
Installation & configuration user guide of Ping Federate


cubitus computer .bashrc file

```bash
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
[ -z "$PS1" ] && return

# don't put duplicate lines in the history. See bash(1) for more options
export HISTCONTROL=ignoredups

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color)
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    ;;
*)
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
    ;;
esac

# Comment in the above and uncomment this below for a color prompt
#PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}[...]
```
IdP connection INT summary (continued)

Adapter Mapping & User Lookup, Select Adapter Instance
  Selected adapter: SPJava
Adapter Data Store
  Attribute location: Use only the attributes available in the SSO Assertion
Adapter Contract Fulfillment
  userId: SAML_SUBJECT (Assertion)
SSO Service URLs
  Endpoint: URL /idp/SSO.saml2, binding POST
SLO Service URLs
  Endpoint: URL /idp/SLO.saml2, binding POST
Allowable SAML Bindings: Artifact, POST, Redirect
Signature Policy: Always sign AuthN requests; Require digitally signed SAML Assertion
Encryption Policy
Status
  (the values captured for the rows above are false, false, false, false; connection status: Inactive)
Credentials, Digital Signature Settings
  Selected Certificate: CN=Config Signing Cert, O=Sample Organization, C=US
  Include Key Info: false
Signature Verification Certificate
  Selected Certificate: CN=Config Signing Cert, O=Sample Organization, C=US
Activation & Summary
  Status: Active

IdP connection ITAM summary

Connection Role & Protocol
  Connection Type: IdP
  Protocol: SAML v2.0
General Info
  Partner's Entity ID (Connection ID): oberon.ipv6.itam.mx
  Base URL: http://oberon.ipv6.itam.mx:9030
SAML Profiles
  IdP-Initiated SSO: true
  IdP-Initiated SLO: true
  Attribute Query: false
  SP-Initiated SSO: true
  SP-Initiated SLO: true
IdP Web SSO, Identity Mapping
  Enable Account Mapping: true
Attribute Contract
  Attribute: SAML_SUBJECT
Adapter Mapping & User Lookup
  Adapter instance name: SPJava
IdP connection ITAM summary (continued)

Adapter Mapping & User Lookup, Select Adapter Instance (as above)
Credentials
  Back Channel Authentication
    Outbound SOAP Authentication Type: HTTP Basic
    Outbound Username: Edith
  Digital Signature Settings
    Selected Certificate: CN=Config Signing Cert, O=Sample Organization, [last component illegible in the source]
    Include Key Info: false
  Signature Verification Certificate
    Selected Certificate: CN=Default Config Signing Cert, OU=Dev, O=Ping, L=Denver, ST=CO, C=US

SP connection INT summary

Connection Role & Protocol
  Connection Type: SP
  Protocol: SAML v2.0
General Info
  Partner's Entity ID (Connection ID): INT SAML2.0 server
  Base URL: http://cubitus.int-evry.fr:9030
Assertion Lifetime
  Assertion Minutes Before: 5
  Assertion Minutes After: 5
SAML Profiles
  IdP-Initiated SSO: true
  IdP-Initiated SLO: true
  Attribute Query: false
  SP-Initiated SSO: true
  SP-Initiated SLO: true
SP Web SSO
  Enable Standard Identifier: true
Attribute Contract
  Attribute: SAML_SUBJECT
IdP Adapter Mapping
  Adapter instance name: [illegible in the source]
IdP Adapter Mapping, Select Adapter Instance
  Selected adapter: [illegible in the source]
  Adapter Data Store or Assertion
  Attribute Contract Fulfillment: SAML_SUBJECT
  Assertion Consumer Service URL: Endpoint
  SLO Service URLs: Endpoint
  Allowable SAML Bindings: Artifact, POST, Redirect
  Signature Policy: Require digital[...]
3. Adapter Attributes
  userId

Figure 13: LDAP adapter summary

Note that before installing this adapter you need to set up the database connection.

[Screenshot: Main > Manage Data Stores > Data Store > Summary. "Please provide the details for configuring this LDAP connection." Hostname: cubitus.int-evry.fr:9009; Bind Anonymously: unchecked; Username: cn=admin,o=INT,c=FR; Password: masked; Use SSL; Mask Values in Log.]

Figure 14: Data Store configuration summary

This menu connects the database to the Ping Federate server using the credentials of the LDAP database's administrator (cf. the LDAP part).

SAML Metadata Export

The metadata file (XML) can be created automatically under this menu. You can choose the role from which the metadata is exported and then send the file to your partners.

Configuring the partners' connections

This part of Ping Federate mainly depends on the scenarios that you plan to deploy with your partners. Refer to the manual for the general overview and to the notice for a more detailed presentation with our case study. Note that the IdP parameters of your partners are set in your IdP connections page, where the SP adapter(s) you want them to use appear, and the SP parameters of your partners are set in your SP connections page, where the IdP adapter(s) you want them to use appear. Logically, your part[...]
[Screenshot: Thunderbird mail client (French interface), inbox of liberty@cubitus.int-evry.fr showing test messages dated 18/01/2007 to 24/01/2007. The selected message, "Test Message from PingFederate Server", was sent by IdpAdmin@cubitus.int-evry.fr on 19/01/2007 at 14:06 to liberty@cubitus.int-evry.fr: "Dear Administrator, This is a test message from your PingFederate server designed to verify that this email notification service is properly configured. If you feel you received this message in error, please contact your system administrator. Regards, Ping Support Team".]

Figure 4: Thunderbird mail client

We have tried different use cases to test the sending and receiving functions of our servers. We can send to every email address, but we can only receive from INT email addresses. Nevertheless, this is not very important since we supp[...]
[Screenshot: browser login popup (French interface): "The server cubitus.int-evry.fr at 'INT IdP Ping Federate' requires a username and a password. Warning: this server requires that your username and password be sent in an insecure way (basic authentication without a secure connection). Username: Password: Remember my password."]

Figure 23: login popup to initiate SSO

APPENDIXES

Postfix mailserver configuration file
ventenpoupe computer .bashrc file
cubitus computer .bashrc file
IdP connection INT summary
IdP connection ITAM summary
SP connection INT summary
SP connection ITAM summary
(page numbers as captured: 28 32 33 34 39 41 43 45)

Configuration file for the LDAP server

```
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop[...]
```
Packages Manager: postfix, postfix-dev, postfix-doc.

B. Configuration

The Postfix configuration can be found in /etc/postfix/main.cf. A copy of this file is in the appendix. In this file:
- myhostname is the name of the mailserver;
- home_mailbox = Maildir/ : this line must be added to the configuration file in order to receive the mails by IMAP.

