{"id":674,"date":"2016-01-22T17:39:54","date_gmt":"2016-01-22T15:39:54","guid":{"rendered":"https:\/\/taat.edu.ee\/main\/?page_id=674"},"modified":"2024-12-09T15:29:39","modified_gmt":"2024-12-09T13:29:39","slug":"sp-juhend","status":"publish","type":"page","link":"https:\/\/taat.edu.ee\/main\/sp-juhend\/","title":{"rendered":"SP-juhend"},"content":{"rendered":"

SP juhend SimpleSAMLphp paigaldamiseks, seadistamiseks ja \u00fchendamiseks TAATiga.<\/span><\/h1>\n
    \n
  1. Laadige alla SimpleSAMLphp lehelt http:\/\/simplesamlphp.org\/download<\/a> ning pakkige arhiiv lahti oma veebiserverisse.<\/li>\n
  2. Veenduge, et serveri konfiguratsioon (vhost) v\u00f5imaldaks v\u00f5imaldaks ligip\u00e4\u00e4su installatsioonikausta. Kui on kasutusel Suhosin, siis on vaja see seadistada lubama pikemaid GET parameetrite v\u00e4\u00e4rtuseid. Debiani puhul failis \/etc\/php5\/apache2\/conf.d\/suhosin.ini<\/em>
    \nsuhosin.get.max_value_length = 2048<\/li>\n
  3. Navigeerige installatsioonikausta ja kopeerige kaustast config-templates\/<\/em> failid config.php<\/em> ja authsources.php<\/em> kausta config\/<\/em> ning metadata-templates\/<\/em> kaustast fail saml20-idp-hosted.php<\/em> kausta metadata\/<\/em> :\n
    cp config-templates\/config.php config-templates\/authsources.php config<\/pre>\n
    cp metadata-templates\/saml20-idp-hosted.php metadata<\/pre>\n<\/li>\n
  4. Muutke failis config\/config.php<\/em> j\u00e4rgmised read:\n
    \r\n\/\/ juurkataloogi puhul tuleb installatsioonikaustaks m\u00e4\u00e4rata '\/'\r\n'baseurlpath' => 'minuinstallatsioonikaust\/',\r\n\/\/ s\u00fcmbolijada genereerimiseks v\u00f5ib kasutada SimpleSAMLphp koodi kommentaarides olevat juhendit v\u00f5i sisestada see ise\r\n'secretsalt' => 'suvalines\u00fcmbolijada',\r\n\/\/ lisage administratiivandmed\r\n'auth.adminpassword' => 'administraatoriparool',\r\n'technicalcontact_name' => 'tehnilise kontaktisiku nimi',\r\n'technicalcontact_email' => 'tehnilise kontaktisiku e-postiaadress',\r\n\/\/ m\u00e4\u00e4rake ajatsoon\r\n'timezone' => 'Europe\/Tallinn',\r\n<\/code><\/pre>\n<\/li>\n
  5. Leidke samas failis authproc.idp<\/em> plokk (k\u00f5ige all), veenduge, et selles oleks rida
    \n10 => array(\u00a0‘class’ => ‘core:AttributeMap’, ‘name2urn’),<\/li>\n
  6. Failis authsources.php<\/em> muutke default-sp nimi vastavaks oma teenuse nimega ning lisage read:
    \n
    ‘certificate’ => ‘server.crt’,
    \n‘privatekey’ => ‘server.pem’,
    \n‘redirect.sign’ => TRUE, \/\/ sign authn requests, logout requestsand responses sent from this SP
    \n‘redirect.validate’ => TRUE, \/\/ validate signature of authn requests, logout requests and responses sent to this SP
    \n‘sign.authnrequest’ => TRUE, \/\/ sign authentication requests sent from this SP
    \n‘sign.logout’ => TRUE, \/\/ sign logout messages sent from this SP
    \n‘validate.logout’ => TRUE, \/\/ validate signature of logout messages sent to this SP<\/p><\/blockquote>\n<\/li>\n
  7. Kaustas cert\/ peab olema kehtiv sertifikaat. Self-signed sertifikaadi saab genereerida nii:\n
     rm server*<\/pre>\n
     openssl req -nodes -new -keyout server.pem -newkey rsa:2048 > server.csr<\/pre>\n
     openssl x509 -req -days 1095 -in server.csr -signkey server.pem -out server.crt<\/pre>\n
     chgrp www-data server.*<\/pre>\n
     chmod o-r server.pem<\/pre>\n
    TAAT-i jaoturitega \u00fchendamine<\/span><\/h2>\n<\/li>\n
  8. Aktiveerige j\u00e4rgnevad moodulid:\n
      \n
    1. cron<\/b><\/li>\n
    2. metarefresh<\/b><\/li>\n<\/ol>\n
      Croni moodul k\u00e4ivitab etteantud t\u00f6id perioodiliselt.<\/p>\n
      Metarefresh moodul laeb alla ja parsib metaandmed ning salvestab need lokaalselt vahem\u00e4llu.<\/p>\n
      Esmalt kopeerige config-templates failide seast \u00fclalpool mainitud moodulid globaalsesse config\/<\/i> kausta.<\/p>\n
      [root@simplesamlphp] cd \/var\/simplesamlphp\r\n[root@simplesamlphp simplesamlphp] touch modules\/cron\/enable\r\n[root@simplesamlphp simplesamlphp] cp modules\/cron\/config-templates\/*.php config\/\r\n[root@simplesamlphp simplesamlphp] touch modules\/metarefresh\/enable\r\n[root@simplesamlphp simplesamlphp] cp modules\/metarefresh\/config-templates\/*.php config\/\r\n<\/pre>\n
