单点登录可以做到在不记录用户密码的情况下,实现不同系统之间的资源共享,自动登录不安全,单点登录,一处登录,处处都可用,不用做多余的登录操作。它是目前比较流行的企业业务整合的解决方案之一
- 环境描述:
Hyper-V6.3
操作系统:Centos6.5-x64
每台虚机一块公网网卡
IDP Server:192.168.2.230
SP Client:192.168.2.227
软件包:
jdk-6u27-linux-x64.bin
apache-tomcat-6.0.32.tar.gz
ApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628.tar
tomcat6-dta-ssl-1.0.0.jar
shibboleth-identityprovider-2.4.2-bin
apacheds-1.5.7-x86_64.bin
Xmanager-5.0
软件提供打包下载
http://pan.baidu.com/s/1o6MHxUE
本次实施过程参考文章(注:此文章仅参考,请不要完全按照这篇英文文章搭建,有几个错误):
http://csrdu.org/blog/2011/07/04/shibboleth-idp-sp-installation-configuration/
注意:安装配置过程中会添加修改很多的配置文件,复制黏贴本文内容时请注意格式问题,特别是shibboleth文件,推荐用vim编辑,便于区分各种变量、注释。
- 具体实施
默认禁用掉selinux、iptables 规则清空保存重启。操作系统安装选择Desktop 方便后面LDAP建立用户,以及测试。
IDP Server端
1、 安装jdk
[[email protected] tmp]# mkdir /usr/local/java
[[email protected] tmp]# mv/tmp/jdk-6u27-linux-x64.bin /usr/local/java/
[[email protected] tmp]# cd /usr/local/java/
[[email protected] java]# ll
total 83420
-rw-r--r-- 1 root root 85418489 Apr 2211:45 jdk-6u27-linux-x64.bin
[[email protected] java]# chmod +xjdk-6u27-linux-x64.bin
[[email protected] java]# ./jdk-6u27-linux-x64.bin
编辑 /etc/profile 设置相关的环境变量包括java tomcat idp-home 提前设置好在文件末尾加入以下:
exportJAVA_HOME=/usr/local/java/jdk1.6.0_27
exportJRE_HOME=/usr/local/java/jdk1.6.0_27/jre
exportCLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib
export PATH=$PATH:$JAVA_HOME/bin
export CATALINA_HOME=/usr/local/tomcat6
export CATALINA_BASE=/usr/local/tomcat6
export IDP_HOME=/opt/shibboleth-idp
2、 安装apache-tomcat-6.0.32.tar.gz
[[email protected] tmp]# tar -zxfapache-tomcat-6.0.32.tar.gz -C /usr/local/
[[email protected] tmp]# cd /usr/local/
[[email protected] local]# mv apache-tomcat-6.0.32/tomcat6/
[[email protected] local]# vim/usr/local/tomcat6/bin/catalina.sh
在文件JAVA_OPTS 处加入以下内容注意不要加在注释里面
JAVA_OPTS="-Djava.awt.headless=true-Xmx512M -XX:MaxPermSize=128M -Dcom.sun.security.enableCRLDP=true"
[[email protected] local]# vim/usr/local/tomcat6/conf/server.xml
找到这个webapps几个属性修改成以下值
<Host appBase="webapps" unpackWARs="true" autoDeploy="false"
xmlValidation="false" xmlNamespaceAware="false">
[[email protected]]# /usr/local/tomcat6/bin/catalina.sh start
3、 安装shibboleth IDP端
[[email protected] local]# cd /tmp/
[[email protected] tmp]# unzipshibboleth-identityprovider-2.4.2-bin.zip
[[email protected] tmp]# cdshibboleth-identityprovider-2.4.2
[[email protected] shibboleth-identityprovider-2.4.2]#chmod +x install.sh
[[email protected] shibboleth-identityprovider-2.4.2]#cp -r endorsed/ /usr/local/tomcat6
[[email protected] shibboleth-identityprovider-2.4.2]#export JAVA_ENDORSED_DIRS=/usr/local/tomcat6/endorsed
[[email protected] shibboleth-identityprovider-2.4.2]#vi ~/.bash_profile
文件末尾加入以下内容
IDP_HOME=/opt/shibboleth-idp
export IDP_HOME
[[email protected] shibboleth-identityprovider-2.4.2]#source /etc/profile
[[email protected] shibboleth-identityprovider-2.4.2]#./install.sh
安装过程会提示安装路径默认即可
主机名输入idp.csrdu.org,密码123456,记住这个主机名和密码,我们后面会用到。
[[email protected]]# ln -s /opt/shibboleth-idp/conf/etc/shibboleth
[[email protected]]# ln -s /opt/shibboleth-idp/logs/var/log/shibboleth
[[email protected]~]# cd /tmp/
[[email protected]]# cp tomcat6-dta-ssl-1.0.0.jar /usr/local/tomcat6/lib/
[[email protected]]# vim /usr/local/tomcat6/conf/server.xml
加入以下内容不要加在注释里
<Connectorport="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLImplementation="edu.internet2.middleware.security.tomcat7.DelegateToApplicationJSSEImplementation"
scheme="https" SSLEnabled="true"clientAuth="true"
keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
keystorePass="123456"/>
此处密码即是安装时输入的密码
[[email protected] tmp]# vi/usr/local/tomcat6/conf/Catalina/localhost/idp.xml
