== Install Shibboleth ==

Since grinnell doesn't have access to any repositories with the Shibboleth RPMs, I manually downloaded the RPMs from here: http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/x86_64/.

{{{
libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm
liblog4shib1-1.0.6-1.1.el6.x86_64.rpm
libsaml8-2.5.2-1.1.el6.x86_64.rpm
libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm
libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm
libxmltooling6-1.5.2-1.1.el6.x86_64.rpm
opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm
shibboleth-2.5.1-1.2.el6.x86_64.rpm
xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
}}}

Note that unixODBC was a dependency that I installed via yum. It had another dependency (libtool-ltdl) that was installed automatically.

{{{
[root@grinnell tmp]# yum install unixODBC
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unixODBC.x86_64 0:2.2.14-12.el6_3 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: unixODBC-2.2.14-12.el6_3.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.2.6-15.5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
 Package              Arch          Version                   Repository                    Size
=========================================================================================================
Installing:
 unixODBC             x86_64        2.2.14-12.el6_3           rhel-x86_64-server-6         378 k
Installing for dependencies:
 libtool-ltdl         x86_64        2.2.6-15.5.el6            rhel-x86_64-server-6          44 k

Transaction Summary
=========================================================================================================
Install       2 Package(s)

Total download size: 422 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/2): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm                                    |  44 kB     00:00
(2/2): unixODBC-2.2.14-12.el6_3.x86_64.rpm                                       | 378 kB     00:00
----------------------------------------------------------------------------------------------------------------------------
Total                                                                   1.9 MB/s | 422 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : libtool-ltdl-2.2.6-15.5.el6.x86_64                                            1/2
  Installing     : unixODBC-2.2.14-12.el6_3.x86_64                                               2/2
  Verifying      : unixODBC-2.2.14-12.el6_3.x86_64                                               1/2
  Verifying      : libtool-ltdl-2.2.6-15.5.el6.x86_64                                            2/2

Installed:
  unixODBC.x86_64 0:2.2.14-12.el6_3

Dependency Installed:
  libtool-ltdl.x86_64 0:2.2.6-15.5.el6

Complete!
[root@grinnell tmp]# rpm -iv libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm liblog4shib1-1.0.6-1.1.el6.x86_64.rpm libsaml8-2.5.2-1.1.el6.x86_64.rpm libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm libxmltooling6-1.5.2-1.1.el6.x86_64.rpm opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm shibboleth-2.5.1-1.2.el6.x86_64.rpm xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
warning: libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7d0a1b3d: NOKEY
Preparing packages for installation...
libxerces-c-3_1-3.1.1-2.4.el6
libxml-security-c17-1.7.0-1.3.el6
liblog4shib1-1.0.6-1.1.el6
libcurl-openssl-7.30.0-1.1.el6
libxmltooling6-1.5.2-1.1.el6
libsaml8-2.5.2-1.1.el6
xmltooling-schemas-1.5.2-1.1.el6
opensaml-schemas-2.5.2-1.1.el6
shibboleth-2.5.1-1.2.el6
}}}

== Configure Shibboleth ==

 1. Add the metadata for the UA IdP to a new file called /etc/shibboleth/alaska-metadata.xml. It just needs to contain a single EntityDescriptor element for the UA IdP, which can be copied from the InCommon metadata, wrapped in an EntitiesDescriptor element. Note that I would have simply referenced the InCommon metadata from the SP, but grinnell doesn't have access to connect to the InCommon site to retrieve it. Therefore, I created a local copy.
 2. In the /etc/shibboleth/shibboleth2.xml file:
   a. Set the entityID of the SP, and add "bannerid" to the front of the REMOTE_USER values. This is done so that REMOTE_USER is set to the authenticated user's BannerID, which is then passed to Tomcat and made available to the Grouper UI. Authentication in the Grouper UI will work if REMOTE_USER is either the subject id (which is the case here) or a subject identifier.
{{{ }}}
   b. Add the reference to the metadata file. Replace the following:
{{{ }}}
   .. with this:
{{{ }}}
   c. Add the entityID of the IdP. Replace the following:
{{{
SAML2 SAML1
}}}
   .. with this:
{{{
SAML2 SAML1
}}}
 3. In the /etc/shibboleth/attribute-map.xml file, add the mapping for the BannerID attribute.
{{{ }}}
 4. Restart the SP:
{{{
[root@grinnell shibboleth]# /etc/init.d/shibd restart
Stopping shibd:                                            [  OK  ]
Starting shibd: /sbin/restorecon:  Warning no default label for /var/run/shibboleth/shibd.pid   [  OK  ]
}}}

== Configure Apache ==

 1. Configure mod_proxy_ajp. Add the file /etc/httpd/conf.d/proxy_ajp.conf with the contents:
{{{
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /grouper/ ajp://localhost:8009/grouper/
}}}
 2. Add the following to the end of /etc/httpd/conf.d/shib.conf to require Shibboleth:
{{{
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
}}}
 3. Restart Apache:
{{{
[root@grinnell conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@grinnell conf.d]#
}}}

== Configure Tomcat ==

 1. In the file /etc/tomcat6/server.xml, make sure the AJP connector listening on port 8009 is not commented out and make sure request.tomcatAuthentication is set to false.
{{{ }}}
 2. Restart Tomcat:
{{{
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]
}}}
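With tomcatAuthentication set to false, Tomcat stops authenticating on its own and accepts the REMOTE_USER that the AJP client (here, Apache with mod_shib) hands it. That is exactly what lets the BannerID flow into the Grouper UI, but it also means the AJP connector must be reachable only from the local Apache: a connector on port 8009 that listens on every interface would accept a REMOTE_USER from any host that can reach it. The following script is an added example (not part of this wiki page or of the Grouper/Shibboleth projects) that reads a server.xml, ignores commented-out connectors, and fails if a live AJP/1.3 connector with tomcatAuthentication="false" is not bound to loopback via the address attribute. It assumes Tomcat's stock double-quoted attribute style; the sample server.xml inside demo is constructed, not grinnell's real file.

```shell
#!/bin/sh
# Added example, not the wiki page's own configuration: verify that an AJP
# connector that trusts the upstream's REMOTE_USER is bound to loopback.
# Assumption: attributes are double-quoted, as in Tomcat's stock server.xml.

# Read XML on stdin and emit it as one line with <!-- ... --> comments removed,
# so a commented-out connector is not mistaken for a live one.
strip_xml_comments() {
    tr '\n' ' ' | awk '{
        s = $0; out = ""
        while ((i = index(s, "<!--")) > 0) {
            out = out substr(s, 1, i - 1)
            s = substr(s, i + 4)
            j = index(s, "-->")
            if (j == 0) { s = ""; break }
            s = substr(s, j + 3)
        }
        print out s
    }'
}

# Print "port|tomcatAuthentication|address" for every live AJP/1.3 connector
# found on stdin (empty fields when the attribute is absent).
ajp_connectors() {
    strip_xml_comments | awk '
    function attr(el, name,    m) {
        # whitespace before the name keeps "port" from matching redirectPort
        if (match(el, "[ \t]" name "=\"[^\"]*\"")) {
            m = substr(el, RSTART, RLENGTH)
            sub("^[^\"]*\"", "", m); sub("\"$", "", m)
            return m
        }
        return ""
    }
    {
        n = split($0, parts, "<Connector")
        for (k = 2; k <= n; k++) {
            el = parts[k]
            sub(/>.*/, "", el)            # keep this element'"'"'s attributes only
            if (el !~ /AJP\/1\.3/) continue
            print attr(el, "port") "|" attr(el, "tomcatAuthentication") "|" attr(el, "address")
        }
    }'
}

# ajp_connector_safe FILE
# Returns 0 when every live AJP connector with tomcatAuthentication="false"
# listens on loopback only; otherwise prints the offending ports and returns 1.
ajp_connector_safe() {
    bad=$(ajp_connectors < "$1" | while IFS='|' read -r port auth addr; do
        case "$auth:$addr" in
            false:127.0.0.1|false:::1|false:localhost) ;;
            false:*) echo "port ${port:-?} trusts REMOTE_USER but address=${addr:-(all interfaces)}" ;;
        esac
    done)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf 'UNSAFE AJP connector:\n%s\n' "$bad" >&2
    return 1
}

# Stand-alone demo on a constructed server.xml: one commented-out connector,
# one HTTP connector, and an AJP connector first exposed and then fixed.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<Server><Service name="Catalina">
  <!-- <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" /> -->
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             tomcatAuthentication="false" />
</Service></Server>
EOF
    ajp_connector_safe "$f" || echo "exposed connector rejected, as expected"
    cat > "$f" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             redirectPort="8443" tomcatAuthentication="false" />
</Service></Server>
EOF
    ajp_connector_safe "$f" && echo "loopback-bound connector accepted"
    rm -f "$f"
}

demo
# On the real host: ajp_connector_safe /etc/tomcat6/server.xml
```

Binding the connector to 127.0.0.1 matches the ProxyPass target in proxy_ajp.conf (ajp://localhost:8009/), so nothing about the Apache side needs to change; a host firewall rule on port 8009 is a reasonable second layer but not a substitute for the bind address.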
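Going back to the install step: the rpm -iv transcript shows "Header V3 DSA/SHA1 Signature, key ID 7d0a1b3d: NOKEY", which means rpm could see a signature on the downloaded packages but had no public key to verify it against, so the packages were installed unverified. The script below is an added example (not from this page or the openSUSE build service) of the check a practitioner would want between downloading and installing: import the repository's signing key from a file, run rpm -K on every package, and refuse to continue unless a real pgp/gpg signature verified. The key file path is a placeholder; the output lines in the comments and tests are constructed in the format rpm 4.x prints.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands: gate a manual 'rpm -iv' on
# signature verification instead of installing through a NOKEY warning.
# Assumes the rpm command and the vendor's public key saved locally.

# sig_line_ok LINE
# Accept one line of 'rpm -K' output only if a signature actually verified:
#   - the verdict must be "OK", not "NOT OK"
#   - no "MISSING KEYS" (this is what the NOKEY warning turns into under -K)
#   - a pgp/gpg token must be present: a line like "sha1 md5 OK" means only
#     the digests matched, i.e. the package is unsigned and proves no origin.
sig_line_ok() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *"not ok"*|*"missing keys"*) return 1 ;;
    esac
    case "$line" in
        *" ok") ;;                 # verdict present and positive
        *) return 1 ;;
    esac
    case "$line" in
        *pgp*|*gpg*) return 0 ;;   # a signature, not just digests, was checked
        *) return 1 ;;
    esac
}

# verify_rpms KEYFILE RPM...
# Import the vendor key (placeholder path; obtain it out of band and check its
# fingerprint), then verify every package. Returns 1 if any package fails.
verify_rpms() {
    keyfile=$1; shift
    rpm --import "$keyfile" || return 1
    bad=0
    for f in "$@"; do
        out=$(rpm -K "$f" 2>&1) || true   # rpm -K exits non-zero on NOT OK
        if sig_line_ok "$out"; then
            echo "verified: $f"
        else
            echo "REJECTED: $out" >&2
            bad=1
        fi
    done
    return $bad
}

# Usage on the target host (key path is a placeholder):
#   verify_rpms /tmp/shibboleth-repo.key /tmp/*.rpm && rpm -iv /tmp/*.rpm
```

Running the check before rpm -iv turns the warning into a hard stop, and keeping the imported key in the rpm database means later updates from the same repository verify automatically.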