Installation of Shibboleth SP in Ubuntu

Winma Heenatigala
Aug 28, 2018


Configure Apache

When installing Shibboleth SP, first make sure that the Apache web server is installed. If it is not, install it with the following commands.

sudo apt-get update
sudo apt-get install apache2

In my example I am going to change the default Apache service port 80 to 8090. You can skip this step if you want to run Apache on the default port.

Edit the /etc/apache2/ports.conf file.

sudo vi /etc/apache2/ports.conf

Find the line containing the following.

Listen 80

Replace it with the port you want to use. In this example I use port 8090.

Listen 8090

Now save and close the file. Then change the port number in /etc/apache2/sites-enabled/000-default.conf as well.

sudo gedit /etc/apache2/sites-enabled/000-default.conf

Change the port number as follows.

<VirtualHost *:8090>

Restart the Apache server

sudo systemctl restart apache2

Open the browser and navigate to http://localhost:8090

Note: If the above URL does not bring you to the default Apache page, make sure that your /etc/hosts file contains the following entry.

127.0.0.1 localhost

If not, open the file and add it.

sudo gedit /etc/hosts

Now you should get the default Apache server page. :-)

Then enable the Apache ssl module using the following command.

sudo a2enmod ssl

Enable the SSL virtual host.

sudo a2ensite default-ssl.conf

Create a self-signed (SSL) certificate. The two commands below were run together in the original; they are separate commands.

sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Note that default-ssl.conf ships pointing at the Ubuntu snakeoil certificate, so set its SSLCertificateFile and SSLCertificateKeyFile directives to the two files created above if you want Apache to serve this certificate.

Install Shibboleth SP

After configuring Apache, install the Shibboleth SP as an Apache module.

sudo apt-get install libapache2-mod-shib2
sudo a2enmod auth_basic
sudo a2enmod shib2

Now generate the SP key pair and certificate (written to /etc/shibboleth/sp-key.pem and sp-cert.pem) with the following command, and inspect the resulting certificate.

sudo shib-keygen -h localhost

openssl x509 -text -noout -in /etc/shibboleth/sp-cert.pem

Open the shibboleth SP configuration file.

sudo nano /etc/shibboleth/shibboleth2.xml

In the configuration file, under <ApplicationDefaults>, set the entityID. In my example I have used https://localhost/shibboleth

Under <Sessions>, set handlerSSL to true and cookieProps to https.

Under <SSO>, change the entityID to that of your IdP. I have set up a Shibboleth IdP and use https://idp.shibboleth.com/idp/shibboleth

If you have not configured the Shibboleth IdP yet, you can refer to my blog post on installing the IdP from here.

Under the Status <Handler>, add your IP address to the acl attribute so that the /Status page can be reached from it.

Under <Errors>, change supportContact to a valid address.

Include a <MetadataProvider> that loads the IdP metadata, as below.

<MetadataProvider type="XML" file="idp-metadata.xml"/>

Copy the IdP metadata file (idp-metadata.xml) to the /etc/shibboleth directory.

Save and close the shibboleth2.xml file.
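The edits above, applied with a script, as an added example that is not code from the post: it rewrites the settings in shibboleth2.xml with the Python standard library and then checks that the IdP entityID placed in <SSO> actually has an IdP EntityDescriptor in the metadata file copied to /etc/shibboleth, a mismatch being the usual cause of "unable to locate metadata" errors on the first login. The embedded config and metadata are constructed, trimmed stand-ins for the real files, and the admin IP 203.0.113.5 is a placeholder.

```python
# Added example (not from the post): apply the shibboleth2.xml edits above and
# check that the <SSO> entityID is present in the IdP metadata the SP will load.
import xml.etree.ElementTree as ET

SP = "urn:mace:shibboleth:2.0:native:sp:config"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed, trimmed stand-ins for /etc/shibboleth/shibboleth2.xml and idp-metadata.xml.
SAMPLE_SP_CONFIG = f"""<SPConfig xmlns="{SP}">
<ApplicationDefaults entityID="https://sp.example.org/shibboleth">
<Sessions handlerSSL="false" cookieProps="http">
<SSO entityID="https://idp.example.org/idp/shibboleth">SAML2 SAML1</SSO>
<Handler type="Status" Location="/Status" acl="127.0.1.1 ::1"/>
</Sessions>
<Errors supportContact="root@localhost"/>
<AttributeExtractor type="XML" path="attribute-map.xml"/>
</ApplicationDefaults></SPConfig>"""
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.shibboleth.com/idp/shibboleth">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

def configure_sp(xml_text, sp_entity_id, idp_entity_id, admin_ip, contact,
                 metadata_file="idp-metadata.xml"):
    """Return xml_text with the post's edits applied; XML comments are kept."""
    ET.register_namespace("", SP)
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    app = root.find(f"{{{SP}}}ApplicationDefaults")
    app.set("entityID", sp_entity_id)
    sessions = app.find(f"{{{SP}}}Sessions")
    sessions.set("handlerSSL", "true")       # handlers only reachable over https
    sessions.set("cookieProps", "https")     # session cookie sent only over https
    sessions.find(f"{{{SP}}}SSO").set("entityID", idp_entity_id)
    for handler in sessions.findall(f"{{{SP}}}Handler"):
        if handler.get("type") == "Status":  # allow /Status from admin_ip as well
            acl = handler.get("acl", "").split()
            handler.set("acl", " ".join(acl if admin_ip in acl else acl + [admin_ip]))
    errors = app.find(f"{{{SP}}}Errors")
    errors.set("supportContact", contact)
    if not any(p.get("file") == metadata_file for p in app.findall(f"{{{SP}}}MetadataProvider")):
        mp = ET.Element(f"{{{SP}}}MetadataProvider", type="XML", file=metadata_file)
        app.insert(list(app).index(errors) + 1, mp)  # schema order: right after <Errors>
    return ET.tostring(root, encoding="unicode")

def idp_in_metadata(sp_config_text, metadata_text):
    """True if the configured <SSO> entityID has an IdP EntityDescriptor in the metadata."""
    wanted = ET.fromstring(sp_config_text).find(f".//{{{SP}}}SSO").get("entityID")
    for ed in ET.fromstring(metadata_text).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") == wanted and ed.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            return True
    return False
```

Run configure_sp on the real file contents and write the result back, then run idp_in_metadata against the copied idp-metadata.xml before restarting shibd.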

My sample shibboleth2.xml file is shown below.

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

    <!--
    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
    -->

    <!--
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.

    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://localhost/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="https://idp.shibboleth.com/idp/shibboleth"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
                SAML2 SAML1
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.1.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="winma@test"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- IdP metadata copied to /etc/shibboleth, as described above. -->
        <MetadataProvider type="XML" file="idp-metadata.xml"/>

        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
                          backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
        </MetadataProvider>
        -->

        <!-- Example of locally maintained metadata. -->
        <!--
        <MetadataProvider type="XML" file="partner-metadata.xml"/>
        -->

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!--
        The default settings can be overridden by creating ApplicationOverride elements (see
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.

        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Now restart the Shibboleth SP.

sudo service shibd restart

Test the SP

You can test that the SP is running by opening the Status handler in a browser (it is only served to the addresses listed in the Status handler's acl).

https://localhost/Shibboleth.sso/Status

Winma Heenatigala

Undergraduate, CSE @University of Moratuwa, Former Software Engineering Intern @ WSO2