Versions Compared

Old Version 24

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version 25

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Configuration files to create from scratch or import


Location on SPDescription
key pair

/etc/shibboleth/sp-key.pem

/etc/shibboleth/sp-cert.pem

Create a key pair; include the content of the public key certificate (sp-cert.pem) in sp-metadata.xml (see below), and the paths of the key and certificate as xml attributes of the <CredentialResolver> element of shibboleth2.xml (see below) (what if the private key is password protected?)
idp-metadata.xml/etc/shibboleth/idp-metadata.xmlA copy of your IdP's metadata. You'll need to ask the admin(s) of your idP for a copy of it.

Configuration files based on samples in Git

...

Location in Git Repo (under shrine-setup/src/main/resources)Location on SPDescription
sso/apache/sp-metadata.xml-sample

/var/www/html/sp-metadata.xml 

– as long as your Apache configuration sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf) 

To be shared dynamically with your site's IdP (i.e. make it available at a given URL and share that URL with your IdP's maintainers/admins); or omit from the SP's web server, and instead share it securely with the IdP admins whenever it changes (if it does)

In either case, populate the entityID, public key certificate, and consumer service location with yours

sso/shibboleth/shibboleth2.xml-sample/etc/shibboleth/shibboleth2.xml

Specifies many aspects of your SP. You need to populate the <ApplicationDefaults> element's entityID and the <SSO> element's entityID xml attribute. Note that the REMOTE_USER xml attribute is set to "userId" which should match the id of exactly one attribute in attribute-map.xml.

The <CredentialResolver> element specifies the private+public key to use for encryption and signing while communicating with the iDPidP. If you put the keys in the location specified above, there is no need to modify this element. Otherwise edit this file to reflect to the location of the keys. Private key should be in a "safe" location. what if it is password-protected?)

The <AttributeExtractor> element specifies the location of the file that specifies which attribute(s) returned by the idP must be made available to the Tomcat Servlet as Servlet Request attributes.

sso/shibboleth/attribute-map.xml-sample/etc/shibboleth/attribute-map.xml The file name and path of this file is specified in the <AttributeExtractor> element's path xml attribute in shibboleth2.xml. This file specifies the SAML content that your SP turns into "attributes". These will be made available to the java code running on Tomcat as Servlet Request attribute. 
sso/apache/sp.conf-sample/etc/httpd/conf.d/sp.conf

Tells Apache to require Shibboleth login for Shrine Urls (proxy all the HTTP requests for URLs under /shrine-api/* ), and to proxy all the relevant HTTP requests to the Shrine application using the AJP protocol.

Tomcat should open port 8009 only to localhost, and should reside on the same host as Apache.

Also tells Shibboleth to require SSO login before accessing /shrine-api/(staticData|ontology|qep|steward|shrine-webclient) 

sso/tomcat/server.xml-sample/opt/shrine/tomcat/conf/server.xml

Merge it into the existing server.xml.

Sets up the receiving end of AJP over NIO2 connection with Apache. 

sso/shrine/shrine.conf-sample

or

sso/shrine/override.conf-sample

/opt/shrine/tomcat/lib/shrine.conf

or

/opt/shrine/tomcat/lib/override.conf

Set Shrine configuration option options for using SSO for log in. Specify the logout URL. Specify Shrine's session timeout in ms. You should use either file and merge it into the existing shrine.conf or override.conf

...