Shibboleth2 IdP Setup CentOS
Transcript of Shibboleth2 IdP Setup CentOS
1
Shibboleth 2 IdP Setup Guide
This document is a guide to setting up a Shibboleth 2.0 Identity Provider (IdP) on CentOS v5 using LDAP
for authentication against Windows Active Directory. The information provided is based on my
experience in setting up a test Shibboleth implementation, and is not intended to be an exhaustive
guide to installing and configuring Shibboleth.
The Shibboleth installation was successfully tested against the TestShib server provider. This does not
guarantee that the IdP will work in a production environment. To access learning resources, the identity
provider institution must join the UK Federation (http://www.ukfederation.org.uk).
2
Document Conventions
Commands are displayed on a light green background, as shown in the examples below.
# ls -l # command executed as root user $ ls -l # command executed as non-root user # cp /etc/profile \ > /tmp/profile # multi-line command # wget -P /tmp http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/shibboleth-identityprovider-2.1.2-bin.tar.gz # wrapped single-line command
The first character in a command is the command prompt and should not be typed in. A hash symbol (#)
anywhere other than the first character indicates a comment.
File contents are displayed on a light blue background, as shown in the example below:
APACHE_SERVER_FLAGS="-D SSL"
3
Network Configuration
The Shibboleth IdP server must be accessible by name from the Internet, and the domain name against
which it authenticates must be a valid Internet domain name. The recommendation is to place the IdP
server in a demilitarized zone (DMZ) and open the appropriate ports on the internal and external
firewalls. See Table 1 for port settings.
Table 1
Firewall Port Map To Comment
Internal 389 N/A LDAP queries from IdP to domain controller
Internal 88 N/A Kerberos connection to domain controller.
External 80 80 HTTP
External 443 443 HTTPS
External 8442 8442 Shibboleth single sign-on
External 8443 8443 Shibboleth attributes
Note: Only ports 389, 80 and 443 were opened for successful TestShib authentication.
4
Installation
All commands are executed as the root user, unless otherwise specified.
1. Install CentOS with:
Base packages
Text editors
Command-line Internet
Software required for Shibboleth will be downloaded and installed after the operating system
installation. X-Windows and a windows manager are not required.
2. Open the firewall ports listed in Table 1
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -p tcp --dport 8442 -j ACCEPT
# iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
3. Shibboleth requires the service and identity providers clocks are in sync. On a physical server,
install and enable the time service and edit /etc/ntp.conf to synchronize with the JANET time
servers listed at http://www.ja.net/services/ntp.
# yum -y install ntp
# vi /etc/ntp.conf # add JANET time servers (line 17)
# ntpdate ntp0.ja.net
# service ntpd start
# chkconfig ntpd on
On a virtual server follow the instructions for synchronizing the clock with the host server for
VMWare or Windows Virtual Server.
4. Install OpenLDAP client. Not required for Shibboleth, used for testing LDAP queries against Active
Directory server
# yum -y install openldap-clients
5. Download and install the Java Runtime Environment version 6.
# wget -O /tmp/jre.rpm.bin http://javadl.sun.com/webapps/download/AutoDL?BundleId=27972
# chmod +x /tmp/jre.rpm.bin
# /tmp/ jre.rpm.bin
5
6. Set the Java environment variables
# touch /etc/profile.d/idp.sh
# chmod +x /etc/profile.d/idp.sh
# echo “export JAVA_HOME=/usr/java/default” >> /etc/profile.d/idp.sh
# echo “export JAVA_OPTS=\”-server\”” >> /etc/profile.d/idp.sh
# source /etc/profile
7. Install Apache HTTP server and the SSL module
# yum -y install httpd mod_ssl
# chkconfig httpd on
8. Download and install Tomcat 6
# wget -P /tmp http://apache.mirror.infiniteconflict.com/tomcat/tomcat-6/v6.0.18/bin/apache-
tomcat-6.0.18.tar.gz # this command is on one line
# tar xvzf /tmp/apache-tomcat-6.0.18.tar.gz -C /usr/local
# ln -s /usr/local/apache-tomcat-6.0.18 /usr/local/apache-tomcat
9. Add the CATALINA_HOME variable to the environment.
# echo “export CATALINA_HOME=/usr/local/apache-tomcat” >> /etc/profile.d/idp.sh
# source /etc/profile
10. Create the tomcat user account
# useradd tomcat
# groupadd tomcat
11. Change the ownership of the Tomcat directory structure to tomcat
chown -R tomcat:tomcat /usr/local/apache-tomcat
12. Edit $CATALINA_HOME/conf/tomcat-users.xml and add an admin user, for example:
<tomcat-users> <user username=”admin” password=”Pa$2w0rd” roles=”admin,manager” /> </tomcat-users>
13. Download and install Shibboleth 2.1.2 identity provider by executing install.sh.
# wget -P /tmp http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/shibboleth-
identityprovider-2.1.2-bin.tar.gz # one line
# tar xvzf /tmp/shibboleth-identityprovider-2.1.2-bin.tar.gz -C /tmp
# cd /tmp/shibboleth-identityprovider-2.1.2
# sh install.sh
6
Provide the following information in response to the installer prompts:
The folder in which to install the IdP (IDP_HOME).
