Versions Compared

Old Version 105

changes.mady.by.user Hong Ye

Saved on

compared with

New Version Current

changes.mady.by.user Hong Ye

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleRun Shibboleth SP Windows Installer

1 Download the latest version of the Windows installer package from the Shibboleth download site at https://shibboleth.net/downloads/service-provider/latest/. Select either the win32/ or win64/ directory as appropriate to your 32-bit or 64-bit system. Then download .msi file.

2 Run the installer package. It is recommended that you accept all defaults, as follows:

  1. Accept the license agreement
  2. Install to C:\opt\shibboleth-sp ( this is the default location. You may change it to other location.)
  3. Make sure Configure IIS7 module 'Configure IIS Support' checkbox is checked

Image Added

  1. Click Next, then Install, then Finish
  2. Click Yes to restart your system

...

Expand
titleUpdate shibboleth2.xml

Save a copy of shibboleth2.xml to shibboleth2.xml.orig or similar. Download our sample shibboleth2.xml and replace your shibboleth2.xml with downloaded file. Open shibboleth2.xml in a text editor.

  • Update the site ID and name:

Find <ISAPI...>...<Site id="1" name="shibtest.cit.cornell.edu"/>. Change the "site id" to match the id assigned to your site by IIS. You can find your site id in Internet Services (IIS) Manager by clicking on "Sites". In this same location, change the site name to your website domain name. Our example defined two sites. Delete or add more as needed.

Info
titleHTTP Header Variables

It is not safe to use HTTP header variables. Shibboleth SP 3 do not pass attributes as HTTP headers by default. If your applications look up attributes from HTTP headers, it is recommended switching to use server variables.

If you have to use HTTP header variables, refer to https://wiki.shibboleth.net/confluence/display/SP3/ISAPI for instruction.

  • Update the host name:

Find <RequestMap>...<Host name="shibtest.cit.cornell.edu">. Change the "Host name" to the site name you defined in step above. In this example file, we defined two hosts and specifies different authorization rules for each site and location. Please modify it to meet your site requirement. If your site supports both http and https, add redirectToSSL="443" in Host element because shibboleth SP doesn't work with http connection.

Info

If you use group for authorization, please note group membership is not released by default. Please specify your group names in Shibboleth Integration Request form. Shibboleth IDP doesn't support nested groups( for example group B is a member of group A, user C is a member of group B, IDP doesn't know user C is a member of group A) . If you have to use nested group, you need to convert nested group to dynamic group.


Code Block
titleExample: Entire website require authentication and allow valid-user
<Host name="xxx" authType="shibboleth" requireSession="true" redirectToSSL="443" />

 

" requireSession="true" redirectToSSL="443" />


Code Block
titleExample: certain path require authentication and allow valid-user
<Host name="xxx"  redirectToSSL="443" />
	 <Path name="special" authType="shibboleth" requireSession="true" />
</Host>


Code Block
titleExample: different authorizaiton rules
<Host name="xxx"  redirectToSSL="443" />
     <!-- authorization by NetID -->
     <Path name="special" authType="shibboleth" requireSession="true">
   	    <AccessControl> 
            <Rule require="uid">jy98 mop29</Rule>      
        </AccessControl>
    </Path>
    <!-- authorization by group/permit -->
    <!-- Group Name is CASE SENSITIVE -->
    <Path name="students" authType="shibboleth" requireSession="true">
   	    <AccessControl> 
            <Rule require="groups">cit.idm CIT-IDM-test</Rule>      
        </AccessControl>
    </Path> 
    <!-- authorization by user's affiliation.Possible value of affiliation: affiliate, alum, faculty, employee, staff, student -->
    <Path name="students" authType="shibboleth" requireSession="true">
   	    <AccessControl> 
            <Rule require="affiliations">employee student</Rule>     
        </AccessControl>
    </Path> 
    
