Versions Compared

Old Version 66

changes.mady.by.user Hong Ye

Saved on

compared with

New Version 67

changes.mady.by.user Hong Ye

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleUpdate shibboleth2.xml

Download our sample shibboleth2.xml and replace your /etc/shibboleth/shibboleth2.xml with downloaded file. Open shibboleth2.xml in a text editor.

  • Update SP entityID:

 Search <ApplicationDefaults entityID="https://mysite.cit.cornell.edu/shibboleth"... >.  EntityID is the  Unique identifier for your SP. Cornell Shibboleth Identity Provider(IDP) provides service to many applications. This entityID will help Cornell IDP to identify your SP. We recommend you follow shibboleth convention named it "https://xxx/shibboleth". It's better not include space or special characters in it( / and : are fine). One SP can server multiple sites in your Apache so it does not necessarily equate to the hostname(s) at which your service runs. 

  • Update SP session:
    Search <Sessions lifetime="28800" timeout="3600" ...>

--- lifetime is the maximum duration in seconds that a session maintained by the SP will be valid.The settings shown in the example will set your Shibboleth session lifetime to 28800 (8 hours).

--- timeout is the maximum inactivity allowed between requests in a session maintained by the SP. The settings shown in the example will set your Shibboleth session timeout to 3600 (1 hour).

 --- postData="ss:mem" postTemplate="postTemplate.html"

Add it to <Session ..> if your website has web form. Web form POST data will be saved in the Shibboleth memory cache rather than discarded when a user requires authentication after filling out a web form. "postTemplate.html" is located in /etc/shibboleth directory. Modify it to meet your website's style.

More information: https://wiki.shibboleth.net/confluence/display/SP3/Sessions

  • Update the support contact: 

Search < Errors supportContact ="root@localhost"  helpLocation ="/about.html" styleSheet ="/shibboleth-sp/main.css"  /> . Change the email address to your application's support email address. Change the helpLocation to your application's help page.

  • Update IDP information if you are configuring a test/dev site( skip this if you would like to use production IDP for your test/dev site)
Search <SSO entityID=" https://shibidp.cit.cornell.edu/idp/shibboleth ">.Replace our production IDP's entityID with test IDP's entityID: https://shibidp-test.cit.cornell.edu/idp/shibboleth

Search <MetadataProvider ... url=" https://shibidp.cit.cornell.edu/idp/shibboleth " ..>. This is production IDP's metadata url. Comment out this block for your test site. Then un-comment MetadataProvider for Cornell test IDP.

  • Check if you have sp-signing-cert.pem and sp-encrypt-cert.pem in /etc/shibboleth directory. If they are not there, generate them.

    Code Block
    titlegenerate a 10 year signing key
    shib-keygen -n sp-signing -h yourServername -y 10     (your servername will be the CN of the certificate)
    Code Block
    titlegenerate a 10 year encryption key
    shib-keygen -n sp-encrypt -h yourServername -y 10


...

Expand
titleGet SP's metadata

Navigate to  https://yoursiteDomain/Shibboleth.sso/Metadata and download it.Open your downloaded file with text editor. Some browser doesn't show metadata correctly in the browser. DO NOT copy the content in the browser. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in Apache require Shibboleth authentication, you can get SP's metadata by navigating to one of the site,  then you need to manually add consumer service url for all the other sites in your SP's metadata. 

Code Block
titleExample
In our example, SP's metadata can be obtained from https://shibtest.cit.cornell.edu/Shibboleth.sso/Metadata. In the metadata there should be a line:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="1"/>
 
Our example also have another site mytest.cit.cornell.edu, another AssertionConsumerService url for mytest.cit.cornell.edu need to be manually added in the metadata:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mytest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="2"/>
Expand
titleRegister SP

If your site is configured with test IDP, you don't have to submit Shibboleth integration request form because test IDP supports anonymous SP. You can start testing the authentication of your site.

For sites configured with prod IDP, submit your Submit your shibboleth integration request from https://shibrequest.cit.cornell.edu. On the second page of the request form, select 'No' for question "Has the application service provider's metadata been published with InCommon?".  Use text editor open your SP's metadata, copy the content of the metadata and paste it in the "Service Provider's metadata field. Once the form is submitted, Identity Management get a Remedy case. We'll configure your SP in prod IDP in 1 - 2 business day. We'll notify you when the configuration is complete.

...