Encryption

Shibboleth SP - 簽名和加密密鑰

  • March 31, 2015

我在 Server 2012 R2 上安裝了 Shibboleth SP。我嘗試送出要導入 IDP 的元數據,並被告知如果沒有簽名或加密密鑰,他們將無法向 SP 發送任何斷言。

根據我的發現,Shibboleth SP 的密鑰包含在預設安裝中。我相信這是 C:\opt\shibboleth-sp\etc\shibboleth 文件夾中包含的 sp-cert.pem 和 sp-key.pem。

我也不確定如何在 Shibboleth2.xml 文件中引用它。這是我現在的 shibboleth2.xml:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">

<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<!-- Only the daemon's logger is configured here; nothing else about shibd is overridden in this example. -->
<OutOfProcess logger="shibd.logger">

</OutOfProcess>

<!-- The InProcess section contains settings affecting web server modules/filters. -->
<InProcess logger="native.logger">
   <!-- IIS-specific filter settings (this SP runs on Windows Server 2012 R2 / IIS). -->
   <ISAPI normalizeRequest="true">

       <!-- Ties IIS site instance 1 to the hostname the SP treats as its own;
            this must agree with the Host name used in the RequestMap below. -->
       <Site id="1" name="sp-example.com"/>
   </ISAPI>
</InProcess>


<!-- This set of components stores sessions and other persistent data in daemon memory. -->
<!-- NOTE(review): a Memory store is per-process, so sessions do not survive a shibd restart and cannot be
     shared between SP hosts; adequate for a single-server test SP, which is what this config describes. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<!-- Session cache backed by the "mem" store above; the timeout and cleanup values are in seconds. -->
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<!-- Replay detection for inbound messages uses the same in-memory store. -->
<ReplayCache StorageService="mem"/>
<!-- Lifetime (seconds) of SAML artifacts the SP issues. -->
<ArtifactMap artifactTTL="180"/>



<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
<RequestMapper type="Native">
   <RequestMap applicationId="default">
       <!-- Every request for sp-example.com requires an authenticated Shibboleth session; no narrower
            <Path> rules are defined, so there is no unauthenticated area under this host. -->
       <Host name="sp-example.com" authType="shibboleth" requireSession="true"/>

   </RequestMap>
</RequestMapper>


<!-- Per-application defaults for this SP.
     NOTE(review): signing="false" encryption="false" together with the absence of a <CredentialResolver>
     inside this element means the SP has no key pair to publish, so the metadata produced by the
     MetadataGenerator handler below carries no certificate entry; that is exactly why the IdP operators
     said they could not send assertions. The accepted answer on this page adds
     <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> here and sets both
     flags to "true". -->
<ApplicationDefaults id="default" policyId="default"
   entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
   homeURL="https://sp-example.com"
   REMOTE_USER="eppn persistent-id targeted-id"
   signing="false" encryption="false"
   >


   <!-- Session lifetime/timeout are seconds. checkAddress="false": sessions are not bound to the client IP.
        NOTE(review): exportLocation is a plain http:// URL even though the handlers are marked
        handlerSSL="true"; the GetAssertion export presumably hands the user's attributes to the host listed
        in exportACL, so confirm whether this should be https:// (or a localhost-only URL) before this
        leaves the test environment. -->
   <Sessions lifetime="28800" timeout="3600" checkAddress="false"
       handlerURL="/Shibboleth.sso" handlerSSL="true"
       exportLocation="http://sp-example.com/Shibboleth.sso/GetAssertion" exportACL="165.91.23.32"
       idpHistory="false" idpHistoryDays="7" cookieProps="https" >


       <!-- Default login flow: always send the user to the one IdP named in entityID (no discovery). -->
       <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
               relayState="cookie" entityID="urn:mace:university.edu:shibboleth:test:idp:university:administrative:cscn:idp-test.university.edu">
           <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
           <SessionInitiator type="Shib1" defaultACSIndex="5"/>
       </SessionInitiator>

       <!-- Assertion consumer endpoints. Index 1 (SAML2 HTTP-POST) is what the SAML2 initiator above
            selects via defaultACSIndex="1"; index 5 (SAML1 browser-post) is the Shib1 initiator's default. -->
       <md:AssertionConsumerService Location="/SAML2/POST" index="1"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
       <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
       <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
       <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
       <md:AssertionConsumerService Location="/SAML/POST" index="5"
           Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
       <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
           Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

       <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
       <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
           <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
           <LogoutInitiator type="Local"/>
       </LogoutInitiator>

       <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
       <md:SingleLogoutService Location="/SLO/SOAP"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
       <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
       <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
       <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

       <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
       <md:ManageNameIDService Location="/NIM/SOAP"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
       <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
       <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
       <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>


       <!-- Back-channel endpoint the IdP calls to resolve artifacts this SP issued. -->
       <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
           Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

       <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
       <!-- signing="false" here: the generated metadata document is served unsigned, so whoever imports it
            at the IdP has to trust it out of band (e.g. by the https origin it was fetched from). -->
       <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

       <!-- Status reporting service. -->
       <!-- Reachable only from the SP host itself (acl="127.0.0.1"). -->
       <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

