You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 31 Next »

In order to make your application use MIT Touchstone, or Shibboleth, for authentication, several steps have to be performed. MIT Information Services offers consulting services to make this process easier. However, many people at MIT are able to perform each of these simple steps with minimal intervention from IS&T.

The information below is intended to help guide you through your configuration.

Shibboleth SP version information

IS&T is currently supporting customers intending to use Shibboleth 1.3x or 2.x. We recommend that new installations use Shibboleth 2.x based SPs.

Attention

As of June 30, 2010, the Internet2 Shibboleth development team will no longer promise to supply security updates for version 1.3x. The 1.3x version will be considered end of life.

We strongly recommend that sites currently running Shibboleth 1.3 in production plan to upgrade to the current version of Shibboleth well in advance of the announced end-of-life date. This will protect against the possibility of a forced but unplanned migration from 1.3 should a security issue or incompatibility be discovered after the end-of-life date has been reached.

Information about migrating an existing Shibboleth SP 1.3x installation to version 2.x can be found at
https://wikis.mit.edu/confluence/display/TOUCHSTONE/Migrating+a+Shibboleth+1.3+SP+to+2.x

Using installers:

The most current installers from Internet2 can always be found at http://shibboleth.internet2.edu/downloads.html

The link provided above should be used if you are installing a 2.x Service Provider (SP). It is not necessary to download the -debuginfo, -devel, or -docs RPMs.

Historical installers:

Please note that we strongly recommend that no new systems be created using Shibboleth 1.3x. This software will reach its end of life on June 30th, 2010. At that time, security updates for the software will no longer be created. If you still have some need to obtain the 1.3x packages, for now they can still be obtained from Internet 2.

1.3x RPMs remain available from Internet2 for RHEL 4 and 5.

You will typically need the 5 main RPMs: log4shib, opensaml, shibboleth, xerces-c, xml-security-c.
You should normally skip the -devol, -debug, and -doc RPMs from the Internet2 RPM download site.
If your system does not already have curl installed, you will need to install it (via the stock RHEL RPM).

A 1.3x installer for IIS is also available from Internet2.

Some other Linux distributions also maintain binary installers available from the OS distribution point. If you have questions about other distributions please contact touchstone-support and indicate what operating distribution and version you are using.

Building from source:

The Touchstone team recommends that you use the installers available from Internet2 or your operating system vendor.

However, if you need to build from source, please read the following pages:

Once you have built the software successfully, you will need to configure and customize it for use.

Certificate request and configuration

Before proceeding to "Configuration and customization for use" you should obtain a server certificate.

Please make sure that you use lower case servernames in your certificate request. The server name within the certifiacte is case sensitive.

Information about how to generate a certificate request and where to send the request can be found in https://wikis.mit.edu/confluence/display/WSWG/How+to+acquire+and+verify+a+M.I.T.+x509+Server+Certificate

Historical note:

If your server already has a server certificate issued by the MIT Certificate Authority, and it was issued after July 1st, 2008, and it has not expired, you should be able to use it with Shibboleth/MIT Touchstone. If the server certificate was issued prior to July 1st, 2008, you probably need to obtain a new server certificate.

Configure the SP software

The quickest way to get started is to copy the following files from the Touchstone locker (/mit/touchstone/config/shibboleth2-sp) into /etc/shibboleth:

  • attribute-map.xml
  • gen-shib2.sh
  • shibboleth2.xml.in

Note: If you do not have AFS installed on your server, then you can access the above files via http, either from a browser or using wget. The URL is http://web.mit.edu/touchstone/config/shibboleth2-sp/

Then run the gen-shib2.sh script, and answer the prompts, to generate shibboleth2.xml. For example:# cd /etc/shibboleth

  1. cp /mit/touchstone/config/shibboleth2-sp/* .
  2. sh gen-shib2.sh

Note that any changes to the shibboleth2.xml, attribute-map.xml, and attribute-policy.xml files will be detected automatically, i.e. without requiring a restart of shibd.

Note: The gen-shib2.sh procedure described above currently works only on Linux and Solaris systems; it should be portable to other UNIX-based systems without too much effort. Please contact touchstone-support if you are using another operating system and having problems with the gen-shib2.sh script.

The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.

The directory also contains a shibd init script for Red Hat (shibd-redhat) and Debian (shibd-debian) systems.

On Red Hat machines, copy shibd-redhat to /etc/init.d/shibd, make sure it is executable, add it as a managed service with "chkconfig --add shibd", and enable it for run levels 3, 4, and 5 ("chkconfig --level 345 shibd on").

On Solaris machines, the gen-shib.sh script will generate a shibd init script (from shibd.in); this should be installed into /etc/init.d, and configured to start at boot time, after httpd has started.

NOTE: shibd is a daemon that must be running, so make sure it is started at boot time, after Apache httpd has been started.

Historical information

Configuring and customizing the Shibboleth 1.3x SP

Log Files

The Shibboleth Apache module logs by default to $prefix/var/log/httpd/native.log.

This file must be writable by Apache, which may require that you set its directory's ownership and/or permissions to allow write access by the user Apache is configured to run under. You may also choose to change the location of the file, by modifying the log4j.appender.native_log.fileName setting in $prefix/etc/shibboleth/native.logger.

