LPS:Java-idp-webauth-login-handler

Webauth Login Handler Installation instructions

Quoted from the SAML 2.0 Core specification (AuthnRequest attributes):

    ForceAuthn [Optional]
    A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than
    rely on a previous security context. If a value is not provided, the default is "false". However, if both
    ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the
    presenter unless the constraints of IsPassive can be met.

Requirements

Installation and configuration

Download and build the source (replace X.0 with the latest stable version, e.g. "tags/1.0"):

svn export https://subversds.d..........zcu.cz
cd java-idp-webauth-login-handler
mvn package

IdP - Configuration

Copy the .jar file to the installation folder:

cp target/webauth-login-handler-X.0.jar $IDP_INSTALL_DIR/lib

Configuring the server (tomcat)

In the web application you have to enable the Webauth login servlet. You do that in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml:

<web-app>
(...)
  <servlet>
    <servlet-name>WebauthAuthServlet</servlet-name>
    <servlet-class>cz.zcu.civ.idp.webauth.WebauthAuthServlet</servlet-class>
    <init-param>
      <param-name>reauthURL</param-name>
      <param-value>https://shib2.zcu.cz/wareauth</param-value>
    </init-param>
    <init-param>
      <param-name>maxTokenAge</param-name>
      <param-value>10</param-value>
    </init-param>
  </servlet>

  <servlet-mapping>
    <servlet-name>WebauthAuthServlet</servlet-name>
    <url-pattern>/Authn/Webauth</url-pattern>
  </servlet-mapping>
(...)
</web-app>
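The two init-params above (reauthURL, maxTokenAge) together with the ForceAuthn / IsPassive semantics quoted at the top of this page define what a re-authentication login handler has to decide for each request. The following is an added illustration written for this page, not the project's own code: it reads the two parameters from a web.xml fragment (a constructed sample mirroring the snippet above) and returns an outcome for a given token age and request flags. Two things are assumptions: that maxTokenAge is expressed in seconds, and that a WebAuth token issued no longer ago than maxTokenAge counts as a direct authentication that satisfies ForceAuthn.

```python
"""Added example (not the project's code): the decision a re-authentication
login handler makes from the ForceAuthn / IsPassive request flags, the age of
the caller's WebAuth token and the reauthURL / maxTokenAge init-params.
Assumptions: maxTokenAge is in seconds, and a token no older than maxTokenAge
counts as a fresh, direct authentication."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from enum import Enum

# Constructed sample, mirroring the web.xml servlet definition on this page.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>WebauthAuthServlet</servlet-name>
    <servlet-class>cz.zcu.civ.idp.webauth.WebauthAuthServlet</servlet-class>
    <init-param>
      <param-name>reauthURL</param-name>
      <param-value>https://shib2.zcu.cz/wareauth</param-value>
    </init-param>
    <init-param>
      <param-name>maxTokenAge</param-name>
      <param-value>10</param-value>
    </init-param>
  </servlet>
</web-app>"""


class Outcome(Enum):
    ACCEPT_EXISTING = "existing session satisfies the request"
    REDIRECT_REAUTH = "redirect the browser to reauthURL"
    NO_PASSIVE = "return SAML status urn:oasis:names:tc:SAML:2.0:status:NoPassive"


@dataclass(frozen=True)
class HandlerConfig:
    reauth_url: str
    max_token_age: int  # seconds (assumed unit)


def config_from_web_xml(web_xml, servlet_name="WebauthAuthServlet"):
    """Read reauthURL and maxTokenAge for the named servlet from web.xml text.
    Tag comparison ignores namespaces, so a web.xml with the Java EE default
    xmlns works the same as the bare fragment above."""
    def local(tag):
        return tag.rsplit("}", 1)[-1]

    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if local(servlet.tag) != "servlet":
            continue
        name = next(((c.text or "").strip() for c in servlet
                     if local(c.tag) == "servlet-name"), None)
        if name != servlet_name:
            continue
        params = {}
        for p in servlet:
            if local(p.tag) == "init-param":
                kv = {local(c.tag): (c.text or "").strip() for c in p}
                params[kv["param-name"]] = kv["param-value"]
        return HandlerConfig(params["reauthURL"], int(params["maxTokenAge"]))
    raise ValueError("servlet %s not found" % servlet_name)


def decide(cfg, token_age, force_authn=False, is_passive=False):
    """token_age: seconds since the WebAuth token was issued; None = no session."""
    has_session = token_age is not None
    fresh = has_session and token_age <= cfg.max_token_age
    if force_authn and not fresh:
        # ForceAuthn: a previous security context must not be relied on. Only a
        # token issued within maxTokenAge is taken as a direct authentication.
        # With IsPassive also set, the IdP must not authenticate interactively,
        # so the request fails with NoPassive instead of a redirect.
        return Outcome.NO_PASSIVE if is_passive else Outcome.REDIRECT_REAUTH
    if has_session:
        return Outcome.ACCEPT_EXISTING
    # No session at all: interactive login unless the SP forbade interaction.
    return Outcome.NO_PASSIVE if is_passive else Outcome.REDIRECT_REAUTH


if __name__ == "__main__":
    cfg = config_from_web_xml(SAMPLE_WEB_XML)
    for age, force, passive in [(3600, False, False), (3600, True, False),
                                (5, True, False), (3600, True, True), (None, False, True)]:
        print(age, force, passive, "->", decide(cfg, age, force, passive).value)
```

The branch worth noticing is ForceAuthn together with IsPassive on a stale token: redirecting to reauthURL would be an interactive login, which IsPassive forbids, so the only correct answer is the NoPassive status.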

Apache configuration

The reauth URL must be within the same webauth_at cookie context, because the IdP application/module needs to be able to delete it ...

# RUSS 2
<Location /wareauth>
  ## WebAuth
  AuthType WebAuth
  require valid-user

  #WA3
  ##  WebAuthForceLogin on
  ##  WebAuthAppTokenLifetime 1m

  # WA4
  WebAuthRequireSessionFactor p

  RewriteEngine on
  RewriteRule .* https://shib2.zcu.cz/idp/Authn/RemoteUser [R,L]
</Location>

handler.xml configuration

Configure the handler.xml (the lines marked <<<<< below are the additions this handler needs) at:

  • new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/handler.xml
  • reinstall: $IDP_DIR/conf/handler.xml

<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  (...)
  xmlns:webauth="http://support.zcu.cz/java-idp-webauth-login-handler"                                      <<<<<
  (...)
  xsi:schemaLocation="
    urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
    http://support.zcu.cz/java-idp-webauth-login-handler classpath:/schema/webauth-login-handler.xsd        <<<<<
(...)
">
(...)
  <ph:LoginHandler xsi:type="webauth:Webauth">                                                              <<<<<
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Webauth</ph:AuthenticationMethod>       <<<<<
  </ph:LoginHandler>                                                                                        <<<<<
(...)
</ph:ProfileHandlerGroup>
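Because the four marked additions are spread over namespace declarations, schemaLocation and the handler element, a missing one only shows up as a schema error at IdP start. The following is an added check written for this page, not the project's code: it parses a handler.xml and reports which of the four additions is absent. The two embedded documents are constructed samples (one complete, one with two omissions); the namespace URI, XSD path, xsi:type and AuthenticationMethod values are the ones shown above.

```python
"""Added example (not the project's code): verify that handler.xml carries the
four additions marked <<<<< on this page."""
import io
import xml.etree.ElementTree as ET

PH_NS = "urn:mace:shibboleth:2.0:idp:profile-handler"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
WEBAUTH_NS = "http://support.zcu.cz/java-idp-webauth-login-handler"
WEBAUTH_XSD = "classpath:/schema/webauth-login-handler.xsd"
WEBAUTH_METHOD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Webauth"

# Constructed sample with all four additions present.
GOOD_HANDLER_XML = """<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:webauth="http://support.zcu.cz/java-idp-webauth-login-handler"
  xsi:schemaLocation="
    urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
    http://support.zcu.cz/java-idp-webauth-login-handler classpath:/schema/webauth-login-handler.xsd
">
  <ph:LoginHandler xsi:type="webauth:Webauth">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Webauth</ph:AuthenticationMethod>
  </ph:LoginHandler>
</ph:ProfileHandlerGroup>"""

# Constructed sample: schemaLocation pair missing and wrong AuthenticationMethod.
BAD_HANDLER_XML = """<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:webauth="http://support.zcu.cz/java-idp-webauth-login-handler"
  xsi:schemaLocation="
    urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
">
  <ph:LoginHandler xsi:type="webauth:Webauth">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
  </ph:LoginHandler>
</ph:ProfileHandlerGroup>"""


def check_handler_xml(xml_text):
    """Return a list of problems; an empty list means all four additions are present."""
    problems = []

    # 1. Namespace declaration: collect every prefix -> URI binding in the document.
    prefixes = {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        prefixes[prefix] = uri
    if WEBAUTH_NS not in prefixes.values():
        problems.append("xmlns declaration for %s missing" % WEBAUTH_NS)

    root = ET.fromstring(xml_text)

    # 2. schemaLocation is a whitespace-separated list of (namespace, location) pairs.
    tokens = (root.get("{%s}schemaLocation" % XSI_NS) or "").split()
    pairs = set(zip(tokens[0::2], tokens[1::2]))
    if (WEBAUTH_NS, WEBAUTH_XSD) not in pairs:
        problems.append("schemaLocation lacks %s -> %s" % (WEBAUTH_NS, WEBAUTH_XSD))

    # 3. A ph:LoginHandler whose xsi:type resolves to {WEBAUTH_NS}Webauth.
    handler = None
    for lh in root.iter("{%s}LoginHandler" % PH_NS):
        prefix, _sep, local_name = (lh.get("{%s}type" % XSI_NS) or "").partition(":")
        if local_name == "Webauth" and prefixes.get(prefix) == WEBAUTH_NS:
            handler = lh
            break
    if handler is None:
        problems.append("no ph:LoginHandler with xsi:type webauth:Webauth")
        return problems

    # 4. The AuthenticationMethod the handler advertises to SPs.
    method = handler.findtext("{%s}AuthenticationMethod" % PH_NS, default="").strip()
    if method != WEBAUTH_METHOD:
        problems.append("AuthenticationMethod is %r, expected %r" % (method, WEBAUTH_METHOD))
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else BAD_HANDLER_XML
    for problem in check_handler_xml(text) or ["ok"]:
        print(problem)
```

Run it with the path to handler.xml as the only argument; without an argument it checks the embedded sample with the omissions. The xsi:type check deliberately resolves the prefix rather than comparing the literal string "webauth:Webauth", since the prefix name is the deployer's choice while the namespace URI is not.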

Log configuration

The logging for the Handler is configured in the logging.xml file. It can be found at:

  • new install: $IDP_INSTALL_DIR/src/installer/resources/conf-tmpl/logging.xml
  • reinstall: $IDP_DIR/conf/logging.xml
(...)
<logger name="cz.zcu.civ.idp.webauth">
<level value="DEBUG"/>
</logger>
(...)

Deployment

Back up the IdP configuration, then re-deploy the application by running:

$IDP_INSTALL_DIR/install.sh

Troubleshooting