Author: Valery Tschopp <tschopp@switch.ch> - SWITCH
$Date: 2005/04/22 15:40:44 $
$Revision: 1.3 $
This document shows you how to set up a Shibboleth Target 1.2.1a within the SWITCHaai Federation on a Windows 2003 Server running Oracle AS 10g HTTP Server (Apache). It complements the "Shibboleth Target Deployment Guide" of Internet2.
Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of our website.
Please make sure you have the following things ready:
Execute the Windows Installer shibboleth-1.2.1a-win32.exe and follow the instructions
Note: In the following, we assume you have installed Shibboleth in D:\shibboleth\. If you have not, you will have to adapt the configuration file accordingly.
When you are done with the installation program, unzip the special Oracle AS 10g package shibboleth-1.2.1a-win32-oracle-as10g.zip into the Shibboleth install directory D:\shibboleth.
The zip file contains Shibboleth components recompiled against the Oracle AS 10g HTTP Server. The following files are installed or overwritten:
Using the Oracle Enterprise Manager, modify the Process Management configuration to add the directory D:\shibboleth\lib to the PATH variable of the Oracle HTTP Server, so that the Shibboleth DLLs can be found when Apache loads the module.
The Process Management configuration is stored in the file opmn.xml.
Add the <environment> XML block to the HTTP_Server <ias-component> entity as shown below (append="true" extends the existing PATH instead of replacing it):
...
<ias-component id="HTTP_Server">
    <environment>
        <variable id="PATH" value="D:\shibboleth\lib" append="true"/>
    </environment>
    <process-type id="HTTP_Server" module-id="OHS">
        <module-data>
            <category id="start-parameters">
                <data id="start-mode" value="ssl-enabled"/>
            </category>
        </module-data>
        <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
</ias-component>
...
Then apply the change; the Oracle Process Manager service is restarted so that the new PATH takes effect.
Configure the Shibboleth Target for your specific host. The main configuration file is D:\shibboleth\etc\shibboleth\shibboleth.xml.
Set the providerId of the <Applications> element to the identifier of your Target within the federation. Replace {HOSTNAME} with the fully qualified domain name of your server:
<Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" id="default" providerId="urn:mace:switch.ch:SWITCHaai:pilot:{HOSTNAME}">
Check the <Sessions> XML element for the correct wayfURL. Leave shireSSL="true" (the SHIRE only accepts the assertion POST over SSL) and checkAddress="true" (the session is bound to the client address) as shown:
<Sessions lifetime="7200" timeout="3600" checkAddress="true" wayfURL="https://wayf1.switch.ch/SWITCHaai/WAYF" shireURL="/Shibboleth.shire" shireSSL="true"/>
Set the error pages and the support contact for your site in the <Errors> element:
<Errors shire="D:/shibboleth/etc/shibboleth/shireError.html" rm="D:/shibboleth/etc/shibboleth/rmError.html" access="D:/shibboleth/etc/shibboleth/accessError.html" supportContact="support@epfl.ch" logoLocation="/logo.gif" styleSheet="/styles.css"/>
Set the correct credential private key and certificate for this server. Replace {HOSTNAME} with the fully qualified domain name of your server (the same as the certificate Common Name CN):
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="SWITCHpki">
        <Key format="PEM">
            <Path>D:/shibboleth/etc/shibboleth/{HOSTNAME}.key</Path>
        </Key>
        <Certificate format="PEM">
            <Path>D:/shibboleth/etc/shibboleth/{HOSTNAME}.crt</Path>
        </Certificate>
    </FileResolver>
</Credentials>
Edit the Apache server configuration file httpd.conf and add the lines below at the end of it. The ServerName directive should match your hostname.
...
ServerName {HOSTNAME}
...
##
# Shibboleth Target 1.2.1a
##
Include "D:\shibboleth\etc\shibboleth\apache_shibboleth.conf"
Then apply the change and restart the HTTP server.
This Shibboleth configuration file apache_shibboleth.conf defines an Apache protected Location as follows (any request below /aai requires a valid Shibboleth session):
<Location /aai>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
    AllowOverride None
</Location>
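The three edits above (opmn.xml, shibboleth.xml, httpd.conf) are easy to get subtly wrong: a {HOSTNAME} left in place, the lib directory not appended to PATH, or shireSSL turned off leaves the Target broken or weaker than intended. The script below is an added example, not part of this guide or of Shibboleth itself: it parses the three files and reports those mistakes. The sample texts, the host name target.example.ch and the ShibbolethTargetConfig wrapper element are constructed for the example; the element and attribute names are the ones shown in the guide.

```python
"""Sanity-check the opmn.xml, shibboleth.xml and httpd.conf edits of the guide.

Added example (not SWITCH or Shibboleth code).  Sample inputs below are
constructed; the hostname target.example.ch is an assumption.
"""
import re
import xml.etree.ElementTree as ET

SHIB_LIB = r"D:\shibboleth\lib"
SHIB_CONF = r"D:\shibboleth\etc\shibboleth\apache_shibboleth.conf"


def parse_no_ns(xml_text):
    """Parse XML and strip namespace URIs from tag names, so the searches
    below work whether or not the real file declares a default xmlns."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def check_opmn(xml_text, lib_dir=SHIB_LIB):
    """Problems with the <environment> block of the HTTP_Server component."""
    comp = parse_no_ns(xml_text).find(".//ias-component[@id='HTTP_Server']")
    if comp is None:
        return ['no <ias-component id="HTTP_Server"> found']
    var = comp.find("environment/variable[@id='PATH']")
    if var is None:
        return ["HTTP_Server has no PATH variable: Apache cannot load the Shibboleth DLLs"]
    problems = []
    if lib_dir.lower() not in var.get("value", "").lower():
        problems.append("PATH value does not contain %s" % lib_dir)
    if var.get("append", "").lower() != "true":
        problems.append('append="true" missing: the PATH would be replaced, not extended')
    return problems


def check_shibboleth(xml_text, hostname):
    """Problems with the host-specific parts of shibboleth.xml."""
    problems = []
    if "{HOSTNAME}" in xml_text:
        problems.append("{HOSTNAME} placeholder still present")
    root = parse_no_ns(xml_text)
    app = root.find(".//Applications")
    if app is None or not app.get("providerId", "").endswith(":" + hostname):
        problems.append("providerId does not end with :%s" % hostname)
    sess = root.find(".//Sessions")
    if sess is None:
        problems.append("no <Sessions> element")
    else:
        if sess.get("shireSSL") != "true":
            problems.append("shireSSL is not true: the SHIRE would accept the assertion POST over plain HTTP")
        if sess.get("checkAddress") != "true":
            problems.append("checkAddress is not true: a session is not bound to the client address")
        if not sess.get("wayfURL", "").startswith("https://"):
            problems.append("wayfURL is not https")
    err = root.find(".//Errors")
    if err is None or "@" not in err.get("supportContact", ""):
        problems.append("supportContact missing from <Errors>")
    for kind in ("Key", "Certificate"):  # the files must be the ones issued for this host
        node = root.find(".//FileResolver/%s/Path" % kind)
        name = "" if node is None or node.text is None else node.text.replace("\\", "/").rsplit("/", 1)[-1]
        if not name.startswith(hostname + "."):
            problems.append("%s file %r is not the one for %s" % (kind, name, hostname))
    return problems


def check_httpd(conf_text, hostname, shib_conf=SHIB_CONF):
    """Problems with the ServerName and Include lines of httpd.conf."""
    problems = []
    m = re.search(r"^\s*ServerName\s+(\S+)", conf_text, re.M)
    if m is None or m.group(1).lower() != hostname.lower():
        problems.append("ServerName is not %s" % hostname)
    includes = re.findall(r'^\s*Include\s+"?([^"\r\n]+?)"?\s*$', conf_text, re.M)
    if shib_conf.lower() not in [p.lower() for p in includes]:
        problems.append("apache_shibboleth.conf is not Included")
    return problems


HOST = "target.example.ch"  # constructed hostname

OPMN_OK = r"""<opmn xmlns="http://www.oracle.com/ias-instance">
 <ias-component id="HTTP_Server">
  <environment><variable id="PATH" value="D:\shibboleth\lib" append="true"/></environment>
  <process-type id="HTTP_Server" module-id="OHS"/>
 </ias-component>
</opmn>"""
OPMN_BAD = OPMN_OK.replace(' append="true"', "")

SHIB_OK = r"""<ShibbolethTargetConfig xmlns="urn:mace:shibboleth:target:config:1.0">
 <Applications id="default" providerId="urn:mace:switch.ch:SWITCHaai:pilot:target.example.ch">
  <Sessions lifetime="7200" timeout="3600" checkAddress="true"
            wayfURL="https://wayf1.switch.ch/SWITCHaai/WAYF" shireURL="/Shibboleth.shire" shireSSL="true"/>
  <Errors supportContact="support@example.ch"/>
 </Applications>
 <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
  <FileResolver Id="SWITCHpki">
   <Key format="PEM"><Path>D:/shibboleth/etc/shibboleth/target.example.ch.key</Path></Key>
   <Certificate format="PEM"><Path>D:/shibboleth/etc/shibboleth/target.example.ch.crt</Path></Certificate>
  </FileResolver>
 </Credentials>
</ShibbolethTargetConfig>"""
SHIB_BAD = SHIB_OK.replace("target.example.ch", "{HOSTNAME}").replace('shireSSL="true"', 'shireSSL="false"')

HTTPD_OK = r"""ServerName target.example.ch
##
# Shibboleth Target 1.2.1a
##
Include "D:\shibboleth\etc\shibboleth\apache_shibboleth.conf"
"""

if __name__ == "__main__":
    for name, problems in (("opmn.xml", check_opmn(OPMN_OK)),
                           ("opmn.xml (bad)", check_opmn(OPMN_BAD)),
                           ("shibboleth.xml", check_shibboleth(SHIB_OK, HOST)),
                           ("shibboleth.xml (bad)", check_shibboleth(SHIB_BAD, HOST)),
                           ("httpd.conf", check_httpd(HTTPD_OK, HOST))):
        print("%-22s %s" % (name, "OK" if not problems else "; ".join(problems)))
```

Run it against the real files by reading them with open() in place of the constructed samples; the namespace stripping in parse_no_ns is what lets the same searches work on the real opmn.xml and shibboleth.xml, which both declare a default xmlns.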