Shibboleth

Shibboleth 2 User Guide

Installation

Ubuntu 16/18 LTS

apt install shibboleth-sp2-utils

macOS

# Install Shibboleth on macOS
$ brew install shibboleth-sp
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> Installing dependencies for shibboleth-sp: icu4c, boost, log4shib, xerces-c, xml-security-c, xml-tooling-c, opensaml, libtool and unixodbc
==> Installing shibboleth-sp dependency: icu4c
==> Downloading https://homebrew.bintray.com/bottles/icu4c-63.1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring icu4c-63.1.sierra.bottle.tar.gz
==> Caveats
icu4c is keg-only, which means it was not symlinked into /usr/local,
because macOS provides libicucore.dylib (but nothing else).

If you need to have icu4c first in your PATH run:
  echo 'export PATH="/usr/local/opt/icu4c/bin:$PATH"' >> ~/.bash_profile
  echo 'export PATH="/usr/local/opt/icu4c/sbin:$PATH"' >> ~/.bash_profile

For compilers to find icu4c you may need to set:
  export LDFLAGS="-L/usr/local/opt/icu4c/lib"
  export CPPFLAGS="-I/usr/local/opt/icu4c/include"

For pkg-config to find icu4c you may need to set:
  export PKG_CONFIG_PATH="/usr/local/opt/icu4c/lib/pkgconfig"

==> Summary
🍺  /usr/local/Cellar/icu4c/63.1: 254 files, 68.3MB
==> Installing shibboleth-sp dependency: boost
==> Downloading https://homebrew.bintray.com/bottles/boost-1.68.0_1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring boost-1.68.0_1.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/boost/1.68.0_1: 13,712 files, 460.0MB
==> Installing shibboleth-sp dependency: log4shib
==> Downloading https://homebrew.bintray.com/bottles/log4shib-1.0.9.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring log4shib-1.0.9.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/log4shib/1.0.9: 53 files, 852.2KB
==> Installing shibboleth-sp dependency: xerces-c
==> Downloading https://homebrew.bintray.com/bottles/xerces-c-3.2.2.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring xerces-c-3.2.2.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/xerces-c/3.2.2: 1,686 files, 30MB
==> Installing shibboleth-sp dependency: xml-security-c
==> Downloading https://homebrew.bintray.com/bottles/xml-security-c-2.0.2.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring xml-security-c-2.0.2.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/xml-security-c/2.0.2: 166 files, 3.9MB
==> Installing shibboleth-sp dependency: xml-tooling-c
==> Downloading https://homebrew.bintray.com/bottles/xml-tooling-c-3.0.2_4.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring xml-tooling-c-3.0.2_4.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/xml-tooling-c/3.0.2_4: 548 files, 6.8MB
==> Installing shibboleth-sp dependency: opensaml
==> Downloading https://homebrew.bintray.com/bottles/opensaml-3.0.0.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring opensaml-3.0.0.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/opensaml/3.0.0: 105 files, 7MB
==> Installing shibboleth-sp dependency: libtool
==> Downloading https://homebrew.bintray.com/bottles/libtool-2.4.6_1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring libtool-2.4.6_1.sierra.bottle.tar.gz
==> Caveats
In order to prevent conflicts with Apple's own libtool we have prepended a "g"
so, you have instead: glibtool and glibtoolize.
==> Summary
🍺  /usr/local/Cellar/libtool/2.4.6_1: 70 files, 3.7MB
==> Installing shibboleth-sp dependency: unixodbc
==> Downloading https://homebrew.bintray.com/bottles/unixodbc-2.3.7.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring unixodbc-2.3.7.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/unixodbc/2.3.7: 46 files, 1.8MB
==> Installing shibboleth-sp
==> Downloading https://homebrew.bintray.com/bottles/shibboleth-sp-3.0.2_4.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring shibboleth-sp-3.0.2_4.sierra.bottle.tar.gz
==> Caveats
You must manually edit httpd.conf to include
LoadModule mod_shib /usr/local/opt/shibboleth-sp/lib/shibboleth/mod_shib_24.so
You must also manually configure
  /usr/local/etc/shibboleth/shibboleth2.xml
as per your own requirements. For more information please see
  https://wiki.shibboleth.net/confluence/display/EDS10/3.1+Configuring+the+Service+Provider

To have launchd start shibboleth-sp now and restart at startup:
  sudo brew services start shibboleth-sp
Or, if you don't want/need a background service you can just run:
  shibd
==> Summary
🍺  /usr/local/Cellar/shibboleth-sp/3.0.2_4: 160 files, 4.9MB

# shibd socket file path
/usr/local/var/run/shibboleth/shibd.sock

# log file paths
/usr/local/var/log/shibboleth
/usr/local/var/log/shibboleth-www

Common configuration

Running the authorizer and responder under FastCGI

(For web servers without a native Shibboleth module, such as nginx; Apache loads mod_shib instead.)

# Ubuntu 16.04
# Install the FastCGI programs (shibauthorizer/shibresponder) and a process manager.
# The package is shibboleth-sp2-utils on 16.04/18.04 (shibboleth-sp-utils on releases that ship SP 3).
sudo apt-get install shibboleth-sp2-utils supervisor
# Have Supervisor manage the Shibboleth FastCGI programs, listening on ports 60001/60002.
# Bind them to loopback only: the web server on this host is the only client that should
# ever reach them, and a listener on 0.0.0.0 lets any remote host speak FastCGI to the SP
# directly, bypassing the web server.
# vim /etc/supervisor/conf.d/shib.conf
[fcgi-program:shibauthorizer]
command=/usr/lib/x86_64-linux-gnu/shibboleth/shibauthorizer
# Alternative: a Unix socket. The web server user must then be able to open it,
# e.g. by adding it to the _shibd group with socket_mode=0660.
#socket=unix:///var/run/shibboleth/shibauthorizer.sock
#socket_owner=_shibd:_shibd
#socket_mode=0660
socket=tcp://127.0.0.1:60001
user=_shibd
stdout_logfile=/var/log/supervisor/shibauthorizer.log
stderr_logfile=/var/log/supervisor/shibauthorizer.error.log

[fcgi-program:shibresponder]
command=/usr/lib/x86_64-linux-gnu/shibboleth/shibresponder
#socket=unix:///var/run/shibboleth/shibresponder.sock
#socket_owner=_shibd:_shibd
#socket_mode=0660
socket=tcp://127.0.0.1:60002
user=_shibd
stdout_logfile=/var/log/supervisor/shibresponder.log
stderr_logfile=/var/log/supervisor/shibresponder.error.log
# Restart supervisor and confirm both programs report RUNNING
service supervisor restart
supervisorctl status

# Confirm the Shibboleth FastCGI programs are listening, and check the bind address shown
netstat -ltn | grep ':6000'

# Check the Shibboleth FastCGI logs
tail -f /var/log/supervisor/shibauthorizer.log
tail -f /var/log/supervisor/shibresponder.log
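
As an added example (not part of the original page or of the Shibboleth project), the following POSIX shell check goes one step further than the netstat grep above: it parses `ss -ltn` output and flags any listener on the authorizer/responder ports that is bound to anything other than a loopback address. It assumes the ports 60001/60002 from the supervisor config above and, in live mode, that `ss` from iproute2 is installed; the sample input in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not the page's or the project's own code.
# Verify that the shibauthorizer and shibresponder FastCGI listeners are reachable
# from this host only. The web server talks to them over loopback, so any other bind
# address (0.0.0.0, [::], *, or a real interface address) lets remote hosts speak
# FastCGI to the SP directly, bypassing the web server entirely.
#
# Assumptions: ports 60001/60002 as in the supervisor config above. Input is the
# output of `ss -ltn` (State Recv-Q Send-Q Local:Port Peer:Port ...); the header
# line and any non-LISTEN line are skipped.

SHIB_FCGI_PORTS="60001 60002"

# is_loopback ADDR: succeeds if ADDR is an IPv4/IPv6 loopback address as ss prints it.
is_loopback() {
    case "$1" in
        127.*|'[::1]'|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_fcgi_binds: read `ss -ltn` lines on stdin; print one line per listener on a
# Shibboleth FastCGI port that is not bound to loopback. Returns 1 if any were found.
check_fcgi_binds() {
    bad=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}    # text after the last ':' is the port
        addr=${laddr%:*}     # everything before it is the address ([::] stays bracketed)
        for p in $SHIB_FCGI_PORTS; do
            [ "$port" = "$p" ] || continue
            if ! is_loopback "$addr"; then
                printf 'port %s bound to %s (not loopback)\n' "$port" "$addr"
                bad=1
            fi
        done
    done
    return $bad
}

# Live run against this host: sh check_shib_fcgi.sh --live
if [ "${1:-}" = "--live" ]; then
    if ss -ltn | check_fcgi_binds; then
        echo "all Shibboleth FastCGI listeners are loopback-only"
    else
        exit 1
    fi
fi
```

Run it as `sh check_shib_fcgi.sh --live` after `service supervisor restart`; a non-zero exit means at least one of the two programs is reachable from the network and the `socket=` line in shib.conf needs changing. Constructed input such as `LISTEN 0 128 0.0.0.0:60001 0.0.0.0:*` piped into `check_fcgi_binds` is reported, while `127.0.0.1:60001` and `[::1]:60002` pass.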

Resolving rewrite conflicts

By default Shibboleth receives login responses on the Shibboleth.sso handler URI. The rewrite rules in the .htaccess shipped with WordPress/Drupal send every unknown path to the front controller, so requests to Shibboleth.sso come back as 404. Exempt the handler from rewriting with the following rule:

# Place after RewriteEngine On and before the front-controller rules
RewriteRule ^Shibboleth\.sso - [L,NC]
Author: njun
Updated: 2019/11/23