Versions Compared

Old Version 113

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version 114

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

IdP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).

...

FilenameLocation on SPNotes
idp-metadata.xml

/etc/shibboleth/idp-metadata.xml

A copy of your IdP's metadata. You'll need to ask the admins of your iDP for a copy of it.
key pair

/etc/shibboleth/sp-key.pem

/etc/shibboleth/sp-cert.pem

Create a key pair; include the content of the certificate (sp-cert.pem) in sp-metadata.xml, and the paths of the key and certificate xml as xml attributes in of the <CredentialResolver> element of shibboleth2.xml

sp-metadata.xml

/var/www/html/sp-metadata.xml 

– if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) 

To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL and share that URL with your IdP's maintainers/admins); or omit from the SP's web server, and instead email it to the IdP admins whenever it changes (if it does)

In either case, populate the entityID, public key certificate, and consumer service location with yours

shibboleth2.xml/etc/shibboleth/shibboleth2.xmlSpecifies many aspects of your SP. You need to populate the <ApplicationDefaults> element's entityID and REMOTE_USER xml attributes, and  and the <SSO> element's entityID xml attribute. Note that we do not make use of the REMOTE_USER xml attribute in our implementation. The remote user is specified in the attribute-map.xml instead of in shibboleth2.xml. 
attribute-map.xml /etc/shibboleth/attribute-map.xml The file name and path of this file is specified in the <AttributeExtractor> element's path xml attribute in shibboleth2.xml. This file specifies the SAML content that your SP turns into "attributes". In our implementation it specifies that the "ecommonsid" SAML attribute returned by the iDP upon successful login will be made available to the java code running on Tomcat as the Servlet Request attribute "remoteUser". 
sp.conf/etc/httpd/conf.d/sp.conf

Tells Apache to require Shibboleth login for Shrine Urls (/shrine-api/*), and to proxy all the relevant requests to the Shrine application.

Tomcat should open port 8009 only to localhost, and should reside on the same host as your SP.

shrine.conf

override.conf

/opt/shrine/tomcat/lib/shrine.conf

/opt/shrine/tomcat/lib/override.conf

replace "shrine-sso-node01" with your own node name

add the following element under the top-level "shrine" element:

  queryEntryPoint {
   authenticationType = "sso"
 }

OR add the following line to override.conf:

shrine.queryEntryPoint.authenticationType = "sso"


server.xml/opt/shrine/tomcat/conf/server.xmlSet up as the receiving end of AJP over NIO2 connection with Apache 

...