Page Moved
This page is now being maintained here
AWoods 2012-07-05
Reference
IdP Instance Setup
- start up Alestic 32-bit Ubuntu 11.10 instance (ami-6ba27502)
- users
- prepare for staff accounts
- create staff account
- shib user
sudo useradd -m -k /etc/skel-staff -s /bin/bash -g staff shib
sudo passwd shib [shib-password]
- apt
sudo apt-get update
sudo apt-get upgrade -y
- utils
sudo apt-get install unzip
sudo apt-get install tree
- env
vi ~/.bashrc
- add
export JAVA_HOME=/usr/lib/jvm/java-6-openjdk/jre
Apache
- install
sudo apt-get install apache2-mpm-worker -y
- backup original
sudo cp -a /etc/apache2/ /tmp/2012-02-20.orig
sudo mkdir /etc/apache2/.backup
sudo mv /tmp/2012-02-20.orig/ /etc/apache2/.backup/
- modules
sudo a2enmod authnz_ldap
sudo a2enmod ssl
sudo a2enmod rewrite
sudo apt-get install libapache2-mod-proxy-html
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo a2ensite default-ssl
- proxy
sudo vi /etc/apache2/mods-enabled/proxy.conf
<Proxy *>
  AddDefaultCharset off
  Order deny,allow
  #Deny from all
  #Allow from .example.com
  Allow from all
</Proxy>
ProxyVia On
ProxyPass /idp/ ajp://localhost:8009/idp/
- apache default site
sudo vi /etc/apache2/sites-enabled/000-default
- add
ServerAdmin admin@duraspace.org
RewriteEngine On
RewriteOptions Inherit
- mod_ssl
sudo vi /etc/apache2/mods-enabled/ssl.conf
- add
SSLVerifyClient optional_no_ca
- apache cert
- ssl setup
sudo vi /etc/apache2/sites-enabled/default-ssl
- add
ServerAdmin admin@duracloud.org
RewriteEngine On
RewriteOptions Inherit
SSLCertificateFile /etc/ssl/certs/duracloud.org.crt
SSLCertificateKeyFile /etc/ssl/private/duracloud.org.key
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
Tomcat
sudo apt-get install tomcat6 -y
- tomcat, jk
sudo mkdir /usr/share/tomcat6/logs
sudo mkdir -p /usr/share/tomcat6/conf/jk
sudo vi /usr/share/tomcat6/conf/jk/workers.properties
worker.list = worker1
worker.worker1.type = ajp13
worker.worker1.port = 8009
worker.worker1.connection_pool_size = 1
worker.worker1.connection_pool_timeout = 60
sudo chown -R tomcat6 /usr/share/tomcat6/*
sudo cp -a /var/lib/tomcat6/conf/server.xml /var/lib/tomcat6/conf/server.xml.orig
sudo vi /var/lib/tomcat6/conf/server.xml
- add
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" tomcatAuthentication="false" address="127.0.0.1" />
<Listener className="org.apache.jk.config.ApacheConfig" modJk="/usr/lib/apache2/modules/mod_jk.so" jkConfig="/usr/share/tomcat6/conf/jk/mod_jk.conf" workersConfig="/usr/share/tomcat6/conf/jk/workers.properties" />
- comment out
<!-- <Connector port="8080... -->
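The server.xml edit above is the one place where this setup quietly depends on network placement: with tomcatAuthentication="false", Tomcat trusts whatever REMOTE_USER Apache forwards over AJP, so the 8009 connector must stay bound to 127.0.0.1 and the plain 8080 connector must stay commented out, otherwise anyone who can reach the port can hand the IdP an identity. The following check is an added example, not part of the original wiki page or of Tomcat; it parses a server.xml (the two inline samples are constructed to mirror the page's edit and its weak counterpart) and reports any connector that breaks that assumption.

```python
"""Sanity check for the Tomcat connector layout used with mod_proxy_ajp.

Added example (not from the original page). Parses server.xml and reports:
  - an AJP connector that is not bound to a loopback address, and
  - any non-AJP connector still enabled (traffic would bypass Apache).
A commented-out <Connector> is dropped by the XML parser, so it does not count.
"""
import xml.etree.ElementTree as ET

# Constructed sample matching the page: AJP on 127.0.0.1, HTTP/8080 commented out.
GOOD_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" /> -->
    <Connector port="8009" enableLookups="false" protocol="AJP/1.3"
               tomcatAuthentication="false" address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed sample of the weak layout: AJP on all interfaces, HTTP still enabled.
BAD_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def check_connectors(server_xml):
    """Return a list of findings; an empty list means the layout matches the page."""
    findings = []
    root = ET.fromstring(server_xml)
    saw_ajp = False
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")   # Tomcat's default when omitted
        port = conn.get("port")
        addr = conn.get("address")                 # None means bind to every interface
        if proto.startswith("AJP"):
            saw_ajp = True
            if addr not in LOOPBACK:
                findings.append(
                    f"AJP connector on port {port} is reachable off-host (address={addr}); "
                    "with tomcatAuthentication=false any client could assert REMOTE_USER")
        else:
            findings.append(
                f"non-AJP connector still enabled on port {port} ({proto}); "
                "requests on it bypass the Apache auth and TLS front end")
    if not saw_ajp:
        findings.append("no AJP connector found; ProxyPass to ajp://localhost:8009/idp/ will fail")
    return findings


def check_file(path):
    """Convenience wrapper for a real file, e.g. /var/lib/tomcat6/conf/server.xml."""
    with open(path) as fh:
        return check_connectors(fh.read())


if __name__ == "__main__":
    import sys
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_connectors(BAD_SERVER_XML)
    for line in findings or ["OK: AJP bound to loopback, no other connectors enabled"]:
        print(line)
```

Run it as `python check_connectors.py /var/lib/tomcat6/conf/server.xml` after the edit and again after any Tomcat package upgrade, since a replaced server.xml restores the 8080 connector.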
Identity Provider
mkdir /tmp/shib
cd /tmp/shib
wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.5-bin.zip
wget http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.5-bin.zip.asc
gpg shibboleth-identityprovider-2.3.5-bin.zip.asc
gpg --keyserver pgpkeys.mit.edu --recv-key A1EAE3E8
gpg shibboleth-identityprovider-2.3.5-bin.zip.asc
unzip shibboleth-identityprovider-2.3.5-bin.zip
sudo mkdir /opt/shibboleth-idp
sudo chown shib /opt/shibboleth-idp
cd /tmp/shib/shibboleth-identityprovider-2.3.5
sudo su shib
./install.sh
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]
  <enter>
The directory '/opt/shibboleth-idp' already exists. Would you like to overwrite this Shibboleth configuration? (yes, [no])
  <yes>
What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
  <ama.duracloud.org>  --> should be idp.dfr.duracloud.org
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
  <some-password>
- tomcat endorsed
sudo mkdir /usr/share/tomcat6/endorsed
sudo chown root:tomcat6 /usr/share/tomcat6/endorsed
sudo cp /tmp/shib/shibboleth-identityprovider-2.3.5/endorsed/*.jar /usr/share/tomcat6/endorsed/
sudo chown root:tomcat6 /usr/share/tomcat6/endorsed/*.jar
sudo service tomcat6 restart
- apache basic auth
sudo vi /etc/apache2/sites-enabled/default-ssl
- add
<Location /idp/Authn/RemoteUser>
  AuthType Basic
  AuthName "DfR Identity Provider"
  AuthUserFile /opt/shibboleth-idp/credentials/user.db
  require valid-user
</Location>
- basic auth db
sudo htpasswd -c /opt/shibboleth-idp/credentials/user.db myself
sudo chown root:root /opt/shibboleth-idp/credentials/user.db
password=myself
- tomcat deploy idp
sudo chgrp tomcat6 /opt/shibboleth-idp/logs
sudo chgrp tomcat6 /opt/shibboleth-idp/metadata
sudo cp /opt/shibboleth-idp/war/idp.war /var/lib/tomcat6/webapps/
Configure IdP
- shib IdP configure
sudo cp /opt/shibboleth-idp/conf/relying-party.xml /opt/shibboleth-idp/conf/relying-party.xml.orig
sudo vi /opt/shibboleth-idp/conf/relying-party.xml
- Uncomment the URLMD <MetadataProvider>. Change the metadataURL to http://www.testshib.org/metadata/testshib-providers.xml and the backingFile to something like testshib.xml.
- Comment out the entire <MetadataFilter>, from the ChainingFilter on down. These filters check the expiration and signature on the metadata. While that's important for production, everyone already knows TestShib is untrustworthy.
<!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
<metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           metadataURL="https://dev.duracloud.org/Shibboleth.sso/Metadata"
                           backingFile="/opt/shibboleth-idp/metadata/dfr-sp-metadata.xml">
  <!--
  <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
    <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P7D" />
    <metadata:MetadataFilter xsi:type="metadata:SignatureValidation" trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
    <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
      <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
    </metadata:MetadataFilter>
  </metadata:MetadataFilter>
  -->
</metadata:MetadataProvider>
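Commenting out the filter chain is the right shortcut for a TestShib run, but it is also exactly the kind of edit that survives into production unnoticed: without RequiredValidUntil and SignatureValidation the IdP will keep trusting a stale or tampered SP metadata file. The script below is an added example, not part of the original page or of Shibboleth; it parses a relying-party.xml, finds every HTTP-backed MetadataProvider and reports ones that fetch over plain http:// or have no active filter of those two types. The two inline fragments are constructed around the page's URLMD provider (namespace URIs as declared in an IdP 2.x relying-party.xml); a commented-out filter is invisible to the parser, which is the point of the check.

```python
"""Audit MetadataProvider elements in a Shibboleth IdP 2.x relying-party.xml.

Added example (not from the original page). Flags HTTP-backed providers that
fetch over http:// or lack an active SignatureValidation / RequiredValidUntil
filter. Filters that are commented out are not seen by the parser.
"""
import xml.etree.ElementTree as ET

NS_METADATA = "urn:mace:shibboleth:2.0:metadata"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def relying_party_fragment(filter_xml):
    """Constructed relying-party.xml fragment wrapping the page's URLMD provider."""
    return f"""<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:metadata="{NS_METADATA}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
      metadataURL="https://dev.duracloud.org/Shibboleth.sso/Metadata"
      backingFile="/opt/shibboleth-idp/metadata/dfr-sp-metadata.xml">
{filter_xml}
  </metadata:MetadataProvider>
</rp:RelyingPartyGroup>
"""


FILTER_CHAIN = """    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
      <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P7D" />
      <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
          trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
    </metadata:MetadataFilter>"""

# The page's test setup: filter chain present in the file but commented out.
TEST_SETUP = relying_party_fragment("    <!--\n" + FILTER_CHAIN + "\n    -->")
# The production shape: same provider with the filters left active.
PRODUCTION_SETUP = relying_party_fragment(FILTER_CHAIN)


def audit_metadata_providers(xml_text):
    """Return a list of findings for HTTP-backed providers; empty means nothing to fix."""
    findings = []
    root = ET.fromstring(xml_text)
    for prov in root.iter("{%s}MetadataProvider" % NS_METADATA):
        # xsi:type keeps its prefix as plain text, e.g. "metadata:FileBackedHTTPMetadataProvider"
        if not prov.get(XSI_TYPE, "").endswith("HTTPMetadataProvider"):
            continue  # chaining wrappers and filesystem providers are out of scope here
        pid = prov.get("id")
        url = prov.get("metadataURL", "")
        if not url.startswith("https://"):
            findings.append(f"{pid}: metadataURL is not https ({url})")
        # iter() descends into a ChainingFilter, so nested filters are seen too
        active = [f.get(XSI_TYPE, "") for f in prov.iter("{%s}MetadataFilter" % NS_METADATA)]
        if not any(t.endswith("SignatureValidation") for t in active):
            findings.append(f"{pid}: no active SignatureValidation filter")
        if not any(t.endswith("RequiredValidUntil") for t in active):
            findings.append(f"{pid}: no active RequiredValidUntil filter")
    return findings


def audit_file(path):
    """Convenience wrapper for a real file, e.g. /opt/shibboleth-idp/conf/relying-party.xml."""
    with open(path) as fh:
        return audit_metadata_providers(fh.read())


if __name__ == "__main__":
    import sys
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_metadata_providers(TEST_SETUP)
    for line in result or ["OK: all HTTP-backed providers fetch over https with signature and validUntil filters"]:
        print(line)
```

Running it against the configuration in this section reports two findings for URLMD (no active SignatureValidation, no active RequiredValidUntil); against the same provider with the chain uncommented it reports nothing.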
- attribute resolver
sudo cp /opt/shibboleth-idp/conf/attribute-resolver.xml /opt/shibboleth-idp/conf/attribute-resolver.xml.orig
sudo vi /opt/shibboleth-idp/conf/attribute-resolver.xml
- add
<!-- Name Identifier related attributes -->
<!--
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
  <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>
-->
<resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
  <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>
- attribute filter
sudo cp /opt/shibboleth-idp/conf/attribute-filter.xml /opt/shibboleth-idp/conf/attribute-filter.xml.orig
sudo vi /opt/shibboleth-idp/conf/attribute-filter.xml
- add
<afp:AttributeFilterPolicy id="releasePrincipalToAnyone">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="principal">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
- idp-metadata.xml
sudo cp /opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idp-metadata.xml.orig
sudo vi /opt/shibboleth-idp/metadata/idp-metadata.xml
- remove all endpoints that reference port 8443 (this IdP is only reached through Apache on 443)
- logging
sudo cp /opt/shibboleth-idp/conf/logging.xml /opt/shibboleth-idp/conf/logging.xml.orig
sudo vi /opt/shibboleth-idp/conf/logging.xml
from:
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="edu.internet2.middleware.shibboleth" level="INFO"/>
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml" level="WARN"/>
to:
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/>
<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml" level="DEBUG"/>
<!-- Logs LDAP related messages -->
<logger name="edu.vt.middleware.ldap" level="DEBUG"/>
Restart
sudo service apache2 restart
sudo service tomcat6 restart
Register (optional)
This step is only used to test the IdP without a DuraSpace SP.
- shib IdP register