Page Moved

This page is now being maintained here
AWoods 2012-07-05

Reference

IdP Instance Setup

  1. start up Alestic 32-bit Ubuntu 11.10 instance (ami-6ba27502)
  2. users
    1. prepare for staff accounts
    2. create staff account
    3. shib user
      sudo useradd -m -k /etc/skel-staff -s /bin/bash -g staff shib
      sudo passwd shib          (enter the shib password at the prompt; passwd does not accept it as an argument, and passing it on the command line would leave it in shell history)
      
  3. apt
    sudo apt-get update
    sudo apt-get upgrade -y
    
  4. utils
    sudo apt-get install unzip
    sudo apt-get install tree
    
  5. env
    vi ~/.bashrc
    
    • add
      export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/jre
      

Apache

  1. install
    sudo apt-get install apache2-mpm-worker -y
    
  2. backup original
    sudo cp -a /etc/apache2/ /tmp/2012-02-20.orig
    sudo mkdir /etc/apache2/.backup
    sudo mv /tmp/2012-02-20.orig/ /etc/apache2/.backup/
    
  3. modules
    sudo a2enmod authnz_ldap
    sudo a2enmod ssl
    sudo a2enmod rewrite
    sudo apt-get install libapache2-mod-proxy-html
    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo a2enmod proxy_ajp
    sudo a2ensite default-ssl
    
  4. proxy (this ProxyPass lives in mods-enabled/proxy.conf, so it is global: /idp/ is proxied on the plain-HTTP default site as well as on default-ssl; ProxyRequests stays at its default Off, so `Allow from all` only affects the reverse proxy, not a forward proxy)
    sudo vi /etc/apache2/mods-enabled/proxy.conf
    
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        #Deny from all
        #Allow from .example.com
        Allow from all
    </Proxy>
    
    ProxyVia On
    
    ProxyPass /idp/ ajp://localhost:8009/idp/
    
  5. apache default site
    sudo vi /etc/apache2/sites-enabled/000-default
    
    • add
      ServerAdmin admin@duraspace.org
      
      RewriteEngine On
      RewriteOptions Inherit
      
  6. mod_ssl (optional_no_ca lets a client present a certificate without the CA chain being validated; the certificate is passed through but must not be treated as authenticated on its own)
    sudo vi /etc/apache2/mods-enabled/ssl.conf
    
    • add
      SSLVerifyClient optional_no_ca
      
  7. apache cert
    1. ssl setup
      sudo vi /etc/apache2/sites-enabled/default-ssl
      
      • add
        ServerAdmin admin@duracloud.org
        
        RewriteEngine On
        RewriteOptions Inherit
        
        SSLCertificateFile    /etc/ssl/certs/duracloud.org.crt
        SSLCertificateKeyFile /etc/ssl/private/duracloud.org.key
        #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        
        SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
        

Tomcat

sudo apt-get install tomcat6 -y
  1. tomcat, jk (note that the `chown -R tomcat6 /usr/share/tomcat6/*` below makes the whole Tomcat install writable by the service account; only the logs and conf/jk directories created here actually need it)
    sudo mkdir /usr/share/tomcat6/logs
    sudo mkdir -p /usr/share/tomcat6/conf/jk
    sudo vi /usr/share/tomcat6/conf/jk/workers.properties
    
    worker.list = worker1
    worker.worker1.type = ajp13
    worker.worker1.port = 8009
    worker.worker1.connection_pool_size = 1
    worker.worker1.connection_pool_timeout = 60
    
    sudo chown -R tomcat6 /usr/share/tomcat6/*
    
    sudo cp -a /var/lib/tomcat6/conf/server.xml /var/lib/tomcat6/conf/server.xml.orig
    sudo vi /var/lib/tomcat6/conf/server.xml
    
    • add (keep the AJP connector bound to 127.0.0.1: with tomcatAuthentication="false" Tomcat trusts whatever REMOTE_USER Apache forwards over AJP, so the port must not be reachable from outside the host)
      <Connector port="8009"
          enableLookups="false" protocol="AJP/1.3"
          tomcatAuthentication="false" address="127.0.0.1" />
      
      <Listener className="org.apache.jk.config.ApacheConfig" modJk="/usr/lib/apache2/modules/mod_jk.so" jkConfig="/usr/share/tomcat6/conf/jk/mod_jk.conf" workersConfig="/usr/share/tomcat6/conf/jk/workers.properties" />
      
    • comment out
      <!--
       <Connector port="8080...
      -->
      

Identity Provider (the zip is fetched over plain HTTP and the signing key is fetched by its 32-bit short ID A1EAE3E8, so check that gpg reports a good signature and confirm the key's full fingerprint out of band before unzipping)

mkdir /tmp/shib
cd /tmp/shib
wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.5-bin.zip
wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.5-bin.zip.asc
gpg shibboleth-identityprovider-2.3.5-bin.zip.asc
gpg --keyserver pgpkeys.mit.edu --recv-key A1EAE3E8
gpg shibboleth-identityprovider-2.3.5-bin.zip.asc

unzip shibboleth-identityprovider-2.3.5-bin.zip

sudo mkdir /opt/shibboleth-idp
sudo chown shib /opt/shibboleth-idp

cd /tmp/shib/shibboleth-identityprovider-2.3.5
sudo su shib
./install.sh
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
<enter>
The directory '/opt/shibboleth-idp' already exists.  Would you like to overwrite this Shibboleth configuration? (yes, [no])
<yes>
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
<ama.duracloud.org>   (note: the hostname entered here should be idp.dfr.duracloud.org)
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
<some-password>
  1. tomcat endorsed
    sudo mkdir /usr/share/tomcat6/endorsed
    sudo chown root:tomcat6 /usr/share/tomcat6/endorsed
    sudo cp /tmp/shib/shibboleth-identityprovider-2.3.5/endorsed/*.jar /usr/share/tomcat6/endorsed/
    sudo chown root:tomcat6 /usr/share/tomcat6/endorsed/*.jar
    sudo service tomcat6 restart
    