C. IMAP server

We have also installed an IMAP server as MDA (Mail Delivery Agent). To do so we had two equivalent possibilities:
- installing the courier-imap package in Synaptic Packages Manager;
- running the following command:

  > sudo apt-get install postfix courier-imap

We did not choose to install an LDAP or other database Postfix package because there is only one administrator for the mail server (the PF server). Therefore only one email account is needed. The username/password of this account are those of the Linux user account for this computer (liberty / liberty).

The courier-imap configuration file can be found in /etc/courier/imapd. In this configuration file the last line must be changed as follows:

  MAILPATH=Maildir

Once this MAILPATH is set, the following command must be run in the HOME directory:

  > maildirmake Maildir

This will create the mailbox Maildir in the HOME directory.

D. Launching

The following command launches postfix and courier-imap:

  > sudo /etc/init.d/postfix re[...]
ventenpoupe computer .bashrc file (continued; the source resumes mid-file after the fragment "$HOME ... \007")

```bash
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable color support of ls and also add handy aliases
if [ "$TERM" != "dumb" ]; then
    eval "`dircolors -b`"
    alias ls='ls --color=auto'
    alias dir='ls --color=auto --format=vertical'
    alias vdir='ls --color=auto --format=long'
fi

# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi

export JAVA_HOME=/home/alliance/jdk1.5.0_10
export PATH=$JAVA_HOME/bin:$PATH
export CATALINA_HOME=/home/alliance/apache-tomcat-5.5.20
export PATH=$CATALINA_HOME/bin:$PATH
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/axis-ant.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/saaj.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/commons-discovery-0.2.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/jaxrpc.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/axi[...]
```
```xml
        <resource-env-ref-type>org.apache.catalina.UserDatabase</resource-env-ref-type>
    </resource-env-ref>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Page</web-resource-name>
            <url-pattern></url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>These roles are allowed access</description>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>INT</realm-name>
    </login-config>
    <security-role>
        <description>role is required to log in to the INTest Application</description>
        <role-name>user</role-name>
    </security-role>
</web-app>
```

Figure 8: example of web.xml for the INTest application

In the auth-method tag, BASIC refers to a login popup from the browser (cf. the following figure). This is the easiest way of configuring the identification. In the role-name tag you must indicate the user role that is allowed to use the application. The url-pattern tag configures the scope of the security constraint: the path you specify is relative to the context path of Tomcat (see the Tomcat documentation for more detail). You can add as many tags as you wish according to the scope you choose. You can check fo[...]
[...] is ITAM's IdP, and the titania computer is ITAM's SP.

To set the configuration properly, you should use the metadata files that your partner gives you. If you do not have them, you need the IdP and SP connection summaries of their own Ping Federate server to retrieve their configuration. Some configuration requirements, such as the artifact and redirect bindings, were not given in the Quick Start Guide of Ping Federate. That is why you really have to pay attention to the information the partner gives you. The following extract shows the parameters that we set up in our case for working with ITAM's configuration.

Adapter Mapping & User Lookup, Select Adapter Instance
  Selected adapter: SPJava
Adapter Data Store
  Attribute location: Use only the attributes available in the SSO Assertion
Adapter Contract Fulfillment
  userId: SAML_SUBJECT (Assertion)
SSO Service URLs
  Endpoint: URL /idp/SSO.saml2, POST
SLO Service URLs
  Endpoint: URL /idp/SLO.saml2
Allowable SAML Bindings
  Artifact: true
  POST: true
  Redirect: true
Artifact Resolver Locations
  Artifact Resolution Endpoint

Figure 18: screenshot of ITAM's IdP connection settings in our server

IdP Adapter Mapping, Select Adapter Instance
  Selected adapter: IdPJava
  Assertion Mapping: Adapter
  PF4 LDAP Authentication Service v1.0
  Data Store or Assertion: Use only the Adapter Contract [...]
  [...] values in the SAML assertion
Attribute Contract Fulfillment
  SAML_SUBJECT: userId (Adapter)
Assertion Consumer Service URL
  Endpoint URL: http://titania.ipv6.itam.mx:9030/sp/ACS.saml2 (POST)
  Endpoint URL: http://titania.ipv6.itam.mx:9030/sp/ACS.saml2 (Artifact)
SLO Service URLs
  Endpoint URL: /sp/SLO.saml2 (Redirect)
  Endpoint URL: /sp/SLO.saml2 (POST)
Allowable SAML Bindings
  Artifact: true
  POST: true
  Redirect: true
Artifact Lifetime
  Artifact Lifetime (in seconds): 60
Artifact Resolver Locations
  Artifact Resolution Endpoint: index 0, /sp/ARS.saml2

Figure 19: screenshot of ITAM's SP connection settings in our server

Please refer to the IdP connection and SP connection pages of our Ping Federate server, placed in the appendixes, for more information when setting the connection parameters.

Since the sample applications are the same for both INT and ITAM, we have made a change in pingfederate/idp-demo-users.props: the username Joe and its password have been replaced by the username Eunice, password Eunice. This proves that the federated identity between INT's and ITAM's circles of trust works: indeed, we have been able to connect to ITAM's SP sample application with a local INT profile. The Eunice account did not appear in ITAM's accounts configuration file, but only in our local INT accounts configuration file. The SP login page, the IdP and SP main pages of the service[...]
[...] web application that allows you to configure the server according to the settings you want. In our case the login and password for administrating the Ping Federate server are administrator / PWTa24ae2.

A. Configuration

Once again, PingFederate_Admin_Manual.pdf is documented well enough for you to configure the server. Nevertheless, the next figures and explanations provide some information you may require according to our configuration.

Local settings

The figure below shows the settings you must enter if you choose to activate email notification. You must specify the address and the port of the server you want to use for sending a notification email, under the account you specify in the From Address field, to the recipient account. Both email addresses must contain the same domain part. The user part of the From Address does not need to correspond to an existing account.

[Screenshot: Main > Local Settings, with the steps System Administration, System Info, Notification Options, IdP Adapter Selection, IdP Events, SP Adapter Selection and Summary Information.]

