...

  • OutOfDate: Still working but a new version is available

  • Unsupported: Out of Support

  • Secadv: Security alerts exist against this plugin

  • Withdrawn

There are no semantics associated with these beyond the fact that only Supported versions are candidates for an automatically selected update. The other states exist as (dynamic) guidance from the developer to the deployer about the state of the plugin.

GPG Trust

In order for a plugin to be installed, the distribution must be accompanied by a GPG signature. The installation process checks the correctness of this signature before it does any installation or other potentially dangerous operations. Before it can do this check, the public key needs to be available to the plugin command in a trust store. By default each plugin has its own trust store, so a key trusted for one plugin cannot be used to get a different plugin installed. Alternatively, the --truststore qualifier to the plugin command can be used to point to a central store (which you are expected to maintain).

The default location of a plugin's trust store is derived from the "pluginId" as:

Code Block
%{idp.home}/credentials/<pluginId>/truststore.asc

This is a user-editable file you may delete or add to as you wish.

A plugin author may choose to ship signing key(s) with the plugin. If the key is not found in the trust store during the signature check, you will be prompted to optionally install it:

Code Block
INFO  - TrustStore does not contain signature 0X1483F262A4B3FF0
Accept this Key:
Signature:      0X1483F262A4B3FF0
FingerPrint:    4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0
Username:       Rod Widdowson <rdw@steadingsoftware.com>
 [yN]

Note that the default operation is to refuse to install the key. A key shipped inside the distribution proves nothing about who produced that distribution, so compare the fingerprint shown in the prompt against one obtained from the plugin author through an independent channel before answering y.
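The same check can be done ahead of time rather than at the prompt. As an added example (not code from the Shibboleth project or from this page), the following POSIX shell script pre-seeds a plugin's per-plugin trust store with a key whose fingerprint has already been verified out of band, so that an unattended install with the --noPrompt qualifier never has to accept a key interactively. It assumes the key arrives as an ASCII-armoured file from a source you trust and that gpg is on the PATH; the truststore.asc path is the documented default, and the idp.home, plugin ID and key file name in the usage comment are illustrative (the fingerprint is the one shown in the prompt above).

```shell
#!/bin/sh
# Added example, not Shibboleth project code. Pre-seeds the per-plugin trust
# store with a key whose fingerprint was verified out of band, so that
# "plugin.sh -I <pluginId> --noPrompt" runs unattended and never has to
# accept a key interactively.
# Assumptions (not from the page): the key arrives as an ASCII-armoured file
# from a source you trust, and gpg is on the PATH.

# Documented default trust store: %{idp.home}/credentials/<pluginId>/truststore.asc
truststore_path() {
    # $1 = idp.home, $2 = pluginId
    printf '%s/credentials/%s/truststore.asc\n' "$1" "$2"
}

# Normalise a fingerprint for comparison: drop spaces and any 0x prefix, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Import an armoured key file into the current GNUPGHOME and print the
# fingerprints it contains, one per line (colon format, record type "fpr").
key_fingerprints() {
    gpg --batch --quiet --import "$1" 2>/dev/null || return 1
    gpg --batch --with-colons --list-keys --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10 }'
}

# $1 = idp.home, $2 = pluginId, $3 = pinned fingerprint, $4 = armoured key file
pin_key_into_truststore() {
    expected=$(normalize_fpr "$3")
    store=$(truststore_path "$1" "$2")

    # Throwaway keyring so nothing already trusted on this host influences the check.
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT

    if ! key_fingerprints "$4" | grep -qx "$expected"; then
        echo "refusing: $4 does not contain a key with fingerprint $expected" >&2
        return 1
    fi

    # Append only the key that matched the pin, never the whole input file.
    mkdir -p "$(dirname "$store")"
    gpg --batch --armor --export "$expected" >> "$store"
    echo "pinned $expected into $store"
}

# Usage (paths and file name illustrative; fingerprint as shown in the prompt on this page):
#   pin_key_into_truststore /opt/shibboleth-idp net.shibboleth.idp.plugin.rhino \
#       4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0 signer.asc
#   /opt/shibboleth-idp/bin/plugin.sh -I net.shibboleth.idp.plugin.rhino --noPrompt
# The install still verifies the distribution's signature; it just no longer asks.
if [ "$#" -eq 4 ]; then
    pin_key_into_truststore "$@"
fi
```

Because the export is keyed on the pinned fingerprint, a key file that happens to bundle extra keys cannot smuggle them into the trust store; only the one you pinned is appended, and the install then fails closed under --noPrompt if the distribution was signed by anything else.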

The 'plugin' Command

All plugin manipulation (except trust store maintenance) is done via the plugin command. Operations fall into two broad categories.

Plugin Discovery and Automated Installation

Information about plugins is always kept separate from the plugin itself. This same information can be used to discover which plugins are available at a given URL; the -L qualifier will list them. This defaults to the URL shared by all plugins developed by the Shibboleth Team (and documented here); the --updateURL qualifier allows other locations to be used. It should be emphasised that the versioning is purely a statement of API compatibility, not support. The fact that a plugin version is “Current” is purely a statement that “This is the best version to run with this version of the IdP”.

The only plugin versions supported by the Shibboleth Project are those which are marked Current for a supported version of the IdP.

...

These define which operation to perform.

Short  Long              Parameter    Description
-i     --install         File or URL  Install the plugin from the given file or URL
-u     --update          PluginId     Update the installed plugin
-r     --remove          PluginId     Remove the installed plugin
-l     --list                         Enumerate all installed plugins
-fl    --full-list                    Give full version details for all installed plugins
-cl    --contents-list   PluginId     List all files installed by the specified plugin
-L     --list-available               List available plugins (i.e. discover plugins which can be downloaded and installed).
                                      Use --updateURL to specify the source for plugins not provided by the Shibboleth Project
-I     --install-ID      PluginId     Install a plugin by its ID. The plugin must be available at the default endpoint
                                      (or the one specified by --updateURL)
       --noCheck                      Do not check for compatibility with the current IdP version
       --updateURL       URL          Specify the update URL (for -L, -I, or to override the plugin-provided value)
       --license         PluginId     Output the license information for the specified plugin

Other Qualifiers

These provide extra/advanced options for the command:

Short  Long              Parameter       Description
       --verbose                         Verbose logging
       --quiet                           Quiet logging
       --logConfig       a logback file  Specify a file to use to control the logging of the plugin command
       --version                         Output the version of the plugin command
       --propertyFiles   file list       Any property files that are to be included when parsing a Spring file input (see below)
       --noPrompt                        Use for unattended installs. If specified, the install will fail rather than require input
       --truststore      path            Path to the (non-default) trust store file used during installs and updates. See above
       --noRebuild                       If set, the war file is not rebuilt after the installation
-fu    --force-update    Version         Used with the -u qualifier to force the update (or downgrade) to a specific version
-hc    --http-client     Bean ID         Allows specification of an HTTP client bean used to download updates (or perform any
                                         related Module operation). For details on wiring up a client bean, refer to the
                                         HttpClientConfiguration topic
-hs    --http-security   Bean ID         Only used if the plugin installer needs to invoke a module operation; allows security
                                         customization of the HTTP operation(s)

Optional Parameter

Finally, the plugin command can take one additional bare parameter: the path to a file which contains any native Spring bean definitions that may be needed. This is typically only required for the -hc and -hs qualifiers to perform advanced customization of HTTP operations, and should be rare.

Using an HTTP proxy is the only typical case where this should be needed, e.g.:

Example HTTP Client with proxy settings
Code Block
languagexml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

       default-init-method="initialize" default-destroy-method="destroy">

    <bean id="customHttpClient" parent="shibboleth.HttpClientFactory"
        p:connectionProxyHost="proxy.example.org"
        p:connectionProxyPort="80" />

</beans>

Examples

Install from a file
Code Block
languagebash
/idp/bin$ ./plugin.sh -i /mnt/h/Perforce/Juno/New/plugins/java-idp-plugin-scripting/rhino-dist/target/shibboleth-idp-plugin-rhino-0.1.4-SNAPSHOT.tar.gz
INFO  - TrustStore does not contain signature 0X1483F262A4B3FF0
Accept this Key:
Signature:      0X1483F262A4B3FF0
FingerPrint:    4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0
Username:       Rod Widdowson <rdw@steadingsoftware.com>
 [yN]y
INFO  - Installing Plugin net.shibboleth.idp.plugin.rhino version 0.1.4
INFO  - Rebuilding /home/rdw/idp/war/idp.war, Version 4.1.0-SNAPSHOT
INFO  - Initial populate from /home/rdw/idp/dist/webapp to /home/rdw/idp/webpapp.tmp
INFO  - Overlay from /home/rdw/idp/dist/plugin-webapp to /home/rdw/idp/webpapp.tmp
INFO  - Overlay from /home/rdw/idp/edit-webapp to /home/rdw/idp/webpapp.tmp
INFO  - Creating war file /home/rdw/idp/war/idp.war

rdw@DELL10:~/idp/bin$ ./plugin.sh -l
Plugin: net.shibboleth.idp.plugin.rhino Current Version: 0.1.4

rdw@DELL10:~/idp/bin$ ./plugin.sh -cl net.shibboleth.idp.plugin.rhino
/home/rdw/idp/dist/plugin-webapp/WEB-INF/lib/idp-plugin-rhino-impl-0.1.4-SNAPSHOT.jar
/home/rdw/idp/dist/plugin-webapp/WEB-INF/lib/idp-plugin-scripting-api-0.1.4-SNAPSHOT.jar
/home/rdw/idp/dist/plugin-webapp/WEB-INF/lib/rhino-1.7.13.jar
rdw@DELL10:~/idp/bin$

Full list of installed plugins
Code Block
languagebash
/idp/bin$ ./plugin.sh -fl
Plugin: net.shibboleth.idp.plugin.rhino Current Version: 0.1.4
        Versions
        0.1.3:  Min=4.1.0       Max=5.0.0       Support level: Withdrawn
...
rdw@DELL10:~/idp/bin$

Discover and automated install (4.2)
Code Block
languagebash
rdw@DELL10:~/idp/bin$ ./plugin.sh  -L
Plugin net.shibboleth.idp.plugin.authn.totp: version 1.0.0 available for install
Plugin net.shibboleth.idp.plugin.oidc.op: version 3.0.1 available for install
Plugin net.shibboleth.idp.plugin.metadatagen: version 0.1.1 available for install
Plugin net.shibboleth.idp.plugin.authn.duo.nimbus: version 1.1.1 available for install
Plugin net.shibboleth.idp.plugin.nashorn: Installed version 1.1.0: No update available
Plugin net.shibboleth.oidc.common: version 1.1.0 available for install
rdw@DELL10:~/idp/bin$ ./plugin.sh  -I net.shibboleth.idp.plugin.authn.totp
.....
rdw@DELL10:~/idp/bin$ ./plugin.sh  -l
Plugin: net.shibboleth.idp.plugin.nashorn       Current Version: 1.1.0
Plugin: net.shibboleth.idp.plugin.authn.totp    Current Version: 1.0.0
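The -fl output is the only place the support level of an installed version surfaces, and nothing in the plugin command itself alerts the deployer when that level becomes Secadv. As an added example (not code from the Shibboleth project or from this page), the following POSIX shell script parses -fl output and fails when any installed version is in a state other than Current, so it can gate a deployment pipeline. It assumes that -fl lists every version it knows about under "Versions" in the layout shown above, including the installed one, and that the healthy state is reported as "Current"; the sample output embedded in the script is constructed for this example.

```shell
#!/bin/sh
# Added example, not Shibboleth project code. Turns "plugin.sh -fl" output into a
# pass/fail check so a deployment pipeline notices when an installed plugin
# version is no longer Current (OutOfDate, Unsupported, Secadv, Withdrawn).
# Assumption (not stated on the page): -fl lists every version it knows about
# under "Versions", including the installed one, in the layout shown above.

# Read -fl output on stdin; print "<pluginId> <installedVersion> <supportLevel>" per plugin.
installed_support_levels() {
    awk '
        /^Plugin: / {                       # "Plugin: <id> Current Version: <ver>"
            id = $2; installed[id] = $NF
            level[id] = "Unknown"; order[++n] = id
        }
        /Support level:/ {                  # "<ver>:  Min=... Max=... Support level: <level>"
            v = $1; sub(/:$/, "", v)
            if (v == installed[id]) level[id] = $NF
        }
        END {
            for (i = 1; i <= n; i++) print order[i], installed[order[i]], level[order[i]]
        }
    '
}

# Print only plugins whose installed version is not Current; empty output means all good.
unsupported_installed() {
    installed_support_levels | awk '$3 != "Current"'
}

# Exit status 1 if anything is not Current; Secadv is called out separately
# because it means a published security alert applies to the running code.
check_plugin_support() {
    bad=$(unsupported_installed)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" | while read -r id ver lvl; do
        case $lvl in
            Secadv) echo "SECURITY: $id $ver has a security alert against it" >&2 ;;
            *)      echo "WARN: $id $ver support level is $lvl" >&2 ;;
        esac
    done
    return 1
}

# Constructed sample in the -fl layout: one plugin still on a withdrawn version, one healthy.
SAMPLE_FL='Plugin: net.shibboleth.idp.plugin.rhino Current Version: 0.1.3
        Versions
        0.1.3:  Min=4.1.0       Max=5.0.0       Support level: Withdrawn
        0.1.4:  Min=4.1.0       Max=5.0.0       Support level: Current
Plugin: net.shibboleth.idp.plugin.nashorn Current Version: 1.1.0
        Versions
        1.1.0:  Min=4.1.0       Max=5.0.0       Support level: Current'

# Live use:  "$IDP_HOME"/bin/plugin.sh -fl | check_plugin_support
# Demo run:  sh check-plugins.sh --demo   (exits 1, reporting the withdrawn rhino 0.1.3)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_FL" | check_plugin_support
fi
```

Treat an "Unknown" result (installed version missing from the Versions list) as a failure too: it usually means the update metadata no longer describes what you are running, which is exactly the situation in which a Secadv flag would never reach you.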

Troubleshooting

On Windows a plugin update may fail with the error

Code Block
java.nio.file.DirectoryNotEmptyException: <PathToIdpHome>\.....

This is due to a restriction in some versions of the Java runtime library around renaming directories between DOS devices. If you hit this problem you need to let the installer use a temporary directory on the same DOS device (volume) as your IdP installation. You do this by setting the java.io.tmpdir property when running the plugin command.

So, assuming an IdP installation on DOS device F:\

Code Block
F:\opt\idp\bin> mkdir f:\tmp\
F:\opt\idp\bin> SET JAVA_OPTS=-Djava.io.tmpdir=F:\tmp
F:\opt\idp\bin> plugin.bat -i <usual command line>