
Congratulations, you have reached the final step of bringing your IdP online! This document applies when the authentication integration method is LDAP, OAuth or CAS.

IdP-side configuration

After you receive the e-mail from the Peking University CARSI operations team confirming that go-live succeeded, replace the pre-production federation metadata file previously configured on the IdP with the production federation metadata file to complete the go-live. Either of the following two methods is sufficient.

Method 1: download the script from ds.carsi.edu.cn, which automatically updates the /opt/shibboleth-idp/conf/metadata-providers.xml configuration:

```bash
[carsi@www ~]$ sudo curl -o /opt/shibboleth-idp/bin/putIdPOnline-jetty.sh https://ds.carsi.edu.cn/4.1inst/v1/common/putIdPOnline-jetty.sh
[carsi@www ~]$ sudo chmod +x /opt/shibboleth-idp/bin/putIdPOnline-jetty.sh
[carsi@www ~]$ sudo sh /opt/shibboleth-idp/bin/putIdPOnline-jetty.sh
This script is used to put IdP into online environment from pre-online system.
Steps for putting Idp online(Excute the script with root or tomcat privilege.):


To put IdP online from pre-online, press Y,or press N for exit:Y  (enter uppercase Y to start the operation; otherwise enter uppercase N to end the script)
```

The script then runs.

Method 2: manually edit the /opt/shibboleth-idp/conf/metadata-providers.xml configuration:

After you receive the e-mail from the CARSI federation confirming that go-live succeeded, change the backingFile and metadataURL settings in the /opt/shibboleth-idp/conf/metadata-providers.xml configuration file as shown below. Once the changes are made, restart jetty for them to take effect.

```bash
[carsi@www ~]$ sudo vi /opt/shibboleth-idp/conf/metadata-providers.xml
# Change the backingFile and metadataURL settings following the content below
<MetadataProvider id="HTTPMetadata"
        xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="/opt/shibboleth-idp/metadata/carsifed-metadata.xml"
        minRefreshDelay="PT5M"
        maxRefreshDelay="PT10M"
        metadataURL="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml"
        failFastInitialization="false">
    <MetadataFilter xsi:type="SignatureValidation" certificateFile="/opt/shibboleth-idp/credentials/dsmeta.pem" />
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
    <!-- IdP 4.1 name of the role filter; it was called EntityRoleWhiteList before 4.1 -->
    <MetadataFilter xsi:type="EntityRole">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

[carsi@www ~]$ sudo systemctl restart jetty
```
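A pre-restart check for the edited file, added here as an example (it is not CARSI or Shibboleth code): it parses metadata-providers.xml and reports whether the HTTPMetadata provider points at the production metadataURL and backingFile given above and still carries the SignatureValidation, RequiredValidUntil and EntityRole filters, so that the switch to production metadata does not silently drop the signature check. The pre-online host in the second sample is a placeholder, since this page does not give the pre-online URL.

```python
"""Sanity-check metadata-providers.xml against the production CARSI values on
this page before restarting jetty. Added example, not part of the CARSI docs."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Production values exactly as given in the documentation above.
PROD_URL = "https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml"
PROD_BACKING_FILE = "/opt/shibboleth-idp/metadata/carsifed-metadata.xml"
# Filters that must survive the edit: signature check, freshness limit, SP-only roles.
REQUIRED_FILTERS = ("SignatureValidation", "RequiredValidUntil", "EntityRole")


def check_provider(xml_text, provider_id="HTTPMetadata"):
    """Return a list of problems; an empty list means the provider is ready to go live."""
    root = ET.fromstring(xml_text)
    # Tags are namespaced ({urn:mace:shibboleth:2.0:metadata}MetadataProvider), so match the suffix.
    prov = next((e for e in root.iter() if e.tag.endswith("MetadataProvider")
                 and e.get("id") == provider_id), None)
    if prov is None:
        return [f"no MetadataProvider with id={provider_id!r}"]
    problems = []
    if prov.get("metadataURL") != PROD_URL:
        problems.append(f"metadataURL is not the production URL: {prov.get('metadataURL')}")
    if prov.get("backingFile") != PROD_BACKING_FILE:
        problems.append(f"backingFile is not the production path: {prov.get('backingFile')}")
    filters = {f.get(XSI_TYPE): f for f in prov if f.tag.endswith("MetadataFilter")}
    problems += [f"{name} filter missing" for name in REQUIRED_FILTERS if name not in filters]
    sig = filters.get("SignatureValidation")
    if sig is not None and not sig.get("certificateFile"):
        problems.append("SignatureValidation filter has no certificateFile")
    return problems


# Constructed sample: the production provider from this page, with namespace
# declarations added so the fragment parses as a complete document.
PRODUCTION_XML = """<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="HTTPMetadata"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="/opt/shibboleth-idp/metadata/carsifed-metadata.xml"
    metadataURL="https://www.carsi.edu.cn/carsimetadata/carsifed-metadata.xml">
  <MetadataFilter xsi:type="SignatureValidation"
      certificateFile="/opt/shibboleth-idp/credentials/dsmeta.pem"/>
  <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
  <MetadataFilter xsi:type="EntityRole"><RetainedRole>md:SPSSODescriptor</RetainedRole></MetadataFilter>
</MetadataProvider>"""
# Constructed sample: still pointing at a PLACEHOLDER pre-online host (this page
# does not give the real pre-online URL).
PRE_ONLINE_XML = PRODUCTION_XML.replace("https://www.carsi.edu.cn", "https://PRE-ONLINE-HOST-PLACEHOLDER")
```

Run `check_provider(open("/opt/shibboleth-idp/conf/metadata-providers.xml").read())` on the real file; an empty list means metadataURL, backingFile and the three filters match the configuration shown above.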

...

IdP512: Verifying after go-live (via browser)