Shibboleth Service Provider (SP) Installation on Debian Etch
SP Software Installation
The installation described here uses Shibboleth Service Provider (SP) version 1.3f-1. The Debian Etch distribution itself ships all packages needed for a Shibboleth SP, but they contain several bugs (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432729), so we follow the DFN-AAI recommendation and use the patched Debian packages from LUDIT-AAI (Belgium).
The SP only depends on the Apache Web Server and SSL, so before installing the SP we install:
Apache Web Server 2.2
OpenSSL
Apache Web Server 2.2 Installation
Besides installing the Apache Web Server, we only have to enable mod_ssl so that the site can be served over SSL.
# apt-get install apache2
# a2enmod ssl
To start the Apache Web Server at boot time, edit /etc/default/apache2 and set NO_START=0:
# 0 = start on boot; 1 = don't start on boot
NO_START=0
Then (re)start Apache:
# /etc/init.d/apache2 restart
Configure SSL
First, install the necessary packages; the ca-certificates package is optional.
# apt-get install openssl ca-certificates
If you want to check your installation later against the Shibboleth test service (TestShib), copy the certificate and key obtained when registering your SP with TestShib to /etc/ssl/certs/testshib.crt and /etc/ssl/private/testshib.key respectively.
For the following steps, create a group called ssl and set the access rights on the /etc/ssl directories so that only root and members of the ssl group can read the private keys:
# addgroup ssl
# chown -R root:ssl /etc/ssl/certs
# chown -R root:ssl /etc/ssl/private
# chmod 740 /etc/ssl/certs/*
# chmod 740 /etc/ssl/private/*
# chmod 750 /etc/ssl/certs
# chmod 750 /etc/ssl/private
Only accounts that must read a private key directly (the shibd daemon user, and Apache unless it loads the key as root before dropping privileges) belong in the ssl group; nobody else should. Re-check the modes after every copy: cp creates files with the default 644 mode and leaves a freshly copied key world-readable until the chmod above is repeated.
If you create your own keys and certificates, copy them to the directories mentioned above and set the access rights as described.
Don't forget to adapt the paths to these files in your Apache and Shibboleth configuration as well!
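As an added check, not part of the original page or of the Shibboleth packages: a Python script that audits an /etc/ssl-style tree for the mistakes the steps above are meant to prevent (wrong owner or group, files or directories accessible to "other", group-writable keys, and a private key that ended up in the certificate directory). The directory names, the expected uid/gid and the demo tree built under a temporary directory are this script's assumptions; run it against the real directories as root with the defaults.

```python
"""Audit an /etc/ssl-style tree for the permission mistakes the setup steps try to prevent.

Added example for this page; not part of the Shibboleth or Debian packages.
Directory names, expected uid/gid and the demo tree are assumptions of this script.
"""
import grp
import os
import pwd
import stat
import tempfile


def _name(uid, gid):
    """user:group as names where the system knows them, numeric otherwise."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return "%s:%s" % (user, group)


def audit_ssl_tree(private_dir, certs_dir, uid=0, gid=None):
    """Return a list of problem strings; an empty list means the tree matches the rules.

    Rules, mirroring the chown/chmod steps on this page:
      * both directories and every file are owned by uid, group gid (the ssl group);
      * nothing in either directory is accessible to 'other';
      * private keys are not group-writable;
      * no file under certs/ contains a private key (a key copied to the wrong
        directory is the classic way a key ends up with the wrong permissions).
    """
    problems = []
    if gid is None:
        gid = grp.getgrnam("ssl").gr_gid

    def check_owner(path, st):
        if st.st_uid != uid or st.st_gid != gid:
            problems.append("%s: owned by %s, expected %s"
                            % (path, _name(st.st_uid, st.st_gid), _name(uid, gid)))

    for d in (private_dir, certs_dir):
        st = os.stat(d)
        check_owner(d, st)
        if stat.S_IMODE(st.st_mode) & 0o007:
            problems.append("%s: directory accessible to other (mode %o)"
                            % (d, stat.S_IMODE(st.st_mode)))
        for entry in sorted(os.listdir(d)):
            path = os.path.join(d, entry)
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            check_owner(path, st)
            if mode & 0o007:
                problems.append("%s: readable or writable by other (mode %o)" % (path, mode))
            if d == private_dir and mode & 0o020:
                problems.append("%s: private key is group-writable (mode %o)" % (path, mode))
            if d == certs_dir:
                with open(path, "rb") as fh:
                    if b"PRIVATE KEY" in fh.read(4096):
                        problems.append("%s: private key stored in the certificate directory" % path)
    return problems


def build_demo_tree():
    """Construct a throw-away look-alike of /etc/ssl with two deliberate mistakes:
    a key copied with cp and never chmod'ed, and a key dropped into certs/.
    The PEM bodies are placeholders, not real key material."""
    base = tempfile.mkdtemp(prefix="ssl-audit-")
    private, certs = os.path.join(base, "private"), os.path.join(base, "certs")
    key_pem = "-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder\n-----END RSA PRIVATE KEY-----\n"
    cert_pem = "-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
    for d in (private, certs):
        os.mkdir(d)
        os.chmod(d, 0o750)
    for path, text, mode in [
        (os.path.join(private, "sp-key.pem"), key_pem, 0o740),   # as the page's chmod leaves it
        (os.path.join(private, "old-key.pem"), key_pem, 0o644),  # copied, chmod forgotten
        (os.path.join(certs, "sp-cert.pem"), cert_pem, 0o740),
        (os.path.join(certs, "sp-key.pem"), key_pem, 0o740),     # key in the wrong directory
    ]:
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return private, certs


def run_demo():
    """Audit the demo tree, expecting its creator as owner and the tree's own group."""
    private, certs = build_demo_tree()
    st = os.stat(private)
    return audit_ssl_tree(private, certs, uid=st.st_uid, gid=st.st_gid)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real host, `audit_ssl_tree("/etc/ssl/private", "/etc/ssl/certs")` with the defaults (uid 0, the ssl group) reports every file the chmod/chown steps missed.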
Create Keys and Certificates with OpenSSL
Generate a key and a self-signed certificate for the server. -nodes leaves the private key unencrypted, which is what the file permissions above are for and matches a FileResolver without a password attribute later on. -newkey rsa:2048 and -days 365 are given explicitly because OpenSSL's defaults on Etch are a 1024-bit key and a certificate valid for only 30 days.
# openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -out /etc/ssl/certs/sp.e-taxonomy.eu-cert.pem \
    -keyout /etc/ssl/private/sp.e-taxonomy.eu-key.pem
Afterwards set the access rights on both files as described under Configure SSL. See http://wiki.ubuntuusers.de/Apache/modssl for more info.
Shibboleth SP Installation
Because we use the Debian packages prepared by LUDIT-AAI (Belgium), add the following line to /etc/apt/sources.list:
deb http://shib.kuleuven.be/debian-repository binary/
This is a third-party repository fetched over plain HTTP. If apt warns that the packages cannot be authenticated, the Release file is not signed by a key apt knows, and you are trusting the repository and the network path with root on your SP host: import the repository's signing key if one is published, or verify the package checksums out of band before installing.
After updating the package list, install the required Shibboleth packages:
# apt-get update
# apt-get install shibboleth-sp
Configure Apache's Shibboleth module
The Shibboleth SP is integrated into the Apache Web Server by the "shib" module shipped with the shibboleth-sp package installed above, but the package does not ship the Apache configuration for it. So create the following file /etc/apache2/conf.d/mod_shib.conf:
LoadModule mod_shib /usr/lib/shibboleth-sp/mod_shib_22.so
ShibSchemaDir /usr/share/xml/shibboleth
ShibConfig /etc/shibboleth/shibboleth.xml
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth/logo.jpg
</IfModule>
Alternatively, if you want to enable and disable mod_shib with a2enmod shib and a2dismod shib, create two files in /etc/apache2/mods-available instead. Note that a2enmod shib looks for files named shib.load and shib.conf (the name given to a2enmod must match the file names), so do not call them mod_shib.*:
/etc/apache2/mods-available/shib.load
LoadModule mod_shib /usr/lib/shibboleth-sp/mod_shib_22.so
/etc/apache2/mods-available/shib.conf
ShibSchemaDir /usr/share/xml/shibboleth
ShibConfig /etc/shibboleth/shibboleth.xml
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/doc/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/doc/shibboleth/logo.jpg
</IfModule>
Don't forget to enable the module:
# a2enmod shib
Then configure a path in your web site that you want to protect with Shibboleth (e.g. /secure). Create /etc/apache2/conf.d/sp.conf as follows (adapt the host name sp.e-taxonomy.eu and the SSL paths to your needs!). Requests to /secure without a Shibboleth session are then redirected to the configured Shibboleth IdP.
Listen 443
<VirtualHost sp.e-taxonomy.eu:443>
  ServerName sp.e-taxonomy.eu
  ServerAdmin webmaster@sp.e-taxonomy.eu
  DocumentRoot /var/www/
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/testshib.crt
  SSLCertificateKeyFile /etc/ssl/private/testshib.key
  <Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
  </Location>
</VirtualHost>
The default log file of Shibboleth's Apache module is /var/log/httpd/native.log, so make sure Apache can write to the parent directory:
# chown www-data /var/log/httpd
Configuring the Shibboleth Service Provider (SP)
We describe the following two configuration scenarios:
Checking the installation using the TestShib services.
Joining the EDIT federation
TestShib configuration
First, register your SP with TestShib, following the registration steps on the TestShib site. During registration you obtain files with your key (testshib.key) and certificate (testshib.crt) for testing your SP with TestShib.
Copy these files to /etc/ssl/private and /etc/ssl/certs and set the access rights properly (see Configure SSL).
Next, grab a fresh copy of the TestShib metadata and copy it into /etc/shibboleth:
# wget http://www.testshib.org/metadata/testshib-metadata.xml -P /etc/shibboleth
This metadata file defines which IdPs, endpoints and signing keys your SP trusts (the ShibbolethTrust provider configured below takes the keys from it), and it is fetched here over plain HTTP without any signature check. For a test installation that is acceptable; for anything else, obtain metadata over a channel you trust or verify it out of band before copying it into place.
Further on, add __ somewhere visible in /etc/shibboleth/sessionError.html (it is unclear whether this is really necessary).
Back up your /etc/shibboleth/shibboleth.xml and replace it with the following version. Adapt all occurrences of sp.e-taxonomy.eu and the credential key paths to your needs!
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 /usr/share/xml/shibboleth/shibboleth-targetconfig-1.0.xsd"
          logger="/etc/shibboleth/shibboleth.logger" clockSkew="180">
  <Extensions>
    <Library path="/usr/lib/shibboleth-sp/xmlproviders.so" fatal="true"/>
  </Extensions>
  <Global logger="/etc/shibboleth/shibd.logger">
    <UnixListener address="/var/run/shib-shar.sock"/>
    <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
                        defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
  </Global>
  <Local logger="/etc/shibboleth/native.logger" localRelayState="true">
    <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
      <RequestMap applicationId="default">
        <Host name="sp.e-taxonomy.eu">
          <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
      </RequestMap>
    </RequestMapProvider>
  </Local>
  <Applications id="default" providerId="https://sp.e-taxonomy.eu/shibboleth/testshib/sp"
                homeURL="https://sp.e-taxonomy.eu/index.html"
                xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
              handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
      <SessionInitiator isDefault="true" id="testshib" Location="/TestShib"
                        Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                        wayfURL="https://idp.testshib.org/shibboleth-idp/SSO"
                        wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
      <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
    </Sessions>
    <Errors session="/etc/shibboleth/sessionError.html" metadata="/etc/shibboleth/metadataError.html"
            rm="/etc/shibboleth/rmError.html" access="/etc/shibboleth/accessError.html"
            ssl="/etc/shibboleth/sslError.html" supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
    <CredentialUse TLS="testshib" Signing="testshib"/>
    <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="/etc/shibboleth/AAP.xml"/>
    <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
                      uri="/etc/shibboleth/testshib-metadata.xml"/>
    <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
  </Applications>
  <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
    <Credentials>
      <FileResolver Id="testshib">
        <Key>
          <Path>/etc/ssl/private/testshib.key</Path>
        </Key>
        <Certificate>
          <Path>/etc/ssl/certs/testshib.crt</Path>
        </Certificate>
      </FileResolver>
    </Credentials>
  </CredentialsProvider>
  <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                    type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
</SPConfig>
Now restart your Shibboleth SP daemon:
# /etc/init.d/shibd restart
Test your Service Provider with TestShib
Point your web browser at the Shibboleth-protected path of your SP (e.g. https://sp.e-taxonomy.eu/secure/). You will be redirected to the TestShib IdP. Accept the certificates and enter the username/password myself/myself. You will then be redirected back to your site. Since nothing has been deployed under /secure yet, the server answers 404 Not Found; that is the success case, because the 404 is only produced after the SP has accepted the assertion and established a session (a failure would show one of the SP's error pages or stop at the IdP instead).
Configuring the Service Provider for joining the EDIT federation
Currently, the EDIT federation is in alpha or demo stage. Nevertheless, before joining the federation two steps must be completed:
Generation of key and certificate for your service provider
Updating the meta-data of the federation with the data of your service provider
So, if you want to join in, just send an email with your request and at least the DNS name of your service provider. We will generate the key pair, update the meta-data and return the resulting files to you.
Installing Key and Certificates
First, copy the key and certificate file to the /etc/ssl/private and /etc/ssl/certs directories of your SP respectively. Then set the access rights on these files according to the Configure SSL section.
Please consider that you have to adapt the DNS host name sp.e-taxonomy.eu in all file names and URIs used in this description to the DNS host name of your service provider!
# cp sp.e-taxonomy.eu-key.pem /etc/ssl/private
# cp sp.e-taxonomy.eu-cert.pem /etc/ssl/certs
# chown -R root:ssl /etc/ssl/certs
# chown -R root:ssl /etc/ssl/private
# chmod 740 /etc/ssl/certs/*
# chmod 740 /etc/ssl/private/*
# chmod 750 /etc/ssl/certs
# chmod 750 /etc/ssl/private
Configure Apache
Next, in the Apache configuration file /etc/apache2/conf.d/sp.conf created above, adapt the following entries to your needs:
the DNS name of your virtual host and server name, as well as the ServerAdmin email address
the paths to SSLCertificateFile and SSLCertificateKeyFile
the Location paths of the application(s) you want to protect with Shibboleth
There are further configuration parameters for mod_shib; please refer to the documentation.
Listen 443
<VirtualHost sp.e-taxonomy.eu:443>
  ServerName sp.e-taxonomy.eu
  ServerAdmin webmaster@sp.e-taxonomy.eu
  DocumentRoot /var/www/
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/sp.e-taxonomy.eu-cert.pem
  SSLCertificateKeyFile /etc/ssl/private/sp.e-taxonomy.eu-key.pem
  <Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
  </Location>
</VirtualHost>
Configuring Shibboleth SP
Now adapt /etc/shibboleth/shibboleth.xml for joining the EDIT federation. If you followed the configuration described above, it should be sufficient to replace all occurrences of the string sp.e-taxonomy.eu with the DNS host name of your SP.
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:mace:shibboleth:target:config:1.0 /usr/share/xml/shibboleth/shibboleth-targetconfig-1.0.xsd"
          logger="/etc/shibboleth/shibboleth.logger" clockSkew="180">
  <Extensions>
    <Library path="/usr/lib/shibboleth-sp/xmlproviders.so" fatal="true"/>
  </Extensions>
  <Global logger="/etc/shibboleth/shibd.logger">
    <UnixListener address="/var/run/shib-shar.sock"/>
    <MemorySessionCache cleanupInterval="300" cacheTimeout="3600" AATimeout="30" AAConnectTimeout="15"
                        defaultLifetime="1800" retryInterval="300" strictValidity="false" propagateErrors="true"/>
  </Global>
  <Local logger="/etc/shibboleth/native.logger" localRelayState="true">
    <RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
      <RequestMap applicationId="default">
        <Host name="sp.e-taxonomy.eu">
          <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
      </RequestMap>
    </RequestMapProvider>
    <Implementation>
      <ISAPI normalizeRequest="true">
        <Site id="1" name="sp.e-taxonomy.eu"></Site>
      </ISAPI>
    </Implementation>
  </Local>
  <Applications id="default" providerId="https://sp.e-taxonomy.eu/shibboleth-sp"
                homeURL="https://sp.e-taxonomy.eu/index.html"
                xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <Sessions lifetime="7200" timeout="3600" checkAddress="false" consistentAddress="true"
              handlerURL="/Shibboleth.sso" handlerSSL="false" idpHistory="true" idpHistoryDays="7">
      <SessionInitiator isDefault="true" id="default-idp" Location="/WAYF/idp.e-taxonomy.eu"
                        Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
                        wayfURL="https://idp.e-taxonomy.eu/shibboleth-idp/SSO"
                        wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
      <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
                                   Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
    </Sessions>
    <Errors session="/etc/shibboleth/sessionError.html" metadata="/etc/shibboleth/metadataError.html"
            rm="/etc/shibboleth/rmError.html" access="/etc/shibboleth/accessError.html"
            ssl="/etc/shibboleth/sslError.html" supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
    <CredentialUse TLS="sp_creds" Signing="sp_creds"/>
    <AAPProvider type="edu.internet2.middleware.shibboleth.aap.provider.XMLAAP" uri="/etc/shibboleth/AAP.xml"/>
    <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
                      uri="/etc/shibboleth/EDIT-Federation-metadata.xml"/>
    <TrustProvider type="edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust"/>
  </Applications>
  <CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
    <Credentials>
      <FileResolver Id="sp_creds">
        <Key password="secret">
          <Path>/etc/ssl/private/sp.e-taxonomy.eu-key.pem</Path>
        </Key>
        <Certificate>
          <Path>/etc/ssl/certs/sp.e-taxonomy.eu-cert.pem</Path>
        </Certificate>
      </FileResolver>
    </Credentials>
  </CredentialsProvider>
  <AttributeFactory AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                    type="edu.internet2.middleware.shibboleth.common.provider.TargetedIDFactory"/>
</SPConfig>
The elements which may need to be changed are:
Local::
Adapt the Host, Site and Path names to your host name. (The ISAPI Site entry inside Implementation is only read by the IIS module; it is harmless on Apache and can be removed.)
Applications::
Adapt providerId and homeURL to your host name. The providerId is your SP's entityID, i.e. its reference within the federation metadata, and must match the metadata exactly.
Sessions::
handlerSSL="false" means the /Shibboleth.sso handler, which receives the SAML assertion and sets the session cookie, is also served over plain HTTP if Apache listens on port 80 with mod_shib loaded. Set handlerSSL="true" unless you need plain HTTP for testing.
SessionInitiator::
Adapt Location and wayfURL to your Identity Provider (this is not necessary when you are joining the EDIT federation).
MetadataProvider::
Adapt the path to the federation metadata (not necessary if you download the current EDIT-Federation-metadata.xml and copy it to the given path on your SP host). Please refer to Federation meta-data.
If you are a member of multiple federations, add another MetadataProvider element referencing the metadata of the other federation.
CredentialsProvider::
Adapt the paths to the credential files. If your key is not encrypted with a password, omit the password attribute. If it is, keep in mind that the password is stored in cleartext in shibboleth.xml, so that file has to be protected as carefully as the key itself (secret in the example is only a placeholder).
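To make the checks listed above mechanical, here is an added example (not code from this page, from the EDIT federation or from Shibboleth) that parses a shibboleth.xml together with the federation metadata and reports what most often goes wrong: a providerId that is not in the metadata, a wayfURL that is not an IdP SSO endpoint, CredentialUse references without a matching FileResolver, a cleartext key password, a key outside /etc/ssl/private, handlerSSL left off, and a session cookie bound to no client address at all. The sample configuration and metadata embedded below are constructed, trimmed from this page's configuration and given example.org host names.

```python
"""Cross-check a Shibboleth SP 1.3 shibboleth.xml against federation metadata.

Added example for this page, not part of Shibboleth. The embedded sample
config and metadata are constructed from the page's configuration.
"""
import xml.etree.ElementTree as ET

CFG = "urn:mace:shibboleth:target:config:1.0"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"


def q(ns, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def audit_spconfig(spconfig_xml, metadata_xml):
    """Return a list of (severity, message); severity is 'error' for settings that
    break the deployment and 'warn' for settings that weaken it."""
    cfg = ET.fromstring(spconfig_xml)
    md = ET.fromstring(metadata_xml)
    findings = []

    entity_ids = {e.get("entityID") for e in md.iter(q(MD, "EntityDescriptor"))}
    sso_urls = {s.get("Location") for s in md.iter(q(MD, "SingleSignOnService"))}
    resolvers = {r.get("Id"): r for r in cfg.iter(q(CFG, "FileResolver"))}

    for app in cfg.iter(q(CFG, "Applications")):
        provider_id = app.get("providerId")
        # The providerId is the SP's entityID; the IdP looks it up in the federation
        # metadata, so a mismatch means every assertion is refused.
        if provider_id not in entity_ids:
            findings.append(("error", "providerId %s is not in the metadata" % provider_id))

        sessions = app.find(q(CFG, "Sessions"))
        if sessions is not None:
            # With handlerSSL="false" the /Shibboleth.sso handler (which receives the
            # SAML POST and sets the session cookie) also answers over plain HTTP.
            if sessions.get("handlerSSL", "false").lower() != "true":
                findings.append(("warn", "handlerSSL is not true: handler reachable over plain HTTP"))
            if (sessions.get("checkAddress", "true").lower() == "false"
                    and sessions.get("consistentAddress", "true").lower() == "false"):
                findings.append(("warn", "session cookie not bound to the client address at all"))

        for use in app.iter(q(CFG, "CredentialUse")):
            for role in ("TLS", "Signing"):
                if use.get(role) not in resolvers:
                    findings.append(("error", "CredentialUse %s=%r has no FileResolver"
                                     % (role, use.get(role))))

        for si in app.iter(q(CFG, "SessionInitiator")):
            # Without a WAYF, wayfURL must be an IdP SSO endpoint listed in the metadata.
            if si.get("wayfURL") not in sso_urls:
                findings.append(("warn", "SessionInitiator %s: wayfURL is not an SSO endpoint "
                                 "in the metadata" % si.get("id")))

    for rid, res in resolvers.items():
        key = res.find(q(CFG, "Key"))
        if key is None:
            continue
        if key.get("password"):
            # shibboleth.xml must be readable by the SP processes; a cleartext password
            # in it protects the key only against readers who cannot read the config.
            findings.append(("warn", "FileResolver %s: key password stored in cleartext "
                             "in shibboleth.xml" % rid))
        path = key.findtext(q(CFG, "Path")) or ""
        if not path.startswith("/etc/ssl/private/"):
            findings.append(("warn", "FileResolver %s: private key %s outside /etc/ssl/private"
                             % (rid, path)))
    return findings


# Constructed sample, trimmed to the elements the checks look at.
SAMPLE_SPCONFIG = """<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <Applications id="default" providerId="https://sp.example.org/shibboleth-sp">
    <Sessions handlerURL="/Shibboleth.sso" handlerSSL="false"
              checkAddress="false" consistentAddress="true">
      <SessionInitiator id="default-idp" isDefault="true" Location="/WAYF/idp.example.org"
                        wayfURL="https://idp.example.org/shibboleth-idp/SSO"/>
    </Sessions>
    <CredentialUse TLS="sp_creds" Signing="sp_creds"/>
  </Applications>
  <CredentialsProvider>
    <Credentials>
      <FileResolver Id="sp_creds">
        <Key password="secret"><Path>/etc/ssl/private/sp.example.org-key.pem</Path></Key>
        <Certificate><Path>/etc/ssl/certs/sp.example.org-cert.pem</Path></Certificate>
      </FileResolver>
    </Credentials>
  </CredentialsProvider>
</SPConfig>"""

SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.org/shibboleth">
    <IDPSSODescriptor>
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                           Location="https://idp.example.org/shibboleth-idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
    <SPSSODescriptor/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


if __name__ == "__main__":
    for severity, message in audit_spconfig(SAMPLE_SPCONFIG, SAMPLE_METADATA):
        print("%-5s %s" % (severity, message))
```

Run it on the real files with `audit_spconfig(open("/etc/shibboleth/shibboleth.xml").read(), open("/etc/shibboleth/EDIT-Federation-metadata.xml").read())`; the sample above yields two warnings (handlerSSL and the cleartext key password), which is exactly what the page's EDIT configuration would report.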
Mapping Attributes to environment variables
The last thing we may adapt is the Attribute Acceptance Policy (AAP) in /etc/shibboleth/AAP.xml.
Using the AAP you configure exactly which attribute values are accepted from which Identity Provider, and you define the mapping from these values to specific environment variables.
Currently, we just want the value of the attributes
eduPersonPrincipalName to the Apache2 environment variable REMOTE_USER.
mail to the Apache2 environment variable SHIB_MAIL.
The following policy definition is adequate for the job and accepts these attributes from any site.
Using a SiteRule element with its Name attribute instead of AnySite, we could restrict this to the providerId of an IdP of the EDIT federation, so that values are only accepted from IdPs that have joined the EDIT federation.
Be aware of what Scoped="false" means for eduPersonPrincipalName: the value is accepted as a plain string without its scope, so with AnySite every IdP in the metadata can assert any principal name, and "alice" from one IdP and "alice" from another end up as the same REMOTE_USER. The regular expression ^[^@]+$ only rejects values that carry an @ themselves; it says nothing about which IdP sent them. As soon as more than one IdP is trusted, set Scoped="true" for eduPersonPrincipalName (as the distribution's default AAP.xml does), so that the SP checks the asserted scope against the shibmd:Scope registered for that IdP in the metadata and exports the value as user@scope.
You can find a lot of other examples in the distribution's default /etc/shibboleth/AAP.xml file and in the Shibboleth documentation.
<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           xsi:schemaLocation="urn:mace:shibboleth:1.0 /usr/share/xml/shibboleth/shibboleth.xsd">
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="false"
                 Header="REMOTE_USER" Alias="user">
    <AnySite>
      <Value Type="regexp">^[^@]+$</Value>
    </AnySite>
  </AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:mail" Scoped="false"
                 Header="SHIB_MAIL" Alias="mail">
    <AnySite>
      <AnyValue/>
    </AnySite>
  </AttributeRule>
</AttributeAcceptancePolicy>
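The difference between Scoped="false" and Scoped="true" is easiest to see by running the rules. The following added example (not code from this page or from Shibboleth) is a simplified model of the AAP evaluation: it collects the value rules that apply to an issuer (AnySite plus a SiteRule naming it), applies AnyValue/Value, and for scoped rules verifies the asserted scope against the shibmd:Scope of the issuing IdP in the metadata. The AAP, the metadata with two IdPs (example.org and example.net) and the asserted attributes are all constructed; whole-value regexp matching is this example's reading of Value Type="regexp".

```python
"""Evaluate Attribute Acceptance Policy rules against incoming attributes.

Added example for this page (not Shibboleth's own code): a simplified model of
the SP's AAP handling of AnySite/SiteRule, Value rules and Scoped, showing why
Scoped="false" is only safe when a single IdP is trusted. The AAP, metadata and
asserted attributes below are constructed.
"""
import re
import xml.etree.ElementTree as ET

AAP = "urn:mace:shibboleth:1.0"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def idp_scopes(metadata_xml):
    """entityID -> [(scope, is_regexp)] from the shibmd:Scope elements of each IdP."""
    out = {}
    for ent in ET.fromstring(metadata_xml).iter(q(MD, "EntityDescriptor")):
        out[ent.get("entityID")] = [(s.text.strip(), s.get("regexp", "false") == "true")
                                    for s in ent.iter(q(SHIBMD, "Scope"))]
    return out


def scope_allowed(scopes, issuer, scope):
    """True if the issuing IdP is registered for this scope in the metadata."""
    for pattern, is_regexp in scopes.get(issuer, []):
        if (re.fullmatch(pattern, scope) is not None) if is_regexp else (pattern == scope):
            return True
    return False


def value_allowed(value_rules, value):
    """AnyValue accepts everything; Value Type="regexp" must match the whole value
    (anchor your patterns as the page's ^[^@]+$ does); Type="literal", the
    default, must equal the value."""
    for v in value_rules:
        if v.tag == q(AAP, "AnyValue"):
            return True
        if v.tag == q(AAP, "Value"):
            if v.get("Type") == "regexp" and re.fullmatch(v.text or "", value):
                return True
            if v.get("Type", "literal") == "literal" and v.text == value:
                return True
    return False


def apply_aap(aap_xml, metadata_xml, issuer, attributes):
    """Return {header: value} for what the AAP lets this issuer assert.

    attributes is a list of (attribute name, value, scope or None) as they
    would appear in the IdP's assertion."""
    scopes = idp_scopes(metadata_xml)
    rules = {r.get("Name"): r for r in ET.fromstring(aap_xml).iter(q(AAP, "AttributeRule"))}
    headers = {}
    for name, value, scope in attributes:
        rule = rules.get(name)
        if rule is None:
            continue  # attributes without a rule are dropped
        # value rules that apply to this issuer: those under AnySite plus a SiteRule naming it
        value_rules = []
        for site in rule:
            if site.tag == q(AAP, "AnySite") or (
                    site.tag == q(AAP, "SiteRule") and site.get("Name") == issuer):
                value_rules.extend(list(site))
        if not value_allowed(value_rules, value):
            continue
        if rule.get("Scoped", "false") == "true":
            # Scoped rule: the asserted scope must belong to the issuer, and the exported
            # value keeps it, so users of different IdPs cannot collide.
            if scope is None or not scope_allowed(scopes, issuer, scope):
                continue
            value = "%s@%s" % (value, scope)
        headers[rule.get("Header")] = value
    return headers


# Constructed federation metadata with two IdPs, each registered for one scope.
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <EntityDescriptor entityID="https://idp.example.org/shibboleth">
    <IDPSSODescriptor><Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></Extensions></IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.net/shibboleth">
    <IDPSSODescriptor><Extensions><shibmd:Scope regexp="false">example.net</shibmd:Scope></Extensions></IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# The page's eduPersonPrincipalName rule, and the scoped variant the text recommends.
AAP_UNSCOPED = """<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0">
  <AttributeRule Name="%s" Scoped="false" Header="REMOTE_USER" Alias="user">
    <AnySite><Value Type="regexp">^[^@]+$</Value></AnySite>
  </AttributeRule>
</AttributeAcceptancePolicy>""" % EPPN
AAP_SCOPED = AAP_UNSCOPED.replace('Scoped="false"', 'Scoped="true"').replace(
    '<Value Type="regexp">^[^@]+$</Value>', '<AnyValue/>')


def demo():
    """Same principal 'alice' asserted by both IdPs under both rules."""
    org, net = "https://idp.example.org/shibboleth", "https://idp.example.net/shibboleth"
    forged = [(EPPN, "alice", "example.org")]  # example.net asserting example.org's scope
    return {
        "unscoped_org": apply_aap(AAP_UNSCOPED, METADATA, org, [(EPPN, "alice", "example.org")]),
        "unscoped_net": apply_aap(AAP_UNSCOPED, METADATA, net, forged),
        "scoped_org": apply_aap(AAP_SCOPED, METADATA, org, [(EPPN, "alice", "example.org")]),
        "scoped_net_forged": apply_aap(AAP_SCOPED, METADATA, net, forged),
        "scoped_net_own": apply_aap(AAP_SCOPED, METADATA, net, [(EPPN, "alice", "example.net")]),
    }


if __name__ == "__main__":
    for case, headers in demo().items():
        print("%-18s %s" % (case, headers))
```

With the unscoped rule both IdPs produce REMOTE_USER=alice, i.e. the same identity; with the scoped rule example.org's user becomes alice@example.org, example.net's own user alice@example.net, and example.net asserting an example.org scope is rejected outright.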
Testing your Service Provider within the EDIT federation
Point your browser at the protected location on your SP (https://sp.e-taxonomy.eu/secure). You should be redirected to the IdP of the EDIT federation; log in with your EDIT username/password. Afterwards you should be able to use your secure site.
Updated by Andreas Müller about 2 years ago · 22 revisions