Page History

/etc/shibboleth/sp-key.pem

/etc/shibboleth/sp-cert.pem

If the Shibboleth installer has not already done so, create a key pair; include the content of the public key certificate (sp-cert.pem) in sp-metadata.xml (see below), and the paths of the key and certificate as xml attributes of the <CredentialResolver> element of shibboleth2.xml (see below)

To create a key pair, use /etc/shibboleth/keygen.sh; as per https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067398706/keygen and also https://docs.shib.ncsu.edu/docs/configure/index.html.

You don't need to create separate key pairs for signing and for encryption.

/var/www/html/sp-metadata.xml 

– if as long as your Apache configuration sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) 

To be shared dynamically with your site's Shibboleth IdP (i.e. make it available at a given URL as a document at the document root and share that URL with your IdP's maintainers/admins); or omit from the SP's (i.e. your) web server, and instead email it to / share it securely with the IdP admins whenever it changes (if it does)

In either case, populate the entityID, public key certificate, and consumer service location with yours.

Populate the entityID attribute in<ApplicationDefaults> to match your entityID in sp-metadata.xml.

Populate the entityID attribute in <SSO> to match the idP's entityID in idp-metadata.xml. 

Populate the supportContact attribute of the <Errors> element with an email address.Specifies many aspects of your SP. You need to populate the <ApplicationDefaults> element's entityID and the <SSO> element's entityID xml attribute. Note that we do not make use of the REMOTE_USER xml attribute in our implementation. Instead the remote user is specified in the attribute-map.xml. 

The <CredentialResolver> element specifies the private+public key to use for encryption and signing while communicating with the iDPidP. If you put the keys in the location specified above and the private key is not password-protected, then there is no need to modify this element. (. Otherwise edit this file to reflect the location of the keys and optionally the private key password.

The private key should be stored in a "safe" location and . If it is password protected. see what iTeam/Simon does)-protected, that should be reflected in the <CredentialResolver>'s password attribute.

The <AttributeExtractor> element specifies the location of the file that specifies which attribute(s) returned by the iDP must be made available to the the Tomcat's java code as Servlet Request attributes.

Tells Apache to require Shibboleth login for Shrine Urls (/shrine-api/*), and to proxy all the relevant HTTP requests to the Shrine application using the AJP protocol.

Tomcat should open port 8009 only to localhost, and should reside on the same host as Apache.

Populate the ServerName, ProxyPass and Header set Access-Control-Allow-Origin directives with your hostname.

Most likely the following 3 attributes of <Connector port="6443"... /> are already populated, but if not then populate certificateKeystoreFile, certificateKeystorePassword, certificateKeyAlias.

You will need to populate proxyName in the AjpNio2Protocol connector.

Once done, Merge the contents  of server.xml-sample into the existing /opt/shrine/tomcat/conf/server.xml.

sso/shrine/shrine.conf-sample

or

sso/shrine/override.conf-sample

/opt/shrine/tomcat/lib/shrine.conf

or

/opt/shrine/tomcat/lib/override.conf

Set Shrine configuration

options for using SSO for login/logout.

In override.conf it would look like:

• Specify that we are using SSO: shrine.queryEntryPoint.authenticationType = "sso"
• Specify the logout URL (shrine.webclient.ssoLogoutUrl) = (see override.conf-sample)
• Specify Shrine's session timeout as such: shrine.webclient.sessionTimeout = "30 minutes".

You should use either file and merge it into the existing shrine.conf or override.conf in /opt/shrine/tomcat/

lib