This document describes the procedure used to install Shibboleth Service Provider (SP) software on Centos/RedHat, and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).
Prerequisites
Apache must be installed and your website have an SSL certificate installed and SSL enabled.
Installation
Follow instruction on https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall to install Shibboleth.
...
| Expand |
|---|
| title | Update Access Control shib.conf |
|---|
|
Open /etc/httpd/conf.d/shib.conf in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file. | Code Block |
|---|
| title | Require authentication for entire site |
|---|
| <Location />
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Location>
|
| Code Block |
|---|
| title | Authorization by affiliation |
|---|
| <Location /studentOnly>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr eduPersonPrimaryAffiliation student
</Location>
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr eduPersonAffiliations staff
</Location>
*eduPersonPrimaryAffiliation is single value attribute while eduPersonAffiliations is multi-values attribute.
For example, a staff who also taking courses at Cornell has staff as the value of eduPersonPrimaryAffiliation, has staff and student as the value of eduPersonAffiliations.
All the possible value of affiliations can be found at https://confluence.cornell.edu/display/IDM/edupersonprimaryaffiliation+and+edupersonaffiliation+details |
| Code Block |
|---|
| title | Authorization by group/permit |
|---|
| <Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr groups myGroup1 myGroup2
</Location> |
| Code Block |
|---|
| title | Require TwoFactor for everyone |
|---|
| <Location /superSecret>
AuthType shibboleth
ShibRequestSetting authnContextClassRef http://cornell.edu/mfa
ShibRequestSetting requireSession 1
Require shib-attr groups mySecureGroup
</Location> |
|
Start Shibboleth Service Provider and Apache
shibd is installed to /usr/sbin may be managed using service and chkconfig (on System V platforms) or with systemctl (on systemd platforms, some additional information available).
Register Service Provider with Cornell IDP
...
