Versions Compared

Old Version 67

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version 68

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

idP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).

...

-metadata.xmlidpA copy of your IdP's metadata.
FilenameLocation on SPNotes
idp-metadata.xml

/etc/shibboleth/idp-metadata.xml

A copy of your IdP's metadata.
key pair

/etc/shibboleth/sp-key.pem

/etc/shibboleth/sp-cert.pem

Create a key pair; include the certificate (sp-cert.pem) in sp

-metadata.xml

/etc/shibboleth/idp-metadata.xml

sp-metadata.xml

/var/www/html/sp-metadata.xml 

– if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) 

To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL and share that URL with your idP's maintainers/admins; or omit from the SP, and instead email it to the IdP admins

In either case, populate the public key certificate with yours

attribute-map.xml /etc/shibboleth/attribute-map.xml Specifies the user-information that your IdP sends to the SP upon login
sp.conf/etc/httpd/conf.d/sp.conf

Tells Apache to require Shibboleth login for Shrine Urls (/shrine-api/*) .

Tomcat should open port 8080 only to localhost (???), and should reside on the same host as your SP

shibboleth2.xml/etc/shibboleth/shibboleth2.xmlSpecifies miscellaneous many aspects of your SP

shrine.conf

/opt/shrine/tomcat/lib/shrine.conf

replace "shrine-sso-node01" with your own node name

add the the shrine element:

  queryEntryPoint {
   authenticationType = "sso"
 }

...

    <ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
                         REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"
                         signing="true"
    >

TBDSessions configuration documentation is available at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions

<!--
 Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
 You MUST supply an effectively unique handlerURL value for each of your applications.
 The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
 a relative value based on the virtual host. Using handlerSSL="true", the default, will force
 the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
 Note that while we default checkAddress to "false", this has a negative impact on the
 security of your site. Stealing sessions via cookie theft is much easier with this disabled.
 -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">

...

<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

We left this and the file (s) it points to unchanged:

<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

...

<CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>

We left this and the file (s) it points to unchanged:

<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

...