Shibboleth Service Provider Installation at USC
Contents
- Introduction
- Install Shibboleth
- Configure Shibboleth for Test IdP
- Testing Shibboleth
- Move into Production
- Advanced Topics
- Additional Resources
Introduction
This guide describes the process of installing and configuring a Shibboleth Service Provider to work within the USC environment.
Both Shibboleth 2.x and 3.x setup information are provided. Most information applies to both environments, however where there is a difference, the applicable installation will be appropriately tagged. Setup of 2.x service providers is now deprecated and, although it works and may be needed in some extreme circumstance, should not be used.
Intended Audience
This document is intended for the system administrator that will be installing and maintaining a Shibboleth service provider at USC. This may be a different person than the application developer who will actually be using the attributes which Shibboleth delivers. The following basic skills are expected of the reader, and are beyond the scope of what this document attempts to cover:
- familiarity with the local operating system, including how to install software (On some UNIX systems, this may mean compiling packages from source code or using the ITS-provided package)
- configuring the local web server (Apache, IIS, etc)
- basic understanding of SSL, including how to generate a key and CSR
- basic understanding of XML documents
Policy
It should be noted that this document covers only the technical aspects of setting up Shibboleth and does not attempt to include the equally important policy requirements of accessing the USC Global Directory Service (GDS). In order to have the USC Identity Provider release attributes to your application, a request must be made to and approved by the USC Directory Steering Committee. Until this request is made and approved, no production data will be released to your application. More information on this process can be found on the GDS website at http://www.usc.edu/gds/.
Install Shibboleth
The Shibboleth project offers documentation for installing Shibboleth on various platforms. Follow the appropriate Service Provider Installation instructions at:
Configure Shibboleth for Test IdP
Once you have Shibboleth installed, you'll need to configure it to point to the USC Shibboleth Test Identity Provider. Until you have completed the attribute request to the Directory Steering Committee real data cannot be released to your application, so we have setup a test IdP that will return sample data. This should be enough to verify that Shibboleth is working properly and begin thinking about how your application should consume and use the data Shibboleth makes available.
The location of the following configuration files will vary depending on which Shibboleth installation package you used. The most common locations are
- For Windows:
c:\opt\shibboleth-sp\etc\shibboleth
- For RedHat or Ubuntu Linux:
/etc/shibboleth
- ITS Solaris systems:
/var/local/etc/shibboleth
- For other UNIX systems:
/opt/shibboleth-sp/etc/shibboleth
Shibboleth XML
- shibboleth2.xml in Shib 2.x and Shib 3.x
This is the primary configuration file for Shibboleth and configures things such as what SSL certificate you are using, what resources Shibboleth should protect, and how your application identifies itself to the Shibboleth Identity Provider. Fill out the following form to have your configuration file automatically generated for you.
This form will generate a shibboleth2.xml file
that should be used to replace the existing one in your shibboleth
configuration directory (make sure you keep shibboleth.xml.dist
around so you can refer to it later). Go ahead and look through your new
shibboleth.xml and get a feel for what all it contains and what files on
your local system it references (notably the certificates at the bottom
of the file). For the sake of simplicity a number of assumptions are
made (such as the use of standard TCP ports); if these are not true for
your environment, a full description of everything in this file can be
found here:
Metadata
Download the USC metadata file from https://shibboleth.usc.edu/USC-metadata.xml
and place it in your main shibboleth configuration directory. Make sure
this location corresponds with the uri
attribute of the MetadataProvider
element in your shibboleth.xml or shibboleth2.xml file.
Credentials
An X.509 (SSL) certificate is required to encrypt data between servers and provide server authentication.
It is highly recommended that you simply use a self-generated certificate and key pair. If you have installed an SP by compiling it yourself or using the Windows installer, a certificate and key pair will be generated for you. If you are using a prepared system install (such as in /usr/usc on Solaris if/when that is available) you will need to generate your own. The best way to generate the cert is to use the script keygen.sh (or keygen.bat on Windows). This script is available in the etc/shibboleth configuration area near where the shibboleth.xml or shibboleth2.xml file is located. This script will automatically generate a certificate for you and store it in the files sp-cert.pem and sp-key.pem.
If you really can't or do not want to use that method and you already have a
certificate from VeriSign or Thawte, you may simply use that.
Save both your certificate and key on your server and make sure that the
CredentialResolver
in your shibboleth2.xml accurately reflects the locations of these
files.
