sharayumungel edited this page Mar 3, 2013 · 28 revisions

Welcome to the grisu-webstat wiki!

Shibboleth-enabling Grisu web app (with Tuakiri (test) federation):

Install Shibboleth Service Provider

  1. Installation instructions for various platforms can be found under the "Native Service Provider (SP)" section at: https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

Registering a Service Provider:

  1. Register the Service provider with the Tuakiri (Test) Federation
  2. Configure Shibboleth for the new Service Provider

For steps 1 and 2, follow the instructions at: https://tuakiri.ac.nz/confluence/display/Tuakiri/Adding+a+Service+Provider+to+the+Tuakiri+Federation

Configuring Shibboleth Service Provider:

For Windows:

The configuration below assumes the Tuakiri test federation, The University of Auckland as the identity provider, and C:\opt\shibboleth-sp\etc\shibboleth\ as the Shibboleth SP installation directory.

  • Changes to shibboleth2.xml (found in C:\opt\shibboleth-sp\etc\shibboleth):
  1. Sessions tag: change the handlerURL to an absolute URL instead of a relative one. The lifetime and timeout values can be customized.

Example:
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false"
handlerURL="https://sp.example.ac.nz/Shibboleth.sso" handlerSSL="true" cookieProps="http"
consistentAddress="false">

  2. RequestMap tag: in the Host tag, change the name to sp.example.ac.nz and set the requireSession attribute to "false"

Example:
<Host name="sp.example.ac.nz">
<Path name="secure" authType="shibboleth" requireSession="false"/>
</Host>

  3. ApplicationDefaults tag: change the entityID attribute to https://sp.example.ac.nz/shibboleth

Example:
<ApplicationDefaults entityID="https://sp.example.ac.nz/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">

  4. SSO tag: change the entityID to the identity provider's URL.

Example:
<SSO entityID="http://iam.test.auckland.ac.nz/idp" discoveryProtocol="SAMLDS" discoveryURL="https://directory.test.tuakiri.ac.nz/ds/DS">
SAML2 SAML1
</SSO>

  5. MetadataProvider tag: configure it for the Tuakiri test federation metadata.

Example:
<MetadataProvider type="XML" uri="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml" backingFilePath="metadata.tuakiri-test.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="tuakiri-test-metadata-cert.pem"/>
</MetadataProvider>

  • Ensure that the tuakiri-test-metadata-cert.pem is present in C:\opt\shibboleth-sp\etc\shibboleth
  • Ensure that sp-key.pem and sp-cert.pem are present in C:\opt\shibboleth-sp\etc\shibboleth
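As an added example (not code from the grisu-webstat wiki), the checker below parses a shibboleth2.xml and verifies the settings changed in steps 1 to 5 above: an absolute https handlerURL, a Host entry for the SP, the https://<host>/shibboleth entityID, and a MetadataProvider that checks the federation signature and validUntil. The embedded configuration is a constructed sample built from the page's own examples, with sp.example.ac.nz as the placeholder host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample built from the page's examples; sp.example.ac.nz is a placeholder host.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native"><RequestMap applicationId="default">
    <Host name="sp.example.ac.nz"><Path name="secure" authType="shibboleth" requireSession="false"/></Host>
  </RequestMap></RequestMapper>
  <ApplicationDefaults entityID="https://sp.example.ac.nz/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false"
        handlerURL="https://sp.example.ac.nz/Shibboleth.sso" handlerSSL="true" cookieProps="http">
      <SSO entityID="http://iam.test.auckland.ac.nz/idp" discoveryProtocol="SAMLDS"
          discoveryURL="https://directory.test.tuakiri.ac.nz/ds/DS">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml"
        backingFilePath="metadata.tuakiri-test.xml" reloadInterval="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="tuakiri-test-metadata-cert.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

def check_sp_config(xml_text, expected_host):
    # Returns the list of problems found; an empty list means every check passed.
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip the namespace so lookups can use bare tag names
        el.tag = el.tag.split("}")[-1]
    app = root.find("ApplicationDefaults")
    sessions = app.find("Sessions") if app is not None else None
    if sessions is None:
        return ["ApplicationDefaults or Sessions element missing"]
    findings = []
    # Step 1: handlerURL must be an absolute https URL on this SP's host.
    handler = urlparse(sessions.get("handlerURL", ""))
    if handler.scheme != "https" or handler.netloc != expected_host:
        findings.append("handlerURL is not an absolute https URL for this host")
    # Step 2: the RequestMap needs a Host entry for the SP's name.
    if expected_host not in [h.get("name") for h in root.iter("Host")]:
        findings.append(f'no <Host name="{expected_host}"> in RequestMap')
    # Step 3: entityID follows the https://<host>/shibboleth convention.
    if app.get("entityID") != f"https://{expected_host}/shibboleth":
        findings.append("entityID does not match https://<host>/shibboleth")
    # Step 5: metadata must be signature-checked and time-bounded, or a tampered or stale file would be trusted.
    for mp in app.iter("MetadataProvider"):
        filters = {f.get("type"): f for f in mp.iter("MetadataFilter")}
        sig = filters.get("Signature")
        if sig is None or not sig.get("certificate"):
            findings.append("MetadataProvider lacks a Signature filter with a certificate")
        if "RequireValidUntil" not in filters:
            findings.append("MetadataProvider lacks a RequireValidUntil filter")
    return findings
```

Run it against the real file with check_sp_config(open(path).read(), "your.sp.host") after editing shibboleth2.xml; any non-empty result points at the step to revisit.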

Steps for creating a self-signed SSL certificate using OpenSSL (Windows):

Detailed instructions can be found at: http://rubayathasan.com/tutorial/apache-ssl-on-windows/

Run the following commands from command-prompt:

  1. cd "C:\Program Files\Apache Software Foundation\Apache2.x\bin"
  2. set OPENSSL_CONF=C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf
  3. openssl req -new -out server.csr

It will prompt for several values; most can be left at their defaults, and only the following need an answer:
PEM pass phrase: the password that protects the private key you are generating (anything of your choice).
Common Name: the fully-qualified domain name associated with this certificate (e.g. www.your-domain.com).

  4. openssl rsa -in privkey.pem -out server.key
  5. Now set an expiry date for the certificate; 365 days is used below:

openssl x509 -in server.csr -out server.cert -req -signkey server.key -days 365

Changes to httpd-ssl.conf (found in C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra)

Change the following in the <VirtualHost _default_:443> section (add them if not present):

ServerName sp.example.ac.nz
ServerAdmin your@email
DocumentRoot "Your Root folder location"
ServerAlias domain.com:443
ErrorLog "logs/anyFile-error.log"
CustomLog "logs/anyFile-access.log" common
SSLEngine on
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.cert"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"

Changes to apache2.x.conf (found in C:\opt\shibboleth-sp\etc\shibboleth)

Add another section to apache2.x.conf (which is included in httpd.conf) to protect /my-app. By default, this file only protects /secure.

<Location /my-app>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shibboleth
ShibUseHeaders On
</Location>

"ShibUseHeaders On" and "requireSession" are needed for accessing the Shibboleth session and attributes in the application.