Version 2 (modified by jpmitchell@…, 13 years ago) (diff) |
---|
Shibboleth / Setup iTunesU Transfer Script SP
This page documents the setup of the iTunesU transfer script and associated integration components. The integration consists of a perl script and a logical SP that is running on the same OS instance as the CAS/SHIB implementation.
- Configure Apache
[sxjpm@alligator ~]$ vi /etc/httpd/conf.d/ssl.conf <VirtualHost _default_:443> ServerName casshib.alaska.edu:443 ... # iTunesU Integration Pieces Alias /itunesu /var/www/html/itunesu <Directory /var/www/html/itunesu> DirectoryIndex index.pl Options +ExecCGI AddHandler cgi-script .pl </Directory> <Location /itunesu> AuthType shibboleth ShibRequestSetting requireSession 1 ShibRequestSetting applicationId itunesu require valid-user </Location> </VirtualHost>
- Configure Shibboleth Logical SP
[sxjpm@alligator ~]$ vi /etc/shibboleth/shibboleth2.xml ... <!-- iTunesU Integration Stuff --> <ApplicationOverride id="itunesu" entityID="https://casshib.alaska.edu/itunesu"> <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/itunesu/Shibboleth.sso" /> </ApplicationOverride> ...
- Generate Shibboleth Logical SP Metadata
Note that the md:AssertionConsumerService tags need to have their URLs tweaked before submitting the metadata to the IdP. The values 'itunesu/' must be inserted before the 'Shibboleth.sso' value.[sxjpm@alligator ~]$ cd /etc/shibboleth/ [sxjpm@alligator shibboleth]$ ./metagen.sh -h casshib.alaska.edu -e https://casshib.alaska.edu/itunesu <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://casshib.alaska.edu/itunesu"> <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol"> <md:Extensions> <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://casshib.alaska.edu/Shibboleth.sso/DS" index="1"/> </md:Extensions> <md:KeyDescriptor> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MIIC+jCCAeKgAwIBAgIJAJCjNskusfKlMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV BAMTEWFtYXpvbi5hbGFza2EuZWR1MB4XDTEwMTAyMDIzMTYzOVoXDTIwMTAxNzIz MTYzOVowHDEaMBgGA1UEAxMRYW1hem9uLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQDYNn6n8nATxM6TCF/4B0SBqfxMZ0U5S21XpGV1 KjDpFvJzbYKKiZqFFS/utprcPnBTRtxklrCZTQ9TzAkqcyKy7yu10UjU3LE90nD5 ap7XLL/ubvbzNZt7ExWq0MmUP+RoIxw0OarCd3l73+0gQjrbbOFoHDsKnVP/ecqm ihwq5y+0wYKaWJ0a8X66iqXDlxWncpA2fheSvCpJuQ0SFNP1UM+xB+rVqoV6Rsiq LBPPfNTxKw2Wo6LdzegLWr6IYEsekz8vUEtlPFu5O4WCNCoxkuD1LZVOckGyf8Cl FN3F584npoh9qYut2nof/FXlcyt8y/FQy3IveIUaHxOZ5IfDAgMBAAGjPzA9MBwG A1UdEQQVMBOCEWFtYXpvbi5hbGFza2EuZWR1MB0GA1UdDgQWBBR1r8eS+S/LgBlN /1M5ABOrjaySTDANBgkqhkiG9w0BAQUFAAOCAQEAv2P882jFULso1XAM1nJDX3YF DW1oQGPNEdDh44x5QWWnBRCR9/BEajtjRGFwP4IjEt4by4YXbLT3EoSvdR6eviAF vfVZA95Gm8ar/PMoJo9vWwd2pRHNC+h9E/bYblRV6tGVkfrDd4OjjsugvQfUAbu+ Gg0oyojg+QoZ9Ig7H++PEpQkfNIetFFautM4MGFD098pa03n+p5cUpczC32MT9D+ vvXYnBAlD0XqEos0m0oJbe3chCBkgP72tMl7/P5ty76QiXwLwWI/J1wwZxbiyRMV BAgIj3qYzIkpe0BFLXjRp9u489Ixq2eoxWVnFnW1EJq5ygjvqP7KGcXNQYExJQ== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <!-- <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/SOAP"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/Redirect"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/POST"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/Artifact"/> <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/SOAP"/> <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/Redirect"/> <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/POST"/> <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/Artifact"/> --> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/POST" index="1"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="3"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/ECP" index="4"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML/POST" index="5"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML/Artifact" index="6"/> </md:SPSSODescriptor> </md:EntityDescriptor>
- Submit the modified metadata to the IdP
Refer to the https://iam.alaska.edu/shib/wiki/SetupSpRelyParty article for more info.
- Request the eduPersonPrincipalName and eduPersonEntitlement attributes and configured the Shibboleth Logical SP attribute map.
See the https://iam.alaska.edu/shib/wiki/SetupSpAttrRelease wiki article for more information on releasing attributes.[sxjpm@alligator shibboleth]$ vi /etc/shibboleth/attribute-map.xml ... <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="shibattr-eppn"> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="shibattr-eppn"> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> </Attribute> ... <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/> ...
- Setup the Apple iTunesU transfer script
The iTunesU base transfer script can be downloaded from Apple here: http://images.apple.com/support/itunes_u/docs/iTunes_U_Code_Samples.zip The support center can provide the correct values for the $siteURL, $debugSuffix, and $sharedSecret values. The $ENV values come from the attribute mapping in the Shibboleth Logical SP.[sxjpm@alligator shibboleth]$ cp ~/CodeSamples/Perl/ITunesU.pl /var/www/html/itunesu/index.pl [sxjpm@alligator shibboleth]$ vi /var/www/html/itunesu/index.pl ... # Define your site's information. Replace these # values with ones appropriate for your site. my $siteURL = "http://deimos3.apple.com/WebObjects/Core.woa/Browse/alaska.edu"; my $debugSuffix = "/sun245"; my $sharedSecret = "V8J3LE8YK8V55Y3LCWEPFG9FXXHCP3SM"; ... # additional credentials and the iTunes U access they provide. my $displayName = $ENV{shibattr_eppn}; my $emailAddress = $ENV{shibattr_eppn}; my $username = $ENV{shibattr_eppn}; my $userIdentifier = $ENV{shibattr_eppn}; ... # turn the array of credentials into a semicolon delimited string my $credentials = $ENV{entitlement}; ...