Changes between Version 14 and Version 15 of SpSetup


Timestamp:
09/23/15 15:27:03 (9 years ago)
Author:
dabantz@…
Comment:

--

  • SpSetup

    v14 v15  
    88* Shibboleth SP Version 2.5 
    99 
    10 N.B. 2014-05-08: RHEL - use /etc/shibboleth metagen.sh to generate the SP's metadata ! 
     10N.B. 2014-05-08: RHEL - we now recommend you use /etc/shibboleth metagen.sh (rather than curl) to generate the SP's metadata (step 5 below)! 
    1111 
    1212Installation: 
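Review bot: the path in the rewritten N.B. is written as "/etc/shibboleth metagen.sh", a directory and a script name separated by a space, which readers are likely to copy literally. Write it as one path, or as "metagen.sh in /etc/shibboleth", so it agrees with the "./metagen.sh" invocation shown under step 5 that this note now points to.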
     
    3737 2.2. Download and setup the IdP's metadata. Check config for correct syntax. 
    3838There are two approaches; either is configured in '''shibboleth2.xml''' configuration file:[[br]] 
    39  2.2.1 simply keep an unchanging local copy of the UA IdP metadata[[br]] 
    40  2.2.2 use the !InCommon metadata and refresh to maintain current version 
    41 The first option is easier to set up; if the IdP metadata changes, however - in particular if the IdP's certificate is changed and published in new metadata, you will have to be aware of that change and manually update the local copy.  The second option requires importing the !InCommon signing key, and will trigger refreshes of the metadata on a schedule you choose (usually every several hours).  The second method is more general and would allow you to include additional Identity Providers from InCommon should that need arise.[[br]] 
    42 [[br]] Option 1: Manually maintained local copy of IdP metadata: 
     39 2.2.1 simply keep an unchanging local copy of the UA IdP metadata (quicker but less robust) [[br]] 
     40 2.2.2 use the !InCommon metadata and refresh to maintain current version (preferred robust and extensible option)[[br]] 
     41The first option is easier to set up; if the IdP metadata changes, however - in particular if the IdP's certificate is changed and published in new metadata, you will have to be aware of that change and manually update the local copy.  The second option requires importing the !InCommon signing key, and will trigger refreshes of the metadata on a schedule you choose (usually every several hours).  The second method is more general and would allow you to include additional Identity Providers from !InCommon should that need arise. [[br]] 
     42[[br]] Option 1 (discouraged): Manually maintained local copy of IdP metadata: 
    4343 
    4444  * Linux: 
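Review bot: the rewritten 2.2 paragraph says option 2 "requires importing the !InCommon signing key" but never says how that key should be verified before it is trusted. Every refreshed copy of the IdP metadata, including any new IdP certificate, is accepted on the strength of that one key, so a sentence stating that its fingerprint must be checked against the value InCommon publishes out of band (not simply downloaded along with the metadata) belongs here, next to the "preferred robust and extensible option" label. Minor: "!InCommon" is now escaped consistently, which the v14 text missed in its last sentence.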
     
    7373}}} 
    7474  * Windows: TBD 
    75 Option 2: rely on !InCommon metadata: 
     75Option 2 (preferred): rely on !InCommon metadata: 
    7676 
    7777Comment out the locally maintained metadata section in shibboleth2.xml and include the following: 
     
    141141 
    142142 3. Setup EntityID for SP. Note the entityID for the SP is _NOT_ a URL. It is a unique string that identifies your SP and is usually based off of the hostname of the system. It may also be a CNAME for the system. 
    143   * Linux: 
     143 
     144 
     145 * Linux example using curl: 
    144146{{{ 
    145147[root@idmt-1 shibboleth]# hostname 
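Review bot: the new bullet is labelled "Linux example using curl", but the command that opens the example is "hostname", not curl; relabel it "Linux example" (or move the curl label to the step that actually uses curl). The step text also insists the entityID is "_NOT_ a URL", while the sample metadata later on this page uses the URL-shaped "https://staffcouncil.uaf.edu/shibboleth"; saying that the entityID is a URI-formatted identifier that need not resolve would remove the apparent contradiction.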
     
    179181  * Windows: TBD 
    180182 5. Generate SP metadata. 
    181   * Linux: 
     183 
     184  * Linux using metagen.sh; include attributes of your Service SP in the metagen command for a better metadata description of the service:[[br]] 
     185 man page: http://manpages.ubuntu.com/manpages/lucid/man1/shib-metagen.1.html 
     186{{{ 
     187 ./metagen.sh  
     188     -c sp-cert.pem  
     189     -h yourhosthostname.alaska.edu  
     190     -o "Your Human-friendly Organization Name"  
     191     -u "Your Organization URL" 
     192     -a "AdminContactFirst/Last/Email"  
     193     -s "SupportContactFirst/Last/Email"  
     194  > sp-metadata.xml 
     195}}} 
     196 
     197  * Linux alternative using curl, which will require additional manual editing of metadata to include UI elements and to remove un-needed end points: 
    182198{{{ 
    183199[root@idmt-1 shibboleth]# curl -k https://$(hostname)/Shibboleth.sso/Metadata > $(hostname -s)-metadata.xml 
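Review bot: the metagen.sh invocation in the new step 5 block is spread over several lines with no trailing backslash continuations, so pasted as-is the shell runs "./metagen.sh" with no arguments and then tries to execute "-c", "-h" and so on as commands; add " \" at the end of each line or put the command on one line. The host placeholder "yourhosthostname.alaska.edu" also reads like a typo for "yourhostname.alaska.edu". In the curl alternative, "-k" disables certificate verification; that is tolerable when fetching from the local host, but since the resulting file is what gets emailed to iam@alaska.edu in the later step, the bullet should say the output must be reviewed (the text already mentions stripping unneeded endpoints) before it is sent.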
     
    186202100  3807  100  3807    0     0   169k      0 --:--:-- --:--:-- --:--:-- 3717k 
    187203[root@idmt-1 shibboleth]# xmllint --format $(hostname -s)-metadata.xml  
    188 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_27d456d0acab55e09ede1cd8da7bae46892ddc60" entityID="https://idmt-1.alaska.edu/shibboleth"> 
    189  
    190   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol"> 
    191     <md:Extensions> 
    192       <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Login"/> 
    193     </md:Extensions> 
     204.... 
     205 
     206}}} 
     207  * Windows: TBD 
     208 
     209 * Add a display name of the service to be shown on the Shibboleth login page if that login page is triggered by a request to login at your service: 
     210{{{ 
     211<md:Extensions> 
     212<mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"> 
     213        <mdui:DisplayName xml:lang="en">Human-friendly Service Name</mdui:DisplayName> 
     214</mdui:UIInfo> 
     215</md:Extensions> 
     216}}} 
     217 * A sample relatively simple sp-metadata file to illustrate and show added UI extensions: 
     218{{{ 
     219<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://staffcouncil.uaf.edu/shibboleth"> 
     220  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol"> 
     221<md:Extensions> 
     222   <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"> 
     223        <mdui:DisplayName xml:lang="en">UAF Staff Council Services</mdui:DisplayName> 
     224   </mdui:UIInfo> 
     225</md:Extensions> 
    194226    <md:KeyDescriptor> 
    195       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
    196         <ds:KeyName>idmt-1.alaska.edu</ds:KeyName> 
     227      <ds:KeyInfo> 
    197228        <ds:X509Data> 
    198           <ds:X509SubjectName>CN=idmt-1.alaska.edu</ds:X509SubjectName> 
    199           <ds:X509Certificate>MIIC+jCCAeKgAwIBAgIJAKzKVe8S5t3gMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV 
    200 BAMTEWlkbXQtMS5hbGFza2EuZWR1MB4XDTExMDYyNzIzNDkxOVoXDTIxMDYyNDIz 
    201 NDkxOVowHDEaMBgGA1UEAxMRaWRtdC0xLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3 
    202 DQEBAQUAA4IBDwAwggEKAoIBAQDNwFn9fHtwKalW2gExxaSoodjwZSreNJxppMVa 
    203 gkUyDsvJ2tBezONFz+fvt6eWFOrkrYiwYeLMKB26ee6Uf8XgZRGrGGNtZ3rN6+pw 
    204 popxMQ0bVvko68fK0gZpWrKzrtDdLes+K51HZOd+FZ9bYDV+sM6kpaVpQDtSI5OT 
    205 PkwEWjXtctkTTX48YUe5hCbwprBMEL5KZqiyjqfeXLNDcYrioTyxZXemeHzRtISK 
    206 zNRgUgGbUFO64OAiaziSn6RB2gOoJqIZMmDaedo3QY8yaC56EJ6krrMFNb6wIUog 
    207 RpxQxllxiKzmjufGk2up6KHUjQBmovhnY1/hy/fvvevIKFwLAgMBAAGjPzA9MBwG 
    208 A1UdEQQVMBOCEWlkbXQtMS5hbGFza2EuZWR1MB0GA1UdDgQWBBQfTV+1yqucG5kM 
    209 FJA4qttIwfLEBjANBgkqhkiG9w0BAQUFAAOCAQEAu/8zEVFsI4oDCVwbhnGuF154 
    210 iKevamYhgsfJxWHt4fKIwGUnsl7H7TdBjLaCnRNiaLeuV0CIB+hGjbcl6JV7O/PO 
    211 XopY/gzNF4uSAL9Lh8EWBNBSU7OmLgi6cpyWRpsGVvf+bhj2/TiOaiDSUGCgk7NN 
    212 1/oys7bFnlA605UANXg/u9T5od9Hz01YInwEhGflN5ZfrrIdyZuCXbEVcmo/Z2p4 
    213 FUMQ7Wd2nDk3g7fx50Sv9TIg7IIM2QI6L4+popFmJRy1p78r1yXQoz0tplfYgRek 
    214 /LG0ZB9VqEErdx5fDE90IZVF7OHh1UzyTHl8+ZXTKnSQsLIfcfZb9j8GmjtMtg== 
    215 </ds:X509Certificate> 
     229          <ds:X509Certificate> 
     230... 
     231... 
     232          </ds:X509Certificate> 
    216233        </ds:X509Data> 
    217234      </ds:KeyInfo> 
    218235    </md:KeyDescriptor> 
    219     <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Artifact/SOAP" index="0"/> 
    220     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/SOAP"/> 
    221     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Redirect"/> 
    222     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/POST"/> 
    223     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Artifact"/> 
    224     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST" index="0"/> 
    225     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/> 
    226     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="2"/> 
    227     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/ECP" index="3"/> 
    228     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/POST" index="4"/> 
    229     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/Artifact" index="5"/> 
     236    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://staffcouncil.uaf.edu/Shibboleth.sso/SAML2/POST" index="1"/> 
     237    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://staffcouncil.uaf.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/> 
     238    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://staffcouncil.uaf.edu/Shibboleth.sso/SAML2/ECP" index="3"/> 
     239    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://staffcouncil.uaf.edu/Shibboleth.sso/SAML/POST" index="4"/> 
    230240  </md:SPSSODescriptor> 
    231  
    232 }}} 
    233   * Windows: TBD 
     241  <md:Organization> 
     242    <md:OrganizationName xml:lang="en">UAF Staff Council</md:OrganizationName> 
     243    <md:OrganizationDisplayName xml:lang="en">UAF Staff Council</md:OrganizationDisplayName> 
     244    <md:OrganizationURL xml:lang="en">https://staffcouncil.uaf.edu/shibboleth</md:OrganizationURL> 
     245  </md:Organization> 
     246  <md:ContactPerson contactType="administrative"> 
     247    <md:GivenName>UAF Staff</md:GivenName> 
     248    <md:SurName>Council</md:SurName> 
     249    <md:EmailAddress>uaf-staff-council@alaska.edu</md:EmailAddress> 
     250  </md:ContactPerson> 
     251  <md:ContactPerson contactType="support"> 
     252    <md:GivenName>Phil</md:GivenName> 
     253    <md:SurName>Jacobs</md:SurName> 
     254    <md:EmailAddress>ptjacobs@alaska.edu</md:EmailAddress> 
     255  </md:ContactPerson> 
     256</md:EntityDescriptor> 
     257 
     258}}} 
    2342593. Email SP metadata to iam@alaska.edu and request integration with UA IdP. Once the metadata is registered with the UA IdP integration can be tested at the https://idmt-1.alaska.edu/secure test URL that is configured by default with most installations. 
    2352604. Decide which attributes your application will need to authorize access then email iam@alaska.edu and request those attributes be released to your SP from the UA IdP.
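Review bot: the new sample metadata drops the ArtifactResolutionService, every SingleLogoutService endpoint and the artifact AssertionConsumerService bindings from the v14 curl output, yet keeps the SAML 1.0 browser-post ACS (index 4) and the PAOS/ECP endpoint, while the preceding bullet says unneeded endpoints should be removed; state which endpoints a typical UA SP actually needs, or say the remaining ones are deliberate, and note that dropping the SLO endpoints means the SP will not take part in single logout. The ACS indices now start at 1 instead of 0, which is valid (they only need to be unique within the descriptor) but worth a word since the curl output numbers them from 0. The sample also carries a real support contact's name and address; a placeholder would be safer in a block readers copy. The "<ds:KeyInfo>" now relies on the xmlns:ds declaration moved to "<md:EntityDescriptor>", which is correct, but with the X509Certificate body elided as "..." the file is illustrative only and that should be said. Finally, the two steps that follow are still numbered 3 and 4 after step 5.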