Shibboleth Service Provider (SP) v2.3.x Installation on Debian Lenny and Ubuntu 10.04

Note::

This document is currently work in progress, but I have checked it up to the completion of the SP installation procedure. A separator line in the document marks the point from which on it may no longer be up to date!

This document provides detailed information on how to install a Shibboleth Service Provider (SP) on a Debian (Lenny) based system and configure it correctly to be integrated within the current EDIT CSSO platform.

Currently, there is no official Debian package supporting the latest version of the Shibboleth SP, so you need to download and compile it from source. While SWITCHaai (https://www.switch.ch/aai) provides a detailed deployment guide, this guide summarises the required steps and adapts them into an installation guide for a Service Provider integrated into the EDIT CSSO platform.

To shorten the complex installation procedure, there is also a simple shibSP-Setup.tgz available setting up a default Shibboleth SP for the EDIT federation. Please refer to the setup script documentation at the end of this document.

Finally, there is a brief introduction into the installation and configuration of the Shibboleth Drupal module.

Prerequisites

SSL Web Server Certificate

Before starting the installation procedure, you will need an SSL web server certificate. The certificate is mandatory to enable trustworthy and secure communication between all components of EDIT's CSSO infrastructure. Ask your institution's system administrator to provide you with such a certificate. You may also create a self-generated certificate or obtain an (also self-generated) certificate from EDIT's WP 5.7 ServerCA (http://dev.e-taxonomy.eu/trac/wiki/WP57CertificationAuthority#EDITWP5.7ServerCA). Be aware that such certificates trigger the 'Invalid Security Certificate' warning in users' browsers, which may limit convenience!

Root access

In order to execute the following build and installation procedure, you need root access to your system!

Time synchronisation

If your system clock is not synchronised yet, install the ntpdate client software.

apt-get install --yes ntpdate    

Update the file ntpdate as follows:

  • set NTPDATE_USE_NTP_CONF=no

  • optionally, update the NTPSERVERS list to your needs (e.g. country specific or firewall reasons)

Build the Shibboleth SP

For Ubuntu only::

Starting with Ubuntu 10.4, there is a package called libapache2-mod-shib2 which supports version 2.3.1 of the Shibboleth daemon.

This can be installed running the following command.

apt-get install libapache2-mod-shib2
a2enmod shib2
a2enmod ssl
/etc/init.d/apache2 restart

root@spdemo2:~# apt-get install libapache2-mod-shib2
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut       
Status-Informationen einlesen... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1 libaprutil1-dbd-sqlite3
  libaprutil1-ldap libcurl3 libicu42 liblog4cpp5 libltdl7 libsaml6 libshibsp4 libssl0.9.8 libxerces-c3.1 libxml-security-c15
  libxmltooling4 odbcinst odbcinst1debian1 opensaml2-schemas shibboleth-sp2-schemas ssl-cert unixodbc xmltooling-schemas
Vorgeschlagene Pakete:
  apache2-doc apache2-suexec apache2-suexec-custom libmyodbc odbc-postgresql tdsodbc unixodbc-bin
Die folgenden NEUEN Pakete werden installiert:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapache2-mod-shib2 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl3 libicu42 liblog4cpp5 libltdl7 libsaml6 libshibsp4 libxerces-c3.1
  libxml-security-c15 libxmltooling4 odbcinst odbcinst1debian1 opensaml2-schemas shibboleth-sp2-schemas ssl-cert unixodbc
  xmltooling-schemas
Die folgenden Pakete werden aktualisiert:
  libssl0.9.8
1 aktualisiert, 26 neu installiert, 0 zu entfernen und 26 nicht aktualisiert.
Es müssen 17,9MB an Archiven heruntergeladen werden.
Nach dieser Operation werden 56,2MB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren [J/n]?

So, when using Ubuntu, the following sections can be omitted and you can continue with the section Configure Shibboleth SP for the EDIT federation.

For Debian only::

On Debian Lenny, we need to build the Shibboleth Service Provider software from source, as the most recent version 2.3.1 is not available as a Debian package. A version > 2.3.1 is required to support the Single Logout functionality and to eliminate some security related bugs.

Installing the build environment

If not already done, install the wget package to download the necessary source code archives.

apt-get install --yes wget  

The following packages are required to compile the Shibboleth SP daemon and the Shibboleth Apache module.

apt-get install --yes gcc g++ make libssl0.9.8 libssl-dev libcurl3 libcurl3-dev libxerces-c28 libxerces-c2-dev libxml-security-c14 libxml-security-c-dev apache2-threaded-dev    

Finally, define, create and change into a build directory to execute the build process.

export MYBUILD=~/shibsp2.3.1-build
mkdir -p $MYBUILD
cd $MYBUILD

Download and extract source code

To compile the current version 2.3.1 of the Shibboleth SP, please download the following source code archives

wget http://shibboleth.internet2.edu/downloads/log4shib/1.0.4/log4shib-1.0.4.tar.gz
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/2.3/xmltooling-1.3.3.tar.gz
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/2.3/opensaml-2.3.tar.gz
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.3.1/shibboleth-sp-2.3.1.tar.gz
tar xvfz log4shib-1.0.4.tar.gz
tar xvfz xmltooling-1.3.3.tar.gz
tar xvfz opensaml-2.3.tar.gz
tar xvfz shibboleth-sp-2.3.1.tar.gz

Build Shibboleth SP

Define and create a home directory for the current Shibboleth-SP version

export SHIB_HOME=/opt/shibboleth-sp-2.3.1
mkdir $SHIB_HOME

Build Log4Shib

pushd $MYBUILD/log4shib-1.0.4/ && ./configure --disable-static --disable-doxygen --prefix=$SHIB_HOME && make && make install && popd

Build XML-Tooling

pushd $MYBUILD/xmltooling-1.3.3/ && ./configure --with-log4shib=$SHIB_HOME --prefix=$SHIB_HOME -C && make && make install && popd

Build OpenSAML

pushd $MYBUILD/opensaml-2.3/ && ./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME -C && make && make install && popd

Build Shibboleth Service Provider

pushd $MYBUILD/shibboleth-2.3.1/ && ./configure --with-saml=$SHIB_HOME --enable-apache-22 --with-log4shib=$SHIB_HOME --with-xmltooling=$SHIB_HOME --prefix=$SHIB_HOME -C && make && make install && popd

Install Shibboleth SP

After having successfully built the Shibboleth SP, proceed to install the Shibboleth Apache module and daemon into your system.

Install Apache2 web server

If you have not installed the Apache2 web server yet, do so now.

apt-get install --yes apache2

Create symbolic link to current Shibboleth SP version

Create a stable reference to the current Shibboleth SP version.

ln -s $SHIB_HOME /opt/shibboleth-sp2

Define and create a configuration directory for Shibboleth SP

export SHIBSP_CONFIG=/etc/shibboleth
mkdir -p $SHIBSP_CONFIG

Install Shibboleth SP module for Apache2

Installing the Shibboleth SP module for Apache2 web server requires the creation or modification of the following files.

Add the following line:

export LD_LIBRARY_PATH=/opt/shibboleth-sp2/lib

  • attachment "shib.load":

LoadModule mod_shib /opt/shibboleth-sp2/lib/shibboleth/mod_shib_22.so

  • attachment "shib.conf":

ShibConfig /etc/shibboleth/shibboleth2.xml

<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /etc/shibboleth/main.css
  Alias /shibboleth-sp/EDIT-Logo.png /etc/shibboleth/EDIT-Logo.png
</IfModule>

Enable Apache's Shibboleth SP and SSL module.

a2enmod shib2
a2enmod ssl

Init script for the Shibboleth SP daemon

The Shibboleth SP daemon should be started on every system startup. So, an init script must be created and added to the system's init services.

Therefore, create the file shibd as follows.

#! /bin/sh
### BEGIN INIT INFO
# Provides: shibd
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Shibboleth 2 Service Provider Daemon
# Description: Starts the separate daemon used by the Shibboleth
# Apache module to manage sessions and to retrieve
# attributes from Shibboleth Identity Providers.
### END INIT INFO
#
# Written by Quanah Gibson-Mount <quanah@stanford.edu>
# Modified by Lukas Haemmerle <lukas.haemmerle@switch.ch> for Shibboleth 2
# Based on the dh-make template written by:
#
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian
# by Ian Murdock <imurdock@gnu.ai.mit.edu>.

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Shibboleth 2 daemon"
NAME=shibd
SHIB_HOME=/opt/shibboleth-sp2
SHIBSP_CONFIG=/etc/shibboleth/shibboleth2.xml
LD_LIBRARY_PATH=$SHIB_HOME/lib
DAEMON=$SHIB_HOME/sbin/$NAME
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=/var/run/$NAME.pid
DAEMON_OPTS=""

# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"

# Use defined configuration file
DAEMON_OPTS="$DAEMON_OPTS -c $SHIBSP_CONFIG"

# Specify pid file to use
DAEMON_OPTS="$DAEMON_OPTS -p $PIDFILE"

# Specify wait time to use
DAEMON_OPTS="$DAEMON_OPTS -w 30"

# Exit if the package is not installed.
[ -x "$DAEMON" ] || exit 0

# Read configuration if it is present.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS

case "$1" in
start)
    # Don't start shibd if NO_START is set.
    if [ "$NO_START" = 1 ] ; then
        echo "Not starting $DESC (see /etc/default/$NAME)"
        exit 0
    fi
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet \
        --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    echo "$NAME."
    ;;
restart|force-reload)
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet \
        --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
*)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

At the beginning of the init script there are some options to adapt the script to your environment; there should be no reason to touch them as long as you are following this guide.

To enable the init script, make it executable and register it to the different run levels of your Debian system by calling update-rc.d.

chmod +x /etc/init.d/shibd
update-rc.d shibd defaults

Install the Shibboleth Log system

The Shibboleth SP's log system should be adapted to the Debian system defaults. Therefore, first create a directory /var/log/shibboleth for the Shibboleth log files.

mkdir -p /var/log/shibboleth

Next, copy the original logger configuration template files from the Shibboleth distribution in $SHIB_HOME (/opt/shibboleth-sp2) to ${SHIBSP_CONFIG} (/etc/shibboleth).

cp ${SHIB_HOME}/etc/shibboleth/native.logger ${SHIBSP_CONFIG}
cp ${SHIB_HOME}/etc/shibboleth/shibd.logger ${SHIBSP_CONFIG}
cp ${SHIB_HOME}/etc/shibboleth/syslog.logger ${SHIBSP_CONFIG}

Adapt the following settings in the logger files to the Debian system defaults.

log4j.appender.native_log.fileName=/var/log/shibboleth/native.log
log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log

Finally, create empty log files and set their ownership and permissions accordingly, so that the Apache module running as www-data can write to them.

touch /var/log/shibboleth/shibd.log
touch /var/log/shibboleth/native.log
chown root:www-data /var/log/shibboleth/native.log
chmod g+w /var/log/shibboleth/native.log
chown root:www-data /var/log/shibboleth/shibd.log
chmod g+w /var/log/shibboleth/shibd.log

Configure Shibboleth SP for the EDIT federation

For Ubuntu only:

Since you probably have not followed the Debian installation instructions, set the following environment variable.

export SHIBSP_CONFIG=/etc/shibboleth

Certificate and key files

As stated at the beginning of the document, an SSL web server certificate is required to run the CSSO services. Usually, you should have two files in PEM format: a certificate file and a key file.

Note: The key file must not be encrypted, otherwise the SP may not run correctly.

Debian's and Ubuntu's default locations for certificate and key files are the directories /etc/ssl/certs and /etc/ssl/private respectively. So, copy both PEM files to these default locations and set appropriate access rights.

For the configuration to work correctly, you must follow the naming convention for certificate and key files that I introduced for all my system setups. It is quite simple: use the DNS host name of your SP and append -cert.pem or -key.pem respectively.

Example for the host sp.e-taxonomy.eu:

Certificate file: sp.e-taxonomy.eu-cert.pem
Key file: sp.e-taxonomy.eu-key.pem

Next, copy the files to their respective locations and set the access rights appropriately. Replace ${shibSPHost} with the DNS host name of your SP (or set the environment variable as shown in the first line), and ${pathToCertfile} and ${pathToKeyfile} with the paths of your certificate and key files!

export shibSPHost=<FQDN of your SP Host(e.g. sp.e-taxonomy.eu)>
cp ${pathToCertfile} /etc/ssl/certs/${shibSPHost}-cert.pem
cp ${pathToKeyfile} /etc/ssl/private/${shibSPHost}-key.pem
chown root:ssl-cert /etc/ssl/private/${shibSPHost}-key.pem
chmod 640 /etc/ssl/private/${shibSPHost}-key.pem

Note: If your certificate was issued by a RootCA, which is not included within /etc/ssl/certs, you must copy that certificate file into /etc/ssl/certs!

Then, set the access right appropriately and create the required hash links to the certificate files with c_rehash:

chown root:root /etc/ssl/certs/*
chmod 644 /etc/ssl/certs/*
c_rehash

Finally, you must add the user www-data to the group ssl-cert, so that the Apache web server can access the key file.

adduser www-data ssl-cert
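The checks below are an added example, not part of the original page or of the EDIT setup scripts. They verify the installed PEM files against the requirements of this section: the host-based naming convention, an unencrypted key, a key mode that grants nothing to "other" (640), and, when openssl is available, that the certificate actually belongs to the private key. Run them as root after the cp/chown/chmod commands above, on the installed paths. The function names, the host sp.example.org and the constructed PEM samples in the usage comment are assumptions for illustration; GNU stat as shipped on Debian/Ubuntu is assumed.

```shell
#!/bin/sh
# Added example (not from the original wiki page or the EDIT setup scripts):
# sanity checks for the SP certificate and private key after they have been
# copied to /etc/ssl. Assumes GNU stat (-c), as on Debian/Ubuntu; openssl is
# optional and only used for the key/certificate match.

# key_is_unencrypted KEYFILE -> 0 if the PEM key carries no encryption marker
# ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY"); shibd cannot
# load such a key without a password attribute in shibboleth2.xml.
key_is_unencrypted() {
    [ -r "$1" ] || return 1
    if grep -q 'ENCRYPTED' "$1"; then
        return 1
    fi
    return 0
}

# not_world_accessible FILE -> 0 if the mode grants nothing to "other"
# (640 and 600 pass, 644 fails). The last octal digit is the "other" class.
not_world_accessible() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# names_follow_convention HOST CERTFILE KEYFILE -> 0 if the base names are
# HOST-cert.pem and HOST-key.pem, the convention the templates rely on.
names_follow_convention() {
    [ "$(basename "$2")" = "$1-cert.pem" ] && [ "$(basename "$3")" = "$1-key.pem" ]
}

# cert_matches_key CERTFILE KEYFILE -> 0 if the certificate's public key equals
# the public half of the private key, or if openssl is missing (check skipped);
# 1 on mismatch or unparsable input. stdin is closed so openssl never waits
# for a passphrase prompt.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null </dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null </dev/null \
        | od -An -tx1 | tr -d ' \n')
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_sp_credentials HOST CERTFILE KEYFILE -> runs every check, prints each
# failure, and returns the number of failed checks (0 = all good).
# Usage, with the paths this section installs:
#   check_sp_credentials "$shibSPHost" \
#       "/etc/ssl/certs/$shibSPHost-cert.pem" "/etc/ssl/private/$shibSPHost-key.pem"
check_sp_credentials() {
    host="$1"; cert="$2"; key="$3"; failures=0
    names_follow_convention "$host" "$cert" "$key" \
        || { echo "naming: expected $host-cert.pem and $host-key.pem"; failures=$((failures + 1)); }
    key_is_unencrypted "$key" \
        || { echo "key: $key is encrypted or unreadable"; failures=$((failures + 1)); }
    not_world_accessible "$key" \
        || { echo "perms: $key is readable by others (expected mode 640)"; failures=$((failures + 1)); }
    cert_matches_key "$cert" "$key" \
        || { echo "match: $cert does not belong to $key"; failures=$((failures + 1)); }
    return "$failures"
}
```

A non-zero exit status of check_sp_credentials is the number of failed checks, so it can gate the rest of a setup script. The encryption check matches both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form.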

Shibboleth SP

Our EDIT specific configuration of the Shibboleth SP takes place in the following files:

shibboleth2.xml::

covers the main configuration of a Shibboleth SP.

attribute-map.xml::

defines the mapping of attributes sent by EDIT's Identity provider to Apache2 web server's environment variables.

attribute-policy.xml::

defines Shibboleth SP's access control policy rules.

metadata-idp.e-taxonomy.eu.xml::

contains EDIT's IdP metadata for backup reasons.

EDIT-Logo.png and main.css::

set up logo and style of any kind of messages shown by the Shibboleth SP in the user's web browser.

Except for shibboleth2.xml, all files come preconfigured to fit the EDIT federation's requirements. So, you can simply download and copy them to the Shibboleth SP's configuration directory (${SHIBSP_CONFIG}, i.e. /etc/shibboleth).

wget -O ${SHIBSP_CONFIG}/attribute-map.xml http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/attribute-map.xml
wget -O ${SHIBSP_CONFIG}/attribute-policy.xml http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/attribute-policy.xml
wget -O ${SHIBSP_CONFIG}/metadata-idp.e-taxonomy.eu.xml http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/metadata-idp.e-taxonomy.eu.xml
wget -O ${SHIBSP_CONFIG}/EDIT-Logo.png http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/EDIT-Logo.png
wget -O ${SHIBSP_CONFIG}/main.css http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/main.css

When downloading shibboleth2.xml, you receive a preconfigured template (shibboleth2.xml.tmpl), which requires some additional work. The template contains a placeholder (${shibSPHost}) that must be replaced by the fully qualified host name (including domain name) of your service provider (e.g. sp.e-taxonomy.eu). That can be done with your preferred text editor or by executing the following commands (e.g. for sp.e-taxonomy.eu).

wget -O ${SHIBSP_CONFIG}/shibboleth2.xml.tmpl http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/shibboleth2.xml.tmpl

Note::

If the private key you installed on the server (see Certificate and key files) is passphrase protected, you must add the password attribute manually to the CredentialResolver element (line 252 of the template) as follows:

<CredentialResolver type="File" key="/etc/ssl/private/${shibSPHost}-key.pem" password="YOUR KEY PASSPHRASE HERE" certificate="/etc/ssl/certs/${shibSPHost}-cert.pem"/>

Next, replace the pattern with your Shibboleth host name.

sed -i "s/[$]{shibSPHost}/${shibSPHost}/g" ${SHIBSP_CONFIG}/shibboleth2.xml.tmpl

Finally, you can move the modified file to the Shibboleth SP's configuration directory (${SHIBSP_CONFIG} (/etc/shibboleth)).

mv ${SHIBSP_CONFIG}/shibboleth2.xml.tmpl ${SHIBSP_CONFIG}/shibboleth2.xml

Apache2 site configuration

The site configuration for Apache2 web server requires the following files.

As for shibboleth2.xml, the Shibboleth SP site configuration file for the Apache2 web server also comes as a preconfigured template (shibboleth-sp.tmpl). It can be adapted to the SP's host name by executing the same sed command as above or by editing it with a text editor.

wget -O /etc/apache2/sites-available/shibboleth-sp.tmpl http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/shibboleth-sp.tmpl
sed -i "s/[$]{shibSPHost}/${shibSPHost}/g" /etc/apache2/sites-available/shibboleth-sp.tmpl
mv /etc/apache2/sites-available/shibboleth-sp.tmpl /etc/apache2/sites-available/shibboleth-sp
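The function below is an added example (not the page's own command and not part of the EDIT attachments) that covers both template steps, shibboleth2.xml.tmpl and shibboleth-sp.tmpl. It performs the same substitution with unambiguous sed quoting, validates the host name before it is spliced into the sed expression, writes through a temporary file, and refuses to install the result if any ${...} placeholder survived. The function names, the sample template lines in the usage comment and the assumption that ${name} is the only placeholder syntax used in the templates are mine.

```shell
#!/bin/sh
# Added example (not the wiki page's own command): render an EDIT template
# (shibboleth2.xml.tmpl or shibboleth-sp.tmpl) by replacing the literal
# placeholder ${shibSPHost} with the SP's fully qualified host name.
# Assumption: ${name} is the only placeholder syntax used in the templates.

# has_placeholder FILE -> 0 if FILE still contains an unreplaced ${...}
# placeholder. [$] matches a literal dollar sign and braces are literal in a
# basic regular expression, so no backslash escaping is needed.
has_placeholder() {
    grep -q '[$]{[A-Za-z_][A-Za-z0-9_]*}' "$1"
}

# render_template SRC DST HOST -> writes SRC to DST with every ${shibSPHost}
# replaced by HOST. Returns 1 on an invalid host name or unreadable SRC,
# 2 if a placeholder survived; DST is only written on success.
# Usage: render_template "$SHIBSP_CONFIG/shibboleth2.xml.tmpl" \
#                        "$SHIBSP_CONFIG/shibboleth2.xml" "$shibSPHost"
render_template() {
    src="$1"; dst="$2"; host="$3"
    # Only host-name characters are allowed: this keeps sed metacharacters
    # such as / and & out of the replacement text.
    case "$host" in
        "" | *[!A-Za-z0-9.-]*)
            echo "render_template: invalid host '$host'" >&2
            return 1 ;;
    esac
    [ -r "$src" ] || { echo "render_template: cannot read $src" >&2; return 1; }
    sed "s/[$]{shibSPHost}/$host/g" "$src" > "$dst.tmp" || { rm -f "$dst.tmp"; return 1; }
    if has_placeholder "$dst.tmp"; then
        echo "render_template: unreplaced placeholder(s) in $src:" >&2
        grep -n '[$]{[A-Za-z_][A-Za-z0-9_]*}' "$dst.tmp" >&2
        rm -f "$dst.tmp"
        return 2
    fi
    mv "$dst.tmp" "$dst"
}
```

Because the rendered file is only moved into place on success, a typo in the host name or a template with an unexpected placeholder never leaves shibd or Apache with a half-rendered configuration.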

Activating the shibboleth-sp site within the Apache2 web server puts the SSL part of your site (https://your.site.org/) completely under the control of the Shibboleth SP. That means any access attempt will be redirected to the EDIT Identity Provider (i.e. https://idp.e-taxonomy.eu/opensso/) for login!

To change this, the root path (/) within the Location statement must be adapted to meet the local requirements. Further Location statements may be added in order to protect several paths on the service provider.

    <Location />
        AuthType Shibboleth
        ShibRequireSession On
        ShibUseHeaders On
        require shibboleth
    </Location>

For verifying CSSO access later on, the PHP script shibenv.php is useful: it simply displays all Shibboleth and Apache environment variables, which lets you confirm that the CSSO login and attribute release work correctly. To use it, copy it to the document root of the Apache2 web server (usually /var/www).

Here are the remaining commands to protect the entire SSL section of your site by CSSO.

a2ensite shibboleth-sp
wget -O /var/www/shibenv.php http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/shibenv.php
chown root:www-data /var/www/shibenv.php
chmod 750 /var/www/shibenv.php

Shibboleth SP notification mechanism

The configuration of the Shibboleth SP's notification mechanism needs the following files.

The Shibboleth notification mechanism is used to implement the Single Logout (SLO) functionality on service providers. The Shibboleth SP's notification mechanism simply calls a defined script (notify.php), which calls all logout URLs of the applications running on the given site. That way, no application-specific authentication cookies should be left over that cause some applications to "think" a user is still logged in. In particular, this scenario may occur when Single Logout was initiated on another server.

To enable this, install the php5-curl library first. Then, download and copy notify.php to the document root of your Apache2 web server and set the access rights appropriately.

apt-get install php5-curl
wget -O /var/www/notify.php http://dev.e-taxonomy.eu/trac/raw-attachment/wiki/ShibbolethSP2InstallDebianLenny/notify.php
chown root:www-data /var/www/notify.php
chmod 750 /var/www/notify.php

Last but not least, the $logoutURL array at the beginning of the notify.php script must be adapted by entering the logout URLs of your applications.

Note: Do not change anything below the array definition, if you do not know what you are doing !

Note: Since these URLs will be called by the user's browser, they must be listed with their external host name. Defining URLs like http://localhost/app/logout will not work!

Here is an example defining Drupal logout URLs:

$logoutURL = array(
  'http://your.host.org/drupal5/?q=logout',
  'http://your.host.org/drupal6/?q=logout'
);

Restarting Apache2 and the Shibboleth daemon

Finally, let's restart the Apache2 web server and shibd.

/etc/init.d/apache2 restart && /etc/init.d/shibd restart && ps -efa | grep shibd

Please check that the shibd process is really running. If not, repeat the last command; sometimes shibd does not start.

If there are any problems, please check the log files of Apache2 web server (/var/log/apache2) and Shibboleth SP daemon (/var/log/shibboleth) first!
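The script below is an added example, not part of the original page. Instead of ps -efa | grep shibd, which also matches the grep command itself, it checks the pid file the init script above writes (/var/run/shibd.pid), detects a stale pid file left by a crashed daemon, and retries a few times because shibd may need a moment to come up. The metadata probe uses the URL given in the next section and assumes curl is installed; the function names and the restart wrapper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): verify that shibd is
# actually up after the restart. Assumes the pid file written by the init
# script above (/var/run/shibd.pid) and, for the metadata probe, curl.

# shibd_running [PIDFILE] -> 0 if the pid recorded in PIDFILE belongs to a
# live process; 1 if the file is missing, empty or non-numeric, or the
# process is gone (a stale pid file left behind by a crash). Run as root,
# as the init script is, so that kill -0 is not refused for a foreign process.
shibd_running() {
    pidfile="${1:-/var/run/shibd.pid}"
    [ -s "$pidfile" ] || return 1
    pid=$(tr -dc '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# wait_for_shibd [PIDFILE] [TRIES] -> poll once per second, up to TRIES times
# (default 10), since shibd needs a moment to load its configuration and
# the federation metadata before it is ready.
wait_for_shibd() {
    pidfile="${1:-/var/run/shibd.pid}"; tries="${2:-10}"
    while [ "$tries" -gt 0 ]; do
        if shibd_running "$pidfile"; then
            return 0
        fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then
            sleep 1
        fi
    done
    return 1
}

# sp_metadata_reachable HOST -> 0 if https://HOST/shibboleth answers with a
# success status. Uses the system CA store, so a self-generated server
# certificate must already be installed under /etc/ssl/certs (see
# "Certificate and key files"); -k/--insecure is deliberately not used.
sp_metadata_reachable() {
    curl -fsSL -o /dev/null "https://$1/shibboleth"
}

# restart_and_verify [HOST] -> restart both services, wait for shibd and,
# if HOST is given, probe the metadata URL. Usage: restart_and_verify sp.example.org
restart_and_verify() {
    /etc/init.d/apache2 restart && /etc/init.d/shibd restart || return 1
    if ! wait_for_shibd; then
        echo "shibd did not come up; check /var/log/shibboleth/shibd.log" >&2
        return 1
    fi
    echo "shibd is running (pid $(cat /var/run/shibd.pid))"
    [ -z "$1" ] || sp_metadata_reachable "$1"
}
```

If wait_for_shibd fails even after a second restart, /var/log/shibboleth/shibd.log usually names the cause (an unreadable key file or a metadata file that does not parse are typical).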

Registering the new Shibboleth SP at the EDIT federation

If everything went fine, accessing your Shibboleth SP at the URL https://your.host.org/shibboleth should successfully start a download of the SP's metadata. In that case, please notify the EDIT federation manager (suhrbier(at)inf.fu-berlin.de), who can then register your service provider with the EDIT federation. From that point on, any registered EDIT user may log in to the applications on your service provider!

Next, verify that users can log in successfully by accessing the shibenv.php script mentioned above on your web server (e.g. https://your.host.org/shibenv.php). Provided you are already a registered user of the EDIT federation, you should be redirected to EDIT's IdP (https://idp.e-taxonomy.eu/opensso/). Otherwise, contact the EDIT federation manager (suhrbier(at)inf.fu-berlin.de) as well.

After having authenticated there successfully, you should be redirected back to the originally selected service provider and see an attribute list containing at least your name and email address in your browser!


*The following may not be up to date!!!*

Setup Script

The shibSP-Setup.tgz is a compressed tar file containing a directory with the script, some configuration files and some template files as described above. So, if you want to use the setup script for installing and configuring your Shibboleth SP, download and extract the script first. Then, change to the setup directory just created.

Download and extract setup directory

wget -O shibSP-Setup.tgz http://dev.e-taxonomy.eu/trac/attachment/wiki/ShibbolethSP2InstallDebianLenny/shibSP-Setup.tgz?format=raw
tar xvfz shibSP-Setup.tgz
cd shibSP-Setup

Within the directory, there is a script called shibSPSetup. If you call it without parameters, the command help will be printed on the screen.

Copy certificate files

Before starting the installation, the certificate and key file for your web server must be copied into the shibSP-Setup directory. Also, both files should be renamed according to the naming rules stated above. Here is an example for the host idp.e-taxonomy.eu.

Certificate file: idp.e-taxonomy.eu-cert.pem
Key file: idp.e-taxonomy.eu-key.pem

Installation

The setup script offers the following commands. Letters in brackets [] show the options that can be applied with that command.

The following options are available:

  • -b build target (default: ./)

  • -c Local SSL certificate file (default: ./$hostname-cert.pem)

  • -d DS Url (default: https://idp.e-taxonomy.eu/DS) not implemented yet

  • -e Support Contact (default: editsupport@bgbm.org)

  • -i IdP entity id (default: https://idp.e-taxonomy.eu:443/opensso)

  • -h hostname (default: 'eval hostname')

  • -k Local SSL private key file (default: ./$hostname-key.pem)

  • -a IdP hostname (default: idp.e-taxonomy.eu)

  • -r SSL RootCA certificate path (default: /etc/ssl/certs)

  • -s SP entity id (default: https://$hostname/shibboleth)

  • -t installation target (default: /opt)

  • -v SP version to install (default: 2.3.1)

Besides the certificate files, the only information the script needs for a default installation is the host name of your server. Therefore, the script uses the hostname command to determine it automatically. Please check that this command prints the correct, fully qualified host name of your server (e.g. idp.e-taxonomy.eu).

root@idp:~# hostname
idp.e-taxonomy.eu

Next, the setup procedure may start. Use the all command to set up your basic Shibboleth SP in one go. Alternatively, use the compile, install and configure commands in that order. You can also use these commands to repeat any of these steps on error. If you need to change some of the configuration parameters, check which command options apply.

The complete setup will take approximately 20-30 minutes. Most of the time will be consumed by the compile command. Watch for potential error messages there; in that case, verify your setup and repeat the compile step.

If all went well, you should have reached the state Registering the new Shibboleth SP at the EDIT federation. So, contact the EDIT federation manager to register your service provider with the EDIT federation.

Installing and Configuring Drupal modules

The setup directory supports the installation of Drupal 5 (6) modules adapted to the EDIT CSSO setup. Currently, there are two quite simple scripts (shibDrupal5(6)Setup) which copy the modules to their usual location. These locations can easily be changed by adapting the paths /var/www/drupal5(6) to another directory.

Next, the Drupal modules must be installed and configured appropriately. Therefore, log in with Drupal administration rights and install the modules userprotect and shib_auth by selecting them in Drupal's module administration section. After that, configure the Shibboleth module within the Shibboleth settings -> General settings menu of the User management administration section.

Configure the General Shibboleth settings as follows:

| Shibboleth handler settings | |
| Shibboleth handler URL: | /Shibboleth.sso |
| Shibboleth handler protocol: | HTTPS |
| WAYF location: | /Login |
| Shibboleth login target protocol: | HTTPS |
| Shibboleth logout return URL: | e.g. http://your.host.org/drupal6/?q=logout |
| Attribute settings | |
| Server variable for username: | Shib_eduPersonPrincipalName |
| Server variable for e-mail address: | Shib-mail |

You can also define specific access rules, which map Shibboleth attribute values to defined Drupal user roles. The mapping is defined by matching regular expressions. Access rules may be configured within the Shibboleth settings -> Shibboleth group rules menu.

When adding a new rule, the Shibboleth attribute name and a regular expression must be entered. Then, the user roles assigned to users matching the regular expression must be selected.

The currently defined attributes are listed within the Current Set of EDIT Attributes document. Using e.g. the eduPersonAffiliation attribute (Shib_eduPersonAffiliation variable), the EDIT Federation manager group will be matched by defining the following regular expression:

^cn=FederationManager.*

When assigned to the Drupal admin role, the EDIT Federation manager can manage e.g. the Shibboleth configuration on your Drupal instance.

Updated by Andreas Müller about 2 years ago · 75 revisions