Idp oidc

From sia.

Shibboleth IdP as an OIDC identity provider

Installation

Add:

   idp.searchForProperties=true

to idp.properties, so that every .properties file under conf/ (including the conf/oidc.properties created below) is loaded; or, in the same file, list it explicitly:

   idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/oidc.properties, /credentials/secrets.properties

Install the two plugins (the -l call only lists what is installed), then enable the OP module:

  sudo ./bin/plugin.sh -I net.shibboleth.oidc.common
  sudo ./bin/plugin.sh -I net.shibboleth.idp.plugin.oidc.op
  sudo JAVA_HOME=/usr/lib/jvm/latest ./bin/plugin.sh -l
  sudo JAVA_HOME=/usr/lib/jvm/latest ./bin/module.sh -e idp.oidc.OP

The last command creates quite a lot of files:

Enabling idp.oidc.OP...
        conf/oidc.properties created
        conf/oidc-clientinfo-resolvers.xml created
        conf/oidc-credentials.xml created
        conf/attributes/oidc-claim-rules.xml created
        conf/authn/oauth2client-authn-config.xml created
        conf/examples/oidc-attribute-filter.xml created
        conf/examples/oidc-attribute-resolver.xml created
        static/openid-configuration.json created
        bin/jwtgen.sh created
        bin/jwtgen.bat created
        bin/lib/json-web-key-generator-0.8.2-jar-with-dependencies.jar created
        bin/issue-access-token.sh created
        bin/issue-access-token.bat created
        bin/oidc-clients.sh created
        bin/oidc-clients.bat created
[OK]

See documentation for additional instructions to enable the OP module.

Files I edited after enabling the module:

  • conf/credentials.xml;
  • conf/services.xml (to add the OIDC files for the attribute resolver and the attribute filter);
  • conf/relying-party.xml (four profiles for shibboleth.DefaultRelyingParty and two for the unverified relying party);
  • conf/oidc.properties (at minimum set idp.oidc.issuer);
  • conf/oidc-clientinfo-resolvers.xml (two changes, see the Shibboleth IdP wiki);
  • static/openid-configuration.json (change the service_name).

OP Discovery

Allow clients to discover the OP's OIDC configuration: the discovery document has to be served at the well-known path under the issuer URL, so add to the Apache virtual host:

   ProxyPass /.well-known/openid-configuration http://127.0.0.1:8080/idp/profile/oidc/configuration connectiontimeout=5 timeout=15

Discovery requests carry no client identity, so they are handled by the unverified relying-party configuration; allow the OIDC.Configuration profile there. Add to relying-party.xml:

<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="OIDC.Configuration" />
        </list>
    </property>
</bean>

Reload the relying-party resolver service so the change takes effect:

   sudo JAVA_HOME=/usr/lib/jvm/latest ./bin/reload-service.sh -id shibboleth.RelyingPartyResolverService -u http://localhost:8080/idp
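Once the ProxyPass and the unverified relying-party profile are in place, the thing worth checking is that the document clients receive is self-consistent: its issuer must be exactly the URL it was fetched from (minus the well-known suffix), and no endpoint may leak the proxied 127.0.0.1:8080 backend or a default idp.oidc.issuer value. The following is an added example, not code from the page or from the Shibboleth OP plugin; the discovery document is constructed, and the hostname idp.example.org and the /idp/profile/oidc/... endpoint paths are assumptions.

```python
"""Sanity-check an OIDC discovery document served by the OP.

Added example, not part of the original page or of the Shibboleth OP plugin.
The document below is CONSTRUCTED to resemble what
/.well-known/openid-configuration returns once the ProxyPass is in place;
the hostname idp.example.org and the endpoint paths are assumptions.
"""
import json
from urllib.parse import urlparse

# Constructed sample: what a client would fetch from
# https://idp.example.org/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/idp/profile/oidc/authorize",
    "token_endpoint": "https://idp.example.org/idp/profile/oidc/token",
    "userinfo_endpoint": "https://idp.example.org/idp/profile/oidc/userinfo",
    "jwks_uri": "https://idp.example.org/idp/profile/oidc/keyset",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Metadata that OpenID Connect Discovery 1.0 (section 3) marks REQUIRED.
REQUIRED = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def check_discovery(doc_json: str, fetched_from: str) -> list[str]:
    """Return a list of problems (empty means OK).

    fetched_from is the URL the client actually retrieved the document from;
    per Discovery 1.0 section 4.3 the 'issuer' must equal it with the
    /.well-known/openid-configuration suffix removed. A mismatch usually
    means idp.oidc.issuer in conf/oidc.properties was left at its default.
    """
    problems = []
    try:
        doc = json.loads(doc_json)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc}"]

    for key in REQUIRED:
        if key not in doc:
            problems.append(f"missing required field {key}")

    expected_issuer = fetched_from.removesuffix("/.well-known/openid-configuration").rstrip("/")
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer:
        problems.append(f"issuer {issuer!r} != {expected_issuer!r} (check idp.oidc.issuer)")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not https")

    issuer_host = urlparse(issuer).netloc
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parsed.netloc != issuer_host:
            # e.g. 127.0.0.1:8080 leaking through from the proxied backend
            problems.append(f"{key} host {parsed.netloc!r} differs from issuer host")

    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("OP advertises unsigned ID tokens (alg 'none')")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY,
                          "https://idp.example.org/.well-known/openid-configuration"))
```

In practice, replace SAMPLE_DISCOVERY with the body returned by the real well-known URL; an issuer that still reads http://localhost:8080/idp or similar points straight at the idp.oidc.issuer setting in conf/oidc.properties.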

Edit relying party

Any later edit to conf/relying-party.xml needs the same reload (no restart of the IdP):

   sudo JAVA_HOME=/usr/lib/jvm/latest ./bin/reload-service.sh -id shibboleth.RelyingPartyResolverService -u http://localhost:8080/idp


Simulate client

bin/oidc-clients.sh -c <client_id> prints the client record the OP holds for that client_id; check redirect_uris, grant_types and response_types against what the RP will actually send:

$ sudo ./bin/oidc-clients.sh -c 596aae40-7073-425d-9b5b-2a92ca3a557d -u http://localhost:8080/idp
{"grant_types":["authorization_code"],"client_secret_expires_at":0,"scope":"openid email profile","client_secret":"my-secret","redirect_uris":["https:\/\/rimbaud.dmz-ext.unimo.it\/cgi-bin\/redirect_uri"],"client_id":"596aae40-7073-425d-9b5b-2a92ca3a557d","response_types":["code"]}
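The record above only says what the OP will accept from this client; to actually simulate the client one has to drive the authorization-code flow it is registered for. The following is an added example, not code from the page or from the Shibboleth OP plugin: it reuses the client_id, redirect_uri and scope from the record, assumes an authorize endpoint on idp.example.org, and sends nothing over the network. It builds the authorization request with state, nonce and PKCE (S256), validates a constructed redirect back to the RP the way the RP must, and assembles the token request that would follow.

```python
"""Simulate the registered client's authorization-code flow (RP side).

Added example, not part of the original page or of the Shibboleth OP plugin.
It reuses the client record printed by oidc-clients.sh (client_id,
redirect_uri, scope); the authorize endpoint URL on idp.example.org is an
assumption. Nothing is sent over the network.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# From the oidc-clients.sh output on the page.
CLIENT_ID = "596aae40-7073-425d-9b5b-2a92ca3a557d"
REDIRECT_URI = "https://rimbaud.dmz-ext.unimo.it/cgi-bin/redirect_uri"
SCOPE = "openid email profile"
# Assumed OP endpoint (compare with what the discovery document advertises).
AUTHORIZE_ENDPOINT = "https://idp.example.org/idp/profile/oidc/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(state: str, nonce: str, code_verifier: str) -> str:
    params = {
        "response_type": "code",  # the only response_type the record allows
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match the registered value exactly
        "scope": SCOPE,
        "state": state,  # CSRF binding, checked on return
        "nonce": nonce,  # replay binding, checked inside the ID token
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the code from the redirect, raising if the response is not trustworthy."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at a URI other than the registered redirect_uri")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"OP returned error {qs['error'][0]}")
    # compare_digest is constant-time and fails closed when state is missing
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    if "code" not in qs:
        raise ValueError("no code in callback")
    return qs["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Body the RP POSTs to token_endpoint (client_secret goes in HTTP Basic auth, not here)."""
    return {
        "grant_type": "authorization_code",  # the only grant_type the record allows
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,  # lets the OP verify the earlier code_challenge
    }


def simulate() -> dict:
    """Run the RP side end to end against a constructed OP redirect."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    code_verifier = secrets.token_urlsafe(32)  # 43 chars, within RFC 7636 bounds
    authz_url = build_authorization_request(state, nonce, code_verifier)
    # Constructed: what the OP would redirect the browser to after login.
    callback = REDIRECT_URI + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = parse_callback(callback, state)
    return {"authorization_url": authz_url,
            "token_request": build_token_request(code, code_verifier)}


if __name__ == "__main__":
    print(simulate()["authorization_url"])
```

Pasting the printed authorization URL into a browser against the real OP exercises the registered redirect_uri and response_type; a redirect back with an error parameter, or a state that does not match, is exactly what parse_callback refuses. The client_secret printed in the record above belongs in the HTTP Basic header of the token request, never in a URL.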

Errors seen occasionally

   ERROR [net.shibboleth.idp.saml.metadata.impl.AttributeMappingNodeProcessor:112] - Attribute transcoding service unavailable

Fix: remove

   <import resource="oidc-claim-rules.xml" />

from $IDP_HOME/conf/attributes/default-rules.xml.

   2022-08-25 14:42:36,840 - WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:591] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'shibboleth.oidc.DefaultRSSigningCredential' defined in file [/opt/shibboleth-idp/conf/oidc-credentials.xml]: Could not resolve placeholder 'idp.signing.oidc.rs.key' in value "%{idp.signing.oidc.rs.key}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.signing.oidc.rs.key' in value "%{idp.signing.oidc.rs.key}"

The placeholder idp.signing.oidc.rs.key is defined in conf/oidc.properties (created by module.sh above), so this warning means that file is not being loaded: check idp.searchForProperties or idp.additionalProperties in idp.properties (see Installation).