<h1>Configuring Shibboleth authentication</h1>
<p>Published 2019-07-31, last modified 2019-08-01. Source: <a href="https://kusanagi.tokyo/kusanagi8/document/shibboleth-sp-setting/" target="_blank" rel="noopener noreferrer">https://kusanagi.tokyo/kusanagi8/document/shibboleth-sp-setting/</a></p>
<p><span style="color: #ff0000;">Note: the Shibboleth module is available only in KUSANAGI Business Edition.</span><br />
<span style="color: #ff0000;">It requires the following package versions or later.</span></p>
<table>
<thead>
<tr>
<th>Package</th>
<th>Minimum version</th>
</tr>
</thead>
<tbody>
<tr>
<td>kusanagi</td>
<td>8.4.3-1</td>
</tr>
<tr>
<td>Nginx</td>
<td>1.17.2-2</td>
</tr>
<tr>
<td>kusanagi-biz</td>
<td>1.1.0</td>
</tr>
</tbody>
</table>
<p>Update KUSANAGI to the latest version:</p>
<pre>yum update kusanagi kusanagi-*</pre>
<p>Install the Shibboleth module:</p>
<pre>kusanagi addon install shibboleth</pre>
<h2>Shibboleth SP configuration</h2>
<p>Changes to /etc/shibboleth/shibboleth2.xml</p>
<p>Define the SP's entityID.</p>
<pre>&lt;ApplicationDefaults entityID="https://&lt;SP ServerName&gt;/shibboleth-sp"</pre>
<h3>Protected directory settings <span style="color: #ff0000;">(configure only if needed)</span></h3>
<p>With this configuration, any access under the secure directory requires authentication.</p>
<h4>Nginx</h4>
<p>Copy the sample RequestMapper:</p>
<pre>cp -p /etc/shibboleth/example-request-mapper.xml /etc/shibboleth/request-mapper.xml</pre>
<p>Contents of the RequestMapper file:</p>
<pre>cat /etc/shibboleth/request-mapper.xml
&lt;RequestMap xmlns="urn:mace:shibboleth:3.0:native:sp:config"&gt;
    &lt;Host name="&lt;SP ServerName&gt;" authType="shibboleth"&gt;
        &lt;Path name="secure" requireSession="true" redirectToSSL="443"/&gt;
    &lt;/Host&gt;
&lt;/RequestMap&gt;</pre>
<p>Add the setting that loads the RequestMapper to /etc/shibboleth/shibboleth2.xml (immediately before the ApplicationDefaults element):</p>
<pre>&lt;RequestMapper type="XML" path="request-mapper.xml" /&gt;

&lt;ApplicationDefaults entityID="https://&lt;SP ServerName&gt;/shibboleth-sp"</pre>
<h4>Apache</h4>
<p>This is already present in /etc/httpd/conf.d/shib.conf, so no additional configuration is required.<br />
Excerpt of the relevant section:</p>
<pre>&lt;Location "/secure"&gt;
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
&lt;/Location&gt;</pre>
<h3>Configure the IdP information in the SP</h3>
<p>Define the entityID of the IdP that the SP federates with for SSO.</p>
<pre>&lt;SSO entityID="https://&lt;IdP ServerName&gt;/idp/shibboleth"</pre>
<p>Obtain from the IdP administrator the IdP metadata that the SP will hold, and define the setting that loads it.<br />
Note: other approaches exist, such as the IdP publishing a metadata URL that the SP fetches, but they are omitted here.<br />
For details on fetching metadata from a URL, refer to the <a class="loom-link-another backlog-card-checked" href="https://meatwiki.nii.ac.jp/confluence/pages/viewpage.action?pageId=12158187" target="_blank" rel="noopener noreferrer">SP setup page on the GakuNin site</a>.</p>
<p>Configure the IdP metadata:</p>
<pre>&lt;MetadataProvider type="XML" path="idp-metadata.xml"/&gt;</pre>
<h3>The SP's certificate and private key for SAML tokens are also defined in shibboleth2.xml</h3>
<p>Note: the configuration below points at the default certificate and private key generated at installation time.</p>
<pre>&lt;!-- Simple file-based resolvers for separate signing/encryption keys. --&gt;
&lt;CredentialResolver type="File" use="signing"
    key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/&gt;
&lt;CredentialResolver type="File" use="encryption"
    key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/&gt;</pre>
<h3>Generate the SP metadata</h3>
<pre>/etc/shibboleth/metagen.sh -c /etc/shibboleth/sp-signing-cert.pem -h &lt;SP ServerName&gt; -e "https://&lt;SP ServerName&gt;/shibboleth-sp" &gt; /etc/shibboleth/shibboleth-sp-metadata.xml</pre>
<h3>Start the Shibboleth services</h3>
<pre>systemctl start shibd
systemctl start shibauthorizer
systemctl start shibresponder</pre>
<h3>The LDAP attributes received by the Shibboleth SP are commented out by default, so uncomment the ones you need to receive</h3>
<pre>vi /etc/shibboleth/attribute-map.xml</pre>
<p>Uncomment the OID entry:</p>
<pre>&lt;Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/&gt;</pre>
<p>Uncomment the attribute definition:</p>
<pre>&lt;Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/&gt;</pre>
<p>Restart the service and check its status:</p>
<pre>systemctl restart shibd
systemctl status shibd</pre>
<p><span style="color: #ff0000;">Note: with Apache, the attributes can be received once the configuration above is complete.</span></p>
<h3>For Nginx, the following additional configuration is required</h3>
<p>To enable the Shibboleth settings in Nginx, edit the configuration files of the target site:</p>
<pre>vi /etc/nginx/conf.d/xxxxx_http.conf
vi /etc/nginx/conf.d/xxxxx_ssl.conf</pre>
<p>Uncomment the Shibboleth-related settings:</p>
<pre>include templates.d/shibd.conf;
include shib_fastcgi_params;
include shib_clear_headers;</pre>
<p>Map the received attribute into a FastCGI parameter:</p>
<pre>vi /etc/nginx/shib_fastcgi_params</pre>
<pre>shib_request_set $shib_mail $upstream_http_variable_mail;
fastcgi_param mail $shib_mail;</pre>
<p>Restart Nginx:</p>
<pre>kusanagi nginx</pre>
<h2>Verifying the connection between the IdP and the SP</h2>
<p>Refer to the page published by GakuNin.<br />
<a class="loom-link-another backlog-card-checked" href="https://meatwiki.nii.ac.jp/confluence/pages/viewpage.action?pageId=12158272" target="_blank" rel="noopener noreferrer">LINK</a></p>