Shibboleth Installation notes

Soffid Federation is based on shibboleth open source project. Actually the installation is a mixed procedure between Shibboleth installation and Soffid configuration. In the future Shibboleth installation will be integrated on Soffid installation in order to assume better integration level. 

 This guides help administrators to streamline shibboleth installation process, but it does not replace the oficial shibboleth documentation in any way. 

 Install shibboleth 

 On ubuntu 

 sudo apt-get install shibboleth-sp2-schemas libshibsp-dev

sudo apt-get install libshibsp-doc libapache2-mod-shib2 opensaml2-tools

sudo apt-get install libapr-memcache-dev libapr-memcache0 policycoreutils 

 On RedHat 

 Follow Installing via Yum instructions on shibboleth wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall 

 On Windows Server 

 Follow installing via Windows Server instructions on Shibboleth wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPWindowsInstall 

 Configure SELinux (if needed) 

 create shibd.te file with this content: 

 module httpd_shibd 1.0;

require {

 type tmp_t;

 type var_run_t;

 type httpd_t;

 type initrc_t;

 class sock_file write;

 class unix_stream_socket connectto;

}

#============= httpd_t ==============

allow httpd_t initrc_t:unix_stream_socket connectto;

allow httpd_t var_run_t:sock_file write; 

 Execute 

 sudo checkmodule -M -m -o shibd.mod shibd.te

sudo semodule_package -o shibd.pp -m shibd.mod

sudo semodule -i shibd.pp

sudo setsebool -P httpd_can_network_connect 1 

 Create service provider Shibboleth keys & metadata 

 Execute 

 sudo shib-keygen -h HOSTNAME -e https://HOSTNAME/shibboleth 

 Verify the permissions of the generated key. 

 At this point, verify the hostname specified matches the ServerName directive at Apache config file, including scheme and port. 

 Edit configuration file 

 Update shibboleth2.xml in order to download the federation data from Soffid master or backup Synchronization Server. You will need to specify the Identity Provider public ID, as it is created on Soffid SAML Federation 

 <ApplicationDefaults entityID="https://HOSTNAME/shibboleth"

 REMOTE_USER="eppn persistent-id targeted-id">

...

 <Sessions>

 <SSO entityID="SOFFID-IDP-public ID">

 SAML2 SAML1

 </SSO>

 <Logout>SAML2 Local</Logout>

...

 </Sessions>

...

 <MetadataProvider type="XML" uri="https://SYNCSERVER:760/SAML/metadata.xml" handlerSSL="true"

 backingFilePath="federation-metadata.xml" reloadInterval="7200">

 </MetadataProvider>

...

</ApplicationDefaults> 

 Finally, uncomment the required attributes on attribute-map.xml. You must also add the following ones: 

 <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>

 <Attribute name="urn:oid:1.3.6.1.4.1.22896.3.1.1" id="sessionId"/>

 <Attribute name="urn:oid:1.3.6.1.4.1.22896.3.1.2" id="soffidSecrets"/>

 <Attribute name="urn:oid:1.3.6.1.4.1.22896.3.1.4" id="userType"/>

 <Attribute name="urn:oid:1.3.6.1.4.1.22896.3.1.5" id="givenNames"/> 

 Enable Single Logout back-channel 

 It's advisable to use single logout back-channel while using non SAML-aware applications. 

 To do this, add a new Logout intitator configuration at shibboleth2.xml file: 

 <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->

 <LogoutInitiator type="Chaining" Location="/Logout">

 <LogoutInitiator type="SAML2"

 template="bindingTemplate.html"/>

 <LogoutInitiator type="Local"/>

 </LogoutInitiator>

 <!-- Logout inititator to be used by WebSSO -->

 <LogoutInitiator type="Chaining" Location="/SOAPLogout">

 <LogoutInitiator type="SAML2"

 outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

 template="bindingTemplate.html"/>

 <LogoutInitiator type="Local"/>

 </LogoutInitiator>

 

 

 <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->

 <md:SingleLogoutService Location="/SLO/SOAP"

 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

 <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"

 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

 <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"

 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

 <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"

 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/> 

 For security reasons, you should at the signing parameter at the application defaults tag in order to enable logout message signature: 

 <ApplicationDefaults entityID="..."

                        signing="true"

                        REMOTE_USER="eppn persistent-id targeted-id">

.. 

  Finally 

 Restart services: 

 sudo service apache2 start

sudo service shibd start