Important note when updating certificates: An updated certificate
must be generated using the same key or it will break communications between
the SP and the IdP until the new matching certificate is recorded in the IdP.
So, for example, if you have used your front-end webserver cert and listed it
as the cert to use with the shibboleth service, updates to the webserver cert
can break shibboleth services. To avoid this type of common maintenance pain, keep
the shibboleth certificate and key separate, self-signed, and long-lived.
Attribute Access
- Replace the default attribute-map.xml and attribute-policy.xml with: attribute-map.xml and attribute-policy.xml.
Testing Shibboleth
Request Map
The RequestMap
by default is configured to only protect a
directory named "secure". This should be modified to define the actual URLs of
your application that should be protected. A lot of information on protecting
resources is available here:
Confirming attribute release
A good way to test your installation is to use a test script which will display the
environment and headers of your application. This can be used from "/secure" or any
protected location you configure using the RequestMap or the equivalent Apache commands.
Test scripts which directly show the environment are available here: http://shib.kuleuven.be/download/sp/test_scripts/
in your /secure
directory in order to see the HTTP headers being
populated.
If you don't want to bother with a script, most browsers have a developer console available through a menu item or installable as a plugin. These browser tools can show you the headers.
Another good way to test is to use the built-in service provider session information service. This service is accessed by constructing a URL based on the hostname plus the contents of your "handlerURL" setting plus "/Session". For example, for the sample service provider installation, this value is: https://shibboleth-test.usc.edu/docs/sp/install/Shibboleth.sso/Session
Inside the shibboleth2.xml is a configuration block described by a comment "Session Diagnostic Service". It looks like this:
<Handler type="Session" Location="/Session" showAttributeValues="false" />
It may not have the showAttributeValues option at all, but if you add it and set it to true,
you will be able to see the actual values provided to the session. The default is false,
so this is best used for testing and then when not needed anymore, set it back to false.
Attributes Received
If successfully configured, you should receive the following attributes from
the Test Identity Provider. This is only sample data, but is formatted to
look exactly like the production data will. For example, all entitlement
values will begin with urn:mace:usc.edu:gds:entitlement
but the
last portion will vary between applications. Also note that you will be
receiving multiple entitlement values — be aware of how multi-valued
attributes appear to your application (semi-colon delimited).
urn:mace:dir:attribute-def:mail | tommy.trojan@usc.edu |
---|---|
urn:mace:dir:attribute-def:displayName | Tommy Trojan |
urn:mace:usc.edu:gds:attribute-def:uscPvid | stbm3sj4 |
urn:mace:dir:attribute-def:eduPersonEntitlement | urn:mace:usc.edu:gds:entitlement:stdr9ph2 urn:mace:usc.edu:gds:entitlement:stmn7vt3 |
After all of this is setup, you should have something similar to https://shibboleth-test.usc.edu/docs/sp/install/sample.
Move into Production
When the Directory Steering Committee has approved your attribute request you will be able to point to the production Identity Provider and receive live data from the GDS. This will require only a few very minor changes.
Change hostnames
The hostname shibboleth-test.usc.edu
appears twice in your
shibboleth.xml file, as part of the SessionInitiator
and
SingleLogoutService
elements. Replace both of these instances
with shibboleth.usc.edu
.
Create ticket with metadata or shibboleth2.xml and certificate
You will need to create a ticket containing your exported metadata file or
your shibboleth2.xml
configuration
file and SSL certificate (NOT the SSL key) so that your
metadata can be imported and the IdP can be configured to release the
appropriate data to your application.
A note about credentials
At this time, the Test Identity Provider does not actually authenticate Service Providers with the SSL certificate they present. This means that while your SP may operate correctly with the test IdP, it may fail with the production IdP due to misconfigured certificates. This may not be obvious at first, so if you have problems when moving your SP to the production IdP, we recommend you email the shib-discuss mailing list.
Attributes
When you move to the Production IdP, the attributes your application
receives will likely differ from those you received from the Test IdP. The
attributes released to your application will be based on what was included in
your request to the Directory Steering Committee (see Policy) and may require changes to your
attribute mapping file:
attribute-map.xml
Strategies for Limiting Access
All users that are authorized to use your application are granted a specific eduPersonEntitlement value, which should be delivered to your application. In order to verify that a given user is indeed authorized, you'll need to look for this entitlement value, which can be done a number of ways:
-
Configure access control within the main shibboleth configuration.
-
Use standard .htaccess files to control access (Apache only).
