Panel |
---|
In order to make your application use MIT Touchstone, or Shibboleth, for authentication, several steps have to be performed. MIT Information Services offers consulting services to make this process easier. However, many people at MIT are able to perform each of these simple steps with minimal intervention from IS&T. The information below is intended to help guide you through your configuration. |
...
Panel | |||||||
---|---|---|---|---|---|---|---|
IS&T currently supports new customers intending to use current versions of Shibboleth 2SP 3.x. We recommend that new installations use Shibboleth 2.x based SPs.
|
Using installers:
Please see https://wiki.shibboleth.net/confluence/display/SP3/Home for information on the current releases of Shibboleth.
|
Installing native SP software:
Panel | ||
---|---|---|
| ||
Panel | ||
Some other Linux distributions also maintain binary installers available from the OS distribution point. If you For Debian/Ubuntu, please install the |
...
Panel | ||
---|---|---|
However, if you need to build from source, please read the following pages:
Once you have built the software successfully, you will need to configure and customize it for use. |
Server SSL Certificate request and configuration
Panel | ||||
---|---|---|---|---|
Please make sure that you use lower case servernames in your certificate A server certificate, issued either by the MIT CA or a commercial CA, is required for SSL (https) traffic to your server; we strongly recommend using SSL for all Shibboleth-protected content. Please make sure that you use lower case server names in your certificate request. The server name within the certifiacte certificate is case sensitive. Information about how to generate a certificate request and where to send the request can be found in https://wikis.mit.edu/confluence/display/WSWG/How+to+acquire+and+verify+a+M.I.T.+x509+Server+Certificate
|
Configure the SP software
Panel | |||||||
---|---|---|---|---|---|---|---|
The quickest way to get started is to copy the following files from the Touchstone locker (
Note: If you do not have AFS installed on your server, then you can access the above files via http, either from a browser or using wget. The URL is http://web.mit.edu/touchstone/config/shibboleth2-sp/ Then run the gen-shib2.sh script, and answer the prompts, to generate shibboleth2.xml. For example:
Note that any changes to the shibboleth2.xml, attribute-map.xml, and attribute-policy.xml files will be detected automatically, i.e. without requiring a restart of shibd. Note: The gen-shib2.sh procedure described above currently works only on Linux and Solaris systems; it should be portable to other UNIX-based systems without too much effort. Please contact touchstone-support if you are using another operating system and having problems with the gen-shib2.sh script. The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed. The directory also contains a shibd init script for Red Hat (shibd-redhat) and Debian (shibd-debian) systems. The current Red Hat RPMs also install the init script into /etc/init.d/shibd, and adds it as a managed service. On Solaris machines, the gen-shib.sh script will generate a shibd init script (from shibd.in); this should be installed into /etc/init.d, and configured to start at boot time, after httpd has started. NOTE: shibd is a daemon that must be running, so make sure it is started at boot time, after Apache httpd has been started.
|
Log Files
Panel |
---|
The Shibboleth Apache module logs by default to $prefix/var/log/httpd/native.log. This file must be writable by Apache, which may require that you set its directory's ownership and/or permissions to allow write access by the user Apache is configured to run under. You may also choose to change the location of the file (for example to /var/log/shibboleth/httpd/native.log), by modifying the log4j.appender.native_log.fileName setting in $prefix/etc/shibboleth/native.logger, and appropriately creating the containing directory. The Shibboleth daemon logs to shibd.log and transaction.log in $prefix/var/log/shibboleth/. |
Protecting Content
Panel |
---|
For information on configuring Shibboleth to protect content, see the Shibboleth wiki at Internet2, as well as the information in the sections below. |
Customize the error pages
Panel | ||||
---|---|---|---|---|
You will probably also want to customize the error pages and support contact information listed in the Errors element in $prefix/etc/shibboleth/shibboleth.xml (search for "You should customize these pages!"), e.g.:
The pages are used as follows:
|
Letting the IdP know about your application
Panel | ||||
---|---|---|---|---|
We also encourage you to send the following optional information with your registration information:
The IdP doesn't really need to know your hostname. It does need to know the Provider ID that uniquely identifies your application. Typical MIT installations that use the gen-shib.sh script (see above) hide this detail from you so that we simply need the hostname. If you want to learn more about provder ID naming please see EntityNamingat the Internet2 wiki site. A single Shibboleth SP installation is designed to support multiple applications installed on that server, but there are different deployment and configuration strategies to support multiple applications. At MIT we recommend that each application be configured to use a separate Apache vhost, in addtion to simply creating additional ProviderIDs for each application. More information is available here: |
Keep your metadata up to date
While some older MIT SPs still use an MIT-issued server SSL certificate with Shibboleth (e.g. when the Shibboleth SP authenticates to an IdP), we now require using a separate, self-signed certificate for that purpose, so new installs must generate and provide us with that certificate. Please see below for details. |
Ensure your system clock is accurate
Panel |
---|
The authentication request by the SP includes a timestamp, and the IdP verifies that the timestamp is current, to prevent replay attempts. Requests with an invalid timestamp (either too far in the past, or too far in the future), will be rejected by the IdP, resulting in an error. Therefore, it is essential that your server's system clock is accurate. On Linux servers, this is typically accomplished by running |
Letting the IdP know about your application
Panel | ||||
---|---|---|---|---|
Before registering your service provider with the MIT Identity Providers, please make sure that the Shibboleth software is installed and running on your server. You should confirm that Shibboleth is running properly by connecting successfully to https://localhost/Shibboleth.sso/Status from the server; Touchstone support will attempt to confirm the SP configuration by connecting (remotely) to https://myhost/Shibboleth.sso/Metadata.
