基于Shibbloet实现的SSO单点登录

单点登录可以做到在不记录用户密码的情况下，实现不同系统之间的资源共享，自动登录不安全，单点登录，一处登录，处处都可用，不用做多余的登录操作。它是目前比较流行的企业业务整合的解决方案之一

• 环境描述：

Hyper-V6.3

操作系统：Centos6.5-x64

每台虚机一块公网网卡

IDP Server：192.168.2.230

SP Client：192.168.2.227

软件包：

jdk-6u27-linux-x64.bin

apache-tomcat-6.0.32.tar.gz

ApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628.tar

tomcat6-dta-ssl-1.0.0.jar

shibboleth-identityprovider-2.4.2-bin

apacheds-1.5.7-x86_64.bin

Xmanager-5.0

软件提供打包下载

http://pan.baidu.com/s/1o6MHxUE

本次实施过程参考文章(注：此文章仅参考，请不要完全按照这篇英文文章搭建，有几个错误)：

http://csrdu.org/blog/2011/07/04/shibboleth-idp-sp-installation-configuration/

注意：安装配置过程中会添加修改很多的配置文件，复制黏贴本文内容时请注意格式问题，特别是shibboleth文件，推荐用vim编辑，便于区分各种变量、注释。

• 具体实施

默认禁用掉selinux、iptables 规则清空保存重启。操作系统安装选择Desktop 方便后面LDAP建立用户，以及测试。

IDP Server端

1、       安装jdk

[[email protected] tmp]# mkdir /usr/local/java

[[email protected] tmp]# mv/tmp/jdk-6u27-linux-x64.bin /usr/local/java/

[[email protected] tmp]# cd /usr/local/java/

[[email protected] java]# ll

total 83420

-rw-r--r-- 1 root root 85418489 Apr 2211:45 jdk-6u27-linux-x64.bin

[[email protected] java]# chmod +xjdk-6u27-linux-x64.bin

[[email protected] java]# ./jdk-6u27-linux-x64.bin

编辑 /etc/profile 设置相关的环境变量包括java tomcat idp-home 提前设置好在文件末尾加入以下：

exportJAVA_HOME=/usr/local/java/jdk1.6.0_27

exportJRE_HOME=/usr/local/java/jdk1.6.0_27/jre

exportCLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib

export PATH=$PATH:$JAVA_HOME/bin

export CATALINA_HOME=/usr/local/tomcat6

export CATALINA_BASE=/usr/local/tomcat6

export IDP_HOME=/opt/shibboleth-idp

2、       安装apache-tomcat-6.0.32.tar.gz

[[email protected] tmp]# tar -zxfapache-tomcat-6.0.32.tar.gz -C /usr/local/

[[email protected] tmp]# cd /usr/local/

[[email protected] local]# mv apache-tomcat-6.0.32/tomcat6/

[[email protected] local]# vim/usr/local/tomcat6/bin/catalina.sh

在文件JAVA_OPTS 处加入以下内容注意不要加在注释里面

JAVA_OPTS="-Djava.awt.headless=true-Xmx512M -XX:MaxPermSize=128M -Dcom.sun.security.enableCRLDP=true"

[[email protected] local]# vim/usr/local/tomcat6/conf/server.xml

找到这个webapps几个属性修改成以下值

<Host  appBase="webapps" unpackWARs="true" autoDeploy="false"

xmlValidation="false" xmlNamespaceAware="false">

[[email protected]]# /usr/local/tomcat6/bin/catalina.sh start

3、       安装shibboleth IDP端

[[email protected] local]# cd /tmp/

[[email protected] tmp]# unzipshibboleth-identityprovider-2.4.2-bin.zip

[[email protected] tmp]# cdshibboleth-identityprovider-2.4.2

[[email protected] shibboleth-identityprovider-2.4.2]#chmod +x install.sh

[[email protected] shibboleth-identityprovider-2.4.2]#cp -r endorsed/ /usr/local/tomcat6

[[email protected] shibboleth-identityprovider-2.4.2]#export JAVA_ENDORSED_DIRS=/usr/local/tomcat6/endorsed

[[email protected] shibboleth-identityprovider-2.4.2]#vi ~/.bash_profile

文件末尾加入以下内容

IDP_HOME=/opt/shibboleth-idp

export IDP_HOME

[[email protected] shibboleth-identityprovider-2.4.2]#source /etc/profile

[[email protected] shibboleth-identityprovider-2.4.2]#./install.sh

安装过程会提示安装路径默认即可

主机名输入idp.csrdu.org，密码123456，记住这个主机名和密码，我们后面会用到。

[[email protected]]# ln -s /opt/shibboleth-idp/conf/etc/shibboleth

[[email protected]]# ln -s /opt/shibboleth-idp/logs/var/log/shibboleth

[[email protected]~]# cd /tmp/

[[email protected]]# cp tomcat6-dta-ssl-1.0.0.jar /usr/local/tomcat6/lib/

[[email protected]]# vim /usr/local/tomcat6/conf/server.xml

加入以下内容不要加在注释里

<Connectorport="8443"

protocol="org.apache.coyote.http11.Http11Protocol"

