Is shibboleth in windows the same as shibboleth in linux?
Shibboleth installation

Shibboleth consists of several independent components: the Identity Provider (IdP), the Service Provider (SP) and the Discovery Service (DS). Depending on your needs you deploy one or more of them. Before you begin, note the following:

1. Before installing, read and understand Shibboleth's documentation and the introduction to its workflow.

2. If you run into problems during installation, work through the following points:

1) Re-read the installation and configuration documentation.

2) Check the troubleshooting guide.

3) Search the users mailing list archive to see whether others have hit the same problem and whether there is a solution.

4) Ask for help on the users mailing list.

3. After installation, subscribe to the Shibboleth announcements list, which carries new release notices, upgrade instructions and security advisories.

First, prepare the installation environment.

Domain names required for the installation environment:

1. sp.machine is the domain name of the SP, for example exm1.sea.sp.com.

2. idp.machine is the domain name of the IdP, for example exm2.sea.idp.com.

The SP and IdP domain names I prepared locally are exm1.sea.sp.com and exm2.sea.idp.com. Before use, map both names in the Windows hosts file at C:\Windows\System32\drivers\etc\hosts as follows:

127.0.0.1 localhost

127.0.0.1 exm1.sea.sp.com

127.0.0.1 exm2.sea.idp.com

Prepare the required hardware (the SP and IdP can be installed on different computers or different virtual machines, or on the same computer).

1) Ports 80 and 443 must be free (make sure no other program is using them) and must be allowed through the firewall.

2) RedHat is the easiest environment; I use Windows here, and the installation process is essentially the same.

3) Make sure the system clock is correct (SAML messages carry validity windows, so clock skew between SP and IdP causes failures).

Second, install IDP.

1. Download and install JDK 1.5+, Tomcat 6.0.17+ and Apache 2.2+, and make sure the JAVA_HOME environment variable is set correctly. I use JDK 1.6, Tomcat 6.0.29 and Apache 2.2 here.

Note: it must be downloaded from

2) Run

openssl req -new -out my-server.csr

(my-server is a name I chose; wherever my-server appears in the following steps it is that same name. This step asks a series of questions, including a passphrase, which you must remember because it is needed later. When it finishes, my-server.csr and privkey.pem are created in the bin folder.)

3) Run

openssl rsa -in privkey.pem -out my-server.key

(Enter the passphrase set in step 2 when prompted; this writes the key without passphrase protection.)

4) Run

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 4000

This creates a self-signed certificate that expires in 4000 days.

5) Run

openssl x509 -in my-server.cert -out my-server.der.crt -outform DER

6) After running all these commands, six files will have been generated in the bin folder:


privkey.pem

my-server.der.crt

my-server.csr

my-server.key

my-server.cert

(Move these files to Apache's conf/ssl directory; create it if it does not exist, or use another directory. What matters is that you remember where the files are, because their paths are needed in the settings below.)
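The certificate steps above, scripted non-interactively with the same file names, followed by the checks I would run before pointing Apache at the files (key and certificate belong together, the subject names the right host, the DER copy parses, the lifetime is what was asked for). This is an added example, not code from the original post; the host name exm2.sea.idp.com, the 2048-bit key size and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the CSR / key / self-signed cert
# / DER steps above, run non-interactively with the same file names, then the
# checks to run before pointing Apache at the files. Host name, key size and
# passphrase below are assumptions.
set -eu

# $1 = output directory, $2 = server host name, $3 = passphrase (constructed).
make_selfsigned_cert() {
  dir=$1; host=$2; pass=${3:-changeit}
  mkdir -p "$dir"
  # step 2: CSR plus passphrase-protected key, written as privkey.pem
  openssl req -new -newkey rsa:2048 -keyout "$dir/privkey.pem" \
    -out "$dir/my-server.csr" -subj "/CN=$host" -passout "pass:$pass" 2>/dev/null
  # step 3: strip the passphrase so Apache can start unattended
  openssl rsa -in "$dir/privkey.pem" -passin "pass:$pass" \
    -out "$dir/my-server.key" 2>/dev/null
  # step 4: self-sign the request; 4000 days as in the post
  openssl x509 -req -in "$dir/my-server.csr" -signkey "$dir/my-server.key" \
    -days 4000 -out "$dir/my-server.cert" 2>/dev/null
  # step 5: DER copy of the same certificate
  openssl x509 -in "$dir/my-server.cert" -outform DER -out "$dir/my-server.der.crt"
}

# Return 0 only if the cert and key share a modulus (they belong together),
# the cert names the expected host, the DER copy parses to the same subject,
# and the cert stays valid for at least 3990 more days.
verify_cert_bundle() {
  dir=$1; host=$2
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/my-server.cert")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/my-server.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || return 1
  openssl x509 -noout -subject -in "$dir/my-server.cert" \
    | grep -q "CN *= *$host" || return 1
  openssl x509 -inform DER -noout -subject -in "$dir/my-server.der.crt" \
    | grep -q "CN *= *$host" || return 1
  openssl x509 -noout -checkend $((3990 * 86400)) -in "$dir/my-server.cert" >/dev/null
}
```

Run as `make_selfsigned_cert ./ssl exm2.sea.idp.com && verify_cert_bundle ./ssl exm2.sea.idp.com`; a non-zero exit means the files should not be handed to Apache yet.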

Set Apache to support SSL

Note: this setup procedure applies to Apache 2.2.x. If you are using Apache 2.0.x, adapt the corresponding settings for that version.

Open /shibboleth with a text editor in Apache's conf directory)

2) Change the entityID attribute of the node element to the IdP's entity ID, which ends in /idp/shibboleth.

3) Uncomment the example remote-metadata node (this is how the SP learns about your IdP) and change its uri attribute to the IdP's metadata URL, which ends in /idp/profile/Metadata/SAML.

4) Comment out or delete the MetadataFilter node of type Signature, because this metadata is unsigned. Without that filter the SP accepts whatever metadata it fetches from that URL, which is acceptable only for a local test setup like this one.

For example:

backingFilePath="federation-metadata.xml" reloadInterval="7200">

(If the filter is not commented out or deleted, the SP reports the error: the metadata for the identity provider cannot be located. I don't know why, but it has to be fixed.)

The IdP configuration files are located in the IDP_HOME/conf directory:

IdP: relying-party.xml:

1) Uncomment the MetadataProvider node element that reads metadata from a URL and change its metadataURL attribute to http://sp.machine/Shibboleth.sso/Metadata. For more advanced deployments you will need to edit the metadata by hand to match.

2) Comment out the MetadataFilter node element contained in that MetadataProvider element. This metadata is unsigned, so the filter would cause metadata loading to fail.

The changed example is: