Guides: Debian GNU/Linux 6.0 from sources Windows with IIS Solaris from sources
URL: https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.4/sp/deployment/solaris-source.html Author: Lukas Hämmerle - SWITCH $Date: 2012-07-30 11:07:13 +0200 (Mo, 30 Jul 2012) $ $Revision: 1858 $
This guide describes the installation and configuration of a
Shibboleth Sevice Provider (SP)
2.4.3 on a Solaris from sources system.
It covers the installation of the Shibboleth web server module as
well as the Shibboleth daemon and their configuration for the SWITCHaai or AAI Test
federation.
For further information about the Shibboleth Sevice Provider, please have a look at the references.
openssl
and not gnutls
.
In order make configuration easier and more convenient we kindly ask you to provide some information about your environment. This allows aut-generating and custom-tailoring some of the configuration files.
If you are in a hurry and know the whole setup process, you can download all relevant configuration files directly here:
SPROcc
and SPROcpl
.
Please follow the instructions on https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSolaris10SourceBuild or listed below.
if [ -L /opt/shibboleth-sp2 ] ; then sudo rm /opt/shibboleth-sp2 ; fi; sudo ln -sf $SHIB_HOME /opt/shibboleth-sp2
# Load the shibboleth module LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_22.so
# Global Configuration # This is the XML file that contains all the global, non-apache-specific # configuration. Look at this file for most of your configuration parameters. ShibConfig /etc/shibboleth/shibboleth2.xml # Used for example logo and style sheet in error templates. <IfModule mod_alias.c> <Location /shibboleth-sp> Allow from all </Location> Alias /shibboleth-sp/main.css /opt/shibboleth-sp/share/doc/shibboleth-2.4.3/main.css Alias /shibboleth-sp/logo.jpg /opt/shibboleth-sp/share/doc/shibboleth-2.4.3/logo.jpg </IfModule>
... ... # This file is generated from envvars-std.in # export LD_LIBRARY_PATH=/opt/shibboleth-sp/lib
sudo a2enmod shib
cp $SHIB_HOME/etc/shibboleth/shibd-debian /etc/init.d/shibdAdjust the init script:
PATH=/sbin:/bin:/usr/sbin:/usr/bin DESC="Shibboleth 2 daemon" NAME=shibd SHIB_HOME=/opt/shibboleth-sp/ SHIBSP_CONFIG=/etc/shibboleth/shibboleth2.xml LD_LIBRARY_PATH=$SHIB_HOME/lib DAEMON=$SHIB_HOME/sbin/shibd SCRIPTNAME=/etc/init.d/$NAME PIDFILE=/var/run/$NAME.pid ...Install the init script:
chmod +x /etc/init.d/shibd cd /etc/init.d ln -s shibd /etc/rcS.d/K28shibd ln -s shibd /etc/rc0.d/K28shibd ln -s shibd /etc/rc1.d/K28shibd ln -s shibd /etc/rc2.d/K28shibd ln -s shibd /etc/rc3.d/S15shibd
mkdir /etc/shibboleth/ cp $SHIB_HOME/etc/shibboleth/native.logger /etc/shibboleth/ cp $SHIB_HOME/etc/shibboleth/shibd.logger /etc/shibboleth/ cp $SHIB_HOME/etc/shibboleth/syslog.logger /etc/shibboleth/
mkdir -p /var/log/shibboleth/ touch /var/log/shibboleth/shibd.log touch /var/log/shibboleth/native.log touch /var/log/shibboleth/native_warn.log chgrp www-data /var/log/shibboleth/native.log chmod g+w /var/log/shibboleth/native.log chgrp www-data /var/log/shibboleth/native_warn.log chmod g+w /var/log/shibboleth/native_warn.log
if [ -L /opt/shibboleth-sp2 ] ; then rm /opt/shibboleth-sp2 ; fi; ln -sf $SHIB_HOME /opt/shibboleth-sp2
For creating a self signed certificate follow these steps:
cd /etc/shibboleth/ sudo sh $SHIB_HOME/etc/shibboleth/keygen.sh -h sp.example.org -y 3 -e https://sp.example.org/shibboleth
The Shibboleth Apache module log is configured by /etc/shibboleth/native.logger:
... log4j.appender.native_log.fileName=/var/log/shibboleth/native.log ... log4j.appender.warn_log.fileName=/var/log/shibboleth/native_warn.log ...
The Shibboleth daemon log (shibd.log) and the transaction log (transaction.log) are configured in the file /etc/shibboleth/shibd.logger:
... log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log ... log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log ... log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log ... log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log ...
