wiki:RaSpSetup
Last modified 8 years ago Last modified on 12/15/11 10:02:52

Shibboleth / Setup Right Answers SP

This page documents the process of setting up the Shibboleth SP and integrating it with the Right Answers application.

  1. Ensure the SP is installed. See Shibboleth SP Setup for more information.
  1. Ensure the Apache module mod_proxy_ajp is installed. If not contact sdtsos@… and request it be installed.
    [sxjpm@osprey conf.d]$ ls -la /etc/httpd/modules/mod_proxy_ajp.so 
    -rwxr-xr-x. 1 root root 39632 Apr  9 05:00 /etc/httpd/modules/mod_proxy_ajp.so
    
  1. Configure Apache to proxy to Tomcat via the AJP proxy for the base portal path.
    [sxjpm@osprey conf.d]$ pwd
    /etc/httpd/conf.d
    [sxjpm@osprey conf.d]$ vi proxy_ajp.conf
    ...
    ProxyPass /portal/ ajp://localhost:8009/portal/
    ...
    :wq!
    
  1. Configure Apache to require Shibboleth authentication for the various portal paths.
    [sxjpm@osprey conf.d]$ pwd
    /etc/httpd/conf.d
    [sxjpm@osprey conf.d]$ vi shib.conf
    ...
    <Location /portal/sa>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      ShibUseHeaders On
      require valid-user
    </Location>
    
    <Location /portal/ss>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      ShibUseHeaders On
      require valid-user
    </Location>
    
    <Location /portal/admin>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      ShibUseHeaders On
      require valid-user
    </Location>
    ...
    :wq!
    
  1. Configure Tomcat to listen on an AJP port. It is important to ensure no other means of communicating with Tomcat are available to ensure all traffic is pushed through the Apache AJP proxy. Otherwise the application could be accessed without authentication/authorization.
    [sxjpm@osprey conf]$ pwd
    /usr/share/tomcat6/conf
    [sxjpm@osprey conf]$ vi server.xml
    ...
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    ...
    :wq!
    
  1. Configure Shibboleth SP in /etc/shibboleth/attribute-policy.xml
    ...
        <afp:PermitValueRule id="isMemberOf" xsi:type="OR">
            <Rule xsi:type="AttributeValueString" value="cn=appusers:rightanswersprod:helpdesk,ou=group,dc=alaska,dc=edu"/>
            <Rule xsi:type="AttributeValueString" value="cn=appusers"/>
        </afp:PermitValueRule>
    ...
             <afp:AttributeRule attributeID="isMemberOf">
                <afp:PermitValueRuleReference ref="isMemberOf"/>
            </afp:AttributeRule>
    ...