我在Server 2012 R2上安装了Shibboleth。我试图提交要导入IdP的元数据,但被告知:如果元数据中没有签名或加密密钥,IdP将无法向SP发送任何断言。
根据我目前的了解,Shibboleth SP的默认安装中已经包含了可用的密钥。我认为就是C:\opt\shibboleth-sp\etc\shibboleth文件夹中的sp-cert.pem和sp-key.pem。
我也不知道如何在Shibboleth2.xml文件中引用它。下面是我现在的shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon.
Nothing is overridden here; daemon logging is configured in shibd.logger. -->
<OutOfProcess logger="shibd.logger">
</OutOfProcess>
<!-- The InProcess section contains settings affecting web server modules/filters. -->
<InProcess logger="native.logger">
<!-- IIS/ISAPI filter settings. Site id is presumably the IIS site instance number this hostname is bound to; confirm in IIS. -->
<ISAPI normalizeRequest="true">
<Site id="1" name="sp-example.com"/>
</ISAPI>
</InProcess>
<!-- This set of components stores sessions and other persistent data in daemon memory.
Memory-backed storage means sessions, the replay cache and the artifact map are lost when shibd restarts
and are presumably not shareable between several SP nodes. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<!-- Every request for this host requires an authenticated Shibboleth session; no unprotected paths are carved out. -->
<Host name="sp-example.com" authType="shibboleth" requireSession="true"/>
</RequestMap>
</RequestMapper>
<ApplicationDefaults id="default" policyId="default"
entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
homeURL="https://sp-example.com"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false"
>
<!-- NOTE(review): signing and encryption are both "false", and no CredentialResolver is configured anywhere in
this element, so the SP has no key or certificate to use or to advertise. The accepted answer on this page adds
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> inside ApplicationDefaults and sets
both flags to "true". Only the certificate (sp-cert.pem) is published in metadata; sp-key.pem stays private. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="true"
exportLocation="http://sp-example.com/Shibboleth.sso/GetAssertion" exportACL="165.91.23.32"
idpHistory="false" idpHistoryDays="7" cookieProps="https" >
<!-- Session policy: 8h absolute lifetime, 1h inactivity timeout. checkAddress="false" means a session is not bound
to the client IP. handlerSSL="true" confines the /Shibboleth.sso handlers to TLS; cookieProps="https" selects the
secure cookie properties (confirm the exact flags against the SP documentation). -->
<!-- NOTE(review): exportLocation appears to hand a session's assertions to callers matching exportACL. Here it is a
plain http:// URL on the public hostname with a non-loopback address in the ACL; confirm this export is really
needed and, if so, that the address is correct and the path is only reachable over TLS. -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
relayState="cookie" entityID="urn:mace:university.edu:shibboleth:test:idp:university:administrative:cscn:idp-test.university.edu">
<!-- Default login chain, pinned to the test IdP's entityID: the initiators are tried in order, SAML2 (ACS index 1) before Shib1 (index 5). -->
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>
<!-- Endpoints the IdP may deliver assertions to; the index values are the ones the SessionInitiators above refer to. -->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<!-- NOTE(review): this is the metadata the question is about. It is served unsigned (signing="false") and, with no
CredentialResolver configured, carries no KeyDescriptor. Once a credential is configured the handler emits the
certificate here, and the regenerated metadata has to be re-imported into the IdP, as the answer on this page notes. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service; the acl limits it to the loopback address. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service; attribute values are withheld from the page. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
<!-- Error page templates and the contact shown to users; supportContact is still the placeholder root@localhost. -->
<Errors session="sessionError.html"
metadata="metadataError.html"
access="accessError.html"
ssl="sslError.html"
localLogout="localLogout.html"
globalLogout="globalLogout.html"
supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<!-- Example of remotely supplied batch of signed metadata. -->
<!-- NOTE(review): the feed is described as signed, but no <MetadataFilter type="Signature" .../> is configured, so
its signature is never verified: whatever the https fetch (or the backingFilePath copy used after a restart) returns
is trusted as-is, and the trust engines below take the IdP's keys from it. Add
<MetadataFilter type="Signature" certificate="[federation signing certificate .pem]"/> inside this provider, and
consider <MetadataFilter type="RequireValidUntil" maxValidityInterval="[seconds]"/> so stale copies are rejected. -->
<MetadataProvider type="XML" uri="https://idp-test.university.edu/universityfed-test-metadata-signed.xml"
backingFilePath="C:\opt\shibboleth-sp\etc\shibboleth\universityfed-test-metadata-signed.xml" reloadInterval="7200">
</MetadataProvider>
</MetadataProvider>
<!-- Chain the two built-in trust engines together: ExplicitKey accepts keys listed in the metadata's KeyDescriptors,
PKIX falls back to certificate path validation. Both only help if the metadata itself is authentic, see the note above. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>
<!-- Map to extract attributes from SAML assertions (attribute-map.xml, relative to this file's folder). -->
<AttributeExtractor type="XML" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" path="attribute-policy.xml"/>
</ApplicationDefaults>
<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
<!-- The predefined policy enforces replay/freshness and permits signing and client TLS.
validate="false" skips XML schema validation of inbound messages. MessageFlow rejects replayed messages and
anything older than 60s (presumably judged against the 180s clockSkew set on SPConfig). The three authentication
rules are errorFatal, so a signature or client certificate that is present but invalid fails the message instead
of merely leaving the rule unsatisfied. -->
<Policy id="default" validate="false">
<Rule type="MessageFlow" checkReplay="true" expires="60"/>
<Rule type="ClientCertAuth" errorFatal="true"/>
<Rule type="XMLSigning" errorFatal="true"/>
<Rule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
根据我收到的一封邮件,我需要在元数据中包含<md:KeyDescriptor use="encryption">和<md:KeyDescriptor use="signing">。
根据我在网上发现的,它应该类似于:
<md:SPSSODescriptor>
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
<!-- NOTE(review): this is not a hash. The element holds the base64 body of sp-cert.pem, the text between the
BEGIN CERTIFICATE and END CERTIFICATE lines; nothing from sp-key.pem ever goes into metadata. -->
hash found in sp-cert.pem file
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
我不知道该把这段内容放在Shibboleth2.xml文件中的哪个位置。
有人能给我指个方向吗?我看过很多不同机构的文档和指南,但还是没有找到头绪。
发布于 2015-03-31 16:02:32
答案是将以下行添加到Shibboleth2.xml (在ApplicationDefaults部分中):
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
sp-key.pem和sp-cert.pem都包含在Shibboleth安装包中,它们与Shibboleth2.xml文件位于同一个文件夹中。只有sp-cert.pem中的证书会被写入元数据;sp-key.pem是私钥,必须留在服务器上,不要随元数据一起提交给IdP。
我还把下面这几行:
<ApplicationDefaults id="default" policyId="default" entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
homeURL="https://sp-example.com"
REMOTE_USER="eppn persistent-id targeted-id"
signing="false" encryption="false"
>
改为:
<ApplicationDefaults id="default" policyId="default"
entityID="urn:mace:university.edu:shibboleth:test:sp:university:administrative:cscn:sp-example.com"
homeURL="https://sp-example.com"
REMOTE_USER="eppn persistent-id targeted-id"
signing="true" encryption="true"
>
添加这些行后,生成的元数据中就会包含证书条目,需要重新导入到IdP。
https://serverfault.com/questions/666947