- In application - because Shibboleth can make all of the received attributes available to an application, you can just let your application code check for the appropriate entitlement. This gives you a little more control over what to do with an unauthorized user.
It is not appropriate to use any other attribute to determine if a given user is authorized to use an application. Doing so introduces additional assumptions about what attributes a user may have, that may not be true for all users at all times.
A note about timestamps
It is very important to keep your server synchronized with a Network Time Protocol (NTP) service. USC Solaris servers connect to a set of USC-provided NTP servers. The following example entry in the root crontab file can keep your service up to date:
16 3,9,15,21 * * * exec ntpdate ntp1 ntp2 ntp3 >/var/adm/ntpdate.log 2>&1
Alternatively, if you have a Windows server, you can set the server to automatically keep up-to-date using the "Date and Time" tool in the control panel and then accessing the "Internet Time" tab. Make sure the checkbox is checked next to "Automatically synchronize with an Internet time server" In the "Server: " box, you can choose any NTP service you wish, or you can enter, for instance, "ntp1.usc.edu" into the box. Click "Update Now" to verify that it is working.
Failing to set regular NTP updates will usually lead to a sudden loss of Shibboleth services after some long period of time when the drift of the internal hardware clock suddenly exceeds the skew window. For more information see: Shibboleth Clock Skew
Advanced Topics
Understanding Logout
The current version of Shibboleth does not support single logout, so it is
important to understand what options are available to your application. The
only way for a user to completely log out of all Shibboleth services is to
close their browser. Short of that, the present recommendation is to first do
whatever clean up is necessary within your application and then redirect the
user to the Shibboleth SP SingleLogoutService
. This URL is
dependent on your installation and is constructed as a combination of your
hostname, handlerURL
, and SingleLogoutService
location (all defined within shibboleth2.xml). It will likely be of the form
https://my-app.usc.edu/Shibboleth.sso/Logout
. When the user is
redirected to this URL, their Shibboleth SP session will be destroyed and they
will be redirected to the Shibboleth IdP logout URL. At this point, their
Shibboleth IdP session will be destroyed and instructions will be provided for
truly completing the logout if they wish (ie. closing their browser).
Multiple Applications
A single Shibboleth SP installation is designed to support multiple applications installed on that server, but there are different deployment and configuration strategies to support this. More information is available here: Shib 1.3 Add Separate Application Those instructions are for shibboleth 1.3, but the example maps pretty closely to the configuration changes required in 2.x and 3.x -- there is no particular wiki page updated for this particular issue on the Shib 3.x wiki, but you can find all the relevant information in the various API pages.
Lazy Sessions
For some applications, it only makes sense for authenticated users to use the application. For example, what would an unauthenticated user do at a webmail application? Not much, most likely. However, there are many applications where it does make sense to offer a basic set of services to anonymous users and additional services only to authenticated users. In these case, it may be useful to make use of a feature in Shibboleth known as "Lazy Sessions" (sometimes referred to as "passive sessions"). Find out more at LazySession (Again, note that this is information on the Shib 1 wiki which also applies generally to Shib 3.x).
Federated Access to Applications
Shibboleth SP installations support logins from any identity provider configured. Some applications may be more open to access from external institutions. Institutions wishing to share information with each other generally join what is called a "Federation" and these institutions then can set up a trust framework which streamlines the approach to enabling trusted access to applications between institutions.
USC is a member of the InCommon Federation. As such, we have the ability to more easily log in to applications at member institutions, and we can also set up applications which allow logins from members of those institutions. A list of the member institutions can be found here.
Setup for Federated Access
Several configuration changes to the shibboleth2.xml will be required when enabling federated access. Policies regarding institutions which are allowed access may also be needed in the attribute-policy.xml. Additional attribute definitions may also be needed in the attribute-map.xml depending on which attributes are released by the institutions you allow to login.
First, you will need to load the metadata for the participating institutions. To do this, replace the
MetadataProvider
element with this one:
<MetadataProvider type="Chaining">
<!-- Use this MetadataProvider to federate with only those IdPs that are supported. -->
<MetadataProvider type="XML"
url="https://shibboleth.usc.edu/ds/supported-idp-metadata.xml"
backingFilePath="/var/local/etc/shibboleth/USC-metadata.xml"
reloadInterval="86400"/>
<!--
For applications that wish to federate openly with InCommon participants, delete the above
MetadataProvider and use this one.
