wiki:GrouperUIInstall

Version 3 (modified by uaguest_SPatel1@…, 11 years ago)


Install Shibboleth

Since grinnell doesn't have access to any repositories with the Shibboleth RPMs, I manually downloaded the RPMs from here: http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/x86_64/.

libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm
liblog4shib1-1.0.6-1.1.el6.x86_64.rpm
libsaml8-2.5.2-1.1.el6.x86_64.rpm
libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm
libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm
libxmltooling6-1.5.2-1.1.el6.x86_64.rpm
opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm
shibboleth-2.5.1-1.2.el6.x86_64.rpm
xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm

Note that unixODBC was a dependency that I installed via yum. It had another dependency that was installed automatically.

[root@grinnell tmp]# yum install unixODBC
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unixODBC.x86_64 0:2.2.14-12.el6_3 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: unixODBC-2.2.14-12.el6_3.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.2.6-15.5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
 Package                Arch             Version                    Repository                      Size
=========================================================================================================
Installing:
 unixODBC               x86_64           2.2.14-12.el6_3            rhel-x86_64-server-6           378 k
Installing for dependencies:
 libtool-ltdl           x86_64           2.2.6-15.5.el6             rhel-x86_64-server-6            44 k

Transaction Summary
=========================================================================================================
Install       2 Package(s)

Total download size: 422 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/2): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm                                                        |  44 kB     00:00
(2/2): unixODBC-2.2.14-12.el6_3.x86_64.rpm                                                           | 378 kB     00:00
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                       1.9 MB/s | 422 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libtool-ltdl-2.2.6-15.5.el6.x86_64                                                                       1/2
  Installing : unixODBC-2.2.14-12.el6_3.x86_64                                                                          2/2
  Verifying  : unixODBC-2.2.14-12.el6_3.x86_64                                                                          1/2
  Verifying  : libtool-ltdl-2.2.6-15.5.el6.x86_64                                                                       2/2

Installed:
  unixODBC.x86_64 0:2.2.14-12.el6_3

Dependency Installed:
  libtool-ltdl.x86_64 0:2.2.6-15.5.el6

Complete!
[root@grinnell tmp]#
[root@grinnell tmp]# rpm -iv libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm liblog4shib1-1.0.6-1.1.el6.x86_64.rpm libsaml8-2.5.2-1.1.el6.x86_64.rpm libxerces-c-3_1-3.1.1-2.4.el6.x86_64.rpm libxml-security-c17-1.7.0-1.3.el6.x86_64.rpm libxmltooling6-1.5.2-1.1.el6.x86_64.rpm opensaml-schemas-2.5.2-1.1.el6.x86_64.rpm shibboleth-2.5.1-1.2.el6.x86_64.rpm xmltooling-schemas-1.5.2-1.1.el6.x86_64.rpm
warning: libcurl-openssl-7.30.0-1.1.el6.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 7d0a1b3d: NOKEY
Preparing packages for installation...
libxerces-c-3_1-3.1.1-2.4.el6
libxml-security-c17-1.7.0-1.3.el6
liblog4shib1-1.0.6-1.1.el6
libcurl-openssl-7.30.0-1.1.el6
libxmltooling6-1.5.2-1.1.el6
libsaml8-2.5.2-1.1.el6
xmltooling-schemas-1.5.2-1.1.el6
opensaml-schemas-2.5.2-1.1.el6
shibboleth-2.5.1-1.2.el6

Configure Shibboleth

  1. Add the metadata for the UA IdP to a new file called /etc/shibboleth/alaska-metadata.xml. It just needs to contain a single EntityDescriptor element for the UA IdP, which can be copied from the InCommon metadata, wrapped in an EntitiesDescriptor element. Note that I would have simply referenced the InCommon metadata from the SP, but grinnell cannot connect to the InCommon site to retrieve it, so I created a local copy.
  1. In the /etc/shibboleth/shibboleth2.xml file:
     1. Set the entityID of the SP, and add "bannerid" to the front of the REMOTE_USER values. This is done so that REMOTE_USER is set to the authenticated user's BannerID, which is then passed to Tomcat and available to the Grouper UI. Authentication in the Grouper UI will work if REMOTE_USER is either the subject id (which is the case here) or a subject identifier.
    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://grinnell.alaska.edu/shibboleth"
                         REMOTE_USER="bannerid eppn persistent-id targeted-id">
     1. Add the reference to the metadata file. Replace the following:
        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" file="partner-metadata.xml"/>
        -->

.. with this:

        <MetadataProvider type="XML" file="alaska-metadata.xml"/>
     1. Add the entityID of the IdP. Replace the following:
            <SSO entityID="https://idp.example.org/idp/shibboleth"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2 SAML1
            </SSO>

.. with this:

            <SSO entityID="urn:mace:incommon:alaska.edu"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2 SAML1
            </SSO>
  1. In the /etc/shibboleth/attribute-map.xml file, add the mapping for the BannerID attribute.
    <Attribute name="urn:mace:alaska.edu:attributes:bannerid" id="bannerid" />
  1. Restart the SP:
[root@grinnell shibboleth]# /etc/init.d/shibd restart
Stopping shibd:                                            [  OK  ]
Starting shibd: /sbin/restorecon:  Warning no default label for /var/run/shibboleth/shibd.pid
                                                           [  OK  ]
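The first step above (copying one EntityDescriptor out of the InCommon aggregate into a local EntitiesDescriptor) is easy to get wrong by hand; the script below is an added example, not part of the original page, that does the extraction with Python's standard XML library. The aggregate it works on is a constructed stand-in for the InCommon metadata, and the idp.example.edu location inside it is a placeholder.

```python
# Added example (not from the original wiki page): build a local
# alaska-metadata.xml-style file by extracting one IdP's EntityDescriptor
# from a metadata aggregate and wrapping it in an EntitiesDescriptor.
# Caveat: the aggregate's XML signature covers the whole EntitiesDescriptor,
# so it does not survive this extraction. Verify the aggregate's signature
# before extracting and protect the local copy's integrity (permissions,
# change control), since the SP will trust whatever it finds in this file.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample aggregate: two IdPs, only one of which is wanted.
SAMPLE_AGGREGATE = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:incommon:alaska.edu">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_idp(aggregate_xml: str, entity_id: str) -> str:
    """Return a standalone EntitiesDescriptor holding exactly the one
    EntityDescriptor whose entityID matches. Raises if it is absent or
    duplicated, so a typo in the entityID fails loudly instead of
    silently producing a metadata file the SP cannot use."""
    root = ET.fromstring(aggregate_xml)
    matches = [e for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")
               if e.get("entityID") == entity_id]
    if len(matches) != 1:
        raise ValueError(f"expected 1 EntityDescriptor for {entity_id}, found {len(matches)}")
    wrapper = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", Name="local-copy")
    wrapper.append(matches[0])
    return ET.tostring(wrapper, encoding="unicode")


def entity_ids(metadata_xml: str) -> list:
    """List the entityIDs in a metadata document (a quick post-write sanity check)."""
    root = ET.fromstring(metadata_xml)
    return [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]


if __name__ == "__main__":
    # Redirect this to /etc/shibboleth/alaska-metadata.xml on the SP host.
    print(extract_idp(SAMPLE_AGGREGATE, "urn:mace:incommon:alaska.edu"))
```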

Configure Apache

  1. Configure mod_proxy_ajp. Add the file /etc/httpd/conf.d/proxy_ajp.conf with the contents:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

ProxyPass /grouper/ ajp://localhost:8009/grouper/
  1. Add the following to the end of /etc/httpd/conf.d/shib.conf to require Shibboleth authentication:
<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
  1. Restart Apache
[root@grinnell conf.d]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@grinnell conf.d]#

Configure Tomcat

  1. In the file /etc/tomcat6/server.xml, make sure the AJP connector listening on port 8009 is not commented out and make sure request.tomcatAuthentication is set to false.
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" request.tomcatAuthentication="false" />
  1. Restart Tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 stop
Stopping tomcat6:                                          [  OK  ]
[root@grinnell tomcat6]# ps -ef | grep -i tomcat
root     18377  7627  0 09:21 pts/3    00:00:00 grep -i tomcat
[root@grinnell tomcat6]# /etc/init.d/tomcat6 start
Starting tomcat6:                                          [  OK  ]