eduPersonTargetedID attribute definition (OVA: step 4 of 6; manual install: step 4 of 9)

eduPersonTargetedID is a persistent, permanently usable unique identifier for a user. Because it is derived with a hash algorithm it is not human-readable. It suits applications that need to tell different users apart while protecting each user's privacy.

There are two configuration methods. One stores each user's ePTID (eduPersonTargetedID) permanently in a database; the other computes the user's ePTID with a fixed algorithm on every request. Use one of the two, not both.

Method 1: compute the user's ePTID with a fixed algorithm each time and release it to all SPs

This method uses a pre-configured ePTID generation algorithm and computes the value at every attribute release. No database is needed, so the setup is simple. As long as the system is not reinstalled and the configuration is not changed, a given user's ePTID for a given SP stays unique and stable (the same value every time).

  • Attribute definition (file /opt/shibboleth-idp/conf/attribute-resolver.xml)

{{salt="xxxxxxxxxxxxxxxxxxxx"}} is the hashing salt; it must be at least 16 characters long. Replace it with a random string.

You can generate a random string with the openssl command:

openssl rand 32 -base64
# add the following
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="ComputedIDConnector" attributeNames="computedID"/>
    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
</AttributeDefinition> 
<DataConnector id="ComputedIDConnector" xsi:type="ComputedId" generatedAttributeID="computedID" salt="xxxxxxxxxxxxxxxxxxxx" encoding="BASE64">
    <InputAttributeDefinition ref="eduPersonPrincipalName" />
</DataConnector> 

{{<InputAttributeDefinition ref="eduPersonPrincipalName"/>}} makes eduPersonPrincipalName the source attribute from which eduPersonTargetedID is generated, so the ePTID the IdP releases is tied to the user's eduPersonPrincipalName.

  • Attribute release (file /opt/shibboleth-idp/conf/attribute-filter.xml) (Note: the OVA configuration already defines the release of this attribute; this step is not needed there)
<AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />

• Restart tomcat

[root@www ~]#systemctl restart tomcat

• About logs

Because this method stores no mapping between persistentId and user id, it is impossible to look up from a persistentId which user id it belonged to at a given point in time. If the user's uid is known, the persistentId issued to a particular SP can be regenerated with the method below. Continued use of this method is not recommended.

The IdP audit log records the user's uid. When a particular uid's login to a particular SP has to be investigated, the SP usually needs the corresponding persistentId attribute.

It can be generated with the following Perl script:

yum install perl-Digest-SHA.x86_64
# sha1_base64 omits Base64 padding; (4 - length % 4) % 4 restores the '=' characters the IdP emits
perl -e 'use Digest::SHA qw(sha1_base64); $digest = sha1_base64("sp_entityid!attribute!salt"); $pad = (4 - length($digest) % 4) % 4; print $digest, "=" x $pad, "\n"'

Replace sp_entityid with the SP's EntityID, attribute with the value of eduPersonPrincipalName (note: if that attribute is of a scoped type, use only the part before the @; if unsure, generate both the value with and the value without the @ and give both to the SP for troubleshooting), and salt with the salt configured in the IdP.

Note: for the exact logic see: https://github.com/UniconLabs/shib-idp3/blob/master/idp-saml-impl/src/main/java/net/shibboleth/idp/saml/attribute/resolver/impl/ComputedIDDataConnector.java
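As an added example (not code from this page or from the Shibboleth project), the same ComputedId derivation in Python: Base64(SHA-1("sp_entityid!attribute!salt")) with the '=' padding the IdP emits. It also handles the scoped-attribute caveat above by producing both the unscoped and the full-value candidates, so an administrator can hand both to the SP. The SP entity IDs, principal names and salt are constructed sample values.

```python
"""Recompute a Shibboleth ComputedId (eduPersonTargetedID) value offline.

Added example; mirrors the Perl one-liner above rather than reusing the
IdP's own code. All entity IDs, principals and the salt are constructed.
"""
import base64
import hashlib

SAMPLE_SP_ENTITY_ID = "https://sp.example.org/shibboleth"   # constructed sample
SAMPLE_SALT = "0123456789abcdefghij"                        # constructed, >= 16 chars


def computed_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Persistent ID as the ComputedId connector derives it:
    Base64 of SHA-1 over "<sp entityID>!<source attribute value>!<salt>"."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 characters, as the IdP requires")
    material = f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")
    # standard Base64 alphabet with padding: SHA-1 (20 bytes) -> 28 characters ending in '='
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def candidate_ids(sp_entity_id: str, eppn: str, salt: str) -> dict:
    """Both candidates for a possibly scoped eduPersonPrincipalName.

    'unscoped' uses the part before '@' (what a scoped attribute type yields);
    'full' uses the whole value and is only present when the value contains '@'.
    """
    local_part = eppn.split("@", 1)[0]
    candidates = {"unscoped": computed_id(sp_entity_id, local_part, salt)}
    if "@" in eppn:
        candidates["full"] = computed_id(sp_entity_id, eppn, salt)
    return candidates


if __name__ == "__main__":
    # Same user at two SPs: the ID is stable per SP but differs between SPs,
    # which is the privacy property a targeted ID is meant to provide.
    for sp in (SAMPLE_SP_ENTITY_ID, "https://other.example.org/shibboleth"):
        print(sp, candidate_ids(sp, "alice@example.edu", SAMPLE_SALT))
```

The value for the SP that reported a problem is the one to compare against its logs; the value for any other SP will differ even though the user and salt are the same.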

Method 2: store each user's ePTID permanently in a database

For security, it is recommended that the database accept only local connections, that anonymous users be removed, that remote root login be disabled, and that the test database be removed.

• Install the database

{{bind-address=127.0.0.1}} restricts the database to local connections only

[root@www ~]#yum -y install mariadb mariadb-server
[root@www ~]#vi /etc/my.cnf
add the following within the [mysqld] section
[mysqld]
character-set-server=utf8
bind-address=127.0.0.1
[root@www ~]#systemctl start mariadb
[root@www ~]#systemctl enable mariadb

• Database configuration

[root@www ~]#mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

# press Enter
Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

# set the root password
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

# remove anonymous accounts
Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

# disallow remote root login
Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

# remove the test database
Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

# reload the privilege tables
Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

• Install mysql-connector-java

[root@www ~]#yum -y install mysql-connector-java
[root@www ~]#ln -s /usr/share/java/mysql-connector-java.jar /usr/share/tomcat/lib/

Database initialization

This includes creating a working account for the IdP and the idp_db database with a shibpid table that stores the ePTID data.

First log in as root and create the account the IdP will use; username is the account name and password its password.

[root@www ~]# mysql -u root -p
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
-- grant the IdP account rights on its own database only; without this the CREATE DATABASE step below fails
GRANT ALL PRIVILEGES ON idp_db.* TO 'username'@'localhost';

Switch to the newly created account; username is the account just created

[root@www ~]# mysql -u username -p
CREATE DATABASE idp_db CHARACTER SET utf8 COLLATE utf8_bin;
use idp_db;
CREATE TABLE shibpid (
    localEntity VARCHAR(255) NOT NULL,
    peerEntity VARCHAR(255) NOT NULL,
    persistentId VARCHAR(50) NOT NULL,
    principalName VARCHAR(50) NOT NULL,
    localId VARCHAR(50) NOT NULL,
    peerProvidedId VARCHAR(50) NULL,
    creationDate TIMESTAMP NOT NULL,
    deactivationDate TIMESTAMP NULL,
    PRIMARY KEY (localEntity, peerEntity, persistentId)
);
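To show what the shibpid table adds over Method 1, here is an added example (not the IdP's or this page's code) that models the table in an in-memory SQLite database so it runs offline. The queries are this example's own, written against the columns of the CREATE TABLE above; they are not the IdP's real StoredId SQL. It demonstrates the reverse lookup Method 1 cannot do (persistentId back to the principal in the audit-log scenario) and why deactivated rows are kept rather than deleted. All entity IDs, principals and persistent IDs are constructed sample values.

```python
"""Model of the shibpid table semantics using sqlite3 (added example).

The DDL is the page's table; the IdP entity ID and every row are constructed.
"""
import sqlite3
from datetime import datetime, timezone

SHIBPID_DDL = """
CREATE TABLE shibpid (
    localEntity VARCHAR(255) NOT NULL,
    peerEntity VARCHAR(255) NOT NULL,
    persistentId VARCHAR(50) NOT NULL,
    principalName VARCHAR(50) NOT NULL,
    localId VARCHAR(50) NOT NULL,
    peerProvidedId VARCHAR(50) NULL,
    creationDate TIMESTAMP NOT NULL,
    deactivationDate TIMESTAMP NULL,
    PRIMARY KEY (localEntity, peerEntity, persistentId)
)
"""

IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"  # constructed sample


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def open_store() -> sqlite3.Connection:
    """Empty in-memory store with the shibpid table created."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SHIBPID_DDL)
    return conn


def store_id(conn, peer_entity, principal, local_id, persistent_id) -> None:
    """Record a newly issued ePTID for one (user, SP) pair."""
    conn.execute(
        "INSERT INTO shibpid (localEntity, peerEntity, persistentId, principalName,"
        " localId, creationDate) VALUES (?, ?, ?, ?, ?, ?)",
        (IDP_ENTITY_ID, peer_entity, persistent_id, principal, local_id, _now()),
    )
    conn.commit()


def active_id_for_user(conn, peer_entity, local_id):
    """ID the IdP would reuse for this user at this SP; None if none is active."""
    row = conn.execute(
        "SELECT persistentId FROM shibpid WHERE localEntity=? AND peerEntity=?"
        " AND localId=? AND deactivationDate IS NULL",
        (IDP_ENTITY_ID, peer_entity, local_id),
    ).fetchone()
    return row[0] if row else None


def principal_for_id(conn, peer_entity, persistent_id):
    """Reverse lookup for incident handling: which principal was behind the
    persistentId an SP reports? Deactivated IDs still resolve, because rows
    are retired by setting deactivationDate instead of being deleted."""
    row = conn.execute(
        "SELECT principalName, deactivationDate FROM shibpid WHERE localEntity=?"
        " AND peerEntity=? AND persistentId=?",
        (IDP_ENTITY_ID, peer_entity, persistent_id),
    ).fetchone()
    if row is None:
        return None
    return {"principal": row[0], "deactivated": row[1] is not None}


def deactivate_id(conn, peer_entity, persistent_id) -> None:
    """Retire an ID (e.g. on user request) while keeping its history."""
    conn.execute(
        "UPDATE shibpid SET deactivationDate=? WHERE localEntity=? AND peerEntity=?"
        " AND persistentId=? AND deactivationDate IS NULL",
        (_now(), IDP_ENTITY_ID, peer_entity, persistent_id),
    )
    conn.commit()


if __name__ == "__main__":
    db = open_store()
    sp = "https://sp.example.org/shibboleth"
    store_id(db, sp, "alice@example.edu", "alice", "SAMPLEPERSISTENTID1=")
    print(principal_for_id(db, sp, "SAMPLEPERSISTENTID1="))
```

The composite primary key (localEntity, peerEntity, persistentId) is what lets the same persistentId string be reused safely across different SPs, and the deactivationDate column is what makes historical lookups possible after an ID is retired.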

IdP configuration

This includes: enabling the NameID generator that automatically generates the ePTID, defining the ePTID attribute, and releasing the ePTID to all SPs.

Enable the NameID generator

[root@www ~]# vi /opt/shibboleth-idp/conf/saml-nameid.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
                           
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- ========================= SAML NameID Generation ========================= -->

    <!--
    These generator lists handle NameID/Nameidentifier generation going forward. By default,
    transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs
    and generating more one-off formats based on resolved attributes. The suggested approach is to
    control their use via release of the underlying source attribute in the filter policy rather
    than here, but you can set a property on any generator called "activationCondition" to limit
    use in the most generic way.
    
    Most of the relevant configuration settings are controlled using properties; an exception is
    the generation of arbitrary/custom formats based on attribute information, examples of which
    are shown below.
    
    -->
    
    


    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
    
        <ref bean="shibboleth.SAML2TransientGenerator" />
        
        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        
        <ref bean="shibboleth.SAML2PersistentGenerator" />
        

        <!--
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->
                
    </util:list>

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">

        <ref bean="shibboleth.SAML1TransientGenerator" />

        <!--
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->
                
    </util:list>
    
</beans>

Configure the NameID parameters. This relies on an attribute that uniquely identifies the user as the source attribute, such as eduPersonPrincipalName or uid. {{idp.persistentId.salt = xxxxxxxxxxxxxxxxxxxx}} is the hashing salt; it must be at least 16 characters long. Replace it with a random string.

You can generate a random string with the openssl command:

openssl rand 32 -base64

# Some teachers have reported that on Ubuntu systems the command should be:
openssl rand -base64 32
[root@www ~]# vi /opt/shibboleth-idp/conf/saml-nameid.properties
idp.persistentId.sourceAttribute = eduPersonPrincipalName
idp.persistentId.salt = xxxxxxxxxxxxxxxxxxxx
idp.persistentId.encoding = BASE64
idp.persistentId.dataSource = MyDataSource

Attribute definition

[root@www ~]# vi /opt/shibboleth-idp/conf/attribute-resolver.xml
Add the following:
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredId" attributeNames="persistentID"/>
    <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" encodeType="false"/>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" encodeType="false"/>
</AttributeDefinition>
<DataConnector id="myStoredId" xsi:type="StoredId" generatedAttributeID="persistentID" salt="%{idp.persistentId.salt}" queryTimeout="0">
    <InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}"/>
    <BeanManagedConnection>MyDataSource</BeanManagedConnection>
</DataConnector>

Attribute release

[root@www ~]# vi /opt/shibboleth-idp/conf/attribute-filter.xml

In the AttributeFilterPolicy that contains {{<PolicyRequirementRule xsi:type="ANY">}}, add:

<AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />

Define the connection between the IdP and the database: change {{p:username}} to the database user name and {{p:password}} to the database password.

[root@www ~]# vi /opt/shibboleth-idp/conf/global.xml
Add the following:
<bean id="MyDataSource" class="org.apache.commons.dbcp2.BasicDataSource"
p:driverClassName="com.mysql.jdbc.Driver"
p:url="jdbc:mysql://localhost:3306/idp_db"
p:username="username"
p:password="password"    
p:maxIdle="5"
p:maxWaitMillis="15000"
p:testOnBorrow="true"
p:validationQuery="select 1"
p:validationQueryTimeout="5" />

• Restart tomcat

[root@www ~]#systemctl restart tomcat

Copyright © Peking University Computer Center