Version 9 (modified by dabantz@…, 11 years ago)
Shibboleth SP Setup
This page documents installing a Shibboleth SP.
UA Supported Configurations:
- Apache or IIS on Windows
- Apache on Linux
- Shibboleth SP Version 2.4.2
N.B. 2014-05-08: RHEL - use /etc/shibboleth/metagen.sh to generate the SP's metadata!
Installation:
- Download and install the appropriate installers/packages.
- Windows: (It is recommended to use the MSIs.)
- Linux: (It is recommended to use a binary repo.)
- Configure the SP
- Remove and regenerate the SP keys.
- Linux:
[root@idmt-1 shibboleth]# pwd
/etc/shibboleth
[root@idmt-1 shibboleth]# rm -rf sp-key.pem sp-cert.pem
[root@idmt-1 shibboleth]# ./keygen.sh
Generating a 2048 bit RSA private key
...........................................................................................+++
.........................................................................................................................................................+++
writing new private key to 'sp-key.pem'
-----
- Windows: TBD
- Download and set up the IdP's metadata, then check the config for correct syntax.
- Linux:
[root@idmt-1 shibboleth]# wget https://idp.alaska.edu/idp-metadata.xml
--2011-06-27 15:50:17--  https://idp.alaska.edu/idp-metadata.xml
Resolving idp.alaska.edu... 137.229.114.38
Connecting to idp.alaska.edu|137.229.114.38|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6973 (6.8K) [application/xml]
Saving to: `idp-metadata.xml'

100%[===================================================================================================================================================================================================>] 6,973       --.-K/s   in 0s

2011-06-27 15:50:17 (302 MB/s) - `idp-metadata.xml' saved [6973/6973]

[root@idmt-1 shibboleth]# pwd
/etc/shibboleth
[root@idmt-1 shibboleth]# vi shibboleth2.xml
        -->
        <SSO entityID="urn:mace:incommon:alaska.edu">
          SAML2 SAML1
        </SSO>

        <!-- SAML and local-only logout. -->
        <Logout>SAML2 Local</Logout>

        <!-- Example of locally maintained metadata. -->
        <MetadataProvider type="XML" file="idp-metadata.xml"/>
:wq!
[root@idmt-1 shibboleth]# shibd -t
overall configuration is loadable, check console for non-fatal problems
- Windows: TBD
- Set up the entityID for the SP. Note that the SP's entityID is _NOT_ a URL that has to resolve. It is a unique string that identifies your SP and is usually based on the hostname of the system; it may also be based on a CNAME for the system.
- Linux:
[root@idmt-1 shibboleth]# hostname
idmt-1.alaska.edu
[root@idmt-1 shibboleth]# pwd
/etc/shibboleth
[root@idmt-1 shibboleth]# vi shibboleth2.xml
    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://idmt-1.alaska.edu/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">
        <!--
:wq!
[root@idmt-1 shibboleth]# shibd -t
overall configuration is loadable, check console for non-fatal problems
- Windows: TBD
- Start Apache/IIS and shibd, then check that the SP is working.
- Linux:
[root@idmt-1 shibboleth]# service httpd start
Starting httpd:                                            [  OK  ]
[root@idmt-1 shibboleth]# service shibd start
Starting shibd:                                            [  OK  ]
[root@idmt-1 shibboleth]# curl -k https://localhost/Shibboleth.sso/Status | xmllint --format - | grep -C 3 "<Status>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4889  100  4889    0     0   194k      0 --:--:-- --:--:-- --:--:-- 4774k
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <Status>
      <OK/>
    </Status>
  </StatusHandler>
- Windows: TBD
- Generate SP metadata.
- Linux:
[root@idmt-1 shibboleth]# curl -k https://idmt-1.alaska.edu/Shibboleth.sso/Metadata > idmt1-metadata.xml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3807  100  3807    0     0   169k      0 --:--:-- --:--:-- --:--:-- 3717k
[root@idmt-1 shibboleth]# xmllint --format idmt1-metadata.xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_27d456d0acab55e09ede1cd8da7bae46892ddc60" entityID="https://idmt-1.alaska.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Login"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>idmt-1.alaska.edu</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=idmt-1.alaska.edu</ds:X509SubjectName>
          <ds:X509Certificate>MIIC+jCCAeKgAwIBAgIJAKzKVe8S5t3gMA0GCSqGSIb3DQEBBQUAMBwxGjAYBgNV
BAMTEWlkbXQtMS5hbGFza2EuZWR1MB4XDTExMDYyNzIzNDkxOVoXDTIxMDYyNDIz
NDkxOVowHDEaMBgGA1UEAxMRaWRtdC0xLmFsYXNrYS5lZHUwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDNwFn9fHtwKalW2gExxaSoodjwZSreNJxppMVa
gkUyDsvJ2tBezONFz+fvt6eWFOrkrYiwYeLMKB26ee6Uf8XgZRGrGGNtZ3rN6+pw
popxMQ0bVvko68fK0gZpWrKzrtDdLes+K51HZOd+FZ9bYDV+sM6kpaVpQDtSI5OT
PkwEWjXtctkTTX48YUe5hCbwprBMEL5KZqiyjqfeXLNDcYrioTyxZXemeHzRtISK
zNRgUgGbUFO64OAiaziSn6RB2gOoJqIZMmDaedo3QY8yaC56EJ6krrMFNb6wIUog
RpxQxllxiKzmjufGk2up6KHUjQBmovhnY1/hy/fvvevIKFwLAgMBAAGjPzA9MBwG
A1UdEQQVMBOCEWlkbXQtMS5hbGFza2EuZWR1MB0GA1UdDgQWBBQfTV+1yqucG5kM
FJA4qttIwfLEBjANBgkqhkiG9w0BAQUFAAOCAQEAu/8zEVFsI4oDCVwbhnGuF154
iKevamYhgsfJxWHt4fKIwGUnsl7H7TdBjLaCnRNiaLeuV0CIB+hGjbcl6JV7O/PO
XopY/gzNF4uSAL9Lh8EWBNBSU7OmLgi6cpyWRpsGVvf+bhj2/TiOaiDSUGCgk7NN
1/oys7bFnlA605UANXg/u9T5od9Hz01YInwEhGflN5ZfrrIdyZuCXbEVcmo/Z2p4
FUMQ7Wd2nDk3g7fx50Sv9TIg7IIM2QI6L4+popFmJRy1p78r1yXQoz0tplfYgRek
/LG0ZB9VqEErdx5fDE90IZVF7OHh1UzyTHl8+ZXTKnSQsLIfcfZb9j8GmjtMtg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/Artifact/SOAP" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/POST" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML/Artifact" index="5"/>
  </md:SPSSODescriptor>
- Windows: TBD
- Email the SP metadata to iam@… and request integration with the UA IdP. Once the metadata is registered with the UA IdP, the integration can be tested at https://idmt-1.alaska.edu/secure, the test URL that is configured by default with most installations.
- Decide which attributes your application will need to authorize access, then email iam@… and request that those attributes be released to your SP from the UA IdP.
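Before emailing the metadata, the three artifacts produced by the steps above (shibboleth2.xml, the downloaded idp-metadata.xml and the SP's own metadata) can be cross-checked offline. The script below is an added example, not part of this page or the Shibboleth distribution; it assumes the shibboleth2.xml default namespace used by SP 2.x, takes the SP hostname as a parameter, and runs against constructed samples modelled on the excerpts above (the certificate is a placeholder).

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
CONF = "{urn:mace:shibboleth:2.0:native:sp:config}"  # default namespace of shibboleth2.xml
# Constructed samples modelled on the page's excerpts; the certificate value is a placeholder.
SHIB2 = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://idmt-1.alaska.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions><SSO entityID="urn:mace:incommon:alaska.edu">SAML2 SAML1</SSO></Sessions>
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
  </ApplicationDefaults></SPConfig>"""
IDP_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:mace:incommon:alaska.edu">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>"""
SP_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idmt-1.alaska.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idmt-1.alaska.edu/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idmt-1.alaska.edu/Shibboleth.sso/SLO/Redirect"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

def check_sp(shib2_xml, idp_metadata_xml, sp_metadata_xml, host):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    conf, idp, sp = (ET.fromstring(x) for x in (shib2_xml, idp_metadata_xml, sp_metadata_xml))
    # 1. The IdP named in <SSO entityID="..."> must exist, as an IdP, in the downloaded metadata.
    wanted_idp = conf.find(f".//{CONF}SSO").get("entityID")
    idp_ids = {e.get("entityID") for e in idp.iter(f"{MD}EntityDescriptor")
               if e.find(f"{MD}IDPSSODescriptor") is not None}
    if wanted_idp not in idp_ids:
        problems.append(f"SSO entityID {wanted_idp} not found in IdP metadata")
    # 2. The entityID in ApplicationDefaults must be the one the SP actually published.
    conf_id = conf.find(f".//{CONF}ApplicationDefaults").get("entityID")
    if conf_id != sp.get("entityID"):
        problems.append(f"entityID mismatch: config {conf_id} vs metadata {sp.get('entityID')}")
    # 3. Every endpoint the IdP will send assertions or logout requests to must be HTTPS on this host.
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for ep in sp.iter(f"{MD}{tag}"):
            loc = ep.get("Location", "")
            if not loc.startswith(f"https://{host}/"):
                problems.append(f"{tag} Location {loc} is not https://{host}/...")
    # 4. Without the SP certificate in the metadata the IdP cannot encrypt assertions to this SP.
    if sp.find(f".//{MD}KeyDescriptor/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate") is None:
        problems.append("no X509Certificate in KeyDescriptor")
    return problems

if __name__ == "__main__":
    for p in check_sp(SHIB2, IDP_MD, SP_MD, "idmt-1.alaska.edu") or ["all checks passed"]:
        print(p)
```

To run it against a real installation, read the three files from /etc/shibboleth and the curl'd metadata in place of the constructed strings.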