Local Settings, Summary Information
  System Administration
    Multiple Administrators: false
  System Info
    My Company Name: INT
    Contact Name: Maryline Maknavicius
    Contact Email: maryline.maknavicius@int-evry.fr
  Notification Options
    License Events: true
    Email Notification From Address: IdpAdmin@cubitus.int-e[...]
ventenpoupe computer .bashrc file (continued)

```bash
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/servlets-manager.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/servlets-common.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/servlets-default.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/ldapsec.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/jndi.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/ldapbp.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/providerutil.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/ldap.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/jakarta-regexp-1.3.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/commons-beanutils.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/commons-digester.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/webapps/admin/WEB-INF/lib/struts.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/webapps/manager/WEB-INF/lib/commons-fileupload-1.0.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/webapps/manager/WEB-INF/lib/catalina-manager.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/webapps/host-manager/WEB-INF/lib/catalina-host-manager.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/INTest/lib/commons-codec-1.3.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/INTest/lib/pf4-pftoken-agent-1.1.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/bin/bootstrap.jar
exp[...]
```
  Click on the link for Single Logout: Single Logout
Local Logout
  Click on the link for Local Logout: Local Logout

Figure 16: main page of the IdP application sample (case 1)

[Screenshot: Service Provider Main Page. "This is the main page of the SP Sample Application. You can initiate Single Sign-on to any of the configured IdP connections or perform single logout." IdP Connection: Connection Id INT SAML2.0 server; Click on the image to initiate Single Sign-on; ForceAuthn (checkbox); isPassive (checkbox); User Attributes: userid = sp; Single Logout: Click on the link for Single Logout; Local Logout: Click on the link for Local Logout.]

Figure 17: main page of the SP application sample (case 2)

B. Second case: test with ITAM

This case tests both application samples of ITAM and INT, setting up a federation of our circles of trust to perform the Federated Identity process. In this case INT remains both an IdP and an SP, therefore the test above could still be performed. However, we add ITAM's configuration in the partner connections menu of the Ping Federate server so that our servers can communicate. ITAM had chosen to separate the IdP and the SP roles on two servers. It was therefore really important to understand which ITAM computer plays the IdP role and which plays the SP role. According to the configuration ITAM explained, the oberon computer [...]
  [...]lkit installation
  D. Setting up the users authentication
    1. Default configuration
    2. LDAP-using configuration
  E. Useful links
V. INSTALLING AND CONFIGURING PING FEDERATE
  A. Configuration
VI. THE SCENARIOS WE HAVE TESTED
  A. First case: local test
  B. Second case: test with ITAM
  C. Third case: test with LDAP
APPENDIXES
(page numbers as captured: 1 10 17 21 21 22 26 28)

We had two computers to work with. The first one we were given, the cubitus computer, had 6 GiB of memory available and the fixed IP address 157.159.103.165. The second computer provided, the ventenpoupe computer, had 31.50 GiB of memory available and the fixed IP address 157.159.100.76. We installed the Ubuntu OS on each computer. The LDAP server, the Postfix mail server and the Ping Federate server were installed on the cubitus computer because it was the only computer we had at that time. The Tomcat server was installed on the ventenpoupe computer.

I. LDAP SERVER INSTALLATION AND CONFIGURATION

Ping Federate aims to federate identities, which implies databases or directories such as LDAP. Indeed, before a Ping Federate server is added, some services already exist with their own authentication against databases or directories. Initial user authentication can, for example, use an application or IdM (Identity Management) system logon module for a set of internal services offered within the same enterprise. Including Ping Federate serve[...]
MONDESIR Eunice, WEILL-TESSIER Pierre

Installation & configuration user guide of Ping Federate

OpenLDAP: http://www.OpenLDAP.org

[Cover screenshots: the SP Sample Application main page ("This is the main page of the SP Sample Application. You can initiate Single Sign-on to any of the configured IdP connections or perform single logout." Connection Id: oberon.ipv6.itam.mx; Click on the image to initiate Single Sign-on; ForceAuthn and IsPassive checkboxes; Click on the link for Single Logout: Single Logout) and the Data Store configuration page (Main > Manage Data Stores > Data Store > Summary: "Please provide the details for configuring this LDAP connection." Hostname: cubitus.int-evry.fr:9009; Bind Anonymously; Username: cn=admin,o=INT,c=FR; Password; Use SSL; Mask Values in Log).]

ASR 2006-2007 Final Project
Supervisors: Maryline Maknavicius, Laurent Guy Bernard

SOMMAIRE (table of contents)

I. LDAP SERVER INSTALLATION AND CONFIGURATION
  A. Server installation
  B. Server configuration
  C. Running the server
  D. Creating entries
  E. LDAP client
  F. Some links
II. POSTFIX MAILSERVER INSTALLATION
  A. Installation
  B. Configuration
  C. IMAP server
  D. Launching
  E. Sending e-mail in terminal mode
  F. Mail client
  G. Some links
III. J2SE INSTALLATION
IV. TOMCAT SERVER INSTALLATION
  A. Standard installation
  B. Running the server
  C. Administration too[...]
[...] are 4 or 5, depending on the number of messages displayed. The -h parameter specifies the port number of the server. The other parameter specifies the configuration file to be read by the server (source: the LDAP TP page of http://www-public.int-evry.fr/~gardie/, captured as "LDAP TP TP 1 cadre html").

D. Creating entries

Entries are generally sent to the server from text files describing the attributes and their values for each entry. The format of these text files is standardized: it uses the LDIF syntax. The database files (.ldif and .utf8) are saved under the directory "base ldap" in /home/liberty. These are the LDIF files that we used to fill the LDAP directory:

```ldif
dn: cn=Eunice,o=INT,c=FR
objectclass: inetOrgPerson
cn: Eunice
sn: Mondesir
mail: eunice.mondesir@int-evry.fr
userPassword: stella

dn: cn=Pierre,o=INT,c=FR
objectclass: inetOrgPerson
cn: Pierre
sn: Weill-Tessier
mail: pierre.weill-tessier@int-evry.fr
userPassword: antoine
```

Figure 1: file int1.ldif

```ldif
dn: cn=Maryline,o=INT,c=FR
objectclass: inetOrgPerson
cn: Maryline
sn: MAKNAVICIUS
mail: Maryline.MAKNAVICIUS@int-evry.fr
userPassword: mdpMaryline
title: user

dn: cn=Francisco,c=FR
objectclass: inetOrgPerson
cn: Francisco
sn: MENDEZ
mail: truc.machin@int-evry.fr
userPassword: mdpFrancisco
title: bidon

dn: cn=Uciel,o=INT,c=FR
objectclass: inetOrgPerson
cn: Uciel
sn: FRAGOSO
mail: truc.machin@int-evry.fr
userPassword: (continued)
```
```ldif
userPassword: mdpUciel
title: admin
```

Figure 2: file ajout.ldif

The title attribute will be used for the authentication to access our test service INTest under Tomcat (cf. the Tomcat server installation part).

