Versions Compared

Old Version 102

changes.mady.by.user Rich Ledoux

Saved on

compared with

New Version 103

changes.mady.by.user Robert A Basch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add a note about confirming that the Shibboleth handler is active

...

Panel

On a Linux server, the quickest way to get started is to use Touchstone's mit-config-shib.sh script to generate an initial configuration from a template.

In the /etc/shibboleth directory (as root), download and run the mit-config-shib.sh script from the touchstone.mit.edu web server, e.g.:

No Format
# cd /etc/shibboleth
# wget -N https://touchstone.mit.edu/config/shibboleth-sp-3/mit-config-shib.sh
# sh mit-config-shib.sh

mit-config-shib.sh will use either the wget utility or curl utility, if available, to download the other files needed to configure the SP. If you do not have either wget or curl on your system, you must download the following files manually from https://touchstone.mit.edu/config/shibboleth-sp-3/ and install them into the /etc/shibboleth directory:

Here is a sample typescript from running the procedure for a web server whose public name (the host name entered by users as the URL to access your application) is mywebsite.mit.edu, but is hosted on a machine named simulacrum.mit.edu:

No Format
[root@simulacrum shibboleth]# sh mit-config-shib.sh

Download latest shibboleth2.xml.in? [Y] 

Download latest attribute-map.xml? [Y] 
Saving previous version as attribute-map.xml.old

Enter the web server host name: [simulacrum.mit.edu] mywebsite.mit.edu

Enter the path for the Shibboleth signing certificate file: [sp-signing-cert.pem] 
The certificate's subject CN must match your web server host name.
(The subject CN is simulacrum.mit.edu, given host name is mywebsite.mit.edu).

Generate a new (self-signed) certificate/key pair? [Y] 
Saving sp-signing-cert.pem to sp-signing-cert.pem.saved-by-mit-config-shib...
Saving sp-signing-key.pem to sp-signing-key.pem.saved-by-mit-config-shib...
Generating sp-signing-cert.pem and sp-signing-key.pem...
Please include the contents of sp-signing-cert.pem when you register the server.

Enter the path for the Shibboleth signing private key file: [sp-signing-key.pem] 

Enter the path for the Shibboleth encryption certificate file: [sp-encrypt-cert.pem] 
The certificate's subject CN must match your web server host name.
(The subject CN is simulacrum.mit.edu, given host name is mywebsite.mit.edu).

Generate a new (self-signed) certificate/key pair? [Y] 
Saving sp-encrypt-cert.pem to sp-encrypt-cert.pem.saved-by-mit-config-shib...
Saving sp-encrypt-key.pem to sp-encrypt-key.pem.saved-by-mit-config-shib...
Generating sp-encrypt-cert.pem and sp-encrypt-key.pem...
Please include the contents of sp-encrypt-cert.pem when you register the server.

Enter the path for the Shibboleth encryption private key file: [sp-encrypt-key.pem] 

Always use SSL for Shibboleth handler? [Y] 

Set cookies secure (requires SSL for all protected content)? [Y] 

To avoid loops, be sure to redirect any non-https requests to SSL.
Enter <return> to continue: 

Support contact email address? [mywebsite-help@mit.edu] 


Will this server be joining the InCommon Federation? [N] 
Using prefix /usr...
shibboleth2.xml already exists, saving previous version as shibboleth2.xml.old

Notes:

  • The default web server host name is the machine host name, but we override that in this example with the user-visible web server host name, mywebsite.mit.edu.
  • We require that you generate and use a pair of self-signed certificates with Shibboleth (one pair for signing, another for encryption), instead of sharing the MIT (or commercial) SSL certificate used for browser-facing https traffic. The mit-config-shib.sh script can generate proper certificates as needed; in this example, it regenerates the certificates created when the shibboleth RPM was installed, so that the subject CN matches the web server host name, instead of the machine host name.  You must include the contents of these certificate files (normally sp-signing-cert.pem and sp-encrypt-cert.pem) when emailing your registration request to touchstone-support (see below).

  • We recommend that you set Shibboleth cookies to be secure (i.e. only sent by the browser via https connections), to minimize the risk of a session being hijacked. This requires, though, you configure your server to use SSL for all Shibboleth-protected content; otherwise a browser loop may be introduced. Shibboleth provides a special option to force a redirect for any attempted http access to SSL (https), which can be specified via an Apache directive:

    No Format
      ShibRequestSetting redirectToSSL 443

    (replace 443 with the appropriate number, if using a non-standard port for https traffic).

