Info |
---|
|
This page is now being maintained here AWoods 2012-07-05 |
Reference
IdP Instance Setup
- start up Alestic 32-bit Ubuntu 11.10 instance (ami-6ba27502)
- users
- prepare for staff accounts
- create staff account
- shib user
No Format |
---|
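# Service account the IdP is installed under: home populated from the staff
# skeleton, primary group "staff", interactive shell so install.sh can be run
# from a "sudo su shib" session later on.
sudo useradd -m -k /etc/skel-staff -s /bin/bash -g staff shib
# passwd prompts for the new password on the terminal. It must not be given as
# an argument: the original "[shib-password]" was a placeholder, passwd rejects
# a second argument, and anything on argv is visible to every user via ps and
# ends up in shell history.
sudo passwd shib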
|
- apt
Code Block |
---|
# Refresh the package index, then apply all pending upgrades non-interactively
# (order matters: upgrade works from the index fetched by update).
sudo apt-get update
sudo apt-get upgrade -y
|
- utils
Code Block |
---|
# unzip is needed to unpack the IdP distribution below; tree is a convenience only.
sudo apt-get install unzip
sudo apt-get install tree
|
- env
- add
No Format |
---|
# Java runtime used by the IdP installer; presumably added to the shib account's
# shell profile (this appears under the "shib user / env" step) so it is set in
# the "sudo su shib" session that runs install.sh.
JAVA_HOME=/usr/lib/jvm/java-6-openjdk/jre
export JAVA_HOME
|
Apache
- install
Code Block |
---|
# Apache with the threaded (worker) MPM; it fronts Tomcat over AJP and
# terminates TLS for the IdP.
sudo apt-get install apache2-mpm-worker -y
|
- backup original
Code Block |
---|
# Snapshot the stock Apache config before editing it. The copy is staged through
# /tmp because cp refuses to copy a directory into a subdirectory of itself;
# the staging name is predictable and /tmp is shared, so the mv back should
# follow immediately rather than leaving the copy there.
sudo cp -a /etc/apache2/ /tmp/2012-02-20.orig
sudo mkdir /etc/apache2/.backup
sudo mv /tmp/2012-02-20.orig/ /etc/apache2/.backup/
|
- modules
Code Block |
---|
# Apache modules for the IdP front end. authnz_ldap is enabled but nothing on
# this page uses it (LDAP setup is linked at the bottom); ssl + default-ssl give
# the TLS vhost that carries the Basic-auth login; rewrite is turned on in both
# sites; proxy/proxy_http/proxy_ajp back the ProxyPass to Tomcat's AJP port.
# libapache2-mod-proxy-html is installed here but never enabled with a2enmod.
sudo a2enmod authnz_ldap
sudo a2enmod ssl
sudo a2enmod rewrite
sudo apt-get install libapache2-mod-proxy-html
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo a2ensite default-ssl
|
- proxy
Code Block |
---|
# Edit the proxy module's server-wide config; the directives to add follow.
sudo vi /etc/apache2/mods-enabled/proxy.conf
|
No Format |
---|
# Access control for the reverse-proxied paths. "Allow from all" is acceptable
# only as long as ProxyRequests stays off (nothing on this page enables it);
# with forward proxying on, this block would create an open proxy.
<Proxy *>
AddDefaultCharset off
Order deny,allow
#Deny from all
#Allow from .example.com
Allow from all
</Proxy>
# Adds a Via header to proxied traffic (it reveals the proxy host name).
ProxyVia On
# Hands /idp/ to Tomcat's loopback AJP connector; the port must match the
# Connector in server.xml and workers.properties. Because this file is in
# mods-enabled, the mapping appears to apply to every vhost, the plain-HTTP
# default site included.
ProxyPass /idp/ ajp://localhost:8009/idp/
|
- apache default site
Code Block |
---|
# Edit the plain-HTTP default site; the lines to add follow.
sudo vi /etc/apache2/sites-enabled/000-default
|
- add
No Format |
---|
# Added to the plain-HTTP default site. Nothing on this page redirects port 80
# to HTTPS, and the Basic-auth <Location> is only added to default-ssl, so the
# server-wide ProxyPass from proxy.conf appears to leave /idp/ reachable over
# http without that protection.
ServerAdmin admin@duraspace.org
RewriteEngine On
RewriteOptions Inherit
|
- mod_ssl
Code Block |
---|
# Edit the mod_ssl module config; the directive to add follows.
sudo vi /etc/apache2/mods-enabled/ssl.conf
|
- add
No Format |
---|
# Requests a client certificate but neither requires one nor fails the
# handshake when its chain cannot be validated. SSL_CLIENT_* variables set in
# this mode are therefore not evidence of identity unless something downstream
# validates them; the Basic-auth RemoteUser login on this page does not use them.
SSLVerifyClient optional_no_ca
|
- apache cert
- ssl setup
Code Block |
---|
# Edit the TLS default site; the certificate and rewrite lines to add follow.
sudo vi /etc/apache2/sites-enabled/default-ssl
|
- add
No Format |
---|
# Added to the TLS default site.
# NOTE(review): ServerAdmin here (duracloud.org) differs from the one added to
# 000-default (duraspace.org) — confirm which is intended.
ServerAdmin admin@duracloud.org
RewriteEngine On
RewriteOptions Inherit
# Production certificate, private key and intermediate chain. The key under
# /etc/ssl/private must remain readable by root only. The commented-out lines
# are the Ubuntu self-signed "snakeoil" defaults and an earlier chain location.
SSLCertificateFile /etc/ssl/certs/duracloud.org.crt
SSLCertificateKeyFile /etc/ssl/private/duracloud.org.key
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
|
Tomcat
Code Block |
---|
# Servlet container that hosts idp.war; reached only through Apache over AJP.
sudo apt-get install tomcat6 -y
|
- tomcat, jk
Code Block |
---|
# Directories referenced by the jk listener added to server.xml below
# (logs/, and conf/jk for workers.properties / the generated mod_jk.conf).
sudo mkdir /usr/share/tomcat6/logs
sudo mkdir -p /usr/share/tomcat6/conf/jk
# Contents for workers.properties follow.
sudo vi /usr/share/tomcat6/conf/jk/workers.properties
|
No Format |
---|
# Single AJP worker; the port must agree with the AJP <Connector> in server.xml
# and with the ProxyPass target in Apache's proxy.conf.
worker.list = worker1
worker.worker1.type = ajp13
worker.worker1.port = 8009
worker.worker1.connection_pool_size = 1
worker.worker1.connection_pool_timeout = 60
|
Code Block |
---|
# Hand everything under /usr/share/tomcat6 (the unquoted glob is deliberate;
# it skips dot-entries) to the tomcat6 service account so it can write logs/
# and conf/jk. NOTE(review): this also makes Tomcat's own binaries and
# libraries writable by the account the webapps run as; limiting the chown to
# logs and conf/jk is likely enough — verify against what the jk listener writes.
sudo chown -R tomcat6 /usr/share/tomcat6/*
|
Code Block |
---|
# Keep a pristine copy of server.xml, then add the AJP connector / jk listener
# and comment out the HTTP connector as shown in the next two blocks.
sudo cp -a /var/lib/tomcat6/conf/server.xml /var/lib/tomcat6/conf/server.xml.orig
sudo vi /var/lib/tomcat6/conf/server.xml
|
- add
No Format |
---|
<!-- AJP connector that Apache's ProxyPass talks to. address="127.0.0.1" keeps
     it off the network; tomcatAuthentication="false" makes Tomcat accept the
     REMOTE_USER that Apache's Basic auth sets, so this port must never be
     reachable other than through Apache. -->
<Connector port="8009"
enableLookups="false" protocol="AJP/1.3"
tomcatAuthentication="false" address="127.0.0.1" />
<!-- NOTE(review): this listener is for mod_jk (mod_jk.so, generated
     conf/jk/mod_jk.conf), yet the Apache side on this page uses mod_proxy_ajp
     and no mod_jk install step is shown; confirm the listener is needed. -->
<Listener className="org.apache.jk.config.ApacheConfig" modJk="/usr/lib/apache2/modules/mod_jk.so" jkConfig="/usr/share/tomcat6/conf/jk/mod_jk.conf" workersConfig="/usr/share/tomcat6/conf/jk/workers.properties" />
|
- comment out
No Format |
---|
<!-- Disable the plain-HTTP connector so Tomcat is reachable only via the
     loopback AJP connector behind Apache. -->
<!--
<Connector port="8080...
-->
|
Identity Provider
Code Block |
---|
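# Fetch the IdP distribution and its detached OpenPGP signature into a scratch
# directory; the "tomcat endorsed" step later expects this exact path.
mkdir -p /tmp/shib
cd /tmp/shib || exit 1
wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.5-bin.zip
wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.5-bin.zip.asc
# Import the signing key before verifying (the original ran gpg on the .asc
# first, which can only report "no public key"). A1EAE3E8 is a short key id and
# is not enough on its own to identify a key, so print the full fingerprint and
# compare it with the one published by the Shibboleth project.
gpg --keyserver pgpkeys.mit.edu --recv-key A1EAE3E8
gpg --fingerprint A1EAE3E8    # compare with <FINGERPRINT-PUBLISHED-BY-SHIBBOLETH>
# Verify before unpacking and stop on a bad signature; the original unzipped
# unconditionally, so a failed check would have gone unnoticed.
gpg --verify shibboleth-identityprovider-2.3.5-bin.zip.asc shibboleth-identityprovider-2.3.5-bin.zip || exit 1
unzip shibboleth-identityprovider-2.3.5-bin.zip
# Install target owned by the unprivileged shib account so install.sh can write it.
sudo mkdir -p /opt/shibboleth-idp
sudo chown shib /opt/shibboleth-idp
cd /tmp/shib/shibboleth-identityprovider-2.3.5 || exit 1
# Interactive: "sudo su shib" opens a shell as shib and install.sh is run inside
# that shell (it is not a step that runs after su returns); the installer's
# prompts and answers are listed in the next block.
sudo su shib
./install.sh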
|
No Format |
---|
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
<enter>
The directory '/opt/shibboleth-idp' already exists. Would you like to overwrite this Shibboleth configuration? (yes, [no])
<yes>
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
<ama.duracloud.org> (entered at the time; the correct value is idp.dfr.duracloud.org)
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
<some-password>
|
- tomcat endorsed
Code Block |
---|
# Copy the XML libraries shipped with the IdP into Tomcat's endorsed directory,
# owned by root and readable by the tomcat6 group (the service account should
# not be able to replace them), then restart so Tomcat picks them up.
sudo mkdir /usr/share/tomcat6/endorsed
sudo chown root:tomcat6 /usr/share/tomcat6/endorsed
sudo cp /tmp/shib/shibboleth-identityprovider-2.3.5/endorsed/*.jar /usr/share/tomcat6/endorsed/
sudo chown root:tomcat6 /usr/share/tomcat6/endorsed/*.jar
sudo service tomcat6 restart
|
- apache basic auth
Code Block |
---|
# Add the Basic-auth <Location> shown next to the TLS site only.
sudo vi /etc/apache2/sites-enabled/default-ssl
|
- add
No Format |
---|
# Basic auth in front of the IdP's RemoteUser login handler; Apache forwards the
# authenticated REMOTE_USER to Tomcat over AJP (tomcatAuthentication="false" in
# server.xml). It lives in default-ssl so credentials only travel over TLS; the
# same path is not protected in 000-default.
<Location /idp/Authn/RemoteUser>
AuthType Basic
AuthName "DfR Identity Provider"
AuthUserFile /opt/shibboleth-idp/credentials/user.db
require valid-user
</Location>
|
- basic auth db
Code Block |
---|
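# Create the htpasswd file for the Basic-auth protected RemoteUser location.
# htpasswd prompts for the password on the terminal; -c creates (and would
# overwrite) the file, so drop it when adding further users later.
sudo htpasswd -c /opt/shibboleth-idp/credentials/user.db myself
sudo chown root:root /opt/shibboleth-idp/credentials/user.db
# The original notes recorded the chosen password as an executable line,
# "password=myself"; it is kept only as this comment so the credential is not a
# live assignment in the notes. NOTE(review): Apache reads this file at request
# time, so it must stay readable by the worker; if htpasswd left it
# world-readable, "chown root:www-data" plus "chmod 640" is the tighter choice.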
|
- tomcat deploy idp
Code Block |
---|
# The IdP runs as tomcat6 and writes its logs and the metadata backing file
# (relying-party.xml) into these directories. chgrp alone grants nothing;
# assumes install.sh left them group-writable — verify. Then deploy the war
# by dropping it into Tomcat's webapps directory.
sudo chgrp tomcat6 /opt/shibboleth-idp/logs
sudo chgrp tomcat6 /opt/shibboleth-idp/metadata
sudo cp /opt/shibboleth-idp/war/idp.war /var/lib/tomcat6/webapps/
|
- shib IdP configure
Code Block |
---|
# Keep the generated relying-party.xml, then point its URLMD provider at the
# SP metadata as shown below.
sudo cp /opt/shibboleth-idp/conf/relying-party.xml /opt/shibboleth-idp/conf/relying-party.xml.orig
sudo vi /opt/shibboleth-idp/conf/relying-party.xml
|
- Uncomment the URLMD <MetadataProvider>. Change the metadataURL to http://www.testshib.org/metadata/testshib-providers.xml and the backingFile to something like testshib.xml.
- Comment out the entire <MetadataFilter>, from the ChainingFilter on down. These filters check the expiration and signature on the metadata. While that's important for production, everyone already knows TestShib is untrustworthy. Note that the snippet below keeps the filter commented out even though its metadataURL points at the DuraCloud SP metadata rather than TestShib, so the expiry and signature checks are disabled for that source as well.
No Format |
---|
<!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
<!-- NOTE(review): with the filter chain below commented out this provider
     accepts whatever the URL (or the backing file already on disk) returns:
     no validUntil check and no signature validation. Tolerable for the dev SP
     only; restore the ChainingFilter before trusting production SP metadata.
     The backing file is written by the IdP, so /opt/shibboleth-idp/metadata
     has to be writable by the tomcat6 account (see the chgrp step). -->
<metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
metadataURL="https://dev.duracloud.org/Shibboleth.sso/Metadata"
backingFile="/opt/shibboleth-idp/metadata/dfr-sp-metadata.xml">
<!--
<metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
<metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
maxValidityInterval="P7D" />
<metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
trustEngineRef="shibboleth.MetadataTrustEngine"
requireSignedMetadata="true" />
<metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
<metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
</metadata:MetadataFilter>
</metadata:MetadataFilter>
-->
</metadata:MetadataProvider>
|
- attribute resolver
Code Block |
---|
# Keep the generated attribute-resolver.xml, then add the "principal"
# definition shown below.
sudo cp /opt/shibboleth-idp/conf/attribute-resolver.xml /opt/shibboleth-idp/conf/attribute-resolver.xml.orig
sudo vi /opt/shibboleth-idp/conf/attribute-resolver.xml
|
- add
No Format |
---|
<!-- Name Identifier related attributes -->
<!--
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
<resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>
-->
<!-- Releases the authenticated principal name (the REMOTE_USER from Apache's
     Basic auth) as the SAML 2 NameID in place of the transientId above. The
     nameFormat still says "transient" but the value is the real principal,
     so SPs receive a stable, identifying value, not an opaque one. -->
<resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>
|
- attribute filter
Code Block |
---|
# Keep the generated attribute-filter.xml, then add the release policy shown below.
sudo cp /opt/shibboleth-idp/conf/attribute-filter.xml /opt/shibboleth-idp/conf/attribute-filter.xml.orig
sudo vi /opt/shibboleth-idp/conf/attribute-filter.xml
|
- add
No Format |
---|
<!-- Releases "principal" to every relying party (PolicyRequirementRule ANY).
     In practice bounded by the single SP loaded through URLMD in
     relying-party.xml; for production scope this with a requester rule. -->
<afp:AttributeFilterPolicy id="releasePrincipalToAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="principal">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
|
- idp-metadata.xml
Code Block |
---|
# Keep the generated IdP metadata, then strip the port-8443 endpoints (this
# Tomcat only exposes the AJP connector, fronted by Apache on 443).
sudo cp /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idp-metadata.xml.orig
sudo vi /opt/shibboleth-idp/metadata/idp-metadata.xml
|
No Format |
---|
remove every endpoint whose Location uses port 8443 (this Tomcat only exposes the AJP connector, fronted by Apache on 443, so nothing serves that port)
|
- logging
Code Block |
---|
# Keep the generated logging.xml, then raise the levels as shown below.
sudo cp /opt/shibboleth-idp/conf/logging.xml /opt/shibboleth-idp/conf/logging.xml.orig
sudo vi /opt/shibboleth-idp/conf/logging.xml
|
No Format |
---|
from:
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="edu.internet2.middleware.shibboleth" level="INFO"/>
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml" level="WARN"/>
to:
<!-- DEBUG for the IdP, OpenSAML and the LDAP library is useful while bringing
     the instance up, but at this level the logs can include attribute values
     and message contents; return to INFO/WARN before production use. -->
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/>
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml" level="DEBUG"/>
<!-- Logs LDAP related messages -->
<logger name="edu.vt.middleware.ldap" level="DEBUG"/>
|
Restart
Code Block |
---|
# Reload both tiers so the Apache site/module edits and the IdP config take effect.
sudo service apache2 restart
sudo service tomcat6 restart
|
Register (optional)
This step is only used to test the IdP without a DuraSpace SP
LDAP Setup
here