Page Moved

This page is now being maintained here
AWoods 2012-07-14

Reference

SP Instance Setup

  1. start up Alestic 32-bit Ubuntu 11.10 instance (ami-6ba27502)
  2. apt
    sudo apt-get update
    sudo apt-get upgrade -y
    
  3. users
    1. prepare for staff accounts
    2. create staff account
    3. shib
      sudo useradd -m -k /etc/skel-staff -s /bin/bash -g staff shib
    sudo passwd shib
    (passwd prompts for the new password; enter [shib-password] at the prompt rather than on the command line, where it would be recorded in shell history and visible to other users via ps)
      
  4. utils
    sudo apt-get install unzip -y
    sudo apt-get install tree -y
    
  5. env
    vi ~/.bashrc
    
    • add
      export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/jre
      

apache

  1. install
    sudo apt-get install apache2-mpm-worker -y
    
  2. backup original
    sudo cp -a /etc/apache2/ /tmp/2012-02-21.orig
    sudo mkdir /etc/apache2/.backup
    sudo mv /tmp/2012-02-21.orig/ /etc/apache2/.backup/
    
  3. modules
    sudo a2enmod authnz_ldap
    sudo a2enmod ssl
    sudo a2enmod rewrite
    sudo apt-get install libapache2-mod-proxy-html
    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo a2enmod proxy_ajp
    sudo a2ensite default-ssl
    
  4. proxy (this is a reverse proxy: keep ProxyRequests Off, the Apache default, so that the `Allow from all` below does not turn the server into an open forward proxy)
    sudo vi /etc/apache2/mods-enabled/proxy.conf
    
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        #Deny from all
        #Allow from .example.com
        Allow from all
    </Proxy>
    
    ProxyVia On
    
    ProxyPass / ajp://localhost:8009/
    
  5. apache default site
    sudo vi /etc/apache2/sites-enabled/000-default
    
    • add
      ServerAdmin admin@duraspace.org
      
      RewriteEngine On
      RewriteOptions Inherit
      

apache cert

  1. reference
    sudo vi /etc/apache2/sites-enabled/default-ssl
    
    • add
      ServerAdmin admin@duracloud.org
      
      RewriteEngine On
      RewriteOptions Inherit
      
      SSLCertificateFile    /etc/ssl/certs/duracloud.org.crt
      SSLCertificateKeyFile /etc/ssl/private/duracloud.org.key
      #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
      #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
      
      SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
      #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
      

tomcat

sudo apt-get install tomcat6 -y
  1. tomcat, jk
    sudo mkdir /usr/share/tomcat6/logs
    sudo mkdir -p /usr/share/tomcat6/conf/jk
    sudo vi /usr/share/tomcat6/conf/jk/workers.properties
    
    worker.list = worker1
    worker.worker1.type = ajp13
    worker.worker1.port = 8009
    worker.worker1.connection_pool_size = 1
    worker.worker1.connection_pool_timeout = 60
    
    sudo chown -R tomcat6 /usr/share/tomcat6/*
    (this hands the whole tree to the service account, not just the logs/ and conf/jk/ directories created above; limiting the chown to those two directories keeps the rest of the install read-only for tomcat6)
    
    sudo cp -a /var/lib/tomcat6/conf/server.xml /var/lib/tomcat6/conf/server.xml.orig
    sudo vi /var/lib/tomcat6/conf/server.xml
    
    • add
      <Connector port="8009"
          enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
          tomcatAuthentication="false" address="127.0.0.1" />
      
      <Listener className="org.apache.jk.config.ApacheConfig" modJk="/usr/lib/apache2/modules/mod_jk.so" jkConfig="/usr/share/tomcat6/conf/jk/mod_jk.conf" workersConfig="/usr/share/tomcat6/conf/jk/workers.properties" />
      
  2. tomcat, sample.war
    1. deploy sample.war to /var/lib/tomcat6/webapps/

shib SP

  1. debian package
    sudo apt-get install libapache2-mod-shib2 -y
    note: a patch is required after the initial install attempt: https://bugs.launchpad.net/ubuntu/+source/shibboleth-sp2/+bug/884402 (borice 2011-11-22)
    sudo apt-get install libshibsp-dev -y
    sudo apt-get install libshibsp-doc
    sudo a2enmod shib2
    
  2. shibboleth2.xml update
    sudo cp /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.orig
    sudo vi /etc/shibboleth/shibboleth2.xml
    
    • diff of shibboleth2.xml and shibboleth2.xml.orig
  3. attribute-map.xml
    sudo cp /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.orig
    sudo vi /etc/shibboleth/attribute-map.xml
    
    • add
          <!-- Principal ID -->
          <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" id="principal-id"/>
      
  4. logger (DEBUG is for troubleshooting the SP; revert to INFO once it works, since debug output is verbose and may include session and attribute details)
    sudo cp /etc/shibboleth/shibd.logger /etc/shibboleth/shibd.logger.orig
    sudo vi /etc/shibboleth/shibd.logger
    
    from:
    log4j.rootCategory=INFO, shibd_log, warn_log
    to:
    log4j.rootCategory=DEBUG, shibd_log, warn_log
    
  5. shib keys http://www.ctrip.ufl.edu/shiboleth2-sp-on-debian-lenny-howto
    cd /usr/sbin
    sudo ./shib-keygen -h shib.dfr.duracloud.org
    
  6. shib / apache (note: `ShibUseHeaders On` in the httpd.conf block below exposes attributes as HTTP headers, which the SP documentation recommends against where possible because headers can be spoofed; it appears to be needed here so the webapp behind the AJP proxy can read them, so confirm that no other front end passes those headers through from clients)
    sudo vi /etc/apache2/sites-available/default-ssl
    
    • add at bottom
              <Location /sample/hello*>
                AuthType shibboleth
                ShibRequireSession On
                require valid-user
              </Location>
      
              <Location /sample/basic*>
                AuthType basic
                AuthName "Woods Basic"
                AuthUserFile /home/shib/shib.db
                require valid-user
              </Location>
      
              <LocationMatch /sample/[^b]>
                AuthType shibboleth
                ShibRequireSession On
                require valid-user
              </LocationMatch>
      
      sudo vi /etc/apache2/httpd.conf
      
    • add
      <Location />
       AuthType shibboleth
       ShibRequireSession Off
       require valid-user
       ShibUseHeaders On
       require shibboleth
      </Location>
      

restart

sudo service apache2 restart
sudo service tomcat6 restart
sudo service shibd restart

Test

  1. Hit the sample URL: https://dev.duracloud.org/sample/hello.jsp
    1. Verify that user is prompted for credentials (at least first time)
    2. Verify that REMOTE_USER is populated with username (on webpage)