  2. apache basic auth (this Location is added to default-ssl only, so the Basic credentials travel over TLS; do not copy it into the plain-HTTP 000-default site)
    sudo vi /etc/apache2/sites-enabled/default-ssl
    
    • add
      <Location /idp/Authn/RemoteUser>
              AuthType Basic
              AuthName "DfR Identity Provider"
              AuthUserFile /opt/shibboleth-idp/credentials/user.db
              require valid-user
      </Location>
      
  3. basic auth db
    sudo htpasswd -c /opt/shibboleth-idp/credentials/user.db myself
    sudo chown root:root /opt/shibboleth-idp/credentials/user.db
    (password entered at the htpasswd prompt: myself)
    
  4. tomcat deploy idp
    sudo chgrp tomcat6 /opt/shibboleth-idp/logs
    sudo chgrp tomcat6 /opt/shibboleth-idp/metadata
    sudo cp /opt/shibboleth-idp/war/idp.war /var/lib/tomcat6/webapps/
    

Configure IdP

  1. shib IdP configure
    sudo cp /opt/shibboleth-idp/conf/relying-party.xml /opt/shibboleth-idp/conf/relying-party.xml.orig
    sudo vi /opt/shibboleth-idp/conf/relying-party.xml
    
    • Uncomment the URLMD <MetadataProvider>. Change the metadataURL to http://www.testshib.org/metadata/testshib-providers.xml and the backingFile to something like testshib.xml.
    • Comment out the entire <MetadataFilter>, from the ChainingFilter on down. These filters check the expiration and signature on the metadata. While that's important for production, everyone already knows TestShib is untrustworthy. Note that the snippet below points metadataURL at https://dev.duracloud.org/Shibboleth.sso/Metadata rather than TestShib while still leaving the filters commented out; the RequiredValidUntil and SignatureValidation filters should be re-enabled before this configuration is used with a real SP.
              <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
              <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider" 
                              metadataURL="https://dev.duracloud.org/Shibboleth.sso/Metadata"
                              backingFile="/opt/shibboleth-idp/metadata/dfr-sp-metadata.xml">
                  <!--
                  <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
                      <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" 
                                      maxValidityInterval="P7D" />
                      <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                      trustEngineRef="shibboleth.MetadataTrustEngine"
                                      requireSignedMetadata="true" />
                          <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
                          <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
                      </metadata:MetadataFilter>
                  </metadata:MetadataFilter>
                  -->
              </metadata:MetadataProvider>
      
  2. attribute resolver
    sudo cp /opt/shibboleth-idp/conf/attribute-resolver.xml /opt/shibboleth-idp/conf/attribute-resolver.xml.orig
    sudo vi /opt/shibboleth-idp/conf/attribute-resolver.xml
    
    • add
          <!-- Name Identifier related attributes -->
      <!--
          <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
              <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
              <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
          </resolver:AttributeDefinition>
      -->
      
          <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
              <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                  nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
          </resolver:AttributeDefinition>
      
  3. attribute filter
    sudo cp /opt/shibboleth-idp/conf/attribute-filter.xml /opt/shibboleth-idp/conf/attribute-filter.xml.orig
    sudo vi /opt/shibboleth-idp/conf/attribute-filter.xml
    
    • add
          <afp:AttributeFilterPolicy id="releasePrincipalToAnyone">
              <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
              <afp:AttributeRule attributeID="principal">
                  <afp:PermitValueRule xsi:type="basic:ANY" />
              </afp:AttributeRule>
          </afp:AttributeFilterPolicy>
      
  4. idp-metadata.xml
    sudo cp /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idp-metadata.xml.orig
    sudo vi /opt/shibboleth-idp/metadata/idp-metadata.xml
    
    remove every endpoint that uses port 8443 (the Apache/AJP setup above serves the IdP on 443 only)
    
  5. logging (DEBUG level is for troubleshooting the initial setup and is verbose; restore the original INFO/WARN levels once the IdP is working)
    sudo cp /opt/shibboleth-idp/conf/logging.xml /opt/shibboleth-idp/conf/logging.xml.orig
    sudo vi /opt/shibboleth-idp/conf/logging.xml
    
    from:
        <!-- Logs IdP, but not OpenSAML, messages -->
        <logger name="edu.internet2.middleware.shibboleth" level="INFO"/>
    
        <!-- Logs OpenSAML, but not IdP, messages -->
        <logger name="org.opensaml" level="WARN"/>
    
    to: 
        <!-- Logs IdP, but not OpenSAML, messages -->
        <logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/>
    
        <!-- Logs OpenSAML, but not IdP, messages -->
        <logger name="org.opensaml" level="DEBUG"/>
    
        <!-- Logs LDAP related messages -->
        <logger name="edu.vt.middleware.ldap" level="DEBUG"/>
    

Restart

sudo service apache2 restart
sudo service tomcat6 restart

Register (optional)

This step is only used to test the IdP without a DuraSpace SP

LDAP Setup

here
