Shibboleth Service Provider (SP) v2.3.x Installation on Debian Lenny and Ubuntu 10.04¶
Note:
This document is currently work in progress, but I have checked it up to the completion of the SP installation procedure. A separator line in the document marks the position from which it may not be up to date.
This document provides detailed information on how to install a Shibboleth Service Provider (SP) on a Debian (Lenny) based system and configure it correctly to be integrated within the current EDIT CSSO platform.
Currently, there is no official Debian package supporting the latest version of the Shibboleth SP, so you will need to download and compile it from source. While [SWITCHaai](https://www.switch.ch/aai) provides a detailed deployment guide, this guide summarises all required steps and adapts them into an installation guide for a Service Provider integrated into the EDIT CSSO platform.
To shorten the complex installation procedure, there is also a simple shibSP-Setup.tgz available that sets up a default Shibboleth SP for the EDIT federation. Please refer to the setup script documentation at the end of this document.
Finally, there is a brief introduction to the installation and configuration of the Shibboleth Drupal module.
Prerequisites¶
SSL Web Server Certificate¶
Before starting the installation procedure, you will need an SSL web server certificate. The certificate is mandatory in order to enable trustworthy and secure communication between all components of EDIT's CSSO infrastructure. Please ask your institution's system administrator to provide you with such a certificate. You may also create a self-generated certificate, or get an (also self-generated) certificate from EDIT's WP 5.7 ServerCA (http://dev.e-taxonomy.eu/trac/wiki/WP57CertificationAuthority#EDITWP5.7ServerCA). Be aware of the inconvenience for your users caused by the "Invalid Security Certificate" browser warning that such certificates trigger!
Root access¶
In order to execute the following build and installation procedure, you need root access to your system!
Time synchronisation¶
If your system clock is not synchronised yet, install the ntpdate client now.

```sh
apt-get install --yes ntpdate
```

Update the file ntpdate (/etc/default/ntpdate on Debian) as follows:

- set NTPDATE_USE_NTP_CONF=no
- optionally, update the NTPSERVERS list to your needs (e.g. for country-specific or firewall reasons)
Build the Shibboleth SP¶
For Ubuntu only:
Starting with Ubuntu 10.04, there is a package called libapache2-mod-shib2 which provides version 2.3.1 of the Shibboleth daemon.
It can be installed and enabled by running the following commands.

```sh
apt-get install libapache2-mod-shib2
a2enmod shib2
a2enmod ssl
/etc/init.d/apache2 restart
```

The apt-get step produces output like the following (here from a German-locale system):

```
root@spdemo2:~# apt-get install libapache2-mod-shib2
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut
Status-Informationen einlesen... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl3 libicu42 liblog4cpp5 libltdl7 libsaml6 libshibsp4
  libssl0.9.8 libxerces-c3.1 libxml-security-c15 libxmltooling4 odbcinst odbcinst1debian1
  opensaml2-schemas shibboleth-sp2-schemas ssl-cert unixodbc xmltooling-schemas
Vorgeschlagene Pakete:
  apache2-doc apache2-suexec apache2-suexec-custom libmyodbc odbc-postgresql tdsodbc unixodbc-bin
Die folgenden NEUEN Pakete werden installiert:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapache2-mod-shib2 libapr1
  libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl3 libicu42 liblog4cpp5 libltdl7 libsaml6
  libshibsp4 libxerces-c3.1 libxml-security-c15 libxmltooling4 odbcinst odbcinst1debian1
  opensaml2-schemas shibboleth-sp2-schemas ssl-cert unixodbc xmltooling-schemas
Die folgenden Pakete werden aktualisiert:
  libssl0.9.8
1 aktualisiert, 26 neu installiert, 0 zu entfernen und 26 nicht aktualisiert.
Es müssen 17,9MB an Archiven heruntergeladen werden.
Nach dieser Operation werden 56,2MB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren [J/n]?
```

So, when using Ubuntu, the following sections can be omitted and you can continue with section Configure Shibboleth SP for the EDIT federation.
For Debian only:
On Debian Lenny, we need to build and compile the Shibboleth Service Provider software, as the most recent version 2.3.1 is not available as a Debian package. But a version > 2.3.1 is required to support the Single Logout functionality and to fix some security-related bugs.
Installing the build environment¶
If not already done, install the wget package to download the necessary source code archives.

```sh
apt-get install --yes wget
```

The following packages are required to compile the Shibboleth SP daemon and the Shibboleth Apache module.

```sh
apt-get install --yes gcc g++ make libssl0.9.8 libssl-dev libcurl3 libcurl3-dev libxerces-c28 libxerces-c2-dev libxml-security-c14 libxml-security-c-dev apache2-threaded-dev
```

Finally, define, create and change into a build directory in which to execute the build process.

```sh
export MYBUILD=~/shibsp2.3.1-build
mkdir -p $MYBUILD
cd $MYBUILD
```
Download and extract source code¶
To compile the current version 2.3.1 of the Shibboleth SP, please download and extract the following source code archives.

```sh
wget http://shibboleth.internet2.edu/downloads/log4shib/1.0.4/log4shib-1.0.4.tar.gz
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/2.3/xmltooling-1.3.3.tar.gz
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/2.3/opensaml-2.3.tar.gz
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.3.1/shibboleth-sp-2.3.1.tar.gz
tar xvfz log4shib-1.0.4.tar.gz
tar xvfz xmltooling-1.3.3.tar.gz
tar xvfz opensaml-2.3.tar.gz
tar xvfz shibboleth-sp-2.3.1.tar.gz
```

Build Shibboleth SP¶
Define and create a home directory for the current Shibboleth SP version.

```sh
export SHIB_HOME=/opt/shibboleth-sp-2.3.1
mkdir $SHIB_HOME
```

Build Log4Shib¶

```sh
pushd $MYBUILD/log4shib-1.0.4/ && ./configure --disable-static --disable-doxygen --prefix=$SHIB_HOME && make && make install && popd
```

Build XML-Tooling¶

```sh
pushd $MYBUILD/xmltooling-1.3.3/ && ./configure --with-log4shib=$SHIB_HOME --prefix=$SHIB_HOME -C && make && make install && popd
```

Build OpenSAML¶

```sh
pushd $MYBUILD/opensaml-2.3/ && ./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME -C && make && make install && popd
```

Build Shibboleth Service Provider¶

```sh
pushd $MYBUILD/shibboleth-2.3.1/ && ./configure --with-saml=$SHIB_HOME --enable-apache-22 --with-log4shib=$SHIB_HOME --with-xmltooling=$SHIB_HOME --prefix=$SHIB_HOME -C && make && make install && popd
```
Install Shibboleth SP¶
After having successfully built the Shibboleth SP, proceed to install the Shibboleth Apache module and daemon into your system.
Install Apache2 web server¶
If you did not install the Apache2 web server before, do so now.

```sh
apt-get install --yes apache2
```

Create symbolic link to current Shibboleth SP version¶
Create a stable reference to the current Shibboleth SP version.

```sh
ln -s $SHIB_HOME /opt/shibboleth-sp2
```

Define and create a configuration directory for Shibboleth SP¶

```sh
export SHIBSP_CONFIG=/etc/shibboleth
mkdir -p $SHIBSP_CONFIG
```
Install Shibboleth SP module for Apache2¶
Installing the Shibboleth SP module for the Apache2 web server requires the creation or modification of the following files. Note that a2enmod NAME (used below) looks for /etc/apache2/mods-available/NAME.load and NAME.conf, so the names of the two module files must match the module name you pass to a2enmod.

Add the following line to Apache's environment settings (on Debian, /etc/apache2/envvars), so that mod_shib finds the libraries built above:

```sh
export LD_LIBRARY_PATH=/opt/shibboleth-sp2/lib
```

- shib.load:

```apache
LoadModule mod_shib /opt/shibboleth-sp2/lib/shibboleth/mod_shib_22.so
```

- shib.conf:

```apache
ShibConfig /etc/shibboleth/shibboleth2.xml
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /etc/shibboleth/main.css
  Alias /shibboleth-sp/EDIT-Logo.png /etc/shibboleth/EDIT-Logo.png
</IfModule>
```

Enable Apache's Shibboleth SP and SSL modules.

```sh
a2enmod shib2
a2enmod ssl
```
Init script for the Shibboleth SP daemon¶
The Shibboleth SP daemon should be started on every system startup. So, an init script must be created and added to the system's init services.
Therefore, create the file /etc/init.d/shibd as follows (LD_LIBRARY_PATH is exported, so that shibd started via start-stop-daemon finds the libraries under $SHIB_HOME/lib).

```sh
#! /bin/sh
### BEGIN INIT INFO
# Provides:          shibd
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Shibboleth 2 Service Provider Daemon
# Description:       Starts the separate daemon used by the Shibboleth
#                    Apache module to manage sessions and to retrieve
#                    attributes from Shibboleth Identity Providers.
### END INIT INFO
#
# Written by Quanah Gibson-Mount <quanah@stanford.edu>
# Modified by Lukas Haemmerle <lukas.haemmerle@switch.ch> for Shibboleth 2
# Based on the dh-make template written by:
#
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian
# by Ian Murdock <imurdock@gnu.ai.mit.edu>.

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Shibboleth 2 daemon"
NAME=shibd
SHIB_HOME=/opt/shibboleth-sp2
SHIBSP_CONFIG=/etc/shibboleth/shibboleth2.xml
# Exported, so that the daemon process inherits the library path
export LD_LIBRARY_PATH=$SHIB_HOME/lib
DAEMON=$SHIB_HOME/sbin/$NAME
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=/var/run/$NAME.pid
DAEMON_OPTS=""

# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"

# Use defined configuration file
DAEMON_OPTS="$DAEMON_OPTS -c $SHIBSP_CONFIG"

# Specify pid file to use
DAEMON_OPTS="$DAEMON_OPTS -p $PIDFILE"

# Specify wait time to use
DAEMON_OPTS="$DAEMON_OPTS -w 30"

# Exit if the package is not installed.
[ -x "$DAEMON" ] || exit 0

# Read configuration if it is present.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS

case "$1" in
  start)
    # Don't start shibd if NO_START is set.
    if [ "$NO_START" = 1 ] ; then
      echo "Not starting $DESC (see /etc/default/$NAME)"
      exit 0
    fi
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet \
      --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
      --exec $DAEMON
    echo "$NAME."
    ;;
  restart|force-reload)
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
      --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet \
      --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0
```

At the beginning of the init script, there are some options to adapt the script to your environment. But there should be no reason to touch them as long as you follow this guide.
To enable the init script, make it executable and register it with the different run levels of your Debian system by calling update-rc.d.

```sh
chmod +x /etc/init.d/shibd
update-rc.d shibd defaults
```
Install the Shibboleth Log system¶
The Shibboleth SP's log system should be adapted to the Debian system defaults. Therefore, create a directory /var/log/shibboleth for the Shibboleth log files first.

```sh
mkdir -p /var/log/shibboleth
```

Next, copy the original logger configuration template files from the Shibboleth distribution in $SHIB_HOME (/opt/shibboleth-sp2) to ${SHIBSP_CONFIG} (/etc/shibboleth).

```sh
cp ${SHIB_HOME}/etc/shibboleth/native.logger ${SHIBSP_CONFIG}
cp ${SHIB_HOME}/etc/shibboleth/shibd.logger ${SHIBSP_CONFIG}
cp ${SHIB_HOME}/etc/shibboleth/syslog.logger ${SHIBSP_CONFIG}
```

Adapt the following settings in the copied logger files to the Debian system defaults.

native.logger:

```
log4j.appender.native_log.fileName=/var/log/shibboleth/native.log
```

shibd.logger:

```
log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
```

Finally, create empty log files and set the log files' access rights accordingly (native.log is written by the Apache module, so the www-data group needs write access).

```sh
touch /var/log/shibboleth/shibd.log
touch /var/log/shibboleth/native.log
chown root:www-data /var/log/shibboleth/native.log
chmod g+w /var/log/shibboleth/native.log
chown root:www-data /var/log/shibboleth/shibd.log
chmod g+w /var/log/shibboleth/shibd.log
```
Configure Shibboleth SP for the EDIT federation¶
For Ubuntu only:
Since you probably have not followed the Debian installation instructions, please set the following environment variable.

```sh
export SHIBSP_CONFIG=/etc/shibboleth
```
Certificate and key files¶
As stated at the beginning of the document, an SSL web server certificate is required to run the CSSO services. Usually, you should have two files in PEM format: a certificate file and a key file.
Note: The key file must not be encrypted, otherwise the SP may not run correctly.
Debian's and Ubuntu's default locations for certificate and key files are the directories /etc/ssl/certs and /etc/ssl/private respectively. So, copy both PEM files to their default locations and set appropriate access rights.
For the configuration to work correctly, you must follow the naming convention for certificate and key files I introduced for all my system setups. It's quite simple: use the DNS hostname of your SP and append -cert.pem or -key.pem respectively.
Example for the host sp.e-taxonomy.eu:

Certificate file: sp.e-taxonomy.eu-cert.pem
Key file: sp.e-taxonomy.eu-key.pem

Next, copy the files to their respective locations and set the access rights appropriately. Replace ${shibSPHost} with the DNS host name of your SP, or set the environment variable as follows!

```sh
export shibSPHost=<FQDN of your SP host (e.g. sp.e-taxonomy.eu)>
```

```sh
cp ${pathToCertfile} /etc/ssl/certs/${shibSPHost}-cert.pem
cp ${pathToKeyfile} /etc/ssl/private/${shibSPHost}-key.pem
chown root:ssl-cert /etc/ssl/private/${shibSPHost}-key.pem
chmod 640 /etc/ssl/private/${shibSPHost}-key.pem
```

Note: If your certificate was issued by a root CA which is not included within /etc/ssl/certs, you must copy that CA certificate file into /etc/ssl/certs!
Then, set the access rights appropriately and create the required hash links to the certificate files with c_rehash:

```sh
chown root:root /etc/ssl/certs/*
chmod 644 /etc/ssl/certs/*
c_rehash
```

Finally, you must add the user www-data to the group ssl-cert, so that the Apache web server can access the key file.

```sh
adduser www-data ssl-cert
```
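As an added pre-flight check (not part of this guide or of the shibSP-Setup script), the following POSIX shell script verifies the certificate and key layout just set up: the key is not passphrase protected, the key is 640 root:ssl-cert, the certificate is 644 root:root, and www-data is a member of ssl-cert. The function names, the SP_OWNER/SP_OWNERGROUP/SP_KEYGROUP override variables and GNU stat are my own assumptions.

```shell
#!/bin/sh
# Pre-flight check for the certificate/key layout this guide expects.
# Added example, not part of the guide or of shibSP-Setup. Requires GNU stat.
# Expected owner/groups can be overridden via SP_OWNER, SP_OWNERGROUP and
# SP_KEYGROUP (defaults match the guide: root, root, ssl-cert). Run as root.

# key_is_encrypted FILE -> 0 if the PEM file carries an encryption header
# (traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1" 2>/dev/null
}

# check_mode_owner FILE MODE USER GROUP -> 0 if all three match
check_mode_owner() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2 $3 $4" ]
}

# user_in_group USER GROUP -> 0 if USER is a member of GROUP
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# sp_cert_preflight HOST [CERTDIR] [KEYDIR] [WEBUSER]
# Prints one line per finding; returns the number of problems found (0 = OK).
sp_cert_preflight() {
    host=$1
    certdir=${2:-/etc/ssl/certs}
    keydir=${3:-/etc/ssl/private}
    webuser=${4:-www-data}
    owner=${SP_OWNER:-root}
    ownergroup=${SP_OWNERGROUP:-root}
    keygroup=${SP_KEYGROUP:-ssl-cert}
    cert=$certdir/$host-cert.pem
    key=$keydir/$host-key.pem
    problems=0

    # Certificate: world-readable, owned by root (chown root:root; chmod 644).
    if [ ! -f "$cert" ]; then
        echo "MISSING   $cert"; problems=$((problems + 1))
    elif ! check_mode_owner "$cert" 644 "$owner" "$ownergroup"; then
        echo "PERMS     $cert should be 644 $owner:$ownergroup"; problems=$((problems + 1))
    fi

    # Key: unencrypted, readable only by root and the ssl-cert group (chmod 640).
    if [ ! -f "$key" ]; then
        echo "MISSING   $key"; problems=$((problems + 1))
    else
        if key_is_encrypted "$key"; then
            echo "ENCRYPTED $key (shibd needs an unencrypted key or a password attribute)"
            problems=$((problems + 1))
        fi
        if ! check_mode_owner "$key" 640 "$owner" "$keygroup"; then
            echo "PERMS     $key should be 640 $owner:$keygroup"; problems=$((problems + 1))
        fi
    fi

    # Apache's user must be in the key group to read the key (adduser www-data ssl-cert).
    if ! user_in_group "$webuser" "$keygroup"; then
        echo "GROUP     $webuser is not in group $keygroup (run: adduser $webuser $keygroup)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK        certificate layout for $host looks good"
    return "$problems"
}

# Stand-alone usage: sh sp-preflight.sh sp.e-taxonomy.eu
if [ $# -ge 1 ]; then
    sp_cert_preflight "$@"
fi
```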
Shibboleth SP¶
Our EDIT-specific configuration of the Shibboleth SP takes place in the following files:

- shibboleth2.xml: covers the main configuration of a Shibboleth SP.
- attribute-map.xml: defines the mapping of attributes sent by EDIT's Identity Provider to Apache2 web server environment variables.
- attribute-policy.xml: defines the Shibboleth SP's access control policy rules.
- metadata-idp.e-taxonomy.eu.xml: contains EDIT's IdP metadata for backup reasons.
- EDIT-Logo.png and main.css: set up the logo and style of any messages shown by the Shibboleth SP in the user's web browser.

Except for the shibboleth2.xml file, all files come preconfigured to fit the EDIT federation's requirements. So, you can just download and copy them to the Shibboleth SP's configuration directory (${SHIBSP_CONFIG}, i.e. /etc/shibboleth).

```sh
wget -O ${SHIBSP_CONFIG}/attribute-map.xml http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/attribute-map.xml
wget -O ${SHIBSP_CONFIG}/attribute-policy.xml http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/attribute-policy.xml
wget -O ${SHIBSP_CONFIG}/metadata-idp.e-taxonomy.eu.xml http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/metadata-idp.e-taxonomy.eu.xml
wget -O ${SHIBSP_CONFIG}/EDIT-Logo.png http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/EDIT-Logo.png
wget -O ${SHIBSP_CONFIG}/main.css http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/main.css
```
When downloading shibboleth2.xml, you receive a preconfigured template (shibboleth2.xml.tmpl), which requires some additional work to fit your installation. The template file contains a placeholder (${shibSPHost}), which must be replaced by the fully qualified hostname (including domain name) of your service provider (e.g. sp.e-taxonomy.eu). That can be done with your preferred text editor, or by executing the following commands (e.g. for sp.e-taxonomy.eu).

```sh
wget -O ${SHIBSP_CONFIG}/shibboleth2.xml.tmpl http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/shibboleth2.xml.tmpl
```

Note:
If the private key you installed on the server (see Certificate and key files) is passphrase protected, then you must add the password attribute manually to the CredentialResolver element in line 252 as follows. The passphrase is then stored in clear text in shibboleth2.xml, so that file must be protected at least as strictly as the key file itself.

```xml
<CredentialResolver type="File" key="/etc/ssl/private/${shibSPHost}-key.pem" password="YOUR KEY PASSPHRASE HERE" certificate="/etc/ssl/certs/${shibSPHost}-cert.pem"/>
```

Next, replace the placeholder with your Shibboleth host name. The sed pattern is the literal string ${shibSPHost} (hence the escaped dollar sign), the replacement is the value of the shell variable set above.

```sh
sed -i "s|\${shibSPHost}|${shibSPHost}|g" ${SHIBSP_CONFIG}/shibboleth2.xml.tmpl
```

Finally, you can move the modified file to its final name in the Shibboleth SP's configuration directory (${SHIBSP_CONFIG}, i.e. /etc/shibboleth).

```sh
mv ${SHIBSP_CONFIG}/shibboleth2.xml.tmpl ${SHIBSP_CONFIG}/shibboleth2.xml
```
Apache2 site configuration¶
The site configuration for the Apache2 web server requires the following file. As for shibboleth2.xml, the Shibboleth SP site configuration file for the Apache2 web server also comes as a preconfigured template (shibboleth-sp.tmpl). It can be adapted to the SP's host name by executing the same sed command as above or by editing it with a text editor.

```sh
wget -O /etc/apache2/sites-available/shibboleth-sp.tmpl http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/shibboleth-sp.tmpl
sed -i "s|\${shibSPHost}|${shibSPHost}|g" /etc/apache2/sites-available/shibboleth-sp.tmpl
mv /etc/apache2/sites-available/shibboleth-sp.tmpl /etc/apache2/sites-available/shibboleth-sp
```

Activating the shibboleth-sp site within the Apache2 web server puts the SSL part of your site (https://your.site.org/) completely under the control of the Shibboleth SP. That means any login attempt will be redirected to the EDIT Identity Provider (i.e. https://idp.e-taxonomy.eu/opensso/)!
To change this, the root path (/) within the Location statement must be adapted to meet the local requirements. Further Location statements may be added in order to protect several paths on the service provider.

```apache
<Location />
  AuthType Shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require shibboleth
</Location>
```

Note that ShibUseHeaders On passes the attributes to the application as HTTP request headers; the Shibboleth SP documentation recommends leaving it off and reading environment variables wherever the application supports that, because request headers can be spoofed by clients if they are not filtered properly.

For verifying the functionality of the CSSO access later on, the PHP script shibenv.php may be useful. It simply displays all Shibboleth and Apache environment variables, so it lets you check that the CSSO access works correctly. For that, simply copy it to the document root of the Apache2 web server (usually /var/www). Since it shows every attribute released by the IdP, keep it under the Shibboleth-protected path only and remove it once testing is finished.
Here are the remaining commands to protect the entire SSL section of your site by CSSO.

```sh
a2ensite shibboleth-sp
wget -O /var/www/shibenv.php http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/shibenv.php
chown root:www-data /var/www/shibenv.php
chmod 750 /var/www/shibenv.php
```
Shibboleth SP notification mechanism¶
The configuration of the Shibboleth SP's notification mechanism needs the following file.
The Shibboleth notification mechanism is used to implement the Single Logout (SLO) functionality on service providers. The Shibboleth SP's notification mechanism simply calls a defined script (notify.php), which calls all logout URLs of applications running on the given site. That way, there should be no application-specific authentication cookies left that cause some applications to "think" that a user is still logged in. In particular, this scenario may occur when Single Logout was initiated on another server.
To enable this, install the php5-curl library first. Then, download and copy notify.php to the document root of your Apache2 web server and set the access rights appropriately.

```sh
apt-get install php5-curl
wget -O /var/www/notify.php http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/notify.php
chown root:www-data /var/www/notify.php
chmod 750 /var/www/notify.php
```

Last but not least, the $logoutURL array at the beginning of the notify.php script must be adapted by entering the logout URLs of your applications.
Note: Do not change anything below the array definition if you do not know what you are doing!
Note: Since these URLs will be called by the user's browser, they must be listed with their external hostname. Defining URLs like http://localhost/app/logout will not work!
Here is an example defining two Drupal logout URLs:

```php
$logoutURL = array(
    'http://your.host.org/drupal5/?q=logout',
    'http://your.host.org/drupal6/?q=logout'
);
```
Restarting Apache2 and the Shibboleth daemon¶
Finally, let's restart the Apache2 web server and shibd.

```sh
/etc/init.d/apache2 restart && /etc/init.d/shibd restart && ps -efa | grep shibd
```

Please check that the shibd process is really running. If not, repeat the last command; sometimes shibd does not start on the first attempt.
If there are any problems, please check the log files of the Apache2 web server (/var/log/apache2) and the Shibboleth SP daemon (/var/log/shibboleth) first!
Registering the new Shibboleth SP at the EDIT federation¶
If everything went fine, accessing your Shibboleth SP at the URL https://your.host.org/shibboleth should successfully start a download of the SP's metadata. In that case, please notify the EDIT federation manager (suhrbier(at)inf.fu-berlin.de). The federation manager may then register your service provider with the EDIT federation. From that point in time, any registered EDIT user may log in to the applications on your service provider!
Next, verify that users can log in successfully by accessing the shibenv.php script mentioned above on your web server (e.g. https://your.host.org/shibenv.php). Provided you are already a registered user at the EDIT federation, you should be redirected to EDIT's IdP (https://idp.e-taxonomy.eu/opensso/). Otherwise, refer to the EDIT federation manager (suhrbier(at)inf.fu-berlin.de) as well.
After having successfully authenticated there, you should be redirected back to the originally selected service provider and see an attribute list containing at least your name and email address in your browser!
*The following may not be up to date!*
Setup Script¶
The shibSP-Setup.tgz is a compressed tar file containing a directory with the script, some configuration files and some template files as described above. So, if you want to use the setup script for installing and configuring your Shibboleth SP, download and extract the script first. Then, change to the setup directory just created.
Download and extract setup directory¶

```sh
wget -O shibSP-Setup.tgz http://dev.e-taxonomy.eu/trac/attachment/wiki/ShibbolethSP2InstallDebianLenny/shibSP-Setup.tgz?format=raw
tar xvfz shibSP-Setup.tgz
cd shibSP-Setup
```

Within the directory, there is a script called shibSPSetup. If you call it without parameters, the command help will be printed on the screen.
Copy certificate files¶
Before starting the installation, the certificate and key file for your web server must be copied into the shibSP-Setup directory. Also, both files should be renamed according to the naming rules stated above. Here is an example for the host idp.e-taxonomy.eu.

Certificate file: idp.e-taxonomy.eu-cert.pem
Key file: idp.e-taxonomy.eu-key.pem
Installation¶
The setup script offers the following commands. Letters in brackets [] show the options that can be applied with that command.

- all: compile, install and configure SP
- compile: compile SP
- configure: configure SP [-cdeihkrsv]
- install: install SP
- setacl: set ACL for SP installation [-v]
- uninstall: removes build, install and configuration files

The following options are available:

- -b build target (default: ./)
- -c local SSL certificate file (default: ./$hostname-cert.pem)
- -d DS URL (default: https://idp.e-taxonomy.eu/DS), not implemented yet
- -e support contact (default: editsupport@bgbm.org)
- -i IdP entity id (default: https://idp.e-taxonomy.eu:443/opensso)
- -h hostname (default: 'eval hostname')
- -k local SSL private key file (default: ./$hostname-key.pem)
- -a IdP hostname (default: idp.e-taxonomy.eu)
- -r SSL RootCA certificate path (default: /etc/ssl/certs)
- -s SP entity id (default: https://$hostname/shibboleth)
- -t installation target (default: /opt)
- -v SP version to install (default: 2.3.1)

Besides the certificate files, the only information the script needs for a default installation is the hostname of your server. Therefore, the script uses the hostname command to get the hostname automatically. Please check that this command prints the correct, fully qualified hostname of your server (e.g. idp.e-taxonomy.eu):

```
root@idp:~# hostname
idp.e-taxonomy.eu
```

Next, the setup procedure may start. Use the all command to set up your basic Shibboleth SP in one go. Alternatively, use the compile, install and configure commands in that order. You can also use these commands to repeat any of these steps on error. If you need to change some of the configuration parameters, please check which command options may apply.
The complete setup will take approximately 20-30 minutes. Most of the time will be consumed by the compile command. Watch out for potential error messages here; in that case, you should verify your setup and repeat the compile step.
If all went well, you should have reached the state described in Registering the new Shibboleth SP at the EDIT federation. So, contact the EDIT federation manager to register your service provider with the EDIT federation.
Installing and Configuring Drupal modules¶
The setup directory supports the installation of Drupal 5 (6) modules adapted to the EDIT CSSO setup. Currently, there are two quite simple scripts (shibDrupal5(6)Setup) which copy the modules to their usual location. These locations may easily be changed by adapting the paths /var/www/drupal5(6) to another directory.
Next, the Drupal modules must be installed and configured appropriately. Therefore, log in with Drupal administration rights and install the modules userprotect and shib_auth by selecting them in Drupal's module administration section. After that, configure the Shibboleth module within the Shibboleth settings -> General settings menu of the User management administration section.
Configure the General Shibboleth settings as follows:

| Shibboleth handler settings | |
|---|---|
| Shibboleth handler URL: | /Shibboleth.sso |
| Shibboleth handler protocol: | HTTPS |
| WAYF location: | /Login |
| Shibboleth login target protocol: | HTTPS |
| Shibboleth logout return URL: | e.g. http://your.host.org/drupal6/?q=logout |

| Attribute settings | |
|---|---|
| Server variable for username: | Shib_eduPersonPrincipalName |
| Server variable for e-mail address: | Shib-mail |

You can also define specific access rules, which map Shibboleth attribute values to defined Drupal user roles. The mapping is defined by matching regular expressions. Access rules may be configured within the Shibboleth settings -> Shibboleth group rules menu.
When adding a new rule, the Shibboleth attribute name and a regular expression must be entered. Then, the user roles assigned to users matching the regular expression must be selected.
The currently defined attributes are listed within the Current Set of EDIT Attributes document. Using e.g. the eduPersonAffiliation attribute (Shib_eduPersonAffiliation variable), the EDIT Federation manager group is matched by defining the following regular expression:

```
^cn=FederationManager.*
```

When this rule is assigned the Drupal admin role, EDIT Federation managers can manage e.g. the Shibboleth configuration on your Drupal instance.
Updated by Andreas Müller about 2 years ago · 75 revisions