
The following instructions are meant to get you going as quickly as possible. If you want a better understanding of what's going on, go to the next sections of this document.

In summary, the folders containing configuration files which matter are:

/opt/shrine/tomcat ← Tomcat home

/etc/shibboleth ← Shibboleth configuration files

/etc/httpd/* ← Apache configuration files

/var/www/html ← Apache static content as set in, for instance, /etc/httpd/conf/httpd.conf

Sample configuration files

Sample configuration files can be found in the Git repository in the shrine-setup module, specifically at shrine-setup/src/main/resources/sso:

  • sso/apache/sp.conf-sample
  • sso/apache/sp-metadata.xml-sample
  • sso/shibboleth/attribute-map.xml-sample
  • sso/shibboleth/shibboleth2.xml-sample
  • sso/tomcat/server.xml-sample

Among the many configuration files, there are nine which need to be modified to reflect your installation, as listed in the two tables below. Search for the marker 'ADJUST_FOR_YOUR_SITE' in those files for indications of what and where you need to edit.

The files can be found in the following git repository: https://open.catalyst.harvard.edu/stash/scm/shrine/shrine-sso-configs.git in the "develop" branch (to be changed!)

5 Configuration files based on samples in the Git repository

(Columns: Directory and Filename in Git Repo / Location on SP / Notes)

Git repo: sso/apache/sp-metadata.xml-sample
Location on SP: /var/www/html/sp-metadata.xml, if your Apache sets DocumentRoot to /var/www/html (for instance in /etc/httpd/conf/httpd.conf)
Notes: To be shared with your site's Shibboleth IdP, either dynamically (make it available at a given URL and share that URL with your IdP's maintainers/admins) or by omitting it from the SP's web server and instead emailing it to, or otherwise securely sharing it with, the IdP admins whenever it changes (if it does). In either case, populate the entityID, public key certificate, and assertion consumer service location with your own values.

Git repo: sso/shibboleth/shibboleth2.xml-sample
Location on SP: /etc/shibboleth/shibboleth2.xml
Notes: Specifies many aspects of your SP. You need to populate the <ApplicationDefaults> element's entityID and the <SSO> element's entityID XML attribute. Note that we do not make use of the REMOTE_USER XML attribute in our implementation; instead the remote user is specified in attribute-map.xml.
The <CredentialResolver> element specifies the private and public key to use for encryption and signing while communicating with the IdP. If you put the keys in the location given in the key pair row of the next table (/etc/shibboleth/sp-key.pem and /etc/shibboleth/sp-cert.pem), there is no need to modify this element. (The private key should be in a "safe" location and password protected; see what iTeam/Simon does.)
The <AttributeExtractor> element specifies the location of the file that specifies which attribute(s) returned by the IdP must be made available to Tomcat's Java code as Servlet Request attributes.

Git repo: sso/shibboleth/attribute-map.xml-sample
Location on SP: /etc/shibboleth/attribute-map.xml
Notes: The name and path of this file are specified in the path XML attribute of the <AttributeExtractor> element in shibboleth2.xml. This file specifies the SAML content that your SP turns into "attributes". In our implementation it specifies that the "ecommonsid" SAML attribute returned by the IdP upon successful login is made available to the Java code running on Tomcat as the Servlet Request attribute "remoteUser".

Git repo: sso/apache/sp.conf-sample
Location on SP: /etc/httpd/conf.d/sp.conf
Notes: Tells Apache to require Shibboleth login for the SHRINE URLs (/shrine-api/*), and to proxy all the relevant HTTP requests to the SHRINE application using the AJP protocol. Tomcat should open port 8009 only to localhost, and should reside on the same host as Apache.

Git repo: sso/tomcat/server.xml-sample
Location on SP: /opt/shrine/tomcat/conf/server.xml
Notes: Already set up as the receiving end of the AJP over NIO2 connection with Apache. No changes are needed.
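As an added illustration of the attribute-map.xml row above (an example written for this page, not the shrine-setup sample file), the map below exposes exactly one attribute to Tomcat. The SAML attribute name the IdP uses for ecommonsid is not given on this page, so it is a placeholder here; use the name your IdP admins give you.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of /etc/shibboleth/attribute-map.xml; not the shrine-setup sample.
     Shibboleth exposes ONLY attributes listed here; anything else the IdP asserts is dropped. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">

    <!-- Map the IdP's "ecommonsid" SAML attribute to the Servlet Request attribute
         "remoteUser" that the SHRINE code on Tomcat reads.
         name="..." is a PLACEHOLDER for the SAML attribute name (often a urn:oid:... value)
         your IdP actually asserts; id="remoteUser" is the name the text above requires. -->
    <Attribute name="urn:oid:PLACEHOLDER-ECOMMONSID-ATTRIBUTE-NAME" id="remoteUser"/>

    <!-- Deliberately nothing else: keeping the map minimal limits what an IdP assertion
         can turn into request attributes seen by the application. -->

</Attributes>
```

Because the SP silently discards unmapped attributes, a missing or misspelled name here shows up as an empty remoteUser rather than an error; after editing, `shibd -t` checks that the configuration (including this file, via the <AttributeExtractor> path) still parses.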

4 More Configuration Files

File: idp-metadata.xml
Location on SP: /etc/shibboleth/idp-metadata.xml
Notes: A copy of your IdP's metadata. You'll need to ask the admin(s) of your IdP for a copy of it.

File: key pair
Location on SP: /etc/shibboleth/sp-key.pem and /etc/shibboleth/sp-cert.pem
Notes: Create a key pair; include the content of the certificate (sp-cert.pem) in sp-metadata.xml (see the table above), and the paths of the key and certificate as XML attributes of the <CredentialResolver> element of shibboleth2.xml (see the table above). (The private key should be in a "safe" location and password protected; see what iTeam/Simon does.)

File: shrine.conf and override.conf
Location on SP: /opt/shrine/tomcat/lib/shrine.conf and /opt/shrine/tomcat/lib/override.conf
Notes: Set the configuration option that selects "sso" as the login method.

File: server.xml
Location on SP: /opt/shrine/tomcat/conf/server.xml
Notes: Already set up as the receiving end of the AJP over NIO2 connection with Apache. No changes are needed.
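The fragment below ties together the shibboleth2.xml row of the first table and the idp-metadata.xml and key pair rows of the second: it is an added example written for this page, not the shrine-setup sample, and the hostnames (shrine.example.org, idp.example.org), session timings and the passphrase value are placeholders/assumptions. The element and attribute names are those of the Shibboleth SP 2.x configuration schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example fragment of /etc/shibboleth/shibboleth2.xml; not the shrine-setup sample.
     Relative paths are resolved against /etc/shibboleth. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

    <!-- entityID: this SP's own identifier. It must match the entityID you put in
         sp-metadata.xml, since the IdP identifies the SP by it.
         REMOTE_USER is intentionally not set (see the table above). -->
    <ApplicationDefaults entityID="https://shrine.example.org/shibboleth">

        <!-- handlerSSL/cookieProps keep the SP handlers and session cookie on HTTPS only. -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <!-- entityID here is the IdP's, copied from /etc/shibboleth/idp-metadata.xml. -->
            <SSO entityID="https://idp.example.org/idp/shibboleth">
                SAML2
            </SSO>

            <Logout>SAML2 Local</Logout>
            <!-- Status handler restricted to the local host. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>

        <Errors supportContact="root@localhost" helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- The copy of the IdP metadata obtained from your IdP admins. -->
        <MetadataProvider type="XML" file="idp-metadata.xml"/>

        <!-- path points at attribute-map.xml, which decides what reaches Tomcat. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Key pair from the key pair row above. The private key is assumed to be
             passphrase-protected; the File resolver's password attribute supplies the
             passphrase, and the value here is a PLACEHOLDER. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"
                            password="CHANGE-ME-KEY-PASSPHRASE-PLACEHOLDER"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
</SPConfig>
```

Once the passphrase is in shibboleth2.xml, that file protects the key: keep both it and sp-key.pem readable only by root and the shibd service account, which is the practical meaning of the "safe location" note above. `shibd -t` reports whether the key decrypts and the IdP metadata loads before you restart the daemon.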
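For the server.xml rows (both tables say the file needs no changes), the following added example shows the shape of the AJP connector the text describes: an NIO2 AJP listener on port 8009 bound to localhost only. It is written for this page, not copied from the shrine-setup sample; the secret value is a placeholder, and the secretRequired/secret attributes exist only in Tomcat 8.5.51/9.0.31 and later.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example fragment of /opt/shrine/tomcat/conf/server.xml; not the shrine-setup sample. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- The connector Apache's sp.conf proxies to over AJP.
         address="127.0.0.1" binds it to the loopback interface only, so port 8009 is
         reachable from Apache on the same host but not from the network: this is the
         "open port 8009 only to localhost" requirement from the sp.conf row.
         protocol selects the NIO2 AJP implementation named in the tables above.
         secretRequired/secret make Tomcat reject AJP requests that do not carry the
         same secret Apache sends (ProxyPass ... secret=... in newer httpd releases). -->
    <Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol"
               port="8009"
               address="127.0.0.1"
               redirectPort="8443"
               secretRequired="true"
               secret="CHANGE-ME-AJP-SECRET-PLACEHOLDER"/>

    <!-- No plain HTTP connector on 8080 in this example: all traffic arrives through
         Apache and Shibboleth, so nothing bypasses the SSO requirement. (Assumption
         for this example; the shrine-setup sample may differ.) -->

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>
```

After Tomcat starts, `ss -ltnp | grep 8009` should show the listener on 127.0.0.1:8009 only; a 0.0.0.0 or [::] entry means the address attribute is missing and the unauthenticated AJP port is exposed to the network, which would let callers reach /shrine-api without passing through the Shibboleth login Apache enforces.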
