Configuring Shibboleth 1.0 target side on Debian GNU/Linux testing/i386 (sarge)
-------------------------------------------------------------------------------

* location: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.0/
  [where you also find sample config files]
* authors:  Thomas Lenggenhager & Urs Marti, SWITCH
* contact:  aai@switch.ch
* version:  2.3 - 20030711

* This guide is only an addition to the original Shibboleth 1.0
  Target-Deployment Guide, which you should read first.
  References to that original guide are marked as (see TARG-chapter#).


PHP4 (see TARG-3.a)
----
There is no problem interoperating with PHP4 under Debian, since the Debian
package 'php4' includes neither 'pspell' nor 'xslt-sablot'.


/etc/init.d/apache (see TARG-3.c)
------------------
A modified Apache init script for Debian, which also starts and shuts down the
shar process, is provided in the sample file init.d-apache-debian.


/etc/apache/httpd.conf (see TARG-3.c, TARG-4.d, TARG-5.a)
----------------------
# This is just an extract of an Apache 1.3.x httpd.conf file with
# the special things required for SWITCHaai integration.

LoadModule shibrm_module /usr/local/libexec/mod_shibrm.so
LoadModule shire_module  /usr/local/libexec/mod_shire.so

SHIREConfig /usr/local/etc/shibboleth/shibboleth.ini
SHIREURL    /shibboleth/SHIRE

<Location /shibboleth/SHIRE>
  SetHandler shib-shire-post
</Location>

# Be aware: the URIs of the standard attribute mappings starting with
# urn:mace:dir:attribute-def
# might still change; there was no final agreement yet within Internet2 MACE.
#
# ShibMapAttribute <attribute URI> <exported HTTP header> <alias used in 'require'>
#
ShibMapAttribute urn:mace:dir:attribute-def:sn Shib-LDAP-Surname surname
ShibMapAttribute urn:mace:dir:attribute-def:telephoneNumber Shib-LDAP-telephoneNumber telephoneNumber
ShibMapAttribute urn:mace:dir:attribute-def:facsimileTelephoneNumber Shib-LDAP-facsimileTelephoneNumber facsimileTelephoneNumber
ShibMapAttribute urn:mace:dir:attribute-def:postalAddress Shib-LDAP-postalAddress postalAddress
ShibMapAttribute urn:mace:dir:attribute-def:givenName Shib-LDAP-givenName givenName
ShibMapAttribute urn:mace:dir:attribute-def:homePhone Shib-LDAP-homePhone homePhone
ShibMapAttribute urn:mace:dir:attribute-def:homePostalAddress Shib-LDAP-homePostalAddress homePostalAddress
ShibMapAttribute urn:mace:dir:attribute-def:mail Shib-LDAP-mail mail
ShibMapAttribute urn:mace:dir:attribute-def:mobile Shib-LDAP-mobile mobile
ShibMapAttribute urn:mace:dir:attribute-def:preferredLanguage Shib-LDAP-preferredLanguage preferredLanguage
#
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonPrincipalName Shib-EP-PrincipalName eppn
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonAffiliation Shib-EP-Affiliation affiliation
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation Shib-EP-ScopedAffiliation scopedAffiliation
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonEntitlement Shib-EP-Entitlement entitlement
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonOrgDN Shib-EP-OrgDN orgDN
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonOrgUnitDN Shib-EP-OrgUnitDN orgUnitDN
#
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID Shib-SwissEP-UniqueID uniqueID
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth Shib-SwissEP-DateOfBirth dateOfBirth
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonGender Shib-SwissEP-Gender gender
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization Shib-SwissEP-HomeOrganization homeOrganization
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType Shib-SwissEP-HomeOrganizationType homeOrganizationType
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1 Shib-SwissEP-StudyBranch1 studyBranch1
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2 Shib-SwissEP-StudyBranch2 studyBranch2
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3 Shib-SwissEP-StudyBranch3 studyBranch3
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel Shib-SwissEP-StudyLevel studyLevel
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory Shib-SwissEP-StaffCategory staffCategory

# Some sample authorization restrictions derived from the SWITCHaai demo server.
# Each of the following blocks belongs inside its own <Location> or
# <Directory> container for the resource it protects.
#
AuthType shibboleth
ShibExportAssertion On
require uniqueID 3141592@domain.ch

AuthType shibboleth
ShibExportAssertion On
require valid-user

AuthType shibboleth
ShibExportAssertion On
require affiliation ~ ^staff$

AuthType shibboleth
ShibExportAssertion On
require affiliation ~ ^student$


/usr/local/etc/shibboleth/shar.logger
-------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shar.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n


/usr/local/etc/shibboleth/shire.logger
--------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shire.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n


/var/log/shibboleth
-------------------
Make the directory for the shar and shire logfiles:

  $ su
  Password:
  # mkdir /var/log/shibboleth
  # exit


/usr/local/etc/shibboleth/shibboleth.ini (see TARG-4)
----------------------------------------
[general]
logger=/usr/local/etc/shibboleth/shibboleth.logger
schemadir=/usr/local/etc/shibboleth
sharsocket=/tmp/shar-socket

# SERVER CONFIGURATION

# Optional
#normalizeRequest = true
#checkIPAddress = true
supportContact=target-support@domain.ch
logoLocation=/logo.gif

# Mandatory
wayfURL = https://wayf1.switch.ch/SWITCHaai/WAYF
cookieName = shib-cookie
shireSSLOnly = false
shireError=/usr/local/etc/shibboleth/shireError.html
rmError=/usr/local/etc/shibboleth/rmError.html
accessError=/usr/local/etc/shibboleth/accessError.html

[shire]
logger=/usr/local/etc/shibboleth/shire.logger
#aap-uri=/usr/local/etc/shibboleth/AAP.xml
metadata=metadata_shire

[shar]
logger=/usr/local/etc/shibboleth/shar.logger
metadata=metadata_shar

# Should provide a key-pair and certificate
# Can use mod_ssl's server.crt/server.key if you set file permissions
certfile=/etc/apache/ssl.crt/serverKey.crt
keyfile=/etc/apache/ssl.key/serverKey.key
#keypass=
calist=/etc/apache/ssl.crt/ca-bundle.crt

# Controls timeouts for AA queries (in seconds)
AATimeout=60
AAConnectTimeout=30

# The following shar items are for caching parameters
cacheType=memory
# how often to run the cache cleanup (in seconds)
cacheClean=300
# idle timeout (in seconds)
cacheTimeout=14400

[metadata_shire]
edu.internet2.middleware.shibboleth.metadata.XML=/usr/local/etc/shibboleth/sites.xml

[metadata_shar]
edu.internet2.middleware.shibboleth.metadata.XML=/usr/local/etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.trust.XML=/usr/local/etc/shibboleth/trust.xml

[attributes]
# These are sample eduPerson attributes used in the InCommon pilot.
# When defining new attributes, be sure to define them in the AAP file, if any,
# as well as defining them to Apache or other web server.
urn:mace:dir:attribute-def:eduPersonPrincipalName=scoped
urn:mace:dir:attribute-def:eduPersonAffiliation=simple
urn:mace:dir:attribute-def:eduPersonScopedAffiliation=scoped
urn:mace:dir:attribute-def:eduPersonEntitlement=simple
urn:mace:dir:attribute-def:eduPersonOrgDN=simple
urn:mace:dir:attribute-def:eduPersonOrgUnitDN=simple
urn:mace:dir:attribute-def:sn=simple
urn:mace:dir:attribute-def:telephoneNumber=simple
urn:mace:dir:attribute-def:facsimileTelephoneNumber=simple
urn:mace:dir:attribute-def:postalAddress=simple
urn:mace:dir:attribute-def:givenName=simple
urn:mace:dir:attribute-def:homePhone=simple
urn:mace:dir:attribute-def:homePostalAddress=simple
urn:mace:dir:attribute-def:mail=simple
urn:mace:dir:attribute-def:mobile=simple
urn:mace:dir:attribute-def:preferredLanguage=simple
urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID=simple
urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth=simple
urn:mace:switch.ch:attribute-def:swissEduPersonGender=simple
urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization=simple
urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel=simple
urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory=simple

[policies]
# This is a sample policy URI used by the InCommon pilot origins.
# You can filter incoming users at a high level by listing the policies to allow.
# InQueue=urn:mace:inqueue
SWITCHaai=urn:mace:switch.ch:SWITCHaai:pilot

[my.server.name]
# list of attributes to request for server "my.server.name"
# requests everything if this doesn't exist or is empty
requestAttributes =


AAP.xml (see TARG-4.e)
-------
There is no sample config available yet. We first have to test it ourselves;
it will be supplied later on.
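The sample 'require' rules in the httpd.conf section above are decided by mod_shibrm from the attributes the SHAR obtained and ShibMapAttribute mapped. The following Python is an added illustration, not code from the SWITCH guide or from Shibboleth: it models that decision for the valid-user, exact-value and '~' regex forms, assuming the '~' form is an unanchored regex search (which is why the rules on this page anchor with ^ and $); the attribute map excerpt and the two sessions are constructed sample data.

```python
import re

# Constructed excerpt in the syntax of the httpd.conf extract above (sample
# data, not the page's file): ShibMapAttribute <attribute URI> <header> <alias>.
HTTPD_CONF = """
ShibMapAttribute urn:mace:dir:attribute-def:eduPersonAffiliation Shib-EP-Affiliation affiliation
ShibMapAttribute urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID Shib-SwissEP-UniqueID uniqueID
"""

def parse_attribute_map(conf):
    """Map each 'require' alias to (attribute URI, exported HTTP header)."""
    amap = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ShibMapAttribute":
            _, uri, header, alias = parts
            amap[alias] = (uri, header)
    return amap

def check_require(rule, session, amap):
    """Evaluate one 'require' line (Shibboleth 1.0 syntax) against a session.

    session is None when no Shibboleth session exists, otherwise a dict
    {attribute URI: [asserted values]}.  The '~' form is modelled as an
    unanchored regex search (an assumption of this model), which is why the
    rules on this page anchor their patterns with ^ and $.
    """
    if session is None:
        return False
    parts = rule.split()
    if parts[0] == "valid-user":           # any authenticated session passes
        return True
    if parts[0] not in amap:               # alias never mapped: can never grant
        return False
    uri, _header = amap[parts[0]]
    values = session.get(uri, [])
    if len(parts) == 3 and parts[1] == "~":
        pattern = re.compile(parts[2])
        return any(pattern.search(v) for v in values)
    return any(v in parts[1:] for v in values)   # exact match on a value list

if __name__ == "__main__":
    amap = parse_attribute_map(HTTPD_CONF)
    staff = {"urn:mace:dir:attribute-def:eduPersonAffiliation": ["staff"],
             "urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID": ["3141592@domain.ch"]}
    other = {"urn:mace:dir:attribute-def:eduPersonAffiliation": ["nonstaff"]}
    for rule in ("valid-user", "affiliation ~ ^staff$", "affiliation ~ staff",
                 "uniqueID 3141592@domain.ch"):
        print(f"{rule:28} staff={check_require(rule, staff, amap)!s:5} "
              f"other={check_require(rule, other, amap)}")
```

The unanchored rule "affiliation ~ staff" also admits the constructed value "nonstaff", while the page's anchored "^staff$" does not; an alias with no ShibMapAttribute line never grants access.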