consortiumgarr / idem-tutorials Goto Github PK

I think that the following could be usefull for security reasons

idp.cookie.secure = true
idp.frameoptions = DENY

Hello,

I'm trying to install Shibboleth Idp4.X on CentOS 8. I saw this error when came to the step below:

[root@XXShibboleth ~]# yum install -y java-11-amazon-corretto-devel
Last metadata expiration check: 0:12:44 ago on Wed 28 Oct 2020 03:24:44 PM CST.
No match for argument: java-11-amazon-corretto-devel

Could you please let me know how to fix this?

Thanks,
Peng

hello, this URL is no longer working:
http://www.marcocappellacci.info/repository/nginx_1.10.1-1~jessie_amd64.deb

p.s.: it would be interesting to have scripts to compile the packages for different OSs (namely create rpm and deb).

Errori e miglioramenti notati da Scott Cantor. Processiamoli uno alla volta aprendo una issue per ognuno.

[email protected] Scott Cantor added a comment - 5 days ago

I'll try and cover all the problems here as best I can. I'm not just closing out the bug because I still think it's a bug (though not ours), but this is really more of a "how not to configure the IdP" set of issues.

1. You're using a database for a bunch of things you absolute do NOT want to use one for and don't need to be. I doubt you're even using SAML artifact support, are you? if you don't have a back channel, you can't be. So that doesn't matter much. But you most definitely do NOT want to use a database for sessions. You should use client side sessions unless you can provide a strong argument as to why you shouldn't. We provide the software defaulting to that for a reason.

2. You have the computed ID strategy property there uncommented, so your identifiers must be, for the most, all coming from the original salted hash approach and just being stored in the database that way. You can look at the stored ID table and check, and if they're all long and base64 or base32-encoded, and not just simple UUIDs, then you don't need a database for them at all. Dump the stored ID approach and leave it configured to produce them with the computed approach alone. Major problem solved there.

3. You're sharing the same DataSource bean across two different subsystems when you could easily separate them into two, and have the StoredID support (which you don't need most likely, see #2) separate from the StorageService support. That solves the "nothing works when consent fails" problem. Isolation is good.

4. I still have to assume the problem here is your driver and/or the settings. We don't really provide support for that layer but offhand I don't see anything obvious. Without much more logging, there's really nothing I can say about the driver (other than make sure it's the absolute newest one you can get).

I do think you created the storage service database with the wrong schema, perhaps. The context and key columns have to be be case sensitively handling the primary key constraint, which should make the new records non-conflicting with the originals that had the mixed case. If that's not possible in the database you're using, it can't be used, but I assume it just wasn't created correctly. It could also be a Hibernate limitation, I don't know anything about it, but I'll ask the author. It seems like it must be finding the old records on a case-insensitive search, so that might be the root of it.

After the fact, getting the records updated to fix the mixed case would seem like the obvious fix to me. You can't make it work any other way if it's going to keep failing to create those new records, even if the connections didn't become unstable when it failed.

Ho eseguito passo passo la guida:

HOWTO Install and Configure a Shibboleth IdP v3.4.x on CentOS 7 with Apache2 + Jetty9

Arrivato al punto 11 della sezione "Install Jetty 9 Web Server" denominato "Check if the Apache Welcome page is available:" non ho rilevato alcun servizio apache in esecuzione.

NOTA: Il link per il download di jetty andrebbe modificato in :

• https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.26.v20200117/jetty-distribution-9.4.26.v20200117.tar.gz

• need to add nano and wget to install

• after adding key for nginx sources 'apt-get update' required

• nginx 1.16.0 is current build

• need instructions for key genertion or link https://www.akadia.com/services/ssh_test_certificate.html

• Add metadataprovider should have a pointer to where to add xml it qould be assumed to be inside the 'session' tag but should be outside

• the header files aren't moved to the correct dicrectory

Failing package is: shibboleth-3.3.0-1.x86_64
Issue: GPG key is broken

Key URL: https://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/repodata/repomd.xml.key
error on line 1 at column 1: Document is empty

my workaround has been to disable the GPG Keys check
yum install shibboleth --nogpgcheck

This works fine but would be considered a temporary fix.

The following line refers to a Debian/Ubuntu install of Apache (apache2). While the rest of the instructions are for Centos Apache (httpd):

"Modify the file /etc/apache2/sites-available/default-ssl.conf as follows:"

This line et. al. should be changed to "/etc/httpd/sites-available" with mkdir and adding "IncludeOptional sites-enabled/*.conf" to "/etc/httpd/conf/httpd.conf" as the provided instructions will not work.

Is there any docker implementation coming soon?

There are tutorials for Apache/CentOS: https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Service%20Provider/CentOS/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20SP%20v3.x%20on%20CentOS%207%20(x86_64).md

and Nginx/Debian: https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-community/HOWTO-Shibboleth/Service-Provider/Debian/HOW%20TO%20SETUP%20A%20SHIBBOLETH%20SP%20WITH%20NGINX.md

But, greatly missing Nginx/Cent OS that's a popular combination for many live servers.

Already someone noted it https://stackoverflow.com/questions/49498613/how-to-configure-shibboleth-sp-running-on-nginx-web-server-on-centos-7

(For the sake of record, I tried combination of such tutorials; but none of them builds nginx-http-shibboleth.so)

Dears,

I dont know if anyone encountered this problem before as I am having difficulty solving it.
Debian with Spv3 on apache and tomecat backend is extracting two duplicate attribute values for SchacHoneOrganization and Eppn. Any idea why this is happening two duplicate values instead of one value? Sur name and displayName are working fine.
Also note that IDP is sending one value for each as I have checked it using the aacli script.

Thank you

Opinione di Scott Cantor

But you most definitely do NOT want to use a database for sessions. You should use client side sessions
unless you can provide a strong argument as to why you shouldn't. We provide the software defaulting to that for a reason.