Installation and Configuration - SWITCH
2005 © SWITCH, AAI Resource Workshop, 31.05.2005, Ueli Kienholz, Valéry Tschopp, Patrik Schnellmann
Deployment Guides
HOWTOs and Guides
http://www.switch.ch/aai/howto/
Shibboleth Target Deployment Guides
http://www.switch.ch/aai/targetdeployment.html
Apache Compilation and Installation on Linux (debian stable)
Compilation and Installation on Solaris
Configuration Guide for Linux and Solaris
IIS Deployment Guide for Windows
What you need to get...
Shibboleth Install Package:
http://www.switch.ch/aai/docs/shibboleth/internet2/1.2/
Sample configuration files for SWITCHaai:
http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.2/
SWITCHpki certificate for your Web Server:
http://www.switch.ch/aai/certificates.html
SWITCHaai Settings
shibboleth.switchaai.xml
Identifier in <Applications>
providerId=urn:mace:switch.ch:SWITCHaai:pilot:{HOSTNAME}
SWITCHpki Server Certificate Location in <Credentials>
/etc/apache/ssl.key/{HOSTNAME}.key
/etc/apache/ssl.crt/{HOSTNAME}.crt
Error Pages Customization in <Errors>
supportContact={CONTACT_EMAIL}
HTML pages, logo and stylesheet
SWITCHaai Federation Metadata
{FederationProvider} for sites.switchaai.xml
{TrustProvider} for trust.switchaai.xml
{AAPProvider} for AAP.switchaai.xml
SWITCHaai Settings specific for IIS
IIS specific settings in shibboleth.xml
Protected Web Locations in <RequestMapProvider> (Access Rules Configuration)
IIS Site ID Mapping in <Implementation>
Federation Metadata
SWITCHaai Federation Metadata
Accepted Certification Authority certificates within SWITCHaai
trust.xml
Home Organizations participating within SWITCHaai
sites.xml
More information:
http://www.switch.ch/aai/metadata.html
http://www.switch.ch/aai/ca-acceptance-policy.html
Federation Metadata - Auto-Updates
Siterefresh shell script (standard Linux shell / Windows Cygwin)
Automatic updates of the Federation Metadata (sites.xml / trust.xml)
Security provided by verifying the files' signatures before they are installed
Get the script and documentation:
http://www.switch.ch/aai/siterefresh.html
Apache Software Components
Diagram: Apache Webserver with the modules mod_shib (Shibboleth Target), mod_jk (Tomcat Connector) and mod_php (PHP)
Dynamic Web Pages (PHP, Java, …): PHP Application served via mod_php; Java Application 1 and Java Application 2 served by Tomcat via mod_jk
Shibboleth Target (SHAR)
Using access rules
Diagram: SWITCHaai Test Home Organization, Shibboleth Component, Web Server
Login: demostudent, PW: demo
Attributes: affiliation: student; homeOrganizationType: others
Access Rule: Affiliation = Student, HomeOrgType = Not VHO
Static Authorization in Apache
Rules in httpd.conf or .htaccess for Shibboleth Target 1.2.1

Any AAI user:
<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>

All students without VHO:
<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  # Both require lines must hold; by default any single require line suffices
  ShibRequireAll On
  require affiliation student
  require homeOrganizationType ~ ^[^vV][^hH][^oO]
</Location>

One specific user:
<Location /restricted>
  AuthType shibboleth
  ShibRequireSession On
  require uniqueID [email protected]
</Location>

Reference: http://www.switch.ch/aai/docs/shibboleth/internet2/1.2/deploy-guide-target1.2.1.html#4.d.
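As an added example (not from the slides and not Shibboleth code), a small Python evaluator for the three rule sets above, run against the demo user from the "Using access rules" slide plus constructed attribute sets. It assumes that several require lines must all hold (the ShibRequireAll On behaviour) and also shows the result under the any-one-suffices default; all uniqueID values are constructed placeholders.

```python
import re

# Constructed attribute sets. "demostudent" mirrors the demo user on the
# "Using access rules" slide (affiliation student, homeOrganizationType others);
# the other two users and every uniqueID value are made up for this example.
USERS = {
    "demostudent": {"affiliation": ["student"], "homeOrganizationType": ["others"],
                    "uniqueID": ["demostudent@example.org"]},
    "vhostudent":  {"affiliation": ["student"], "homeOrganizationType": ["vho"],
                    "uniqueID": ["vhostudent@example.org"]},
    "staff":       {"affiliation": ["staff"], "homeOrganizationType": ["university"],
                    "uniqueID": ["staff@example.org"]},
}

# The require lines of the three Location blocks on the slide
# (the uniqueID value is a constructed placeholder).
ANY_AAI_USER = ["valid-user"]
STUDENTS_NOT_VHO = ["affiliation student",
                    "homeOrganizationType ~ ^[^vV][^hH][^oO]"]
ONE_USER = ["uniqueID demostudent@example.org"]


def rule_holds(rule, attrs):
    """Evaluate one 'require' line against a user's attribute map.
    Forms used on the slide: 'valid-user', '<attr> <value> ...', '<attr> ~ <regex>'."""
    parts = rule.split()
    if parts[0] == "valid-user":
        return True                       # an authenticated session is enough
    values = attrs.get(parts[0], [])
    if len(parts) >= 3 and parts[1] == "~":
        pattern = re.compile(" ".join(parts[2:]))
        # The slide's regex is anchored with ^ and only inspects the first
        # three characters of the value.
        return any(pattern.search(v) for v in values)
    return any(v in parts[1:] for v in values)


def authorize(rules, attrs, require_all=True):
    """Combine several require lines. require_all=True is the ShibRequireAll On
    reading the slide captions imply; False is the any-one-suffices default."""
    results = [rule_holds(r, attrs) for r in rules]
    return all(results) if require_all else any(results)


if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(name, authorize(ANY_AAI_USER, attrs),
              authorize(STUDENTS_NOT_VHO, attrs), authorize(ONE_USER, attrs))
```

Note that with the any-one-suffices default a non-VHO staff member would pass the "students without VHO" rule set, which is why the combination needs conjunctive evaluation.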
Software Components
Diagram: IIS Web Server with the Shibboleth Target (isapi_shib) loaded as ISAPI Filter and ISAPI Extension, and Tomcat via JK (isapi redirector)
Dynamic Web Pages (ASP, Java, PHP, …): ASP Application, PHP Application (CGI), Java Application (Tomcat)
Shibboleth Target (SHAR)
Configuring Access Rules in IIS
Rules in shibboleth.xml for Shibboleth Target 1.2.1:
...
<RequestMap applicationId="default">
  <Host name="some.host.ch">
    <Path name="secure" requireSession="true" exportAssertion="false">
    </Path>
  </Host>
</RequestMap>
...
The isapi_shib filter forces Shibboleth authentication on requests for files in http://some.host.ch/secure/, equivalent to setting "require valid-user" in Apache.
Access Rules Management with IIS
Flowchart (courtesy of ISREC, Yan Corneille, Pascal Py): AAI inscription at first visit
AAI Protected Area: Content, Services, Personal Information, Restricted Area
Attributes checking (Swepuid): checks if the user already exists in the local users database
Yes: autologin
No: Waiting List
Questions ?
Q & A
http://www.switch.ch/aai