- Requirements Hardware
- Software that will be installed
- Other Requirements
- Installation Instructions
- Configuration Instructions
- Authors
- Thanks
- CPU: 2 Core
- RAM: 4 GB
- HDD: 20 GB
- ca-certificates
- ntp
- vim
- libapache2-mod-php, libapache2-mod-shib2, apache2 (>= 2.4)
- openssl
- Place the SSL Credentials into the right place:
- SSL Certificate: "
/etc/ssl/certs/ssl-sp.crt
" - SSL Key: "
/etc/ssl/private/ssl-sp.key
" - SSL CA: "
/usr/local/share/ca-certificates/ssl-ca.crt
" - Run the command: "
update-ca-certificates
"
- SSL Certificate: "
-
Become ROOT:
sudo su -
-
Change the default mirror with the GARR ones:
sed -i 's/deb.debian.org/mi.mirror.garr.it\/mirrors/g' /etc/apt/sources.list
apt update && apt upgrade
-
Install the packages required:
apt install ca-certificates vim openssl
-
Modify your
/etc/hosts
:-
vim /etc/hosts
127.0.1.1 sp.example.org sp
(Replace
sp.example.org
with your SP Full Qualified Domain Name) -
-
Be sure that your firewall doesn't block the traffic on port 443 (or you can't access to your SP)
-
***Define the costant
APACHE_LOG
,SHIB_SP
andSHIBD_LOG
inside/etc/environment
:-
vim /etc/environment
APACHE_LOG=/var/log/apache2 SHIB_SP=/etc/shibboleth SHIBD_LOG=/var/log/shibboleth
-
source /etc/environment
(OPTIONAL) Create a Certificate and a Key self-signed for HTTPS if you don't have yet the official ones provided by the Certificate Authority(DigicertCA):
openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-sp.key -out /etc/ssl/certs/ssl-sp.crt -nodes -days 1095
-
-
Become ROOT:
sudo su -
-
Install Shibboleth SP:
-
apt install apache2 libapache2-mod-shib2 libapache2-mod-php ntp --no-install-recommends
From this point the location of the SP directory is:
/etc/shibboleth
-
-
Modify the file
/etc/apache2/sites-available/default-ssl.conf
as follows:<IfModule mod_ssl.c> SSLStaplingCache shmcb:/var/run/ocsp(128000) <VirtualHost _default_:443> ServerName sp.example.org:443 ServerAdmin [email protected] DocumentRoot /var/www/html ... SSLEngine On ... SSLCertificateFile /etc/ssl/certs/ssl-sp.crt SSLCertificateKeyFile /etc/ssl/private/ssl-sp.key ... SSLCertificateChainFile /root/certificates/ssl-ca.pem ... SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" SSLHonorCipherOrder on # Disable SSL Compression SSLCompression Off # OCSP Stapling, only in httpd/apache >= 2.3.3 SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # Enable HTTP Strict Transport Security with a 2 year duration Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;preload" </VirtualHost> </IfModule>
-
Enable proxy_http, SSL and headers Apache2 modules:
a2enmod proxy_http ssl headers alias include negotiation
a2ensite default-ssl.conf
systemctl restart apache2.service
-
Configure Apache2 to open port 80 only for localhost:
-
vim /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also # have to change the VirtualHost statement in # /etc/apache2/sites-enabled/000-default.conf Listen 127.0.0.1:80 <IfModule ssl_module> Listen 443 </IfModule> <IfModule mod_gnutls.c> Listen 443 </IfModule>
-
-
Configure Apache2 to redirect all on HTTPS:
-
vim /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80> ServerName "sp.example.org" Redirect permanent "/" "https://sp.example.org/" RedirectMatch permanent ^/(.*)$ https://sp.example.org/$1 </VirtualHost>
-
systemctl reload apache2.service
-
-
Verify the strength of your SP's machine on:
-
Become ROOT:
sudo su -
-
Download Federation Metadata Signing Certificate:
-
cd /etc/shibboleth/
-
wget https://md.idem.garr.it/certs/idem-signer-20220121.pem -O federation-cert.pem
-
Check the validity:
-
cd /etc/shibboleth
-
openssl x509 -in federation-cert.pem -fingerprint -sha1 -noout
(sha1: D1:68:6C:32:A4:E3:D4:FE:47:17:58:E7:15:FC:77:A8:44:D8:40:4D)
-
openssl x509 -in federation-cert.pem -fingerprint -md5 -noout
(md5: 48:3B:EE:27:0C:88:5D:A3:E7:0B:7C:74:9D:24:24:E0)
-
-
-
Edit
shibboleth2.xml
opportunely:-
vim /etc/shibboleth/shibboleth2.xml