创建并新建此路径的idp.xml文件加入以下内容
<ContextdocBase="/opt/shibboleth-idp/war/idp.war"
privileged="true"antiResourceLocking="false"
antiJARLocking="false"unpackWAR="false"
swallowOutput="true"/>
# [[email protected] tmp]# vi /etc/hosts
127.0.0.1 idp.csrdu.org idp
[[email protected]]# /usr/local/tomcat6/bin/catalina.sh stop
[[email protected]]# /usr/local/tomcat6/bin/catalina.sh start
[[email protected]]# firefox http://idp.csrdu.org:8080/idp/profile/Status &
http://idp.csrdu.org:8080/idp/profile/Status显示ok页面则为正常,若其他显示包括404则需查看日志。
4、创建证书文件
[[email protected] ~]# mkdir idpcerts/
[[email protected] ~]# keytool -genkey -aliastomcat -keyalg RSA -keystore ~/idpcerts/idpself.keystore
Enter keystore password:
Re-enter new password:
输入密码 123456 记住这个密码其他选项请按照此设置。
[[email protected] ~]# vim/usr/local/tomcat6/conf/server.xml
加入以下内容不要加在注释里
<Connector port="443"protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150"scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
keystoreFile="/root/idpcerts/idpself.keystore"
keystorePass="123456" />
密码为生成证书是输入的密码
[[email protected] ~]#/usr/local/tomcat6/bin/catalina.sh stop
[[email protected] ~]#/usr/local/tomcat6/bin/catalina.sh start
[[email protected] idpcerts]# firefoxhttps://idp.csrdu.org/idp/profile/Status &
显示ok页面则为正常,若其他显示包括404则需查看日志。
[[email protected] idpcerts]# vim/opt/shibboleth-idp/conf/handler.xml
注释掉以下内容
<!-- Login Handlers -->
<!--
<ph:LoginHandler xsi:type="ph:RemoteUser">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</ph:AuthenticationMethod>
</ph:LoginHandler>
-->
对于这部分内容去掉注释
<!-- Username/password login handler -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:
PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
6、安装ApacheDirectoryStudio 这是ldap链接工具图形化界面
[[email protected] tmp]# tar -zxfApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628.tar.gz
[[email protected] tmp]# cdApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628
[[email protected] tmp]# mvApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628 /opt/apachedir
7、安装Apacheds-1.5.7(注:参考文章这里安装的是1.5.2,这个版本有问题,在最后测试的时候即使输入正确密码也会出现crenditial is not recongised,验证通不过)
[[email protected] tmp]# chmod +x apacheds-1.5.7-x86_64.bin
[[email protected] tmp]# ./apacheds-1.5.7-x86_64.
几个选项默认回车即可
8、建立ldap账户
[[email protected] tmp]# /etc/init.d/apacheds-1.5.2-defaultstart
[[email protected] tmp]# cd /opt/apachedir/
[[email protected] apachedir]#./ApacheDirectoryStudio &
开始打开ldap管理平台建立账户
a
b
c
d
选完直接FINISH即可
e
F
G
H
I
J
K
L
M
9、编辑login_config,shibboleth访问ldap文件
[[email protected] apachedir]# vim/opt/shibboleth-idp/conf/login.config
去掉注释编辑以下内容
ShibUserPassAuth {
edu.vt.middleware.ldap.jaas.LdapLoginModulerequired
host="ldap://localhost:10389"base="ou=users,ou=system"
ssl="false"userField="uid";
};
10、编辑attribute-resolver.xml
[[email protected] apachedir]# vim/opt/shibboleth-idp/conf/attribute-resolver.xml
添加以下内容,注意嵌套的标签,不要复制错位置
<resolver:AttributeDefinitionxsi:type="ad:Simple"xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="commonName"sourceAttributeID="cn">
<resolver:Dependencyref="myLDAP" />
<resolver:AttributeEncoderxsi:type="enc:SAML1String"xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:mace:dir:attribute-def:cn" />
<resolver:AttributeEncoderxsi:type="enc:SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:oid:2.5.4.3" friendlyName="cn" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinitionxsi:type="ad:Simple"xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="surname"sourceAttributeID="sn">
<resolver:Dependencyref="myLDAP" />
<resolver:AttributeEncoderxsi:type="enc:SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:mace:dir:attribute-def:sn" />