SSLImplementation="edu.internet2.middleware.security.tomcat7.DelegateToApplicationJSSEImplementation"

scheme="https"  SSLEnabled="true"clientAuth="true"

keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"

keystorePass="123456"/>

此处密码即是安装时输入的密码

[[email protected] tmp]# vi/usr/local/tomcat6/conf/Catalina/localhost/idp.xml

创建并新建此路径的idp.xml文件加入以下内容

<ContextdocBase="/opt/shibboleth-idp/war/idp.war"

privileged="true"antiResourceLocking="false"

antiJARLocking="false"unpackWAR="false"

swallowOutput="true"/>

# [[email protected] tmp]# vi  /etc/hosts

127.0.0.1   idp.csrdu.org    idp

[[email protected]]# /usr/local/tomcat6/bin/catalina.sh stop

[[email protected]]# /usr/local/tomcat6/bin/catalina.sh start

[[email protected]]# firefox http://idp.csrdu.org:8080/idp/profile/Status &

http://idp.csrdu.org:8080/idp/profile/Status显示ok页面则为正常，若其他显示包括404则需查看日志。

4、创建证书文件

[[email protected] ~]# mkdir idpcerts/

[[email protected] ~]# keytool -genkey -aliastomcat -keyalg RSA -keystore ~/idpcerts/idpself.keystore

Enter keystore password:

Re-enter new password:

输入密码 123456 记住这个密码其他选项请按照此设置。

[[email protected] ~]# vim/usr/local/tomcat6/conf/server.xml

加入以下内容不要加在注释里

<Connector port="443"protocol="HTTP/1.1" SSLEnabled="true"

maxThreads="150"scheme="https" secure="true" clientAuth="false"

sslProtocol="TLS"

keystoreFile="/root/idpcerts/idpself.keystore"

keystorePass="123456" />

密码为生成证书是输入的密码

[[email protected] ~]#/usr/local/tomcat6/bin/catalina.sh stop

[[email protected] ~]#/usr/local/tomcat6/bin/catalina.sh start

[[email protected] idpcerts]# firefoxhttps://idp.csrdu.org/idp/profile/Status &

显示ok页面则为正常，若其他显示包括404则需查看日志。

[[email protected] idpcerts]# vim/opt/shibboleth-idp/conf/handler.xml

注释掉以下内容

<!-- Login Handlers -->

<!--

<ph:LoginHandler xsi:type="ph:RemoteUser">

<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

</ph:AuthenticationMethod>

</ph:LoginHandler>

-->

对于这部分内容去掉注释

<!--  Username/password login handler -->

<ph:LoginHandler xsi:type="ph:UsernamePassword"

jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">

<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:

PasswordProtectedTransport</ph:AuthenticationMethod>

</ph:LoginHandler>

6、安装ApacheDirectoryStudio 这是ldap链接工具图形化界面

[[email protected] tmp]# tar -zxfApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628.tar.gz

[[email protected] tmp]# cdApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628

[[email protected] tmp]# mvApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628 /opt/apachedir

7、安装Apacheds-1.5.7(注：参考文章这里安装的是1.5.2，这个版本有问题，在最后测试的时候即使输入正确密码也会出现crenditial is not recongised，验证通不过)

[[email protected] tmp]# chmod +x apacheds-1.5.7-x86_64.bin

[[email protected] tmp]# ./apacheds-1.5.7-x86_64.

几个选项默认回车即可

8、建立ldap账户

[[email protected] tmp]# /etc/init.d/apacheds-1.5.2-defaultstart

[[email protected] tmp]# cd /opt/apachedir/

[[email protected] apachedir]#./ApacheDirectoryStudio &

开始打开ldap管理平台建立账户

a

b

c

d

选完直接FINISH即可

e

F

G

H

I

J

K

L

M

9、编辑login_config，shibboleth访问ldap文件

[[email protected] apachedir]# vim/opt/shibboleth-idp/conf/login.config

去掉注释编辑以下内容

ShibUserPassAuth {

edu.vt.middleware.ldap.jaas.LdapLoginModulerequired

host="ldap://localhost:10389"base="ou=users,ou=system"

ssl="false"userField="uid";

};

10、编辑attribute-resolver.xml

[[email protected] apachedir]# vim/opt/shibboleth-idp/conf/attribute-resolver.xml

添加以下内容，注意嵌套的标签，不要复制错位置

<resolver:AttributeDefinitionxsi:type="ad:Simple"xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="commonName"sourceAttributeID="cn">

<resolver:Dependencyref="myLDAP" />

<resolver:AttributeEncoderxsi:type="enc:SAML1String"xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:mace:dir:attribute-def:cn" />

<resolver:AttributeEncoderxsi:type="enc:SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:oid:2.5.4.3" friendlyName="cn" />

</resolver:AttributeDefinition>

<resolver:AttributeDefinitionxsi:type="ad:Simple"xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="surname"sourceAttributeID="sn">

<resolver:Dependencyref="myLDAP" />

<resolver:AttributeEncoderxsi:type="enc:SAML1String"

xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:mace:dir:attribute-def:sn" />