      Metarefresh konfiguratsiooni t\u00e4iendused<\/span><\/h2>\n
      Muutke config\/config-metarefresh.php<\/em> faili vastavalt sellele, kas soovite \u00fchendada test v\u00f5i produktsiooni jaoturi k\u00fclge:<\/p>\n
       <?php\r\n$config = array(\r\n\u00a0 'sets' => array(\r\n\u00a0\u00a0\u00a0 \/\/ TAAT produktsiooni jaotur teenusepakkujale\r\n\u00a0\u00a0\u00a0 'taat-prod' => array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'cron'\u00a0\u00a0\u00a0\u00a0\u00a0 => array('hourly'),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'sources'\u00a0\u00a0 => array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'src' => 'https:\/\/taeva.taat.edu.ee\/metadata\/metadata.taat+hub+prod+idp.xml',\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'validateFingerprint' => 'E8:9A:5C:BB:05:BD:E4:16:F7:6F:47:E8:F6:1E:94:EE:7C:FC:29:0C',\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'template' => array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'tags'\u00a0 => array('taat-prod'),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'validate.authnrequest' => FALSE,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'validate.logout' => FALSE, \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 ),\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'expireAfter'\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 => 60*60*24*4, \/\/ Maximum 4 days cache time.\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'outputDir'\u00a0\u00a0\u00a0\u00a0 => 'metadata\/taat-prod\/',\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'outputFormat' => 'flatfile',\r\n\u00a0\u00a0\u00a0 ),\r\n\r\n\u00a0\u00a0\u00a0 \/\/ TAAT test jaotur teenusepakkujale\r\n\u00a0\u00a0\u00a0 'taat-test' => array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'cron'\u00a0\u00a0\u00a0\u00a0\u00a0 => array('hourly'),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'sources'\u00a0\u00a0 => array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'src' => 'https:\/\/taeva.taat.edu.ee\/metadata\/metadata.taat+hub+test+idp.xml',\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'validateFingerprint' => 'E8:9A:5C:BB:05:BD:E4:16:F7:6F:47:E8:F6:1E:94:EE:7C:FC:29:0C',\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'template' => array(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'tags'\u00a0 => array('taat-test'),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'validate.authnrequest' => FALSE,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'validate.logout' => FALSE, \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ),\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 ),\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'expireAfter'\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 => 60*60*24*4, \/\/ Maximum 4 days cache time.\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'outputDir'\u00a0\u00a0\u00a0\u00a0 => 'metadata\/taat-test\/',\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 'outputFormat' => 'flatfile',\r\n\u00a0\u00a0\u00a0 ),\r\n\u00a0 ),\r\n);<\/pre>\n<\/li>\n
    3. Tehke TAAT-i hubi metadata jaoks eraldi kaust ning andke veebiserverile sinna kirjutamis\u00f5igus:\n
      mkdir -p metadata\/taat-prod\r\nchmod go+rw metadata\/taat-prod\/\r\nmkdir -p metadata\/taat-test\r\nchmod go+rw metadata\/taat-test\/<\/pre>\n<\/li>\n
    4. Lisage config\/config.php<\/em> faili jaoturi metadata asukoht:
      \n<\/span><\/p>\n
      # ... rest of the file\r\n#\r\n# Find 'metadata.sources' section and make it to reflect:\r\n  'metadata.sources' => array(\r\n    array('type' => 'flatfile', 'directory' => 'metadata'),\r\n    array('type' => 'flatfile', 'directory' => 'metadata\/taat-prod'),\r\n    array('type' => 'flatfile', 'directory' => 'metadata\/taat-test'),\r\n),\r\n# ... rest of the file<\/pre>\n<\/li>\n