</Host>


Code Block
titleExample: sub level path has different authorization rule
<!-- /secure require certain netID. /special/doc require group cit.idm -->
<Path name="secure" authType="shibboleth" requireSession="true">
  	<AccessControl> 
        <Rule require="uid">jy98 mop29</Rule>      
    </AccessControl>
    <Path name="doc">
        <AccessControl> 
            <Rule require="groups">cit.idm</Rule>      
        </AccessControl>
    </Path>
</Path>


Code Block
titleExample: Force Everyone with TwoFactor 
<Host name="xxxx" authType="shibboleth" authnContextClassRef="https://refeds.org/profile/mfa" requireSession="true" >
    <AccessControl>                    
        <Rule require="authnContextClassRef">https://refeds.org/profile/mfa</Rule>
    </AccessControl>
</Host>


  • Update SP entityID:

Find <ApplicationDefaults entityID="https://shibtest.cit.cornell.edu/shibboleth" ...>. EntityID is the unique identifier for your SP. Cornell Shibboleth Identity Provider(IDP) provides service to many applications. This entityID will help Cornell IDP to identify your SP. We recommend you follow shibboleth convention named it "https://yourDomainName/shibboleth". It's better not include space or special characters in it( / or : are fine). 

You can use one entityID for all your sites hosted in the same IIS.

  • Update the support contact:

Find  < Errors supportContact ="root@localhost"  helpLocation ="/about.html" styleSheet ="/shibboleth-sp/main.css"  /> . Change the email address to your application's support email address.

  • Update IDP info if you are configuring a test/dev site( skip this if you are configuring production site )

Find <SSO entityID=" https://shibidp.cit.cornell.edu/idp/shibboleth ">.Replace our production IDP's entityID with test IDP's entityID: https://shibidp-test.cit.cornell.edu/idp/shibboleth

Find <MetadataProvider ... url=" https://shibidp.cit.cornell.edu/idp/shibboleth " ..>. This is production IDP's metadata url. Comment out this block for your test site. Then un-comment MetadataProvider for Cornell test IDP.

...

Expand
titleVerify the Configuration

Go to your SP installation directory(default C:\opt\shibboleth-sp), cd to /sbin64 or /sbin directory as appropriate to your 64-bit or 32-bit system. Running the code below from the command line:

 



Code Block
languagetext
shibd.exe -check
If the last line of the output is the following message, everything is as expected:
"overall configuration is loadable, check console for non-fatal problems"

If there is error, check log for detail. All the log files are in SP installation directory\var\log\shibboleth

...

Expand
titleGet SP's metadata
  • Restart IIS and the Shibboleth Daemon. The Shibboleth Daemon can be restarted using the Administrative Tools > Services navigation.
  • Navigate to  https://yoursiteDomain/Shibboleth.sso/Metadata and download it.Open your downloaded file with text editor. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in IIS require Shibboleth authentication and you define them in shibboleth2.xml, you need to manually add consumer service url for each site in your SP's metadata.       
Code Block
languagetext
titleExample
In our example, SP's metadata can be obtained from https://shibtest.cit.cornell.edu/Shibboleth.sso/Metadata. In the metadata there should be a line:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="1"/>

Our example also have shibtest1.cit.cornell.edu defined in shibboleth2.xml, another AssertionConsumerService url for shibtest1.cit.cornell.edu need to be manually added in the metadata:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest1.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="2"/>
  • Save your metadata file. You'll need to submit your SP's metadata in shibboleth integration request form.need to submit your SP's metadata in shibboleth integration request form.


Expand
titleRegister metadata

Submit

Expand
titleRegister metadata

If your site is configured with test IDP, you don't have to submit Shibboleth integration request form because test IDP supports anonymous SP. You can start testing the authentication of your site.

For sites configured with prod IDP, submit your shibboleth integration request from https://shibrequest.cit.cornell.edu. On the second page of request form, select 'No' for question "Has the application service provider's metadata been published with InCommon?".  Use text editor open your SP's metadata, copy the content of the metadata and paste it in the "Service Provider's metadata field. Once the form is submitted, Identity Management get a Remedy case. We'll configure your SP in prod IDP in 1 - 2 business day. We'll notify you when the configuration is complete.

...

contact idmgmt@cornell.edu