...
Install Shibboleth SP on Centos/RedHat

Install using RPM: https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall
- Visit https://shibboleth.net/downloads/service-provider/RPMS/, choose your platform, then click Generate
- Copy the generated content to /etc/yum.repos.d/shibboleth.repo
- Install the package:
  sudo yum install shibboleth.x86_64 (64-bit OS)
  sudo yum install shibboleth (32-bit OS)
Install Shibboleth SP on Ubuntu

sudo apt-get update
sudo apt-get install libapache2-mod-shib2
sudo a2enmod shib
Configuration - Shibboleth SP
After installation, the Shibboleth configuration files are placed in /etc/shibboleth/. The Apache side is configured in /etc/httpd/conf.d/shib.conf (RedHat/CentOS) or /etc/apache2/conf-available/shib2.conf (Ubuntu). Make sure this file is included in your Apache configuration; after editing it, run apachectl configtest (and shibd -t for the Shibboleth configuration) before reloading. If you are converting a production server from CUWebAuth to Shibboleth, set "ShibCompatValidUser" to "On" in shib.conf so that "Require valid-user" can still be satisfied by the existing CUWebAuth module and your website's authentication is not interrupted during the changeover. Set it back to "Off" after you finish the conversion, so that only Shibboleth sessions satisfy valid-user.
...
Update Access Control in shib.conf or shib2.conf (Ubuntu)

Open /etc/httpd/conf.d/shib.conf or /etc/apache2/conf-enabled/shib2.conf (Ubuntu) in a text editor. If you are not using the default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file. In every block below, "AuthType shibboleth" hands authentication to the SP module and "ShibRequestSetting requireSession 1" forces a login (redirect to the IdP) before the Require rule is evaluated; without requireSession an anonymous request simply fails the rule.

Require authentication for entire site

<Location />
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Location>
Authorization by affiliation

<Location /studentOnly>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr eduPersonPrimaryAffiliation student
</Location>
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr eduPersonAffiliations staff
</Location>

* eduPersonPrimaryAffiliation is a single-valued attribute, while eduPersonAffiliations is multi-valued. For example, a staff member who is also taking courses at Cornell has staff as the value of eduPersonPrimaryAffiliation, and both staff and student as values of eduPersonAffiliations. A "Require shib-attr" rule is satisfied when any value of the named attribute exactly matches one of the listed values, so the /secure rule above admits that person while the /studentOnly rule does not.
The attribute name used in "Require shib-attr" must be the id under which the SP maps the attribute in /etc/shibboleth/attribute-map.xml; if the IdP does not release the attribute, or the name does not match, the rule denies everyone.
All the possible values of the affiliation attributes can be found at https://confluence.cornell.edu/display/IDM/edupersonprimaryaffiliation+and+edupersonaffiliation+details
Authorization by group/permit

<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr groups myGroup1 myGroup2
</Location>

Listing several values on one "Require shib-attr" line grants access to a user who matches any one of them (logical OR).
Authorization by NetID

<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr uid hjy789 jpq2020
</Location>
Require two-factor authentication for everyone

<Location />
AuthType shibboleth
ShibRequestSetting authnContextClassRef http://cornell.edu/mfa
ShibRequestSetting requireSession 1
Require shib-attr groups mySecureGroup
</Location>

The authnContextClassRef setting asks the IdP to perform two-factor authentication for every session created for this Location. Note that the Require line in this example still limits access to members of mySecureGroup; to admit any user who has completed two-factor login, use "Require valid-user" instead. To confirm that an existing session actually carries the MFA context, check the Authentication Context Class shown by the SP's session handler at /Shibboleth.sso/Session.
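The rules above are evaluated by the Shibboleth SP module inside Apache, so it is easy to misread how a multi-valued attribute or a list of values behaves. The following Python model of "Require valid-user" and "Require shib-attr" evaluation is an added example, not code from Shibboleth or from this page. It assumes the SP's documented export convention (multiple values joined with ';', a literal ';' escaped as '\;'), exact case-sensitive matching, and uses constructed sessions and hypothetical paths (/groupOnly, and the NetIDs abc123 and xyz789) to show which Locations a staff-who-is-also-a-student and a plain student can reach under the affiliation and group rules.

```python
"""Model of Apache 'Require shib-attr' / 'Require valid-user' evaluation.

Added example, not Shibboleth code. Assumptions: the SP exports each
attribute as one string, multi-valued attributes joined with ';' (a literal
';' inside a value escaped as '\\;'), and 'Require shib-attr NAME v1 v2 ...'
is satisfied when any exported value of NAME exactly equals any listed value.
"""
from __future__ import annotations

from dataclasses import dataclass


def split_values(exported: str) -> list[str]:
    """Split a ';'-joined exported attribute into its values, honouring '\\;'."""
    values, current, i = [], [], 0
    while i < len(exported):
        ch = exported[i]
        if ch == '\\' and i + 1 < len(exported) and exported[i + 1] == ';':
            current.append(';')          # escaped semicolon is part of the value
            i += 2
            continue
        if ch == ';':
            values.append(''.join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    values.append(''.join(current))
    return [v for v in values if v]     # drop empty pieces from stray separators


@dataclass(frozen=True)
class Rule:
    kind: str                  # 'valid-user' or 'shib-attr'
    attr: str = ''             # attribute id from attribute-map.xml
    values: tuple[str, ...] = ()


def parse_require(line: str) -> Rule:
    """Parse one Require line of the two forms used on this page."""
    parts = line.split()
    if parts[:2] == ['Require', 'valid-user']:
        return Rule('valid-user')
    if parts[:2] == ['Require', 'shib-attr'] and len(parts) >= 4:
        return Rule('shib-attr', parts[2], tuple(parts[3:]))
    raise ValueError(f'unsupported rule: {line!r}')


def authorized(rule: Rule, session: dict[str, str]) -> bool:
    """Evaluate a rule against the attributes the SP exported for a session.

    An empty dict models 'no session'; with requireSession 1 the SP would
    redirect to the IdP instead, but either way the rule is not satisfied.
    """
    if not session:
        return False
    if rule.kind == 'valid-user':
        return bool(session.get('REMOTE_USER'))
    have = split_values(session.get(rule.attr, ''))   # missing attribute -> no values
    return any(v in rule.values for v in have)         # OR over listed values, exact match


# Hypothetical site layout using the page's rules (paths other than / are assumptions).
SITE_RULES = {
    '/':            'Require valid-user',
    '/studentOnly': 'Require shib-attr eduPersonPrimaryAffiliation student',
    '/secure':      'Require shib-attr eduPersonAffiliations staff',
    '/groupOnly':   'Require shib-attr groups myGroup1 myGroup2',
}

# Constructed sessions; NetIDs and group memberships are invented for the example.
STAFF_STUDENT = {
    'REMOTE_USER': 'abc123',
    'uid': 'abc123',
    'eduPersonPrimaryAffiliation': 'staff',
    'eduPersonAffiliations': 'member;staff;student',
}
STUDENT = {
    'REMOTE_USER': 'xyz789',
    'uid': 'xyz789',
    'eduPersonPrimaryAffiliation': 'student',
    'eduPersonAffiliations': 'member;student',
    'groups': 'myGroup2',
}
NO_SESSION: dict[str, str] = {}


def accessible_paths(session: dict[str, str]) -> list[str]:
    """Return the Locations whose Require rule the session satisfies."""
    return sorted(path for path, line in SITE_RULES.items()
                  if authorized(parse_require(line), session))


if __name__ == '__main__':
    for name, sess in [('staff+student', STAFF_STUDENT),
                       ('student', STUDENT), ('no session', NO_SESSION)]:
        print(f'{name:14s} -> {accessible_paths(sess)}')
```

The staff member who is also a student reaches / and /secure but not /studentOnly, because the primary affiliation is the single value staff while the multi-valued affiliation list contains both. The student reaches /groupOnly on the strength of myGroup2 alone, illustrating the OR semantics of a multi-value Require line.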
...