Monday, July 30, 2012

Shibboleth SP part 1 (Installation)

SP Installation

  • On Debian 6, install the Shibboleth SP with these commands (the Apache module pulls in the shibd daemon, which must be running next to Apache):
apt-get update
apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas
  • Enable the Shibboleth SP module:
a2enmod shib2
and restart Apache.

SP Configuration

Apache module

  • Check that /etc/apache2/mods-enabled/shib2.conf contains the following (the Debian package ships the file; add whatever is missing):
ShibConfig /etc/shibboleth/shibboleth2.xml

# Used for example logo and style sheet in error templates.
<IfModule mod_alias.c>

 <Location /shibboleth-sp>
   Allow from all
 </Location>

 Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
 Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg

</IfModule>

<Files *.sso>
   SetHandler shib-handler
</Files>

Enable SSL

  • Install openssl and enable the Apache SSL module
apt-get install openssl
a2enmod ssl
  • Create a key and a self-signed certificate
Create the key:
openssl genrsa -out sp-key.pem 2048
Create the certificate (openssl prompts for the subject; use the host name as the Common Name):
openssl req -new -x509 -key sp-key.pem -out sp-cert.pem -days 1095
  • Load the certificate in the Apache configuration
Enable the SSL site:
a2ensite default-ssl
Copy both files to /etc/ssl/ (the key file should be readable by root only, chmod 600) and add the following lines inside the virtual host configuration (default-ssl). SSLCertificateFile takes the certificate and SSLCertificateKeyFile the private key; if the two are swapped, Apache refuses to start the SSL virtual host:
SSLEngine on
SSLCertificateFile    /etc/ssl/sp-cert.pem
SSLCertificateKeyFile /etc/ssl/sp-key.pem
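As an added example (not from the original post), the following shell script generates the key pair with a non-interactive subject, keeps the private key unreadable for other users, and checks that the certificate really belongs to the key. The same check catches a swapped SSLCertificateFile/SSLCertificateKeyFile pair before Apache is restarted. The directory, host name and file names are assumptions for the example.

```sh
#!/bin/sh
# Added example: generate the SP's HTTPS key pair and verify cert/key consistency.
# Directory, host name and file names are assumptions for the example.

# make_sp_cert DIR CN
#   Writes DIR/sp-key.pem (mode 0600) and a self-signed DIR/sp-cert.pem (mode 0644)
#   valid for 3 years, as on the page, but without the interactive prompts of "openssl req".
make_sp_cert() {
    dir=$1
    cn=$2
    # umask in a subshell so the key is created without group/other access
    (umask 077 && openssl genrsa -out "$dir/sp-key.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -key "$dir/sp-key.pem" -subj "/CN=$cn" \
        -days 1095 -out "$dir/sp-cert.pem" 2>/dev/null || return 1
    chmod 0644 "$dir/sp-cert.pem"
}

# cert_matches_key CERT KEY
#   Succeeds only if the public key inside CERT equals the public key derived from KEY.
#   Passing the files in the wrong order (key as certificate) fails, which is exactly
#   the mistake a swapped SSLCertificateFile/SSLCertificateKeyFile pair makes.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# key_is_private FILE
#   Succeeds if FILE has neither group nor world read permission.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Stand-alone run: generate into a scratch directory and report the checks.
work=$(mktemp -d)
make_sp_cert "$work" sp.example.com
cert_matches_key "$work/sp-cert.pem" "$work/sp-key.pem" && echo "certificate matches key"
cert_matches_key "$work/sp-key.pem" "$work/sp-cert.pem" || echo "swapped arguments rejected"
key_is_private "$work/sp-key.pem" && echo "key is not readable by other users"
rm -rf "$work"
```

Run cert_matches_key against the two paths you put into the SSLCertificate* directives before restarting Apache; the key file can then be moved into place with its 0600 mode intact.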

Shibboleth SP

  • The SP itself is configured in only two files, attribute-map.xml and shibboleth2.xml (the file referenced by ShibConfig above). For the Shibboleth IdP and SP to cooperate, the SP must have the IdP metadata and vice versa. The metadata can be copied manually or loaded automatically by configuration in shibboleth2.xml; in the automatic case, also configure the IdP's certificate so that the SP can verify the signature on the metadata it fetches.
  • In this example, three different applications (one virtual host each) share a single Shibboleth SP installation.

attribute-map.xml

  • Uncomment the attributes the application needs (matching the attributes released by the Shibboleth IdP), for example:
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
   <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>

<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<Attribute name="urn:oid:2.16.840.1.113719.1.1.4.1.25" id="group"/>
<Attribute name="urn:oid:2.16.840.1.113719.1.1.4.1.120" id="fn"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenname"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>

shibboleth2.xml

  • Edit the ISAPI section and add all virtual sites (this section is read only by the IIS module, so on Apache it has no effect, but it keeps the file complete):
<Site id="1" name="typo3.example.com"/>
<Site id="2" name="wordpress.example.com"/>
<Site id="3" name="moodle.example.com"/>
  • Edit the RequestMap section and add all virtual hosts (the Host names must match the server names Apache uses for the virtual hosts):
<Host name="typo3.example.com">
   <Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

<Host name="wordpress.example.com" applicationId="wp" authType="shibboleth" requireSession="true"/>
<Host name="moodle.example.com" applicationId="moodle" authType="shibboleth" requireSession="true"/>
  • Edit the ApplicationDefaults section:
<ApplicationDefaults id="default" policyId="default"
 entityID="https://typo3.example.com/shibboleth"
 homeURL="https://typo3.example.com"
 REMOTE_USER="uid eppn persistent-id targeted-id"
 signing="true" encryption="true">
  • Edit the SessionInitiator section and put the IdP entityID here:
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://idp.example.com/idp/shibboleth">
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
  • Edit the ApplicationOverride section (inside ApplicationDefaults) so that the different applications can share the same Shibboleth SP, each with its own entityID; the id values must match the applicationId values used in the RequestMap above:
<ApplicationOverride id="wp" entityID="https://wordpress.example.com/shibboleth"/>
<ApplicationOverride id="moodle" entityID="https://moodle.example.com/shibboleth"/>
  • Add the following inside the <MetadataProvider type="Chaining"> section to configure the IdP metadata:
  1. To fetch the IdP metadata automatically, use this configuration (and save the certificate that signs the IdP metadata to /etc/shibboleth/certificate/idp-cert.pem; the Signature filter rejects metadata that is unsigned or signed with any other key, so check the shibd log after the first reload):
    <MetadataProvider type="XML" uri="https://idp.example.com/idp/profile/Metadata/SAML" backingFilePath="/etc/shibboleth/idp-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="/etc/shibboleth/certificate/idp-cert.pem"/>
    </MetadataProvider>
    
  2. To load the IdP metadata from a local file (the path is relative to /etc/shibboleth), use this configuration:
    <MetadataProvider id="incommon" type="XML" file="idp-metadata.xml"/>
    
  • In the CredentialResolver section, define the path to the key and certificate the SP uses for SAML signing and decryption (here the web server's key pair is reused). This certificate is the one the SP publishes in its own metadata, and the key file must be readable by the shibd daemon (user _shibd on Debian):
<CredentialResolver type="File" key="/etc/ssl/private/server.key" certificate="/etc/ssl/certs/server.crt"/>
  • If automatic IdP metadata retrieval is used, copy the IdP certificate into the certificate directory named in the Signature filter.
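With three hosts, three application ids and three entityIDs in one file, it is easy to leave one side of the mapping out. The following shell script is an added example (not part of the Shibboleth distribution or of the original post) that checks a shibboleth2.xml for two such mistakes: a RequestMap applicationId that has no matching ApplicationOverride (requests for that host would then be handled by the default application and its entityID) and two applications sharing one entityID. It assumes that each <Host>, <Path> and <ApplicationOverride> element is written on one line, as on this page, and it writes a constructed excerpt of the page's configuration to a temporary file to run against.

```sh
#!/bin/sh
# Added example: consistency check between the RequestMap and the ApplicationOverride
# elements of a shibboleth2.xml. Assumes one element per line (attribute values are
# not split across lines). "default" is the ApplicationDefaults application and
# needs no override.

# requestmap_app_ids FILE  -> every applicationId value used in FILE, one per line
requestmap_app_ids() {
    grep -o 'applicationId="[^"]*"' "$1" | sed 's/^applicationId="\(.*\)"$/\1/' | sort -u
}

# override_ids FILE  -> the id of every <ApplicationOverride ...> element
override_ids() {
    grep -o '<ApplicationOverride[^>]* id="[^"]*"' "$1" \
        | sed 's/.* id="\([^"]*\)".*/\1/' | sort -u
}

# application_entity_ids FILE  -> entityID of ApplicationDefaults and of every override
application_entity_ids() {
    grep -E '<Application(Defaults|Override)' "$1" | grep -o 'entityID="[^"]*"' \
        | sed 's/^entityID="\(.*\)"$/\1/'
}

# check_app_overrides FILE
#   Returns 0 if every referenced applicationId has an override and all application
#   entityIDs are distinct; otherwise prints each problem and returns 1.
check_app_overrides() {
    cfg=$1
    rc=0
    for app in $(requestmap_app_ids "$cfg"); do
        [ "$app" = default ] && continue
        if ! override_ids "$cfg" | grep -qxF -- "$app"; then
            echo "applicationId=\"$app\" is used in the RequestMap but has no <ApplicationOverride id=\"$app\">"
            rc=1
        fi
    done
    for eid in $(application_entity_ids "$cfg" | sort | uniq -d); do
        echo "entityID $eid is used by more than one application"
        rc=1
    done
    return $rc
}

# write_sample_config FILE  -> constructed excerpt with the three hosts from this page
write_sample_config() {
    cat > "$1" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="typo3.example.com">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="wordpress.example.com" applicationId="wp" authType="shibboleth" requireSession="true"/>
      <Host name="moodle.example.com" applicationId="moodle" authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" policyId="default" entityID="https://typo3.example.com/shibboleth">
    <ApplicationOverride id="wp" entityID="https://wordpress.example.com/shibboleth"/>
    <ApplicationOverride id="moodle" entityID="https://moodle.example.com/shibboleth"/>
  </ApplicationDefaults>
</SPConfig>
EOF
}

# Stand-alone run against the sample. On a real host call:
#   check_app_overrides /etc/shibboleth/shibboleth2.xml
sample=$(mktemp)
write_sample_config "$sample"
check_app_overrides "$sample" && echo "RequestMap and ApplicationOverride elements are consistent"
rm -f "$sample"
```

This is a text-level check, not an XML parse; it complements rather than replaces the SP's own configuration test (shibd -t), which catches schema errors but not a host that silently ends up under the wrong application.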

Additional Configuration in Shibboleth IDP

  • After configuring the SP, activate the SP metadata on the IdP server in relying-party.xml, for example:
<MetadataProvider id="T3MD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataURL="https://typo3.example.com/Shibboleth.sso/Metadata"
    backingFile="/opt/shibboleth-idp/metadata/typo3-metadata-backingFile.xml">
  <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
    <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
        trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="false" />
    <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
  </MetadataFilter>
</MetadataProvider>
  • Set requireSignedMetadata="false" only if <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> is defined in shibboleth2.xml (SP configuration); the IdP then has nothing but the HTTPS connection to the SP to vouch for the metadata it downloads.
  • Load the SP certificate inside the security:TrustEngine section:
<security:Credential id="typo3Cert" xsi:type="security:X509Filesystem">
  <security:Certificate>/opt/shibboleth-idp/credentials/typo3-cert.crt</security:Certificate>
</security:Credential>
  • Import the SP certificate into the Java keystore, so that the IdP's JVM accepts the SP's self-signed HTTPS certificate when it fetches the metadata (keytool asks for the keystore password, which is "changeit" unless it was changed):
keytool -import -trustcacerts -alias "typo3" -file credentials/typo3-cert.crt -keystore /usr/lib/jvm/jdk1.6.0_30/jre/lib/security/cacerts
  • To allow only specific SPs to retrieve attributes, edit attribute-filter.xml and add the SP entityIDs inside the AttributeFilterPolicy section:
<afp:AttributeFilterPolicy id="releaseToSpecificSP">
   <afp:PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://typo3.example.com/shibboleth" />
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://moodle.example.com/shibboleth" />
   </afp:PolicyRequirementRule>
   ...
</afp:AttributeFilterPolicy>

