2014/06/27 T. FURUYA
2018/0115 modified by K.Mori
The Apache 2.4 paths are as follows (Apache 2.2 paths in parentheses)
1. The binaries are now under /opt/local/sbin/
(rather than under /opt/local/apache2/bin/)
2. The configure files are now under /opt/local/etc/apache2/
(rather than under /opt/local/apache2/conf/)
3. The modules are now under /opt/local/lib/apache2/modules/
(rather than under /opt/local/apache2/modules/)
4. The web root is now located under /opt/local/www/apache2/html/
(rather than under /opt/local/apache2/htdocs/)
5. The cgi-bin is now located under /opt/local/www/apache2/cgi-bin/
(rather than under /opt/local/apache2/cgi-bin/)
6. The logs are now located under /opt/local/var/log/apache2/
(rather than under /opt/local/apache2/logs/)
7. The manual is now located under /opt/local/www/apache2/manual/
(rather than under /opt/local/apache2/manual/)
8. The manual (man) pages are still at /opt/local/share/apache2/man/
4. Install Shibboleth
$ sudo port install shibboleth
or
$ sudo port upgrade shibboleth
5. Copy Shibboleth's default Apache configuration (for httpd.conf) to the chosen location (here apache2/extra/)
$ sudo cp /opt/local/etc/shibboleth/apache24.config /opt/local/etc/apache2/extra/shib.conf
httpd.conf setting (add the following line)
+ Include etc/apache2/extra/shib.conf
6. Copy the server certificate (server.crt) and server private key (server.key) used by Apache 2.4 into the Shibboleth configuration directory (/opt/local/etc/shibboleth)
SSLCertificateFile
$ sudo cp server.crt /opt/local/etc/shibboleth/
SSLCertificateKeyFile
$ sudo cp server.key /opt/local/etc/shibboleth/
7. Fetch the metadata of the designated IdP (confirm with the IdP administrator) and copy it to /opt/local/etc/shibboleth
$ cd /opt/local/etc/shibboleth
$ sudo wget https://(IdPのURL)/idp/profile/Metadata/SAML
(if wget is available...)
$ sudo mv SAML idp-metadata.xml
8. Generate the SP metadata from the server certificate
$ cd /opt/local/etc/shibboleth
$ sudo ./metagen.sh -c server.crt -h host.hoge.jp -e "https://host.hoge.jp/shibboleth-sp" > sp-metadata.xml
9. Edit the following files
・Edit /opt/local/etc/shibboleth/shibboleth2.xml
--- shibboleth2.xml.dist 2013-12-03 02:30:17.000000000 +0900
+++ shibboleth2.xml 2013-12-16 16:30:36.534668457 +0900
@@ -20,7 +20,7 @@
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
- <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
+ <ApplicationDefaults entityID="https://hoge.cc.kagoshima-u.ac.jp/shibboleth-sp"
REMOTE_USER="eppn persistent-id targeted-id">
<!--
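Review bot: the entityID set here (https://hoge.cc.kagoshima-u.ac.jp/shibboleth-sp) does not match the value passed to metagen.sh -e in step 8 (https://host.hoge.jp/shibboleth-sp); the ApplicationDefaults entityID must be exactly the entityID in the SP metadata that the IdP registers, so choose one hostname and use the same string in both places.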
@@ -41,7 +41,7 @@
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
- <SSO entityID="https://idp.example.org/idp/shibboleth"
+ <SSO entityID="https://(IdPのURL)/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1
</SSO> @@ -80,9 +80,7 @@
-->
<!-- Example of locally maintained metadata. -->
-
- <!--
-
- <MetadataProvider type="XML" file="partner-metadata.xml"/>
-
- -->
validate="true"
backingFilePath="/opt/local/etc/shibboleth/metadata/idp-metadata-bak.xml"
maxRefreshDelay="86400">
</MetadataProvider>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> @@ -94,7 +92,7 @@
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
- <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+ <CredentialResolver type="File" key="/opt/local/etc/shibboleth/server.key" certificate="/etc/shibboleth/server.crt"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
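Review bot: in the @@ -41,7 +41,7 @@ hunk the SSO entityID is pinned to the IdP but still carries the https://(IdPのURL) placeholder, and discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF" are left over from the example; with a fixed entityID the discovery settings are unused, so replace the placeholder with the real IdP entityID (taken from the IdP metadata fetched in step 7) and drop the discovery attributes to avoid a misleading reference to ds.example.org.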
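Review bot: the @@ -80,9 +80,7 @@ hunk is incomplete as shown: it removes the commented-out partner-metadata.xml example and leaves the tail of a MetadataProvider (validate="true", backingFilePath, maxRefreshDelay), but the opening line of that element, which should reference the idp-metadata.xml copied in step 7, is not in the diff, so the edit cannot be reproduced from this page. backingFilePath also points into /opt/local/etc/shibboleth/metadata/, a directory no earlier step creates; if the provider is URL-based shibd writes its cached copy there, so create it and make it writable by the shibd user.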
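Review bot: in the @@ -94,7 +92,7 @@ hunk the CredentialResolver key is /opt/local/etc/shibboleth/server.key but the certificate is /etc/shibboleth/server.crt; step 6 copied both files into /opt/local/etc/shibboleth/, so the certificate path is inconsistent and should read /opt/local/etc/shibboleth/server.crt (or both values left relative to the configuration directory). Since the same private key now serves Apache and shibd, also check that server.key is readable only by root and the shibd user.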
・Edit /opt/local/etc/shibboleth/attribute-map.xml
<attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
and
<attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
must both be active: adjust the comment markers <!--, --> so that both lines are uncommented.
10. Restart Apache HTTPd
$ sudo apachectl restart
11. Start and register the Shibboleth daemon
$ sudo launchctl load -Fw /Library/LaunchDaemons/org.macports.shibd.plist
(to stop the daemon)
$ sudo launchctl unload /Library/LaunchDaemons/org.macports.shibd.plist
12. Check the Shibboleth daemon log
$ tail -100 /opt/local/var/log/shibboleth/shibd.log | more
13. Whenever any configuration is changed,
restart Apache (step 10) and stop and start the Shibboleth daemon (step 11)
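A consistency check covering steps 6, 8 and 9, added here as an example (not part of the original notes): it compares the entityID in shibboleth2.xml with the one in the generated sp-metadata.xml, verifies that the key and certificate named in CredentialResolver exist, and flags leftover example.org or "(...)" placeholder values. The fixture files it writes are constructed stand-ins, and the rule that relative paths resolve against the directory holding shibboleth2.xml is an assumption.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def _find(root, name):
    """First element with this local name, ignoring namespace (SP 2.x and 3.x differ)."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def check_sp_config(shibboleth2_xml, sp_metadata_xml):
    """Return a list of findings; an empty list means the checked items agree."""
    findings = []
    conf_dir = os.path.dirname(os.path.abspath(shibboleth2_xml))
    sp = ET.parse(shibboleth2_xml).getroot()
    md = ET.parse(sp_metadata_xml).getroot()
    # 1. The SP's entityID must equal the one in the generated metadata (metagen.sh -e).
    app = _find(sp, "ApplicationDefaults")
    sp_id = app.get("entityID") if app is not None else None
    if sp_id != md.get("entityID"):
        findings.append(f"entityID mismatch: config={sp_id!r} metadata={md.get('entityID')!r}")
    # 2. Key and certificate in CredentialResolver must exist (assumption: relative
    #    paths resolve against the directory holding shibboleth2.xml).
    cred = _find(sp, "CredentialResolver")
    for attr in ("key", "certificate"):
        p = (cred.get(attr) if cred is not None else None) or ""
        full = p if os.path.isabs(p) else os.path.join(conf_dir, p)
        if not os.path.isfile(full):
            findings.append(f"CredentialResolver {attr} not found: {full}")
    # 3. Example or placeholder values left behind mean the file was only partly edited.
    for e in sp.iter():
        for attr, value in e.attrib.items():
            if "example.org" in value or "(" in value:
                findings.append(f"placeholder left in {attr}={value!r}")
    return findings

def write_sample(conf_dir=None, cert_attr="server.crt"):
    """Constructed fixture (not real files): minimal config, metadata, empty key and cert."""
    conf_dir = conf_dir or tempfile.mkdtemp()
    entity = "https://host.hoge.jp/shibboleth-sp"
    for name in ("server.key", "server.crt"):
        open(os.path.join(conf_dir, name), "w").close()  # empty stand-ins, not real PEM files
    cfg = os.path.join(conf_dir, "shibboleth2.xml")
    meta = os.path.join(conf_dir, "sp-metadata.xml")
    with open(cfg, "w") as f:
        f.write(f'<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">'
                f'<ApplicationDefaults entityID="{entity}"><CredentialResolver type="File" '
                f'key="server.key" certificate="{cert_attr}"/></ApplicationDefaults></SPConfig>')
    with open(meta, "w") as f:
        f.write(f'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
                f'entityID="{entity}"/>')
    return cfg, meta
```

Run check_sp_config on the real /opt/local/etc/shibboleth/shibboleth2.xml and sp-metadata.xml after step 9; any finding should be resolved before restarting shibd.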