       <!-- Session diagnostic service. -->
       <!-- showAttributeValues="false" keeps attribute values out of the diagnostic page; only names are shown. -->
       <Handler type="Session" Location="/Session" showAttributeValues="false"/>

   </Sessions>


   <!-- Error page templates; supportContact is what end users see on those pages. -->
   <Errors session="sessionError.html"
       metadata="metadataError.html"
       access="accessError.html"
       ssl="sslError.html"
       localLogout="localLogout.html"
       globalLogout="globalLogout.html"
       supportContact="root@localhost"
       logoLocation="/shibboleth-sp/logo.jpg"
       styleSheet="/shibboleth-sp/main.css"/>


   <!-- Chains together all your metadata sources. -->
   <MetadataProvider type="Chaining">
       <!-- Example of remotely supplied batch of signed metadata. -->
       <!-- NOTE(review): the file name says this batch is signed, but no
            <MetadataFilter type="Signature" certificate="FEDERATION-SIGNING-CERT-PLACEHOLDER.pem"/>
            is configured, so the SP never checks that signature; trust in the IdP's keys rests entirely on the
            https fetch and on whatever is in the backing file on disk. Confirm with the federation whether their
            metadata signing certificate should be configured here. reloadInterval is in seconds. -->
       <MetadataProvider type="XML" uri="https://idp-test.university.edu/universityfed-test-metadata-signed.xml"
            backingFilePath="C:\opt\shibboleth-sp\etc\shibboleth\universityfed-test-metadata-signed.xml" reloadInterval="7200">
       </MetadataProvider>
   </MetadataProvider>

   <!-- Chain the two built-in trust engines together. -->
   <!-- ExplicitKey accepts only keys published in the IdP's metadata; PKIX is presumably consulted when
        that fails, in the order listed. -->
   <TrustEngine type="Chaining">
       <TrustEngine type="ExplicitKey"/>
       <TrustEngine type="PKIX"/>
   </TrustEngine>

   <!-- Map to extract attributes from SAML assertions. -->
   <AttributeExtractor type="XML" path="attribute-map.xml"/>

   <!-- Use a SAML query if no attributes are supplied during SSO. -->
   <AttributeResolver type="Query"/>

   <!-- Default filtering policy for recognized attributes, lets other data pass. -->
   <AttributeFilter type="XML" path="attribute-policy.xml"/>


</ApplicationDefaults>

<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
   <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
   <!-- validate="false": inbound messages are not schema-validated before the rules below are applied. -->
   <Policy id="default" validate="false">
       <!-- Reject replayed messages and messages older than 60 seconds (the root clockSkew="180"
            presumably widens the acceptable window). -->
       <Rule type="MessageFlow" checkReplay="true" expires="60"/>
       <!-- Each rule below treats a failed check as fatal (errorFatal="true") instead of silently ignoring it. -->
       <Rule type="ClientCertAuth" errorFatal="true"/>
       <Rule type="XMLSigning" errorFatal="true"/>
       <Rule type="SimpleSigning" errorFatal="true"/>
   </Policy>
</SecurityPolicies>

根據我收到的一封電子郵件,我需要包括 <md:KeyDescriptor use="encryption"> 和 <md:KeyDescriptor use="signing">

根據我在網上找到的,它應該類似於:

<md:SPSSODescriptor>
<!-- Hand-written example of the KeyDescriptor the IdP wants to see in SP metadata. Once a
     <CredentialResolver> is configured, the SP's MetadataGenerator handler emits this element itself,
     so it is not normally pasted into shibboleth2.xml by hand. -->
<md:KeyDescriptor>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:X509Data>
           <!-- ds:X509Certificate carries the base64 body of sp-cert.pem (the text between the
                BEGIN/END CERTIFICATE lines), not a hash of the file. -->
           <ds:X509Certificate>
               hash found in sp-cert.pem file
           </ds:X509Certificate>
       </ds:X509Data>
   </ds:KeyInfo>
</md:KeyDescriptor>

我不知道我應該把它放在 Shibboleth2.xml 文件的什麼地方。

任何人都可以幫助我走上正軌嗎?我已經閱讀了來自不同機構的大量文件和指南,但沒有找到任何方向。

答案是將以下行添加到 Shibboleth2.xml(在 ApplicationDefaults 部分中):

<!-- Loads the SP's own key pair. Relative paths resolve against the folder that holds shibboleth2.xml
     (C:\opt\shibboleth-sp\etc\shibboleth in this install). sp-key.pem is the private key: restrict its
     filesystem ACL to the account shibd runs as. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

sp-key.pem 和 sp-cert.pem 包含在 Shibboleth 安裝中。它們與 Shibboleth2.xml 文件位於同一文件夾中。

我也改了行:

<ApplicationDefaults id="default" policyId="default" entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
   homeURL="https://sp-example.com"
   REMOTE_USER="eppn persistent-id targeted-id"
   signing="false" encryption="false"
   >

到:

<ApplicationDefaults id="default" policyId="default"
entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
   homeURL="https://sp-example.com"
   REMOTE_USER="eppn persistent-id targeted-id"
   signing="true" encryption="true"
   >

添加該行後,產生的元數據就包含證書條目,需要重新導入 IDP。

引用自:https://serverfault.com/questions/666947