Steps for Building a SP server for ARCADE (WebDAV server)
Ver 1.1, created on November 3rd, 2013

This document describes the steps for building a SP (Shibboleth Service Provider) server for ARCADE, a WebDAV server. The steps below are for a server running CentOS 6.2 (64-bit).

1 Installing the OS

○ Start the installer to install the OS. During installation, select [Web Server] in the [Select a Package] dialog.



○ After the installation has completed, disable SELinux:

  # vi /etc/selinux/config
  SELINUX=enforcing → SELINUX=disabled

  The change takes effect at the next boot. Be aware that this removes mandatory access control from httpd and shibd entirely; if you would rather keep SELinux enforcing on a production host, adjust the SELinux booleans and file contexts for httpd instead, and confirm the resulting mode with sestatus after rebooting.

  For more information, refer to the GakuNin Web page: http://www.gakunin.jp/docs/fed/technical/sp/install/spInst2#2

2 Installing and Setting Up Shibboleth

○ To install Shibboleth and set up the SP server, refer to the GakuNin Web pages:
  http://www.gakunin.jp/docs/fed/technical/sp/install/spInst4
  http://www.gakunin.jp/docs/fed/technical/sp/customize

* In attribute-map.xml, change the attribute id "eppn" to "eduPersonPrincipalName". The per-directory access rule in the [Reference] section at the end of this document refers to the attribute by that name.

3 Setting up Apache for ARCADE

○ Create a directory for ARCADE so that Apache can read and write files in it:

  # mkdir /var/www/html/arcade
  # chown apache:apache /var/www/html/arcade

○ Edit /etc/httpd/conf/httpd.conf. Point DocumentRoot at the ARCADE directory and give that directory the settings shown: WebDAV enabled, a Shibboleth session required for every request, and AllowOverride permitting the .htaccess access rules used in the [Reference] section.

  …(omission)…
  #
  # DocumentRoot: The directory out of which you will serve your
  # documents. By default, all requests are taken from this directory, but
  # symbolic links and aliases may be used to point to other locations.
  #
  DocumentRoot "/var/www/html/arcade"
  …(omission)…
  #
  # This should be changed to whatever you set DocumentRoot to.
  #
  <Directory "/var/www/html/arcade">

  #
  # Possible values for the Options directive are "None", "All",
  # or any combination of:
  #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
  #
  # Note that "MultiViews" must be named *explicitly* --- "Options All"
  # doesn't give it to you.
  #
  # The Options directive is both complicated and important.  Please see
  # http://httpd.apache.org/docs/2.2/mod/core.html#options
  # for more information.
  #
      Options Indexes FollowSymLinks

  #
  # AllowOverride controls what directives may be placed in .htaccess files.
  # It can be "All", "None", or any combination of the keywords:
  #   Options FileInfo AuthConfig Limit
  #
      AllowOverride Limit AuthConfig

  #
  # Controls who can get stuff from this server.
  #
      Order allow,deny
      Allow from all

  #
  # WebDAV Restriction
  #
      DAV On

  #
  # Shibboleth Restriction
  #
      AuthType shibboleth
      ShibRequireSession On
      require valid-user

  </Directory>
  …(omission)…
  #
  # Specify a default charset for all content served; this enables
  # interpretation of all content as UTF-8 by default.  To use the
  # default browser choice (ISO-8859-1), or to allow the META tags
  # in HTML content to override this choice, comment out this
  # directive:
  #
  AddDefaultCharset UTF-8
  …(omission)…

  With "require valid-user" and "DAV On", every user who can establish a Shibboleth session through GakuNin can read and write the share, and "Indexes" makes directory listings visible to them. To restrict the share to your own organization, see the [Reference] section at the end of this document.



○ Edit /etc/sysconfig/httpd so that httpd runs in a UTF-8 locale instead of the default C locale:

  #
  # By default, the httpd process is started in the C locale; to
  # change the locale in which the server runs, the HTTPD_LANG
  # variable can be set.
  #
  #HTTPD_LANG=C
  HTTPD_LANG=ja_JP.UTF-8

○ Place a dummy file in the ARCADE directory:

  # touch /var/www/html/arcade/index.html

○ In /etc/httpd/conf.d/shib.conf, comment out the following directives:

  #
  # AuthType shibboleth
  # ShibRequestSetting requireSession 1
  # require valid-user
  #

○ Check the configuration and restart Apache (httpd):

  # apachectl configtest
  # service httpd restart

4 Setting up GakuNin mAP

○ Edit /etc/shibboleth/attribute-map.xml. Add the statement that maps the isMemberOf attribute immediately before the closing </Attributes> tag at the end of the file.

○ Edit /etc/shibboleth/attribute-policy.xml. Add the statement that permits the isMemberOf attribute immediately before the closing tag at the end of the file.

○ Save the GakuNin mAP (IdP) metadata as /etc/shibboleth/metadata/gakuninmap-idp-metadata.xml. The metadata describes the IdP with entityID https://map.gakunin.nii.ac.jp/idp/shibboleth and contains: the certificate for map.gakunin.nii.ac.jp (listed twice, once for the single sign-on role and once for the attribute authority role that is queried later in this section), the NameID formats urn:mace:shibboleth:1.0:nameIdentifier and urn:oasis:names:tc:SAML:2.0:nameid-format:transient, the organization (National Institute of Informatics / 国立情報学研究所, https://www.gakunin.jp/) and the technical contact (Takeshi Nishimura, [email protected]). The certificate as embedded in the metadata:

  MIIFGjCCBAKgAwIBAgIIKAeb42cBQVowDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UE
  BhMCSlAxETAPBgNVBAcTCEFjYWRlbWUyMSowKAYDVQQKEyFOYXRpb25hbCBJbnN0
  aXR1dGUgb2YgSW5mb3JtYXRpY3MxDTALBgNVBAsTBFVQS0kxIDAeBgNVBAsTF05J
  SSBPcGVuIERvbWFpbiBDQSAtIEcyMB4XDTExMDUwMjEwNTIwNFoXDTEzMDUzMTEx
  MDIwNFowgaoxCzAJBgNVBAYTAkpQMREwDwYDVQQHEwhBY2FkZW1lMjEqMCgGA1UE
  ChMhTmF0aW9uYWwgSW5zdGl0dXRlIG9mIEluZm9ybWF0aWNzMTwwOgYDVQQLEzND
  eWJlciBTY2llbmNlIEluZnJhc3RydWN0dXJlIERldmVsb3BtZW50IERlcGFydG1l
  bnQxHjAcBgNVBAMTFW1hcC5nYWt1bmluLm5paS5hYy5qcDCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAKzQmFgwni7QD6+ZuXDAeIiLac52FAy/TCxn0Ewl
  FbijzTfnMQ+pIEiXSk6cnGJvwWLOgRhhU5ISJ8K/IXFLEOubCyCoH2iwL4tG1M7d
  FTcmRYAq5UecRWaYR1uq8ZZv4YnIuFi9NJ19bOBEQGTBAvH4t0kVZ+w8ggseGEgx
  QUVQtqWc/7f4LueNV2D6ISoDzVxH6HNIlJwE0ccDKB3kunF5awfHkwl6qaZK4yk3
  DEDWrvf32JPLmRWczvY7kNDZHxtFtuWkzeG5qJnCzSkddQLm3M3eroiwa1PN+LBm
  JA4jwkKNMgkRxQqHktBDby1+1p8X5ag8ByqbRQ7hpddHGOUCAwEAAaOCAW4wggFq
  MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU
  en4PU0LKI5WKB+LUKP4n7k3ylCAwHwYDVR0jBBgwFoAUewoH9xjKjA7W2rxQgGws
  RwLRDfswPgYDVR0RBDcwNYIVbWFwLmdha3VuaW4ubmlpLmFjLmpwghx2b3BsYXRm
  b3JtLmdha3VuaW4ubmlpLmFjLmpwMGYGA1UdIARfMF0wTQYKKoMIjJweAQICATA/
  MD0GCCsGAQUFBwIBFjFodHRwczovL3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwY3Bw
  L2Nwcy9pbmRleC5odG1sMAwGCiqDCIybG2SHBQEwSAYDVR0fBEEwPzA9oDugOYY3
  aHR0cDovL3JlcG8xLnNlY29tdHJ1c3QubmV0L3NwcGNhL25paS9vZGNhMi9mdWxs
  Y3JsLmNybDARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBAHyz
  ZBG9gaG1CW0oUsdHN1/Ip0JacMpCCMUq4kER7oCPikSJJfUcZ2D2z+z/KRM8DgIz
  KoNOWe+RiBx6GKw7VxdgEs66EZJbk7j8sB+s7Ahs6bWj1M9JNTuVqckemJlxjoXS
  IvHDIQJFpl9kEClb7xrDgpMaaBdyyj6FtgyCF8rxfe0WyJWT74jgEPuM9UPWKJcV
  xOZs4U6lBo/QcxWgwD6CkewRAI2HmJ+wnYYRaUBpsDAOQEYsgvg1EcvNUuedPPeJ
  YGV3njeh1D7nbEbNQfGi1ANuVnWdmYA3K4Q51D/KX/X6E2k+jfSszY14q0+ZNRBI
  1AcZsff8LpBIg3Fr4Z4=

  This certificate is the trust anchor the SP uses to verify assertions and attribute responses from the mAP IdP, so obtain the current metadata from GakuNin rather than copying it from a printed document, and check that the embedded certificate matches what GakuNin publishes. The validity period encoded in the certificate above is 2011-05-02 to 2013-05-31 (issued by NII Open Domain CA - G2); the Shibboleth SP does not reject expired certificates found in metadata, so a stale copy keeps working silently and must be replaced deliberately.

○ Edit /etc/shibboleth/shibboleth2.xml. To load the GakuNin mAP (IdP) metadata, add a MetadataProvider element for the file saved above after the existing MetadataProvider elements.

○ So that the isMemberOf attribute can be obtained from GakuNin mAP (IdP) based on eppn once the regular authentication flow has completed, add an AttributeResolver of type SimpleAggregation after the existing AttributeResolver element, naming the mAP IdP as the entity to query:

  https://map.gakunin.nii.ac.jp/idp/shibboleth

○ Restart Shibboleth (shibd):

  # service shibd restart



○ Access GakuNin mAP and connect the SP.

  To be invited as an administrator of the "ARCADE" connector, send us an email with the subject "New SP Connection Request" to arcade-help@ml.db.kanazawa-u.ac.jp. ARCADE will send the invitation to the From address of your email.

  Once you have been promoted to administrator, connect the SP to the ARCADE connector yourself. The setup is then complete.

Inquiries about mAP: GakuNinmAP-help@nii.ac.jp
Inquiries about ARCADE: arcade-help@ml.db.kanazawa-u.ac.jp

[Reference] Restricting the file server to your own organization

With the steps above, the file server can be accessed by anyone who can log in through GakuNin. To limit access (for example to users of your own organization only, or to faculty and staff only), create a file named .htaccess in the SP's document root, i.e. /var/www/html/arcade/.htaccess, containing:

  AuthType shibboleth
  ShibRequireSession On
  ShibRequireAll On
  require eduPersonPrincipalName ~ .*@kanazawa-u.ac.jp$

With this setting only users whose eduPersonPrincipalName matches "*@kanazawa-u.ac.jp" (where "*" is any string) can access the SP; other users cannot view its contents on ARCADE. In this example, access is therefore permitted to Kanazawa University users only. The rule works because the "eppn" id was renamed to "eduPersonPrincipalName" in attribute-map.xml in section 2 and because AllowOverride AuthConfig was set for the directory in section 3. Note that the "~" form of require treats the pattern as a regular expression: an unescaped "." matches any character, so escape the dots in the domain (\.) if the rule should match only the literal scope.
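As an added example that is not part of the ARCADE document, the following script evaluates the regular expression from the .htaccess rule against constructed eppn values, using grep -E as a stand-in for the SP's regex matcher, and compares it with a variant in which the dots are escaped. The sample eppn values and the "strict" pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the ARCADE document: checks sample eppn values
# against the "require eduPersonPrincipalName ~ <regex>" rule from the
# .htaccess above, using grep -E as a stand-in for the SP's regex matcher.
# The sample eppn values and the "strict" pattern are assumptions.

# Pattern exactly as written in the .htaccess (dots are unescaped).
PATTERN_ORIG='.*@kanazawa-u.ac.jp$'
# Same rule with the dots escaped, so only the literal scope can match.
PATTERN_STRICT='.*@kanazawa-u\.ac\.jp$'

# eppn_matches PATTERN EPPN: exit status 0 when PATTERN matches EPPN.
eppn_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# decide PATTERN EPPN: prints "allow" or "deny" for one eppn.
decide() {
    if eppn_matches "$1" "$2"; then echo allow; else echo deny; fi
}

# Convenience wrappers for the two rules.
allowed_orig()   { decide "$PATTERN_ORIG"   "$1"; }
allowed_strict() { decide "$PATTERN_STRICT" "$1"; }

# Constructed sample values: a Kanazawa user, a look-alike scope where the
# unescaped dot matches a different character, a scope that merely contains
# the domain, and a user from another organization.
for eppn in 'alice@kanazawa-u.ac.jp' \
            'mallory@kanazawa-uXac.jp' \
            'bob@kanazawa-u.ac.jp.example.org' \
            'carol@other-u.ac.jp'; do
    printf '%-36s original=%-5s strict=%s\n' \
        "$eppn" "$(allowed_orig "$eppn")" "$(allowed_strict "$eppn")"
done
```

Only the look-alike scope separates the two rules: the pattern as written accepts "mallory@kanazawa-uXac.jp", the escaped one rejects it. In a GakuNin deployment the SP's attribute-policy scoping rules already reject scopes that an IdP is not entitled to assert, so the escaped pattern is a second line of defence rather than the only one, but it costs nothing and makes the rule mean what it says.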
