Configuring a Shibboleth SP from RPMs

From BeSTGRID


This page documents installing a Shibboleth SP (1.3.1) from RPMs instead of compiling it from source, which is much easier and faster.


Basic Installation

Download the RHEL 5 RPMs from http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/1.3.1/RPMS/i386/RHE/5/

  • log4shib, opensaml, shibboleth-1.3.1, xerces-c, xml-security-c
  • Install all of them (for the sake of simplicity, including the debuginfo, doc and devel sub-packages; a production host only needs the base packages)
wget -r -np http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/1.3.1/RPMS/i386/RHE/5/
cd shibboleth.internet2.edu/downloads/shibboleth/cppsp/1.3.1/RPMS/i386/RHE/5/
rpm -Uvh *.rpm
  • wget -r mirrors the server's directory tree, so the RPMs land in the subdirectory cd'd into above; run rpm -Uvh as root.
  • This automatically installs the Shibboleth Apache (2.2) module, an Apache configuration file that loads the module and configures Shibboleth, and a default rule that protects "/secure" with a required Shibboleth session.

Configure shibboleth

The file the RPM installs in /etc/shibboleth/shibboleth.xml is the stock distribution one, so the following still carry placeholder values and have to be changed:

  • Entity ID (the providerId of the SP)
  • Host certificates (the key and certificate the SP uses for its TLS back-channel and for signing)
  • Metadata (the federation metadata files the SP loads)
  • WAYF (the federation WAYF the session initiator sends users to)

Comparing RPM distribution shibboleth.xml vs. MAMS

  • Library paths: use the dist values, they match where the RPMs put the libraries.
  • Host name: dist uses the placeholder "sp.example.org", MAMS uses MY_DNS; be careful to replace every occurrence of whichever placeholder you start from.
  • <Path>: MAMS has exportAssertion="true", use that. It passes the whole SAML assertion through to the application, so enable it only where the application actually consumes it.
  • <Sessions>: dist has consistentAddress="true", let's keep it. It ties a session to the client address it was created from, which limits what a stolen session cookie is worth, at the price of breaking for clients whose address changes mid-session (e.g. behind some proxies).
  • <SessionInitiator>: dist has isDefault="true".
  • Keep logoLocation and StyleSheet as /shibboleth-sp/* (dist).
  • MAMS has MY_DNS in: <Host name>, <Site id>, <Applications providerId>, <Applications homeURL>.

Changes Done in dist shibboleth.xml

  • change the hostname from sp.example.org to idp.canterbury.ac.nz (Host, Site, Applications)
  • set providerId in Applications
  • set the path to the credentials
  • first attempt: set the certs to /etc/certs/aa-{key,cert}.pem and append CAPath elements for the CAUDIT/AusCERT pilot hierarchy.
  • NOTE: this does not work when installing an SP on an IdP host: the IdP's AA certificates are Web Server certificates only and won't work on an SP. Either get a proper SP back-channel certificate, or use the general-purpose front-channel certificate.
  • Thus, set the certs to /etc/certs/host-{key,cert}.pem and append a CAPath element for ThawtePremiumServerCA.pem
  • pull in the Level-2 and BeSTGRID metadata from /usr/local/shibboleth-idp/etc/, i.e. reuse the files the IdP on the same host already has (yes, I know it's cheap).
  • add exportAssertion="true" to RequestMap->Host->Path
  • set wayfURL="https://www.federation.org.au/level-2-wayf/WAYF" on the SessionInitiator
  • set the local initiator Location="/WAYF/level-2.federation.org.au"

Configure AAP

  • Fetch the MAMS AAP.xml and use it instead of the dist AAP.xml
    • Edit AAP.xml and remove Scoped="true" from the eduPersonTargetedID definition, in order to make EPTID work. Remove it from that one rule only: Scoped="true" is what makes the SP check an attribute value's scope against the scopes the IdP is allowed to assert in metadata, and the other scoped rules (such as eduPersonPrincipalName) should keep that check.
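The two checklists above (the shibboleth.xml changes and the AAP edit) as a script you can run against copies of the files before touching /etc/shibboleth. This is an added example, not code from the BeSTGRID page or from the Shibboleth distribution: the two skeleton files it writes are constructed, cut-down stand-ins for the dist shibboleth.xml and the MAMS AAP.xml (the real files contain many more elements), the providerId https://idp.canterbury.ac.nz/shibboleth is an assumption, and the other hostnames, paths and URLs are the ones the page gives. The checks cover the part the page leaves implicit: no sp.example.org or MY_DNS placeholder may survive, and Scoped="true" must disappear from the eduPersonTargetedID rule alone, not from the other scoped attributes.

```shell
#!/bin/sh
# Added example, not code from the BeSTGRID page or the Shibboleth project.
# Applies the shibboleth.xml and AAP.xml edits from the two sections above to
# COPIES of the files with sed, then checks the result before shibd is started.
# The skeleton files written by write_skeletons are constructed stand-ins for
# the dist shibboleth.xml and the MAMS AAP.xml; the providerId below is an
# assumption, the other values are taken from the page. Change them for your host.
set -eu

SP_HOST="idp.canterbury.ac.nz"
SP_PROVIDER_ID="https://${SP_HOST}/shibboleth"   # assumed providerId
KEY_PATH="/etc/certs/host-key.pem"
CERT_PATH="/etc/certs/host-cert.pem"
CA_PATH="/etc/certs/ThawtePremiumServerCA.pem"
WAYF_URL="https://www.federation.org.au/level-2-wayf/WAYF"
INIT_LOCATION="/WAYF/level-2.federation.org.au"

# write_skeletons DIR: constructed, cut-down stand-ins (NOT the real files).
write_skeletons() {
  cat > "$1/shibboleth.xml" <<'EOF'
<SPConfig>
  <RequestMap applicationId="default">
    <Host name="sp.example.org">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
  <Applications id="default" providerId="https://sp.example.org/shibboleth" homeURL="https://sp.example.org/index.html">
    <Sessions lifetime="7200" timeout="3600" checkAddress="true" consistentAddress="true" handlerURL="/Shibboleth.sso">
      <SessionInitiator isDefault="true" id="example" Location="/WAYF/HS" Binding="urn:mace:shibboleth:sp:1.3:SessionInit" wayfURL="https://wayf.example.org/WAYF" wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
    </Sessions>
  </Applications>
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="defcreds">
      <Key><Path>/etc/shibboleth/sp-example-org.key</Path></Key>
      <Certificate><Path>/etc/shibboleth/sp-example-org.crt</Path></Certificate>
    </FileResolver>
  </Credentials>
</SPConfig>
EOF
  cat > "$1/AAP.xml" <<'EOF'
<AttributeAcceptancePolicy>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
    <AnySite><AnyValue/></AnySite>
  </AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonTargetedID" Scoped="true" Header="Shib-TargetedID" Alias="targeted-id">
    <AnySite><AnyValue/></AnySite>
  </AttributeRule>
</AttributeAcceptancePolicy>
EOF
}

# in_place FILE SED-EXPR: edit without sed -i, whose syntax differs between GNU and BSD.
in_place() { sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# apply_sp_edits FILE: the "Changes Done" checklist for shibboleth.xml.
apply_sp_edits() {
  f="$1"
  in_place "$f" "s|sp\.example\.org|${SP_HOST}|g"        # Host, Site, Applications
  in_place "$f" "s|providerId=\"[^\"]*\"|providerId=\"${SP_PROVIDER_ID}\"|"
  in_place "$f" "s|requireSession=\"true\"/>|requireSession=\"true\" exportAssertion=\"true\"/>|"
  in_place "$f" "s|wayfURL=\"[^\"]*\"|wayfURL=\"${WAYF_URL}\"|"
  in_place "$f" "s|Location=\"/WAYF/[^\"]*\"|Location=\"${INIT_LOCATION}\"|"
  in_place "$f" "s|<Key><Path>[^<]*</Path></Key>|<Key><Path>${KEY_PATH}</Path></Key>|"
  in_place "$f" "s|<Certificate><Path>[^<]*</Path></Certificate>|<Certificate><Path>${CERT_PATH}</Path><CAPath>${CA_PATH}</CAPath></Certificate>|"
}

# apply_aap_edits FILE: drop Scoped="true" from the eduPersonTargetedID rule
# only; every other scoped rule keeps its scope check against IdP metadata.
apply_aap_edits() { in_place "$1" '/eduPersonTargetedID/s/ Scoped="true"//'; }

# leftover_placeholders FILE: number of lines still carrying a dist/MAMS placeholder.
leftover_placeholders() { grep -c -e 'sp\.example\.org' -e 'MY_DNS' "$1" || true; }

# check_sp FILE: succeed only if every item of the checklist is present.
check_sp() {
  f="$1"
  [ "$(leftover_placeholders "$f")" = "0" ] &&
  grep -q "<Host name=\"${SP_HOST}\">" "$f" &&
  grep -q "providerId=\"${SP_PROVIDER_ID}\"" "$f" &&
  grep -q 'exportAssertion="true"' "$f" &&
  grep -q 'consistentAddress="true"' "$f" &&
  grep -q "wayfURL=\"${WAYF_URL}\"" "$f" &&
  grep -q "Location=\"${INIT_LOCATION}\"" "$f" &&
  grep -q "<CAPath>${CA_PATH}</CAPath>" "$f"
}

# check_aap FILE: EPTID rule unscoped, eduPersonPrincipalName rule still scoped.
check_aap() {
  ! grep 'eduPersonTargetedID' "$1" | grep -q 'Scoped="true"' &&
  grep 'eduPersonPrincipalName' "$1" | grep -q 'Scoped="true"'
}

WORK="$(mktemp -d)"
write_skeletons "$WORK"
apply_sp_edits "$WORK/shibboleth.xml"
apply_aap_edits "$WORK/AAP.xml"
if check_sp "$WORK/shibboleth.xml" && check_aap "$WORK/AAP.xml"; then
  echo "edited copies in $WORK pass the checks; review them before copying to /etc/shibboleth"
else
  echo "checklist not fully applied, inspect $WORK" >&2
  exit 1
fi
```

The script only writes to a temporary directory, so it can be run as any user; point write_skeletons at copies of the real files (or replace it with cp) once the edits look right, then install the results to /etc/shibboleth and restart shibd as in the next section. The sed expressions are anchored on the attribute names rather than on whole lines because the dist file and the MAMS file lay the same elements out differently.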


Start the Shibboleth Service

  • Start and enable the shibd service, then restart Apache so it loads mod_shib and the new configuration
chkconfig shibd on
service shibd start
service httpd restart
  • If shibd does not come up, check /var/log/shibboleth/shibd.log: a configuration error (a bad path to the key or certificate, or a metadata file it cannot read) is reported there.

Notes