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <!-- By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache are used. See example-shibboleth2.xml for samples of explicitly configuring them. --> <!-- The OutOfProcess section contains properties affecting the shibd daemon. --> <OutOfProcess logger="/etc/shibboleth/shibd.logger"/> <!-- The InProcess section contains settings affecting web server modules. Required for IIS, but can be removed when using other web servers. --> <InProcess logger="/etc/shibboleth/native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true"> <!-- Maps IIS Instance ID values to the host scheme/name/port. The name is required so that the proper <Host> in the request map above is found without having to cover every possible DNS/IP combination the user might enter. --> <Site id="1" name="sp.example.org"/> <!-- When the port and scheme are omitted, the HTTP request's port and scheme are used. If these are wrong because of virtualization, they can be explicitly set here to ensure proper redirect generation. --> <!-- <Site id="42" name="virtual.example.org" scheme="https" port="443"/> --> </ISAPI> </InProcess> <!-- To customize behavior for specific resources on Apache, and to link vhosts or resources to ApplicationOverride settings below, use web server options/commands. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help. For more examples of the RequestMap XML syntax instead, see the example-shibboleth2.xml file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic. --> <RequestMapper type="Native"> <RequestMap applicationId="default"> <!-- The example below requires a session for documents in /secure on the containing host with http and https on the default ports. Note that the name and port in the <Host> elements MUST match Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element below. --> <Host name="sp.example.org"> <Path name="secure" authType="shibboleth" requireSession="true"/> </Host> </RequestMap> </RequestMapper> <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> <ApplicationDefaults entityID="https://sp.example.org/shibboleth" homeURL="https://sp.example.org/" REMOTE_USER="uniqueID persistent-id targeted-id" signing="back" requireTransportAuth="false"> <!-- Controls session lifetimes, address checks, cookie handling, and the protocol handlers. You MUST supply an effectively unique handlerURL value for each of your applications. The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing a relative value based on the virtual host. Using handlerSSL="true", the default, will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure" in that case. Note that while we default checkAddress to "false", this has a negative impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled. --> <Sessions lifetime="28800" timeout="3600" checkAddress="false" consistentAddress="true" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure; HttpOnly"> <!-- In order to use a default Identity Provider add an attribute like: entityID="https://idp.example.org/shibboleth" to the SSO element. It's value should be the entityID of the default Identity Provider. --> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.switch.ch/SWITCHaai/WAYF"> SAML2 SAML1 </SSO> <!-- SAML and local-only logout. --> <Logout>SAML2 Local</Logout> <!-- In addition to the standard SessionInitiator it is also possible to define custom SessionInitiators to enforce specific settings. More information is available at: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator --> <!-- <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie" isDefault="true"> <SessionInitiator type="SAML2" acsByIndex="false" acsIndex="1" template="bindingTemplate.html" /> <SessionInitiator type="Shib1" acsIndex="5"/> <SessionInitiator type="SAMLDS" URL="https://wayf.switch.ch/SWITCHaai/WAYF"/> </SessionInitiator> --> <!-- Extension service that generates "approximate" metadata based on SP configuration. --> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> <!-- Status reporting service. --> <!-- Please note that the IP 130.59.138.32 is used by the AAI Resource Registry. By allowing the Resource Registry to periodically access the status handler, it is possible to monitor this Service Provider and to specifically alert administrators in case of configuration or security relevant issues. If you feel uncomfortable with this, set acl="127.0.0.1" --> <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 130.59.138.32"/> <!-- Session diagnostic service. --> <Handler type="Session" Location="/Session" showAttributeValues="false"/> <!-- JSON feed of discovery information. --> <!-- <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> --> </Sessions> <!-- Allows overriding of error template information/filenames. You can also add attributes with values that can be plugged into the templates. --> <Errors supportContact="aai@example.org" logoLocation="https://www.switch.ch/aai/design/images/SWITCHaai.gif" styleSheet="https://www.switch.ch/aai/design/shib-error.css"/> <!-- Example of locally maintained metadata. --> <!-- <MetadataProvider type="XML" file="partner-metadata.xml"/> --> <MetadataProvider type="XML" validate="true" uri="http://metadata.aai.switch.ch/metadata.switchaai.xml" backingFilePath="/etc/shibboleth/metadata.switchaai.xml" reloadInterval="3600"> <MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/> <MetadataFilter type="Signature" verifyName="false"> <TrustEngine type="StaticPKIX" certificate="/etc/shibboleth/SWITCHaaiRootCA.crt.pem" verifyDepth="2" checkRevocation="fullChain"/> </MetadataFilter> </MetadataProvider> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="/etc/shibboleth/attribute-map.xml"/> <!