To convert an LDIF file into a UTF-8 file, the following command must be typed:

  > iconv -f ISO-8859-1 -t UTF-8 -o file.utf8 file.ldif

This is useful if the LDIF contains special characters such as accented letters.

To add entries, the following command must be run:

  > ldapadd -w secret -D "cn=Manager,o=INT,c=FR" -x -H ldap://hostname:9009 -f file.utf8

In which:
- the -w parameter gives the password required to be authenticated by the server (rootpw);
- the -D parameter indicates the manager name of the database (rootdn);
- the -x parameter tells that the authentication method is simple;
- the -H parameter indicates the host name (ldap://host:port) and the port needed to access the server;
- and finally the -f parameter gives the file name of an LDIF/UTF-8 file.

E. LDAP client

To manage the LDAP base it is possible to install LDAP clients allowing easy modifications of the base. We installed the ldapbrowser client because its installation and use were quite simple. For future use, we advise using an LDAP client that already integrates the inetOrgPerson class, or checking whether it is possible to add this class to ldapbrowser. The entries added in our LDAP directory can be seen on thi[...]
[...] and add the folder $CATALINA_HOME/bin to the PATH variable and all the jar libraries to the CLASSPATH variable. To check how to set up these variables, ventenpoupe's .bashrc file has been added to the appendixes.

B. Running the server

The Tomcat server can be launched or stopped by the following commands:

  > $CATALINA_HOME/bin/startup.sh    (to launch)
  > $CATALINA_HOME/bin/shutdown.sh   (to stop)

Once you have started the server, the main page of Tomcat is reachable at the URL http://<tomcat_server_address>:<tomcat_port>, e.g. http://ventenpoupe.int-evry.fr:8080.

[Screenshot: Apache Tomcat 5.5.20 default home page (The Apache Software Foundation, http://www.apache.org) in Internet Explorer at http://ventenpoupe.int-evry.fr:8080. Page text: "If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations! As you may have guessed by now, this is the default Tomcat home page. It can be found on the local filesystem at $CATALINA_HOME/webapps/ROOT/index.jsp, where $CATALINA_HOME is the root of the Tomcat installation directory. If you're seeing this page, and you don't think you should be, then either you're a user who has arrived at a new installation of Tomcat, or you're an administrator who hasn't got his/her setup quite right. Providing th[...]"]
[...]doc/index.html

- indicate to Tomcat how to find the [...]

The configuration of Tomcat to reach the LDAP database is made in the file server.xml in the directory CATALINA_HOME/config. Here are indications to set it up according to our environment. In the Server > Service > Engine section, add the following tag:

```xml
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://cubitus.int-evry.fr"
       userBase="o=INT,c=FR"
       userSearch="(cn={0})"
       userRoleName="title"/>
```

Figure 9: Realm tag in server.xml in Tomcat

The className attribute specifies which adapter Tomcat must use: as we said, there are many ways to configure authentication, but the value indicated here is the only one to use when working with JNDI and LDAP. The connectionURL attribute specifies the database address. The userBase is the root DN of the LDAP database. The userSearch is the filter used to identify the user in the LDAP database from the login entered in the popup; the token {0} is replaced by the login entered. The userRoleName is the LDAP attribute which holds the role that Tomcat checks when authorizing access to an application. Here we chose the attribute title, which is available for the LDAP class inetOrgPerson. The attribute title can take the following values: admin to access the administrator service, manager to access [...]
```
        [...]domain ... write
        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database 2
#suffix          "dc=debian,dc=org"
```

Postfix mailserver configuration file

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myo[...]
```
[Screenshot text, continued: "If the latter is the case, please refer to the Tomcat Documentation for more detailed setup and administration information than is found in the INSTALL file. NOTE: This page is precompiled. If you change it, this page will not change since it was compiled into a servlet at build time. (See $CATALINA_HOME/webapps/ROOT/WEB-INF/web.xml as to how it was mapped.) NOTE: For security reasons, using the administration webapp is restricted to users with role 'admin'. The manager webapp is restricted to users with role 'manager'. Users are defined in $CATALINA_HOME/conf/tomcat-users.xml. Included with this release are a host of sample Servlets and JSPs (with associated source code), extensive documentation (including the Servlet 2.4 and JSP 2.0 API JavaDoc), and an introductory guide to developing web applications. Tomcat mailing lists are available at the Tomcat project web site: users@tomcat.apache.org for general questions related to configuring and using Tomcat; dev@tomcat.apache.org for developers working on Tomcat. Thanks for using Tomcat!"]

Figure 5: main page of the Tomcat server

C. Administration toolkit installation

The core distribution of the Tomcat server does not include the administration toolkit, for security reasons. If needed, the toolkit can easily be installed. Under the same web page presented before, download the Administration Web application if you have n[...]
ventenpoupe computer .bashrc file (continued)

```bash
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/[...]ections.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jasper-compiler.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jasper-compiler-jdt.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jta.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/naming-resources.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/commons-el.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jsp-api.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/ldap.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/ldapbp.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/providerutil.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jaas.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/ldapsec.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/commons-discovery-0.2.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/commons-logging-1.0.4.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/log4j-1.2.8.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-warp.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-jk.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-ajp.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-apr.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-jkstatus-ant.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/se[...]
```
[...]ever done it. Extract the downloaded file and copy the folders into the Tomcat server's directory structure as follows:
- go to server/webapps and copy the folder admin into CATALINA_HOME/server/webapps;
- go to config/Catalina/localhost and copy admin.xml into CATALINA_HOME/config/Catalina/localhost.

Here is the service you should be able to access from your browser at the address http://<tomcat_server_address>:<tomcat_port>/admin, e.g. http://ventenpoupe.int-evry.fr:8080/admin.

[Screenshot: Tomcat Server Administration login page (username and password form) at http://ventenpoupe.int-evry.fr:8080/admin.]

Figure 6: Tomcat administration tool page

As you can see from the above figure, Tomcat uses an authentication system that needs to be set up at first use. The following part explains how to do so.

D. Setting up the users authentication

Tomcat offers different ways of configuring the users' authentication for the hosted applications. Regarding our case, only two of them are relevant: the default one, which is a stand-alone authentication, and one using an LDAP database. Both configurations are explained below.

1. Default configuration

Tomcat initially provides a configuration file for setting this authentication list. This file is called tomcat-users.xml and is situated in the path CATALINA_HOME/config. As the [...]
[...] following example of this file shows, you can set the users authentication policy as you wish:

