Versions Compared

Old Version 4

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version 5

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview: How it Works



Installation Layout

Apache Configuration

Here is the entire content of the Apache configuration for using shibboleth

ServerName shrine-sso-node01.catalyst.harvard.edu

Timeout 300

ProxyTimeout 300

Set up proxy to Tomcat for URLs that start with shrine-api

ProxyIOBufferSize 65536


#### serve content from Tomcat

ProxyPassReverse "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"

ProxyPass "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"

Serve metadata dynamically but as though an XML file was being accessed, from Tomcat

#### serve metadata

ProxyPass "/sp-metadata.xml" "http://127.0.0.1:8080/shrine-api/sso/rest/util/sp-metadata"

as per https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335062/Apache

# "You do not have to set UseCanonicalName On, but you usually should ..."

UseCanonicalName On

The following tells Apache to use Shibboleth for authentication of any URL starting with "shrine-api":

#### whitelist URLs which need to be protected by Shibboleth

<LocationMatch "/shrine-api/">

  AuthType shibboleth

  ShibRequestSetting requireSession 1

  Require valid-user local

The following tells Shibboleth to make the attributes it collects from the idP available as request headers in Apache. This is the opposite of what is recommended. However the recommended (and default) setup (ShibUseEnvironment=On and ShibUseHeaders=Off) requires proxying to Tomcat using AJP, which we are not using.

  # as per https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig,

  # ShibUseEnvironment is strongly favored over ShibUseHeaders

  ShibUseEnvironment Off

  ShibUseHeaders On

</LocationMatch>


Shibboleth Configuration

Shibboleth consists of a Daemon plus an apache module. This Apache module must be configured for Shibboleth to intercept certain requests. When a request is intercepted, Shibboleth will decide whether the user (1) needs to login at the configured idP (which will present a login form to the user), or (2) is already logged in (and Shibboleth will let the request be served as if it wasn't there to intercept it)

...

<SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
< SAML2

Installation Layout

apache

Shibboleth

tomcat

Configuration

Tomcat Configuration

  • Accessing data received from the idP (Request Headers)

shibboleth2.xml

attribute-map.xml

sp.conf

Serving Metadata

Certificate

Developer tools

  • SAML 

...

Serving Metadata

...

Appendix: a Decent Book