  • If your application will support user bases from other InCommon Federation institutions, i.e. other than MIT and Collaboration accounts, then answer Yes to the question about joining the InCommon Federation.  The necessary configuration will be added to Shibboleth.  Also remember to indicate that you want to register with InCommon when you submit your registration request to touchstone-support.

 

Notes

Note that some changes to the shibboleth2.xml, attribute-map.xml, and attribute-policy.xml files will be detected automatically, i.e. without requiring a restart of shibd.

Note: The mit-config-shib.sh procedure described above is currently supported on Linux systems only; it should be portable to other UNIX-based systems with minimal effort. Please contact touchstone-support if you are using another operating system and having problems with the mit-config-shib.sh script.

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, apache22.config, and apache24.config, which contain needed and example directives for Apache 1.3, Apache 2.0, Apache 2.2, and Apache 2.4, respectively.  If you install from Red Hat RPMs, the appropriate version of this file will be installed in /etc/httpd/conf.d/shib.conf; we recommend that you add your Shibboleth directives to a separate file, to avoid having to merge changes to shib.conf when the RPM is updated. Otherwise, copy and/or include the appropriate version of the file in your Apache config, and customize as needed.

shibd is a daemon that must be running, so make sure it is started at boot time.  Installing from Red Hat RPMs also take care of this, by adding shibd as a managed service.  The $prefix/etc/shibboleth directory will contain init files (shibd-*) for various other types of installations.

On Windows/IIS machines, the shibboleth2.xml.windows-example file in the locker is a good starting point for the shibboleth2.xml file. You will need to edit the file for it to work on your server; please see the comments at the top of the file for the details. The attribute-map.xml file in the locker should work without modification.

Log Files

Panel

The Shibboleth Apache module logs by default to httpd's own error log.

The Shibboleth daemon logs to shibd.log, shibd_warn.log, and transaction.log in $prefix/var/log/shibboleth/.

For information on logging by the SP, please see https://wiki.shibboleth.net/confluence/display/SP3/Logging.

...

Letting the IdP know about your application

Panel

Before registering your service provider with the MIT Identity Providers, please make sure that the Shibboleth software is installed and running on your server. You should confirm that Shibboleth is running properly by connecting successfully to https://localhost/Shibboleth.sso/Status from the server; Touchstone support will attempt to confirm the SP configuration by connecting (remotely) to https://myhost/Shibboleth.sso/Metadata.

Info

Until the MIT Identity Providers know about your application, they won't release information about an authenticated user to your server. Each Touchstone enabled application running on a server needs to be registered with the IdPs, by our adding it to metadata.

Tip

To register your application server with the MIT IdPs send mail to touchstone-support with the following information:

  • A contact email address. We strongly recommend that this be an email list rather than an individual's personal email address. Note that this address will be published in the MIT metadata file.
  • The web server host name, i.e. the host name that a user would specify when entering the URL to access your site. This should be the same as the Subject CN in your server's SSL certificate, and match the host name entered in response to mit-config-shib's initial prompt. This name will be used to create a unique Entity ID by which the IdPs will identify your SP; by convention, this ID is the URI https://mywebsite.mit.edu/shibboleth. (For more information on entity ID naming, please see EntityNaming at the Internet2 wiki site). If you have multiple applications installed on the same machine, served by different host names (e.g. using different Apache vhosts), you will also need to provide each application's host name, as Shibboleth endpoints on each host must be registered in metadata. In some cases, different applications will require the use of separate entity IDs; please see below.
  • Indicate if the SP should be registered with the InCommon Federation, if your application needs to support users at other InCommon institutions; the default is to register the SP for the MIT IdPs only, in which case only MIT and Collaboration account users will be supported.
  • The certificates for the SP. This should be the self-signed certificate files generated at install time (in /etc/shibboleth/), i.e. sp-signing-cert.pem and sp-encrypt-cert.pem); do not send the private key files.
  • Organization name. This is typically the name of the MIT department, lab, or center running the application.
  • Organization URL. The URL that provides some basic information about your department, lab, or center.

We also encourage you to send the following optional information with your registration information:

  • The application URL. The actual URL which will be used to access your application.
  • Your server machine's host name(s), if different from the web server host name.
  • Your server platform and version. (e.g. RHEL 7, Windows 2012, Debian 8, ...)

A single Shibboleth SP installation is designed to support multiple applications installed on that server, but there are different deployment and configuration strategies to support multiple applications. At MIT we recommend that each application simply be configured to use a separate Apache vhost; more complex configurations, e.g. creating separate entity IDs for each application, are also possible. For more information, please see:

An example of when separate entity IDs are needed would be if one application requires a non-standard set of attributes to be released to it. Please consult with touchstone-support as needed.

...