Encryption
Shibboleth SP - signing and encryption keys
I installed Shibboleth SP on Server 2012 R2. I tried to submit the metadata to be imported into the IdP and was told that, without a signing or encryption key, they would not be able to send any assertions to the SP.
From what I have found, the keys for Shibboleth SP are included in the default install. I believe these are the sp-cert.pem and sp-key.pem files in the C:\opt\shibboleth-sp\etc\shibboleth folder.
I am also not sure how to reference them in the Shibboleth2.xml file. This is my shibboleth2.xml right now:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          logger="syslog.logger" clockSkew="180">

    <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
    <OutOfProcess logger="shibd.logger">
    </OutOfProcess>

    <!-- The InProcess section contains settings affecting web server modules/filters. -->
    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true">
            <Site id="1" name="sp-example.com"/>
        </ISAPI>
    </InProcess>

    <!-- This set of components stores sessions and other persistent data in daemon memory. -->
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
    <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="mem"/>
    <ArtifactMap artifactTTL="180"/>

    <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="sp-example.com" authType="shibboleth" requireSession="true"/>
        </RequestMap>
    </RequestMapper>

    <ApplicationDefaults id="default" policyId="default"
                         entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
                         homeURL="https://sp-example.com"
                         REMOTE_USER="eppn persistent-id targeted-id"
                         signing="false" encryption="false">

        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                  handlerURL="/Shibboleth.sso" handlerSSL="true"
                  exportLocation="http://sp-example.com/Shibboleth.sso/GetAssertion" exportACL="165.91.23.32"
                  idpHistory="false" idpHistoryDays="7" cookieProps="https">

            <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie"
                              entityID="urn:mace:university.edu:shibboleth:test:idp:university:administrative:cscn:idp-test.university.edu">
                <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
            </SessionInitiator>

            <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:AssertionConsumerService Location="/SAML2/ECP" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="5" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="6" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

            <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
            <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
                <LogoutInitiator type="Local"/>
            </LogoutInitiator>

            <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
            <md:SingleLogoutService Location="/SLO/SOAP" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

            <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
            <md:ManageNameIDService Location="/NIM/SOAP" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>

        <Errors session="sessionError.html" metadata="metadataError.html" access="accessError.html"
                ssl="sslError.html" localLogout="localLogout.html" globalLogout="globalLogout.html"
                supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>

        <!-- Chains together all your metadata sources. -->
        <MetadataProvider type="Chaining">
            <!-- Example of remotely supplied batch of signed metadata. -->
            <MetadataProvider type="XML" uri="https://idp-test.university.edu/universityfed-test-metadata-signed.xml"
                              backingFilePath="C:\opt\shibboleth-sp\etc\shibboleth\universityfed-test-metadata-signed.xml"
                              reloadInterval="7200">
            </MetadataProvider>
        </MetadataProvider>

        <!-- Chain the two built-in trust engines together. -->
        <TrustEngine type="Chaining">
            <TrustEngine type="ExplicitKey"/>
            <TrustEngine type="PKIX"/>
        </TrustEngine>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" path="attribute-policy.xml"/>
    </ApplicationDefaults>

    <!-- Each policy defines a set of rules to use to secure messages. -->
    <SecurityPolicies>
        <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
        <Policy id="default" validate="false">
            <Rule type="MessageFlow" checkReplay="true" expires="60"/>
            <Rule type="ClientCertAuth" errorFatal="true"/>
            <Rule type="XMLSigning" errorFatal="true"/>
            <Rule type="SimpleSigning" errorFatal="true"/>
        </Policy>
    </SecurityPolicies>
According to an email I received, I need to include
<md:KeyDescriptor use="encryption">
and <md:KeyDescriptor use="signing">
According to what I found online, it should look something like:
<md:SPSSODescriptor>
    <md:KeyDescriptor>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    hash found in sp-cert.pem file
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
I don't know where in the Shibboleth.xml file I should put it.
Can anyone help me get on the right track? I have read a lot of documents and guides from different institutions but have not found any direction.
The answer was to add the following line to Shibboleth2.xml (inside the ApplicationDefaults section):
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
sp-key.pem and sp-cert.pem are included in the Shibboleth install. They are in the same folder as Shibboleth2.xml. I also changed the line:
<ApplicationDefaults id="default" policyId="default" entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com" homeURL="https://sp-example.com" REMOTE_USER="eppn persistent-id targeted-id" signing="false" encryption="false" >
to:
<ApplicationDefaults id="default" policyId="default" entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com" homeURL="https://sp-example.com" REMOTE_USER="eppn persistent-id targeted-id" signing="true" encryption="true" >
After adding that line, the metadata has certificate entries and needs to be re-imported into the IdP.
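As an added check (example code, not from the post or from the Shibboleth project): once the CredentialResolver is in place, the SP publishes its metadata through the MetadataGenerator handler configured above (https://sp-example.com/Shibboleth.sso/Metadata), and this script verifies that the metadata handed to the IdP carries a signing and an encryption KeyDescriptor whose certificate is exactly the base64 body of sp-cert.pem. The certificate and metadata used here are constructed stand-ins, so read the real files in before trusting the result.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed stand-in for sp-cert.pem: valid base64, not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SP_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 + "\n-----END CERTIFICATE-----\n"

def pem_to_der_b64(pem_text):
    """Strip PEM armor and whitespace: what belongs in ds:X509Certificate is the base64 DER, not a hash."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # raises binascii.Error on a corrupt body
    return body

def key_descriptor_certs(metadata_xml):
    """Map use -> certificates in md:KeyDescriptor; no 'use' attribute means both uses (SAML metadata rule)."""
    found = {"signing": [], "encryption": []}
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD_NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            for u in uses:
                found[u].append("".join((cert.text or "").split()))
    return found

def check_sp_metadata(metadata_xml, sp_cert_pem):
    """Return a list of problems; empty means both uses advertise the SP's own certificate."""
    expected = pem_to_der_b64(sp_cert_pem)
    certs = key_descriptor_certs(metadata_xml)
    problems = []
    for use in ("signing", "encryption"):
        if not certs[use]:
            problems.append("no KeyDescriptor for use=%s" % use)
        elif expected not in certs[use]:
            problems.append("KeyDescriptor use=%s does not match sp-cert.pem" % use)
    return problems

def sample_metadata(with_keys):
    """Constructed SP metadata: False mimics the output before the CredentialResolver, True the fixed SP."""
    keys = "".join(
        '<md:KeyDescriptor use="%s"><ds:KeyInfo xmlns:ds="%s"><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</md:KeyDescriptor>" % (u, DS_NS, FAKE_CERT_B64)
        for u in (("signing", "encryption") if with_keys else ()))
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="https://sp-example.com/shibboleth">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            "%s</md:SPSSODescriptor></md:EntityDescriptor>" % (MD_NS, keys))
```

Run check_sp_metadata(open("sp-metadata.xml").read(), open("sp-cert.pem").read()) against the real files; an empty list is the state the IdP operator asked for.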