{"id":612,"date":"2016-01-22T15:52:35","date_gmt":"2016-01-22T13:52:35","guid":{"rendered":"https:\/\/taat.edu.ee\/main\/?page_id=612"},"modified":"2024-12-09T15:29:17","modified_gmt":"2024-12-09T13:29:17","slug":"idp-juhend","status":"publish","type":"page","link":"https:\/\/taat.edu.ee\/main\/idp-juhend\/","title":{"rendered":"IdP guide"},"content":{"rendered":"<h1><span style=\"color: #333333;\"><strong>IdP guide: installing and configuring SimpleSAMLphp and connecting it to TAAT<\/strong><\/span><\/h1>\n<ol>\n<li>Make sure the server settings meet the SimpleSAMLphp requirements: <a href=\"https:\/\/simplesamlphp.org\/docs\/stable\/simplesamlphp-install#section_3\">https:\/\/simplesamlphp.org\/docs\/stable\/simplesamlphp-install#section_3<\/a><\/li>\n<li>Download SimpleSAMLphp from <a href=\"http:\/\/simplesamlphp.org\/download\">http:\/\/simplesamlphp.org\/download<\/a> and unpack the archive on your web server.<\/li>\n<li>Make sure the web server configuration (vhost) allows access to the installation directory. If Suhosin is in use, it must be configured to accept longer GET parameter values: a SAML message sent with the HTTP-Redirect binding travels as one deflated, base64-encoded query parameter and easily exceeds Suhosin's default limit of 512 bytes. 
On Debian, in the file <em>\/etc\/php5\/apache2\/conf.d\/suhosin.ini<\/em>:\n<pre>suhosin.get.max_value_length = 2048<\/pre>\n<\/li>\n<li>Go to the installation directory and copy the files <em>config.php<\/em> and <em>authsources.php<\/em> from <em>config-templates\/<\/em> into <em>config\/<\/em>, and the file <em>saml20-idp-hosted.php<\/em> from <em>metadata-templates\/<\/em> into <em>metadata\/<\/em>:\n<pre>cp config-templates\/config.php config-templates\/authsources.php config<\/pre>\n<pre>cp metadata-templates\/saml20-idp-hosted.php metadata<\/pre>\n<\/li>\n<li>In the file <em>config\/config.php<\/em> change the following lines:\n<ul>\n<li>the URL path under which SimpleSAMLphp is served; if it is served from the web root, set this to <code>'\/'<\/code>\n<pre>'baseurlpath' =&gt; 'myinstalldir\/',<\/pre>\n<\/li>\n<li>enable the IdP functionality (a boolean, not the string <code>'true'<\/code>)\n<pre>'enable.saml20-idp' =&gt; true,<\/pre>\n<\/li>\n<li>the secret salt; generate it with the command given in the template's comment above this setting, or enter a long random string yourself. Other secrets such as persistent identifiers are derived from it, so set it once and do not change it after the IdP is in use\n<pre>'secretsalt' =&gt; 'randomstring',<\/pre>\n<\/li>\n<li>administrative data (SimpleSAMLphp can store a salted hash here instead of the clear-text password; see <em>bin\/pwgen.php<\/em> in the installation)\n<pre>'auth.adminpassword' =&gt; 'administratorpassword',\n'technicalcontact_name' =&gt; 'name of the technical contact',\n'technicalcontact_email' =&gt; 'e-mail address of the technical contact',<\/pre>\n<\/li>\n<li>the time zone\n<pre>'timezone' =&gt; 'Europe\/Tallinn',<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>In the same file find the <em>authproc.idp<\/em> block (at the very bottom) and make sure it contains the line\n<pre>100 =&gt; array('class' =&gt; 
'core:AttributeMap', 'name2urn'),<\/pre>\n<\/li>\n<li>In the file <em>config\/authsources.php<\/em> comment out every authentication source you do not use and uncomment the one you do use (an SQL database, LDAP or something else). For testing, <em>exampleauth:UserPass<\/em> is the most convenient.<\/li>\n<li>Configure the chosen authentication source to match your own authentication system, keeping in mind that you must release the attributes required by the TAAT Technological Profile (<a href=\"https:\/\/taat.edu.ee\/main\/dokumendid\/\">https:\/\/taat.edu.ee\/main\/dokumendid\/<\/a>).<br \/>\n<strong>NB!<\/strong> If authentication happens in one system (e.g. LDAP) and the required data is taken from another (e.g. an SQL database), there is a separate attribute collector module for that: <a href=\"https:\/\/github.com\/NIIF\/simplesamlphp-module-attributecollector\">https:\/\/github.com\/NIIF\/simplesamlphp-module-attributecollector<\/a><\/li>\n<li>Enable the module of the chosen authentication source (here <em>exampleauth<\/em>; its static test accounts must not stay enabled on a production IdP):\n<pre>touch modules\/exampleauth\/enable<\/pre>\n<\/li>\n<li>In the file <em>metadata\/saml20-idp-hosted.php<\/em> change the following lines:\n<pre>'certificate' =&gt; 'server.crt',\n'privatekey' =&gt; 'server.pem', \/\/ certificate data according to the certificates you use\n'auth' =&gt; 'example-userpass', \/\/ the authentication source you use<\/pre>\n<p>and add the following (each setting on its own line):<\/p>\n<pre>'sign.logout' =&gt; TRUE, \/\/ sign logout messages sent from this IdP\n'validate.authnrequest' =&gt; TRUE, \/\/ require signatures on authentication requests sent to this IdP\n'validate.logout' =&gt; TRUE, \/\/ require signatures on logout messages sent to this IdP\n'redirect.sign' =&gt; TRUE, \/\/ sign 
logout requests and responses sent from this IdP\n'redirect.validate' =&gt; TRUE, \/\/ validate logout requests and responses sent to this IdP<\/pre>\n<p>The certificate and key files are looked up in the <em>cert\/<\/em> directory of the installation. Keep the private key readable by the web server user only.<\/p>\n<h1 id=\"jaoturid\"><span style=\"color: #333333;\">Connecting to the TAAT hubs<\/span><\/h1>\n<\/li>\n<li>Enable the following modules:\n<ol>\n<li><b>cron<\/b><\/li>\n<li><b>metarefresh<\/b><\/li>\n<\/ol>\n<p>The cron module runs the given jobs periodically.<\/p>\n<p>The metarefresh module downloads and parses the hub metadata and stores it in a local cache.<\/p>\n<p>First copy the config templates of the modules named above into the global <i>config\/<\/i> directory:<\/p>\n<pre>[root@simplesamlphp] cd \/var\/simplesamlphp\r\n[root@simplesamlphp simplesamlphp] touch modules\/cron\/enable\r\n[root@simplesamlphp simplesamlphp] cp modules\/cron\/config-templates\/*.php config\/\r\n[root@simplesamlphp simplesamlphp] touch modules\/metarefresh\/enable\r\n[root@simplesamlphp simplesamlphp] cp modules\/metarefresh\/config-templates\/*.php config\/\r\n<\/pre>\n<h2><span id=\"Konfiguratsiooni_t.C3.A4iendused\" class=\"mw-headline\" style=\"color: #333333;\">Metarefresh configuration additions<\/span><\/h2>\n<p>Edit the file <em>config\/config-metarefresh.php<\/em> according to whether you want to connect to the test or the production hub. The <em>template<\/em> values are merged into every SP entry loaded from that source, so the two <code>FALSE<\/code> entries relax the signature requirement for the hub's SP entities only; the IdP-wide <code>TRUE<\/code> set in <em>saml20-idp-hosted.php<\/em> still applies to every other SP. The <em>validateFingerprint<\/em> value is the SHA-1 fingerprint of the certificate that signs the hub metadata: metarefresh verifies the XML signature of each download against a certificate with this fingerprint and discards the file if it does not verify, which is what protects the IdP against a spoofed metadata feed.<\/p>\n<pre>&lt;?php\r\n$config = array(\r\n  'sets' =&gt; array(\r\n    \/\/ TAAT production hub for an identity provider\r\n    'taat-prod' =&gt; array(\r\n      'cron'      =&gt; array('hourly'),\r\n      'sources'   =&gt; array(\r\n        array(\r\n          'src' =&gt; 
'https:\/\/taeva.taat.edu.ee\/metadata\/metadata.taat+hub+prod+sp.xml',\r\n          'validateFingerprint' =&gt; 'E8:9A:5C:BB:05:BD:E4:16:F7:6F:47:E8:F6:1E:94:EE:7C:FC:29:0C',\r\n          'template' =&gt; array(\r\n            'tags'  =&gt; array('taat-prod'),\r\n            'validate.authnrequest' =&gt; FALSE,\r\n            'validate.logout' =&gt; FALSE,\r\n          ),\r\n        ),\r\n      ),\r\n\r\n      'expireAfter'       =&gt; 60*60*24*4, \/\/ Maximum 4 days cache time.\r\n      'outputDir'     =&gt; 'metadata\/taat-prod\/',\r\n      'outputFormat' =&gt; 'flatfile',\r\n    ),\r\n\r\n    \/\/ TAAT test hub for an identity provider\r\n    'taat-test' =&gt; array(\r\n      'cron'      =&gt; array('hourly'),\r\n      'sources'   =&gt; array(\r\n        array(\r\n          'src' =&gt; 'https:\/\/taeva.taat.edu.ee\/metadata\/metadata.taat+hub+test+sp.xml',\r\n          'validateFingerprint' =&gt; 'E8:9A:5C:BB:05:BD:E4:16:F7:6F:47:E8:F6:1E:94:EE:7C:FC:29:0C',\r\n          'template' =&gt; array(\r\n            'tags'  =&gt; array('taat-test'),\r\n            
'validate.authnrequest' =&gt; FALSE,\r\n            'validate.logout' =&gt; FALSE,\r\n          ),\r\n        ),\r\n      ),\r\n\r\n      'expireAfter'       =&gt; 60*60*24*4, \/\/ Maximum 4 days cache time.\r\n      'outputDir'     =&gt; 'metadata\/taat-test\/',\r\n      'outputFormat' =&gt; 'flatfile',\r\n    ),\r\n  ),\r\n);<\/pre>\n<\/li>\n<li>Create a separate directory for the TAAT hub metadata and make it writable for the web server. Do not make it world-writable (<code>chmod go+rw<\/code>): any local user could then plant SP metadata that your IdP would trust. Give ownership to the web server user instead (<em>apache<\/em> here, as in the cron job below; <em>www-data<\/em> on Debian) and keep the mode at 750:\n<pre>mkdir -p metadata\/taat-prod metadata\/taat-test\r\nchown apache metadata\/taat-prod metadata\/taat-test\r\nchmod 750 metadata\/taat-prod metadata\/taat-test<\/pre>\n<\/li>\n<li><span id=\"config.2Fconfig.php\" class=\"mw-headline\">Add the hub metadata locations to the file <em>config\/config.php<\/em>:<br \/>\n<\/span>\n<pre># ... rest of the file\r\n#\r\n# Find the 'metadata.sources' section and make it read:\r\n  'metadata.sources' =&gt; array(\r\n    array('type' =&gt; 'flatfile', 'directory' =&gt; 'metadata'),\r\n    array('type' =&gt; 'flatfile', 'directory' =&gt; 'metadata\/taat-prod'),\r\n    array('type' =&gt; 'flatfile', 'directory' =&gt; 'metadata\/taat-test'),\r\n),\r\n# ... 
rest of the file<\/pre>\n<\/li>\n<li>You must set a key for cron (marked RANDOM_KEY in the files); otherwise anyone can call the cron endpoint and trigger the jobs. Use a long random value, for example the output of <code>openssl rand -hex 16<\/code>, and put the same value into the cron job below. The key is passed as a URL parameter, so it ends up in web server access logs: serve the endpoint over HTTPS only and treat the key like a password.\n<pre>&lt;?php\r\n\/*\r\n * Configuration for the Cron module.\r\n *\r\n * $Id: $\r\n *\/\r\n$config = array (\r\n        'key' =&gt; 'RANDOM_KEY',\r\n        'allowed_tags' =&gt; array('daily', 'hourly', 'frequent'),\r\n        'debug_message' =&gt; false,\r\n        'sendemail' =&gt; false,\r\n);\r\n?&gt;<\/pre>\n<\/li>\n<li>Add the cron job:<br \/>\nFor example a file <em>simplesamlphp_cron<\/em> in <em>\/etc\/cron.d\/<\/em> (the line format with a user field is the one used there):\n<pre># Run SimpleSAMLphp hourly tasks at the second minute of every hour\r\n2 * * * * apache curl --silent  \"https:\/\/SERVER\/simplesaml\/module.php\/cron\/cron.php?key=RANDOM_KEY&amp;tag=hourly\" &gt; \/dev\/null 2&gt;&amp;1<\/pre>\n<p><span style=\"color: #800000;\"><strong>NB! If you upgraded an earlier SSP configuration to metarefresh, you must delete the <a href=\"https:\/\/reos.taat.edu.ee\">reos.taat.edu.ee<\/a> and\/or <a href=\"https:\/\/sarvik.taat.edu.ee\">sarvik.taat.edu.ee<\/a> metadata created (in step 10 of the <span style=\"color: #3366ff;\"><a style=\"color: #3366ff;\" href=\"https:\/\/taat.edu.ee\/main\/wp-content\/uploads\/idp-juhend.pdf\">old guide<\/a><\/span>) in the file <em>metadata\/saml20-sp-remote.php<\/em>: the <em>metadata<\/em> directory is listed first in <em>metadata.sources<\/em>, so a stale hand-maintained entry would take precedence over the refreshed one.<\/strong><\/span><\/p>\n<h2><span style=\"color: #333333;\">JANUS (creating a new connection)<\/span><\/h2>\n<\/li>\n<li>Create a user in JANUS at <a href=\"https:\/\/taeva.taat.edu.ee\/module.php\/janus\/index.php\">https:\/\/taeva.taat.edu.ee\/module.php\/janus\/index.php<\/a><\/li>\n<li>Add a new connection in JANUS (\"Create connection\"), where the ID is the \"entity id\" found on your own SimpleSAMLphp installation page under the \"Federation\" menu, and the connection type is \"SAML 2.0 IdP\". 
The XML does not need to be copied at this point.<\/li>\n<li>Select the created connection and go to the \"Import metadata\" page. Paste your metadata XML or its link, which you find on your SimpleSAMLphp installation page on the \"Federation\" tab by clicking \"show metadata\".<\/li>\n<li>On the \"Metadata\" tab add the metadata required by the TAAT Technological Profile (<a href=\"https:\/\/taat.edu.ee\/main\/dokumendid\/\">https:\/\/taat.edu.ee\/main\/dokumendid\/<\/a>).<\/li>\n<li>Test logging in on the TAAT test page <a href=\"https:\/\/eitja.taat.edu.ee\/\">https:\/\/eitja.taat.edu.ee\/<\/a><br \/>\n<strong>NB!<\/strong> The hub data is refreshed once every 5 minutes. If your connection does not work immediately, wait 5 minutes and try again.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>IdP guide: installing and configuring SimpleSAMLphp and connecting it to TAAT. Make sure the server settings meet the SimpleSAMLphp requirements https:\/\/simplesamlphp.org\/docs\/stable\/simplesamlphp-install#section_3 Download SimpleSAMLphp from http:\/\/simplesamlphp.org\/download and unpack the archive on your web server. Make sure the web server configuration (vhost) allows access to the installation directory. If Suhosin is in use, it must be configured to accept longer GET parameter values. 
On Debian, in the file \/etc\/php5\/apache2\/conf.d\/suhosin.ini suhosin.get.max_value_length = 2048 Go to [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages\/612"}],"collection":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/comments?post=612"}],"version-history":[{"count":74,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages\/612\/revisions"}],"predecessor-version":[{"id":925,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages\/612\/revisions\/925"}],"wp:attachment":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/media?parent=612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
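As an added example that is not part of the TAAT guide above nor of SimpleSAMLphp itself, the following POSIX shell script gathers the security-sensitive preparation steps of the procedure in one place: generating the random value used for `secretsalt` in config.php and for `key` in the cron module configuration, creating the IdP signing key pair referenced as `server.crt`/`server.pem` in saml20-idp-hosted.php with a private key nobody else can read, creating the metarefresh output directory without making it world-writable, and checking that the certificate which signs a hub metadata document has the SHA-1 fingerprint pinned in `validateFingerprint`. The metadata document it inspects is constructed inline around a freshly generated certificate (no network access is needed); the host name `idp.example.org`, the web server user and the directory names are placeholders, and the script assumes the signing certificate is the first `ds:X509Certificate` inside the document-level `ds:Signature` element, which is where metarefresh looks for it too.

```shell
#!/bin/sh
# Added example for the SimpleSAMLphp IdP guide: not code from the TAAT page or
# from SimpleSAMLphp. Needs a POSIX shell and the openssl command line tool.
set -u

# Random value for 'secretsalt' in config.php or 'key' in module_cron.php (64 hex chars).
gen_secret() {
    openssl rand -hex 32
}

# Self-signed signing key pair for metadata/saml20-idp-hosted.php
# ('certificate' => 'server.crt', 'privatekey' => 'server.pem') written into $1 for CN $2.
# The key is written under umask 077 so only its owner can read it.
make_idp_keypair() {
    dir=$1; cn=$2
    old_umask=$(umask)
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn" -keyout "$dir/server.pem" -out "$dir/server.crt" 2>/dev/null
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return "$rc"
    chmod 0644 "$dir/server.crt"   # the certificate is public, the key stays 0600
}

# SHA-1 fingerprint of a PEM certificate in the colon-separated upper-case form
# used by 'validateFingerprint' in config-metarefresh.php.
cert_fingerprint_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr 'a-f' 'A-F'
}

# Extract the metadata signing certificate: the first <ds:X509Certificate> inside the
# document-level <ds:Signature> element of $1 (assumption, see lead-in). Writes PEM to $2.
signing_cert_from_metadata() {
    b64=$(awk '
        /<ds:Signature[ >]/ { insig = 1 }
        insig && /<ds:X509Certificate>/ { incert = 1; sub(/.*<ds:X509Certificate>/, "") }
        incert {
            line = $0
            if (line ~ /<\/ds:X509Certificate>/) {
                sub(/<\/ds:X509Certificate>.*/, "", line)
                print buf line
                exit
            }
            buf = buf line
        }
        /<\/ds:Signature>/ { insig = 0 }
    ' "$1" | tr -d ' \t\r\n')
    [ -n "$b64" ] || return 1
    {
        echo "-----BEGIN CERTIFICATE-----"
        printf '%s\n' "$(printf '%s' "$b64" | fold -w 64)"
        echo "-----END CERTIFICATE-----"
    } > "$2"
}

# Compare the fingerprint of certificate $1 with the pinned value $2 (case-insensitive).
# Returns 0 on match, 1 on mismatch: on mismatch the metadata must not be loaded.
check_pinned_fingerprint() {
    actual=$(cert_fingerprint_sha1 "$1")
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# metarefresh output directory $1 owned by web server user $2 with mode 0750,
# instead of the world-writable 'chmod go+rw'.
setup_metadata_dir() {
    dir=$1; webuser=$2
    mkdir -p "$dir"
    chown "$webuser" "$dir"
    chmod 0750 "$dir"
}

# Constructed (not real) hub metadata document carrying certificate $1 in the same
# ds:Signature/ds:KeyInfo layout a signed aggregate uses; written to $2.
constructed_metadata() {
    body=$(grep -v -- '-----' "$1" | tr -d '\n')
    cat > "$2" <<EOF
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
$body
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://hub.example.org/sp"/>
</md:EntitiesDescriptor>
EOF
}

# Walks through the whole flow in a temporary directory; run with: sh thisfile.sh demo
demo() {
    work=$(mktemp -d)
    make_idp_keypair "$work" idp.example.org
    echo "secretsalt / cron key: $(gen_secret)"
    echo "IdP certificate fingerprint: $(cert_fingerprint_sha1 "$work/server.crt")"
    setup_metadata_dir "$work/metadata/taat-prod" "$(id -un)"
    # Pretend the IdP certificate is the hub's metadata signing certificate.
    pinned=$(cert_fingerprint_sha1 "$work/server.crt")
    constructed_metadata "$work/server.crt" "$work/hub.xml"
    signing_cert_from_metadata "$work/hub.xml" "$work/hub-signer.crt"
    if check_pinned_fingerprint "$work/hub-signer.crt" "$pinned"; then
        echo "metadata signer matches validateFingerprint $pinned"
    else
        echo "FINGERPRINT MISMATCH: do not load this metadata" >&2
    fi
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

In production the `chown` target is the account the web server runs as (`apache` in the guide's cron line, `www-data` on Debian), and the pinned value compared against is the one you copied into `config-metarefresh.php`; a mismatch means either the hub rotated its signing certificate or the download is not from the hub, and in both cases the file must stay out of `metadata/taat-prod`.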