== [[https://iam.alaska.edu/shib|Shibboleth]] / Shibboleth SP Setup ==

This page documents installing a Shibboleth SP.

UA Supported Configurations:
* Apache or IIS on Windows 
* Apache on Linux
* Shibboleth SP Version 2.4.2

Installation:
1. Download and install the appropriate installers/packages.
 * Windows: (It is recommended to use the MSIs.)
   * [[http://www.shibboleth.net/downloads/service-provider/latest/win32/|Latest 32-bit Windows Installer Packages]]
   * [[http://www.shibboleth.net/downloads/service-provider/latest/win64/|Latest 64-bit Windows Installer Packages]]
 * Linux: (It is recommended to use a binary repo.)
  * [[http://download.opensuse.org/repositories/security://shibboleth/|Binary RPMs]]
  * [[http://www.shibboleth.net/downloads/service-provider/latest/SRPMS/|Source RPMs]]
2. Configure the SP
 1. Remove and regen the SP keys.
  * Linux:
{{{
[root@idmt-1 shibboleth]# pwd
/etc/shibboleth
[root@idmt-1 shibboleth]# rm -rf sp-key.pem sp-cert.pem 
[root@idmt-1 shibboleth]# ./keygen.sh 
Generating a 2048 bit RSA private key
...........................................................................................+++
.........................................................................................................................................................+++
writing new private key to 'sp-key.pem'
-----
}}}
  * Windows: TBD
 2. Download and setup the IdP's metadata. Check config for correct syntax.
  * Linux:
{{{
[root@idmt-1 shibboleth]# wget https://idp.alaska.edu/idp-metadata.xml
--2011-06-27 15:50:17--  https://idp.alaska.edu/idp-metadata.xml
Resolving idp.alaska.edu... 137.229.114.38
Connecting to idp.alaska.edu|137.229.114.38|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6973 (6.8K) [application/xml]
Saving to: `idp-metadata.xml'

100%[===================================================================================================================================================================================================>] 6,973       --.-K/s   in 0s      

2011-06-27 15:50:17 (302 MB/s) - `idp-metadata.xml' saved [6973/6973]
[root@idmt-1 shibboleth]# pwd
/etc/shibboleth
[root@idmt-1 shibboleth]# vi shibboleth2.xml
            -->
            <SSO entityID="urn:mace:incommon:alaska.edu">
              SAML2 SAML1
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

        <!-- Example of locally maintained metadata. -->
        <MetadataProvider type="XML" file="idp-metadata.xml"/>
:wq!
[root@idmt-1 shibboleth]# shibd -t
overall configuration is loadable, check console for non-fatal problems
}}}
  * Windows: TBD
 3. Setup EntityID for SP. Note the entityID for the SP is _NOT_ a URL. It is a unique string that identifies your SP and is usually based off of the hostname of the system. It may also be a CNAME for the system.
  * Linux:
{{{
[root@idmt-1 shibboleth]# hostname
idmt-1.alaska.edu
[root@idmt-1 shibboleth]# pwd
/etc/shibboleth
[root@idmt-1 shibboleth]# vi shibboleth2.xml
    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://idmt-1.alaska.edu/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">

        <!--
:wq!
[root@idmt-1 shibboleth]# shibd -t
overall configuration is loadable, check console for non-fatal problems
}}}
  * Windows: TBD
 4. Start Apache/IIS and Shibd and check function.
  * Linux:
{{{
[root@idmt-1 shibboleth]# service httpd start
Starting httpd:                                            [  OK  ]
[root@idmt-1 shibboleth]# service shibd start
Starting shibd:                                            [  OK  ]
[root@idmt-1 shibboleth]# curl -k https://localhost/Shibboleth.sso/Status | xmllint --format - | grep -C 3 "<Status>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4889  100  4889    0     0   194k      0 --:--:-- --:--:-- --:--:-- 4774k
      </ds:X509Data>
    </ds:KeyInfo>
  </md:KeyDescriptor>
  <Status>
    <OK/>
  </Status>
</StatusHandler>
}}}
  * Windows: TBD
 5. Generate SP metadata.
  * Linux:
{{{
[root@idmt-1 shibboleth]# curl -k https://idmt-1.alaska.edu/Shibboleth.sso/Metadata > idmt1-metadata.xml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3807  100  3807    0     0   169k      0 --:--:-- --:--:-- --:--:-- 3717k
[root@idmt-1 shibboleth]# xmllint --format idmt1-metadata.xml 
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_27d456d0acab55e09ede1cd8da7bae46892ddc60" entityID="https://idmt-1.alaska.edu/shibboleth">

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Login"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>idmt-1.alaska.edu</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=idmt-1.alaska.edu</ds:X509SubjectName>
          <ds:X509Certificate>MIIC+jCCAeKgAwIBAgIJAKzKVe8S5t3gMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV
BAMTEWlkbXQtMS5hbGFza2EuZWR1MB4XDTExMDYyNzIzNDkxOVoXDTIxMDYyNDIz
NDkxOVowHDEaMBgGA1UEAxMRaWRtdC0xLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDNwFn9fHtwKalW2gExxaSoodjwZSreNJxppMVa
gkUyDsvJ2tBezONFz+fvt6eWFOrkrYiwYeLMKB26ee6Uf8XgZRGrGGNtZ3rN6+pw
popxMQ0bVvko68fK0gZpWrKzrtDdLes+K51HZOd+FZ9bYDV+sM6kpaVpQDtSI5OT
PkwEWjXtctkTTX48YUe5hCbwprBMEL5KZqiyjqfeXLNDcYrioTyxZXemeHzRtISK
zNRgUgGbUFO64OAiaziSn6RB2gOoJqIZMmDaedo3QY8yaC56EJ6krrMFNb6wIUog
RpxQxllxiKzmjufGk2up6KHUjQBmovhnY1/hy/fvvevIKFwLAgMBAAGjPzA9MBwG
A1UdEQQVMBOCEWlkbXQtMS5hbGFza2EuZWR1MB0GA1UdDgQWBBQfTV+1yqucG5kM
FJA4qttIwfLEBjANBgkqhkiG9w0BAQUFAAOCAQEAu/8zEVFsI4oDCVwbhnGuF154
iKevamYhgsfJxWHt4fKIwGUnsl7H7TdBjLaCnRNiaLeuV0CIB+hGjbcl6JV7O/PO
XopY/gzNF4uSAL9Lh8EWBNBSU7OmLgi6cpyWRpsGVvf+bhj2/TiOaiDSUGCgk7NN
1/oys7bFnlA605UANXg/u9T5od9Hz01YInwEhGflN5ZfrrIdyZuCXbEVcmo/Z2p4
FUMQ7Wd2nDk3g7fx50Sv9TIg7IIM2QI6L4+popFmJRy1p78r1yXQoz0tplfYgRek
/LG0ZB9VqEErdx5fDE90IZVF7OHh1UzyTHl8+ZXTKnSQsLIfcfZb9j8GmjtMtg==
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Artifact/SOAP" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/POST" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/Artifact" index="5"/>
  </md:SPSSODescriptor>

}}}
  * Windows: TBD
3. Email SP metadata to iam@alaska.edu and request integration with UA IdP. Once the metadata is registered with the UA IdP integration can be tested at the https://idmt-1.alaska.edu/secure test URL that is configured by default with most installations.
4. Decide which attributes your application will need to authorize access then email iam@alaska.edu and request those attributes be released to your SP from the UA IdP.