<resolver:AttributeEncoderxsi:type="enc:SAML2String"

xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:oid:2.5.4.4"

friendlyName="sn" />

</resolver:AttributeDefinition>

文件的末尾位置找到以下内容去掉注释并编辑

<resolver:DataConnectorxsi:type="dc:LDAPDirectory" id="myLDAP"

ldapURL="ldap://localhost:10389"

baseDN="ou=users,ou=system" principal="uid=admin,ou=system"

principalCredential="secret">

<dc:FilterTemplate>

<![CDATA[(uid=$requestContext.principalName) ]]>

</dc:FilterTemplate>

</resolver:DataConnector>

11、编辑 attribute-filter.xml 文件

添加以下内容，注意嵌套的标签，不要复制错位置

<afp:AttributeRule attributeID="commonName">

<afp:PermitValueRulexsi:type="basic:ANY" />

</afp:AttributeRule>

<afp:AttributeRuleattributeID="surname">

<afp:PermitValueRulexsi:type="basic:ANY" />

</afp:AttributeRule>

IDP端暂时0k

记得把IDP的hosts文件拷给sp，使用scp命令或者sftp都可以

SP端：

1、编辑Centos-Base.repo添加以下内容：

[security_shibboleth]

name=Shibboleth (CentOS_6)

type=rpm-md

baseurl=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/

gpgcheck=1

gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/repodata/repomd.xml.key

enabled=1

[[email protected] yum.repos.d]# yum installshibboleth mod_ssl openssl -y

[[email protected] yum.repos.d]# vim/etc/httpd/conf/httpd.conf

修改Servername 为sp.csrdu.org UseCanonicalName改为on

[[email protected] yum.repos.d]# service httpdstart

[[email protected] yum.repos.d]#/etc/init.d/shibd start

[[email protected] yum.repos.d]# openssl genrsa-out ca.key 1024

[[email protected] yum.repos.d]# openssl genrsa-out ca.key 1024

[[email protected] yum.repos.d]# openssl req-new -x509 -days 3650 -key ca.key -out ca.crt

[[email protected] yum.repos.d]# cp ca.crt/etc/pki/tls/certs/

[[email protected] yum.repos.d]# cp ca.key/etc/pki/tls/private/

[[email protected] yum.repos.d]# vi/etc/httpd/conf.d/ssl.conf

编辑SSLCertificateFile 和 SSLCertificateKeyFile文件位置为新的文件

IDP需要SP 端sp-metadata.xml作为认证识别文件，同样sp端需要IDP端idp-metadata.xml作为认证识别文件，这里我们用作者提供的sp-metadata.xml传送给IDP端；同时，把IDP端的idp-metadata.xml拷给SP端，这里需要编辑sp-metadata.xml文件，将SP端/etc/shibboleth/下的sp-cert.pem密钥内容替换掉sp-metadata.xml同时还需修改以下几个地方，

IDP端的sp-metadata.xml位置

SP端的idp-metadata.xml位置

编辑IDP端

[[email protected] apachedir]# vim/etc/shibboleth/relying-party.xml

在如下位置添加以下内容

<!-- Load the SP‘s metadata.  -->

<metadata:MetadataProviderxsi:type="FilesystemMetadataProvider"xmlns="urn:mace:shibboleth:2.0:metadata" id="SPMETADATA"metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml" />

编辑SP端

[[email protected] yum.repos.d]# vim/etc/shibboleth/shibboleth2.xml

在如下位置添加修改以下内容，注意不要复制到注释里

<RequestMapper type="Native">

<RequestMapapplicationId="default">

<Hostname="sp.csrdu.org">

<Pathname="secure" authType="shibboleth"requireSession="true"/>

</Host>

</RequestMap>

</RequestMapper>

Vim 看行数用:set nu 尽量不要换行

[[email protected]SPclient yum.repos.d]# vim/etc/shibboleth/attribute-map.xml

在如下位置去掉注释

[[email protected]]# vim /etc/httpd/conf.d/shib.conf

在文件末尾删掉默认的<Location /secure></Location>

添加以下内容

<Location/secure>

AuthTypeshibboleth

ShibRequireSessionOn

requirevalid-user

</Location>

<Location/unsecure>

AuthTypeshibboleth

ShibRequireSessionOff

require shibboleth

</Location>

重启一下相关服务

[[email protected] yum.repos.d]# /etc/init.d/shibd stop

[[email protected]]# service httpd stop

[[email protected]]# service httpd start

[[email protected]]# /etc/init.d/shibd start

• 测试

建立保护目录及保护文件、忽略保护目录及文件

[[email protected]]# mkdir /var/www/html/secure

[[email protected]]#vim /var/www/html/secure/222.html

[[email protected]]# mkdir /var/www/html/unsecure

[[email protected]]#vim /var/www/html/unsecure/111.html

我们在SP端访问保护目录

[[email protected]]# firefox https://sp.csrdu.org/secure &

页面直接跳转到IDP服务器

输入我们建立的zhaoliu 及密码 123456就可以访问了

关掉浏览器再测试忽略保护目录

Ok 我们可以不用输入用户名密码直接访问到。

注：两台服务器时间需要同步，手动改或ntpstat都可以