The Internet-visible DNS name of the IdP server.
A password for the self-signed certificate
The self-signed certificate is stored in $IDP_HOME/credentials. Before going live, this should be
replaced with an X.509 digital certificate recognised by the federation.
14. Make the tomcat user the owner of IDP_HOME and its contents.
# chown -R tomcat:tomcat /usr/local/shibboleth-idp
15. Edit $CATALINA_HOME/conf/catalina.properties and append /usr/local/shibboleth-idp
/lib/endorsed/*.jar to the common.loader entry.
16. Copy $IDP_HOME /war/idp.war to $ CATALINA_HOME/webapps as the tomcat user.
# su tomcat
$ cp /usr/local/idp/war/idp.war $CATALINA_HOME/webapps
$ exit
7
Configuration
Configuration of the Shibboleth IdP requires:
Enabling SSL on Apache.
Configuring Apache to accept connections on behalf of Tomcat.
Enabling LDAP authentication for the IdP.
Defining source of user attributes and mapping between attribute names.
Define which attributes to release to service provider.
The following sections describe what files are to be edited to configure the IdP. The paths used reflect
the test installation and should be changed to reflect your configuration.
Enable SSL on Apache
1. Edit /etc/httpd/conf.d/ssl.conf and configure a virtual host listening on port 443 by replacing the
existing virtual host with the following:
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions +StdEnvvars
################## replace with signed certificate
SSLCertificateFile "/usr/local/shibboleth-idp/credentials/idp.crt"
SSLCertificateKeyFile "/usr/local/shibboleth-idp/credentials/idp.key"
# may need to include an entry for SSLCertificateChainFile
###################################################################
ErrorLog logs/ssl_443_error_log"
TransferLog logs/ssl_443_access_log"
LogLevel warn
CustomLog logs/ssl_443_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
2. Create a virtual host that listens on port 8443 by adding the following to
/etc/httpd/conf.d/ssl.conf:
<VirtualHost _default_:8443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions +StdEnvvars +ExportCertData
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10
8
################## replace with signed certificate
SSLCertificateFile "/usr/local/shibboleth-idp/credentials/idp.crt"
SSLCertificateKeyFile "/usr/local/shibboleth-idp/credentials/idp.key"
# may need to include an entry for SSLCertificateChainFile
###################################################################
ErrorLog logs/ssl_8443_error_log"
TransferLog logs/ssl_8443_access_log"
LogLevel warn
CustomLog logs/ssl_8443_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Configure Apache to Accept Connections on Behalf of Tomcat
1. Append the following to /etc/httpd/conf.d/proxy-ajp.conf:
ProxyPass /idp/ ajp://localhost:8009/idp/
Configure Tomcat
1. Configure a connector on port 8009 in $CATALINA_HOME/conf/server.xml as follows:
<Connector
port="8009"
request.tomcatauthentication="false"
address="127.0.0.1"
enableLookups="false"
protocol="AJP/1.3"
redirectPort="8443"
/>
Testing
1. Restart Apache server
# service httpd restart
2. Restart Tomcat
# su tomcat -c $CATALINA_HOME/bin/shutdown.sh
# su tomcat -c $CATALINA_HOME/bin/startup.sh
3. Browse to home page
# curl http://localhost
HTML content of default home page is printed to the terminal window.
4. Browse to home page over SSL
# curl -k https://localhost
9
HTML content of default home page is printed to the terminal window.
5. Browse to IdP status page
# curl http://localhost/idp/profile/Status
ok is printed to the terminal window
6. Review $CATALINA_HOME/logs/catalina.out and $IDP_HOME/logs/idp-process.log files for
errors.
Enable LDAP Authentication for IdP
1. Edit $IDP_HOME/conf/login.config and uncomment the LdapLoginModule section. See Table 2
for the parameters to set that will allow IdP to login to and verify credentials against Active
Directory.
