Shibboleth Metadata
03-06-2018, 11:00 PM (This post was last modified: 06-06-2018 11:45 AM by qiracle.)
Source: https://wiki.shibboleth.net/confluence/d...https://wiki.shibboleth.net/confluence/display/CONCEP

"There are several metadata schemas defined by different specifications or software, but Shibboleth is currently designed around the SAML 2.0 Metadata specification standardized by OASIS.

Shibboleth, in its current state, does not offer tools to import or export SAML metadata. Rather, it consumes the XML directly as a configuration mechanism that enumerates the set of trusted partners and tells the software how to communicate securely with them.

The IdP consumes metadata by looking for entities that act in SP roles. Conversely, the SP consumes metadata by looking for entities that act in IdP roles. In other words, each type of provider needs metadata about its opposite. In a few isolated cases, the IdP also relies on metadata about itself.

In all cases, it is critical that the metadata supplied to other systems be "in sync" with the configuration of the system it describes, or many different kinds of errors will result. In fact, most of the errors that people encounter with SAML software are caused by mismatches of this nature."

Generate a new certificate in metadata

SP
In /etc/shibboleth, run keygen.sh
Code:
keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-n filename prefix (default 'sp')]

It will generate sp-key.pem and sp-cert.pem in the output directory.

Then run metagen.sh under /etc/shibboleth.
Code:
metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]

Output as follows:
Code:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.shufangkeji.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp/Shibboleth.sso/SAML/POST" index="4"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

IdP

In /opt/shibboleth-opt/bin, run keygen.sh

Code:
./keygen.sh --hostname xxx --certfile filePath --keyfile filePath

It will generate key file and cert file.
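Putting the two SP steps of the post together, as an added example (this is not code from the original post, nor Shibboleth's own keygen.sh or metagen.sh): a self-signed key pair with the hostname and entityID in the SAN, a minimal SPSSODescriptor carrying the certificate, and then the check the quoted wiki text asks for, that the certificate published in the metadata is the one whose private key the SP actually holds. The hostname sp.example.org, the entityID, the output directory and the file names are assumptions; it assumes openssl, sed, tr and cmp are on PATH.

```sh
#!/bin/sh
# Added example, not code from the original post or from Shibboleth's own
# keygen.sh/metagen.sh. It does what those two scripts do (self-signed key pair
# with hostname and entityID in the SAN, then an SPSSODescriptor carrying the
# certificate) and adds the check the quoted wiki text asks for: that the
# certificate published in the metadata matches the key the SP actually holds.
# Assumptions: openssl, sed, tr and cmp are on PATH; the hostname, entityID
# and output directory below are hypothetical.
set -eu

OUTDIR="${OUTDIR:-$(mktemp -d)}"
HOST="${HOST:-sp.example.org}"                        # hypothetical SP hostname
ENTITY_ID="${ENTITY_ID:-https://$HOST/shibboleth}"    # hypothetical entityID

# Step 1 (what keygen.sh does): 2048-bit RSA key and a 10-year self-signed
# certificate. File names mirror keygen.sh's defaults (sp-key.pem, sp-cert.pem).
gen_keypair() {
    cat > "$OUTDIR/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $HOST
[ext]
subjectAltName = DNS:$HOST,URI:$ENTITY_ID
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$OUTDIR/openssl.cnf" \
        -keyout "$OUTDIR/sp-key.pem" -out "$OUTDIR/sp-cert.pem" 2>/dev/null
    chmod 600 "$OUTDIR/sp-key.pem"   # the SP's signing/decryption key stays private
}

# Step 2 (what metagen.sh does): wrap the certificate, minus its PEM armour,
# in a SAML 2.0 SPSSODescriptor. Only the HTTP-POST endpoint is listed here.
write_metadata() {
    cat > "$OUTDIR/sp-metadata.xml" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="$ENTITY_ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
$(sed -e '/^-----/d' "$OUTDIR/sp-cert.pem")
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$HOST/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# The "in sync" check: pull the base64 certificate out of the metadata (works
# whether the base64 shares a line with the tags, as metagen.sh emits it, or
# sits on its own lines), decode it, and compare its public key with the one
# derived from the private key on disk. Exit status 0 = match, 1 = mismatch.
metadata_matches_key() {
    meta="$1"; key="$2"
    sed -n '/<ds:X509Certificate>/,/<\/ds:X509Certificate>/p' "$meta" \
      | sed -e 's/.*<ds:X509Certificate>//' -e 's/<\/ds:X509Certificate>.*//' \
      | tr -d ' \t\r\n' \
      | openssl base64 -d -A \
      | openssl x509 -inform DER -noout -pubkey > "$OUTDIR/pub-from-metadata.pem"
    openssl pkey -in "$key" -pubout -out "$OUTDIR/pub-from-key.pem"
    cmp -s "$OUTDIR/pub-from-metadata.pem" "$OUTDIR/pub-from-key.pem"
}

run_demo() {
    gen_keypair
    write_metadata
    if ! metadata_matches_key "$OUTDIR/sp-metadata.xml" "$OUTDIR/sp-key.pem"; then
        echo "MISMATCH: metadata is out of sync with sp-key.pem" >&2; return 1
    fi
    echo "OK: $OUTDIR/sp-metadata.xml matches sp-key.pem"
    # The classic mismatch: keygen.sh re-run on the SP, metadata never republished.
    openssl genrsa -out "$OUTDIR/rotated-key.pem" 2048 2>/dev/null
    if metadata_matches_key "$OUTDIR/sp-metadata.xml" "$OUTDIR/rotated-key.pem"; then
        echo "BUG: stale metadata accepted" >&2; return 1
    fi
    echo "OK: stale metadata detected against rotated-key.pem"
}

run_demo
```

On a live SP the key to compare against is the one named by the `<CredentialResolver>` in shibboleth2.xml, and the metadata to compare is whatever the IdP or federation is actually consuming, not the copy on the SP's disk. The check as written assumes a single `<md:KeyDescriptor>`; during a key rollover, when the metadata legitimately carries two certificates, extract each one separately before comparing.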