Answer: The metadata file of the SAML IdP contains all the IdP certificates (which have been generated by the default setup of the SAML IdP).

You need to place the metadata file of the SAML IdP (e.g., idpsaml-metadata.xml) into the SAML SP's home directory, e.g., /etc/shibboleth/idpsaml-metadata.xml

  4. Where the IdP login path is

Answer: Usually the SAML SP uses the HTTP-POST endpoint as the SAML IdP login path, e.g.,

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://IdP-Server-URL/idp/profile/SAML2/POST/SSO"/>

You also need to configure the Shibboleth IdP with LDAP user authentication:

/opt/shibboleth-idp/conf/idp.properties

/opt/shibboleth-idp/conf/ldap.properties

/opt/shibboleth-idp/conf/attribute-filter.xml

/opt/shibboleth-idp/conf/attribute-resolver-full.xml

  5. Whether I need to configure anything else to get the two talking

Answer: To allow the SAML IdP to provide identity authentication for the SAML SP, the SAML IdP and the SAML SP need to exchange their metadata. Then you need to configure the SAML IdP with the SAML SP.

SAML IdP

/opt/shibboleth-idp/conf/metadata-providers.xml

/opt/shibboleth-idp/conf/relying-party.xml

SAML SP

/etc/shibboleth/shibboleth2.xml

/etc/shibboleth/attribute-map.xml

Remarks:

How to build and run Shibboleth SAML IdP and SP using Docker container (a GitHub repository) provides sample configuration files for the Shibboleth IdP and SP.
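Before the SP metadata from item 1 is dropped into /opt/shibboleth-idp/metadata/ and trusted by the IdP, it is worth verifying what it actually contains: the entityID you expect, the certificate the IdP will use (item 2) pinned by its SHA-256 fingerprint so you can confirm it out of band with the SP owner, and AssertionConsumerService endpoints that are all HTTPS. The same parsing also answers item 4 from the IdP side, by picking the SingleSignOnService location for the HTTP-POST binding out of the IdP metadata. The following is an added example written for this page, not code from the answer above or from the Shibboleth project; the hostnames sp.example.org and idp.example.org, both metadata documents, and the certificate contents are constructed (the "certificate" is just base64 of the bytes b"placeholder", so the script runs offline with only the Python standard library):

```python
"""Pre-flight checks on SAML metadata exchanged between a Shibboleth IdP
and an SP, stdlib only. Hypothetical helper code, not part of either product."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata of the kind that would be saved as
# /opt/shibboleth-idp/metadata/sp-example-org.xml. The X509Certificate text
# is base64 of b"placeholder", NOT a real certificate; the second ACS
# endpoint is deliberately plain http so the checker has something to flag.
SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        cGxhY2Vob2xkZXI=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".strip()

# Constructed IdP metadata (the file the answer calls idpsaml-metadata.xml),
# reduced to the SingleSignOnService endpoints the SP has to choose from.
IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER bytes, the value to confirm out of band."""
    return hashlib.sha256(der).hexdigest()


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, key descriptors (with fingerprints) and ACS endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))  # PEM body, no headers
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        certs.append({"use": kd.get("use", "signing+encryption"),
                      "sha256": sha256_fingerprint(der)})
    acs = [{"binding": e.get("Binding"), "location": e.get("Location"),
            "index": int(e.get("index", "0"))}
           for e in sp.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"),
            "requests_signed": sp.get("AuthnRequestsSigned") == "true",
            "certs": certs, "acs": acs}


def check_sp_metadata(info: dict, expected_entity_id: str) -> list:
    """Return the problems that should block loading this SP into the IdP."""
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID {info['entity_id']!r} != expected {expected_entity_id!r}")
    if not info["certs"]:
        problems.append("no KeyDescriptor: IdP cannot encrypt assertions or verify signed requests")
    if info["requests_signed"] and not any(
            c["use"] in ("signing", "signing+encryption") for c in info["certs"]):
        problems.append("AuthnRequestsSigned=true but no signing certificate")
    for a in info["acs"]:
        if not a["location"].startswith("https://"):
            problems.append(f"ACS index {a['index']} is not https: {a['location']}")
    return problems


def sso_endpoint(idp_xml: str, binding: str = HTTP_POST) -> str:
    """Location of the IdP's SingleSignOnService for the given binding."""
    root = ET.fromstring(idp_xml)
    for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if e.get("Binding") == binding:
            return e.get("Location")
    raise LookupError(f"IdP metadata has no SingleSignOnService for {binding}")


if __name__ == "__main__":
    sp_info = parse_sp_metadata(SP_METADATA)
    for c in sp_info["certs"]:
        print(f"SP cert ({c['use']}) sha256={c['sha256']}")
    for p in check_sp_metadata(sp_info, "https://sp.example.org/shibboleth"):
        print("PROBLEM:", p)
    print("IdP login path (HTTP-POST):", sso_endpoint(IDP_METADATA))
```

Run against real files, the fingerprint printed for the SP certificate is what you compare with the SP operator before the entity is added to metadata-providers.xml; the plain-http ACS in the constructed sample is the kind of endpoint an IdP would otherwise happily post an assertion to. Note that the metadata itself is transport-trusted here: the IdP is as secure as the channel the file arrived over, which is why the fingerprint confirmation matters.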