Table 2
Parameter Description Example
host Space separated list of full DNS names of domain controllers
rsc-dns3.rscwmsystems.org.uk
base Path of directory from which to begin searching
dc=rscwmsystems,dc=org,dc=uk
port LDAP port (must be open on internal firewall)
389
ssl true if SSL connection to domain controllers, false otherwise
userField Name of field containing user id samAccountName
subtreeSearch true to search entire subtree of base, false to search only immediate children
serviceUser Account that IdP uses to connect to Active Directory
cn=Idp Login,ou=Shibboleth, dc=rscwmsystems,dc=org,dc=uk
serviceCredential Password for serviceUser account
2. Edit $IDP_HOME/conf/handler.xml, activate the UsernamePassword login handler and remove
the RemoteUser login handler, as follows:
<!-- ------------------------------------------------ COMMENTED OUT -----------------------
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</AuthenticationMethod>
</LoginHandler>
------------------------------------------------------------------------------------------------------------- -->
<LoginHandler
xsi:type="UsernamePassword"
10
jaasConfigurationLocation="file:///usr/local/shibboleth-idp/conf/login.config">
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</AuthenticationMethod>
</LoginHandler>
Attribute Resolution Configuration
The IdP can retrieve attributes from either LDAP or a relational database; generate attributes based on
other attributes; or define them statically. The $IDP_HOME/conf/attribute-resolver.xml file defines
data connectors (resolver:DataConnector) for connecting to the attribute sources, and attribute
definitions (resolver:AttributeDefinition) that define the attribute type (xsi:type) and how it maps to the
source attribute (sourceAttributeID). Attribute definitions are associated with a data connector via the
ref parameter of the resolver:Dependency child node.
See https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute for details.
The service provider will specify the attributes that it requires. The UK Federation defines the following
core attributes:
eduPersonScopedAffiliation: user’s role in the organisation, e.g. [email protected].
eduPersonTargetedID: service provider-specific user id
eduPersonPrincipalName: user id defined by identity provider
eduPersonEntitlement: extensible list of URIs for extra properties
Restart the IdP web application after modifying the attribute-resolver file.
Examples
<resolver:DataConnector
id="conLDAP"
xsi:type="LDAPDirectory"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
ldapURL="ldap://rsc-dns3.rscwmsystems.org.uk:389"
baseDN="ou=Shibboleth,dc=rscwmsystems,dc=org,dc=uk"
principal="[email protected]"
principalCredential="Pa$2w0rd">
<FilterTemplate>
<![CDATA[
(samAccountName=$requestContext.principalName)
]]>
</FilterTemplate>
</resolver:DataConnector>
Figure 1: LDAP Data Connector
11
<resolver:DataConnector
id="conStatic"
xsi:type="Static"
xmlns="urn:mace:shibboleth:2.0:resolver:dc">
<Attribute id="eduPersonAffiliation">
<Value>member</Value>
</Attribute>
<Attribute id="eduPersonEntitlement">
<Value>urn:example.org:entitlement:entitlement1</Value>
<Value>urn:mace:dir:entitlement:common-lib-terms</Value> </Attribute>
</resolver:DataConnector>
Figure 2: Static Data Connector
<resolver:DataConnector
xsi:type="ComputedId"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
id="conComputed"
generatedAttributeID="attComputed"
sourceAttributeID="objectGUID"
salt="your random string here">
<resolver:Dependency ref="conLDAP" />
</resolver:DataConnector>
Figure 3: Computed Data Connector
<resolver:AttributeDefinition
id="email"
xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="mail">
<resolver:Dependency ref="conLDAP" />
<resolver:AttributeEncoder
xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:mail" />
<resolver:AttributeEncoder
xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:0.9.2342.19200300.100.1.3"
friendlyName="mail" />
</resolver:AttributeDefinition>
Figure 4: LDAP Attribute
12
<resolver:AttributeDefinition
id="eduPersonAffiliation"
xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="eduPersonAffiliation">
<resolver:Dependency ref="conStatic" />
<resolver:AttributeEncoder
xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
<resolver:AttributeEncoder
xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>
Figure 6: Static Attribute
<resolver:AttributeDefinition
id="eduPersonTargetedID"
xsi:type="SAML2NameID"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
sourceAttributeID="attComputed">
<resolver:Dependency ref="conComputed" />
<resolver:AttributeEncoder
xsi:type="SAML1XMLObject"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
<resolver:AttributeEncoder
xsi:type="SAML2XMLObject"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>
Figure 5: Computed Attribute
13
<resolver:AttributeDefinition
id="eduPersonAffiliation"
xsi:type="Script"
xmlns="urn:mace:shibboleth:2.0:resolver:ad" >
<resolver:Dependency ref="conLDAP" />
<resolver:AttributeEncoder
xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
<resolver:AttributeEncoder
xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
friendlyName="eduPersonAffiliation"/>
<Script>
<![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");
dn = distinguishedName.getValues().get(0).toLowerCase();
if (dn.contains("ou=staff")) {
eduPersonAffiliation.getValues().add("staff");
} else if (dn.contains("ou=student")) {
eduPersonAffiliation.getValues().add("student");
} else {
eduPersonAffiliation.getValues().add("member");
}
]]>
</Script>
</resolver:AttributeDefinition>
Figure 7: Scripted Attribute
14
Attribute Release Policy Definition
The $IDP_HOME/conf/attribute-filter.xml file defines which attributes to release to specific service
providers. The file contains a set of attribute filter policy (AttributeFilterPolicy) nodes that define rules
(PolicyRequirementRule) for allowing a service provider access to the attributes, and attribute filters that
define which attributes are released.
