This document describes the procedure used to install Shibboleth Service Provider (SP) software on Centos, RedHat, Ubuntu and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).
Apache must be installed and your website have an SSL certificate installed and SSL enabled. To request a SSL certificate: https://it.cornell.edu/ssl/renew-or-request-ssl-certificate.
Shibboleth doesn't support http access. If http access is supported on your site, define a redirect rule in Apache configuration that route http traffic to https.
Install using RPM: https://wiki.shibboleth.net/confluence/display/SP3/RPMInstall.
sudo apt-get update sudo apt-get install libapache2-mod-shib2 sudo a2enmod shib |
After installation Shibboleth configuration files are placed at /etc/shibboleth/. Necessary Apache configuration in /etc/httpd/conf.d/shib.conf (Redhat/Centos), /etc/apache2/conf-available/shib2.conf (Ubuntu). Make sure shib.conf is included in your Apache configuration file.
Download our sample attribute-map.xml and replace your /etc/shibboleth/attribute-map.xml with downloaded file. Our attribute-map.xml defines all commonly used attributes. All attributes except groups defined in attribute-map.xml are released by default to all SP. Attribute "groups" is released on demand. Please specify your group names in Shibboleth Integration Request form. Shibboleth IDP doesn't support nested groups( for example group B is a member of group A, user C is a member of group B, IDP doesn't know user C is a member of group A) . If you have to use nested group, you need to convert nested group to dynamic group. |
Download our sample shibboleth2.xml and replace your /etc/shibboleth/shibboleth2.xml with downloaded file. Open shibboleth2.xml in a text editor.
Find <ApplicationDefaults entityID="https://mysite.cit.cornell.edu/shibboleth"... >. EntityID is the Unique identifier for your SP. Cornell Shibboleth Identity Provider(IDP) provides service to many applications. This entityID will help Cornell IDP to identify your SP. We recommend you follow shibboleth convention named it "https://xxx/shibboleth". It's better not include space or special characters in it( / and : are fine). One SP can server multiple sites in your Apache so it does not necessarily equate to the hostname(s) at which your service runs.
Find < Errors supportContact ="root@localhost" helpLocation ="/about.html" styleSheet ="/shibboleth-sp/main.css" /> . Change the email address to your application's support email address. Change the helpLocation to your application's help page.
Find <SSO entityID=" https://shibidp.cit.cornell.edu/idp/shibboleth ">. Replace our production IDP's entityID with test IDP's entityID: https://shibidp-test.cit.cornell.edu/idp/shibboleth Find <MetadataProvider ... url=" https://shibidp.cit.cornell.edu/idp/shibboleth " ..>. This is production IDP's metadata url. Comment out this block for your test site. Then un-comment MetadataProvider for Cornell test IDP.
|
shibd is installed to /usr/sbin and may be managed using service and chkconfig (on System V platforms) or with systemctl (on systemd platforms, some additional information available).
On Centos 7, you can start shibd and apache by running
sudo systemctl start shibd sudo systemctl start httpd |
After you run the command, make sure shibd and httpd are running. Logs for Shibboleth SP are located at /var/log/shibboleth/. Take a look at /var/log/shibboleth/shibd_warn.log and make sure there is no error in there. You need to fix error if there is any and restart shibd and httpd.
Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it. Open your downloaded file with text editor. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in Apache require Shibboleth authentication, you can get SP's metadata by navigating to one of the site, then you need to manually add consumer service url for all the other sites in your SP's metadata.
|
Open /etc/httpd/conf.d/shib.conf or /etc/apache2/conf-enabled/shib2.conf(ubuntu) in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file.
|
Addition configuration information can be found at https://wiki.shibboleth.net/confluence/display/SP3/Apache
Confirm you are able to log in with your netID and user's attributes are properly released. To verify attribute release, in shibboleth2.xml, you need to set showAttributeValues to true and restart shibd, httpd.
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
By default, Shibboleth attributes that released to your shibboleth SP are available to your application as environment variables, not available in HTTP headers. In your application, you should get authenticated user's netID from server variable REMOTE_USER.
Detail and examples about attribute access.
https://wiki.shibboleth.net/confluence/display/SP3/AttributeAccess
If you have tomcat in your environment, since environment variables are not passed by mod_proxy_ajp
unless they have AJP_
prefixes, you'll need to add attributePrefix="AJP_"
to the <ApplicationDefaults>
element in your configuration:
contact idmgmt@cornell.edu