This document describes the procedure used to install Shibboleth Service Provider (SP) software on Centos, RedHat, Ubuntu and to configure it to work with the Cornell Shibboleth Identity Provider (IdP).
Shibboleth doesn't support http access. If http access is supported on your site, define a redirect rule in Apache configuration that route http traffic to https.
Copy generated content to /etc/yum.repos.d/shibboleth.repo
sudo yum install shibboleth.x86_64 ( 64 bit OS ) sudo yum installshibboleth (32 bit OS )
sudo apt-get update
sudo apt-get install libapache2-mod-shib2
sudo a2enmod shib
Configuration - Shibboleth SP
After installation Shibboleth configuration files are placed at /etc/shibboleth/. Necessary Apache configuration in /etc/httpd/conf.d/shib.conf (Redhat/Centos), /etc/apache2/conf-available/shib2.conf (Ubuntu). Make sure shib.conf is included in your Apache configuration file.
Download our sample attribute-map.xmland replace your /etc/shibboleth/attribute-map.xml with downloaded file. Our attribute-map.xml defines all commonly used attributes.
All attributes except groups defined in attribute-map.xml are released by default to all SP. Attribute "groups" is released on demand. Please specify your group names in Shibboleth Integration Request form. Shibboleth IDP doesn't support nested groups( for example group B is a member of group A, user C is a member of group B, IDP doesn't know user C is a member of group A) . If you have to use nested group, you need to convert nested group to dynamic group.
Download our sample shibboleth2.xml and replace your /etc/shibboleth/shibboleth2.xml with downloaded file. Open shibboleth2.xml in a text editor.
Update SP entityID:
Find <ApplicationDefaults entityID="https://mysite.cit.cornell.edu/shibboleth"... >. EntityID is the Unique identifier for your SP. Cornell Shibboleth Identity Provider(IDP) provides service to many applications. This entityID will help Cornell IDP to identify your SP. We recommend you follow shibboleth convention named it "https://xxx/shibboleth". It's better not include space or special characters in it( / and : are fine). One SP can server multiple sites in your Apache so it doesnotnecessarily equate to the hostname(s) at which your service runs.
Update the support contact:
Find <ErrorssupportContact="root@localhost" helpLocation="/about.html"styleSheet="/shibboleth-sp/main.css" />. Change the email address to your application's support email address. Change the helpLocation to your application's help page.
Update IDP info if you are configuring a test/dev site( skip this if you are configuring production site )
Find <MetadataProvider ... url="https://shibidp.cit.cornell.edu/idp/shibboleth" ..>. This is production IDP's metadata url. Comment out this block for your test site. Then un-comment MetadataProvider for Cornell test IDP.
Check if you have sp-signing-cert.pem and sp-encrypt-cert.pem in /etc/shibboleth directory. If they are not there, generate them.
generate a 10 year signing key
shib-keygen -n sp-signing -h yourServername -y 10 (your servername will be the CN of the certificate)
generate a 10 year encryption key
shib-keygen -n sp-encrypt -h yourServername -y 10
Update timeout if needed: In <Sessions lifetime="28800" timeout="3600>, maximum duration that a session maintained by the SP is set to 28800 seconds( 8 hours ), inactivity timeout is set to 3600 seconds( 1 hour ). You can modify them to meet your website's requirement. Detail information of timeout:https://wiki.shibboleth.net/confluence/display/SP3/Sessions
Start Shibboleth Service Provider and Apache
shibd is installed to /usr/sbin and may be managed using service and chkconfig (on System V platforms) or with systemctl (on systemd platforms, some additional information available).
On Centos 7, you can start shibd and apache by running
sudo systemctl start shibd
sudo systemctl start httpd
After you run the command, make sure shibd and httpd are running. Logs for Shibboleth SP are located at /var/log/shibboleth/. Take a look at /var/log/shibboleth/shibd_warn.log and make sure there is no error in there. You need to fix error if there is any and restart shibd and httpd.
Register Service Provider with Cornell IDP
Navigate to https://yoursiteDomain/Shibboleth.sso/Metadata and download it.Open your downloaded file with text editor. Some browser doesn't show metadata correctly in the browser. DO NOT copy the content in the browser. Make sure the entityID is the same as your defined in shibboleth2.xml. If there are multiple sites in Apache require Shibboleth authentication, you can get SP's metadata by navigating to one of the site, then you need to manually add consumer service url for all the other sites in your SP's metadata.
Example
In our example, SP's metadata can be obtained from https://shibtest.cit.cornell.edu/Shibboleth.sso/Metadata. In the metadata there should be a line:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibtest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="1"/>
Our example also have another site mytest.cit.cornell.edu, another AssertionConsumerService url for mytest.cit.cornell.edu need to be manually added in the metadata:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mytest.cit.cornell.edu/Shibboleth.sso/SAML2/POST" index="2"/>
If your site is configured with test IDP, you don't have to submit Shibboleth integration request form because test IDP supports anonymous SP. You can start testing the authentication of your site.
For sites configured with prod IDP, submit your shibboleth integration request from https://shibrequest.cit.cornell.edu. On the second page of request form, select 'No' for question "Has the application service provider's metadata been published with InCommon?". Use text editor open your SP's metadata, copy the content of the metadata and paste it in the "Service Provider's metadata field. Once the form is submitted, Identity Management get a Remedy case. We'll configure your SP in prod IDP in 1 - 2 business day. We'll notify you when the configuration is complete.
Configuration - Apache Access control
After you are notified that your metadata has been integrated in Cornell IDP, you can continue your configuration.
Open /etc/httpd/conf.d/shib.conf or /etc/apache2/conf-enabled/shib2.conf(ubuntu) in a text editor. If you are Not using default Apache installation, make sure this file is included in your Apache config. All the authorization rules should be defined in this file.
<Location /studentOnly>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr eduPersonPrimaryAffiliation student
</Location>
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shib-attr eduPersonAffiliations staff
</Location>
*eduPersonPrimaryAffiliation is single value attribute while eduPersonAffiliations is multi-values attribute.
For example, a staff who also taking courses at Cornell has staff as the value of eduPersonPrimaryAffiliation, has staff and student as the value of eduPersonAffiliations.
All the possible value of affiliations can be found at https://confluence.cornell.edu/display/IDM/edupersonprimaryaffiliation+and+edupersonaffiliation+details
After you finish the configuration, restart Apache.
Test SP integration with IdP
Confirm you are able to log in with your netID and user's attributes are properly released. To verify attribute release, in shibboleth2.xml, you need to set showAttributeValues to true and restart shibd, httpd.
Using a web browser, visit the /secure directory (or other protected location) of your SP.
If you are prompted to log in, that means that your SP is properly integrated with Cornell IdP.
After you log in, open a new tab of the same browser and point your web browser to https://<your dns name>/Shibboleth.sso/Session. Your browser should return a status page that show you all the attributes and values released to your SP.
Auto start shibd after server reboot
sudo systemctl enable shibd
Retrieve Shibboleth Attributes in Application
By default, Shibboleth attributes that released to your shibboleth SP are available to your application as environment variables, not available in HTTP headers. In your application, you should get authenticated user's netID from server variable REMOTE_USER.
If you have tomcat in your environment, since environment variables are not passed by mod_proxy_ajp unless they have AJP_ prefixes, you'll need to add attributePrefix="AJP_" to the <ApplicationDefaults> element in your configuration:
