I was working on a requirement to set up passwordless/SSO login using SAML-based authentication for Cloudera applications, particularly Cloudera Manager, Hue and Cloudera Navigator.
I opted for Shibboleth since it is open source and supports federated identity; you can also use another identity management product such as CA SiteMinder, Ping Identity or Oracle Access Manager if you already have one in your infrastructure.
In this post I will show you how to install and configure the Shibboleth IdP for the Cloudera Manager/Hue/Cloudera Navigator SPs.
Shibboleth Installation:
Please note that my Tomcat instance is running on the default ports 8080 and 8443, so my final Shibboleth SAML EntityID URL will be https://idp.tanu.com:8443/idp/shibboleth.
If you set up your Tomcat instance on a different port, change the port accordingly.
1) Download Shibboleth from this link: https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-3.3.2.tar.gz
2) Download Apache Tomcat: http://mirrors.gigenet.com/apache/tomcat/tomcat-7/v7.0.82/bin/apache-tomcat-7.0.82.tar.gz
3) Extract the tarball: tar -zxvf shibboleth-identity-provider-3.3.2.tar.gz
4) cd shibboleth-identity-provider-3.3.2/bin
then run ./install.sh
Source (Distribution) Directory (press <enter> to accept default): [/app/test/shibboleth-identity-provider-3.3.2]
Installation Directory: [/opt/shibboleth-idp]
/app/test/shibboleth-idp
Hostname: [idp.tanu.com]
SAML EntityID: [https://idp.tanu.com/idp/shibboleth]
https://idp.tanu.com:8443/idp/shibboleth
Attribute Scope: [tanu.com]
Backchannel PKCS12 Password:
Re-enter password:
Cookie Encryption Key Password:
Re-enter password:
Warning: /app/test/shibboleth-idp/bin does not exist.
Warning: /app/test/shibboleth-idp/dist does not exist.
Warning: /app/test/shibboleth-idp/doc does not exist.
Warning: /app/test/shibboleth-idp/system does not exist.
Warning: /app/test/shibboleth-idp/webapp does not exist.
Generating Signing Key, CN = idp.tanu.com URI = https://idp.tanu.com:8443/idp/shibboleth ...
...done
Creating Encryption Key, CN = idp.tanu.com URI = https://idp.tanu.com:8443/idp/shibboleth ...
...done
Creating Backchannel keystore, CN = idp.tanu.com URI = https://idp.tanu.com:8443/idp/shibboleth ...
...done
Creating cookie encryption key files...
...done
Rebuilding /app/test/shibboleth-idp/war/idp.war ...
...done
BUILD SUCCESSFUL
Total time: 52 seconds
5) Copy the idp.war from /app/test/shibboleth-idp/war/idp.war to /app/apache-tomcat-7.0.65/webapps/
6) Update the Shibboleth home path in /app/apache-tomcat-7.0.65/bin/catalina.sh:
JAVA_OPTS="$JAVA_OPTS -Didp.home=/app/test/shibboleth-idp"
7) Shibboleth provides a URL to check the installation status, but it needs the additional jar jstl-1.2.jar; otherwise the status URL won't work.
Download the jar from http://central.maven.org/maven2/javax/servlet/jstl/1.2/jstl-1.2.jar and copy it into the /app/apache-tomcat-7.0.65/webapps/idp/WEB-INF/lib directory.
8) Configure Tomcat to support SSL. I have already created a JKS keystore and truststore for my Tomcat instance.
vi /app/apache-tomcat-7.0.65/conf/server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/app/apache-tomcat-7.0.65/ssl/idp-cert.jks" keystorePass="test123*"
           truststoreFile="/app/apache-tomcat-7.0.65/ssl/ca_truststore.jks" truststorePass="test123" />
<!-- Define an AJP 1.3 Connector on port 9009 -->
<Connector port="9009" protocol="AJP/1.3" redirectPort="8443" />
Please note that I have set clientAuth="true" because I am going to use the X.509 login handler in Shibboleth. Our client infrastructure uses smartcard-based authentication and all internal sites use SSL mutual authentication, so I opted to use SSL mutual authentication for the Cloudera sites as well. If you are going to use a different Shibboleth authentication handler, you can skip this attribute.
9) Then start the Tomcat instance.
10) Verify the installation by accessing the URL https://idp.tanu.com:8443/idp/status
### Operating Environment Information
operating_system: Linux
operating_system_version: 2.6.32-642.15.1.el6.x86_64
operating_system_architecture: amd64
jdk_version: 1.8.0_131
available_cores: 2
used_memory: 225 MB
maximum_memory: 823 MB
### Identity Provider Information
idp_version: 3.3.2
start_time: 2017-12-13T10:57:51-05:00
current_time: 2017-12-13T10:57:52-05:00
uptime: 604 ms
service: shibboleth.LoggingService
last successful reload attempt: 2017-12-13T15:57:28Z
last reload attempt: 2017-12-13T15:57:28Z
service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2017-12-13T15:57:34Z
last reload attempt: 2017-12-13T15:57:34Z
service: shibboleth.MetadataResolverService
last successful reload attempt: 2017-12-13T15:57:33Z
last reload attempt: 2017-12-13T15:57:33Z
service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2017-12-13T15:57:33Z
last reload attempt: 2017-12-13T15:57:33Z
service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2017-12-13T15:57:33Z
last reload attempt: 2017-12-13T15:57:33Z
service: shibboleth.AttributeResolverService
last successful reload attempt: 2017-12-13T15:57:32Z
last reload attempt: 2017-12-13T15:57:32Z
DataConnector statiConnector: has never failed
DataConnector myLDAP: has never failed
service: shibboleth.AttributeFilterService
last successful reload attempt: 2017-12-13T15:57:30Z
last reload attempt: 2017-12-13T15:57:30Z
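The status page above is what a healthy IdP looks like; what you actually want to catch later is a service whose last reload attempt did not succeed (its "last reload attempt" moves past its "last successful reload attempt") or a DataConnector that stops reporting "has never failed". The following is an added example, not code from the original post: it parses the status text into structures and lists the problems. The sample text is a constructed excerpt, and the wording of a failed DataConnector line is an assumption.

```python
"""Added example (not from the original post): parse the text that the
Shibboleth /idp/status URL returns and flag services whose last reload
failed, or data connectors that have failed."""

# Constructed excerpt in the format of the status page shown above. The
# AttributeResolverService and myLDAP lines are constructed failures; the
# exact wording of a failed DataConnector line is an assumption.
SAMPLE_STATUS = """\
### Identity Provider Information
idp_version: 3.3.2
uptime: 604 ms
service: shibboleth.MetadataResolverService
last successful reload attempt: 2017-12-13T15:57:33Z
last reload attempt: 2017-12-13T15:57:33Z
service: shibboleth.AttributeResolverService
last successful reload attempt: 2017-12-13T15:57:32Z
last reload attempt: 2017-12-13T16:05:00Z
DataConnector staticConnector: has never failed
DataConnector myLDAP: last failed at 2017-12-13T16:05:00Z
"""


def parse_status(text):
    """Return (idp_version, services, connectors).

    services maps a service name to [last_successful, last_attempt];
    connectors maps a DataConnector name to its reported state."""
    version, services, connectors, current = None, {}, {}, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # "### ..." headers carry no key/value pair
        key, value = key.strip(), value.strip()
        if key == "idp_version":
            version = value
        elif key == "service":
            current = value
            services[current] = [None, None]
        elif key == "last successful reload attempt" and current:
            services[current][0] = value
        elif key == "last reload attempt" and current:
            services[current][1] = value
        elif key.startswith("DataConnector "):
            connectors[key.split(" ", 1)[1]] = value
    return version, services, connectors


def find_problems(text):
    """Names of services whose latest reload is not their latest success,
    plus DataConnectors reporting anything other than 'has never failed'."""
    _, services, connectors = parse_status(text)
    bad = [name for name, (ok, last) in services.items() if ok != last]
    bad += [n for n, state in connectors.items() if state != "has never failed"]
    return sorted(bad)


if __name__ == "__main__":
    print(parse_status(SAMPLE_STATUS)[0], find_problems(SAMPLE_STATUS))
```

In practice you would feed it the body fetched from the /idp/status URL; note that the IdP's default access-control.xml only allows that URL from localhost, so run the check on the IdP host or extend the access rule deliberately.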