我在 Server 2012 R2 上安装了 Shibboleth SP。我尝试提交要导入 IDP 的元数据,但被告知如果没有签名或加密密钥,他们将无法向 SP 发送任何断言。
从我找到的信息来看,Shibboleth SP 在默认安装中包含了要使用的密钥。我相信那是 C:\opt\shibboleth-sp\etc\shibboleth 文件夹中包含的 sp-cert.pem 和 sp-key.pem。
我也不确定如何在 Shibboleth2.xml 文件中引用它。这是我目前的 shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess logger="shibd.logger">
</OutOfProcess>
<!-- The InProcess section conrains settings affecting web server modules/filters. -->
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true">
<Site id="1" name="sp-example.com"/>
</ISAPI>
</InProcess>
<!-- This set of components stores sessions and other persistent data in daemon memory. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="sp-example.com" authType="shibboleth" requireSession="true"/>
</RequestMap>
</RequestMapper>
<ApplicationDefaults id="default" policyId="default"
entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
homeURL="https://sp-example.com"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false"
>
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="true"
exportLocation="http://sp-example.com/Shibboleth.sso/GetAssertion" exportACL="165.91.23.32"
idpHistory="false" idpHistoryDays="7" cookieProps="https" >
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
relayState="cookie" entityID="urn:mace:university.edu:shibboleth:test:idp:university:administrative:cscn:idp-test.university.edu">
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
<Errors session="sessionError.html"
metadata="metadataError.html"
access="accessError.html"
ssl="sslError.html"
localLogout="localLogout.html"
globalLogout="globalLogout.html"
supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<!-- Example of remotely supplied batch of signed metadata. -->
<MetadataProvider type="XML" uri="https://idp-test.university.edu/universityfed-test-metadata-signed.xml"
backingFilePath="C:\opt\shibboleth-sp\etc\shibboleth\universityfed-test-metadata-signed.xml" reloadInterval="7200">
</MetadataProvider>
</MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" path="attribute-policy.xml"/>
</ApplicationDefaults>
<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
<!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
<Policy id="default" validate="false">
<Rule type="MessageFlow" checkReplay="true" expires="60"/>
<Rule type="ClientCertAuth" errorFatal="true"/>
<Rule type="XMLSigning" errorFatal="true"/>
<Rule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
根据我收到的电子邮件,我需要包括<md:KeyDescriptor use="encryption">并<md:KeyDescriptor use="signing">
从我在网上找到的资料来看,它应该是类似的:
<md:SPSSODescriptor>
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
hash found in sp-cert.pem file
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
我不知道应该把它放在 Shibboleth.xml 文件的什么位置。
有人能帮我找到正确的方向吗?我查阅了不同机构的大量文档和指南,但还是没有找到任何方向。
答案1
答案是将以下行添加到 Shibboleth2.xml(在ApplicationDefaults部分中):
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
sp-key.pem并sp-cert.pem包含在 Shibboleth 安装中。它们位于与Shibboleth2.xml文件相同的文件夹中。
我还改变了这一行:
<ApplicationDefaults id="default" policyId="default" entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
homeURL="https://sp-example.com"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false"
>
到:
<ApplicationDefaults id="default" policyId="default"
entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
homeURL="https://sp-example.com"
REMOTE_USER="eppn persistent-id targeted-id"
signing="true" encryption="true"
>
添加该行后,元数据包含证书的条目,需要重新导入到 IDP。