When installing the Shibboleth Service Provider, we have to make sure that the Apache web server is installed. If not, it can be installed using the following commands.
sudo apt-get update
sudo apt-get install apache2
In my example I am going to change the default Apache service port from 80 to 88.
Note: You can skip this step if you are willing to run Apache in the default port.
Edit the /etc/apache2/ports.conf file.
sudo vi /etc/apache2/ports.conf
Find the line containing the following.
Listen 80
Replace it with the port you want to use. In this example I use port 88.
Listen 88
Now save the file and close it. Then change the port number in the file found at /etc/apache2/sites-enabled/000-default.conf
sudo gedit /etc/apache2/sites-enabled/000-default.conf
Change the port number as follows.
<VirtualHost *:88>
Restart the Apache server
sudo systemctl restart apache2
Open the browser and navigate to http://localhost:88
Note: If the above URL does not show the default Apache server page, make sure that your /etc/hosts file contains the following entry.
127.0.0.1 localhost
If not, open the file and add it.
sudo gedit /etc/hosts
Now you should get the default Apache server page. :-)
Then enable SSL using the following command.
sudo a2enmod ssl
Enable the SSL virtual host.
sudo a2ensite default-ssl.conf
Create a self-signed SSL certificate.
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
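The port change and certificate steps above, as an added shell example that is not part of the original post: the edits are written as functions that take file paths, so they can be rehearsed on copies of ports.conf and 000-default.conf, checked for agreement, and only then applied with a configtest gating the restart. The script name apache-port.sh and the -subj value given to openssl are assumptions. One thing the post does not show: default-ssl.conf ships pointing at Ubuntu's snakeoil certificate, so its SSLCertificateFile and SSLCertificateKeyFile directives have to be changed to /etc/apache2/ssl/apache.crt and apache.key before the self-signed certificate is actually served.

```shell
#!/bin/sh
# Added example, not code from the original post: the port change and certificate
# steps as functions that take file paths, so the edit can be rehearsed on copies
# and verified before Apache is restarted. Live use (script name is an assumption):
#   sudo sh apache-port.sh 88

# rewrite_file FILE SED_EXPR: in-place edit without the GNU-only "sed -i".
rewrite_file() {
    rf_tmp="$1.tmp.$$"
    sed "$2" "$1" > "$rf_tmp" && mv "$rf_tmp" "$1"
}

# Only the column-0 "Listen 80" line is touched; the indented "Listen 443" inside
# <IfModule ssl_module> in Ubuntu's ports.conf is left alone.
set_listen_port() { rewrite_file "$1" 's/^Listen [0-9][0-9]*$/Listen '"$2"'/'; }
set_vhost_port()  { rewrite_file "$1" 's/^<VirtualHost \*:[0-9][0-9]*>/<VirtualHost *:'"$2"'>/'; }

listen_port() { sed -n 's/^Listen \([0-9][0-9]*\)$/\1/p' "$1" | head -n 1; }
vhost_port()  { sed -n 's/^<VirtualHost \*:\([0-9][0-9]*\)>.*/\1/p' "$1" | head -n 1; }

# ports_agree PORTS_CONF VHOST_CONF: fails on the half-done edit (Listen 88 while the
# vhost is still *:80) that leaves Apache answering on the new port with no site bound.
ports_agree() {
    pa_listen=$(listen_port "$1")
    [ -n "$pa_listen" ] && [ "$pa_listen" = "$(vhost_port "$2")" ]
}

# make_self_signed DIR HOST: the post's openssl command, made non-interactive with
# -subj (assumed CN) and followed by locking the unencrypted (-nodes) key to root.
make_self_signed() {
    mkdir -p "$1"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$2" -keyout "$1/apache.key" -out "$1/apache.crt" &&
    chmod 600 "$1/apache.key"
}

# apply PORT: the live run against /etc/apache2. configtest gates the restart so a
# typo cannot take the server down; curl then confirms the new port answers.
apply() {
    set_listen_port /etc/apache2/ports.conf "$1"
    set_vhost_port  /etc/apache2/sites-enabled/000-default.conf "$1"
    ports_agree /etc/apache2/ports.conf /etc/apache2/sites-enabled/000-default.conf ||
        { echo "Listen and VirtualHost ports differ; not restarting" >&2; return 1; }
    apachectl configtest && systemctl restart apache2 &&
    curl -sI "http://localhost:$1/" | head -n 1
}

if [ "$#" -ge 1 ]; then apply "$1"; fi
```

Run make_self_signed /etc/apache2/ssl localhost as root after the port change; the chmod matters because -nodes leaves the private key unencrypted on disk.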
Install Shibboleth SP
After configuring the Apache server, you can now install the Shibboleth SP as an Apache module.
sudo apt-get install libapache2-mod-shib2
sudo a2enmod auth_basic
sudo a2enmod shib2
Now create the Shibboleth SP key pair and certificate using the following command. The second command displays the generated certificate.
sudo shib-keygen -h localhost
openssl x509 -text -noout -in /etc/shibboleth/sp-cert.pem
Open the Shibboleth SP configuration file.
sudo nano /etc/shibboleth/shibboleth2.xml
In the configuration file, set the entityID in <ApplicationDefaults>. In my example I have used my-sp.
<ApplicationDefaults entityID="my-sp" REMOTE_USER="eppn persistent-id targeted-id">
Under <Sessions>, set handlerSSL to true and cookieProps to https.
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
Under <SSO>, change the entityID to that of your IdP. I have set up a Shibboleth IdP and I use my-idp.
Note: If you have not configured the Shibboleth IdP, you can refer to my blog post on installing the IdP at the following link.
Shibboleth Identity Provider Installation on Ubuntu 18.4 Tomcat
<SSO entityID="my-idp" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
Under the Status <Handler>, add your IP address to the acl.
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 192.168.1.20"/>
Note: adding your IP address here lets you access the Shibboleth status page remotely.
Under <Errors>, change the supportContact to a valid address.
<Errors supportContact="admin@localhost" helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>
Include the <MetadataProvider> as below.
<MetadataProvider type="XML" file="idp-metadata.xml"/>
Note: the file value here is the location of your Shibboleth IdP metadata file.
Copy the IdP metadata file (idp-metadata.xml) to the /etc/shibboleth directory, or set the path of idp-metadata.xml accordingly. In my my-idp example, idp-metadata.xml is in the following folder.
cd /opt/shibboleth-idp/metadata
Save and close the shibboleth2.xml file.
My sample shibboleth2.xml file is shown below.
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements
    for help.

    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="my-sp" REMOTE_USER="eppn persistent-id targeted-id">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="my-idp" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2 SAML1
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.1.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="admin@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of remotely supplied batch of signed metadata. -->
        <MetadataProvider type="XML" file="idp-metadata.xml"/>
        <!--
        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
        </MetadataProvider>
        -->

        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" file="partner-metadata.xml"/>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.

        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->

    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
Now restart the Shibboleth SP.
sudo service shibd restart
Test the SP
You can test the functionality of the SP by opening the following URL in the browser.
https://localhost/Shibboleth.sso/Status
Note: it will output an XML document with the Shibboleth status, IdP endpoints, etc.
Register this service provider (my-sp) in the identity provider (my-idp)
This will display the following message in the browser.
It means you have to register your service provider's (my-sp) metadata in the identity provider (my-idp).
Generate the service provider metadata
Save the file generated from the above link and copy it to the my-idp metadata folder.
cp /home/[username]/Downloads/Metadata /opt/shibboleth-idp/metadata/sp-metadata.xml
Open the identity provider's (my-idp) metadata-providers.xml file and add the following entry.
nano /opt/shibboleth-idp/conf/metadata-providers.xml
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml"/>
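The shibboleth2.xml settings edited above and the SP metadata registration in metadata-providers.xml, as one added shell example that is not code from the original post or from the Shibboleth project: it spot-checks the edited values before shibd is restarted, and verifies that the entityID inside the metadata file the IdP loads matches the SP's own entityID, which is the mismatch you get when the metadata was downloaded before entityID was changed. Element and attribute names are those from the snippets above; the stock value https://sp.example.org/shibboleth and the resolution of relative metadata paths against the config file's directory (/etc/shibboleth for the live file) are assumptions stated in the comments. The authoritative parse is still shibd -t, which this does not replace.

```shell
#!/bin/sh
# Added example, not code from the original post: spot-checks for the two files
# edited above, run before restarting shibd and before trusting the registration.
#   sp_check           /etc/shibboleth/shibboleth2.xml
#   registration_check /etc/shibboleth/shibboleth2.xml /opt/shibboleth-idp/conf/metadata-providers.xml
# Assumptions: the stock entityID value is https://sp.example.org/shibboleth (the one
# shipped in the default shibboleth2.xml), and a relative MetadataProvider file path
# is resolved against the config file's own directory (/etc/shibboleth when live).

# strip_comments FILE: print FILE on one line with <!-- ... --> blocks removed, so the
# commented-out examples in the stock file are never mistaken for live settings.
strip_comments() {
    tr '\n' ' ' < "$1" | awk '{
        while ((i = index($0, "<!--")) > 0) {
            j = index($0, "-->")
            if (j == 0) break
            $0 = substr($0, 1, i - 1) substr($0, j + 3)
        }
        print
    }'
}

# attr FILE ELEMENT ATTR: value of ATTR on the first live ELEMENT that carries it.
# ELEMENT may be a pattern such as '[^ >]*EntityDescriptor' to allow a namespace prefix.
attr() {
    strip_comments "$1" |
        grep -o "<$2[[:space:]][^>]*" |
        grep "[[:space:]]$3=\"" | head -n 1 |
        sed -n "s/.*[[:space:]]$3=\"\([^\"]*\)\".*/\1/p"
}

# sp_check CONF: 0 when the settings the post edits look right, 1 with the reasons.
sp_check() {
    chk_dir=$(dirname "$1"); chk_ok=0
    chk_ent=$(attr "$1" ApplicationDefaults entityID)
    case "$chk_ent" in
        ""|https://sp.example.org/shibboleth)
            echo "entityID still at the stock value: '$chk_ent'"; chk_ok=1 ;;
    esac
    [ "$(attr "$1" Sessions handlerSSL)" = "true" ] ||
        { echo "handlerSSL is not true: the SP handlers would also work over plain HTTP"; chk_ok=1; }
    [ "$(attr "$1" Sessions cookieProps)" = "https" ] ||
        { echo "cookieProps is not https: the session cookie would not be marked Secure"; chk_ok=1; }
    [ -n "$(attr "$1" SSO entityID)" ] ||
        { echo "SSO entityID is not set (the post puts the IdP's entityID here)"; chk_ok=1; }
    chk_meta=$(attr "$1" MetadataProvider file)
    case "$chk_meta" in
        "") echo "no file-based MetadataProvider for the IdP metadata"; chk_ok=1 ;;
        /*) ;;
        *)  chk_meta="$chk_dir/$chk_meta" ;;
    esac
    [ -z "$chk_meta" ] || [ -r "$chk_meta" ] ||
        { echo "IdP metadata file not readable: $chk_meta"; chk_ok=1; }
    return $chk_ok
}

# registration_check SP_CONF IDP_PROVIDERS: 0 when the IdP's FilesystemMetadataProvider
# points at a readable file whose EntityDescriptor entityID equals the SP's entityID.
registration_check() {
    reg_sp=$(attr "$1" ApplicationDefaults entityID)
    reg_file=$(attr "$2" MetadataProvider metadataFile)
    [ -n "$reg_file" ] && [ -r "$reg_file" ] ||
        { echo "metadata-providers.xml has no readable metadataFile"; return 1; }
    reg_meta=$(attr "$reg_file" '[^ >]*EntityDescriptor' entityID)
    [ -n "$reg_sp" ] && [ "$reg_meta" = "$reg_sp" ] ||
        { echo "entityID mismatch: SP config '$reg_sp' vs registered metadata '$reg_meta'"; return 1; }
    echo "SP '$reg_sp' is registered via $reg_file"
}

if [ "$#" -ge 1 ]; then sp_check "$1"; fi
if [ "$#" -ge 2 ]; then registration_check "$1" "$2"; fi
```

Run sp_check on the SP host, then sudo shibd -t for the full parse before the restart; registration_check is run on the IdP host (or wherever both files are readable) after the sp-metadata.xml copy.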
Quick Test
If the metadata registration succeeded, you will get the identity provider's (my-idp) login page.
Note: For the authentication data, configure LDAP or another storage service accordingly.