```xml
<tomcat-users>
  <role rolename="user"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="alliance" password="liberty" roles="manager,admin"/>
</tomcat-users>
```

Figure 7: example of the tomcat-users.xml file

The role tag allows you to create roles. Note that for the administration service and the management service included in Tomcat you must set up the admin and manager roles. The user tag allows you to define the authentication attributes of each user: the username attribute sets the login, the password attribute sets the password of the user associated with that username, and the roles attribute sets the role(s) associated with that username.

You may want to set up the authentication process for several applications. Tomcat lets you indicate whether an application requires authentication in the file web.xml of the WEB-INF directory of your application's folder, which is usually under CATALINA_HOME/webapps. The following example gives you an idea of how to set up this file for an application:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<web-app>
    <display-name>INTest</display-name>
    <resource-env-ref>
        <resource-env-ref-name>users</resource-env-ref-name>
        <resource-env-ref-type>org[...]
```
26. ice applications running under the Tomcat server, both of which will be in our circle of trust. That is to say, the ventenpoupe computer will host both the IdP and SP samples, and we will run a federated identity process with the same Ping Federate server playing the roles of IdP and SP. Regarding the main settings of the IdP and SP connections, please refer to the manual. Nevertheless, you must pay attention to the base URL you set up and the adapter names you choose. This base URL is the same as the one we entered in the local settings, since the IdP and SP computers are here the same. The full IdP connection and SP connection pages are placed in the appendixes. Note that for the authentication process these services do not refer to any database: the logins/passwords used to test the applications are stored in a file called pingfederate/sp/demo-users.props in the SP application directory, or pingfederate/idp/demo-users.props in the IdP application directory. The main pages of the services you should be able to reach are as follows:
[Screenshot: Identity Provider Main Page. "This is the main page of the IdP Sample Application. You can initiate Single Sign-on to any of the configured SP connections or perform single logout." SP Connection: Connection Id INT SAML2.0 server ("Click on the image to initiate Single sign-on"); User Attributes: authnContext PASSWORD, userid idp; Single Logout link]
27. ion samples provided by Ping Federate run under Tomcat, and also because it is a strong tool that supports both the standard web language (HTML) and Java applications by means of servlets. As we have explained before, the Tomcat server has been installed on the ventenpoupe computer. We are now going to describe the procedure for a standard installation of Tomcat, followed by some modifications in order to use the LDAP database we set up before.
A. Standard installation
The installation package is available at http://tomcat.apache.org under the Downloads menu. The version of Tomcat to download depends on the J2SE configuration. In any case, you must have J2SE installed on the ventenpoupe computer before going ahead. Since the version of J2SE we require is 1.5, the right version of Tomcat to download is Tomcat 5. We have installed Tomcat 5.5.20. Once you have reached the Downloads menu, you can click on the 5.5.20 link and start downloading the core distribution. You will also need to download the Administration Web Application if you want to use the administration toolkit (refer to the section dealing with this topic for more information). Create or choose a folder into which to extract the server files. We have chosen the path apache-tomcat-5.5.20. You finally need to set the environment variable CATALINA_HOME to the path of your server, e.g. CATALINA_HOME=apache-tomcat-5.5.20 an
28. ly signed AuthN requests / Always sign the SAML Assertion; Encryption Policy: Status; Credentials: Digital Signature Settings (Selected Certificate, Include Key Info), Signature Verification Certificate (Selected Certificate); Activation & Summary: Status.
[Appendix screenshot residue, SP connection summary (continued): adapter instance IdPJava (PF4 Standard Adapter v1.1), "Use only the Adapter Contract values in the SAML assertion", attribute userId; ACS URL /sp/ACS.saml2 (POST), SLO URL /sp/SLO.saml2 (POST); listed flags false, true, false, false, false; encryption policy Inactive; signing certificate CN=Config Signing Cert, O=Sample Organization, C=US (Include Key Info false); verification certificate CN=Config Signing Cert, O=Sample Organization, C=US; status Active]
SP connection_ITAM_Summary
Summary
SP Connection Role & Protocol: Connection Type SP; Protocol SAML v2.0
General Info: Partner's Entity ID (Connection ID) titania.ipv6.itam.mx; Base URL http://titania.ipv6.itam.mx:9030
Assertion Lifetime: Assertion Minutes Before 5; Assertion Minutes After 5
SAML Profiles: IdP-Initiated SSO true; IdP-Initiated SLO true; Attribute Query false; SP-Initiated SSO true; SP-Initiated SLO true
SP Web SSO: Enable Standard Identifier true
Attribute Contract: Attribute SAML_SUBJECT
IdP Adapter Mapping: Adapter instance name
IdP Adapter Mapping / Select Adapter Instance: Selected adapter
Assertion Mapping: Adapter Data Store or Assertion
Attribute Contract Fulfillment: SAML_SUBJECT
Assertion Consumer Service URL: Endpoint; End
29. n the appendix. Here are some comments about this file. The following line enables the use of the v2 standard of LDAP:
allow bind_v2
The following line indicates the root of the LDAP database:
dc=mondomaine,dc=com
The database administrator is under the distinguished name cn=admin,o=INT,c=FR. The password is liberty. To enable this, the following line must be added manually:
rootdn "cn=admin,dc=mondomaine,dc=com"
The following line, which must be added manually, gives the password:
rootpw admin
For better security it is advised to generate an encrypted password using the following command:
> slappasswd
New password:
Re-enter new password:
55 rdh5747747LDHDFHMDFHDDHD
Then the encrypted password must be copied in place of the former unencrypted password. To enable write rights on the base, the root of the base and the right login must be indicated:
access to attrs=userPassword
        by dn="cn=admin,dc=mondomaine,dc=com" write
        by anonymous auth
        by self write
        by * none
To enable read-only access to the base, the root of the base and the right login must also be indicated:
access to *
        by dn="cn=admin,dc=mondomaine,dc=com" write
        by * read
C. Running the server
The LDAP server can be launched by the following command:
> slapd -d 5 -h ldap://localhost:9009 -f /etc/ldap/slapd.conf
The -d parameter tells the server to display events. The good values
30. ners should have done the same the other way round. Once this is done, the connections are set up to allow communications between the Ping Federate servers. The figure shows an example of a configuration (cf. the scenarios part of the manual for more details).
[Figure 15: example of the partner connections in the Ping Federate server admin page. Partner Connections: IdP Connections (2): INT SAML2.0 server, oberon.ipv6.itam.mx; SP Connections (2): INT SAML2.0 server, titania.ipv6.itam.mx; SP Affiliations (0); "Manage All" / "Create New" links]
