URL: https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.4/sp/deployment/
Author: Lukas Hämmerle - SWITCH
$Date: 2012-07-30 11:07:13 +0200 (Mo, 30 Jul 2012) $ $Revision: 1858 $
This guide describes the installation and configuration of a Shibboleth Service Provider (SP) 2.4.3, built from sources, on a Debian GNU/Linux 6.0 system. It covers the installation of the Shibboleth web server module as well as the Shibboleth daemon, and their configuration for the SWITCHaai or AAI Test federation.
For further information about the Shibboleth Service Provider, please have a look at the references.
openssl and not gnutls.
In order to make the configuration easier and more convenient, we kindly ask you to provide some information about your environment. This allows auto-generating and custom-tailoring some of the configuration files.
If you are in a hurry and know the whole setup process, you can download all relevant configuration files directly here:
export MYBUILD=~/shibsp2.4.3-build
mkdir $MYBUILD
wget http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.4.tar.gz -P $MYBUILD
wget http://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-1.4.2.tar.gz -P $MYBUILD
wget http://shibboleth.net/downloads/c++-opensaml/latest/opensaml-2.4.3.tar.gz -P $MYBUILD
wget http://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-2.4.3.tar.gz -P $MYBUILD
wget http://mirror.switch.ch/mirror/apache/dist/santuario/c-library/xml-security-c-1.6.1.tar.gz -P $MYBUILD
for f in $MYBUILD/*.tar.gz; do tar -xzvf $f -C $MYBUILD; done
Set SHIB_HOME, adjusting it if the target directory is somewhere else:
export SHIB_HOME=/opt/shibboleth-sp-2.4.3
sudo mkdir $SHIB_HOME
cd $MYBUILD/log4shib-1.0.4/
./configure --prefix=$SHIB_HOME --disable-static --disable-doxygen
make
sudo make install

cd $MYBUILD/xml-security-c-1.6.1/
./configure --prefix=$SHIB_HOME
make
sudo make install

cd $MYBUILD/xmltooling-1.4.2/
./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME --with-xmlsec=$SHIB_HOME -C
make
sudo make install

cd $MYBUILD/opensaml-2.4.3/
./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME -C
make
sudo make install

cd $MYBUILD/shibboleth-2.4.3/
./configure --prefix=$SHIB_HOME --enable-apache-22 \
    --with-log4shib=$SHIB_HOME --with-xmltooling=$SHIB_HOME --with-saml=$SHIB_HOME -C
make
sudo make install
Create the version-independent link /opt/shibboleth-sp, which the init script, the Apache environment and the remaining commands in this guide refer to, replacing any link left over from a previous installation:
if [ -L /opt/shibboleth-sp ]; then sudo rm /opt/shibboleth-sp; fi
sudo ln -sf $SHIB_HOME /opt/shibboleth-sp
Add the Shibboleth library path to the Apache environment file /etc/apache2/envvars (the file generated from envvars-std.in), so that the web server module finds the libraries installed under /opt/shibboleth-sp:
...
# This file is generated from envvars-std.in
#
export LD_LIBRARY_PATH=/opt/shibboleth-sp/lib
...
sudo a2enmod shib
sudo cp $SHIB_HOME/etc/shibboleth/shibd-debian /etc/init.d/shibd
Adjust the init script:
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Shibboleth 2 daemon"
NAME=shibd
SHIB_HOME=/opt/shibboleth-sp
SHIBSP_CONFIG=/etc/shibboleth/shibboleth2.xml
LD_LIBRARY_PATH=$SHIB_HOME/lib
DAEMON=$SHIB_HOME/sbin/shibd
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=/var/run/$NAME.pid
...
Install the init script:
sudo chmod +x /etc/init.d/shibd
sudo update-rc.d shibd defaults
sudo mkdir /etc/shibboleth/
sudo cp $SHIB_HOME/etc/shibboleth/protocols.xml /etc/shibboleth/
sudo cp $SHIB_HOME/etc/shibboleth/security-policy.xml /etc/shibboleth/
sudo cp $SHIB_HOME/etc/shibboleth/native.logger /etc/shibboleth/
sudo cp $SHIB_HOME/etc/shibboleth/shibd.logger /etc/shibboleth/
sudo cp $SHIB_HOME/etc/shibboleth/syslog.logger /etc/shibboleth/

sudo mkdir -p /var/log/shibboleth/
sudo touch /var/log/shibboleth/shibd.log
sudo touch /var/log/shibboleth/native.log
sudo touch /var/log/shibboleth/native_warn.log
sudo chgrp www-data /var/log/shibboleth/native.log
sudo chmod g+w /var/log/shibboleth/native.log
sudo chgrp www-data /var/log/shibboleth/native_warn.log
sudo chmod g+w /var/log/shibboleth/native_warn.log
For creating a self signed certificate follow these steps:
cd /etc/shibboleth/
sudo sh $SHIB_HOME/etc/shibboleth/keygen.sh -h sp.example.org -y 3 -e https://sp.example.org/shibboleth
The Shibboleth Apache module log is configured by /etc/shibboleth/native.logger:
...
log4j.appender.native_log.fileName=/var/log/shibboleth/native.log
...
log4j.appender.warn_log.fileName=/var/log/shibboleth/native_warn.log
...
The Shibboleth daemon log (shibd.log) and the transaction log (transaction.log) are configured in the file /etc/shibboleth/shibd.logger:
...
log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
...
log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
...
log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
...
log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
...
sudo wget -nc https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.4/sp/deployment/download/attribute-map.xml -P /etc/shibboleth/
sudo wget -nc https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.4/sp/deployment/download/attribute-policy.xml -P /etc/shibboleth/
sudo wget http://ca.aai.switch.ch/SWITCHaaiRootCA.crt.pem -P /etc/shibboleth/
Compare the certificate fingerprint with the fingerprint of the SWITCHaai Root CA certificate shown on https://www.switch.ch/pki/aai/:
openssl x509 -in /etc/shibboleth/SWITCHaaiRootCA.crt.pem -fingerprint -sha1 -noout
SHA1 Fingerprint=3C:E2:5A:E0:9D:B4:BB:2B:FD:33:3C:22:80:39:F7:FC:4A:F9:2C:E9
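The fingerprint comparison above is the step that turns a file fetched over plain HTTP into a trust anchor, so it is worth scripting rather than eyeballing. The following is an added example, not part of the SWITCH guide: it computes the SHA-1 fingerprint of a PEM certificate the same way `openssl x509 -fingerprint -sha1` does (SHA-1 over the DER bytes, i.e. over the base64-decoded PEM body) using only coreutils, and compares it with a value published out of band. The function names and the constructed test certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the guide's code): verify a downloaded CA certificate
# against a fingerprint published out of band before trusting it.
# Assumes awk, base64, sha1sum and sed are available (coreutils); openssl
# is not required.

# Print the SHA-1 fingerprint of the first certificate in a PEM file in the
# colon-separated upper-case form openssl prints and the SWITCH PKI page shows.
pem_sha1_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/{f=1;next} /-----END CERTIFICATE-----/{exit} f' "$1" \
        | tr -d '\r' \
        | base64 -d \
        | sha1sum | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Compare a file's fingerprint with the expected one. Colons and letter case
# are normalised so a value pasted from a web page compares correctly.
# Returns 0 on match and 1 on mismatch or unreadable input; on 1 the caller
# should delete the file instead of installing it.
verify_fingerprint() {
    file="$1"
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    actual=$(pem_sha1_fingerprint "$file" | tr -d ':')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $2"
        return 0
    fi
    echo "MISMATCH: $file has ${actual:-<no certificate>}, expected $expected" >&2
    return 1
}

# Usage with the guide's file and the fingerprint quoted in the guide:
#   verify_fingerprint /etc/shibboleth/SWITCHaaiRootCA.crt.pem \
#       3C:E2:5A:E0:9D:B4:BB:2B:FD:33:3C:22:80:39:F7:FC:4A:F9:2C:E9 \
#       || sudo rm /etc/shibboleth/SWITCHaaiRootCA.crt.pem
```

Run the check immediately after the wget so that a tampered or truncated download never stays in /etc/shibboleth; the fingerprint must come from a source independent of the download path, which is why the guide points at the HTTPS PKI page rather than the certificate file itself.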
According to the convention, the entityID should have the form of a URL. If the entityID is used as a URL (https://sp.example.org/shibboleth), this URL should return an entity's metadata. In order for this to work, the web server must be configured accordingly.
<VirtualHost sp.example.org:443>
...
Redirect seeother /shibboleth https://sp.example.org/Shibboleth.sso/Metadata
</VirtualHost>
Make sure to set all the SSLCertificateFile directives to the right ones.
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo /opt/shibboleth-sp/sbin/shibd -t -c /etc/shibboleth/shibboleth2.xml
sudo /etc/init.d/shibd start
sudo apache2ctl configtest
sudo apache2ctl restart
In order to activate the Service Provider within the federation, it is necessary to register it with the Resource Registry. After this procedure, the metadata of this Service Provider will be included in the federation metadata, so all AAI components will learn about this new Service Provider.
The purpose of the Resource Registry is to have an up-to-date list of all Identity Providers and Service Providers in the SWITCHaai Federation, from which the federation metadata and various configuration files are generated (see the information about the Resource Registry).
<VirtualHost sp.example.org:443>
...
<Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>
</VirtualHost>
sudo apache2ctl restart
After restarting Apache, try to access https://sp.example.org/secure/. This directory is protected by Shibboleth in the above configuration, even if the directory does not exist. When accessing this URL, authentication should be initiated and you should be redirected either to the WAYF or to an Identity Provider.
Upon successful authentication, an HTTP 404 error (File not found) might be returned, because there might be no directory /secure in the web server root directory.
Anyway, if you can access https://sp.example.org/Shibboleth.sso/Session and get back information about the session like the issuer (IdP) and the released attributes, this is a good test that the Service Provider was set up successfully.
<html><body><pre>
<?php echo htmlspecialchars(print_r($_SERVER, true)); ?>
</pre></body></html>
This PHP script has to be placed in a Shibboleth protected directory (e.g. /secure from above). If successfully authenticated and authorized, you should see some environment variables that contain your user attributes. The attribute values are user-supplied data from the perspective of the web server, so the script escapes them with htmlspecialchars before printing them into the page.
If some of the above tests are unsuccessful, we recommend the following procedure:
1. Check the log files /var/log/shibboleth/native.log (path defined in log4j.appender.native_log.fileName, set in /etc/shibboleth/native.logger) and /var/log/shibboleth/shibd.log (path defined in log4j.appender.shibd_log.fileName, set in /etc/shibboleth/shibd.logger) for WARN and ERROR messages.
2. If the messages are not conclusive, set the log level (log4j.rootCategory) of /etc/shibboleth/native.logger and /etc/shibboleth/shibd.logger to DEBUG, restart shibd and Apache so the new level takes effect, and repeat the test. Afterwards, set the level back to WARN or INFO to prevent your log files from growing too big.
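The two troubleshooting steps, scripted, as an added example that is not part of the SWITCH guide: one function lists the WARN and ERROR lines of a Shibboleth log, another raises or lowers log4j.rootCategory in a logger file. It assumes the default log4shib layout, in which the level is the third whitespace-separated field of each line (date, time, level, category), and the `log4j.rootCategory=LEVEL, appender, ...` line format shown in the guide's logger excerpts. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not the guide's code): triage helpers for the log files and
# logger configuration described in the troubleshooting procedure.
# Assumption: default log4shib layout "%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m",
# so the level is field 3 of each log line.

# Print only WARN and ERROR lines of a Shibboleth log file (native.log or
# shibd.log); INFO and DEBUG noise is dropped so problems stand out.
shib_log_problems() {
    awk '$3 == "WARN" || $3 == "ERROR"' "$1"
}

# Number of WARN/ERROR lines in a log file, printed as a bare integer.
count_log_problems() {
    shib_log_problems "$1" | wc -l | tr -d ' '
}

# Current root log level of a logger file (e.g. /etc/shibboleth/shibd.logger).
get_log_level() {
    sed -n 's/^log4j\.rootCategory=\([A-Za-z]*\).*/\1/p' "$1"
}

# Rewrite log4j.rootCategory in place, keeping the appender list that
# follows the level. Only known log4shib levels are accepted, so a typo
# cannot silently leave the daemon without logging. A temp file plus mv is
# used instead of sed -i for portability between GNU and BSD sed.
set_log_level() {
    cfg="$1"
    level="$2"
    case "$level" in
        DEBUG|INFO|WARN|ERROR|CRIT|FATAL) ;;
        *) echo "unknown log level: $level" >&2; return 1 ;;
    esac
    sed "s/^\(log4j\.rootCategory=\)[A-Za-z]*/\1$level/" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Usage on a real installation (the guide's paths), for the two steps:
#   shib_log_problems /var/log/shibboleth/native.log
#   shib_log_problems /var/log/shibboleth/shibd.log
#   sudo sh -c ". ./this-file.sh; set_log_level /etc/shibboleth/shibd.logger DEBUG"
#   ... reproduce the problem, then go back to WARN or INFO and restart shibd.
```

Switching the level back after debugging matters for more than disk space: DEBUG output from shibd includes decoded assertion contents, so a forgotten DEBUG setting leaves attribute data of every user in a world-unreadable but long-lived log file.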
In case you don't understand or don't find the cause of the error, have a look at the NativeSPTroubleshootingCommonErrors web page.
Some good practices for putting a Service Provider into production:
<Errors session="sessionError.html"
        metadata="metadataError.html"
        access="accessError.html"
        ssl="sslError.html"
        localLogout="localLogout.html"
        globalLogout="globalLogout.html"
        supportContact="aai@example.org"
        logoLocation="https://www.switch.ch/aai/design/images/SWITCHaai.gif"
        styleSheet="https://www.switch.ch/aai/design/shib-error.css"/>
Adjust at minimum the logoLocation and styleSheet. You may want to fully customize the HTML pages.