Data migration from a previous Shibboleth IdP version
These instructions apply when a new version of Shibboleth IdP has been installed and must be reconfigured to replace an Identity Provider that is already registered in the IDEM Federation.
Data involved in the migration:
- entityID
- the (self-signed) certificates included in the metadata (not to be confused with the SSL certificates for the web server) and their private keys ==> the whole credentials/ directory
- conf/attribute-resolver.xml
- conf/attribute-filter.xml
- conf/saml-nameid.properties
- conf/ldap.properties
- any configuration pointing to a database
- the persistent-id database, if present
- any special relying-party configurations
- any additional configuration in the file conf/services.xml
The list is not exhaustive and clearly depends on the individual installation.
Checking the configuration
Before acting at the DNS level and making the IdP officially operational, we recommend a test phase carried out locally, editing the /etc/hosts file on your own computer.
This lets you run all the tests while the previous IdP is still operational, for example:
- persistent-id/eduPersonTargetedID test: the value released by the production IdP and the value released by the new IdP being migrated to MUST be identical
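The persistent-id test above fails in practice when the salt in conf/saml-nameid.properties is not carried over, because the identifier is derived from it. The following Python example, added here and not part of the original page or of the Shibboleth project, reproduces the ComputedId derivation implemented by Shibboleth's persistent NameID generator (SHA-1 over relyingPartyId!sourceId!salt, Base64-encoded, which are the default algorithm and encoding) and shows that the same user at the same SP gets the same identifier only when the old salt is reused. The SP entityID, the source attribute value and both salts are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values, not taken from the page. In a Shibboleth IdP the salt
# and the source attribute are set in conf/saml-nameid.properties
# (idp.persistentId.salt, idp.persistentId.sourceAttribute).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"   # the relying party
SOURCE_ID = "jdoe"                                    # value of the source attribute (e.g. uid)
OLD_SALT = "constructed-salt-copied-from-old-idp"
FRESH_SALT = "constructed-salt-generated-by-a-new-install"


def computed_persistent_id(relying_party_id: str, source_id: str, salt: str) -> str:
    """ComputedId derivation used by the Shibboleth persistent NameID generator:
    Base64( SHA-1( relyingPartyId + "!" + sourceId + "!" + salt ) ).
    Assumes the default algorithm (SHA) and the default Base64 encoding."""
    material = f"{relying_party_id}!{source_id}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def same_identifier_after_migration(old_salt: str, new_salt: str,
                                    relying_party_id: str = SP_ENTITY_ID,
                                    source_id: str = SOURCE_ID) -> bool:
    """True only if the migrated IdP would release exactly the value the old IdP released
    for this user at this SP, which is what the local /etc/hosts test must confirm."""
    return (computed_persistent_id(relying_party_id, source_id, old_salt)
            == computed_persistent_id(relying_party_id, source_id, new_salt))


if __name__ == "__main__":
    print("salt copied over :", same_identifier_after_migration(OLD_SALT, OLD_SALT))
    print("salt regenerated :", same_identifier_after_migration(OLD_SALT, FRESH_SALT))
```

A mismatch here means every SP that keys its accounts on eduPersonTargetedID or the persistent NameID would see all users as new people after the switch; the fix is to copy saml-nameid.properties (and the persistent-id database, if one is used instead of the computed form) rather than to accept a fresh salt.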
Back channel: yes or no?
In the Shibboleth IdP documentation we find:
- https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199500736/SecurityAndNetworking
- https://shibboleth.atlassian.net/wiki/spaces/IDP30/pages/2495381844/SecurityAndNetworking (included to show that the same already applied from v3)
Back-Channel Support (v5.x)
Historically, Shibboleth IdP deployments operated with a second HTTP connector for SOAP requests from Service Providers. This connector by convention usually listened on port 8443. The separate port was used primarily because the connector generally relied on client certificate authentication at the TLS layer to authenticate requests from SPs. It's possible to host these SOAP services on the same port as the rest of the IdP's services and this is STRONGLY RECOMMENDED nowadays, but this topic focuses on the "why" aspect.
Back-Channel Use Cases (v5.x)
Most newer SAML-only deployments do not need to support the back channel (at all, port notwithstanding). While there are a range of features that rely on the back channel, and probably more in the future, basic use of the IdP for SAML-based SSO does not require it. That said, the following features require a back channel, along with a brief explanation of why you might need them:
- Attribute Query (Most deployments do not need support for SAML 2.0 attribute queries, though they are also supported.)
- SAML Artifacts
- Back-Channel Logout
- Other Protocols
If none of the features listed above is used by your IdP towards any SP federated in IDEM and/or eduGAIN, the "backchannel" certificate can be removed from the metadata and retired. This lightens your own metadata and, as a consequence, that of the IDEM Federation.
Without the backchannel, Shibboleth IdP v5 will have at most 2 certificates in its metadata:
- 1 for "signing"
- 1 for "encryption"
Here is an example of 'lightened' Shibboleth IdP v5 metadata that supports Login and Logout towards federated resources (tested with https://sp.aai-test.garr.it):
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://shib-idp-dev.aai-test.garr.it/idp/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">shib-idp-dev.aai-test.garr.it</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Shibboleth IdP DEV</mdui:DisplayName>
        <mdui:Description xml:lang="en">Identity Provider of Shibboleth IdP DEV</mdui:Description>
      </mdui:UIInfo>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[base64 signing certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[base64 encryption certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/SOAP/SLO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/Redirect/SLO"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Shibboleth IdP DEV</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Shibboleth IdP DEV</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.garr.it/en</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:marco.malavolti@garr.it</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
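Two of the checks this page asks for can be automated from the metadata alone: that the new IdP still presents the entityID, Scope and key material the Federation already has registered (the migration list at the top of the page), and that the 'lightened' metadata really publishes only the signing and encryption certificates with no SOAP endpoint left on a separate back-channel port (the back channel section). The following Python example is added here and is not part of the original page or of the Shibboleth project. The two metadata documents, the entityID idp.example.org and the certificate bodies are constructed stand-ins; certificates are compared by SHA-256 fingerprint over the base64-decoded bytes, which is what `openssl x509 -fingerprint -sha256` reports for a real certificate, so no X.509 parser is needed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed stand-ins for certificate bodies; real metadata carries base64 DER.
SIGNING_CERT = base64.b64encode(b"constructed signing cert").decode()
ENCRYPTION_CERT = base64.b64encode(b"constructed encryption cert").decode()
BACKCHANNEL_CERT = base64.b64encode(b"constructed back-channel cert").decode()


def _key_descriptor(use: str, cert: str) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{cert}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def _metadata(key_descriptors: str, endpoints: str) -> str:
    # Minimal EntityDescriptor shaped like the page's example (constructed entityID).
    return (
        '<md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth" '
        f'xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" xmlns:shibmd="{NS["shibmd"]}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>'
        f"{key_descriptors}{endpoints}"
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Old IdP: the classic three keys (the second "signing" key is the back-channel
# certificate) plus an artifact-resolution endpoint on the 8443 connector.
OLD_METADATA = _metadata(
    _key_descriptor("signing", SIGNING_CERT)
    + _key_descriptor("signing", BACKCHANNEL_CERT)
    + _key_descriptor("encryption", ENCRYPTION_CERT),
    f'<md:ArtifactResolutionService Binding="{SOAP}" index="1" '
    'Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>',
)
# New IdP: same signing and encryption keys; SOAP SLO kept, but on the main port.
NEW_METADATA = _metadata(
    _key_descriptor("signing", SIGNING_CERT)
    + _key_descriptor("encryption", ENCRYPTION_CERT),
    f'<md:SingleLogoutService Binding="{SOAP}" '
    'Location="https://idp.example.org/idp/profile/SAML2/SOAP/SLO"/>',
)


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, as `openssl x509 -fingerprint -sha256` prints it."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def summarize(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    keys = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        keys.add((kd.get("use", "any"), fingerprint(cert)))
    soap_endpoints = [(ep.tag.split("}")[1], ep.get("Location"))
                      for ep in idp if ep.get("Binding") == SOAP]
    return {
        "entityID": root.get("entityID"),
        "scope": root.findtext(".//shibmd:Scope", namespaces=NS),
        "keys": keys,
        "soap_endpoints": soap_endpoints,
    }


def check_migration(old_xml: str, new_xml: str) -> dict:
    old, new = summarize(old_xml), summarize(new_xml)
    return {
        "entityID_unchanged": old["entityID"] == new["entityID"],
        "scope_unchanged": old["scope"] == new["scope"],
        # Every key the new IdP publishes must already be in the Federation's copy.
        "keys_reused": new["keys"] <= old["keys"],
        "keys_dropped": sorted(old["keys"] - new["keys"]),
        "soap_endpoints_removed": [e for e in old["soap_endpoints"]
                                   if e not in new["soap_endpoints"]],
        # SOAP endpoints still published on a port other than the main HTTPS one.
        "separate_port_endpoints": [e for e in new["soap_endpoints"]
                                    if urlsplit(e[1]).port not in (None, 443)],
    }


if __name__ == "__main__":
    for name, value in check_migration(OLD_METADATA, NEW_METADATA).items():
        print(f"{name}: {value}")
```

Run against the real files (the copy registered in the Federation and the new IdP's /idp/shibboleth output), a `keys_reused` of False means the new installation generated fresh keys in credentials/ instead of reusing the old directory, and SPs will refuse its signatures until the Federation metadata is updated; a non-empty `separate_port_endpoints` means a back-channel connector is still being advertised even though the certificate for it may have been dropped.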