== [[/|Shibboleth]] / Setup iTunesU Transfer Script SP ==

This page documents the setup of the iTunesU transfer script and associated integration components. The integration consists of a perl script and a logical SP that is running on the same OS instance as the CAS/SHIB implementation.

1. Configure Apache
{{{
[sxjpm@alligator ~]$ vi /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
ServerName casshib.alaska.edu:443
...
    # iTunesU Integration Pieces
    Alias /itunesu /var/www/html/itunesu
    <Directory /var/www/html/itunesu>
        DirectoryIndex index.pl
        Options +ExecCGI
        AddHandler cgi-script .pl
    </Directory>
    <Location /itunesu>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId itunesu
        require valid-user
    </Location>
</VirtualHost>
}}}

2. Configure Shibboleth Logical SP
{{{
[sxjpm@alligator ~]$ vi /etc/shibboleth/shibboleth2.xml
...
        <!-- iTunesU Integration Stuff -->
        <ApplicationOverride id="itunesu" entityID="https://casshib.alaska.edu/itunesu">
            <Sessions lifetime="28800" timeout="3600"
                checkAddress="false" handlerURL="/itunesu/Shibboleth.sso" />
        </ApplicationOverride>
...
}}}

3. Generate Shibboleth Logical SP Metadata [[br]] Note that the md:AssertionConsumerService tags need to have their URLs tweaked before submitting the metadata to the IdP. The value 'itunesu/' must be inserted before the 'Shibboleth.sso' value.
{{{
[sxjpm@alligator ~]$ cd /etc/shibboleth/
[sxjpm@alligator shibboleth]$ ./metagen.sh -h casshib.alaska.edu -e https://casshib.alaska.edu/itunesu
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://casshib.alaska.edu/itunesu">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://casshib.alaska.edu/Shibboleth.sso/DS" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIIC+jCCAeKgAwIBAgIJAJCjNskusfKlMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV
BAMTEWFtYXpvbi5hbGFza2EuZWR1MB4XDTEwMTAyMDIzMTYzOVoXDTIwMTAxNzIz
MTYzOVowHDEaMBgGA1UEAxMRYW1hem9uLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDYNn6n8nATxM6TCF/4B0SBqfxMZ0U5S21XpGV1
KjDpFvJzbYKKiZqFFS/utprcPnBTRtxklrCZTQ9TzAkqcyKy7yu10UjU3LE90nD5
ap7XLL/ubvbzNZt7ExWq0MmUP+RoIxw0OarCd3l73+0gQjrbbOFoHDsKnVP/ecqm
ihwq5y+0wYKaWJ0a8X66iqXDlxWncpA2fheSvCpJuQ0SFNP1UM+xB+rVqoV6Rsiq
LBPPfNTxKw2Wo6LdzegLWr6IYEsekz8vUEtlPFu5O4WCNCoxkuD1LZVOckGyf8Cl
FN3F584npoh9qYut2nof/FXlcyt8y/FQy3IveIUaHxOZ5IfDAgMBAAGjPzA9MBwG
A1UdEQQVMBOCEWFtYXpvbi5hbGFza2EuZWR1MB0GA1UdDgQWBBR1r8eS+S/LgBlN
/1M5ABOrjaySTDANBgkqhkiG9w0BAQUFAAOCAQEAv2P882jFULso1XAM1nJDX3YF
DW1oQGPNEdDh44x5QWWnBRCR9/BEajtjRGFwP4IjEt4by4YXbLT3EoSvdR6eviAF
vfVZA95Gm8ar/PMoJo9vWwd2pRHNC+h9E/bYblRV6tGVkfrDd4OjjsugvQfUAbu+
Gg0oyojg+QoZ9Ig7H++PEpQkfNIetFFautM4MGFD098pa03n+p5cUpczC32MT9D+
vvXYnBAlD0XqEos0m0oJbe3chCBkgP72tMl7/P5ty76QiXwLwWI/J1wwZxbiyRMV
BAgIj3qYzIkpe0BFLXjRp9u489Ixq2eoxWVnFnW1EJq5ygjvqP7KGcXNQYExJQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!--
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/Artifact"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/SOAP"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/Redirect"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/POST"/>
    <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/Artifact"/>
    -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/ECP" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML/POST" index="5"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML/Artifact" index="6"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
}}}

4. Submit the modified metadata to the IdP [[br]] Refer to the https://iam.alaska.edu/shib/wiki/SetupSpRelyParty article for more info.

5. Request the eduPersonPrincipalName and eduPersonEntitlement attributes and configure the Shibboleth Logical SP attribute map.[[br]] See the https://iam.alaska.edu/shib/wiki/SetupSpAttrRelease wiki article for more information on releasing attributes.
{{{
[sxjpm@alligator shibboleth]$ vi /etc/shibboleth/attribute-map.xml
...
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="shibattr-eppn">
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="shibattr-eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
...
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
...
}}}

6. Setup the Apple iTunesU transfer script[[br]] The iTunesU base transfer script can be downloaded from Apple here: http://images.apple.com/support/itunes_u/docs/iTunes_U_Code_Samples.zip The support center can provide the correct values for the $siteURL, $debugSuffix, and $sharedSecret values. The $ENV values come from the attribute mapping in the Shibboleth Logical SP.
{{{
[sxjpm@alligator shibboleth]$ cp ~/CodeSamples/Perl/ITunesU.pl /var/www/html/itunesu/index.pl
[sxjpm@alligator shibboleth]$ vi /var/www/html/itunesu/index.pl
...
    # Define your site's information. Replace these
    # values with ones appropriate for your site.
    my $siteURL = "http://deimos3.apple.com/WebObjects/Core.woa/Browse/alaska.edu";
    my $debugSuffix = "/sun245";
    my $sharedSecret = "V8J3LE8YK8V55Y3LCWEPFG9FXXHCP3SM"; 
...
    # additional credentials and the iTunes U access they provide.
    my $displayName = $ENV{shibattr_eppn};
    my $emailAddress = $ENV{shibattr_eppn};
    my $username = $ENV{shibattr_eppn};
    my $userIdentifier = $ENV{shibattr_eppn}; 
...
    # turn the array of credentials into a semicolon delimited string
    my $credentials = $ENV{entitlement};
...
}}}

7. Test integration by loading the https://casshib.alaska.edu/itunes URL in a browser. The browser should be redirected to the Shibboleth IdP login page and then to a URL that opens iTunes.