Configuring Shibboleth 1.1 target side on
Debian GNU/Linux testing/i386 (sarge)
-----------------------------------------

* location: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/
*           [where you also find sample config files]
* authors:  Thomas Lenggenhager & Urs Marti, SWITCH
* contact:  aai@switch.ch
* version:  2.4 - 20030813

* This guide is only an addition to the original Shibboleth 1.1
* Target-Deployment Guide which you should read first.
* References to that original guide are marked as
*    (see TARG-chapter#)


PHP4 (see TARG-3.a)
----
PHP4 interoperates without problems under Debian, since the Debian
package 'php4' includes neither 'pspell' nor 'xslt-sablot'.


/etc/init.d/apache (see TARG-3.c)
------------------
A modified Apache init script for Debian, which also starts and shuts
down the shar process, can be found in the sample file
init.d-apache-debian


/etc/apache/httpd.conf (see TARG-3.c, TARG-4.d, TARG-5.a)
--------------------------
# this is just an extract of an Apache 1.3.x httpd.conf file with
# the special things required for SWITCHaai integration.

LoadModule shibrm_module /usr/local/libexec/mod_shibrm.so
LoadModule shire_module /usr/local/libexec/mod_shire.so

SHIREConfig /usr/local/etc/shibboleth/shibboleth.ini
SHIREURL /shibboleth/SHIRE

<Location /shibboleth/SHIRE>
  SetHandler shib-shire-post
</Location>

# some sample authorization restrictions derived from the SWITCHaai demo server
#
<Location /restricted>
  AuthType shibboleth
  ShibExportAssertion On
  require uniqueID 3141592@domain.ch
</Location>

<Location /secure>
  AuthType shibboleth
  ShibExportAssertion On
  require valid-user
</Location>

<Location /staff>
  AuthType shibboleth
  ShibExportAssertion On
  require affiliation ~ ^staff$
</Location>

<Location /student>
  AuthType shibboleth
  ShibExportAssertion On
  require affiliation ~ ^student$
</Location>
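As an added illustration (not code from this guide or from Shibboleth), the following Python models how the require lines above decide access for a session: 'valid-user' accepts any authenticated session, a plain value must equal one of the attribute's values, and '~' compares a regular expression against each value of a multi-valued attribute. Assumptions: the regex is applied with search semantics and several require lines are OR'd as in Apache; the sessions STAFF, STUDENT and ALUMNUS are constructed.

```python
import re

# Constructed model of how the "require" lines in the httpd.conf extract above
# decide access; an assumption for illustration, not mod_shibrm's own code.
# Supported forms: "valid-user", "<attr> <value>" (exact match against any
# value of a multi-valued attribute) and "<attr> ~ <regex>" (regex match).

def parse_require(line):
    """Parse one 'require ...' line into (attr, is_regex, value)."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "require":
        raise ValueError("not a require line: %r" % line)
    spec = parts[1].strip()
    if spec == "valid-user":
        return ("valid-user", False, None)
    attr, _, rest = spec.partition(" ")
    rest = rest.strip()
    if not rest:
        raise ValueError("require %s needs a value" % attr)
    if rest.startswith("~"):
        return (attr, True, rest[1:].strip())
    return (attr, False, rest)

def rule_allows(rule, attributes):
    """attributes: {attribute name: [values]} released for the current session."""
    attr, is_regex, value = rule
    if attr == "valid-user":          # any authenticated session passes
        return True
    for v in attributes.get(attr, []):
        # Modelled with search semantics: that is why the page anchors ^staff$.
        if (re.search(value, v) if is_regex else v == value):
            return True
    return False

def location_allows(require_lines, attributes):
    """Apache-style 'require': any one satisfied line grants access."""
    return any(rule_allows(parse_require(l), attributes) for l in require_lines)

# Constructed sample sessions, each with a multi-valued affiliation attribute.
STAFF = {"uniqueID": ["3141592@domain.ch"], "affiliation": ["staff", "member"]}
STUDENT = {"uniqueID": ["2718281@domain.ch"], "affiliation": ["student", "member"]}
ALUMNUS = {"uniqueID": ["1414213@domain.ch"], "affiliation": ["staff-emeritus"]}

if __name__ == "__main__":
    for path, rules in {"/staff": ["require affiliation ~ ^staff$"],
                        "/student": ["require affiliation ~ ^student$"],
                        "/restricted": ["require uniqueID 3141592@domain.ch"]}.items():
        print(path, [location_allows(rules, s) for s in (STAFF, STUDENT, ALUMNUS)])
```

The ALUMNUS session shows why the anchors matter: an unanchored 'require affiliation ~ staff' would also admit 'staff-emeritus'.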


/usr/local/etc/shibboleth/shar.logger
-------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shar.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n


/usr/local/etc/shibboleth/shire.logger
--------------------------------------
log4j.rootCategory=DEBUG, syslog
log4j.appender.syslog=org.apache.log4j.RollingFileAppender
log4j.appender.syslog.fileName=/var/log/shibboleth/shire.log
log4j.appender.syslog.maxFileSize=1000000
log4j.appender.syslog.maxBackupIndex=10
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n


/var/log/shibboleth
-------------------
Make the directory for the shar and shire logfiles:
$ su
Password
# mkdir /var/log/shibboleth
# exit

Make sure that /var/log/shibboleth/shire.log is writable for the
web server, since SHIRE is an Apache module and runs with the web
server privileges.


/usr/local/etc/shibboleth/shibboleth.ini (see TARG-4)
----------------------------------------
[general]
logger=/usr/local/etc/shibboleth/shibboleth.logger
schemadir=/usr/local/etc/shibboleth
sharsocket=/tmp/shar-socket

# SERVER CONFIGURATION

# Optional, may also be set per-server (or per-directory in Apache)
#normalizeRequest = true
#checkIPAddress = false
#contentSSLOnly = false
#exportAssertion = false
# These timeouts apply to session validity at the target for IIS
# Apache session control is per-directory with Apache commands
#authLifetime = 7200
#authTimeout = 3600

supportContact=target-support@domain.ch
logoLocation=/logo.gif

# Mandatory
wayfURL = https://wayf1.switch.ch/SWITCHaai/WAYF
cookieName = shib-cookie
shireSSLOnly = false
shireError=/usr/local/etc/shibboleth/shireError.html
rmError=/usr/local/etc/shibboleth/rmError.html
accessError=/usr/local/etc/shibboleth/accessError.html

# Mandatory for IIS, set for Apache with SHIREURL command
#shireURL = /Shibboleth.shire

[shire]
logger=/usr/local/etc/shibboleth/shire.logger
metadata=metadata_shire

[shar]
logger=/usr/local/etc/shibboleth/shar.logger
# If using a TCP-based SHAR, space delimit the allowed client IPs
#sharacl = 127.0.0.1
metadata=metadata_shar

# Should provide a key-pair and certificate
# Can use mod_ssl's server.crt/server.key if you set file permissions
certfile=/etc/apache/ssl.crt/serverKey.crt
keyfile=/etc/apache/ssl.key/serverKey.key
#keypass=
calist=/etc/apache/ssl.crt/ca-bundle.crt

# Controls timeouts for AA queries (in seconds)
AATimeout=60
AAConnectTimeout=30

# The following shar items are session caching parameters
# The default cache now uses a MySQL embedded database
cacheType=memory
#cacheType=mysql
# how often to run the cache cleanup thread (in seconds)
cacheClean=300
# These timeouts apply to session caching, irrespective of validity
# Sessions can be deleted before they expire, so these should usually
# be at least as long as session policy itself.
cacheTimeout=3600
#mysql-cache-timeout = 14400

# Only needed if the MySQL cache plugin is used.
[extensions:saml]
#mysql = /usr/local/libexec/shib-mysql-ccache.so

# Arguments for the MySQL embedded database
# Make sure the datadir exists.
[mysql]
#arg1 = --language=/opt/shibboleth/share/english
#arg2 = --datadir=/opt/shibboleth/data

[metadata_shire]
edu.internet2.middleware.shibboleth.metadata.XML=/usr/local/etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.target.AAP.XML=/usr/local/etc/shibboleth/AAP.xml

[metadata_shar]
edu.internet2.middleware.shibboleth.metadata.XML=/usr/local/etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.trust.XML=/usr/local/etc/shibboleth/trust.xml
edu.internet2.middleware.shibboleth.target.AAP.XML=/usr/local/etc/shibboleth/AAP.xml

[isapi]
# When using the ISAPI filter version, map IIS Instance IDs to server names.
#
#1=my.server.name

[policies]
# This is a sample policy URI used by the InCommon pilot origins.
# You can filter incoming users at a high level by listing the policies to allow.
# InQueue=urn:mace:inqueue
SWITCHaai=urn:mace:switch.ch:SWITCHaai:pilot

# To define per-server or per-vhost settings, create a section
# for the server's hostname and set or override configuration.
#[my.server.name]
#normalizeRequest = true
#checkIPAddress = false
#contentSSLOnly = false
#authLifetime = 7200
#authTimeout = 3600
#exportAssertion = false
# For IIS, determine what content to protect by specifying strings
# to match against the request path. Separate matches with semicolons.
#mustContain = /secure/;/protected/
# list of attributes to request for server "my.server.name"
# requests everything if this doesn't exist or is empty
#requestAttributes =
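An added check (not part of Shibboleth or of the SWITCH sample files) that can be run against the shibboleth.ini above: it parses the file, verifies that the [shar] certfile, keyfile and calist exist, flags a private key that is group- or world-accessible, and flags shireSSLOnly set to anything but true. The cut-down ini and the credential files it writes to a temporary directory are constructed for the demonstration.

```python
import configparser, os, stat, tempfile

# Added checker for a Shibboleth 1.1 shibboleth.ini (not Shibboleth's own code):
# reports [shar] credential files that are missing, a private key readable by
# others, and a SHIRE that accepts the assertion POST over plain HTTP.

def load_ini(path):
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str                       # keep key case, e.g. shireSSLOnly
    cp.read(path)
    return cp

def check_ini(path):
    cp, findings = load_ini(path), []
    shar = cp["shar"] if cp.has_section("shar") else {}
    for key in ("certfile", "keyfile", "calist"):
        value = shar.get(key)
        if not value:
            findings.append("[shar] %s is not set" % key)
        elif not os.path.isfile(value):
            findings.append("[shar] %s points to missing file %s" % (key, value))
    keyfile = shar.get("keyfile")
    if keyfile and os.path.isfile(keyfile):
        mode = stat.S_IMODE(os.stat(keyfile).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # only the SHAR needs this key
            findings.append("[shar] keyfile %s is group/world accessible (mode %o)" % (keyfile, mode))
    general = cp["general"] if cp.has_section("general") else {}
    if general.get("shireSSLOnly", "false").strip().lower() != "true":
        findings.append("[general] shireSSLOnly is not true: SHIRE POST accepted over plain HTTP")
    return findings

# Constructed sample: a cut-down ini plus the credential files it references,
# written to a temporary directory so the checker runs offline.
SAMPLE_INI = "[general]\nshireSSLOnly = false\n[shar]\ncertfile=%(d)s/serverKey.crt\n" \
             "keyfile=%(d)s/serverKey.key\ncalist=%(d)s/ca-bundle.crt\n"

def run_sample():
    d = tempfile.mkdtemp()
    for name in ("serverKey.crt", "serverKey.key"):   # ca-bundle.crt left missing on purpose
        open(os.path.join(d, name), "w").close()
    key, ini = os.path.join(d, "serverKey.key"), os.path.join(d, "shibboleth.ini")
    with open(ini, "w") as f:
        f.write(SAMPLE_INI % {"d": d})
    os.chmod(key, 0o644)
    before = check_ini(ini)        # three findings: calist, key mode, shireSSLOnly
    os.chmod(key, 0o600)           # least privilege for the private key
    after = check_ini(ini)         # key-mode finding gone, the other two remain
    return before, after
```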


AAP.xml (see TARG-4.e)
-------
The sample AAP.xml contains all attributes defined in the 'Authorization
Attribute Specification'. You can find the full file at
   http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/target/AAP.xml


siterefresh (see TARG-4.g)
-----------
$ /usr/local/bin/siterefresh --out sites.xml \
--url http://wayf1.switch.ch/SWITCHaai/sites.xml \
--cert /etc/apache/ssl.crt/ca-bundle.crt

However, siterefresh didn't work in my environment yet.
Alternatively, run regularly:
$ wget https://wayf1.switch.ch/SWITCHaai/sites.xml
$ wget https://wayf1.switch.ch/SWITCHaai/trust.xml