
Shrine SSO runs on three software components: Tomcat, Apache, and Shibboleth.

It is assumed that you are running the CentOS 7 operating system (which is recommended for Shrine).

The following instructions further

Very Basic Overview of SSO

IdP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called a SP (for Service Provider).

In this implementation of SSO, the SP consists of the Shibboleth SP version 3 software. See https://shibboleth.atlassian.net/wiki/spaces/SP3/overview .

Upon successful login at the IdP, the IdP will send information about the user back to the SP as "attributes".

Among other things, the SP must be configured to specify which of these attributes are passed on to the Shrine code (in the form of HTTP request attributes).

Installation Layout

The following instructions assume that (1) you have installed Shrine, and hence are using Tomcat as your application server, (2) you will install Apache on the same host as Tomcat, and (3) you will therefore install Shibboleth SP 3 on that same host as well, since Shibboleth runs as an Apache module plus a daemon.

For our own local installation the following layout is used:

  • /opt/shrine/tomcat ← Tomcat home
  • /etc/shibboleth ← Shibboleth configuration files
  • /etc/httpd/* ← Apache configuration files

Software Installation

Tomcat

Tomcat (install as user shrine): You are running Shrine, and so Tomcat is already installed. If you followed the instructions for installing Shrine you are running version 9.0.52 (as per SHRINE 4.0.0 Chapter 5 - Set up Apache Tomcat). Shrine SSO has been tested with the same Tomcat version.

The Tomcat home should be /opt/shrine/tomcat

Prepare for Apache Installation

Enable more recent versions of Apache (which are not available as standard CentOS 7 yum packages):

Create a file called "codeit.repo" and place it in /etc/yum.repos.d

In this file put the following:

Preparing yum to install CodeIT (/etc/yum.repos.d/codeit.repo):

    [CodeIT]
    name=CodeIT repo for newer httpd versions
    baseurl=https://repo.codeit.guru/packages/centos/7/$basearch
    enabled=1
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
    gpgcheck=1

Prepare for Shibboleth Installation

Create a file named shibboleth.repo in /etc/yum.repos.d/

In it, put:

Preparing yum to install Shibboleth-SP (/etc/yum.repos.d/shibboleth.repo):

    [shibboleth]
    name=Shibboleth (CentOS_7)
    # Please report any problems to https://shibboleth.atlassian.net/jira
    type=rpm-md
    mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
    gpgcheck=1
    gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
           https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
    enabled=1

Install Apache, mod_ssl and Shibboleth:

Note: the Apache version should be 2.4.10 or higher so that the local address field of the request gets populated for use in the back-end code (see https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated, the back-end fails with an NPE when looking for the local address in the request.

    yum install httpd-2.4.54-1.codeit.el7 mod_ssl-1:2.4.54-1.codeit.el7 shibboleth-3.3.0-1
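As an added example (not part of the SHRINE wiki page), here is a small POSIX sh script that verifies the two things these steps depend on: that both repo files you created enforce GPG signature checking, and that the installed httpd meets the 2.4.10 minimum from the note above. The "httpd -v" banner and the copy of the repo file embedded in it are constructed for the demo; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the SHRINE wiki: post-install checks for the
# Apache/Shibboleth setup described above. The sample banner and repo text
# below are constructed; the file paths are the page's own.

# Extract "2.4.54" from an "httpd -v" banner such as
# "Server version: Apache/2.4.54 (codeit)".
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Succeed (exit 0) only if the version is >= 2.4.10, the minimum at which the
# request's local address is populated (Apache bug 56661). CentOS 7's stock
# httpd 2.4.6 fails this, which is why the page pulls httpd from the CodeIT repo.
httpd_version_ok() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0
        exit !(major > 2 || (major == 2 && (minor > 4 || (minor == 4 && patch >= 10))))
    }'
}

# Succeed only if a yum .repo file both enforces signature checking (gpgcheck=1)
# and names an https gpgkey, so a tampered mirror cannot serve unsigned RPMs.
repo_gpgcheck_enabled() {
    grep -q '^gpgcheck=1[[:space:]]*$' "$1" && grep -q '^gpgkey=https://' "$1"
}

# Demo against a constructed banner and a constructed copy of the page's repo file.
demo_banner='Server version: Apache/2.4.54 (codeit)'
ver=$(httpd_version_from_banner "$demo_banner")
if httpd_version_ok "$ver"; then echo "httpd $ver: local address field will be populated"; fi

tmp=$(mktemp)
printf '%s\n' '[CodeIT]' 'name=CodeIT repo for newer httpd versions' \
    'baseurl=https://repo.codeit.guru/packages/centos/7/$basearch' \
    'enabled=1' 'gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit' 'gpgcheck=1' > "$tmp"
repo_gpgcheck_enabled "$tmp" && echo "constructed codeit.repo: GPG verification enforced"
rm -f "$tmp"

# On the real host: check every repo the page adds and the installed httpd.
for f in /etc/yum.repos.d/codeit.repo /etc/yum.repos.d/shibboleth.repo; do
    [ -f "$f" ] && repo_gpgcheck_enabled "$f" || echo "WARNING: $f missing or gpgcheck off"
done
command -v httpd >/dev/null && httpd_version_ok "$(httpd_version_from_banner "$(httpd -v | head -1)")" \
    || echo "WARNING: httpd not found or older than 2.4.10"
```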

Install Key and Certificate in Apache

  • acquire a TLS certificate from your CA (certificate authority) of choice; letsencrypt.org is a popular free option
  • upload (via ftp, scp, or similar) your private key and certificate files and enable them in Apache as described here

Verify Installation

The Apache configuration files should be in /etc/httpd/

The Apache document root (static content) should be /var/www/html, as set in, for instance, /etc/httpd/conf/httpd.conf

The Shibboleth configuration files should be in /etc/shibboleth

The Tomcat configuration files should be in /opt/shrine/tomcat/conf and /opt/shrine/tomcat/lib

Next Step:

Fast forward: SHRINE 4.0.0 Appendix A.2 - Quick Configuration

or

SHRINE 4.0.0 Appendix A.3 - More Details: Shibboleth Configuration

The configuration files can be found in the Git repository in the shrine-setup module, specifically at shrine-setup/src/main/resources/sso