
Version 8 (modified by jpmitchell@…, 13 years ago)


Shibboleth / Shibboleth SP Setup

This page documents installing a Shibboleth SP.

UA Supported Configurations:

  • Apache or IIS on Windows
  • Apache on Linux
  • Shibboleth SP Version 2.4.2

Installation:

  1. Download and install the appropriate installers/packages.
  2. Configure the SP
    1. Remove and regenerate the SP keys.
      • Linux:
        [root@idmt-1 shibboleth]# pwd
        /etc/shibboleth
        [root@idmt-1 shibboleth]# rm -rf sp-key.pem sp-cert.pem 
        [root@idmt-1 shibboleth]# ./keygen.sh 
        Generating a 2048 bit RSA private key
        ...........................................................................................+++
        .........................................................................................................................................................+++
        writing new private key to 'sp-key.pem'
        -----
        
      • Windows: TBD
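Two checks worth running right after keygen.sh, before shibboleth2.xml is pointed at the new files: that the private key is not readable by anyone but its owner, and that sp-cert.pem really is the certificate for sp-key.pem (an old certificate left beside a freshly generated key is a common cause of signature failures later). This is an added example, not part of the UA wiki page or of keygen.sh; the function names and the sp-key.pem / sp-cert.pem naming under the directory passed as $1 are assumptions matching the session above.

```shell
#!/bin/sh
# Added example (not from the UA wiki page or from keygen.sh): sanity checks
# for a freshly regenerated SP key pair. Assumes the files are named
# sp-key.pem / sp-cert.pem inside the directory given as $1.

# Return 0 if sp-key.pem exists, looks like a PEM private key and is not
# readable by group or others; otherwise print the reason and return 1.
check_sp_key_perms() {
    key="$1/sp-key.pem"
    [ -f "$key" ] || { echo "missing $key"; return 1; }
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$key" \
        || { echo "$key is not a PEM private key"; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits (POSIX)
    gos=$(ls -l "$key" | cut -c5-10)
    if [ "$gos" != "------" ]; then
        echo "$key is readable by group/others: $(ls -l "$key" | cut -c1-10)"
        return 1
    fi
    echo "ok"
}

# Return 0 if sp-cert.pem carries the public half of sp-key.pem, 1 if the two
# files disagree, 2 if openssl is not installed and the check could not be made.
check_sp_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipped"; return 2; }
    key_pub=$(openssl pkey -in "$1/sp-key.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$1/sp-cert.pem" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "sp-cert.pem does not match sp-key.pem"
        return 1
    fi
    echo "ok"
}

# Demo on a constructed placeholder file (not a real key): first world-readable,
# then with the permissions corrected.
demo_key_perms() {
    d=$(mktemp -d)
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed placeholder, not a key\n-----END PRIVATE KEY-----\n' \
        > "$d/sp-key.pem"
    chmod 644 "$d/sp-key.pem"
    check_sp_key_perms "$d" || true      # reports the group/other-readable mode
    chmod 600 "$d/sp-key.pem"
    check_sp_key_perms "$d"              # prints "ok"
    rm -rf "$d"
}
demo_key_perms
```

On a real installation call `check_sp_key_perms /etc/shibboleth` and `check_sp_key_matches_cert /etc/shibboleth`; the key must still be readable by the account shibd runs as, so "owner only" means owned by that account, not by root with shibd running unprivileged.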
    2. Download and set up the IdP's metadata, then check the configuration for correct syntax.
      • Linux:
        [root@idmt-1 shibboleth]# wget https://idp.alaska.edu/idp-metadata.xml
        --2011-06-27 15:50:17--  https://idp.alaska.edu/idp-metadata.xml
        Resolving idp.alaska.edu... 137.229.114.38
        Connecting to idp.alaska.edu|137.229.114.38|:443... connected.
        HTTP request sent, awaiting response... 200 OK
        Length: 6973 (6.8K) [application/xml]
        Saving to: `idp-metadata.xml'
        
        100%[===================================================================================================================================================================================================>] 6,973       --.-K/s   in 0s      
        
        2011-06-27 15:50:17 (302 MB/s) - `idp-metadata.xml' saved [6973/6973]
        [root@idmt-1 shibboleth]# pwd
        /etc/shibboleth
        [root@idmt-1 shibboleth]# vi shibboleth2.xml
                    -->
                    <SSO entityID="urn:mace:incommon:alaska.edu">
                      SAML2 SAML1
                    </SSO>
        
                    <!-- SAML and local-only logout. -->
                    <Logout>SAML2 Local</Logout>
        
                <!-- Example of locally maintained metadata. -->
                <MetadataProvider type="XML" file="idp-metadata.xml"/>
        :wq!
        [root@idmt-1 shibboleth]# shibd -t
        overall configuration is loadable, check console for non-fatal problems
        
      • Windows: TBD
    3. Set up the entityID for the SP. Note that the SP's entityID is _NOT_ a URL, even though it looks like one: it is a unique string that identifies your SP and is usually based on the hostname of the system. It may also be based on a CNAME for the system.
      • Linux:
        [root@idmt-1 shibboleth]# hostname
        idmt-1.alaska.edu
        [root@idmt-1 shibboleth]# pwd
        /etc/shibboleth
        [root@idmt-1 shibboleth]# vi shibboleth2.xml
            <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
            <ApplicationDefaults entityID="https://idmt-1.alaska.edu/shibboleth"
                                 REMOTE_USER="eppn persistent-id targeted-id">
        
                <!--
        :wq!
        [root@idmt-1 shibboleth]# shibd -t
        overall configuration is loadable, check console for non-fatal problems
        
      • Windows: TBD
    4. Start Apache/IIS and shibd, then check that the SP is working (the Status handler should report <OK/>).
      • Linux:
        [root@idmt-1 shibboleth]# service httpd start
        Starting httpd:                                            [  OK  ]
        [root@idmt-1 shibboleth]# service shibd start
        Starting shibd:                                            [  OK  ]
        [root@idmt-1 shibboleth]# curl -k https://localhost/Shibboleth.sso/Status | xmllint --format - | grep -C 3 "<Status>"
          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                         Dload  Upload   Total   Spent    Left  Speed
        100  4889  100  4889    0     0   194k      0 --:--:-- --:--:-- --:--:-- 4774k
              </ds:X509Data>
            </ds:KeyInfo>
          </md:KeyDescriptor>
          <Status>
            <OK/>
          </Status>
        </StatusHandler>
        
      • Windows: TBD
    5. Generate SP metadata.
      • Linux:
        [root@idmt-1 shibboleth]# curl -k https://idmt-1.alaska.edu/Shibboleth.sso/Metadata > idmt1-metadata.xml
          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                         Dload  Upload   Total   Spent    Left  Speed
        100  3807  100  3807    0     0   169k      0 --:--:-- --:--:-- --:--:-- 3717k
        [root@idmt-1 shibboleth]# xmllint --format idmt1-metadata.xml 
        <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_27d456d0acab55e09ede1cd8da7bae46892ddc60" entityID="https://idmt-1.alaska.edu/shibboleth">
        
          <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
            <md:Extensions>
              <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Login"/>
            </md:Extensions>
            <md:KeyDescriptor>
              <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>idmt-1.alaska.edu</ds:KeyName>
                <ds:X509Data>
                  <ds:X509SubjectName>CN=idmt-1.alaska.edu</ds:X509SubjectName>
                  <ds:X509Certificate>MIIC+jCCAeKgAwIBAgIJAKzKVe8S5t3gMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV
        BAMTEWlkbXQtMS5hbGFza2EuZWR1MB4XDTExMDYyNzIzNDkxOVoXDTIxMDYyNDIz
        NDkxOVowHDEaMBgGA1UEAxMRaWRtdC0xLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3
        DQEBAQUAA4IBDwAwggEKAoIBAQDNwFn9fHtwKalW2gExxaSoodjwZSreNJxppMVa
        gkUyDsvJ2tBezONFz+fvt6eWFOrkrYiwYeLMKB26ee6Uf8XgZRGrGGNtZ3rN6+pw
        popxMQ0bVvko68fK0gZpWrKzrtDdLes+K51HZOd+FZ9bYDV+sM6kpaVpQDtSI5OT
        PkwEWjXtctkTTX48YUe5hCbwprBMEL5KZqiyjqfeXLNDcYrioTyxZXemeHzRtISK
        zNRgUgGbUFO64OAiaziSn6RB2gOoJqIZMmDaedo3QY8yaC56EJ6krrMFNb6wIUog
        RpxQxllxiKzmjufGk2up6KHUjQBmovhnY1/hy/fvvevIKFwLAgMBAAGjPzA9MBwG
        A1UdEQQVMBOCEWlkbXQtMS5hbGFza2EuZWR1MB0GA1UdDgQWBBQfTV+1yqucG5kM
        FJA4qttIwfLEBjANBgkqhkiG9w0BAQUFAAOCAQEAu/8zEVFsI4oDCVwbhnGuF154
        iKevamYhgsfJxWHt4fKIwGUnsl7H7TdBjLaCnRNiaLeuV0CIB+hGjbcl6JV7O/PO
        XopY/gzNF4uSAL9Lh8EWBNBSU7OmLgi6cpyWRpsGVvf+bhj2/TiOaiDSUGCgk7NN
        1/oys7bFnlA605UANXg/u9T5od9Hz01YInwEhGflN5ZfrrIdyZuCXbEVcmo/Z2p4
        FUMQ7Wd2nDk3g7fx50Sv9TIg7IIM2QI6L4+popFmJRy1p78r1yXQoz0tplfYgRek
        /LG0ZB9VqEErdx5fDE90IZVF7OHh1UzyTHl8+ZXTKnSQsLIfcfZb9j8GmjtMtg==
        </ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Artifact/SOAP" index="0"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/SOAP"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/POST"/>
            <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Artifact"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST" index="0"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/ECP" index="3"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/POST" index="4"/>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/Artifact" index="5"/>
          </md:SPSSODescriptor>
        
        
      • Windows: TBD
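Before the generated metadata goes to the IdP operators it pays to cross-check the three things steps 2.2, 2.3 and 2.5 above produce: the entityID in `<SSO>` must be the one the downloaded IdP metadata file actually describes, the entityID in `<ApplicationDefaults>` must be the one the SP publishes, and every endpoint Location in the SP metadata must be https on the SP's own hostname (an http:// or foreign-host Location usually means the vhost or ServerName is wrong). The following is an added example, not part of the UA wiki page or of the Shibboleth project; `xml_attr`, `xml_locations`, `check_sp_config` and the sample files it writes are constructed for illustration and mirror the excerpts above.

```shell
#!/bin/sh
# Added example (not from the UA wiki page or the Shibboleth project).
# Cross-checks shibboleth2.xml, the local IdP metadata file and the generated
# SP metadata. It is a plain grep/sed text scan, not an XML parser: it reads
# the first matching element only and does not skip commented-out elements.

# Print attribute $2 of the first <$1 ...> element in file $3.
# A namespace prefix on the element (md:, init:) is tolerated.
xml_attr() {
    tr '\n' ' ' < "$3" \
      | grep -o "<[A-Za-z]*:\{0,1\}$1[[:space:]][^>]*" \
      | head -n 1 \
      | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print every Location="..." value in file $1, one per line.
xml_locations() {
    grep -o 'Location="[^"]*"' "$1" | sed 's/^Location="//; s/"$//'
}

# check_sp_config CONF_DIR SP_METADATA_FILE EXPECTED_HOST
# Prints "ok" and returns 0 when consistent; otherwise prints one PROBLEM
# line per finding and returns the number of findings.
check_sp_config() {
    conf="$1/shibboleth2.xml"; sp_md="$2"; host="$3"; problems=0

    # Step 2.2: the IdP named in <SSO entityID> must be the one described by
    # the file named in <MetadataProvider file>, or shibd cannot find its keys.
    idp_file=$(xml_attr MetadataProvider file "$conf")
    case "$idp_file" in /*) idp_path="$idp_file" ;; *) idp_path="$1/$idp_file" ;; esac
    if [ ! -f "$idp_path" ]; then
        echo "PROBLEM: MetadataProvider file '$idp_file' not found under $1"
        problems=$((problems + 1))
    else
        sso_id=$(xml_attr SSO entityID "$conf")
        idp_id=$(xml_attr EntityDescriptor entityID "$idp_path")
        if [ "$sso_id" != "$idp_id" ]; then
            echo "PROBLEM: <SSO entityID=\"$sso_id\"> but the IdP metadata carries \"$idp_id\""
            problems=$((problems + 1))
        fi
    fi

    # Steps 2.3 / 2.5: the entityID configured locally must be the one the SP publishes.
    app_id=$(xml_attr ApplicationDefaults entityID "$conf")
    md_id=$(xml_attr EntityDescriptor entityID "$sp_md")
    if [ "$app_id" != "$md_id" ]; then
        echo "PROBLEM: ApplicationDefaults entityID \"$app_id\" differs from published \"$md_id\""
        problems=$((problems + 1))
    fi

    # Step 2.5: every endpoint the IdP will send assertions to must be https on our host.
    for loc in $(xml_locations "$sp_md"); do
        case "$loc" in
            "https://$host/"*) ;;
            *) echo "PROBLEM: endpoint is not https on $host: $loc"; problems=$((problems + 1)) ;;
        esac
    done

    [ "$problems" -eq 0 ] && echo "ok"
    return "$problems"
}

# Constructed sample input (not real UA files), trimmed to the elements used above.
write_sample_config() {
    cat > "$1/shibboleth2.xml" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <ApplicationDefaults entityID="https://idmt-1.alaska.edu/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem">
            <SSO entityID="urn:mace:incommon:alaska.edu"> SAML2 SAML1 </SSO>
        </Sessions>
        <MetadataProvider type="XML" file="idp-metadata.xml"/>
    </ApplicationDefaults>
</SPConfig>
EOF
    cat > "$1/idp-metadata.xml" <<'EOF'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:mace:incommon:alaska.edu">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
EOF
    cat > "$1/idmt1-metadata.xml" <<'EOF'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idmt-1.alaska.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Stand-alone run against the constructed sample in a temporary directory.
sample=$(mktemp -d)
write_sample_config "$sample"
check_sp_config "$sample" "$sample/idmt1-metadata.xml" idmt-1.alaska.edu
```

On a real host run `check_sp_config /etc/shibboleth /etc/shibboleth/idmt1-metadata.xml "$(hostname)"` after step 2.5; a non-zero return with PROBLEM lines is the list of things to fix before emailing the metadata in step 3.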
  3. Email the SP metadata to iam@… and request integration with the UA IdP. Once the metadata is registered with the UA IdP, the integration can be tested at the https://idmt-1.alaska.edu/secure test URL, which is configured by default with most installations.
  4. Decide which attributes your application will need to authorize access, then email iam@… and request that those attributes be released to your SP from the UA IdP.