<resolver:AttributeEncoderxsi:type="enc:SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"name="urn:oid:2.5.4.4"
friendlyName="sn" />
</resolver:AttributeDefinition>
文件的末尾位置找到以下内容去掉注释并编辑
<resolver:DataConnectorxsi:type="dc:LDAPDirectory" id="myLDAP"
ldapURL="ldap://localhost:10389"
baseDN="ou=users,ou=system" principal="uid=admin,ou=system"
principalCredential="secret">
<dc:FilterTemplate>
<![CDATA[(uid=$requestContext.principalName) ]]>
</dc:FilterTemplate>
</resolver:DataConnector>
11、编辑 attribute-filter.xml 文件
添加以下内容,注意嵌套的标签,不要复制错位置
<afp:AttributeRule attributeID="commonName">
<afp:PermitValueRulexsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRuleattributeID="surname">
<afp:PermitValueRulexsi:type="basic:ANY" />
</afp:AttributeRule>
IDP端暂时0k
记得把IDP的hosts文件拷给sp,使用scp命令或者sftp都可以
SP端:
1、编辑Centos-Base.repo添加以下内容:
[security_shibboleth]
name=Shibboleth (CentOS_6)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/repodata/repomd.xml.key
enabled=1
[[email protected] yum.repos.d]# yum installshibboleth mod_ssl openssl -y
[[email protected] yum.repos.d]# vim/etc/httpd/conf/httpd.conf
修改Servername 为sp.csrdu.org UseCanonicalName改为on
[[email protected] yum.repos.d]# service httpdstart
[[email protected] yum.repos.d]#/etc/init.d/shibd start
[[email protected] yum.repos.d]# openssl genrsa-out ca.key 1024
[[email protected] yum.repos.d]# openssl genrsa-out ca.key 1024
[[email protected] yum.repos.d]# openssl req-new -x509 -days 3650 -key ca.key -out ca.crt
[[email protected] yum.repos.d]# cp ca.crt/etc/pki/tls/certs/
[[email protected] yum.repos.d]# cp ca.key/etc/pki/tls/private/
[[email protected] yum.repos.d]# vi/etc/httpd/conf.d/ssl.conf
编辑SSLCertificateFile 和 SSLCertificateKeyFile文件位置为新的文件
IDP需要SP 端sp-metadata.xml作为认证识别文件,同样sp端需要IDP端idp-metadata.xml作为认证识别文件,这里我们用作者提供的sp-metadata.xml传送给IDP端;同时,把IDP端的idp-metadata.xml拷给SP端,这里需要编辑sp-metadata.xml文件,将SP端/etc/shibboleth/下的sp-cert.pem密钥内容替换掉sp-metadata.xml同时还需修改以下几个地方,
IDP端的sp-metadata.xml位置
SP端的idp-metadata.xml位置
编辑IDP端
[[email protected] apachedir]# vim/etc/shibboleth/relying-party.xml
在如下位置添加以下内容
<!-- Load the SP‘s metadata. -->
<metadata:MetadataProviderxsi:type="FilesystemMetadataProvider"xmlns="urn:mace:shibboleth:2.0:metadata" id="SPMETADATA"metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml" />
编辑SP端
[[email protected] yum.repos.d]# vim/etc/shibboleth/shibboleth2.xml
在如下位置添加修改以下内容,注意不要复制到注释里
<RequestMapper type="Native">
<RequestMapapplicationId="default">
<Hostname="sp.csrdu.org">
<Pathname="secure" authType="shibboleth"requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
Vim 看行数用:set nu 尽量不要换行
[[email protected]SPclient yum.repos.d]# vim/etc/shibboleth/attribute-map.xml
在如下位置去掉注释
[[email protected]]# vim /etc/httpd/conf.d/shib.conf
在文件末尾删掉默认的<Location /secure></Location>
添加以下内容
<Location/secure>
AuthTypeshibboleth
ShibRequireSessionOn
requirevalid-user
</Location>
<Location/unsecure>
AuthTypeshibboleth
ShibRequireSessionOff
require shibboleth
</Location>
重启一下相关服务
[[email protected] yum.repos.d]# /etc/init.d/shibd stop
[[email protected]]# service httpd stop
[[email protected]]# service httpd start
[[email protected]]# /etc/init.d/shibd start
- 测试
建立保护目录及保护文件、忽略保护目录及文件
[[email protected]]# mkdir /var/www/html/secure
[[email protected]]#vim /var/www/html/secure/222.html
[[email protected]]# mkdir /var/www/html/unsecure
[[email protected]]#vim /var/www/html/unsecure/111.html
我们在SP端访问保护目录
[[email protected]]# firefox https://sp.csrdu.org/secure &
页面直接跳转到IDP服务器
输入我们建立的zhaoliu 及密码 123456就可以访问了
关掉浏览器再测试忽略保护目录
Ok 我们可以不用输入用户名密码直接访问到。
注:两台服务器时间需要同步,手动改或ntpstat都可以