Secioss Identity Suite Cloud Edition SP
Secioss Identity Suite Cloud Edition is software that provides single sign-on via SAML 2.0 and OpenID 2.0, and account synchronization between sites via SOAP, in cloud computing environments.
Secioss Identity Suite Cloud Edition consists of an SP (Service Provider) and an IDP (Identity Provider). Deploying Secioss Identity Suite Cloud Edition SP (hereafter "Identity Suite Cloud SP") on a SaaS site lets you easily add the following functions to the SaaS service.
- Single sign-on
It operates as a SAML Service Provider or an OpenID Relying Party and performs single sign-on via SAML or OpenID. A SaaS application can easily integrate this single sign-on function into its own authentication through the REST API.
- Account synchronization
It provides a SOAP API for managing the SaaS application's accounts, enabling account management over SOAP and account synchronization between sites. Identity Suite Cloud SP applies the update requests it receives through the SOAP API to the SaaS application's database via LISM.
Furthermore, by deploying Secioss Identity Suite Cloud Edition IDP (hereafter "Identity Suite Cloud IDP") at an enterprise, single sign-on and account synchronization with SaaS services that run Identity Suite Cloud SP can easily be configured from the GUI management tool.
Open source project
Identity Suite Cloud SP is published as open source software under the GPL license.
- Project site: http://sourceforge.jp/projects/secioss-auth/
- Mailing list: http://lists.sourceforge.jp/mailman/listinfo/secioss-auth-users
Commercial services
For consulting and commercial support services for Identity Suite Cloud SP, please contact us here.
The following sections explain how to configure Identity Suite Cloud SP and how to use its REST API for single sign-on.
1. Installation
The recommended environment for Identity Suite Cloud SP is as follows.
- OS: CentOS 5, RedHat Enterprise Linux 5
- Web server: Apache 2.2
This guide assumes CentOS 5 Linux as the installation environment.
1.1 Configuring the EPEL repository
# wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
# rpm -ivh epel-release-5-3.noarch.rpm
1.2 Installing the required software
# yum install php-pear
# yum install php-xml
# yum install php-pear-Log
# yum install php-pear-HTTP-Request
# yum install php-Smarty
# yum install perl-LDAP
# yum install php-pecl-memcache
# yum install perl-XML-Simple
# yum install perl-Config-General
# yum install perl-Mail-Sendmail
# yum install perl-SOAP-Lite
# yum install perl-CGI-Session
1.3 memcached
# yum install memcached
# /sbin/chkconfig --level 345 memcached on
# /etc/init.d/memcached start
1.4 simpleSAMLphp
Download the software from the simpleSAMLphp site (http://code.google.com/p/simplesamlphp/) and extract it under /usr/share.
# unzip simplesamlphp_1_4.zip -d /usr/share
# mv /usr/share/simplesamlphp_1_4 /usr/share/simplesamlphp
# chown -R apache.apache /usr/share/simplesamlphp
Configure Apache so that simpleSAMLphp is reachable.
# vi /etc/httpd/conf.d/simplesamlphp.conf
Alias /simplesaml /usr/share/simplesamlphp/www
1.5 PHP OpenID Library
Download PHP OpenID Library 2 from the OpenID Enabled site (http://openidenabled.com/php-openid/) and copy it under /usr/share/pear.
# bzip2 -cd php-openid-2.1.3.tar.bz2 | tar xvf -
# cp -r php-openid-2.1.3/Auth /usr/share/pear
1.6 Identity Suite Cloud SP
Download secioss-idsuite-cloud-sp-1.0.x.tgz from http://sourceforge.jp/projects/secioss-auth/releases/.
1.6.1 Installing siscloud
Install the siscloud package bundled with secioss-idsuite-cloud-sp.
# tar zxvf secioss-idsuite-cloud-sp-1.0.x.tgz
# cd secioss-idsuite-cloud-sp-1.0.x
# tar -C /usr/share -zxvf software/siscloud-1.0.x.tgz
# mv /usr/share/siscloud-1.0.x /usr/share/siscloud
# chown -R apache.apache /usr/share/siscloud
# cp /usr/share/siscloud/cgi/* /var/www/cgi-bin
# chown apache.apache /usr/share/simplesamlphp/config
Configure Apache so that siscloud is reachable.
# vi /etc/httpd/conf.d/siscloud.conf
Alias /siscloud /usr/share/siscloud/www
1.6.2 Installing LISM
Install the LISM bundled with secioss-idsuite-cloud-sp.
# rpm -Uvh rpm/*.rpm
Note: on operating systems other than RedHat Enterprise Linux 5 and CentOS 5, compile and install the sources in the source folder.
See the LISM site for the installation procedure.
2. Configuration
2.1 Configuring SAML authentication
# cd /usr/share/simplesamlphp
# cp config-templates/config.php config
# cp config-templates/authsources.php config
# cp metadata-templates/{saml20-idp-remote.php,saml20-sp-hosted.php} metadata
# chown apache.apache metadata/*
# vi metadata/saml20-sp-hosted.php
$metadata = array(
    /*
     * Example of a hosted SP
     */
    '__DYNAMIC:1__' => array(
        'host' => '__DEFAULT__'
    )
);
Replace "__DYNAMIC:1__" with the Service Provider's ID. This ID is used as the issuer of SAML assertions and is required when configuring SAML authentication for the SaaS service in Identity Suite Cloud IDP.
2.2 Configuring Identity Suite Cloud SP
2.2.1 Authentication settings
# vi /usr/share/siscloud/conf/config.ini
memcache_host = <memcached hostname>
trust = <regular expression matching the hostnames of the servers allowed to authenticate>
Note: multiple memcached hostnames can be given, separated by spaces.
2.2.2 REST API settings
Register the user and password used to access the REST API.
# htpasswd -c /etc/httpd/conf/.htpasswd <user>
2.2.3 Account synchronization settings
Identity Suite Cloud SP accepts update requests through the SOAP API and updates the accounts in the SaaS application's database or LDAP directory via LISM.
Write the SOAP API configuration file as follows.
# vi /var/www/cgi-bin/soaplism.conf
admin = <administrative user of the account synchronization service>
adminpw = <password of the administrative user>
syncdir = <directory for LISM>
conf = <LISM configuration file>
In the LISM configuration file lism.conf, configure the database or LDAP directory to be updated.
See the LISM site for how to configure LISM.
However, account synchronization in Identity Suite Cloud SP places the following restrictions on the LISM configuration.
- Only one data target may be updated
- The value of <data><container><rdn> must be "o=lism"
Furthermore, when Identity Suite Cloud IDP is used in a multi-tenant configuration and account synchronization is performed for several enterprises, LISM must be configured so that its directory tree has the following structure.
The tenant ID is an identifier assigned to each enterprise, and each enterprise's accounts are stored beneath that entry.
This tenant ID is required in the account synchronization settings of Identity Suite Cloud IDP.
Part of a LISM configuration is shown below, taking the multi-tenant open source portal Liferay as an example.
lism.conf
<config>
  <data name="Liferay">
    <container>
      <rdn>o=lism</rdn>
    </container>
    <storage name="SQL">
      <dsn>DBI:mysql:lportal:localhost</dsn>
      <admin>admin</admin>
      <passwd>secret</passwd>
      <initquery>set names utf8</initquery>
      <object name="Tenant">
        <table>Company</table>
        <id>
          <column>companyId</column>
        </id>
        <oc>organization</oc>
        <rdn>o</rdn>
        <attr name="o">
          <column>webId</column>
        </attr>
      </object>
      <object name="User">
        <container>
          <oname>Tenant</oname>
          <joinwhere>User_.companyId = %c</joinwhere>
        </container>
        <subcontainer>
          <rdn>ou=People</rdn>
          <oc>organizationalUnit</oc>
        </subcontainer>
        <table>User_</table>
        <id>
          <column>userId</column>
        </id>
        <oc>inetOrgPerson</oc>
        <oc>organizationalPerson</oc>
        <oc>Person</oc>
        <rdn>uid</rdn>
        <attr name="uid">
          <column>screenName</column>
        </attr>
        <attr name="sn">
          <selexpr>Contact_.lastname</selexpr>
          <fromtbls>Contact_</fromtbls>
          <joinwhere>User_.contactId = Contact_.contactId</joinwhere>
        </attr>
        <attr name="givenname">
          <selexpr>Contact_.firstname</selexpr>
          <fromtbls>Contact_</fromtbls>
          <joinwhere>User_.contactId = Contact_.contactId</joinwhere>
        </attr>
        <attr name="userpassword">
          <column>password_</column>
        </attr>
        <attr name="mail">
          <column>emailAddress</column>
        </attr>
        ...
      </object>
      ...
  </data>
</config>
2.4 Log settings
Single sign-on and ID synchronization logs are written to the syslog facilities local5 and local4 respectively.
Add the following to /etc/syslog.conf and restart the syslog daemon.
local5.* -/var/log/auth.log
local4.* -/var/log/lism.log
3. REST API
3.1 IDP configuration
As the IDP configuration for SAML authentication, the information about Identity Suite Cloud IDP is sent to Identity Suite Cloud SP.
① POST the following parameters as the IDP settings.
- user: user for accessing the API
- password: password for accessing the API
- idp: issuer of the IDP server's SAML assertions
- login: URL of the IDP login page: http://<IDP hostname>/simplesaml/saml2/idp/SSOService.php
- logout: URL of the IDP logout page: http://<IDP hostname>/simplesaml/saml2/idp/SingleLogoutService.php
- certfinterprint: fingerprint generated from the IDP's SAML authentication certificate
Note: the certificate fingerprint can be generated with the following command.
# cat server.crt | openssl x509 -fingerprint
② Identity Suite Cloud SP adds the IDP configuration and returns the result as an XML response.
The response format is as follows.
<response>
<code>error code</code>
<message>message</message>
</response>
- error code: 0 on success, non-zero on error
- message: error message
3.2 Authentication
Request SAML or OpenID authentication from Identity Suite SP and receive the result.
① The user accesses the SaaS site.
② If the user is not yet authenticated, redirect to "/siscloud/saml" for SAML authentication or "/siscloud/openid" for OpenID authentication, adding the following values to the query string.
- back: URL of the SaaS site's login page
- idpentityid: for SAML authentication, the IDP identifier, i.e. the issuer of the IDP server configured in section 3.1
③ Identity Suite Cloud SP sends an authentication request to the SAML IDP (for SAML authentication) or to the OpenID OP (for OpenID authentication), and the user logs in at the IDP or OP.
④ If the user is authenticated successfully, a token (secioss_token) is POSTed via redirect to the URL given in the back query string parameter.
⑤ The SaaS site that received the token sets it in the secioss_token query string parameter and accesses "/siscloud/api/login.php".
⑥ Identity Suite Cloud SP checks the token value and returns an XML response.
The response format is as follows.
<?xml version="1.0" encoding="UTF-8"?>
<response>
<code>error code</code>
<userid>user name</userid>
<idpentityid>IDP identifier</idpentityid>
</response>
- error code: 0 on success, non-zero on error
- user name: name of the authenticated user
- IDP identifier: FQDN of the IDP server
⑦ Display the site's page.
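The registration step of section 3.1 and the SaaS-side half of the exchange in section 3.2, written out as an added Python example; this is not code from the Secioss project. The hostnames (SP_BASE, SAAS_LOGIN_URL, EXPECTED_IDP), the API user, the PEM contents and the XML responses are constructed samples, and every function name is mine. Two assumptions are built in: that the certfinterprint value is the colon-separated SHA-1 hex that `openssl x509 -fingerprint` prints after "SHA1 Fingerprint=", and that the SaaS site knows which IDP it expects, so the idpentityid in the login.php response is checked before the session is established (a token issued through another tenant's IDP is rejected).

```python
"""Added example for sections 3.1 and 3.2 (not Secioss project code).
Standard library only; nothing here touches the network."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urljoin

# Assumed deployment values (placeholders, not taken from the page).
SP_BASE = "https://sp.example.test"
SAAS_LOGIN_URL = "https://saas.example.test/login"
EXPECTED_IDP = "idp.example.test"  # the issuer registered in section 3.1


def cert_fingerprint(pem):
    """SHA-1 over the DER body of a PEM certificate, formatted like the value
    `openssl x509 -fingerprint` prints after "SHA1 Fingerprint=" (assumption:
    that is the form certfinterprint expects)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(body)
    return ":".join("%02X" % b for b in hashlib.sha1(der).digest())


def build_idp_registration(api_user, api_password, idp_issuer, idp_host, idp_cert_pem):
    """Section 3.1, step 1: the parameters to POST when registering an IDP.
    The API credentials travel in the POST body, so reach the SP over TLS."""
    return {
        "user": api_user,
        "password": api_password,
        "idp": idp_issuer,
        # URL scheme as given on the page; use https where the IDP offers it.
        "login": "http://%s/simplesaml/saml2/idp/SSOService.php" % idp_host,
        "logout": "http://%s/simplesaml/saml2/idp/SingleLogoutService.php" % idp_host,
        "certfinterprint": cert_fingerprint(idp_cert_pem),  # spelled as on the page
    }


def build_auth_redirect(back, idpentityid=None, method="saml"):
    """Section 3.2, step 2: where the SaaS site sends an unauthenticated user.
    SAML needs idpentityid (the issuer from section 3.1); OpenID does not."""
    if method not in ("saml", "openid"):
        raise ValueError("method must be 'saml' or 'openid'")
    params = {"back": back}
    if method == "saml":
        if not idpentityid:
            raise ValueError("idpentityid is required for SAML authentication")
        params["idpentityid"] = idpentityid
    return urljoin(SP_BASE, "/siscloud/" + method) + "?" + urlencode(params)


def build_token_check_url(secioss_token):
    """Section 3.2, step 5: hand the POSTed token back to login.php."""
    query = urlencode({"secioss_token": secioss_token})
    return urljoin(SP_BASE, "/siscloud/api/login.php") + "?" + query


def parse_response(xml_bytes):
    """Parse a <response> document into {tag: text}. The SP is a trusted peer,
    but a production client should still parse with entity expansion disabled
    (e.g. defusedxml) instead of stock ElementTree."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "response":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def check_login_response(xml_bytes, expected_idp):
    """Section 3.2, step 6: accept the login only for code 0, a non-empty userid
    and the IDP this site expects. Returns (True, userid) or (False, reason)."""
    try:
        fields = parse_response(xml_bytes)
    except (ET.ParseError, ValueError) as exc:
        return False, "malformed response: %s" % exc
    if fields.get("code") != "0":
        return False, "authentication failed, code %s" % fields.get("code", "missing")
    userid = fields.get("userid", "")
    if not userid:
        return False, "no userid in response"
    if fields.get("idpentityid") != expected_idp:
        return False, "unexpected idpentityid %r" % fields.get("idpentityid")
    return True, userid


# Constructed samples: a fake PEM whose body decodes to the bytes b"abc" (not a
# real certificate) and responses in the format the page documents.
FAKE_IDP_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""

SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<response>
<code>0</code>
<userid>alice</userid>
<idpentityid>idp.example.test</idpentityid>
</response>"""

SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<response><code>1</code><userid></userid><idpentityid></idpentityid></response>"""

SAMPLE_OTHER_TENANT = b"""<?xml version="1.0" encoding="UTF-8"?>
<response><code>0</code><userid>alice</userid><idpentityid>idp.other.test</idpentityid></response>"""
```

To register an IDP, POST the dictionary from build_idp_registration to the SP with any HTTP client; for the login flow, redirect the browser to build_auth_redirect(...), then fetch build_token_check_url(token) server-side when the token arrives on the back URL and create the session only if check_login_response returns True. Treating the token as opaque and letting the SP confirm it, rather than trusting the POSTed value itself, is what keeps a forged POST to the back URL from logging anyone in.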
3.3 Logout
After the SaaS site's logout processing, redirect to "/simplesaml/saml2/sp/SingleLogoutService.php".
4. Sample program
Identity Suite Cloud SP ships with sample programs for SAML and OpenID authentication.
4.1 Configuration
# vi /usr/share/siscloud/www/login_sample.php
$idp = http://<Identity Suite Cloud SP hostname>/siscloud/api/login.php
$idp = <Identity Suite Cloud IDP hostname>
4.2 Verification
Access http://<Identity Suite Cloud SP hostname>/siscloud/login_sample.php.
① Authenticate via SAML or OpenID.
- SAML authentication: click the SAML login.
- OpenID authentication: enter the OpenID URL in the OpenID URL field. If the OpenID OP is Identity Suite SP, enter http://<Identity Suite IDP hostname>/siscloud/auth/index.php.
② After login, the response from Identity Suite Cloud SP is displayed.

