Page History
...
idP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).
...
Filename | Location on SP | Notes | |||
---|---|---|---|---|---|
idp-metadata.xml | /etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata. | |||
key pair | /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem | Create a key pair; include the certificate (sp-cert.pem) in sp | -metadata.xmlidp-metadata.xml | /etc/shibboleth/idp-metadata.xml | A copy of your IdP's metadata.|
sp-metadata.xml | /var/www/html/sp-metadata.xml – if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) | To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL and share that URL with your idP's maintainers/admins; or omit from the SP, and instead email it to the IdP admins In either case, populate the public key certificate with yours | |||
attribute-map.xml | /etc/shibboleth/attribute-map.xml | Specifies the user-information that your IdP sends to the SP upon login | |||
sp.conf | /etc/httpd/conf.d/sp.conf | Tells Apache to require Shibboleth login for Shrine Urls (/shrine-api/*) . Tomcat should open port 8080 only to localhost (???), and should reside on the same host as your SP | |||
shibboleth2.xml | /etc/shibboleth/shibboleth2.xml | Specifies miscellaneous many aspects of your SP | |||
shrine.conf | /opt/shrine/tomcat/lib/shrine.conf | replace "shrine-sso-node01" with your own node name add the the shrine element: queryEntryPoint { |
...
<ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"
signing="true"
>
TBDSessions configuration documentation is available at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.-->
<Sessions
lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
...
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
We left this and the file (s) it points to unchanged:
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
...
<CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>
We left this and the file (s) it points to unchanged:
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
...