-- Use a SAML query if no attributes are supplied during SSO. --> <AttributeResolver type="Query" subjectMatch="false"/> <!-- Default filtering policy for recognized attributes, lets other data pass. --> <AttributeFilter type="XML" validate="true" reloadChanges="false" path="/etc/shibboleth/attribute-policy.xml"/> <!-- Simple file-based resolver for using a single keypair. --> <CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/> <!-- The default settings can be overridden by creating ApplicationOverride elements (see the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic). Resource requests are mapped by web server commands, or the RequestMapper, to an applicationId setting. Example of a second application (for a second vhost) that has a different entityID. Resources on the vhost would map to an applicationId of "admin": --> <!-- <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> --> </ApplicationDefaults> <!-- Policies that determine how to process and authenticate runtime messages. --> <SecurityPolicyProvider type="XML" validate="true" reloadChanges="false" path="/etc/shibboleth/security-policy.xml"/> <!-- Low-level configuration about protocols and bindings available for use. --> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="/etc/shibboleth/protocols.xml"/> </SPConfig>
sudo wget -nc https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.4/sp/deployment/download/attribute-map.xml \ -P /etc/shibboleth/
sudo wget -nc https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.4/sp/deployment/download/attribute-policy.xml \ -P /etc/shibboleth/
sudo wget http://ca.aai.switch.ch/SWITCHaaiRootCA.crt.pem -P /etc/shibboleth/
Compare the certificate fingerprint with the fingerprint of the SWITCHaai Root CA certificate shown on https://www.switch.ch/pki/aai/:
openssl x509 -in /etc/shibboleth/SWITCHaaiRootCA.crt.pem -fingerprint -sha1 -noout
SHA1 Fingerprint=3C:E2:5A:E0:9D:B4:BB:2B:FD:33:3C:22:80:39:F7:FC:4A:F9:2C:E9
According to the convention, the entityID should have the form of a URL. If the entityID is used as a URL (https://sp.example.org/shibboleth), this URL should return an entity's metadata. In order for this to work, the web server must be configured accordingly.
<VirtualHost sp.example.org:443> ... Redirect seeother /shibboleth https://sp.example.org/Shibboleth.sso/Metadata </VirtualHost>Make sure to set all the SSLCertificateFiles to the right ones.
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo /opt/shibboleth-sp/sbin/shibd -t -c /etc/shibboleth/shibboleth2.xml
sudo /etc/init.d/shibd start
sudo apache2ctl configtest sudo apache2ctl restart
In order to activate the Service Provider within the federation it is necessary to register it with the Resource Registry. After this procedure, the metadata of this Service Provider will be included in the federation metadata. Therefore, all AAI components will learn about this new Service Provider.
The purpose of the Resource Registry is to have an up-to date list of all Identity Providers and Service Providers in the SWITCHaai Federation.
(See the information about the Resource Registry) in order to generate federation metadata and various configuration files.
<VirtualHost sp.example.org:443> ... <Location /secure> AuthType shibboleth ShibRequireSession On require valid-user </Location> </VirtualHost>
sudo apache2ctl restart
After restarting Apache, try to access: https://sp.example.org/secure/. This directory is protected by Shibboleth in the default configuration. Even if the directory does not exist. When accessing this URL the authentication should
be initiated and one should be redirected either to the WAYF
or to an Identity Provider.
Upon successful authentication, a HTTP 404 error
(File not found) might be returned, because there might be no directory /secure in the web server root directory.
Anyway, if you can access
https://sp.example.org/Shibboleth.sso/Session
and get back information about the session like the issuer (IdP) and released
attributes, this is a good test that the Service Provider was set up successfully.
<html><body><pre> <?php print_r($_SERVER); ?> </pre></body></html>This PHP script has to be placed in a Shibboleth protected directory (e.g. /secure from above). If successfully authenticated and authorized, you should see some environment variables that contain your user attributes.
If some of the above tests are unsuccessful, we recommend the following procedure:
log4j.appender.native_log.fileName
defined in log4j.appender.shibd_log.fileName
set in
WARN
and ERROR
messages.
/var/log/shibboleth/native.log
and /var/log/shibboleth/shibd.log
.
log4j.rootCategory
) of /etc/shibboleth/native.logger and
/etc/shibboleth/shibd.logger to DEBUG
. WARN
or INFO
to prevent your log files from growing too big.
In case you don't understand or don't find the cause of the error, have a look at the NativeSPTroubleshootingCommonErrors web page.
Some good practices according Service Provider productionalization:
<Errors session="sessionError.html" metadata="metadataError.html" access="accessError.html" ssl="sslError.html" localLogout="localLogout.html" globalLogout="globalLogout.html" supportContact="aai@example.org" logoLocation="https://www.switch.ch/aai/design/images/SWITCHaai.gif" styleSheet="https://www.switch.ch/aai/design/shib-error.css"/>Adjust at minimum the logoLocation and styleSheet. You may want to fully customize the html pages.
-- $Id: index.php 1858 2012-07-30 09:07:13Z haemmer $