wiki:ItunesuSpSetup

Version 3 (modified by jpmitchell@…, 12 years ago) (diff)

--

Shibboleth / Setup iTunesU Transfer Script SP

This page documents the setup of the iTunesU transfer script and associated integration components. The integration consists of a perl script and a logical SP that is running on the same OS instance as the CAS/SHIB implementation.

  1. Configure Apache
    [sxjpm@alligator ~]$ vi /etc/httpd/conf.d/ssl.conf
    <VirtualHost _default_:443>
    ServerName casshib.alaska.edu:443
    ...
        # iTunesU Integration Pieces
        Alias /itunesu /var/www/html/itunesu
        <Directory /var/www/html/itunesu>
            DirectoryIndex index.pl
            Options +ExecCGI
            AddHandler cgi-script .pl
        </Directory>
        <Location /itunesu>
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            ShibRequestSetting applicationId itunesu
            require valid-user
        </Location>
    </VirtualHost>
    
  1. Configure Shibboleth Logical SP
    [sxjpm@alligator ~]$ vi /etc/shibboleth/shibboleth2.xml
    ...
            <!-- iTunesU Integration Stuff -->
            <ApplicationOverride id="itunesu" entityID="https://casshib.alaska.edu/itunesu">
                <Sessions lifetime="28800" timeout="3600"
                    checkAddress="false" handlerURL="/itunesu/Shibboleth.sso" />
            </ApplicationOverride>
    ...
    
  1. Generate Shibboleth Logical SP Metadata
    Note that the md:AssertionConsumerService tags need to have their URLs tweaked before submitting the metadata to the IdP. The values 'itunesu/' must be inserted before the 'Shibboleth.sso' value.
    [sxjpm@alligator ~]$ cd /etc/shibboleth/
    [sxjpm@alligator shibboleth]$ ./metagen.sh -h casshib.alaska.edu -e https://casshib.alaska.edu/itunesu
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://casshib.alaska.edu/itunesu">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
        <md:Extensions>
          <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://casshib.alaska.edu/Shibboleth.sso/DS" index="1"/>
        </md:Extensions>
        <md:KeyDescriptor>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
    MIIC+jCCAeKgAwIBAgIJAJCjNskusfKlMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV
    BAMTEWFtYXpvbi5hbGFza2EuZWR1MB4XDTEwMTAyMDIzMTYzOVoXDTIwMTAxNzIz
    MTYzOVowHDEaMBgGA1UEAxMRYW1hem9uLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3
    DQEBAQUAA4IBDwAwggEKAoIBAQDYNn6n8nATxM6TCF/4B0SBqfxMZ0U5S21XpGV1
    KjDpFvJzbYKKiZqFFS/utprcPnBTRtxklrCZTQ9TzAkqcyKy7yu10UjU3LE90nD5
    ap7XLL/ubvbzNZt7ExWq0MmUP+RoIxw0OarCd3l73+0gQjrbbOFoHDsKnVP/ecqm
    ihwq5y+0wYKaWJ0a8X66iqXDlxWncpA2fheSvCpJuQ0SFNP1UM+xB+rVqoV6Rsiq
    LBPPfNTxKw2Wo6LdzegLWr6IYEsekz8vUEtlPFu5O4WCNCoxkuD1LZVOckGyf8Cl
    FN3F584npoh9qYut2nof/FXlcyt8y/FQy3IveIUaHxOZ5IfDAgMBAAGjPzA9MBwG
    A1UdEQQVMBOCEWFtYXpvbi5hbGFza2EuZWR1MB0GA1UdDgQWBBR1r8eS+S/LgBlN
    /1M5ABOrjaySTDANBgkqhkiG9w0BAQUFAAOCAQEAv2P882jFULso1XAM1nJDX3YF
    DW1oQGPNEdDh44x5QWWnBRCR9/BEajtjRGFwP4IjEt4by4YXbLT3EoSvdR6eviAF
    vfVZA95Gm8ar/PMoJo9vWwd2pRHNC+h9E/bYblRV6tGVkfrDd4OjjsugvQfUAbu+
    Gg0oyojg+QoZ9Ig7H++PEpQkfNIetFFautM4MGFD098pa03n+p5cUpczC32MT9D+
    vvXYnBAlD0XqEos0m0oJbe3chCBkgP72tMl7/P5ty76QiXwLwWI/J1wwZxbiyRMV
    BAgIj3qYzIkpe0BFLXjRp9u489Ixq2eoxWVnFnW1EJq5ygjvqP7KGcXNQYExJQ==
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <!--
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/SOAP"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/POST"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/SLO/Artifact"/>
        <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/SOAP"/>
        <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/Redirect"/>
        <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/POST"/>
        <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/NIM/Artifact"/>
        -->
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/POST" index="1"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="3"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML2/ECP" index="4"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML/POST" index="5"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://casshib.alaska.edu/Shibboleth.sso/SAML/Artifact" index="6"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
    
  1. Submit the modified metadata to the IdP
    Refer to the https://iam.alaska.edu/shib/wiki/SetupSpRelyParty article for more info.
  1. Request the eduPersonPrincipalName and eduPersonEntitlement attributes and configure the Shibboleth Logical SP attribute map.
    See the https://iam.alaska.edu/shib/wiki/SetupSpAttrRelease wiki article for more information on releasing attributes.
    [sxjpm@alligator shibboleth]$ vi /etc/shibboleth/attribute-map.xml
    ...
        <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="shibattr-eppn">
        <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="shibattr-eppn">
            <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
        </Attribute>
    ...
        <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
        <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
    ...
    
  1. Setup the Apple iTunesU transfer script
    The iTunesU base transfer script can be downloaded from Apple here: http://images.apple.com/support/itunes_u/docs/iTunes_U_Code_Samples.zip The support center can provide the correct values for the $siteURL, $debugSuffix, and $sharedSecret values. The $ENV values come from the attribute mapping in the Shibboleth Logical SP.
    [sxjpm@alligator shibboleth]$ cp ~/CodeSamples/Perl/ITunesU.pl /var/www/html/itunesu/index.pl
    [sxjpm@alligator shibboleth]$ vi /var/www/html/itunesu/index.pl
    ...
        # Define your site's information. Replace these
        # values with ones appropriate for your site.
        my $siteURL = "http://deimos3.apple.com/WebObjects/Core.woa/Browse/alaska.edu";
        my $debugSuffix = "/sun245";
        my $sharedSecret = "V8J3LE8YK8V55Y3LCWEPFG9FXXHCP3SM"; 
    ...
        # additional credentials and the iTunes U access they provide.
        my $displayName = $ENV{shibattr_eppn};
        my $emailAddress = $ENV{shibattr_eppn};
        my $username = $ENV{shibattr_eppn};
        my $userIdentifier = $ENV{shibattr_eppn}; 
    ...
        # turn the array of credentials into a semicolon delimited string
        my $credentials = $ENV{entitlement};
    ...