Restart the IdP web application after modifying the attribute-filter file.
<resolver:AttributeDefinition
id="eduPersonScopedAffiliation"
xsi:type="Scoped"
xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID="eduPersonAffiliation"
scope="rscwmsystems.org.uk">
<resolver:Dependency ref="eduPersonAffiliation" />
<resolver:AttributeEncoder
xsi:type="SAML1ScopedString"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
<resolver:AttributeEncoder
xsi:type="SAML2ScopedString"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
Figure 8: Attribute Derived From Another Attribute
15
Examples
<AttributeFilterPolicy>
<PolicyRequirementRule
xsi:type="basic:AttributeRequesterString"
value="https://sp1.example.org" />
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAffiliation">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonEntitlement">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonTargetedID">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
Figure 9: Release Policy For Specific Service Provider
<AttributeFilterPolicy>
<PolicyRequirementRule
xsi:type="saml:AttributeRequesterInEntityGroup"
groupID="http://ukfederation.org.uk" />
<AttributeRule attributeID="eduPersonAffiliation">
<PermitValueRule xsi:type="basic:OR">
<basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
<basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
<basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
<basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
</PermitValueRule>
</AttributeRule>
</AttributeFilterPolicy>
Figure 10: Release Policy For Specific Service Provider Group
16
Testing
The Shibboleth IdP 2 installation can be tested against the TestShib service as follows:
1. Register with TestShib (http://www.testshib.org/testshib-two/join.jsp)
2. Modify $IDP_HOME/conf/relying-party.xml as described on http://www.testshib.org/testshib-
two/configure.jsp.
3. Add an attribute filter policy to $IDP_HOME/conf/attribute-filter.xml to release the
eduPersonScopedAffiliation and eduPersonTargetedID attributes to https://sp.testshib.org
/shibboleth-sp (see examples in previous section).
4. Restart the IdP web application.
5. Create a test Active Directory account.
6. Use ldapsearch to verify that the principal account specified in login.config and attribute-
resolver.xml can connect to Active Directory. For example:
# ldapsearch -x -L \
> -b "ou=Shibboleth,dc=rscwmsystems,dc=org,dc=uk" \
> -H "ldap://rsc-dns3.rscwmsystems.org.uk:389" \
> -D "cn=Idp Login,ou=Shibboleth,dc=rscwmsystems,dc=org,dc=uk" -W \
> "samAccountName=*"
7. Browse to https://sp.testshib.org, specify the DNS name of the IdP server and log in with the test
account.
If successful, a result similar to the following will be returned:
Shibboleth-protected TestShib Content
This page is protected by the TestShib Service Provider. If you're reading this, your IdP successfully provided
authentication information. If you have data about you and an assertion below, then your IdP also released attribute
and authorization information. Cool!
…Here are some pieces of information I can tell about you using the information Shibboleth gives me:
Keep-Alive is: 300
Shib-Session-ID is: _5e3c154ea5ca0c9b93bcc89345e95ad0
Shib-Identity-Provider is: https://dns1.rscwmsystems.org.uk/idp/shibboleth
Shib-Authentication-Instant is: 2009-03-26T11:17:39.512Z
Shib-AuthnContext-Decl is: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
affiliation is: [email protected]
unscoped-affiliation is: member
entitlement is: urn:example.org:entitlement:entitlement1;urn:mace:dir:entitlement:common-lib-terms
persistent-id is: https://dns1.rscwmsystems.org.uk/idp/shibboleth!https://sp.testshib.org/shibboleth-
sp!ajV02X7Yv9s2WKk9L4WB2Mz6/5k= Shib-Application-ID is: default
17
Useful Links
UK Federation joining instructions.
UK Federation technical recommendations for participants (pdf).
login.config documentation.
attribute-resolver.xml documentation.
attribute-filter.xml documentation.
relying-party.xml documentation.
Nottingham Trent University Windows IdP Installation wiki.
EduGate Shibboleth 2.1 installation lab exercise
Active Directory schema attributes.