
Implementing a centralized SSO authentication system with an identity provider

by Narcisse Kapdjou and Eric Marc Modo Nga
Université de Dschang / IUT-FV de Bandjoun - Licence de technologie (bachelor's degree) in RT engineering, 2012
  


Appendices

Appendix 1: Installing mysql-server

# apt-get install mysql-server
# /usr/bin/mysqladmin -u root password '0123456789'

The password above is a placeholder. A password passed on the command line is recorded in the shell history and is visible to every local user in the process list while the command runs; running mysql_secure_installation instead (it prompts for the root password and also removes the anonymous accounts and the test database) avoids both problems.

Create the database « shibboleth » and the table « shibpid ». The table is the persistent NameID store that the IdP's StoredId data connector (Appendix 4) reads and writes: one row per (IdP, SP, user) triple.

# mysql -u root -p

mysql> SET NAMES 'utf8';
SET CHARACTER SET utf8;
CHARSET utf8;
CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
USE shibboleth;

-- Persistent NameID store. A revoked identifier keeps its row with
-- deactivationDate set, so the history of identifiers issued to a user is kept.
CREATE TABLE IF NOT EXISTS shibpid (
  localEntity TEXT NOT NULL,                  -- IdP entityID
  peerEntity TEXT NOT NULL,                   -- SP entityID the identifier is scoped to
  principalName VARCHAR(255) NOT NULL DEFAULT '',
  localId VARCHAR(255) NOT NULL,              -- value of the source attribute for the user
  persistentId VARCHAR(36) NOT NULL,          -- 36 characters: wide enough for a UUID
  peerProvidedId VARCHAR(255) DEFAULT NULL,
  -- ON UPDATE means creationDate is overwritten whenever the row is updated
  -- (e.g. when deactivationDate is set); drop it if you need the true creation time.
  creationDate timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  deactivationDate TIMESTAMP NULL DEFAULT NULL,
  KEY persistentId (persistentId),
  KEY persistentId_2 (persistentId, deactivationDate),
  KEY localEntity (localEntity(16), peerEntity(16), localId),
  KEY localEntity_2 (localEntity(16), peerEntity(16), localId, deactivationDate)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
-- MyISAM is what the Shibboleth documentation of the time used; it is neither
-- transactional nor crash-safe. ENGINE=InnoDB is the safer choice for a table
-- whose rows must not be lost.

Create a « shibboleth » user with password « demo » and restrict its permissions to the shibboleth database.

-- The original script inserted a row into mysql.user with Select_priv, Insert_priv,
-- Update_priv, Delete_priv, Create_tmp_table_priv, Lock_tables_priv and Execute_priv
-- set to 'Y'. Those columns are *global* privileges, so that row gave the account
-- those rights on every database, which is the opposite of the stated intent; it also
-- bypasses the checks GRANT performs and breaks on MySQL versions whose user table
-- has a different layout. Creating the account and granting on shibboleth.* only
-- gives exactly what the IdP connector needs.
CREATE USER 'shibboleth'@'localhost' IDENTIFIED BY 'demo';
GRANT SELECT, INSERT, UPDATE, DELETE ON shibboleth.* TO 'shibboleth'@'localhost';
FLUSH PRIVILEGES;
-- Check the result: the output must show nothing beyond USAGE on *.* and the
-- database-scoped grant above.
SHOW GRANTS FOR 'shibboleth'@'localhost';
QUIT

« demo » is a placeholder password; it is stored in cleartext in attribute-resolver.xml (Appendix 4), so choose a random one and restrict read access to that file.

Appendix 2: Apache configuration file

...

ServerName pcserver.iut-fv.cm

# Front-channel virtual host (browsers): TLS with the CA-issued server certificate,
# /idp proxied to the Tomcat AJP connector.
<VirtualHost _default_:443>
    ServerName pcserver.iut-fv.cm:443
    ServerAdmin admin@iut-fv.cm
    DocumentRoot /var/www

    SSLEngine On
    # Debian defaults of the time, kept as the thesis used them. Note that
    # "all -SSLv2" still permits SSLv3 and TLS 1.0, and MEDIUM admits RC4 and
    # 3DES suites. On a current server use at least:
    #   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    #   SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/ssl/certs/pcserver.iut-fv.crt
    # The private key must be readable by root only.
    SSLCertificateKeyFile /etc/ssl/private/pcserver.iut-fv.key
    SSLCertificateChainFile /etc/ssl/certs/qvsslica.crt.pem

    # Apache 2.2 access-control syntax; on 2.4 this becomes "Require all granted".
    # AJP has no authentication of its own: make sure Tomcat binds the 8009
    # connector to 127.0.0.1 only.
    <Proxy ajp://localhost:8009>
        Allow from all
    </Proxy>
    ProxyPass /idp ajp://localhost:8009/idp retry=5

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

# Back-channel virtual host (SP-to-IdP SOAP calls such as artifact resolution):
# uses the IdP's own credential and accepts client certificates without CA
# validation ("optional_no_ca"), because the IdP itself checks the SP's certificate
# against the key published in that SP's metadata. This port is for SAML
# back-channel traffic only; browsers should never be sent to it.
<VirtualHost _default_:8443>
    ServerName pcserver.iut-fv.cm:8443
    ServerAdmin admin@iut-fv.cm
    DocumentRoot /var/www

    SSLEngine On
    SSLCipherSuite HIGH:MEDIUM:!ADH
    SSLProtocol all -SSLv2
    SSLCertificateFile /opt/shibboleth-idp/credentials/idp.crt
    SSLCertificateKeyFile /opt/shibboleth-idp/credentials/idp.key
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10

    <Proxy ajp://localhost:8009>
        Allow from all
    </Proxy>
    ProxyPass /idp ajp://localhost:8009/idp retry=5

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

Appendix 3: configuration file /opt/shibboleth-idp/metadata/metadata.aaitest.xml (the excerpt reproduced below is the relying-party configuration block, rp: namespace, rather than SAML metadata)

<!--
...
-->

<!-- ========================================== -->
<!-- Relying Party Configurations -->
<!-- ========================================== -->

<!-- SPs that are not found in the metadata: responses are still signed with the IdP key. -->
<rp:AnonymousRelyingParty provider="https://pcserver.iut-fv.cm/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential" />

<!-- Defaults for every SP: sign with IdPCredential and assert the
     PasswordProtectedTransport authentication context, which is only truthful
     because the login form is served over HTTPS (port 443 in Appendix 2). -->
<rp:DefaultRelyingParty provider="https://pcserver.iut-fv.cm/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <!-- ... -->
    <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</rp:DefaultRelyingParty>

<!-- See https://www.switch.ch/aai/SAML1/Attribute-Push for more information -->
<rp:RelyingParty id="https://www.switch.ch/aai/SAML1/Attribute-Push"
    provider="https://pcserver.iut-fv.cm/idp/shibboleth"
---

Appendix 4: file /opt/shibboleth-idp/conf/attribute-resolver.xml

---

<!-- Example LDAP Connector -->
<!-- Caveats: ldap:// carries the bind password and every lookup in cleartext
     (use ldaps:// or StartTLS); binding as cn=admin gives the IdP write access to
     the whole directory where a dedicated read-only bind account is enough; and
     since the credential sits in this file in cleartext, the file must be readable
     by the Tomcat user only. -->
<resolver:DataConnector id="myLDAP"
    xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://ldap.iut-fv.cm"
    baseDN="ou=people,dc=iut-fv,dc=cm"
    principal="cn=admin,dc=iut-fv,dc=cm"
    principalCredential="secret-password">
    <dc:FilterTemplate>
        <![CDATA[
----
    sourceAttributeID="swissEduPersonUniqueID"
    salt="your random string here">
    <!-- Replace the placeholder salt with a long random secret (16 bytes or more)
         before the first persistent ID is issued, then keep it constant and
         confidential: it enters the computation of the identifiers, so whoever
         knows it can recompute a user's ID for any SP, and changing it would give
         users new identifiers at SPs for which none has been stored yet. -->
    <resolver:Dependency ref="swissEduPersonUniqueID" />
    <dc:ApplicationManagedConnection
        jdbcDriver="com.mysql.jdbc.Driver"
        jdbcURL="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
        jdbcUserName="shibboleth"
        jdbcPassword="demo" />   <!-- same cleartext-credential caveat as for the LDAP bind -->
----
<resolver:PrincipalConnector xsi:type="pc:StoredId" id="saml2Persistent"
    nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    storedIdDataConnectorRef="myStoredId" />
</resolver:AttributeResolver>
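The shibpid table of Appendix 1 and the StoredId connector with its salt above are two halves of one mechanism: a persistent NameID that is stable for a given user at a given SP, different at every other SP, and replaceable if it has to be revoked. The following is an added example, written for this page and not code from the thesis or from the Shibboleth project, that models that mechanism end to end with SQLite standing in for MySQL. The hash layout (SHA-1 over peerEntityID, "!", localId, "!", salt, then Base64) is an assumption modelled on the IdP 2 ComputedId connector, and the SP entityIDs and the user value are constructed; only the IdP entityID and the column names come from the appendices.

```python
import base64
import hashlib
import secrets
import sqlite3
import uuid

# IdP entityID from the relying-party configuration in Appendix 3.
IDP_ENTITY_ID = "https://pcserver.iut-fv.cm/idp/shibboleth"


def new_salt(nbytes: int = 32) -> bytes:
    """What salt="your random string here" should become: random, long, generated
    once, then kept constant and secret for the lifetime of the IdP."""
    return secrets.token_bytes(nbytes)


def computed_id(peer_entity_id: str, local_id: str, salt: bytes) -> str:
    """SP-scoped identifier: Base64(SHA-1(peerEntityID ! localId ! salt)).
    Assumed layout, modelled on the IdP 2 ComputedId connector. Because the SP's
    entityID is hashed in, two SPs cannot correlate a user by comparing IDs, and
    without the salt nobody can recompute an ID from a known localId."""
    h = hashlib.sha1()
    for part in (peer_entity_id.encode(), b"!", local_id.encode(), b"!", salt):
        h.update(part)
    return base64.b64encode(h.digest()).decode("ascii")


# SQLite rendering of the shibpid table from Appendix 1 (MySQL types simplified).
SHIBPID_DDL = """
CREATE TABLE IF NOT EXISTS shibpid (
    localEntity      TEXT NOT NULL,
    peerEntity       TEXT NOT NULL,
    principalName    TEXT NOT NULL DEFAULT '',
    localId          TEXT NOT NULL,
    persistentId     TEXT NOT NULL,
    peerProvidedId   TEXT DEFAULT NULL,
    creationDate     TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    deactivationDate TIMESTAMP NULL DEFAULT NULL
);
CREATE INDEX IF NOT EXISTS persistentId_2 ON shibpid (persistentId, deactivationDate);
CREATE INDEX IF NOT EXISTS localEntity_2
    ON shibpid (localEntity, peerEntity, localId, deactivationDate);
"""


class StoredIdStore:
    """Model of the StoredId connector: return the active ID for (IdP, SP, user),
    create one on first use, and after a revocation hand out a random UUID
    instead (which is why persistentId is VARCHAR(36))."""

    def __init__(self, conn: sqlite3.Connection, salt: bytes,
                 local_entity: str = IDP_ENTITY_ID) -> None:
        self.conn, self.salt, self.local_entity = conn, salt, local_entity
        conn.executescript(SHIBPID_DDL)

    def _rows(self, peer_entity: str, local_id: str, active_only: bool) -> list:
        sql = ("SELECT persistentId FROM shibpid WHERE localEntity=? AND peerEntity=? "
               "AND localId=?" + (" AND deactivationDate IS NULL" if active_only else ""))
        return self.conn.execute(sql, (self.local_entity, peer_entity, local_id)).fetchall()

    def get_or_create(self, peer_entity: str, local_id: str, principal: str = "") -> str:
        active = self._rows(peer_entity, local_id, active_only=True)
        if active:
            return active[0][0]
        # First ID for this pair is the computed one; a replacement after a
        # revocation is random so it cannot be re-derived from the old inputs.
        if self._rows(peer_entity, local_id, active_only=False):
            pid = str(uuid.uuid4())
        else:
            pid = computed_id(peer_entity, local_id, self.salt)
        self.conn.execute(
            "INSERT INTO shibpid (localEntity, peerEntity, principalName, localId, persistentId)"
            " VALUES (?, ?, ?, ?, ?)", (self.local_entity, peer_entity, principal, local_id, pid))
        self.conn.commit()
        return pid

    def deactivate(self, persistent_id: str) -> int:
        """Revoke an identifier; the row is kept (audit trail) and the next login
        at that SP receives a fresh one. Returns the number of rows revoked."""
        cur = self.conn.execute(
            "UPDATE shibpid SET deactivationDate=CURRENT_TIMESTAMP "
            "WHERE persistentId=? AND deactivationDate IS NULL", (persistent_id,))
        self.conn.commit()
        return cur.rowcount


def demo() -> dict:
    """Constructed walk-through: in-memory database, made-up SP entityIDs and user."""
    store = StoredIdStore(sqlite3.connect(":memory:"), new_salt())
    sp_a, sp_b = "https://sp-a.example.org/shibboleth", "https://sp-b.example.org/shibboleth"
    user = "12345@iut-fv.cm"          # constructed swissEduPersonUniqueID-style value
    first = store.get_or_create(sp_a, user, "user1")
    again = store.get_or_create(sp_a, user, "user1")        # stable across logins
    other_sp = store.get_or_create(sp_b, user, "user1")     # different at another SP
    revoked = store.deactivate(first)
    replacement = store.get_or_create(sp_a, user, "user1")  # new UUID after revocation
    return {"first": first, "again": again, "other_sp": other_sp,
            "revoked": revoked, "replacement": replacement}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12s} {value}")
```

Running the script shows the three properties the schema and salt exist for: `first` and `again` are the same 28-character value, `other_sp` differs although it is the same user, and `replacement` is a 36-character UUID that shares nothing with the revoked identifier. Revocation is the operation to practise before go-live, because it is the only way to cut the link between a compromised SP account and the IdP's user without touching the directory.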
