
...

IdP (Identity Provider): a web-based system that authenticates a user on behalf of another system, the SP (Service Provider).

...

 /var/www/html ← Apache static content as set in, for instance, /etc/httpd/conf/httpd.conf

Quick

...

Instructions for Adjusting Configuration and Getting Going 

The following instructions are meant to get you going as quickly as possible. If you want a better understanding of what's going on, see the next section of this document.

There are eight configuration files that need to go on the host that is running shibd (Shibboleth SP). They will be installed upon installing Shibboleth SP, and they need to be overlaid/modified to reflect your installation, as follows:

Filename | Location on SP | Notes
--- | --- | ---
key pair | /etc/shibboleth/sp-key.pem and /etc/shibboleth/sp-cert.pem | Create a key pair; include the certificate (sp-cert.pem) in sp-metadata.xml.
idp-metadata.xml | /etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata.
sp-metadata.xml | /var/www/html/sp-metadata.xml (if your Apache sets DocumentRoot to /var/www/html, for instance in /etc/httpd/conf/httpd.conf) | To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL and share that URL with your IdP's maintainers/admins); or omit it from the SP and instead email it to the IdP admins. In either case, populate the public key certificate with yours.
attribute-map.xml | /etc/shibboleth/attribute-map.xml | Specifies the user information that your IdP sends to the SP upon login.
sp.conf | /etc/httpd/conf.d/sp.conf | Tells Apache to require Shibboleth login for Shrine URLs (/shrine-api/*). Tomcat should open port 8080 only to localhost (???), and should reside on the same host as your SP.
shibboleth2.xml | /etc/shibboleth/shibboleth2.xml | Specifies miscellaneous aspects of your SP.
shrine.conf | /opt/shrine/tomcat/lib/shrine.conf | Replace "shrine-sso-node01" with your own node name, and add the shrine element: queryEntryPoint { authenticationType = "sso" }

...

The following tells Shibboleth to make the attributes it collects from the IdP available as request headers in Apache. This is the opposite of what is recommended: the Shibboleth documentation says that ideally ShibUseEnvironment should be On (resulting in request attributes) and ShibUseHeaders should be Off, because a header can be supplied by any client whose request reaches the application without passing through the Shibboleth module, which is why Tomcat must accept connections only from localhost (see above). However, the recommended setup requires proxying to Tomcat using the AJP protocol, which we are not using because it is being phased out of Tomcat (so we are proxying using the HTTP protocol). Also see https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig.
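As an added example (not the page's own sp.conf), here is how these directives fit together for the /shrine-api path from the table above; the backend URL http://localhost:8080 and the use of Apache 2.4 authorization syntax are assumptions:

```apache
# Constructed example of /etc/httpd/conf.d/sp.conf (not the project's file).
# Requires mod_shib and mod_proxy_http to be loaded.
<Location /shrine-api>
    # Force a Shibboleth session: unauthenticated users are sent to the IdP.
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session

    # Pass the mapped attributes (ids from attribute-map.xml) to Tomcat as
    # request headers, because HTTP proxying cannot carry environment variables.
    # This is the discouraged mode described above; it is only safe when the
    # backend cannot be reached except through this Apache instance.
    ShibUseHeaders On
    ShibUseEnvironment Off

    # Proxy to Tomcat over plain HTTP on the same host (assumed port 8080).
    ProxyPass        http://localhost:8080/shrine-api
    ProxyPassReverse http://localhost:8080/shrine-api
</Location>
```

Pair this with a Tomcat HTTP connector bound to 127.0.0.1 (the address attribute of the Connector element in server.xml), so that the headers Tomcat trusts can only originate from mod_shib.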

...

Shibboleth consists of a daemon (shibd) plus an Apache module. This Apache module must be configured for Shibboleth to intercept certain requests (see Apache Configuration above). When a request is intercepted, Shibboleth decides whether the user (1) needs to log in at the configured IdP (which will present a login form to the user), or (2) is already logged in (in which case Shibboleth lets the request be served as if it had not intercepted it).

...

REMOTE_USER: how REMOTE_USER will be populated. Note that "ecommonsid", which is specific to HMS IT, comes first, so for this environment REMOTE_USER will be set to the value of "ecommonsid". Otherwise, the first attribute name in the list that matches an attribute returned by the IdP will be used.

...