Versions Compared

Old Version 81

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version 82

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

IdP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).

...

FilenameLocation on SPNotes
idp-metadata.xml

/etc/shibboleth/idp-metadata.xml

A copy of your IdP's metadata.
key pair

/etc/shibboleth/sp-key.pem

/etc/shibboleth/sp-cert.pem

Create a key pair; include the certificate (sp-cert.pem) in sp-metadata.xml

sp-metadata.xml

/var/www/html/sp-metadata.xml 

– if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) 

To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL and share that URL with your IdP's maintainers/admins; or omit from the SP, and instead email it to the IdP admins

In either case, populate the public key certificate with yours

shibboleth2.xml/etc/shibboleth/shibboleth2.xmlSpecifies many aspects of your SP
attribute-map.xml /etc/shibboleth/attribute-map.xml Specifies the user-information that your IdP sends to the SP upon a successful SSO login
sp.conf/etc/httpd/conf.d/sp.conf

Tells Apache to require Shibboleth login for Shrine Urls (/shrine-api/*) .

Tomcat should open port 8080 only to localhost (???), and should reside on the same host as your SP

shrine.conf

override.conf

/opt/shrine/tomcat/lib/shrine.conf

/opt/shrine/tomcat/lib/override.conf

replace "shrine-sso-node01" with your own node name

add the following element under the top-level "shrine" element:

  queryEntryPoint {
   authenticationType = "sso"
 }

OR add the following line to override.conf:

shrine.queryEntryPoint.authenticationType = "sso"


server.xml/opt/shrine/tomcat/conf/server.xmlSet up as the receiving end of AJP over NIO2 connection with Apache 

Each of these files needs to be adjusted to the particulars of your site, your requirements. 

...

REMOTE_USER: how the REMOTE_USER attribute will be populated, in the form of a list of attribute names. Note that "ecommonsid" which is specific to HMS IT, comes first, so for this environment REMOTE_USER will be set to the value of "ecommonsid". Otherwise, the first attribute name from the list which matches the name of an attribute returned by the IdP will be used. "attributePrefix" must be set to "AJP_" so that the attributes from the "attribute-map.xml" file (see below) will be passed to Tomcat as request attributes (as opposed to request headers). See also server.xml on the same topic.

    <ApplicationDefaults entityID="https://shrine-sso-node01.catalyst.harvard.edu"
                         REMOTE_USER="ecommonsid eppn uid persistent-id targeted-id"
                         signing="true"
                         attributePrefix="AJP_"
    >

...

Our Shibboleth configuration has been pared down to the essential ( ? ). If needed, for instance if we want to add functionality to our Shibboleth installation, refer to shibboleth2.xml.dist

File idp-metadata.xml

Get from your IdP (Probably do not (need to) distribute ours)

File attribute-map.xml

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

...

    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig clientAuth="none" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"
               honorCipherOrder="true" ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,
               TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
            <Certificate certificateKeystoreFile="/opt/shrine/shrine.keystore"
                         certificateKeystorePassword="changeit"
                         certificateKeyAlias="*.catalyst.harvard.edu" />
        </SSLHostConfig>
    </Connector>

Configure the AJP connector. Note the "allowedRequestAttributesPattern=".*" attribute. That is needed for the AJP connection so that the attributes from the "attribute-map.xml" file (see above) will be passed to the ServletRequest object as request attributes (as opposed to request headers). See also shibboleth2.xml on the same topic.

<Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol" 
               proxyName="shrine-sso-node01"
               enableLookups="true"
               address="0.0.0.0"
                allowedRequestAttributesPattern=".*"
               port="8009" 
               secretRequired="false"
               redirectPort="6443" />

File sp-metadata.xml

The entityId attribute specifies who we are

...