Data migration from a previous Shibboleth IdP version

From WIKI IDEM GARR.

These instructions are useful when a new version of Shibboleth IdP has been installed and it has to be reconfigured to replace an Identity Provider that is already registered in the IDEM Federation.

Data involved in the migration:

  • entityID
  • the (self-signed) certificates included in the metadata (not to be confused with the web SSL certificates) and their private keys ==> the whole credentials/ directory
  • conf/attribute-resolver.xml
  • conf/attribute-filter.xml
  • conf/saml-nameid.properties
  • conf/ldap.properties
  • any configuration pointing at a database
  • the persistent-id database, if present
  • any configuration for special relying parties
  • any additional configuration in the conf/services.xml file

The list is not exhaustive and obviously depends on the individual installation.

Checking the configuration

Before touching DNS and making the IdP officially operational, we recommend a test phase carried out locally, by editing the /etc/hosts file on your own computer so that the IdP hostname resolves to the new machine.

This lets you run all the tests while the previous IdP is still in service, for example:

  • persistent-id/eduPersonTargetedID test: for the same user and the same SP, the value released by the production IdP and by the new IdP you are migrating to MUST be identical
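The persistent-id check above is the one that most often fails after a migration, because the value depends on the entityID, the salt in conf/saml-nameid.properties and the chosen source attribute. The following script is an added example (not part of the wiki page or of the Shibboleth distribution): it reads the salt from two constructed saml-nameid.properties snippets and derives the value the computed persistent-id strategy would release for one user at one SP, so you can see a mismatch before testing against a real SP. The property file contents, the SP entityID and the user identifier are made up for the example; the derivation (SHA-1 over relyingPartyId!sourceId!salt, Base64 encoded) follows the default computed strategy.

```python
import base64
import hashlib

# Constructed contents of conf/saml-nameid.properties on the old and on the new IdP.
# Sample values only, not taken from any real installation.
OLD_PROPERTIES = """\
# Persistent NameID settings that must be carried over from the old IdP
idp.persistentId.sourceAttribute = uid
idp.persistentId.salt = oldSaltValue1234567890
idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
"""

# Correct migration: the same properties copied to the new IdP.
NEW_PROPERTIES_OK = OLD_PROPERTIES

# Typical mistake: the new IdP keeps the salt generated at install time.
NEW_PROPERTIES_WRONG = OLD_PROPERTIES.replace(
    "oldSaltValue1234567890", "freshlyGeneratedSaltOnTheNewHost")

SP_ENTITY_ID = "https://sp.aai-test.garr.it/shibboleth"  # relying party (assumed value)
USER_SOURCE_ID = "mrossi"                                # source attribute value (constructed)


def read_property(properties_text, key):
    """Minimal reader for the key=value lines of a Java .properties file."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == key:
                return value.strip()
    return None


def computed_persistent_id(relying_party_id, source_id, salt):
    """Derive the persistent NameID the way the IdP's computed-id strategy does
    with its defaults: SHA-1 over "relyingPartyId!sourceId!salt", Base64 encoded."""
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def compare_installations(old_props, new_props, relying_party_id, source_id):
    """Return the value each installation would release for one user at one SP,
    whether the two match, and whether the source attribute was carried over.
    A mismatch means existing accounts on that SP would no longer be recognised."""
    old_id = computed_persistent_id(
        relying_party_id, source_id, read_property(old_props, "idp.persistentId.salt"))
    new_id = computed_persistent_id(
        relying_party_id, source_id, read_property(new_props, "idp.persistentId.salt"))
    same_source = (read_property(old_props, "idp.persistentId.sourceAttribute")
                   == read_property(new_props, "idp.persistentId.sourceAttribute"))
    return {"old": old_id, "new": new_id,
            "identical": old_id == new_id, "same_source_attribute": same_source}


if __name__ == "__main__":
    for label, new_props in (("same salt", NEW_PROPERTIES_OK),
                             ("different salt", NEW_PROPERTIES_WRONG)):
        result = compare_installations(OLD_PROPERTIES, new_props, SP_ENTITY_ID, USER_SOURCE_ID)
        print(f"{label}: old={result['old']} new={result['new']} "
              f"identical={result['identical']}")
```

If the old IdP used the stored (database) generator instead of the computed one, the value to compare against is whatever is in the persistent-id database, which is why that database is in the migration list above. The script is a pre-flight check only: the final confirmation is still a login to a test SP against both IdPs with the /etc/hosts override.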


Backchannel: yes or no?

The Shibboleth IdP documentation says:

Back-Channel Support (v5.x)

Historically, Shibboleth IdP deployments operated with a second HTTP connector for SOAP requests from Service Providers. This connector by convention usually listened on port 8443. The separate port was used primarily because the connector generally relied on client certificate authentication at the TLS layer to authenticate requests from SPs. It's possible to host these SOAP services on the same port as the rest of the IdP's services and this is STRONGLY RECOMMENDED nowadays, but this topic focuses on the "why" aspect.

Back-Channel Use Cases (v5.x)

Most newer SAML-only deployments do not need to support the back channel (at all, port notwithstanding). While there are a range of features that rely on the back channel, and probably more in the future, basic use of the IdP for SAML-based SSO does not require it. That said, the following features require a back channel, along with a brief explanation of why you might need them:

- Attribute Query (Most deployments do not need support for SAML 2.0 attribute queries, though they are also supported.)

- SAML Artifacts

- Back-Channel Logout

- Other Protocols


If none of the features listed above is used by your IdP with any SP federated in IDEM and/or eduGAIN, then the "backchannel" certificate can be removed from the metadata and no longer used. This makes your own metadata lighter and, consequently, the IDEM Federation metadata too.


A Shibboleth IdP v5 without the backchannel will have at most 2 certificates in its metadata:

- 1 for "signing"

- 1 for "encryption"


Here is an example of "lightened" Shibboleth IdP v5 metadata that allows Login and Logout to federated resources (tested with https://sp.aai-test.garr.it). Note that the SOAP SingleLogoutService endpoint is kept, but on the standard HTTPS port rather than on a separate 8443 connector, in line with the recommendation quoted above:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="https://shib-idp-dev.aai-test.garr.it/idp/shibboleth"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <md:Extensions>
            <shibmd:Scope regexp="false">shib-idp-dev.aai-test.garr.it</shibmd:Scope>
            <mdui:UIInfo>
                <mdui:DisplayName xml:lang="en">Shibboleth IdP DEV</mdui:DisplayName>
                <mdui:Description xml:lang="en">Identity Provider of Shibboleth IdP DEV</mdui:Description>
            </mdui:UIInfo>
        </md:Extensions>

        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>

MIIEYDCCAsigAwIBAgIUSPNIx0f4CwsTO0e5tLCgkIaBRy0wDQYJKoZIhvcNAQEL
BQAwKDEmMCQGA1UEAwwdc2hpYi1pZHAtZGV2LmFhaS10ZXN0LmdhcnIuaXQwHhcN
MjQwOTI3MTM1OTQ4WhcNNDQwOTI3MTM1OTQ4WjAoMSYwJAYDVQQDDB1zaGliLWlk
cC1kZXYuYWFpLXRlc3QuZ2Fyci5pdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCC
AYoCggGBALRVv6jWiz5i5fdJQKl6M0RPMK9vcAwoat11Zw0OfZutKlcPi3/A1vaH
EWk8TaMQuMg+khqzY86xxk+yHJ5zMn3Ioim5C2yEotFnIGBx1CZSQU80i4ucObu2
X4nchTafMcvGUpYIOo1TVdUMyJpkuSSWIfTDZqQGcMiiqMsR0khCvD1QW/kXdu1o
EyBKWWvbRfyvM5mRpf3/qW1Zd8MJk9RebWQDllNzYzqeUhlKcaDP2zLCMCx1mqgD
1H3qOCdH+psjajzeOQMgGWxS9dby+MohVaFb91CKkU4jwq3Re3rrW+Igr7cGQxTk
1DdQfl37OVcFkm1G9tNZIQgf4WXGzm43xW5DnP9rKAochaRdLTfU4UfPAA9sKmsR
sMy1II/t7eKGfpunCSwRBVy/wKYc9n4bY57l6q5AONfRcffHFGGS5UnOpJzewEX9
C+7LcX75lXWy+DPgudGVN5w/XDqZQKTYRTA6oPaYDewXUsnFbhT85LbrE5MkpIaL
bRu2D//8JQIDAQABo4GBMH8wHQYDVR0OBBYEFHMsrTw6RRQ9+kNZqvG4Ff3I1Gdm
MF4GA1UdEQRXMFWCHXNoaWItaWRwLWRldi5hYWktdGVzdC5nYXJyLml0hjRodHRw
czovL3NoaWItaWRwLWRldi5hYWktdGVzdC5nYXJyLml0L2lkcC9zaGliYm9sZXRo
MA0GCSqGSIb3DQEBCwUAA4IBgQAteNXCfN+/uSr6yrJd7zVM031l/B+L9lVGmjvw
gbgf1OOMbG9O0Vdma3oFEEufVXih9kCo+i6OgSFJvom9V4EsmmmYaBEuNGEUPYAn
PahEK/o0CS7JwHgI83ARbECsol1pd31BaLRq1fdL9UhZzFO82oG4QW0zfUhhITLq
d41Eqa2C0o4S8ktPbf9YL6cytoe40bAcMLIFVfh08j+WY9eOhGEaCxN1RWL+6nEA
6qAPBlUvX6lxFO1UdfWSewf4fftGbRogHwpO3hhW+AZnko8mNNzHXqK6FNK33J2v
BSCetmXPzhuwwqCIuVUqM26+7fg5epkZ2j+dvYUMN3eD1B8GGtfjjKLH07Ka2aXO
8VdUBsKcT1RCVjh9TGxLLip7FATMfXm4Pa32+phtxh232OViLu76yKgtXt0yGcXT
jZd+BfpHaYuMaaydqFi4pCNbmpcSUhgzLtBkg2pBRtu1k0SP9V2Or/5YNps6bzNY
LK4a9cT2ScoVGhx2MNaeTPbvCII=

                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>

        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>

MIIEYDCCAsigAwIBAgIUANIVut9uokKei3EDbaB036qoCsMwDQYJKoZIhvcNAQEL
BQAwKDEmMCQGA1UEAwwdc2hpYi1pZHAtZGV2LmFhaS10ZXN0LmdhcnIuaXQwHhcN
MjQwOTI3MTM1OTQ5WhcNNDQwOTI3MTM1OTQ5WjAoMSYwJAYDVQQDDB1zaGliLWlk
cC1kZXYuYWFpLXRlc3QuZ2Fyci5pdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCC
AYoCggGBAK1e34xClv4hndPlOXEJ0HWEYAonjKaZbbkYzTHz1GZ3OGquZkf03FxR
L+DIIcytPUK4ObsPyWnP6ZHKuWV5UZRYatEn3dqALNH5G8/kb/Ee/qqb3HMPtLOx
63Q0IpQkoyW0SaYMUuYtIHbLEJ4z8aNThJO5IVZxV/pczx8UspsxQMSbB0ATUy6D
XLnariaYG8h3NnrPh8fQNowTu75fyD8grxGEQa4C4WkY1HC3Y8nsNhqS8EciGCli
J5YpEDWFyRnmp6S7OtTAm0IuwyoVeHehV73dfWsQNUxqO863yXvmT37r7hVk2bGa
MOP6XXjZvcIje2B0N9u47pRHyqy5/G7PiLrjY4pNIMKRDC6ySTfcF1b0u7UnfBMq
TKwi0wq552TuV5ovbFIyRuBlG7Ah2PiG+ZeU3CgMmt6SKbA8Vp55PxtU1xL7SYWs
s4JlgjJkZ4Wccp1o382lzCuEM2v2V1AUxco75pB8RDyOZzAZuJ6uhvSni7W+u+x9
Ezj6PI5SEwIDAQABo4GBMH8wHQYDVR0OBBYEFM3ROTbE6Z8gBWIeH4rD+DjuhTol
MF4GA1UdEQRXMFWCHXNoaWItaWRwLWRldi5hYWktdGVzdC5nYXJyLml0hjRodHRw
czovL3NoaWItaWRwLWRldi5hYWktdGVzdC5nYXJyLml0L2lkcC9zaGliYm9sZXRo
MA0GCSqGSIb3DQEBCwUAA4IBgQAmiLbNRNx86JT3NX5XAkeVhx80wCZoo7snNG1A
LH2QUdOYO/Uz5nYxnCmoupEnE4JLFVsU9zxmmIgCZrrYVrrO2f56RRNUV6SyYEFn
5NXOG2Jwsm42pWIPIakIKBcfMNTRsCkCkiRd6oBS/Iuz7I97zZDdRExy2Cbzkn6O
cWhnpybfxXkuYaTuCnouDQsKTDvY+1Sjx23IjAwmhLM+ElS7iB4XZel4Tp9M04J1
rqOBLn6dIDK4arm8Fv6tbHStrqXmsIdfQWRmZXmkephZ+k+l/Ord2kHdIPOJKyvp
YrbZCwvClXn2oNY5CYNgyyt26EDR4Gw9UVdXcEs1kMrz6SDmcHAS6Beoc8/gOruj
W1m0bTevdxjBQ6FspTdNVf+BsBOOuAZFrgSoRzfztpZKhyusjmW3+zh74gORbBqs
V9YFIL0nMF2/hp6HRFk1ELA07ST2Z7kL855jJcw7WBJYzRLh2Iq9ofPNbPr8l8TD
+3X98eogyN/6P/LmjhswuNarPx0=

                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>

        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/SOAP/SLO"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/Redirect/SLO"/>

        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/POST/SSO"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shib-idp-dev.aai-test.garr.it/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization>
        <md:OrganizationName xml:lang="en">Shibboleth IdP DEV</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">Shibboleth IdP DEV</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://www.garr.it/en</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
        <md:EmailAddress>mailto:marco.malavolti@garr.it</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>