We also encourage you to send the following optional information with your registration information:
A single Shibboleth SP installation is designed to support multiple applications installed on that server, but there are different deployment and configuration strategies to support multiple applications. At MIT we recommend that each application simply be configured to use a separate Apache vhost; more complex configurations, e.g. creating separate entity IDs for each application, are also possible. For more information, please see: An example of when separate entity IDs are needed would be if one application requires a non-standard set of attributes to be released to it. Please consult with touchstone-support as needed. Once Touchstone support has created your application integration in Okta, we will provide you with the Okta external ID you will need to supply in the configuration procedure (see below) |
Configure the SP software for Touchstone
Panel | ||||||
---|---|---|---|---|---|---|
On a Linux server, the quickest way to get started is to use Touchstone's In the /etc/shibboleth directory (as root), download and run the mit-config-shib.sh script from the touchstone.mit.edu web server, e.g.:
If you are not using the Okta IdP, then you will also need to download the MIT metadata signing certificate, mit-md-cert.pem Here is a sample typescript from running the procedure for a web server whose public name (the host name entered by users as the URL to access your application) is mywebsite.mit.edu, but is hosted on a machine named simulacrum.mit.edu:
Notes:
NotesNote that some changes to the shibboleth2.xml, attribute-map.xml, and attribute-policy.xml files will be detected automatically, i.e. without requiring a restart of shibd. Note: The mit-config-shib.sh procedure described above is currently supported on Linux systems only; it should be portable to other UNIX-based systems with minimal effort. Please contact touchstone-support if you are using another operating system and having problems with the mit-config-shib.sh script. The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, apache22.config, and apache24.config, which contain needed and example directives for Apache 1.3, Apache 2.0, Apache 2.2, and Apache 2.4, respectively. If you install from Red Hat RPMs, the appropriate version of this file will be installed in shibd is a daemon that must be running, so make sure it is started at boot time. Installing from Red Hat RPMs also take care of this, by adding shibd as a managed service. The $prefix/etc/shibboleth directory will contain init files (shibd-*) for various other types of installations. On Windows/IIS machines, the shibboleth2.xml.windows-example file in the locker is a good starting point for the shibboleth2.xml file. You will need to edit the file for it to work on your server; please see the comments at the top of the file for the details. The attribute-map.xml file in the locker should work without modification. |
Log Files
Panel |
---|
The Shibboleth Apache module logs by default to httpd's own error log. The Shibboleth daemon logs to shibd.log, shibd_warn.log, and transaction.log in $prefix/var/log/shibboleth/. For information on logging by the SP, please see https://wiki.shibboleth.net/confluence/display/SP3/Logging. |
Protecting Content
Panel |
---|
For information on configuring Shibboleth to protect content, please see the Shibboleth wiki, as well as the information in the sections below. |
Customize the error pages
Panel | ||||
---|---|---|---|---|
You will probably also want to customize the error pages and support contact information listed in the <Errors> element in $prefix/etc/shibboleth/shibboleth2.xml, e.g.:
The error template files are located in $prefix/etc/shibboleth/ (you can override these locations in the <Errors> element). For more information, see https://wiki.shibboleth.net/confluence/display/SP3/Errors |
Testing your Shibboleth configuration
Panel | ||||
---|---|---|---|---|
Once your SP is properly registered with the IdP, you can test your SP's configuration by visiting either the Shibboleth handler's session initiation location (
Once you have confirmed that your SP is getting the proper set of attributes, we recommend that you set the handler's
|
Keep your metadata up to date
Panel | ||
---|---|---|
| ||
Panel | ||
|
...
Panel |
---|
We have some pointers to example code written in various lanaguageslanguages. We do expect the examples to increase over time. We are also creating some local documentation that covers the configuration of third party software. However, users are encouraged to look at resources outside of MIT as well. If you do find useful information please do bring it to our attention.our attention. For basic information on accessing attributes provided by a Shibboleth session, see: Some simple examples:
Third party applications: |
Support Resources
Support Resources
Panel | ||||||
---|---|---|---|---|---|---|
Please send email to touchstone-support for assistance with setting up your SP | ||||||
Panel | ||||||
Note | | |||||
|
Who to Contact:
Panel |
---|
Web: MIT Touchstone |