Changes between Version 6 and Version 7 of SpSetup

Timestamp:

06/28/11 10:45:39 (13 years ago)

Author:

jpmitchell@…

Comment:

--

SpSetup

@@ -4 +4 @@
 
 UA Supported Configurations:
-* Windows and Apache or IIS
-* Linux and Apache or IIS
+* Apache or IIS on Windows 
+* Apache on Linux
 * Shibboleth SP Version 2.4.2
 
@@ -13 +13 @@
    * [[http://www.shibboleth.net/downloads/service-provider/latest/win32/|Latest 32-bit Windows Installer Packages]]
    * [[http://www.shibboleth.net/downloads/service-provider/latest/win64/|Latest 64-bit Windows Installer Packages]]
- * Linux: (It is recommended to use a repo.)
+ * Linux: (It is recommended to use a binary repo.)
   * [[http://download.opensuse.org/repositories/security://shibboleth/|Binary RPMs]]
   * [[http://www.shibboleth.net/downloads/service-provider/latest/SRPMS/|Source RPMs]]
 2. Configure the SP
- * Remove and regen the SP keys.
+ 1. Remove and regen the SP keys.
   * Linux:
 {{{
@@ -31 +31 @@
 }}}
   * Windows: TBD
- * Download and setup the IdP's metadata.
+ 2. Download and setup the IdP's metadata. Check config for correct syntax.
   * Linux:
 {{{
@@ -49 +49 @@
 [root@idmt-1 shibboleth]# vi shibboleth2.xml
             -->
-            <SSO entityID="urn:mace:incommon:alaska.edu"
+            <SSO entityID="urn:mace:incommon:alaska.edu">
               SAML2 SAML1
             </SSO>
@@ -59 +59 @@
         <MetadataProvider type="XML" file="idp-metadata.xml"/>
 :wq!
+[root@idmt-1 shibboleth]# shibd -t
+overall configuration is loadable, check console for non-fatal problems
 }}}
   * Windows: TBD
+ 3. Setup EntityID for SP. Note the entityID for the SP is _NOT_ a URL. It is a unique string that identifies your SP and is usually based off of the hostname of the system. It may also be a CNAME for the system.
+  * Linux:
+{{{
+[root@idmt-1 shibboleth]# hostname
+idmt-1.alaska.edu
+[root@idmt-1 shibboleth]# pwd
+/etc/shibboleth
+[root@idmt-1 shibboleth]# vi shibboleth2.xml
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://idmt-1.alaska.edu/shibboleth"
+                         REMOTE_USER="eppn persistent-id targeted-id">
+
+        <!--
+:wq!
+[root@idmt-1 shibboleth]# shibd -t
+overall configuration is loadable, check console for non-fatal problems
+}}}
+  * Windows: TBD
+ 4. Start Apache/IIS and Shibd and check function.
+  * Linux:
+{{{
+[root@idmt-1 shibboleth]# service httpd start
+Starting httpd:                                            [  OK  ]
+[root@idmt-1 shibboleth]# service shibd start
+Starting shibd:                                            [  OK  ]
+[root@idmt-1 shibboleth]# curl -k https://localhost/Shibboleth.sso/Status | xmllint --format - | grep -C 3 "<Status>"
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100  4889  100  4889    0     0   194k      0 --:--:-- --:--:-- --:--:-- 4774k
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </md:KeyDescriptor>
+  <Status>
+    <OK/>
+  </Status>
+</StatusHandler>
+}}}
+  * Windows: TBD
+ 5. Generate SP metadata.
+  * Linux:
+{{{
+[root@idmt-1 shibboleth]# curl -k https://idmt-1.alaska.edu/Shibboleth.sso/Metadata > idmt1-metadata.xml
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100  3807  100  3807    0     0   169k      0 --:--:-- --:--:-- --:--:-- 3717k
+[root@idmt-1 shibboleth]# xmllint --format idmt1-metadata.xml 
+<?xml version="1.0"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_657cf08a6730ac2e70ce094b8262cdf79ce25120" entityID="https://sp.example.org/shibboleth">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>idmt-1.alaska.edu</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=idmt-1.alaska.edu</ds:X509SubjectName>
+          <ds:X509Certificate>MIIC+jCCAeKgAwIBAgIJAKzKVe8S5t3gMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV
+BAMTEWlkbXQtMS5hbGFza2EuZWR1MB4XDTExMDYyNzIzNDkxOVoXDTIxMDYyNDIz
+NDkxOVowHDEaMBgGA1UEAxMRaWRtdC0xLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDNwFn9fHtwKalW2gExxaSoodjwZSreNJxppMVa
+gkUyDsvJ2tBezONFz+fvt6eWFOrkrYiwYeLMKB26ee6Uf8XgZRGrGGNtZ3rN6+pw
+popxMQ0bVvko68fK0gZpWrKzrtDdLes+K51HZOd+FZ9bYDV+sM6kpaVpQDtSI5OT
+PkwEWjXtctkTTX48YUe5hCbwprBMEL5KZqiyjqfeXLNDcYrioTyxZXemeHzRtISK
+zNRgUgGbUFO64OAiaziSn6RB2gOoJqIZMmDaedo3QY8yaC56EJ6krrMFNb6wIUog
+RpxQxllxiKzmjufGk2up6KHUjQBmovhnY1/hy/fvvevIKFwLAgMBAAGjPzA9MBwG
+A1UdEQQVMBOCEWlkbXQtMS5hbGFza2EuZWR1MB0GA1UdDgQWBBQfTV+1yqucG5kM
+FJA4qttIwfLEBjANBgkqhkiG9w0BAQUFAAOCAQEAu/8zEVFsI4oDCVwbhnGuF154
+iKevamYhgsfJxWHt4fKIwGUnsl7H7TdBjLaCnRNiaLeuV0CIB+hGjbcl6JV7O/PO
+XopY/gzNF4uSAL9Lh8EWBNBSU7OmLgi6cpyWRpsGVvf+bhj2/TiOaiDSUGCgk7NN
+1/oys7bFnlA605UANXg/u9T5od9Hz01YInwEhGflN5ZfrrIdyZuCXbEVcmo/Z2p4
+FUMQ7Wd2nDk3g7fx50Sv9TIg7IIM2QI6L4+popFmJRy1p78r1yXQoz0tplfYgRek
+/LG0ZB9VqEErdx5fDE90IZVF7OHh1UzyTHl8+ZXTKnSQsLIfcfZb9j8GmjtMtg==
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Artifact/SOAP" index="0"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST" index="0"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/ECP" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/POST" index="4"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/Artifact" index="5"/>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+}}}
+  * Windows: TBD
+3. Email SP metadata to iam@alaska.edu and request integration with UA IdP. Once the metadata is registered with the UA IdP integration can be tested at the https://idmt-1.alaska.edu/secure test URL that is configured by default with most installations.
+4. Decide which attributes your application will need to authorize access then email iam@alaska.edu and request those attributes be released to your SP from the UA IdP.