    5. Kindlasti on vaja seada croni jaoks parool (m\u00e4rgitud failides RANDOM_KEY-iga), sest muidu saab iga\u00fcks tulla ja taske k\u00e4ivitada.\n
      <?php\r\n\/*\r\n * Configuration for the Cron module.\r\n *\r\n * $Id: $\r\n *\/\r\n$config = array (\r\n        'key' => 'RANDOM_KEY',\r\n        'allowed_tags' => array('daily', 'hourly', 'frequent'),\r\n        'debug_message' => false,\r\n        'sendemail' => false,\r\n);\r\n?><\/pre>\n<\/li>\n
    6. Lisage croni t\u00f6\u00f6:
      \nN\u00e4iteks simplesamlphp_cron<\/em> fail:<\/p>\n
      # Run SimpleSAMLphp Hourly tasks at every second minute of an hour\r\n2 * * * * apache curl --silent  \"https:\/\/SERVER\/simplesaml\/module.php\/cron\/cron.php?key=RANDOM_KEY&tag=hourly\" > \/dev\/null 2>&1\r\n\r\n<\/pre>\n
      NB! Juhul kui uuendasite SSP eelmist seadistust metarefreshi peale, siis on vajalik kustutada v\u00f5i v\u00e4ljakommenteerida \u00a0vanas juhendis <\/a><\/span>(punktis 8) loodud\u00a0metadata\/saml20-idp-remote.php<\/em> failis reos.taat.edu.ee<\/a><\/span> ja\/v\u00f5i sarvik.taat.edu.ee<\/a><\/span>\u00a0metaandmed<\/strong>.<\/span><\/p>\n
      JANUS (uue \u00fchenduse loomiseks)<\/span><\/h2>\n<\/li>\n
    7. Tehke kasutaja JANUSesse aadressil https:\/\/taeva.taat.edu.ee\/module.php\/janus\/index.php<\/a><\/li>\n
    8. Lisage JANUSesse uus \u00fchendus (\u201eCreate connection\u201c), kus ID on \u201eentity id\u201c, mis on leitav teie oma SimpleSAMLphp installatsioonilehel men\u00fc\u00fcst \u201eFederation\u201c ning \u00fchenduse t\u00fc\u00fcbiks on \u201eSAML 2.0 SP\u201c. XML-i ei ole vaja kopeerida.<\/li>\n
    9. \u00a0Valige loodud \u00fchendus ja minge lehele \u201eImport metadata\u201c. Kopeerige oma metaandmete XML v\u00f5i link, mille leiate oma SimpleSAMLphp installatsioonilehet \u201eFederation\u201c vahelehelt \u201eshow metadata\u201c kl\u00f5psates.<\/li>\n
    10. Vahelehel \u201eMetadata\u201c lisage metaandmed, mis on n\u00f5utud TAAT Tehnoloogilises profiilis ( https:\/\/taat.edu.ee\/main\/dokumendid\/<\/a> ).<\/li>\n
    11. Vahelehel \u201cConnection\u201d valige endale ARP ehk atribuutide v\u00e4ljastamise poliitika.
      \nT\u00f5en\u00e4oliselt on teil vaja luua uus \u201cNew\u201d. Nimetage oma ARP nii, et nimi sisaldaks teie
      \nasutuse domeeninime ja ARP lisamise\/muutmise kuup\u00e4eva ning valige atribuudid, mida
      \nsoovite TAATi kaudu vastu v\u00f5tta. Atribuudid peavad klappima hiljem s\u00f5lmitud lepingus
      \noleva atribuutide nimistuga. \u00c4rge unustage ka muudatusi salvestada.<\/li>\n
    12. Testige sisselogimist TAAT test-idp andmetega, mille leiate lehelt https:\/\/eitja.taat.edu.ee\/<\/a>
      \nNB!<\/strong> Jaoturite andmeid uuendatakse kord 5 min jooksul. Kui teie \u00fchendus kohe ei toimi,
      \noodake 5 minutit ja proovige uuesti.<\/li>\n<\/ol>\n
      \u00a0<\/span><\/div>\n
      <\/div>\n","protected":false},"excerpt":{"rendered":"
      SP juhend SimpleSAMLphp paigaldamiseks, seadistamiseks ja \u00fchendamiseks TAATiga. Laadige alla SimpleSAMLphp lehelt http:\/\/simplesamlphp.org\/download ning pakkige arhiiv lahti oma veebiserverisse. Veenduge, et serveri konfiguratsioon (vhost) v\u00f5imaldaks v\u00f5imaldaks ligip\u00e4\u00e4su installatsioonikausta. Kui on kasutusel Suhosin, siis on vaja see seadistada lubama pikemaid GET parameetrite v\u00e4\u00e4rtuseid. Debiani puhul failis \/etc\/php5\/apache2\/conf.d\/suhosin.ini suhosin.get.max_value_length = 2048 Navigeerige installatsioonikausta ja kopeerige kaustast config-templates\/ […]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages\/674"}],"collection":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/comments?post=674"}],"version-history":[{"count":33,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages\/674\/revisions"}],"predecessor-version":[{"id":926,"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/pages\/674\/revisions\/926"}],"wp:attachment":[{"href":"https:\/\/taat.edu.ee\/main\/wp-json\/wp\/v2\/media?parent=674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}