This document describes the procedure used to install Shibboleth Service Provider (SP) software on Centos, RedHat and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).
If you are moving shib protected domain to a new serve, please use instruction here: Move Shibboleth Service Provider to a Different Server
Prerequisites
- Apache must be installed and your website have an SSL certificate installed and SSL enabled. To request a SSL certificate: https://it.cornell.edu/ssl/renew-or-request-ssl-certificate.
- Shibboleth doesn't support http access. If http access is supported on your site, define a redirect rule in Apache configuration that route http traffic to https.
- Make sure your server time is accurate.
- Your server has user shibd available.
Installation
- We do not recommend the use of the old prefork MPM and strongly encourage the worker MPM. The prefork option will fail under load in a variety of cases, with some limited workarounds possible.
Installation
Expand | ||
---|---|---|
| ||
If | ||
Expand | ||
| ||
If you are on a CIT Managed Server, please check this document: https://sysdocs.cit.cornell.edu/Documentation/LinuxShibbolethRepository Otherwise, Install using RPM: https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall
|
...
Expand | ||
---|---|---|
| ||
Download our sample attribute-map.xml and replace your /etc/shibboleth/attribute-map.xml with downloaded file. Our attribute-map.xml defines all commonly used attributes. All attributes except groups defined in attribute-map.xml are released by default to all SP. Attribute "groups" is released on demand. Please specify your group names in Shibboleth Integration Request form. Shibboleth IDP doesn't support nested groups( for example group B is a member of group A, user C is a member of group B, IDP doesn't know user C is a member of group A) . If you have to use nested group, you need to convert nested group to dynamic group. |
...
Expand | |||||
---|---|---|---|---|---|
| |||||
Download our sample shibboleth2.xml and replace your /etc/shibboleth/shibboleth2.xml with downloaded file. Open shibboleth2.xml in a text editor.
Search <ApplicationDefaults entityID="https://mysite.cit.cornell.edu/shibboleth"... >. EntityID is the Unique identifier for your SP. Cornell Shibboleth Identity Provider(IDP) provides service to many applications. This entityID will help Cornell IDP to identify your SP. We recommend you follow shibboleth convention named it "https://xxx/shibboleth". It's better not include space or special characters in it( / and : are fine). One SP can server multiple sites in your Apache so it does not necessarily equate to the hostname(s) at which your service runs.
--- lifetime is the maximum duration in --- timeout is the maximum inactivity allowed between requests in a session maintained by the SP. The settings shown in the example will set your Shibboleth session timeout to 3600 (1 hour).
--- postData="ss:mem" postTemplate="postTemplate.html" Add it to <Sessions ..> if your website hosts web form(with Content-Type application/x-www-form-urlencoded). Web form POST data with Content-Type application/x-www-form-urlencoded will be saved in the Shibboleth memory cache rather than discarded when a user requires authentication after filling out a web form. "postTemplate.html" is located in /etc/shibboleth directory. Modify it to meet your website's style. "postLimit" is the maximum number of bytes to allow when saving off POST data. Over this limit, a warning in the log will appear, but the data will not be saved. When not defined it uses the default which is 1048576 bytes(1024k). More information: https://wiki.shibboleth.net/confluence/display/SP3/Sessions
Search < Errors supportContact ="root@localhost" helpLocation ="/about.html" styleSheet ="/shibboleth-sp/main.css" /> . Change the email address to your application's support email address. Change the helpLocation to your application's help page.
|
Expand | ||
---|---|---|
| ||
If Shibboleth is installed via RPM, signing/encryption key and certificate files are generated automatically. Check if you have sp-signing-cert.pem, sp-signing-key.pem, sp-encrypt-key.pem, sp-encrypt-cert.pem in /etc/shibboleth directory. If they are not there, generate them. shib-keygen./keygen |
If your website is behind a Load Balancer
Please make sure that the real client's IP address (e.g. "x-forwarded-for") is being passed to the SP, instead of the load-balancer's IP address. Please see this page for details: Pass the real client IP to the Shibboleth SP when your site is behind a load balancer
Shibboleth Configuration Check
...
Panel |
---|
sudo LD_LIBRARY_PATH=/opt/shibboleth/lib64 /sbin/shibd -t |
The last line of the output should read:
...
Expand | |||||
---|---|---|---|---|---|
| |||||
Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it.Open your downloaded file with text editor. Some browser doesn't show metadata correctly in the browser. DO NOT copy the content in the browser. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in Apache require Shibboleth authentication, you can get SP's metadata by navigating to one of the site, then you need to manually add assertion consumer service url HTTP-POST bindings for each of the other sites in your SP's metadata. other sites in your SP's metadata. You may see other AssertionConsumerService bindings, 'SingleLogoutService', 'ArtifactResolutionService' etc in your downloaded metadata. Those are not being used. You don't need to add those for other sites.
|
...
After you are notified that your metadata has been integrated in Cornell IDP, you can continue your configuration. If you are converting CUWebAuth to Shibboleth SP, you may refer to Converting CUWebAuth to Shibboleth.
Expand | |||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||
Open /etc/httpd/conf.d/shib.conf in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file.
|
...
If you have tomcat in your environment , since environment variables are not passed by mod_proxy_ajp
unless they have AJP_
prefixes, you'll need to and REMOTE_USER is not working, you can try add attributePrefix="AJP_"
to the <ApplicationDefaults>
element in your configuration:
...