Last modified on 04/14/14 10:20:57

Shibboleth / Setup T2/UAF Parking App SP

This document describes the process of installing and configuring the Shibboleth SP to support the T2 UAF Parking App.

Note 2014-04-10: The Windows SP 2.5 build depended on an OpenSSL version vulnerable to the "Heartbleed" attack, so the SP was upgraded to 2.5.3, which is built with a patched OpenSSL. The SP metadata were then re-generated with a new certificate (a private key that was exposed to Heartbleed has to be treated as disclosed), the new metadata were added to the IdP's sp-metadata.xml file, and the setup was tested OK.

  1. Download the latest Shibboleth SP for IIS and the appropriate platform (32bit/64bit):
    http://www.shibboleth.net/downloads/service-provider/latest/win32/
    http://www.shibboleth.net/downloads/service-provider/latest/win64/
  2. Install the Shibboleth SP using the defaults in the installer but noting the installation path.
  3. Download the IdP metadata from the following URL and save it into the etc directory in the Shibboleth SP installation path:
    https://idp.alaska.edu/idp-metadata.xml
  4. Open the idp-metadata.xml file and copy out the entityID of the IdP without the quotes:
    ...
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="urn:mace:incommon:alaska.edu">
    ...
    
  5. Open the shibboleth2.xml file in the etc directory of the Shibboleth SP installation, edit the ISAPI tag, RequestMap tag, ApplicationDefaults tag, SSO tag, and MetadataProvider tag as follows, and save the file. The site id is the value shown in the IIS control panel for the web site that is configured to work with the Shibboleth SP. The name and hostname should be the outward-facing IIS interface that the web browser will connect to. The entityID in the ApplicationDefaults tag should look something like: https://thefullhostname/shibboleth . This should _not_ be the URL of the web server. The entityID in the SSO tag should be the entityID copied from the idp-metadata.xml file. The file name in the MetadataProvider should point to the idp-metadata.xml file saved in the etc directory of the Shibboleth SP installation; it should not include any directory components, just the filename.
    ...
            <ISAPI normalizeRequest="true" safeHeaderNames="true">
                <!--
                Maps IIS Instance ID values to the host scheme/name/port. The name is
                required so that the proper <Host> in the request map above is found without
                having to cover every possible DNS/IP combination the user might enter.
                -->
                <Site id="1" name="uafparktest.uaf.edu"/>
                <!--
                When the port and scheme are omitted, the HTTP request's port and scheme are used.
                If these are wrong because of virtualization, they can be explicitly set here to
                ensure proper redirect generation.
                -->
                <!--
                <Site id="42" name="virtual.example.org" scheme="https" port="443"/>
                -->
            </ISAPI>
    ...
            <RequestMap>
                <!--
                The example requires a session for documents in /secure on the containing host with http and
                https on the default ports. Note that the name and port in the <Host> elements MUST match
                Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
                -->
                <Host name="uafparktest.uaf.edu" authType="shibboleth"/>
                <!-- Example of a second vhost mapped to a different applicationId. -->
                <!--
                <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
                -->
            </RequestMap>
    ...
        <ApplicationDefaults entityID="https://uafparktest.uaf.edu/shibboleth"
                             REMOTE_USER="eppn persistent-id targeted-id">
    ...
                <SSO entityID="urn:mace:incommon:alaska.edu"
                     discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
                  SAML2 SAML1
                </SSO>
    ...
            <MetadataProvider type="XML" file="idp-metadata.xml"/>
    ...
    
  6. Open the attribute-map.xml file in the etc directory of the Shibboleth SP installation. Add the following tag to the file along with the other Attribute tags and save it.
    ...
    <Attribute name="urn:mace:alaska.edu:attributes:bannerid" id="bannerid"/>
    ...
    
  7. Restart IIS and the shibd service. This step may require a reboot to finish the process on some installations.
  8. Browse to the following URL and email the downloaded XML file to iam@….
    https://thefullhostname/Shibboleth.sso/Metadata
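Before restarting IIS and shibd in step 7, it is worth checking that the edits from steps 4 and 5 agree with each other and with idp-metadata.xml. The following script is an added example, not part of this wiki page or the Shibboleth distribution; both XML samples in it are constructed and trimmed to the elements the checks read, and the element names and attributes are those shown in the steps above.

```python
# Added example (not from the wiki): check the step 4-5 edits to shibboleth2.xml
# against idp-metadata.xml before restarting IIS and shibd. Both XML samples below
# are constructed and trimmed to the elements the checks read.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def _find(root, name):
    """First element whose local (namespace-stripped) tag is `name`, else None."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def _attr(root, name, attr):
    el = _find(root, name)  # attribute value of the first matching element, or ""
    return el.get(attr, "") if el is not None else ""

def check_sp_config(sp_xml, idp_xml):
    """Return the list of inconsistencies found; empty means the config is coherent."""
    sp, idp = ET.fromstring(sp_xml), ET.fromstring(idp_xml)
    problems = []
    site = _attr(sp, "Site", "name")
    if not site or site != _attr(sp, "Host", "name"):
        problems.append("ISAPI <Site name> must equal RequestMap <Host name>")
    ent = urlparse(_attr(sp, "ApplicationDefaults", "entityID"))
    if ent.scheme != "https" or ent.hostname != site or ent.path != "/shibboleth":
        problems.append("ApplicationDefaults entityID should be https://<site name>/shibboleth")
    if _attr(sp, "SSO", "entityID") != idp.get("entityID"):  # EntityDescriptor is the root
        problems.append("SSO entityID does not match the entityID in idp-metadata.xml")
    fname = _attr(sp, "MetadataProvider", "file")
    if fname != "idp-metadata.xml":  # bare filename only, no directory components
        problems.append("MetadataProvider file must be exactly idp-metadata.xml")
    return problems

IDP_XML = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
           'entityID="urn:mace:incommon:alaska.edu"/>')

GOOD_SP_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ISAPI><Site id="1" name="uafparktest.uaf.edu"/></ISAPI>
  <RequestMap><Host name="uafparktest.uaf.edu" authType="shibboleth"/></RequestMap>
  <ApplicationDefaults entityID="https://uafparktest.uaf.edu/shibboleth">
    <SSO entityID="urn:mace:incommon:alaska.edu">SAML2 SAML1</SSO>
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

# Three mistakes the steps above warn about: entityID set to the web server URL,
# the IdP entityID mistyped, and the metadata file given with a directory component.
BAD_SP_XML = (GOOD_SP_XML
              .replace("uafparktest.uaf.edu/shibboleth", "uafparktest.uaf.edu/")
              .replace("incommon:alaska.edu", "incommon:alaska")
              .replace('file="idp-metadata.xml"', 'file="etc\\idp-metadata.xml"'))
```

Run it against the real files by reading shibboleth2.xml and idp-metadata.xml from the etc directory and passing their contents to check_sp_config; comments in the real file are ignored by the parser, so the commented-out example Site and Host entries do not confuse the checks.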