Overview
Procedures
Requirements
Shibboleth SP3 is distributed through the Ubuntu and Debian package repositories.
Shibboleth requires HTTPS to operate. The website certificate does not have to be issued by a Certificate Authority (CA) for the SP itself to work (the SAML signing and encryption keys are separate and are generated during installation), although users' browsers will warn about a self-signed web certificate.
Installing Shibboleth SP
Install the package with apt as root on the server:
apt install libapache2-mod-shib
Setup Service Provider
During the Shibboleth SP installation, a signing certificate and an encryption certificate (with their private keys) are generated for your server and placed in the /etc/shibboleth directory. These certificates are automatically included in the SP metadata, so regenerating them invalidates any metadata you have already shared and the metadata must be shared again. They are self-signed, valid for 10 years, and do not need to contain any site-specific information such as the site or server name: the IdP trusts them by the keys published in your metadata, not through CA validation. The private keys in /etc/shibboleth should remain readable only by the shibd user.
Update the SP entityID attribute
Edit /etc/shibboleth/shibboleth2.xml and find this element:
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
REMOTE_USER="eppn subject-id pairwise-id persistent-id"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
Change the entityID URL to match your site's URL, keeping the trailing /shibboleth path. Set the REMOTE_USER attribute to uid so that Apache's REMOTE_USER variable is populated from the uid attribute released by the IdP. Leave cipherSuites unchanged.
Updated example:
<ApplicationDefaults entityID="https://itsscdemo.rpi.edu/shibboleth"
REMOTE_USER="uid"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
Add the RPI Shibboleth IdP metadata to your configuration.
Insert this MetadataProvider element inside <ApplicationDefaults>, just above the closing </ApplicationDefaults> tag. The IdP metadata is fetched over HTTPS, cached locally in the file named by backingFilePath, and refreshed at most every maxRefreshDelay seconds (7200 = two hours). No MetadataFilter of type Signature is configured, so the integrity of the downloaded metadata is not independently verified against a metadata signing key; the configuration relies on the HTTPS download alone.
<MetadataProvider type="XML"
url="https://shib.auth.rpi.edu/idp/shibboleth"
backingFilePath="shib-idp.xml" maxRefreshDelay="7200"/>
Update the IdP entityID in the SSO element
The SSO element must reference the entityID of the RPI IdP. The SP looks the IdP up by this exact entityID in the metadata loaded by the MetadataProvider, so it must match the entityID attribute in the IdP metadata character for character, or the SP will report the IdP as unknown.
Find this element:
<SSO entityID="https://idp.example.org/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2
</SSO>
and replace it with this:
<SSO entityID="https://shib-idp.rpi.edu/idp/shibboleth">
SAML2
</SSO>
Start Shibboleth SP
The shibd service needs to be started and enabled, and Apache restarted so that the Shibboleth module is loaded. The Apache service is named apache2 on Ubuntu and Debian (it is httpd on Red Hat-based systems):
systemctl enable shibd
systemctl start shibd
systemctl restart apache2
Validate SP service is functional
Check the /Shibboleth.sso/Status page of your site to make sure that shibd is running and Apache can communicate with it. The default shibboleth2.xml restricts the Status handler to requests from localhost (acl="127.0.0.1 ::1"), so check it from the server itself (for example with curl) or add your workstation's address to that acl; a request from elsewhere returns a 403 rather than a status report. A working SP returns an XML document whose Status element contains <OK/>.
Example URL - https://itsscdemo.rpi.edu/Shibboleth.sso/Status
Share metadata with the RPI Security team
The site metadata needs to be shared with the Security team so that the IdP can be configured to trust your SP. After you have finished the initial configuration, download the metadata from your site's /Shibboleth.sso/Metadata page. If the server is accessible on campus
Example - URL https://itsscdemo.rpi.edu/Shibboleth.sso/Metadata
Setup site in Apache2
Important Configuration Note
Apache's ServerName must be set to the website's domain name, either in the VirtualHost or in the main Apache configuration. When redirecting to the IdP, Shibboleth builds the return (AssertionConsumerService) URL from the server name Apache reports, and the IdP checks that URL against your metadata; if the name does not match the hostname in your metadata, the logon will fail. Setting UseCanonicalName On makes Apache use ServerName rather than the client-supplied Host header when building such URLs.
Updating existing sites
The Shibboleth install creates a shib.conf file with a basic Apache configuration (on the Red Hat layout this is /etc/httpd/conf.d/shib.conf; on Debian and Ubuntu the Apache configuration lives under /etc/apache2/). By default only the /secure location is restricted to Shibboleth-authenticated users.
Adding
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
to a <Location> or <Directory> block in your site's Apache configuration makes that path require a Shibboleth session: unauthenticated requests are redirected to the IdP, and after logon the attribute named in REMOTE_USER (uid) is available to the application as REMOTE_USER.
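The checks in the validation and Apache sections above can be automated. The following POSIX shell script is an added example for this page; it is not part of the Shibboleth distribution or of RPI's own tooling. It cross-checks the entityID in shibboleth2.xml against the SP's downloaded /Shibboleth.sso/Metadata and the cached IdP metadata, confirms that the Apache ServerName matches the entityID host, warns before the generated signing certificate expires, and queries the Status handler from the SP host. The vhost it prints is constructed to illustrate the directives listed above; its certificate and DocumentRoot paths, the sample hostnames, the cache and vhost paths in the usage comment, and the assumption that the IdP metadata holds a single EntityDescriptor are all assumptions.

```shell
#!/bin/sh
# Post-configuration sanity checks for a Shibboleth SP behind Apache.
# Added example; not from the Shibboleth project or RPI. Paths other than
# /etc/shibboleth/shibboleth2.xml, and the <OK/> status marker, are assumptions.

# Host part of a URL or bare hostname: https://sp.example.org/shibboleth -> sp.example.org
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[:/].*$||'
}

# SP entityID from the <ApplicationDefaults> element of shibboleth2.xml
sp_entity_id() {
    sed -n 's/.*<ApplicationDefaults[^>]*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# IdP entityID from the <SSO> element of shibboleth2.xml
sso_entity_id() {
    sed -n 's/.*<SSO[^>]*entityID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# entityID of the EntityDescriptor in a SAML metadata file (assumes a single entity,
# as in the SP's own metadata and an IdP's self-published metadata)
metadata_entity_id() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*<\(md:\)\{0,1\}EntityDescriptor[^>]*entityID="\([^"]*\)".*/\2/p'
}

# First ServerName directive in an Apache config file, reduced to a hostname
apache_server_name() {
    url_host "$(sed -n 's/^[[:space:]]*ServerName[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)"
}

# 0 if the certificate in $1 is still valid $2 days from now (default 30).
# Rolling the generated signing/encryption certs over silently invalidates shared metadata.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 ))
}

# Query the Status handler. The default shibboleth2.xml limits /Shibboleth.sso/Status to
# 127.0.0.1 and ::1, so run this on the SP host; -k tolerates a self-signed web certificate.
status_ok() {
    curl -fsk "https://$1/Shibboleth.sso/Status" | grep -q '<OK/>'
}

# Cross-check shibboleth2.xml, the SP's downloaded metadata, the IdP metadata and the
# Apache vhost. Prints one line per check and returns the number of failures.
check_sp_config() {
    conf=$1 sp_md=$2 idp_md=$3 vhost=$4 fails=0
    sp_id=$(sp_entity_id "$conf")
    if [ -n "$sp_id" ] && [ "$sp_id" = "$(metadata_entity_id "$sp_md")" ]; then
        echo "ok   SP entityID matches generated metadata ($sp_id)"
    else
        echo "FAIL SP entityID differs from /Shibboleth.sso/Metadata: re-download and re-share it"
        fails=$((fails + 1))
    fi
    if [ "$(sso_entity_id "$conf")" = "$(metadata_entity_id "$idp_md")" ]; then
        echo "ok   <SSO> entityID found in IdP metadata"
    else
        echo "FAIL <SSO> entityID not in IdP metadata: the SP will treat the IdP as unknown"
        fails=$((fails + 1))
    fi
    if [ "$(url_host "$sp_id")" = "$(apache_server_name "$vhost")" ]; then
        echo "ok   Apache ServerName matches the entityID host"
    else
        echo "FAIL Apache ServerName differs from the entityID host: the IdP redirect will fail"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed vhost showing the directives from the page; cert and DocumentRoot paths are placeholders.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName itsscdemo.rpi.edu
    UseCanonicalName On
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/itsscdemo.pem
    SSLCertificateKeyFile /etc/ssl/private/itsscdemo.key
    DocumentRoot /var/www/html

    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require shib-session
    </Location>
</VirtualHost>
EOF
}

# Typical run on the SP host (all paths except shibboleth2.xml are assumptions):
#   curl -sk https://itsscdemo.rpi.edu/Shibboleth.sso/Metadata > /tmp/sp-metadata.xml
#   check_sp_config /etc/shibboleth/shibboleth2.xml /tmp/sp-metadata.xml \
#       /var/cache/shibboleth/shib-idp.xml /etc/apache2/sites-enabled/itsscdemo.conf
#   cert_valid_for_days /etc/shibboleth/sp-signing-cert.pem 90 && status_ok itsscdemo.rpi.edu
```

Run it on the SP host as root after the configuration steps, since the Status handler only answers loopback requests by default; a non-zero return from check_sp_config means at least one of the three cross-checks failed, and the FAIL lines say which file to correct before sharing metadata with the Security team.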
References/Links
None