Shibboleth Identity Provider 3.x Installation on Ubuntu 18.4 Tomcat

Download Shibboleth IDP

You can download the Shibboleth IDP from the this location. Download the shibboleth-identity-provider-3.4.6.tar.gz file

wget https://shibboleth.net/downloads/identity-provider/3.4.6/shibboleth-identity-provider-3.4.6.tar.gz

Extract the file using the following command

tar -xvzf shibboleth-identity-provider-3.4.6.tar.gz

Install Shibboleth IDP

Install the IDP using the installation script install.sh inside extracted folder shibboleth-identity-provider-3.4.6/bin

sudo sh install.sh

Use relevant parameters when installing the product.

Source (Distribution) Directory: /home/Downloads/shibboleth-identity-provider-3.4.6Installation Directory: /opt/shibboleth-idpHostname: localhost.localdomainSAML EntityID: my-idp Attribute Scope: localdomainBackchannel PKCS12 Password: secretRe-enter password: secretCookie Encryption Key Password: secretRe-enter password: secret

Note: above process will create the idp war file in /opt/shibboleth-idp/war/idp.war

Enable Error Logs

It is useful to enable shibboleth IDP error logs when using the product. You can enable the logs by editing the file at the location /opt/shibboleth-idp/conf/logback.xml

<!-- Logging level shortcuts. -->
    <variable name="idp.loglevel.idp" value="ALL" />
    <variable name="idp.loglevel.ldap" value="ALL" />
    <variable name="idp.loglevel.messages" value="ALL" />
    <variable name="idp.loglevel.encryption" value="INFO" />
    <variable name="idp.loglevel.opensaml" value="ALL" />
    <variable name="idp.loglevel.props" value="INFO" />

Deploy the war file in Tomcat with enabled https

You must make sure that you have installed tomcat and enable SSL correctly before deploying the war file. In my example I have used tomcat8.
To Enable SSL on Tomcat use following steps.

1. Creating a Keystore file using Java (need java SDK)

cd $JAVA_HOME/bin

Above command change the current directory to bin folder of Java SDK. Inside it there is a file named keytool. It will generate a keystore file for us.

Next, type on the terminal:

keytool -genkey -alias tomcat -keyalg RSA

When you type the command above, it will ask you some questions. First, it will ask you to create a password (My password is “password“):

loiane:bin loiane$ keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:  password
Re-enter new password: password
What is your first and last name?
  [Unknown]:  Loiane Groner
What is the name of your organizational unit?
  [Unknown]:  home
What is the name of your organization?
  [Unknown]:  home
What is the name of your City or Locality?
  [Unknown]:  Sao Paulo
What is the name of your State or Province?
  [Unknown]:  SP
What is the two-letter country code for this unit?
  [Unknown]:  BR
Is CN=Loiane Groner, OU=home, O=home, L=Sao Paulo, ST=SP, C=BR correct?
  [no]:  yes
 
Enter key password for
    (RETURN if same as keystore password):  password
Re-enter new password: password

It will create a .keystore file on your user home directory.  (/home/[username])

2. Configuring Tomcat for using the keystore file – SSL config

Open your Tomcat installation directory and open the conf folder. Inside this folder, you will find the server.xml file. Open it.

Find the following declaration:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
-->

Uncomment it and modify it to look like the following:

Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
    port="8443" keystoreFile="/home/[username]/.keystore" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />

Note: we add the keystoreFile, keystorePass and changed the protocol declarations. /home/[username]/.keystore is keystoreFile location.

3. Let’s test it!

Start tomcat service and try to access https://localhost:8443. You will see Tomcat’s local home page.

Note if you try to access the default 8080 port it will be working too: http://localhost:8080

Go to IDP war file location /opt/shibboleth-idp/war/idp.war and deploy it in tomcat.

Then browse the following URL to see the IDP works fine in tomcat.

https://localhost:8443/idp/status

Note :- You may sometimes encounter an error called Nested Servelet Exception. In such cases download this jar file from the maven repository and include it in the tomcat.
You can check other errors of idp by looking at its log

tail -f /opt/shibboleth-idp/logs/*.log

Quick Test

Now you will able to see the status of the server in the browser.

Now you have successfully installed shibboleth IDP