# Hinweise:
# 1. Passwort ist stets "shibboleth"
# 2. Auf der VM befindet sich bereits ein LDAP-Browser (phpLDAPadmin), der bereits im Web-Browser (Firefox) als Lesezeichen verlinkt ist
# 3. Zum besseren Verständnis des lokalen Setups (idp/sp1/sp2) hilft ein Blick in /etc/hosts und die Apache-Konfiguration unter /etc/apache2/sites-enabled

sudo su

vi /etc/environment
JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64/"
JRE_HOME="/usr/lib/jvm/java-8-openjdk-amd64/jre"

exit
sudo su

cd /var/lib/tomcat8/lib
# mit dem vorinstallierten Package 1.1 kommt es zu einem Parser-Fehler
wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar

cd /opt/install
unzip shibboleth-identity-provider-3.2.0.zip
cd shibboleth-identity-provider-3.2.0
./bin/install.sh

##### !!! Aenderungen in "Hostname" und "Attribute Scope" !!! #####
Source (Distribution) Directory: [/opt/install/shibboleth-identity-provider-3.2.0]

Installation Directory: [/opt/shibboleth-idp]

Hostname: [localhost.localdomain]
idp.local
SAML EntityID: [https://idp.local/idp/shibboleth]

Attribute Scope: [localdomain]
local
Backchannel PKCS12 Password: 
Re-enter password: 
Cookie Encryption Key Password: 
Re-enter password: 
###################################################################

cd /opt/shibboleth-idp/metadata/
wget --no-check-certificate -O sp1-metadata.xml https://sp1.local/Shibboleth.sso/Metadata
wget --no-check-certificate -O sp2-metadata.xml https://sp2.local/Shibboleth.sso/Metadata

vi /opt/shibboleth-idp/conf/metadata-providers.xml
    <MetadataProvider id="SP1-Metadata"  xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/sp1-metadata.xml"/>
    <MetadataProvider id="SP2-Metadata"  xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/sp2-metadata.xml"/>

vi /opt/shibboleth-idp/conf/ldap.properties
idp.authn.LDAP.authenticator                   = bindSearchAuthenticator
idp.authn.LDAP.ldapURL                          = ldap://idp.local:389
idp.authn.LDAP.useStartTLS                     = false
idp.authn.LDAP.baseDN                           = dc=users,dc=nodomain
idp.authn.LDAP.userFilter                       = (uid={user})
idp.authn.LDAP.bindDN                           = cn=admin,dc=nodomain
idp.authn.LDAP.bindDNCredential                 = shibboleth
idp.attribute.resolver.LDAP.returnAttributes    = *

vi /opt/shibboleth-idp/conf/access-control.xml
    <util:map id="shibboleth.AccessControlPolicies">

        <!--entry key="AccessByIPAddress">
            <bean parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
        </entry-->
        <entry key="AccessByIPAddress">
            <bean parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.0/8', '::1/128'} }" />
        </entry>

    
    </util:map>


cd /opt/shibboleth-idp/conf/
cp attribute-resolver-full.xml attribute-resolver.xml
vi attribute-resolver.xml
... alle Attribute aktivieren
... LDAP-DC ohne TLS


vi /opt/shibboleth-idp/conf/attribute-filter.xml
    <!-- Release to local SPs. -->
    <AttributeFilterPolicy id="SPs-locals">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sp1.local/shibboleth" />
            <Rule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

cd /opt/shibboleth-idp/
chown -R tomcat8:tomcat8 *

/etc/init.d/tomcat8 restart
/etc/init.d/shibd restart

##### erstes Login #####
username: pingel
password: shibboleth


##### fertig :-) #####