VI. THE SCENARIOS WE HAVE TESTED
In the project we have tried 3 scenarios, which we are going to explain here. The first one is a local test, the second one is a test with ITAM in Mexico and the third one is our application test. During the tests we have noticed that browsers (Mozilla Firefox and Microsoft Internet Explorer) keep login information. Therefore you may activate SLO or local sign-out, but the browser will still remember your identity; you must close the browser window to erase your identity parameters.
A. First case: local test
This case is the example provided by the Quick Start Guide (pdf file located in the quickstart/docs directory of Ping Federate). With the application samples provided by Ping Federate we will simulate an IdM and serv
31. ort CLASSPATH=$CLASSPATH:$CATALINA_HOME/bin/tomcat-jni.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/bin/commons-daemon.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/bin/commons-logging-api.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/bin/tomcat-juli.jar
export AXIS_HOME=/home/alliance/axis-1_4
export PATH=$AXIS_HOME/lib/commons-discovery.jar:$PATH
export PATH=$AXIS_HOME/lib/commons-logging.jar:$PATH
export PATH=$AXIS_HOME/lib/jaxrpc.jar:$PATH
export PATH=$AXIS_HOME/lib/log4j-1.2.4.jar:$PATH
export PATH=$AXIS_HOME/lib/saaj.jar:$PATH
export PATH=$AXIS_HOME/lib/wsdl4j.jar:$PATH
export PATH=$AXIS_HOME/lib/axis.jar:$PATH
export PATH=$AXIS_HOME/lib/activation.jar:$PATH
export PATH=$AXIS_HOME/lib/mail.jar:$PATH
IdP connection_INT_Summary
Summary information for your IdP connection. Click on a link to edit a particular configuration setting. Connection Status: Active / Inactive
Summary
IdP Connection Role & Protocol: Connection Type IdP; Protocol SAML v2.0
General Info: Partner's Entity ID (Connection ID) INT SAML2.0 server; Base URL http://cubitus.int-evry.fr:9030
SAML Profiles: IdP-Initiated SSO true; IdP-Initiated SLO true; Attribute Query false; SP-Initiated SSO true; SP-Initiated SLO true
IdP Web SSO / Identity Mapping: Enable Account Mapping true
Attribute Contract: Attribute SAML_SUBJECT
Adapter Mapping & User Lookup: Adapter instance name SPJava
32. ose the administrator is INT staff and the servers are in a subnetwork of INT, the notification mails will only be sent to INT addresses.
G. Some links
Installation and configuration of Postfix:
http://www.coagul.org/article.php3?id_article=192
http://www.linux-france.org/article/mail/postfix/jaco/HN3121
http://doc.ubuntu-fr.org/serveur/mail
Postfix documentation (English and French):
http://www.postfix.org/documentation.html
http://x.guimard.free.fr/postfix
J2SE INSTALLATION
Ping Federate and Tomcat both require J2SE to run. The installation of J2SE is rather easy: download the version of J2SE you need from http://java.sun.com/javase/downloads/index.jsp. The latest version of Ping Federate we have installed uses J2SE 1.5; this is the version installed on the cubitus computer. Tomcat may use J2SE 1.4 or J2SE 1.5, but to be homogeneous with the choice we had made on the cubitus computer we have installed J2SE 1.5. Please refer to the installation guide provided on Sun's web site when downloading J2SE for more information about setting up the Java environment. For your information, the variables JAVA_HOME and PATH we used are in both computers' bashrc files.
IV. TOMCAT SERVER INSTALLATION
As we didn't have any web service running inside our circle of trust, we have decided to use Tomcat as a web application server. The reason is firstly because the applicat
33. point; SLO Service URLs: Endpoint, Endpoint; Allowable SAML Bindings: Artifact, POST, Redirect; Artifact Lifetime: Artifact Lifetime (in seconds).
[Appendix screenshot residue, SP connection summary (continued): adapter instance LDAPINT (PF4 LDAP Authentication Service v1.0), "Use only the Adapter Contract values in the SAML assertion", attribute userId; ACS URLs http://titania.ipv6.itam.mx:9030/sp/ACS.saml2 (POST) and http://titania.ipv6.itam.mx:9030/sp/ACS.saml2 (Artifact); SLO URLs /sp/SLO.saml2 (Redirect) and /sp/SLO.saml2 (POST)]
Artifact Resolution: Artifact Resolution Endpoint
Signature Policy: Require digitally signed AuthN requests; Always sign the SAML Assertion
Encryption Policy: Status
Credentials / Back-Channel Authentication (Outbound): SOAP Authentication Type; Basic SOAP Authentication (Outbound) Username
Credentials / Back-Channel Authentication (Inbound): SOAP Authentication Type; SSL required; Basic SOAP Authentication (Inbound) Username
Digital Signature Settings: Selected Certificate; Include Key Info
Signature Verification Certificate: Selected Certificate
[Listed values: artifact resolution endpoint index 0, /sp/ARS.ssaml2; signature policy flags false, false; encryption policy Inactive; outbound HTTP Basic, username Edith; inbound HTTP Basic, SSL required false, username Edith; signing certificate CN=Config Signing Cert, O=Sample Organization, C=US, Include Key Info false; verification certificate CN=Default Config Signing Cert, OU=Dev, O=Ping, L=Denver, ST=CO, C=US]
34. r more details on the Internet (cf. Useful Information).
2. LDAP-based configuration
Once you are sure your LDAP database has been properly installed (cf. the LDAP Server Installation and Configuration part), you can use LDAP as the database for Tomcat to perform authentication, instead of the default authentication that Tomcat includes. To do so you need to install an API for Tomcat to communicate with LDAP, indicate to Tomcat how to find your database, and harmonise the attributes used by LDAP and Tomcat.
- Installation of the APIs
The API between the Java language and LDAP is part of Sun's JNDI interface, which you can download from the following web site: http://java.sun.com/products/jndi/downloads/index.html. We have downloaded JNDI 1.2.1, which includes all the LDAP APIs required for using LDAP in a Java language environment. Choose the place where you want to extract what has been downloaded. You should have three folders corresponding to the parts of the download: JNDI, LDAP and LDAPBP. Each part contains a lib directory of jar libraries. To make Tomcat use these libraries, you must move the content of the three lib directories into Tomcat's libraries directory, $CATALINA_HOME/server/lib. The final step to install the APIs is adding the libraries to the CLASSPATH variable of the bashrc file (see the example in the appendix). If you need to get into the JNDI classes, the official Java Doc is here: http://java.sun.com/jndi/1.2/java
35. rigin = /etc/mailname
mydestination = cubitus.int-evry.fr, localhost, localhost.localdomain, localhost
relayhost =
relay_domains =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter =
inet_interfaces = all
notify_classes = resource, software
home_mailbox = Maildir/
A. Ventenpoupe computer bashrc file
# some more ls aliases
alias ll='ls -l'
alias la='ls -A'
alias l='ls -CF'
# enable programmable completion features (you don't need to enable
# this if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
# eunice and pierre
export JAVA_HOME=/home/liberty/JDK/jdk1.5.0_10
export PATH=$JAVA_HOME/bin:$PATH
export PATH=$JAVA_HOME:$PATH
export CLIENT_AXIS=/home/liberty/Client_AXIS