Protecting Content

For information on configuring Shibboleth to protect content, see the Shibboleth wiki at Internet2, as well as the information in the sections below.

Customize the error pages

This is optional, but recommended.

You will probably also want to customize the error pages and support contact information listed in the Errors element in $prefix/etc/shibboleth/shibboleth.xml (search for "You should customize these pages!"), e.g.:

<Errors session="/usr/local/shibboleth/etc/shibboleth/sessionError.html"
  metadata="/usr/local/shibboleth/etc/shibboleth/metadataError.html"
  rm="/usr/local/shibboleth/etc/shibboleth/rmError.html"
  access="/usr/local/shibboleth/etc/shibboleth/accessError.html"
  ssl="/usr/local/shibboleth/etc/shibboleth/sslError.html"
  supportContact="root@localhost"
  logoLocation="/shibboleth-sp/logo.jpg"
  styleSheet="/shibboleth-sp/main.css"/>

The pages are used as follows:

  • session
        displayed if a session cannot be created after successful authentication,
        for example if shibd is not running. In a standard configuration, you can
        force this page to be displayed by visiting the server's /Shibboleth.sso location, e.g.:
        https://my-sp.mit.edu/Shibboleth.sso
  • metadata
        displayed in certain cases where there is no valid metadata
        for an identity provider. This should not happen using our
        standard configuration; it should only be possible when
        using the Artifact profile, or "lazy sessions", and there
        is a configuration problem.  You can force the page to be
        displayed by visiting:
        https://my-sp.mit.edu/Shibboleth.sso?providerId=NoSuchIdP
  • rm
        displayed when an exception occurs when exporting assertions into
        request headers.  This indicates a software problem, and should
        not happen.
  • access
        displayed for access control failures.  This should only
        happen if you have access control directives in the Apache
        configuration for your Shibboleth-protected content.  You
        can force the page to be displayed by adding an access
        control directive that is certain to fail, for example
        "require NoSuchAlias" (remember to remove this configuration
        when you have completed testing).
  • ssl
        displayed when a POST is attempted using http instead of https,
        and RedirectToSSL is in effect.  This should not happen on a
        properly configured server.

Letting the IdP know about your application

Until the MIT Identity Providers know about your application, they won't release information about an authenticated user to your server. Each Touchstone enabled application running on a server needs to be registered with the IdPs.

To register your application server with the MIT IdPs sendmail to touchstone-support with the following information:

  • A contact email address. We strongly recommend that this be an email list rather than an indivdual's persoanl email address.
  • The server or host name. If you have multiple applications installed on the same server, you will actually need to register each application's provider ID. See below for more details.
  • Organization name. This is typically the name of the MIT department, lab, or center running the application.
  • Organization URL. The URL that provides some basic information about your department, lab, or center.

We also encourage you to send the following optional information with your registration information:

  • The application URL. The actual URL which will be used to access your application.
  • Your server platform. (RHEL 4, RHEL 5, Windows, Debian, Solaris, ...)

The IdP doesn't really need to know your hostname. It does need to know the Provider ID that uniquely identifies your application. Typical MIT installations that use the gen-shib.sh script (see above) hide this detail from you so that we simply need the hostname. If you want to learn more about provder ID naming please see EntityNamingat the Internet2 wiki site.

A single Shibboleth SP installation is designed to support multiple applications installed on that server, but there are different deployment and configuration strategies to support multiple applications. At MIT we recommend that each application be configured to use a separate Apache vhost, in addtion to simply creating additional ProviderIDs for each application. More information is available here:

Keep your metadata up to date

You should ensure that your SP's copy of the MIT metadata is kept up to date. The current metadata is available in http://web.mit.edu/touchstone/shibboleth/config/metadata/MIT-metadata.xml.

The easiest way to maintain the metadata is via a cron job which runs a script to download and install the latest metadata. A sample of such a script is available in http://web.mit.edu/touchstone/shibboleth/config/metadata/update-metadata.sh-example. Adjust it as necessary for your installation; in particular, if you did not install from the stock RPMs from Internet2, you will need to adjust the setting for the Shibboleth etc directory at the top of the script.

The Shibboleth SP software detects and loads the updated metadata automatically; there is no need to restart the web server or shibd.

Example code and configuration information for third party applications

We have some pointers to example code written in various lanaguages. We do expect the examples to increase over time. We are also creating some local documentation that covers the configuration of third party software. However, users are encouraged to look at resources outside of MIT as well. If you do find useful information please do bring it to our attention.

Some simple examples:

  • Display the results of the SAML assertion in various languages.

Third party applications:

Support Resources

Consulting Services:

Consulting service may be arranged by sending mail to touchstone-support. This will open an RT case and a person will be assigned to work with you.

Training

Classes held during IAP of 2009 were poorly attended. No training classes are scheduled at this time. If you are interested, please send mail to touchstone-support. If there is sufficient interest a class will be scheduled and you will be informed.

Who to Contact:

Web: MIT Touchstone
Email: touchstone-support@mit.edu

  • No labels