Konfigurationerna under denna sida fungerar endast för Shibboleth 2 eller senare. För simpleSAMLphp och ADFS2 kan konfigurationsexemplen endast användas som inspiration. |
Konfiguration för shibboleth 2.x Identity Provider för SWAMID SAML WebSSO.
relying-party.xml
Stoppa in följande 2 block XML på relevant plats i relying-party.xml. Spara certifikatet från SAML Metadata and Trust i filen
/opt/shibboleth-idp/credentials/md-signer.crt
|
C:/Program Files (x86)/Shibboleth/IdP/metadata/md-signer.crt
|
Definera att det nedladdade certifikatet ska användas för kontroll av signatur av Swamids metadata:
<!-- SWAMID-METADATA-Trustengine and SWAMID-TESTING-METADATA-Trustengine -->
<security:TrustEngine id="swamid-metadata-signer" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/md-signer.crt</security:Certificate>
</security:Credential>
</security:TrustEngine>
|
<!-- SWAMID-METADATA-Trustengine and SWAMID-TESTING-METADATA-Trustengine -->
<security:TrustEngine id="swamid-metadata-signer" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>C:/Program Files (x86)/Internet2/Shib2Idp/metadata/md-signer.crt</security:Certificate>
</security:Credential>
</security:TrustEngine>
|
Hämta metadata för SWAMID 2.0 med följande konfiguration:
<!-- SWAMID 2.0 METADATA PROVIDER -->
<MetadataProvider id="Swamid2MD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-2.0.xml"
backingFile="/opt/shibboleth-idp/metadata/swamid-2.0.xml">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
</MetadataFilter>
</MetadataProvider>
|
<!-- SWAMID 2.0 METADATA PROVIDER -->
<MetadataProvider id="Swamid2MD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-2.0.xml"
backingFile="C:/Program Files (x86)/Internet2/Shib2Idp/metadata/swamid-2.0.xml">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
</MetadataFilter>
</MetadataProvider>
|
Ni behöver även hämta metadata för SWAMIDs testfederation för att tillåta realistiska tester för ej driftsatta tjänsteleverantörer (SP):
<!-- SWAMID TEST METADATA PROVIDER -->
<MetadataProvider id="SwamidTestMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-testing-1.0.xml"
backingFile="/opt/shibboleth-idp/metadata/swamid-testing-1.0.xml">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
</MetadataFilter>
</MetadataProvider>
|
<!-- SWAMID TEST METADATA PROVIDER -->
<MetadataProvider id="SwamidTestMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-testing-1.0.xml"
backingFile="C:/Program Files (x86)/Internet2/Shib2Idp/metadata/swamid-testing-1.0.xml">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
</MetadataFilter>
</MetadataProvider>
|