
Shibboleth Service Provider (SP) Installation on Debian Etch


SP Software Installation

The current installation uses the Shibboleth Service Provider (SP) version 1.3f-1. The current Debian Etch distribution even includes all packages needed to install a Shibboleth Service Provider. Unfortunately, they contain several bugs (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432729), so we follow the DFN-AAI's recommendation and use the patched Debian packages from the LUDIT-AAI (Belgium).

The SP implementation relies only on the Apache Web Server and SSL. So, before installing the SP, we install

  • Apache Web Server 2.2

  • OpenSSL

Apache Web Server 2.2 Installation

Besides installing the Apache Web Server, we just have to enable mod_ssl so that the server can speak HTTPS.

# apt-get install apache2
# a2enmod ssl

To start the Apache Web Server at boot time, edit /etc/default/apache2 and set NO_START=0:

# 0 = start on boot; 1 = don't start on boot
NO_START=0

Then you can start Apache:

# /etc/init.d/apache2 restart

Configure SSL

First, install the necessary packages; the ca-certificates package is optional.

# apt-get install openssl ca-certificates

Then, if you want to check your installation later against the Shibboleth test service, copy the certificate and key obtained during the registration of your SP with TestShib to /etc/ssl/certs/testshib.crt and /etc/ssl/private/testshib.key respectively.

For the following steps, create a group called ssl and restrict /etc/ssl/private and the key files in it to root and that group. Leave /etc/ssl/certs and its contents world-readable: it is the system CA store that every other TLS-using program on the host (including the ca-certificates package you just installed) reads from, and certificates are public anyway.

# addgroup ssl
# chown root:ssl /etc/ssl/private
# chmod 750 /etc/ssl/private
# chown root:ssl /etc/ssl/private/*
# chmod 640 /etc/ssl/private/*

Any non-root account that has to read a private key (the account shibd runs as, if it is not root) must be a member of the ssl group; the directory mode keeps everybody else out. An execute bit on a key file serves no purpose, so 640 rather than 740 is used for the files.

If you create your own keys and certificates, copy them to the directories named above and set the access rights on the key as described.

Don't forget to adapt the paths to the files in your Apache and Shibboleth configuration as well!

Create Keys and Certificates with OpenSSL

Generate a private key and a self-signed certificate for the server. Note that -nodes writes the key unencrypted, so the file permissions set above are its only protection. The key size and validity period are given explicitly because the OpenSSL defaults (a 1024-bit key, 30 days) are not suitable for a federation credential:

# openssl req -new -x509 -nodes -newkey rsa:2048 -days 1095 \
    -out /etc/ssl/certs/sp.e-taxonomy.eu-cert.pem \
    -keyout /etc/ssl/private/sp.e-taxonomy.eu-key.pem

A self-signed certificate is fine for the Shibboleth side, since the IdPs can trust it through the federation metadata rather than through a CA; browsers, however, will warn about it on the HTTPS virtual host unless it was issued by a CA they know, so you may want a separate certificate for that purpose.

See http://wiki.ubuntuusers.de/Apache/modssl for more info.

Shibboleth SP Installation

Because we use the Debian packages prepared by LUDIT-AAI (Belgium), we must add the following line to /etc/apt/sources.list:

deb http://shib.kuleuven.be/debian-repository binary/

Be aware that this makes a third party, reached over plain HTTP, a trusted package source for the whole host. If the repository is signed, import its key with apt-key before installing; if it is not, apt will warn that the packages cannot be authenticated, and you should verify them by another route rather than simply override the warning. After updating the package list, we proceed with the installation of the required Shibboleth packages:

# apt-get update
# apt-get install shibboleth-sp

Configure Apache's Shibboleth module

The Shibboleth SP is integrated into the Apache Web Server by the "shib" module that comes with the already installed "shibboleth-sp" package. However, the installation procedure does not set up the Apache configuration. So, create the following file /etc/apache2/conf.d/modshib.conf:

LoadModule mod_shib /usr/lib/shibboleth-sp/mod_shib_22.so

ShibSchemaDir /usr/share/xml/shibboleth
ShibConfig /etc/shibboleth/shibboleth.xml

<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth/logo.jpg
</IfModule>

Alternatively, if you want to enable and disable mod_shib using the commands a2enmod shib and a2dismod shib, create two files instead. Their base name must be shib, because a2enmod shib looks for /etc/apache2/mods-available/shib.load (and shib.conf, if present):

/etc/apache2/mods-available/shib.load

LoadModule mod_shib /usr/lib/shibboleth-sp/mod_shib_22.so

/etc/apache2/mods-available/shib.conf

ShibSchemaDir /usr/share/xml/shibboleth
ShibConfig /etc/shibboleth/shibboleth.xml

<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth/logo.jpg
</IfModule>

Don't forget to enable the shib module:

# a2enmod shib

Then, configure a path of your web site that you want to protect with Shibboleth (e.g. /secure). Create /etc/apache2/conf.d/sp.conf as follows (adapt the host name sp.e-taxonomy.eu and the SSL paths to your needs!). Apache will then hand unauthenticated requests for /secure to the Shibboleth handler, which redirects them to the configured IdP.

Listen 443

<VirtualHost sp.e-taxonomy.eu:443>
  ServerName              sp.e-taxonomy.eu
  ServerAdmin             webmaster@sp.e-taxonomy.eu
  DocumentRoot            /var/www/

  SSLEngine on
  SSLCertificateFile      /etc/ssl/certs/testshib.crt
  SSLCertificateKeyFile   /etc/ssl/private/testshib.key

  <Location /secure>
    AuthType           shibboleth
    ShibRequireSession On
    require            valid-user
  </Location>

</VirtualHost>

The default log file for Shibboleth is "/var/log/httpd/native.log", so make sure Apache can write to the parent directory:

# chown www-data /var/log/httpd

Configuring the Shibboleth Service Provider (SP)

We cover the following two configuration scenarios:

  • Checking the installation using the TestShib services.

  • Joining the EDIT federation

TestShib configuration

First, you should register your SP with TestShib; just follow the steps described here. During the registration process you will obtain files with your key (testshib.key) and certificate (testshib.crt) for testing your SP with TestShib.

Copy these files to /etc/ssl/private and /etc/ssl/certs and set the access rights properly (see Configure SSL).

Next, grab a fresh copy of the TestShib metadata and copy it into /etc/shibboleth:

# wget http://www.testshib.org/metadata/testshib-metadata.xml -P /etc/shibboleth

Keep in mind that this file is the SP's trust anchor: it lists the IdPs, their endpoints and their certificates, and the SP will accept assertions only from entities in it. Fetching it over plain HTTP without any signature check means anyone on the path could substitute an IdP; that is tolerable for a throw-away test against TestShib, but not for production metadata.

Further on, add __ somewhere visible in /etc/shibboleth/sessionError.html (we are not sure whether this is really necessary).

Back up your /etc/shibboleth/shibboleth.xml and replace it with the following version. Please adapt all occurrences of sp.e-taxonomy.eu and the credential key paths to your needs!

<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 /usr/share/xml/shibboleth/shibboleth-targetconfig-1.0.xsd"
    logger="/etc/shibboleth/shibboleth.logger" clockSkew="180">

    <Extensions>
        <Library path="/usr/lib/shibboleth-sp/xmlproviders.so" fatal="true"/>
    </Extensions>

    <Global logger="/etc/shibboleth/shibd.logger">
           <UnixListener address="/var/run/shib-shar.sock"/>
        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
            defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
    </Global>

    <Local logger="/etc/shibboleth/native.logger" localRelayState="true">
        <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
            <RequestMap applicationId="default">
                <Host name="sp.e-taxonomy.eu">
                    <Path name="secure" authType="shibboleth" requireSession="true"/>
                </Host>
            </RequestMap>
        </RequestMapProvider>

    </Local>
    <Applications id="default" providerId="https://sp.e-taxonomy.eu/shibboleth/testshib/sp" homeURL="https://sp.e-taxonomy.eu/index.html"       xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

        <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
            handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">

            <SessionInitiator isDefault="true" id="testshib" Location="/TestShib"
                Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                wayfURL="https://idp.testshib.org/shibboleth-idp/SSO"
                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
            <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
        </Sessions>

        <Errors session="/etc/shibboleth/sessionError.html"
            metadata="/etc/shibboleth/metadataError.html"
            rm="/etc/shibboleth/rmError.html"
            access="/etc/shibboleth/accessError.html"
            ssl="/etc/shibboleth/sslError.html"
            supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <CredentialUse TLS="testshib" Signing="testshib"/>

        <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="/etc/shibboleth/AAP.xml"/>

        <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
            uri="/etc/shibboleth/testshib-metadata.xml"/>

        <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>

    </Applications>

    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
        <Credentials>
            <FileResolver Id="testshib">
                <Key>
                    <Path>/etc/ssl/private/testshib.key</Path>
                </Key>
                <Certificate>
                    <Path>/etc/ssl/certs/testshib.crt</Path>
                </Certificate>
            </FileResolver>
        </Credentials>
    </CredentialsProvider>

    <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>

</SPConfig>

Two settings in this configuration deserve a look before it is used for anything beyond testing. handlerSSL="false" allows the /Shibboleth.sso handler, and with it the session cookie, to be used over plain HTTP as well; since Debian's default site also listens on port 80 and mod_shib is loaded globally, set handlerSSL="true" (and cookieProps="; path=/; secure", so the browser never sends the cookie in the clear) once the SSL virtual host works. checkAddress="false" stops the SP from binding a session to the client's IP address, which is the right choice behind NAT and proxies, but it means a stolen cookie can be replayed from anywhere until the session lifetime or timeout expires.

Now restart your Shibboleth SP:

# /etc/init.d/shibd restart

Test your Service Provider with TestShib

Use your web browser and go to the Shibboleth-protected path of your SP (e.g. https://sp.e-taxonomy.eu/secure/). You will be redirected to the TestShib IdP. Accept the certificates and log in with the username/password myself/myself. Next, you will be redirected back to your site. Since we have not put anything under /secure yet, Apache answers with 404 Not Found; reaching that page at all means the authentication was successful, because without a session mod_shib would have sent you back to the IdP or shown one of its error pages.

Configuring the Service Provider for joining the EDIT federation

Currently, the EDIT federation is in alpha or demo stage. Nevertheless, two steps must be completed before joining the federation:

  • Generation of key and certificate for your service provider

  • Updating the meta-data of the federation with the data of your service provider

So, if you want to join, just send an email with your request and at least the DNS name of your service provider. We will generate the key pair, update the metadata and return the resulting files to you. Note that with this procedure your private key is generated elsewhere and travels by email; if you prefer to keep it under your sole control, ask whether you may generate the pair yourself as described above and send only the certificate, which is all the metadata needs.

Installing Key and Certificates

First, copy the key to /etc/ssl/private and the certificate to /etc/ssl/certs on your SP, then set the access rights on the key as described in the Configure SSL section.

Please note that you have to replace the DNS host name sp.e-taxonomy.eu in all file names and URIs used in this description with the DNS host name of your service provider!

# cp sp.e-taxonomy.eu-key.pem /etc/ssl/private
# cp sp.e-taxonomy.eu-cert.pem /etc/ssl/certs
# chown root:ssl /etc/ssl/private
# chmod 750 /etc/ssl/private
# chown root:ssl /etc/ssl/private/sp.e-taxonomy.eu-key.pem
# chmod 640 /etc/ssl/private/sp.e-taxonomy.eu-key.pem
# chmod 644 /etc/ssl/certs/sp.e-taxonomy.eu-cert.pem
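The following script, added here as an example and not part of the page's procedure or of the Shibboleth distribution, checks what the commands in this section and in Configure SSL are meant to achieve: every key under /etc/ssl/private is owned by the expected user, is neither readable nor writable by others, carries no execute bit, and is either password-protected or known to rely on permissions alone (which is what decides whether shibboleth.xml needs the password attribute later on). Certificates are only checked for stray write bits, since they are public. It builds a throw-away directory with constructed stand-in PEM files (banners only, no key material) so it runs offline; the file names come from this page, and on a real host you would point audit_dirs at /etc/ssl/private and /etc/ssl/certs with owner_uid=0.

```python
import os
import stat
import tempfile

# Markers of a password-protected PEM key. OpenSSL's traditional format adds a
# Proc-Type header; PKCS#8 uses a distinct banner. Only the header is read.
TRADITIONAL_HEADER = "Proc-Type: 4,ENCRYPTED"
PKCS8_BANNER = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def key_is_encrypted(path):
    """True if the PEM file at `path` is a password-protected private key."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        head = fh.read(256)
    return TRADITIONAL_HEADER in head or PKCS8_BANNER in head


def audit_file(path, private, owner_uid=0):
    """Return a list of findings for one file; an empty list means it is fine.

    `private` marks a key (must be inaccessible to others); certificates are
    public and may be world-readable, but nobody but the owner may write them.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (mode %o)" % mode)
    if private and mode & stat.S_IRWXO:
        findings.append("private key accessible by others (mode %o)" % mode)
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set, serves no purpose (mode %o)" % mode)
    if private and not key_is_encrypted(path):
        findings.append("unencrypted key: permissions are its only protection, "
                        "omit password= in shibboleth.xml")
    return findings


def audit_dirs(private_dir, certs_dir, owner_uid=0):
    """Audit the key directory and the certificate directory.

    Returns {"<dir>/<file>": [findings]}. The key directory itself is checked
    too: a directory open to others leaks key names and partly undoes the
    per-file modes (the page uses 750, root:ssl).
    """
    report = {}
    dmode = stat.S_IMODE(os.stat(private_dir).st_mode)
    if dmode & stat.S_IRWXO:
        report["private/"] = ["key directory accessible by others (mode %o)" % dmode]
    for directory, private in ((private_dir, True), (certs_dir, False)):
        label = os.path.basename(directory.rstrip("/"))
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path):
                report[label + "/" + name] = audit_file(path, private, owner_uid)
    return report


# --- constructed sample tree (stand-in PEM files, no real key material) ------
KEY_STUB = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY_STUB = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-256-CBC,00\n\nconstructed\n-----END RSA PRIVATE KEY-----\n")
CERT_STUB = "-----BEGIN CERTIFICATE-----\nMIICconstructed\n-----END CERTIFICATE-----\n"


def demo():
    """Build the sample tree under a temp directory and audit it."""
    root = tempfile.mkdtemp()
    priv, certs = os.path.join(root, "private"), os.path.join(root, "certs")
    os.mkdir(priv)
    os.mkdir(certs)
    os.chmod(priv, 0o750)
    os.chmod(certs, 0o755)
    samples = [
        (priv, "sp.e-taxonomy.eu-key.pem", KEY_STUB, 0o640),      # as installed above
        (priv, "testshib.key", KEY_STUB, 0o740),                  # execute bit from a chmod 740
        (priv, "encrypted-key.pem", ENCRYPTED_KEY_STUB, 0o600),   # needs password= in shibboleth.xml
        (certs, "sp.e-taxonomy.eu-cert.pem", CERT_STUB, 0o644),   # public, fine
        (certs, "leftover.crt", CERT_STUB, 0o666),                # anyone could swap this cert
    ]
    for directory, name, content, mode in samples:
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    # Temp files belong to the invoking user, not root, so that uid is expected here.
    return audit_dirs(priv, certs, owner_uid=os.getuid())


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", "; ".join(findings) or "OK")
```

The unencrypted-key finding is informational rather than an error: it tells you that the chmod above is doing all the work, and that the password attribute in the CredentialsProvider section below must be left out for that key.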

Configure Apache

Next, within the Apache2 configuration file /etc/apache2/conf.d/ you should adapt the following entries to your needs:

  • the DNS name of your virtual host and server name, as well as the ServerAdmin email address

  • the paths given by SSLCertificateFile and SSLCertificateKeyFile

  • the Location paths to the application(s) you want to protect with Shibboleth

There are further configuration parameters for mod_shib; please refer to its documentation.

Listen 443

<VirtualHost sp.e-taxonomy.eu:443>
  ServerName              sp.e-taxonomy.eu
  ServerAdmin             webmaster@sp.e-taxonomy.eu
  DocumentRoot            /var/www/

  SSLEngine on
  SSLCertificateFile      /etc/ssl/certs/sp.e-taxonomy.eu-cert.pem
  SSLCertificateKeyFile   /etc/ssl/private/sp.e-taxonomy.eu-key.pem

  <Location /secure>
    AuthType           shibboleth
    ShibRequireSession On
    require            valid-user
  </Location>
</VirtualHost>

Configuring Shibboleth SP

Now, we have to adapt /etc/shibboleth/shibboleth.xml for joining the EDIT federation. If you followed our configuration description, it should be sufficient to replace all occurrences of the string sp.e-taxonomy.eu with the DNS host name of your SP.

<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 /usr/share/xml/shibboleth/shibboleth-targetconfig-1.0.xsd"
    logger="/etc/shibboleth/shibboleth.logger" clockSkew="180">

    <Extensions>
        <Library path="/usr/lib/shibboleth-sp/xmlproviders.so" fatal="true"/>
    </Extensions>

    <Global logger="/etc/shibboleth/shibd.logger">
           <UnixListener address="/var/run/shib-shar.sock"/>
        <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
            defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
    </Global>

    <Local logger="/etc/shibboleth/native.logger" localRelayState="true">
        <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
            <RequestMap applicationId="default">
                <Host name="sp.e-taxonomy.eu">
                    <Path name="secure" authType="shibboleth" requireSession="true"/>
                </Host>
            </RequestMap>
        </RequestMapProvider>
        <Implementation>
            <ISAPI normalizeRequest="true"><Site id="1" name="sp.e-taxonomy.eu"></Site></ISAPI>
        </Implementation>       
    </Local>

    <Applications id="default" providerId="https://sp.e-taxonomy.eu/shibboleth-sp" homeURL="https://sp.e-taxonomy.eu/index.html"        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

        <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
            handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">

            <SessionInitiator isDefault="true" id="default-idp" Location="/WAYF/idp.e-taxonomy.eu"
                Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                wayfURL="https://idp.e-taxonomy.eu/shibboleth-idp/SSO"
                wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>

            <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
        </Sessions>

        <Errors session="/etc/shibboleth/sessionError.html"
            metadata="/etc/shibboleth/metadataError.html"
            rm="/etc/shibboleth/rmError.html"
            access="/etc/shibboleth/accessError.html"
            ssl="/etc/shibboleth/sslError.html"
            supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <CredentialUse TLS="sp_creds" Signing="sp_creds"/>

        <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="/etc/shibboleth/AAP.xml"/>

        <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
            uri="/etc/shibboleth/EDIT-Federation-metadata.xml"/>

        <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>

    </Applications>

    <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
        <Credentials>
            <FileResolver Id="sp_creds">
                <Key password="secret">
                    <Path>/etc/ssl/private/sp.e-taxonomy.eu-key.pem</Path>
                </Key>
                <Certificate>
                    <Path>/etc/ssl/certs/sp.e-taxonomy.eu-cert.pem</Path>
                </Certificate>
            </FileResolver>
        </Credentials>
    </CredentialsProvider>

    <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>

</SPConfig>

The elements which may be subject of change are:

Local::

Adapt the Host and Path names to your host name. The Site element inside Implementation/ISAPI is read only by the IIS module and can be removed on an Apache host.

Applications::

Adapt providerId and homeURL to your host name. The providerId is your reference within the federation metadata.

SessionInitiator::

Adapt Location and wayfURL to your Identity Provider (this is not necessary, since you are joining the EDIT federation).

MetadataProvider::

Adapt the path to the metadata of your federation (not necessary if you download the recent EDIT-Federation-metadata.xml and copy it to the given path on your SP host). Please refer to Federation meta-data.

If you are a member of multiple federations, add another MetadataProvider element referencing the metadata of the other federation. Every IdP listed in any of these files can then log users into your SP, so review each file before adding it.

CredentialsProvider::

Adapt the paths to the credential files. If your key is not encrypted with a password, omit the password attribute. If it is, remember that the password sits in clear text in shibboleth.xml, so that file needs the same protection as the key itself (readable only by root and the account shibd runs as); otherwise the encryption adds nothing.
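As an added example (not part of the page and not Shibboleth code), the following script inventories what a MetadataProvider file actually grants, whether it is testshib-metadata.xml or EDIT-Federation-metadata.xml: which entities carry an IDPSSODescriptor and can therefore log users into your SP, at which SSO endpoint, with which certificate fingerprint, and whether the file's validUntil has already passed. Here it runs on a constructed metadata document in the same SAML 2.0 metadata format the 1.3 SP reads; the IdP's entityID and the certificate bytes are made up for the example, and on a real host you would pass the contents of the file under /etc/shibboleth instead.

```python
import base64
import datetime
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed federation metadata. The SP and IdP endpoints mirror the page;
# the IdP entityID is an assumption. {cert} is filled with a stand-in
# certificate (fixed bytes, not a real X.509 structure) so the script runs offline.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:mace:example:edit-demo"
    validUntil="2007-12-31T00:00:00Z">
  <EntityDescriptor entityID="https://idp.e-taxonomy.eu/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.e-taxonomy.eu/shibboleth-idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.e-taxonomy.eu/shibboleth-sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <AssertionConsumerService index="1" isDefault="true"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://sp.e-taxonomy.eu/Shibboleth.sso/SAML/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

FAKE_DER = bytes(range(64))   # stand-in for a DER-encoded certificate


def fake_cert_b64():
    return base64.b64encode(FAKE_DER).decode("ascii")


def sample_xml():
    return SAMPLE_METADATA.replace("{cert}", fake_cert_b64())


def fingerprint(b64_cert):
    """SHA-1 fingerprint of a base64 X509Certificate element, colon-separated.

    Compare it with `openssl x509 -noout -fingerprint -sha1` run on the
    certificate the IdP operator handed you out of band.
    """
    der = base64.b64decode("".join(b64_cert.split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_datetime(value):
    """xsd:dateTime as used in SAML metadata: UTC with a trailing Z."""
    return datetime.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def inventory(xml_text, now_iso):
    """List every IdP the metadata would let the SP trust.

    Returns {"expired": bool, "idps": [{"entityID", "sso", "certs"}]}.
    Entities without an IDPSSODescriptor (SPs, for instance) are skipped,
    because only an IdP role can issue assertions to this SP.
    """
    root = ET.fromstring(xml_text)
    now = parse_datetime(now_iso)
    valid_until = root.get("validUntil")
    report = {"expired": bool(valid_until) and parse_datetime(valid_until) < now,
              "idps": []}
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        idp = entity.find("{%s}IDPSSODescriptor" % MD)
        if idp is None:
            continue
        report["idps"].append({
            "entityID": entity.get("entityID"),
            "sso": [s.get("Location") for s in idp.findall("{%s}SingleSignOnService" % MD)],
            "certs": [fingerprint(c.text) for c in idp.iter("{%s}X509Certificate" % DS)],
        })
    return report


def demo():
    # "Now" is chosen after validUntil so that the staleness check fires.
    return inventory(sample_xml(), "2008-01-15T00:00:00Z")


if __name__ == "__main__":
    result = demo()
    print("metadata expired:", result["expired"])
    for idp in result["idps"]:
        print(idp["entityID"], idp["sso"], idp["certs"])
```

A past validUntil means the federation considers the file stale and you should fetch a fresh copy; an unexpected entityID or fingerprint in the IdP list is the symptom of a substituted metadata file.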

Mapping Attributes to environment variables

The last thing we might adapt is the Attribute Acceptance Policy (AAP) in /etc/shibboleth/AAP.xml.

Using the AAP you configure exactly which attribute values are accepted from which Identity Provider, and you define the mapping from these values to the request headers or environment variables seen by the application. The AAP is a whitelist: an attribute without an AttributeRule is discarded, whatever the IdP sends.

Currently, we just want the values of the attributes

  • eduPersonPrincipalName in the Apache2 environment variable REMOTE_USER.

  • mail in the Apache2 environment variable SHIB_MAIL.

The following policy definition is adequate for the job and accepts attributes submitted from any site. With Scoped="false", the whole value is treated as the identifier, and the regular expression then rejects any eduPersonPrincipalName containing an "@"; if your IdP releases scoped values (user@domain), nothing will arrive in REMOTE_USER. Because AnySite does not tie a value to the asserting IdP, two IdPs could assert the same REMOTE_USER; within a single-IdP federation that is acceptable.

Using SiteRule elements with the Name attribute set to an IdP's providerId instead of AnySite, we could restrict this to the IdPs that have joined the EDIT federation (one SiteRule per IdP).

You can find a lot of other examples in the distribution's default /etc/shibboleth/AAP.xml file:

<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:1.0 /usr/share/xml/shibboleth/shibboleth.xsd">

    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="false" Header="REMOTE_USER" Alias="user">
        <AnySite>
            <Value Type="regexp">^[^@]+$</Value>
        </AnySite>
    </AttributeRule>

    <AttributeRule Name="urn:mace:dir:attribute-def:mail" Scoped="false" Header="SHIB_MAIL" Alias="mail">
        <AnySite>
            <AnyValue/>
        </AnySite>
    </AttributeRule>

</AttributeAcceptancePolicy>
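To see exactly what this policy lets through before the live SP does, here is an evaluator for the subset of AAP semantics the file above uses (AttributeRule with Scoped="false", AnySite and SiteRule, Value of Type regexp or literal, AnyValue). It is added as an example and is neither the page's code nor the Shibboleth SP's implementation. It parses the AAP.xml from this page, embedded verbatim, plus the SiteRule variant mentioned in the text, and applies both to a constructed assertion; the IdP entityIDs are assumptions. Scoped="true" rules, which additionally check the scope against the IdP's metadata, are not modelled.

```python
import re
import xml.etree.ElementTree as ET

NS = {"aap": "urn:mace:shibboleth:1.0"}

# The policy from the page, embedded so the script runs offline.
PAGE_AAP = """<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0">
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="false" Header="REMOTE_USER" Alias="user">
    <AnySite><Value Type="regexp">^[^@]+$</Value></AnySite>
  </AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:mail" Scoped="false" Header="SHIB_MAIL" Alias="mail">
    <AnySite><AnyValue/></AnySite>
  </AttributeRule>
</AttributeAcceptancePolicy>"""

# The variant the text mentions: accept eduPersonPrincipalName only from one
# named IdP. The entityID is an assumption made for this example.
EDIT_IDP = "https://idp.e-taxonomy.eu/shibboleth"
SITE_RULE_AAP = PAGE_AAP.replace(
    '<AnySite><Value Type="regexp">^[^@]+$</Value></AnySite>',
    '<SiteRule Name="%s"><Value Type="regexp">^[^@]+$</Value></SiteRule>' % EDIT_IDP)


def load_policy(xml_text):
    return ET.fromstring(xml_text)


def value_allowed(site, value):
    """Apply the AnyValue/Value children of one AnySite or SiteRule element."""
    if site.find("aap:AnyValue", NS) is not None:
        return True
    for rule in site.findall("aap:Value", NS):
        pattern = rule.text or ""
        if rule.get("Type", "literal") == "regexp":
            if re.search(pattern, value):
                return True
        elif pattern == value:
            return True
    return False


def filter_attributes(policy, issuer, attributes):
    """Return {Header: [accepted values]} for an assertion issued by `issuer`.

    `attributes` maps the SAML AttributeName to its list of string values.
    The AAP is a whitelist: an attribute with no AttributeRule is dropped, and
    a value survives only if AnySite or a SiteRule naming the issuer allows it.
    """
    out = {}
    for rule in policy.findall("aap:AttributeRule", NS):
        values = attributes.get(rule.get("Name"), [])
        sites = rule.findall("aap:AnySite", NS) + [
            s for s in rule.findall("aap:SiteRule", NS) if s.get("Name") == issuer]
        accepted = [v for v in values if any(value_allowed(s, v) for s in sites)]
        if accepted:
            out[rule.get("Header")] = accepted
    return out


# Constructed assertion: an unscoped and a scoped ePPN, a mail address, and an
# attribute for which the policy has no rule at all.
SAMPLE_ASSERTION = {
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["alice", "alice@idp.e-taxonomy.eu"],
    "urn:mace:dir:attribute-def:mail": ["alice@example.org"],
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["member"],
}


def demo_page_policy():
    """The page's AAP: 'alice' reaches REMOTE_USER, the scoped form is dropped."""
    return filter_attributes(load_policy(PAGE_AAP), EDIT_IDP, SAMPLE_ASSERTION)


def demo_site_rule(issuer):
    """With a SiteRule, REMOTE_USER is filled only when the issuer matches."""
    return filter_attributes(load_policy(SITE_RULE_AAP), issuer, SAMPLE_ASSERTION)


if __name__ == "__main__":
    print(demo_page_policy())
    print(demo_site_rule(EDIT_IDP))
    print(demo_site_rule("https://idp.other.example/shibboleth"))
```

Note that eduPersonAffiliation never appears in the output, and that with the SiteRule variant a foreign IdP can still populate SHIB_MAIL (its rule kept AnySite) but not REMOTE_USER; if the application authorises on REMOTE_USER alone, that is the header worth locking to named issuers.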

Testing your Service Provider within the EDIT federation

Just direct your browser to the protected location on your SP (https://sp.e-taxonomy.eu/secure). You should be redirected to the IdP of the EDIT federation; log in there with your EDIT username/password. Then you should be able to use your secure site.

EDIT-Federation-metadata.xml - Shibboleth metadata for the EDIT federation (17 KB), Lutz Suhrbier, 08/30/2007 12:06 AM
