In order to make your application use MIT Touchstone, or Shibboleth, for authentication, several steps have to be performed. MIT Information Services offers consulting services to make this process easier. However, many people at MIT are able to perform each of these simple steps with minimal intervention from IS&T. The information below is intended to help guide you through your configuration.
Shibboleth SP version information
IS&T is currently supporting customers intending to use Shibboleth 1.3x or 2.x. We recommend that new installations use Shibboleth 2.x based SPs.
Using installers:
Some other Linux distributions also maintain binary installers available from the OS distribution point. If you have questions about other distributions please contact touchstone-support and indicate what operating distribution and version you are using.
Building from source:
However, if you need to build from source, please read the following pages:
Once you have built the software successfully, you will need to configure and customize it for use.
Certificate request and configuration
Please make sure that you use lower case server names in your certificate request. The server name within the certificate is case sensitive. Information about how to generate a certificate request and where to send the request can be found in https://wikis.mit.edu/confluence/display/WSWG/How+to+acquire+and+verify+a+M.I.T.+x509+Server+Certificate
Configuration and customization for use
Note: The gen-shib.sh procedure described below currently works only on Linux and Solaris systems; it should be portable to other UNIX-based systems without too much effort.
When you have successfully built and installed the Shibboleth SP, you will need to configure things to work against our test and pilot IdPs. We have some template files and a script in AFS (the touchstone locker) to generate the needed config files from the templates: cd to shibboleth's etc directory ($prefix/etc/shibboleth), and copy in the following files from /mit/touchstone/shibboleth/config/shibboleth-sp/ (or just copy all files from the directory):
Note: If you do not have AFS installed on your server, then you can access the above files via http, either from a browser or using wget. The URL is http://web.mit.edu/touchstone/shibboleth/config/shibboleth-sp/
On Solaris, also copy:
Then run the gen-shib.sh script (sh ./gen-shib.sh) and answer its prompts, which will hopefully be clear. Remember that the certificate it wants should be enabled for client as well as server use. Any MIT server certificates created after July 2008 are enabled for client as well as server use.
The $prefix/etc/shibboleth directory will contain apache.config, apache2.config, and apache22.config, which contain needed and example directives for Apache 1.3, Apache 2.0, and Apache 2.2, respectively; copy and/or include the appropriate file in your Apache config, and customize as needed.
The directory also contains a shibd init script for Red Hat (shibd-redhat) and Debian (shibd-debian) systems. On Red Hat machines, copy shibd-redhat to /etc/init.d/shibd, make sure it is executable, add it as a managed service with "chkconfig --add shibd", and enable it for run levels 3, 4, and 5 ("chkconfig --level 345 shibd on"). On Solaris machines, the gen-shib.sh script will generate a shibd init script (from shibd.in); this should be installed into /etc/init.d, and configured to start at boot time, after httpd has started.
NOTE: shibd is a daemon that must be running, so make sure it is started at boot time, after Apache httpd has been started.
The Shibboleth Apache module logs by default to $prefix/var/log/httpd/native.log. This file must be writable by Apache, which may require that you set its directory's ownership and/or permissions to allow write access by the user Apache is configured to run under. You may also choose to change the location of the file, by modifying the log4j.appender.native_log.fileName setting in $prefix/etc/shibboleth/native.logger.
For information on configuring Shibboleth to protect content, see the Shibboleth wiki at Internet2, as well as the information in the sections below.
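Before handing a certificate to gen-shib.sh it is worth checking the two properties this page calls out: a lower case server name in the subject (the name is matched case sensitively) and a certificate enabled for client as well as server use. The script below is an added example written for this page; it is not from the touchstone locker or the Shibboleth project. It assumes only that the openssl command-line tool is installed, and the self-signed test certificate it can generate exists purely to exercise the checks, never for a real SP.

```shell
#!/bin/sh
# check_sp_cert.sh: pre-flight checks on the X.509 certificate you will give
# to gen-shib.sh. Constructed example for this page; assumes the openssl CLI.

# Print the subject CN of a PEM certificate. Handles both the old
# "subject= /CN=x" and the newer "subject=CN = x" output formats.
cert_cn() {
  openssl x509 -in "$1" -noout -subject 2>/dev/null \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' \
    | sed 's/[[:space:]]*$//'
}

# True when the CN is non-empty and entirely lower case.
cn_is_lowercase() {
  cn=$(cert_cn "$1")
  [ -n "$cn" ] && [ "$cn" = "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" ]
}

# True when the Extended Key Usage extension lists the given purpose,
# named as "openssl x509 -text" prints it, e.g. "TLS Web Client Authentication".
cert_has_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
    | grep -q "$2"
}

# Run every check; exit status 0 only when the certificate meets both rules.
check_sp_cert() {
  rc=0
  if cn_is_lowercase "$1"; then
    echo "ok: CN '$(cert_cn "$1")' is lower case"
  else
    echo "FAIL: CN '$(cert_cn "$1")' must be lower case (server names are case sensitive)"
    rc=1
  fi
  for use in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
    if cert_has_eku "$1" "$use"; then
      echo "ok: certificate enabled for $use"
    else
      echo "FAIL: certificate is not enabled for $use"
      rc=1
    fi
  done
  return $rc
}

# Make a self-signed throwaway certificate to exercise the checks.
# $1 = output PEM path, $2 = CN, $3 = extendedKeyUsage list (e.g. serverAuth,clientAuth).
# A real SP uses the MIT-issued certificate, never one made here.
make_test_cert() {
  cfg="$1.cnf"
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3\n[dn]\nCN = %s\n[v3]\nextendedKeyUsage = %s\n' "$2" "$3" > "$cfg"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -config "$cfg" >/dev/null 2>&1
}

# Usage: sh check_sp_cert.sh /path/to/server-cert.pem
if [ $# -gt 0 ]; then
  check_sp_cert "$1"
fi
```

A non-zero exit status means the certificate would fail one of the two requirements above and should be fixed (or reissued) before gen-shib.sh is run; the EKU check relies on the human-readable names that openssl x509 -text prints, so it is a convenience check rather than a full extension parser.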
You will probably also want to customize the error pages and support contact information listed in the Errors element in $prefix/etc/shibboleth/shibboleth.xml (search for "You should customize these pages!"), e.g.:
    <Errors session="/usr/local/shibboleth/etc/shibboleth/sessionError.html"
            metadata="/usr/local/shibboleth/etc/shibboleth/metadataError.html"
            rm="/usr/local/shibboleth/etc/shibboleth/rmError.html"
            access="/usr/local/shibboleth/etc/shibboleth/accessError.html"
            ssl="/usr/local/shibboleth/etc/shibboleth/sslError.html"
            supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
The pages are used as follows:
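A quick way to catch an Errors element that still carries the shipped placeholders (a page path that does not exist on disk, or supportContact left at root@localhost) is to lint shibboleth.xml before starting shibd. The following is an added example for this page, not part of the Shibboleth SP; it assumes the single-tag <Errors .../> form shown above, with each attribute on the same element.

```shell
#!/bin/sh
# lint_shib_errors.sh: check that the Errors element in shibboleth.xml has been
# customized. Constructed example for this page; not from the Shibboleth project.

# Print the attribute text of the <Errors .../> element in a shibboleth.xml file.
errors_element() {
  tr '\n' ' ' < "$1" | sed -n 's/.*<Errors\([^>]*\)>.*/\1/p'
}

# Print the value of attribute $2 from the attribute text $1 (empty if unset).
attr_value() {
  printf '%s' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Exit status 0 only when every configured page exists and the support
# contact is no longer the placeholder.
check_errors_element() {
  conf=$1
  rc=0
  attrs=$(errors_element "$conf")
  if [ -z "$attrs" ]; then
    echo "FAIL: no Errors element found in $conf"
    return 1
  fi
  # The five page attributes named on this page.
  for a in session metadata rm access ssl; do
    page=$(attr_value "$attrs" "$a")
    if [ -z "$page" ]; then
      echo "warn: $a page is not set (the SP will fall back to a built-in page)"
    elif [ ! -r "$page" ]; then
      echo "FAIL: $a page $page does not exist or is unreadable"
      rc=1
    else
      echo "ok: $a -> $page"
    fi
  done
  contact=$(attr_value "$attrs" supportContact)
  case "$contact" in
    ""|*@localhost)
      echo "FAIL: supportContact is still the placeholder '$contact'"
      rc=1 ;;
    *)
      echo "ok: supportContact is $contact" ;;
  esac
  return $rc
}

# Usage: sh lint_shib_errors.sh $prefix/etc/shibboleth/shibboleth.xml
if [ $# -gt 0 ]; then
  check_errors_element "$1"
fi
```

The sed-based attribute extraction is deliberately simple; if your shibboleth.xml splits the Errors element across several tags or comments out a copy, run the check against the live element only.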
Letting the IdP know about your application
We also encourage you to send the following optional information with your registration information:
The IdP doesn't really need to know your hostname. It does need to know the Provider ID that uniquely identifies your application. Typical MIT installations that use the gen-shib.sh script (see above) hide this detail from you, so that for registration we simply need the hostname. If you want to learn more about provider ID naming please see EntityNaming at the Internet2 wiki site. A single Shibboleth SP installation is designed to support multiple applications installed on that server, but there are different deployment and configuration strategies to support multiple applications. At MIT we recommend that each application be configured to use a separate Apache vhost, in addition to simply creating additional ProviderIDs for each application. More information is available here: Shib 1.3 Add Separate Application.
Keep your metadata up to date
Example code and configuration information for third party applications
We have some pointers to example code written in various languages. We do expect the examples to increase over time. We are also creating some local documentation that covers the configuration of third party software. However, users are encouraged to look at resources outside of MIT as well. If you do find useful information please do bring it to our attention. Some simple examples:
Third party applications:
Support Resources
Who to Contact:
Web: MIT Touchstone