
The following instructions are meant to get you going as quickly as possible. If you want a better understanding of what's going on, go to the next sections of this document.

Configuration Directories

In summary, the folders containing configuration files which need to be modified are:

/opt/shrine/tomcat ← Tomcat home

/etc/shibboleth ← Shibboleth configuration files

/etc/httpd/** ← Apache configuration files

/var/www/html ← Apache static content as set in, for instance, /etc/httpd/conf/httpd.conf

Configuration files to create from scratch or import

File / Location on SP / Description

key pair
  Location on SP: /etc/shibboleth/sp-key.pem and /etc/shibboleth/sp-cert.pem
  Description: Create a key pair. Include the content of the public key certificate (sp-cert.pem) in sp-metadata.xml (see below), and put the paths of the key and certificate in the XML attributes of the <CredentialResolver> element of shibboleth2.xml (see below). (What if the private key is password protected?)

idp-metadata.xml
  Location on SP: /etc/shibboleth/idp-metadata.xml
  Description: A copy of your IdP's metadata. You will need to ask the admin(s) of your IdP for a copy of it. Rename it to idp-metadata.xml and put it in /etc/shibboleth.

Configuration files based on samples in Git

Sample configuration files can be found in the Git repository (https://open.catalyst.harvard.edu/stash/scm/shrine/shrine.git, "sso-phase1.1" branch – update later) in the shrine-setup module, specifically at shrine-setup/src/main/resources/sso:

  • sso/apache/sp.conf-sample
  • sso/apache/sp-metadata.xml-sample
  • sso/shibboleth/attribute-map.xml-sample
  • sso/shibboleth/shibboleth2.xml-sample
  • sso/tomcat/server.xml-sample
  • sso/shrine/shrine.conf-sample
  • sso/shrine/override.conf-sample

Copy these files to the location on the SP (i.e. your server) indicated in the table below.

Then search for the marker 'ADJUST_FOR_YOUR_SITE' in each of these files; it marks what needs to be edited and where.

Location in Git Repo (under shrine-setup/src/main/resources) / Location on SP / Description

sso/apache/sp-metadata.xml-sample
  Location on SP: /var/www/html/sp-metadata.xml (as long as your Apache configuration sets DocumentRoot to /var/www/html, for instance in /etc/httpd/conf/httpd.conf)
  Description: To be shared dynamically with your site's IdP (i.e. make it available at a given URL and share that URL with your IdP's maintainers/admins); or omit it from the SP's web server and instead share it securely with the IdP admins whenever it changes (if it does). In either case, populate the entityID, public key certificate, and assertion consumer service location with yours.

sso/shibboleth/shibboleth2.xml-sample
  Location on SP: /etc/shibboleth/shibboleth2.xml
  Description: Specifies many aspects of your SP. Populate the entityID attribute in <ApplicationDefaults> to match the entityID in sp-metadata.xml. Populate the entityID attribute in <SSO> to match the entityID in idp-metadata.xml. Note that the REMOTE_USER XML attribute of <ApplicationDefaults> is set to "userId", which matches the "userId" id in attribute-map.xml. The <CredentialResolver> element specifies the private and public key to use for encryption and signing while communicating with the IdP. If you put the keys in the location specified above, there is no need to modify this element; otherwise edit this file to reflect the location of the keys. The private key should be in a "safe" location. (What if it is password protected?)

sso/shibboleth/attribute-map.xml-sample
  Location on SP: /etc/shibboleth/attribute-map.xml
  Description: Set the IdP's user id attribute name.

sso/apache/sp.conf-sample
  Location on SP: /etc/httpd/conf.d/sp.conf
  Description: Populate the ServerName and ProxyPass directives with your hostname.

sso/tomcat/server.xml-sample
  Location on SP: /opt/shrine/tomcat/conf/server.xml
  Description: Populate certificateKeystorePassword, certificateKeyAlias and proxyName. Merge the contents of server.xml-sample into the existing server.xml.

sso/shrine/shrine.conf-sample or sso/shrine/override.conf-sample
  Location on SP: /opt/shrine/tomcat/lib/shrine.conf or /opt/shrine/tomcat/lib/override.conf
  Description: Set the Shrine configuration options for using SSO for log in. Specify the logout URL. Specify Shrine's session timeout in ms. Use one of the two sample files and merge it into the existing shrine.conf or override.conf.
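The cross-file requirements in the table above (the two entityID matches, REMOTE_USER naming an id that attribute-map.xml defines, and absolute key/certificate paths in <CredentialResolver>) can be checked mechanically before restarting shibd. The script below is an added example, not code from the SHRINE repository; the XML fragments are constructed stand-ins for the four files, and the namespace URIs and hostnames in them are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal stand-ins for the four files the table describes; they are
# not the sample files from the SHRINE repository, and the namespaces are assumed.
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://shrine.example.org/shibboleth" REMOTE_USER="userId">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem"
                        certificate="/etc/shibboleth/sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""
SP_METADATA_XML = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'entityID="https://shrine.example.org/shibboleth"/>')
IDP_METADATA_XML = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
                    'entityID="https://idp.example.org/idp/shibboleth"/>')
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="userId"/>
</Attributes>"""

def _find_all(root, local_name):
    """Return elements whose namespace-stripped tag equals local_name."""
    return [el for el in root.iter() if el.tag.split("}")[-1] == local_name]

def check_sp_config(shib2, sp_md, idp_md, attr_map):
    """Return a list of mismatches between shibboleth2.xml and the other three files."""
    cfg = ET.fromstring(shib2)
    app = next(iter(_find_all(cfg, "ApplicationDefaults")), None)
    sso = next(iter(_find_all(cfg, "SSO")), None)
    cred = next(iter(_find_all(cfg, "CredentialResolver")), None)
    problems = []
    if app is None or app.get("entityID") != ET.fromstring(sp_md).get("entityID"):
        problems.append("ApplicationDefaults entityID does not match sp-metadata.xml")
    if sso is None or sso.get("entityID") != ET.fromstring(idp_md).get("entityID"):
        problems.append("SSO entityID does not match idp-metadata.xml")
    # REMOTE_USER is a space-separated preference list of attribute ids; at least
    # one of them must be an id that attribute-map.xml actually defines.
    ids = {a.get("id") for a in _find_all(ET.fromstring(attr_map), "Attribute")}
    wanted = app.get("REMOTE_USER", "").split() if app is not None else []
    if not any(r in ids for r in wanted):
        problems.append("REMOTE_USER names no id defined in attribute-map.xml")
    for attr in ("key", "certificate"):
        path = cred.get(attr) if cred is not None else None
        if not path or not path.startswith("/"):
            problems.append(f"CredentialResolver {attr} is missing or not an absolute path")
    return problems
```

On a real SP, read the four files from the paths in the table and pass their contents to check_sp_config; an empty list means the values line up.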