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/axis-ant.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/saaj.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/commons-discovery-0.2.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/jaxrpc.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/axis.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/commons-logging-1.0.4.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/log4j-1.2.8.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/wsdl4j-1.5.1.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/activation.jar
export CLASSPATH=$CLASSPATH:$CLIENT_AXIS/lib/mail.jar
36. rootpw {SSHA}K2s6Z Rx4Q 84bE93ji393jxxr5UzPLk
# Where the database files are physically stored for database #1
directory /var/lib/ldap
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
replogfile /var/lib/ldap/replog
# The userPassword by default can be changed by the entry owning it if
# they are authenticated. Others should not be able to see it, except
# the admin entry below. These access lines apply to database #1 only.
access to attrs=userPassword
        by dn="cn=admin,c=FR" write
        by anonymous auth
        by self write
        by * none
# Ensure read access to the base for things like supportedSASLMechanisms.
# Without this you may have problems with SASL not knowing what
# mechanisms are available and the like. Note that this is covered by
# the 'access to *' ACL below too, but if you change that as people
# are wont to do, you'll still need this if you want SASL (and possibly
# other things) to work happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else can read everything.
access to *
        by dn="cn=admin,o=INT,c=FR" write
        by * read
# For Netscape Roaming support, each user gets a roaming profile for
# which they have write access to
#access to dn="ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=no
37. rs enables a user who already has access to a circle of trust (a set of services in the same domain, for example int-evry.fr) to access services from another circle of trust without having to pass through local authentication. This is possible because Ping Federate servers can interact with existing databases or directories. We have chosen to use an LDAP directory because PingFederate packages an LDAP Authentication Service Adapter and logon form that can authenticate users directly against an LDAP data store. It was interesting because we did not already have a centralized local authentication service. Thanks to this LDAP adapter it will be possible to authenticate to our IdP via a pop-up authentication window that searches our LDAP database.
A. Server installation
LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other programs use to look up information from a server. LDAP is appropriate for any kind of directory-like information where fast lookups and less frequent updates are the norm. To install the LDAP server we downloaded the following packages via Synaptic Package Manager (reachable via System > Administration > Synaptic Package Manager): ldap-utils, libldap-2.2-7, libldap2-dev, slapd. The password for the LDAP server is liberty.
B. Server configuration
The configuration file can be found at /etc/ldap/slapd.conf. A copy of this file is i
38. rver/lib/tomcat-http11.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-http.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/catalina.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-coyote.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/commons-modeler.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/commons-fileupload-1.0.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/servlets-invoker.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-jk2.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/servlets-webdav.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/servlets-cgi.renametojar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/servlets-ssi.renametojar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/catalina-ant.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/catalina-ant-jmx.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/catalina-cluster.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/catalina-optional.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/catalina-storeconfig.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/mx4j-jmx.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/jaas.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/commons-logging.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/server/lib/tomcat-util.jar
export CLASSPATH=$CLASSPATH:$CAT
39. s ldapbrowser screenshot.
[Figure 3: ldapBrowser screenshot. LDAP Browser/Editor v2.8.2 connected to ldap://cubitus.int-evry.fr:9009, base o=INT,c=FR, showing inetOrgPerson entries (cn=Pierre, cn=Utilisateur, cn=Uciel, Eunice Mondesir with mail eunice.mondesir@int-evry.fr, Francisco) and their attribute/value panel]
F. Some links
Here are some useful links to go further (the links are in French):
http://blog.thelinuxfr.org/index.php?post/2006/09/01/56-installation-et-configuration-d-un-serveur-lda (Installation and configuration of an LDAP server with (K)Ubuntu)
http://www-public.int-evry.fr/~gardie/LDAP/ListeTP.html (LDAP labs of Mr Michel GARDIE, professor at INT)
Links about CAS (Central Authentication Service):
http://fr.wikipedia.org/wiki/Central_Authentication_Service
http://www.ja-sig.org/products/cas/index.html
http://www.esup-portail.org/consortium/espace/SSO_1_B/cas/jres/cas_jres2003_article_web.htm#_Toc52002547
II. POSTFIX MAILSERVER INSTALLATION
A. Installation
We have installed a mail server on the cubitus computer so that the Ping Federate server can send notifications (e.g. when the licence happens to be out of date). The mail server we used is Postfix. We installed it by downloading the following packages in Synaptic
40. s.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/commons-logging-1.0.4.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/log4j-1.2.8.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/webapps/axis/WEB-INF/lib/wsdl4j-1.5.1.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/activation.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/commons-dbcp-1.1.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jasper-runtime.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/mail.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/servlet.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/servlet-api.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/ant.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/commons-logging-api.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jdbc2_0-stdext.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/naming-common.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/ant-launcher.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/commons-pool-1.1.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/jndi.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/naming-factory.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/naming-factory-dbcp.jar
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib/commons-coll
41. s you should be able to reach are as follows:
[Figure 20: main page of the IdP application sample, case 2. Identity Provider Main Page: "This is the main page of the IdP Sample Application. You can initiate Single Sign-on to any of the configured SP connections or perform single logout." SP connections: titania.ipv6.itam.mx and INT SAML2.0 server ("Click on the image to initiate Single sign-on"); User Attributes: authnContext PASSWORD, userid idp; Single Logout ("Click on the link for Single Logout") and Local Logout ("Click on the link for Local logout") links]