... <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"> ... <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true" cookieProps="https"> ... <!-- To install and Configure the Shibboleth Embedded Discovery Service follow: http://tiny.cc/howto-idem-shib-eds --> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.idem-test.garr.it/WAYF"> SAML2 </SSO> ... <MetadataProvider type="XML" uri="http://md.idem.garr.it/metadata/idem-test-metadata-sha256.xml" legacyOrgName="true" backingFilePath="idem-test-metadata-sha256.xml" reloadInterval="600"> <MetadataFilter type="Signature" certificate="federation-cert.pem"/> <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /> </MetadataProvider>
-
-
Create SP metadata credentials:
/usr/sbin/shib-keygen
shibd -t /etc/shibboleth/shibboleth2.xml
(Check Shibboleth configuration)systemctl restart shibd.service
-
Enable Shibboleth Apache2 configuration:
a2enmod shib2
systemctl reload apache2.service
-
Now you are able to reach your Shibboleth SP Metadata on:
https://sp.example.org/Shibboleth.sso/Metadata
(changesp.example.org
to you SP full qualified domain name)
-
Register you SP on IDEM Entity Registry (your entity have to be approved by an IDEM Federation Operator before become part of IDEM Test Federation):
- Go to
https://registry.idem.garr.it/
and follow "Insert a New Service Provider into the IDEM Test Federation"
- Go to
-
Create the Apache2 configuration for the application:
-
sudo su -
-
vim /etc/apache2/conf-available/secure.conf
RedirectMatch ^/$ /secure <Location /secure> Authtype shibboleth ShibRequireSession On require valid-user </Location>
-
a2enconf secure
-
-
Create the "
secure
" application into the DocumentRoot:-
mkdir /var/www/html/secure
-
vim /var/www/html/secure/index.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Example PHP Federated Application</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body> <p> <a href="https://sp.example.org/privacy.html">Privacy Policy</a> </p> <?php //The REMOTE_USER variable holds the name of the user authenticated by the web server. $name = getName(); print "<h1>Ciao " . $name . "!!!</h1>"; print "<p>Let see all other attributes:</p>"; print "<p>Your REMOTE_USER is <strong>" . $_SERVER["REMOTE_USER"] . "</strong></p>"; print "<p>Your email is <strong>" . $_SERVER['mail'] . "</strong></p>"; print "<p>Your eduPersonPrincipalName is <strong>" . $_SERVER["eppn"] . "</strong></p>"; print "<p>Your schacHomeOrganization is <strong>" . $_SERVER["schacHomeOrganization"] . "</strong></p>"; print "<p>Your schacHomeOrganizationType is <strong>" . $_SERVER["schacHomeOrganizationType"] . "</strong></p>"; ?> </body> </html> <?php function getName() { if (array_key_exists("displayName", $_SERVER)) { return implode(" ", explode(";", $_SERVER["displayName"])); } else if (array_key_exists("cn", $_SERVER)) { return implode(" ", explode(";", $_SERVER["cn"])); } else if (array_key_exists("givenName", $_SERVER) && array_key_exists("sn", $_SERVER)) { return implode(" ", explode(";", $_SERVER["givenName"])) . " " . implode(" ", explode(";", $_SERVER["sn"])); } return "Unknown"; } ?>
-
-
Install needed packages:
-
apt install libapache2-mod-php
-
systemctl restart apache2.service
-
- Enable attribute support by removing comment from the related content into "
/etc/shibboleth/attribute-map.xml
" - Disable First deprecated/incorrect version of
persistent-id
fromattribute-map.xml
-
Add a sessionHook for attribute checker:
sessionHook="/Shibboleth.sso/AttrChecker"
and themetadataAttributePrefix="Meta-"
toApplicationDefaults
:-
vim /etc/shibboleth/shibboleth2.xml
<ApplicationDefaults entityID="https://<HOST>/shibboleth" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2" sessionHook="/Shibboleth.sso/AttrChecker" metadataAttributePrefix="Meta-" >
-
-
Add the attribute checker handler with the list of required attributes to Sessions (in the example below:
displayName
,givenName
,mail
,cn
,sn
,eppn
,schacHomeOrganization
,schacHomeOrganizationType
). The attributes' names HAVE TO MATCH with those are defined onattribute-map.xml
:-
vim /etc/shibboleth/shibboleth2.xml
<!-- Attribute Checker --> <Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html" attributes="displayName givenName mail cn sn eppn schacHomeOrganization schacHomeOrganizationType" flushSession="true"/>
If you want to describe more complex scenarios with required attributes, operators such as "AND" and "OR" are available.
<Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html" flushSession="true"> <OR> <Rule require="displayName"/> <AND> <Rule require="givenName"/> <Rule require="surname"/> </AND> </OR> </Handler>
-
-
Add the element of the type="Metadata" next to the already existing type="XML": (
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
)-
vim /etc/shibboleth/shibboleth2.xml
<!-- Extracts support information for IdP from its metadata. --> <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName" InformationURL="informationURL" PrivacyStatementURL="privacyStatementURL" OrganizationURL="organizationURL"> <ContactPerson id="Technical-Contact" contactType="technical" formatter="$EmailAddress" /> <Logo id="Small-Logo" height="16" width="16" formatter="$_string"/> </AttributeExtractor>
-
-
Save and restart "shibd" service:
systemctl restart shibd.restart
-
Customize Attribute Checker template:
cd /etc/shibboleth
cp attrChecker.html attrChecker.html.orig
wget https://raw.githubusercontent.com/CSCfi/shibboleth-attrchecker/master/attrChecker.html -O attrChecker.html
sed -i 's/SHIB_//g' /etc/shibboleth/attrChecker.html
sed -i 's/eduPersonPrincipalName/eppn/g' /etc/shibboleth/attrChecker.html
sed -i 's/Meta-Support-Contact/Meta-Technical-Contact/g' /etc/shibboleth/attrChecker.html
sed -i 's/supportContact/technicalContact/g' /etc/shibboleth/attrChecker.html
sed -i 's/support/technical/g' /etc/shibboleth/attrChecker.html
There are three locations needing modifications to do on
attrChecker.html
:-
The pixel tracking link after the comment "PixelTracking". The Image tag and all required attributes after the variable must be configured here. After "
miss=
" define all required attributes you updated inshibboleth2.xml
using shibboleth tagging.Eg
<shibmlpifnot $attribute>-$attribute</shibmlpifnot>
(this echoes $attribute if it's not received by shibboleth). The attributes' names HAVE TO MATCH with those are defined onattribute-map.xml
.This example uses "
-
" as a delimiter. -
The table showing missing attributes between the tags "
<!--TableStart-->
" and "<!--TableEnd-->
". You have to insert again all the same attributes as above.Define row for each required attribute (eg:
displayName
below)<tr <shibmlpifnot displayName> class='warning text-danger'</shibmlpifnot>> <td>displayName</td> <td><shibmlp displayName /></td> </tr>
-
The email template between the tags "<textarea>" and "</textarea>". After "The attributes that were not released to the service are:".
Again define all required attributes using shibboleth tagging like in section 1 ( eg:
<shibmlpifnot $attribute> * $attribute</shibmlpifnot>
). The attributes' names HAVE TO MATCH with those are defined onattribute-map.xml
. Note that for SP identifier target URL is used instead of entityID. There arent yet any tag for SP entityID so you can replace this target URL manually.
-
Enable Logging:
-
Download an image 1x1 px from 'http://png-pixel.com/' and put it under /var/www/html/track.png (your DocumentRoot)
-
Result into /var/log/apache2/access.log:
./apache2/access.log:193.206.129.66 - - [20/Sep/2018:15:05:07 +0000] "GET /track.png?idp=https://garr-idp-test.irccs.garr.it/idp/shibboleth&miss=-SHIB_givenName-SHIB_cn-SHIB_sn-SHIB_eppn-SHIB_schacHomeOrganization-SHIB_schacHomeOrganizationType HTTP/1.1" 404 637 "https://sp.example.org/Shibboleth.sso/AttrChecker?return=https%3A%2F%2Fsp.example.org%2FShibboleth.sso%2FSAML2%2FPOST%3Fhook%3D1%26target%3Dss%253Amem%253A43af2031f33c3f4b1d61019471537e5bc3fde8431992247b3b6fd93a14e9802d&target=https%3A%2F%2Fsp.example.org%2Fsecure%2F"
-
-
Edit '
shibd
' init script:-
vim /etc/init.d/shibd
#...other lines... ### END INIT INFO # Import useful functions like 'status_of_proc' needed to 'status' . /lib/lsb/init-functions #...other lines... # Add 'status' operation status) status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2 exit 1 ;; esac exit 0
-
-
Create a new watchdog for '
shibd
':-
vim /etc/cron.hourly/watch-shibd.sh
#! /bin/bash SERVICE=/etc/init.d/shibd STOPPED_MESSAGE="failed" if [[ "`$SERVICE status`" == *"$STOPPED_MESSAGE"* ]]; then $SERVICE stop sleep 1 $SERVICE start fi
-
-
Reload daemon:
systemctl daemon-reload
- Marco Malavolti ([email protected])
- eduGAIN Wiki: For the original How to configure Shibboleth SP attribute checker