Configuring Shibboleth 1.0 target side on
Debian GNU/Linux testing/i386 (sarge)
-----------------------------------------
* location: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.0/
* [where you also find sample config files]
* authors: Thomas Lenggenhager & Urs Marti, SWITCH
* contact: aai@switch.ch
* version: 2.3 - 20030711
* This guide is only an addition to the original Shibboleth 1.0
* Target-Deployment Guide which you should read first.
* References to that original guide are marked as
* (see TARG-chapter#)
PHP4 (see TARG-3.a)
----
There is no problem with interoperating with PHP4 under Debian,
since the Debian package 'php4' neither includes 'pspell' nor
'xslt-sablot'.
/etc/init.d/apache (see TARG-3.c)
------------------
A modified apache init script for Debian, which also starts and shuts down
the shar process, can be found in the sample file
init.d-apache-debian
/etc/apache/httpd.conf (see TARG-3.c, TARG-4.d, TARG-5.a)
--------------------------
# this is just an extract of an Apache 1.3.x httpd.conf file with
# the special things required for SWITCHaai integration.
LoadModule shibrm_module /usr/local/libexec/mod_shibrm.so
LoadModule shire_module /usr/local/libexec/mod_shire.so
SHIREConfig /usr/local/etc/shibboleth/shibboleth.ini
SHIREURL /shibboleth/SHIRE
# the SHIRE POST handler must be bound to exactly the path given as SHIREURL
<Location /shibboleth/SHIRE>
SetHandler shib-shire-post
</Location>
# Be aware - the URIs of the standard attribute mappings starting with
# urn:mace:dir:attribute-def
# might still change, as there was no final agreement yet within Internet2 MACE on them.
#
ShibMapAttribute urn:mace:dir:attribute-def:sn Shib-LDAP-Surname surname
ShibMapAttribute urn:mace:dir:attribute-def:telephoneNumber Shib-LDAP-telephoneNumber telephoneNumber
ShibMapAttribute urn:mace:dir:attribute-def:facsimileTelephoneNumber Shib-LDAP-facsimileTelephoneNumber facsimileTelephoneNumber
ShibMapAttribute urn:mace:dir:attribute-def:postalAddress Shib-LDAP-postalAddress postalAddress
ShibMapAttribute urn:mace:dir:attribute-def:givenName Shib-LDAP-givenName givenName
ShibMapAttribute urn:mace:dir:attribute-def:homePhone Shib-LDAP-homePhone homePhone
ShibMapAttribute urn:mace:dir:attribute-def:homePostalAddress Shib-LDAP-homePostalAddress homePostalAddress
ShibMapAttribute urn:mace:dir:attribute-def:mail Shib-LDAP-mail mail
ShibMapAttribute urn:mace:dir:attribute-def:mobile Shib-LDAP-mobile mobile
ShibMapAttribute urn:mace:dir:attribute-def:preferredLanguage Shib-LDAP-preferredLanguage preferredLanguage
#
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonPrincipalName Shib-EP-PrincipalName eppn
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonAffiliation Shib-EP-Affiliation affiliation
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation Shib-EP-ScopedAffiliation scopedAffiliation
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonEntitlement Shib-EP-Entitlement entitlement
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonOrgDN Shib-EP-OrgDN orgDN
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonOrgUnitDN Shib-EP-OrgUnitDN orgUnitDN
#
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID Shib-SwissEP-UniqueID uniqueID
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth Shib-SwissEP-DateOfBirth dateOfBirth
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonGender Shib-SwissEP-Gender gender
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization Shib-SwissEP-HomeOrganization homeOrganization
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType Shib-SwissEP-HomeOrganizationType homeOrganizationType
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1 Shib-SwissEP-StudyBranch1 studyBranch1
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2 Shib-SwissEP-StudyBranch2 studyBranch2
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3 Shib-SwissEP-StudyBranch3 studyBranch3
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel Shib-SwissEP-StudyLevel studyLevel
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory Shib-SwissEP-StaffCategory staffCategory
# some sample authorization restrictions derived from the SWITCHaai demo server.
# Each of the following blocks belongs inside its own <Location ...> or
# <Directory ...> container for the path it protects (the container lines
# are not part of this extract). The first argument to 'require' is the
# alias defined by the corresponding ShibMapAttribute line above; '~'
# selects a regular-expression match on the attribute value.
#
AuthType shibboleth
ShibExportAssertion On
require uniqueID 3141592@domain.ch
AuthType shibboleth
ShibExportAssertion On
require valid-user
AuthType shibboleth
ShibExportAssertion On
require affiliation ~ ^staff$
AuthType shibboleth
ShibExportAssertion On
require affiliation ~ ^student$
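The four `require` forms in the extract above (valid-user, an exact value, and a `~` regular expression) are evaluated here in a small Python model, as an added example that is not part of the SWITCH guide or the Shibboleth code. It assumes the header names from the ShibMapAttribute lines and that multi-valued attributes arrive as one header with values joined by ';' (assumption); the sample headers are constructed.

```python
import re

# Constructed sample: the headers mod_shibrm would export for one request
# after the ShibMapAttribute mappings. The ';'-joined multi-value form is
# an assumption of this example.
SAMPLE_HEADERS = {
    "Shib-EP-Affiliation": "member;staff",
    "Shib-SwissEP-UniqueID": "3141592@domain.ch",
}

# alias -> header name, taken from the ShibMapAttribute lines (subset)
ALIASES = {
    "affiliation": "Shib-EP-Affiliation",
    "uniqueID": "Shib-SwissEP-UniqueID",
}


def attribute_values(headers, alias):
    """Return the individual values of a mapped attribute, [] if absent."""
    raw = headers.get(ALIASES.get(alias, ""), "")
    return [v for v in raw.split(";") if v]


def require_allows(rule, headers):
    """Evaluate one 'require ...' line against the exported headers.

    'require valid-user'         -> any authenticated session (modelled as
                                    'some attribute headers are present')
    'require <alias> <v1> [v2..]'-> exact match on at least one value
    'require <alias> ~ <regex>'  -> regex search on at least one value,
                                    so anchors (^...$) decide whether
                                    'nonstaff' also satisfies 'staff'.
    """
    parts = rule.split()
    if parts[:1] != ["require"] or len(parts) < 2:
        raise ValueError("not a require rule: %r" % rule)
    if parts[1:] == ["valid-user"]:
        return bool(headers)
    alias = parts[1]
    values = attribute_values(headers, alias)
    if len(parts) >= 4 and parts[2] == "~":
        pattern = re.compile(" ".join(parts[3:]))
        return any(pattern.search(v) for v in values)
    wanted = parts[2:]
    return any(v in wanted for v in values)
```

Running `require affiliation ~ staff` against an affiliation of `nonstaff` passes while `^staff$` does not, which is why the rules in the extract are anchored.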
/usr/local/etc/shibboleth/shar.logger
-------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shar.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
/usr/local/etc/shibboleth/shire.logger
--------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shire.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
/var/log/shibboleth
-------------------
Make the directory for the shar and shire logfiles:
$ su
Password:
# mkdir /var/log/shibboleth
# exit
/usr/local/etc/shibboleth/shibboleth.ini (see TARG-4)
----------------------------------------
[general]
logger=/usr/local/etc/shibboleth/shibboleth.logger
schemadir=/usr/local/etc/shibboleth
sharsocket=/tmp/shar-socket
# SERVER CONFIGURATION
# Optional
#normalizeRequest = true
#checkIPAddress = true
supportContact=target-support@domain.ch
logoLocation=/logo.gif
# Mandatory
wayfURL = https://wayf1.switch.ch/SWITCHaai/WAYF
cookieName = shib-cookie
# false lets the SHIRE accept the authentication POST over plain HTTP as well;
# set it to true once the target is reachable via HTTPS only
shireSSLOnly = false
shireError=/usr/local/etc/shibboleth/shireError.html
rmError=/usr/local/etc/shibboleth/rmError.html
accessError=/usr/local/etc/shibboleth/accessError.html
[shire]
logger=/usr/local/etc/shibboleth/shire.logger
#aap-uri=/usr/local/etc/shibboleth/AAP.xml
metadata=metadata_shire
[shar]
logger=/usr/local/etc/shibboleth/shar.logger
metadata=metadata_shar
# Should provide a key-pair and certificate
# Can use mod_ssl's server.crt/server.key if you set the file permissions
# so that the shar process can read them
certfile=/etc/apache/ssl.crt/serverKey.crt
keyfile=/etc/apache/ssl.key/serverKey.key
#keypass=
calist=/etc/apache/ssl.crt/ca-bundle.crt
# Controls timeouts for AA queries (in seconds)
AATimeout=60
AAConnectTimeout=30
# The following shar items are for caching parameters
cacheType=memory
# how often to run the cache cleanup (in seconds)
cacheClean=300
# idle timeout (in seconds)
cacheTimeout=14400
[metadata_shire]
edu.internet2.middleware.shibboleth.metadata.XML=/usr/local/etc/shibboleth/sites.xml
[metadata_shar]
edu.internet2.middleware.shibboleth.metadata.XML=/usr/local/etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.trust.XML=/usr/local/etc/shibboleth/trust.xml
[attributes]
# These are sample eduPerson attributes used in the InCommon pilot.
# When defining new attributes, be sure to define them in the AAP file, if any,
# as well as defining them to Apache or other web server.
urn:mace:dir:attribute-def:eduPersonPrincipalName=scoped
urn:mace:dir:attribute-def:eduPersonAffiliation=simple
urn:mace:dir:attribute-def:eduPersonScopedAffiliation=scoped
urn:mace:dir:attribute-def:eduPersonEntitlement=simple
urn:mace:dir:attribute-def:eduPersonOrgDN=simple
urn:mace:dir:attribute-def:eduPersonOrgUnitDN=simple
urn:mace:dir:attribute-def:sn=simple
urn:mace:dir:attribute-def:telephoneNumber=simple
urn:mace:dir:attribute-def:facsimileTelephoneNumber=simple
urn:mace:dir:attribute-def:postalAddress=simple
urn:mace:dir:attribute-def:givenName=simple
urn:mace:dir:attribute-def:homePhone=simple
urn:mace:dir:attribute-def:homePostalAddress=simple
urn:mace:dir:attribute-def:mail=simple
urn:mace:dir:attribute-def:mobile=simple
urn:mace:dir:attribute-def:preferredLanguage=simple
urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID=simple
urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth=simple
urn:mace:switch.ch:attribute-def:swissEduPersonGender=simple
urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization=simple
urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory=simple
[policies]
# This is a sample policy URI used by the InCommon pilot origins.
# You can filter incoming users at a high level by listing the policies to allow.
# InQueue=urn:mace:inqueue
SWITCHaai=urn:mace:switch.ch:SWITCHaai:pilot
[my.server.name]
# list of attributes to request for server "my.server.name"
# requests everything if this doesn't exist or is empty
requestAttributes =
AAP.xml (see TARG-4.e)
-------
There is no sample config available yet. We first have to test it
ourselves; it will be supplied later on.