Я бы хотел защитить свои веб-приложения (на Tomcat 5.5) с помощью ADFS SSO. Доступ к веб-приложениям осуществляется снаружи через Apache2 и его модуль перезаписи.
Есть несколько шагов, чтобы заставить это работать (случайный порядок):
а. ADFS - ADDS
б. Шибболет - ADFS
с. Apache2 - Shibboleth
д. XXXXX - Tomcat
Каждый учебник не понятен, содержит много ошибок или устарел, поэтому у меня проблемы со всеми вышеуказанными шагами.
ADFS и ADDS работают на Windows Server 2008 R2
Shibboleth, Apache2, Tomcat работают на Centos 5.5
Посоветуйте, пожалуйста, как подключить все вышеперечисленные технологии.
Вот Конфигурация Shibboleth , которая работает для меня:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://centos.my.domain.com/"
REMOTE_USER="eppn persistent-id targeted-id" encryption="true" signing="true">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="http://WinServer2008.my.domain.com/adfs/services/trust"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="lgrzywacz@xtm-intl.com"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="https://WinServer2008.my.domain.com/FederationMetadata/2007-06/FederationMetadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="Signature" certificate="/etc/shibboleth/WinServer2008.my.domain.com.cer"/>
</MetadataProvider>
-->
<!-- Example of locally maintained metadata. -->
<MetadataProvider type="XML" file="metadata.xml"/>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="/etc/pki/tls/private/ca.key" certificate="/etc/pki/tls/certs/ca.crt" password="PASSWORD"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Вот Конфигурация Apache :
#
# Load the Shibboleth module.
#
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
<Location /shibboleth-sp>
Allow from all
</Location>
Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth-2.4.3/main.css
Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth-2.4.3/logo.jpg
</IfModule>
#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location />
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
ShibUseHeaders On
</Location>
<Location /Shibboleth.sso>
Satisfy Any
</Location>
<VirtualHost *:443>
ServerName centos.my.domain.com
ServerAlias www.centos.my.domain.com
ServerAlias www.centos.ad.xml-intl.com
ServerAlias centos.ad.xml-intl.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
RewriteCond %{SERVER_NAME} !centos.my.domain.com
RewriteRule ^/(.*) https://centos.my.domain.com/$1 [R]
</VirtualHost>
Я также добавил Доверие проверяющей стороны в ADFS 2.0 со следующими свойствами:
Relying party identifiers = https://centos.my.domain.com/
Display name = Centos
Encryption certificate = this is the ca.crt file mentioned in configs above
Secure hash algorithm = SHA-1
Я также добавил Конечная точка получателя подтверждения SAML с:
Binding = POST
Index = 1
URL = https://centos.my.domain.com/Shibboleth.sso/SAML2/POST
Я не уверен, что что-то пропустил.
Теперь у меня новая проблема. Браузер знает, если я вошел в систему, но мне нужно знать, кто вошел в систему на стороне веб-приложения (есть такие свойства, как HTTP_EMAIL , но все они пусты.