[Figure 21: login page of the SP application sample, case 2. Service Provider Login: Local Login (Login ID Joe, Password); "Login through: Select an IdP connection from the drop-down and click Login", with oberon.ipv6.itam.mx selected]
We can clearly see here that INT's and ITAM's IdPs are both known to the service.
[Screenshot: Service Provider Main Page. "This is the main page of the SP Sample Application. You can initiate Single Sign-on to any of the configured IdP connections or perform single logout." IdP Connection / User Attributes: Connection Id oberon.ipv6.i
42. start && sudo /etc/init.d/courier-imap restart && sudo /etc/init.d/courier-authdaemon restart
E. Sending e-mail in terminal mode
In order to send mails with the mail Linux command (console mode), we have installed Mailx. The command is mail <recipient>, as shown in the following example:
> mail eunice.mondesir@int-evry.fr
Subject: Test
Identity Federation is very cool
>
Between each field you must press the Enter key. After the last field you must press Enter, then CTRL-D. Both the MTA (Mail Transfer Agent) and the MDA (Mail Delivery Agent) have been installed on cubitus; we don't expect to receive or send many emails, since this mailbox is only dedicated to sending automatic notifications.
F. Mail client
In order to check the received mails we have installed the MUA (Mail User Agent, i.e. mail client) Mozilla Thunderbird. To do that we installed the mozilla-thunderbird package. The requested parameters for the configuration of Thunderbird are as follows (they can be modified in Edit > Account parameters in the Linux Thunderbird):
- Account Name (optional): Liberty
- Email Address: liberty@cubitus.int-evry.fr
- Password: liberty (Linux user password)
- Server parameters: IMAP server (MDA) 157.159.103.165, port 143 (cubitus IP); SMTP server (MTA) 157.159.103.165, port 25
[Screenshot: Thunderbird window (French interface), incoming mail folder]
43. tam.mx, userid Joe; "Click on the image to initiate Single sign-on"; ForceAuthn and isPassive checkboxes; Single Logout ("Click on the link for Single logout"); IdP Connection: Connection Id INT SAML2.0 server ("Click on the image to initiate Single sign-on"), ForceAuthn and isPassive checkboxes; Local Logout ("Click on the link for Local logout")]
Figure 22: main page of the SP application sample, case 2
C. Third case: test with LDAP
This case tests the PF LDAP adapter on the IdP side. It is then possible to test SP-initiated SSO/SLO, and it works from both ITAM's and INT's SP application samples. In that case the user name is not shown in the login field, as the IdP and SP application samples do; instead the user needs to know his/her login and password. These can be any of the login/password pairs entered in the LDAP database. Working from the previous case(s), if you need to set up this case you only have to change IdPJava to LDAPINT (as long as you have created the LDAPINT IdP adapter, as we have explained before) in each SP partner connection you want. The SP login and main pages will remain exactly the same; the only difference is that you will not be taken to INT's IdP login page as before. A login form will appear, like the one illustrated here:
44. the management service, and user to access the INTest test service (our application). Here are the authentication form of the service we have made (INTest) and the main page of the service:
[Figure 10: authentication popup on the Tomcat INTest service. Internet Explorer dialog for http://ventenpoupe.int-evry.fr:8080/INTest (translated from French): "The server ventenpoupe.int-evry.fr at INTest requires a username and password. Warning: this server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)." Fields: User name (Utilisateur), Password, "Remember my password"]
[Figure 11: Tomcat INTest service main page after authentication]
E. Useful links
To install the security policy on Tomcat:
http://www.agora-2ia.net/mediawiki/index.php?title=Tomcat
http://tomcat.apache.org/tomcat-5.5-doc/jndi-resources-howto.html
http://beuss.developpez.com/tutoriels/tomcat/authentification-formulaire
For general information:
http://www.igm
45. the server if you change this
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload
#######################################################################
# SSL:
# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
#TLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#TLSCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "o=INT,c=FR"
rootdn "cn=admin,o=INT,c=FR"
46. univ-mlv.fr/dr/XPOSE2003/tomcat/tomcat.php?rub=20
http://www-inf.int-evry.fr/cours/WebServices (Samir TATA's teaching labs page, INT)
V. INSTALLING AND CONFIGURING PING FEDERATE
To install Ping Federate you must download the product archive from the following website: http://pingfederate.com/products/pingfederate/download. Since we were not constrained by the existing structure in which we had to deploy Ping Federate, we have chosen to install the latest version, Ping Federate 4.2. Note that you will require a license to use Ping Federate for free during 90 days or the first 100,000 transactions, whichever comes first. It takes 2 working days max to receive the license, so be aware that during this gap you CAN NOT set up Ping Federate. As we have seen, a Ping Federate server can play the role of an IdP, an SP, or both. According to your infrastructure and policy you may need to install Ping Federate on different computers with dedicated roles. In our case one computer, the cubitus computer, plays the roles of both IdP and SP. The installation itself is not difficult; we invite you to consult the PingFederate_Admin_Manual.pdf file, located in the docs directory of the Ping Federate folder, and follow its installation instructions. The main page of the server, https://<pingfederate_server_name>:<pingfederate_port>/pingfederate/app (for example https://cubitus.int-evry.fr:9999/pingfederate/app), loads a
47. vry.fr; Email Server 157.159.103.165; SMTP Port 25; Username liberty]
Figure 12: local settings page of the Ping Federate server
Adapters
We have installed two adapters: a standard adapter and an LDAP adapter. For the standard adapter the configuration has been set according to the manual; the only part to care about is that we put in the Logout Service and Authentication Service fields the address http://ventenpoupe.int-evry.fr:8080, which refers to our Tomcat server. In the following summary of the LDAP adapter we can see the filter setting used to look up the database entries, cn=${username}, where ${username} is a token that corresponds to the login entered in the authentication form that the adapter provides.
[Screenshot: Main > Manage IdP Adapter Instances > Create Adapter Instance (Adapter Type, IdP Adapter, Adapter Attributes, Summary). IdP adapter instance summary information: Adapter Instance Name LDAPINT; Adapter Instance Id LDAPINT; Adapter Type PF4 LDAP Authentication Service v1.0; Adapter Class Name com.pingidentity.adapters.ldap.idp.LdapIdpAuthnAdapter; IdP Adapter: LDAP Datastore LDAP 2343F 3AE0AB20E65 184C7 18D 53D 5FB24ECE3A92A; Search Base o=INT,c=FR; Search Filter cn=${username}; Realm INTest; Scope of Search SUBTREE_SCOPE; Connection Pooling false; Operational Mode BASIC_AUTHN; Challenge Retries
