== [[https://iam.alaska.edu/shib|Shibboleth]] / Setup Right Answers SP ==

This page documents the process of setting up the Shibboleth SP and integrating it with the Right Answers application.

 1. Ensure the SP is installed. See [[https://iam.alaska.edu/shib/wiki/SpSetup|Shibboleth SP Setup]] for more information.
 2. Ensure the Apache module mod_proxy_ajp is installed. If not, contact sdtsos@alaska.edu and request that it be installed.
 {{{
 [sxjpm@osprey conf.d]$ ls -la /etc/httpd/modules/mod_proxy_ajp.so
 -rwxr-xr-x. 1 root root 39632 Apr 9 05:00 /etc/httpd/modules/mod_proxy_ajp.so
 }}}
 3. Configure Apache to proxy to Tomcat via the AJP proxy for the base portal path.
 {{{
 [sxjpm@osprey conf.d]$ pwd
 /etc/httpd/conf.d
 [sxjpm@osprey conf.d]$ vi proxy_ajp.conf
 ...
 ProxyPass /portal/ ajp://localhost:8009/portal/
 ...
 :wq!
 }}}
 4. Configure Apache to require Shibboleth authentication for the various portal paths.
 {{{
 [sxjpm@osprey conf.d]$ pwd
 /etc/httpd/conf.d
 [sxjpm@osprey conf.d]$ vi shib.conf
 ...
 AuthType shibboleth
 ShibRequestSetting requireSession 1
 ShibUseHeaders On
 require valid-user

 AuthType shibboleth
 ShibRequestSetting requireSession 1
 ShibUseHeaders On
 require valid-user

 AuthType shibboleth
 ShibRequestSetting requireSession 1
 ShibUseHeaders On
 require valid-user
 ...
 :wq!
 }}}
 5. Configure Tomcat to listen on an AJP port. Make sure no other means of communicating with Tomcat is available, so that all traffic is pushed through the Apache AJP proxy. Otherwise the application could be accessed without authentication/authorization.
 {{{
 [sxjpm@osprey conf]$ pwd
 /usr/share/tomcat6/conf
 [sxjpm@osprey conf]$ vi server.xml
 ...
 ...
 :wq!
 }}}
 6. Configure the Shibboleth SP in /etc/shibboleth/attribute-policy.xml
 {{{
 ...
 ...
 ...
 }}}
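
One way to check the requirement in step 5, as an added example that is not part of the original page: the script parses a Tomcat server.xml and reports every Connector that is not AJP or that is not bound to a loopback address. The sample server.xml and the name audit_connectors are constructed for illustration; requiring a loopback bind is an assumption that matches the ajp://localhost:8009 proxy target in step 3.

```python
import xml.etree.ElementTree as ET

# Addresses that keep the connector reachable only from the local Apache proxy.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample for illustration, not the server.xml from this page.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return (port, problem) pairs for connectors that bypass the Apache proxy."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        address = conn.get("address")
        if "ajp" not in protocol.lower():
            # Any non-AJP listener is another way in that skips shib.conf.
            findings.append((port, "non-AJP connector (%s)" % protocol))
        elif address is None:
            # Tomcat 6 binds to every interface when no address is given.
            findings.append(
                (port, "AJP connector has no address, listens on all interfaces"))
        elif address not in LOOPBACK:
            findings.append(
                (port, "AJP connector bound to non-loopback address " + address))
    return findings


if __name__ == "__main__":
    for port, problem in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, problem))
```

An empty result means the only listeners are AJP connectors on loopback, which is the state step 5 asks for.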