Shibboleth SP Setup (ubuntu)

...

Command:
sudo a2enmod shib2


You will need to create a key/cert:

...

This creates two files: sp-key.pem and sp-cert.pem.


Apache uses its own cert/key that is defined in this file:
/etc/apache2/sites-available/default-ssl

Man Page for keygen:
http://manpages.ubuntu.com/manpages/karmic/man8/shib-keygen.8.html


Enable SSL:

Run these commands:
sudo a2enmod ssl
sudo a2ensite default-ssl


Restart apache and shib

Run commands:
sudo service apache2 restart
/etc/init.d/shibd start


Edit shibboleth2.xml

The shibboleth2.xml file (/etc/shibboleth/shibboleth2.xml) needs very little editing. Change the entityID to your server address and begin testing there. It should look something like:
entityID="https://sp2.lunaimaging.com"

...

Check to see if you get XML data when you go to the status page:
https://sp2.lunaimaging.com/Shibboleth.sso/Status

You should see XML and two blocks of certificate data if you scroll down a bit. This indicates Shibboleth is operational and is using the cert/key you generated.



Make metadata for idp to use:

You need to give the metadata created by the sp to the idp you are connecting to. To get the metadata from the sp:
https://sp2.lunaimaging.com/Shibboleth.sso/Metadata

(save this and hand off to idp)

Note: Make sure you use https:// when requesting the metadata so that all the links it contains also use https. A mismatch in "https" between the metadata and the shibboleth2.xml file results in the error "2 SSO profile is not configured for relying party".
The entityID in the shibboleth2.xml file needs to match the entityID in the metadata you pass to the idp. The metadata is generated from the information in the shibboleth2.xml file, so this should not be a problem, but it is worth mentioning.


At this point, if this is your first time working with Shibboleth, I recommend you try to connect to testshib.com. They have an idp set up to which you can easily upload the metadata you just made. You will receive back a shibboleth2.xml file that you can make active and use to see whether you can connect. If you can connect to testshib.com, you are ready to begin connecting to the idp you actually want/need to connect to.


Edit /etc/apache2/sites-available/default

Add to the bottom after "</Virtualhost>":

...

Setting up to connect to an IDP (Identity Provider)

You will need to hand off your metadata to the IDP (created here: https://yourdomain.com/Shibboleth.sso/Metadata). The IDP will need to supply you with:

  • EntityID   (this goes in the <SSO portion of shibboleth2.xml)
  • The IDP's Metadata file which you place into /etc/shibboleth/
    You need to specify this file in the shibboleth2.xml file as "locally maintained metadata", i.e.: <MetadataProvider type="XML" file="IDPMetadata.xml"/>
    (you may need to uncomment this line to make it active)
  • A username and password to log into the IDP with.
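As an added consistency check for the hand-off above (example code, not part of Shibboleth or this guide), the script below parses a shibboleth2.xml excerpt together with the SP's generated metadata and the IdP's metadata file and reports the mismatches the text warns about: an entityID that differs between shibboleth2.xml and the generated metadata, http:// endpoints left behind by fetching the metadata without https, and an <SSO entityID> that does not appear in the file named by <MetadataProvider file="...">. All XML and hostnames (sp.example.org, idp.example.org) are constructed samples.

```python
# Added example (not Shibboleth project code): checks the hand-off described
# above. All XML here is constructed sample input, not real SP or IdP metadata.
import xml.etree.ElementTree as ET

NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed shibboleth2.xml excerpt: only the parts the check needs.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions><SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO></Sessions>
    <MetadataProvider type="XML" file="IDPMetadata.xml"/>
  </ApplicationDefaults></SPConfig>"""

# Constructed stand-in for what /Shibboleth.sso/Metadata returns ({loc} is filled in).
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.org/shibboleth"><SPSSODescriptor>
  <AssertionConsumerService index="1" Location="{loc}"/>
  </SPSSODescriptor></EntityDescriptor>"""

# Constructed IdP metadata, keyed by the file name MetadataProvider points at.
IDP_FILES = {"IDPMetadata.xml": """<EntityDescriptor
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.org/idp/shibboleth"/>"""}


def check_sp_handoff(sp_config_xml, sp_metadata_xml, idp_files):
    """Return a list of problems; an empty list means the hand-off is consistent."""
    problems = []
    app = ET.fromstring(sp_config_xml).find("conf:ApplicationDefaults", NS)
    md = ET.fromstring(sp_metadata_xml)
    # 1. entityID in shibboleth2.xml must equal the entityID in the SP's metadata.
    if md.get("entityID") != app.get("entityID"):
        problems.append("entityID mismatch: %s vs %s" % (app.get("entityID"), md.get("entityID")))
    # 2. Metadata fetched over http:// carries http:// endpoints; every
    #    Location/ResponseLocation must be https (the 'SSO profile' error above).
    for el in md.iter():
        for attr in ("Location", "ResponseLocation"):
            if el.get(attr) and not el.get(attr).startswith("https://"):
                problems.append("non-https endpoint: %s" % el.get(attr))
    # 3. The <SSO entityID> must be the entityID in the IdP metadata file named
    #    by <MetadataProvider file="...">, otherwise the SP cannot find the IdP.
    wanted = app.find("conf:Sessions/conf:SSO", NS).get("entityID")
    idp_xml = idp_files.get(app.find("conf:MetadataProvider", NS).get("file"))
    if idp_xml is None:
        problems.append("IdP metadata file missing")
    elif wanted not in {e.get("entityID") for e in ET.fromstring(idp_xml).iter()}:
        problems.append("SSO entityID %s not in IdP metadata" % wanted)
    return problems
```

Call check_sp_handoff(SP_CONFIG, SP_METADATA.format(loc="https://sp.example.org/Shibboleth.sso/SAML2/POST"), IDP_FILES); an empty list means the three values agree, and replacing https with http in the Location reproduces the mismatch the note above describes.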



Luna - Attribute file:
Adjust the names of the attributes you are receiving from the IDP to match in this file.

/LUNA/tomcat/luna_apps/luna.war/WEB-INF/luna-servlet.xml

Shib Attribute file:

/etc/shibboleth/attribute-map.xml



Important commands:

/etc/init.d/shibd start/stop/restart
shibd -t      (to test configuration)

See if you have session data:
http://sp2.lunaimaging.com/Shibboleth.sso/Session


Associated files (not necessary to test)
They can be found in /etc/shibboleth/

...

/var/log/shibboleth/shibd_warn.log



Helpful Links
https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted

...