<MetadataProvider type="XML"
url="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
backingFilePath="/var/local/etc/shibboleth/incommon-metadata.xml"
reloadInterval="86400"/>
-->
</MetadataProvider>
Next, you will want to set up a custom login form which will enable access from the institutions we participate with. This is very flexible and allows you to specify as many or as few of the InCommon participants as you wish, however, in order to use the USC central directory information about these guests, it is recommended to use the login form which dynamically accesses this list from the shibboleth.usc.edu server. This set of example files will provide a foundation for your login page, subject to your styling and customization changes. (Hint -- search for references to "myfederatedapp" and replace it with the name of your application).
To use this login form, it is necessary to customize the SessionInitiator
element
in the shibboleth2.xml. Normally, for an application located at myserver.usc.edu/myfederatedapp,
there will be an ApplicationOverride
block at the end of the shibboleth2.xml which
provides an area for custom settings for this application.
By default, there is a Sessions
element there, and it looks something like this:
<Sessions handlerURL="/myfederatedapp/Shibboleth.sso"
handlerSSL="true"
cookieProps="; path=/myfederatedapp; secure"
checkAddress="false"
lifetime="7200" timeout="3600" />
This should be changed to the following, replacing the application name and path to the form as appropriate:
<Sessions handlerURL="/myfederatedapp/Shibboleth.sso"
handlerSSL="true"
cookieProps="; path=/myfederatedapp; secure"
checkAddress="false"
lifetime="7200" timeout="3600" >
<SessionInitiator type="Chaining" Location="/DS"
id="myfederatedapp-sessioninit"
forceAuthn="false"
relayState="cookie"
acsByIndex="false"
>
<SessionInitiator type="Cookie" isDefault="true" />
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<SessionInitiator type="Form" relayState="cookie" template="/var/local/full/path/to/fed-form.html"/>
</SessionInitiator>
</Sessions>
If these pages and stylesheets are served from somewhere within the protection of shibboleth, it will be necessary to remove the requirement for a shibboleth session on the particular web location that serves these forms, for instance by using an Apache directive such as:
<LocationMatch /myfederatedapp/(images|styles|SP)/>
AuthType shibboleth
ShibRequireSession Off
</LocationMatch>
To enable the provisioning of entitlements and data from the USC environment, it will be necessary to
reconfigure the AttributeResolver
. Normally, this is in the shibboleth2.xml and looks like:
<AttributeResolver type="Query"/>
This should be changed to the following:
<AttributeResolver type="Chaining">
<AttributeResolver type="Query"/>
<AttributeResolver type="SimpleAggregation" attributeId="eduPersonPrincipalName" format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
<Entity>urn:mace:incommon:usc.edu</Entity>
<Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonEntitlement"/>
</AttributeResolver>
</AttributeResolver>
Additional requested Attribute
entries may be needed
according to your committee-approved attribute release permissions.
Though, this rule will retrieve all attributes configured for release
by the IdP release policy.
Attributes from federated entities ususally release EPPN, and sometimes just an opaque persistent identifier. Some sites such as ProtectNetwork release additional fields such as name fields for display. This attribute-map.xml contains additional attribute definitions to help with decoding the attributes released by partner organizations.
One final optional configuration which might be needed is to set aside the federated login part on a separate link while the main application continues operating as it usually does from the main links. This is done by configuring the Host/Path blocks at the top of the shibboleth2.xml file and using the requireSessionWith directive. This will configure a particular link to use the SessionInitiator with the id specified in the requireSessionWith directive. The original SessionInitiator must be copied into the ApplicationOverride so that it is used for regular access to the application if needed. For example:
<Host name="myserver.usc.edu"
applicationId="myfederatedapp"
authType="shibboleth"
requireSessionWith="sessioninit-orig"
exportAssertion="false">
<AccessControl>
<Rule require="entitlement">urn:mace:usc.edu:gds:entitlement:sctxxxxx</Rule>
</AccessControl>
<Path name="federatedloginlink"
applicationId="myfederatedapp"
authType="shibboleth"
requireSessionWith="sessioninit-fed"
exportAssertion="false"/>
</Host>
Additional Resources
- Shibboleth Wiki - the Shibboleth Wiki is the primary source of documentation for all aspects of installing and configuring Shibboleth.
- Internet2 Mailing Lists - the Shibboleth project maintains three mailing lists to announce news and discuss Shibboleth development and deployment. You are strongly encouraged to join shibboleth-users if you have any trouble installing or configuring Shibboleth. Subscription details are avaliable at http://shibboleth.internet2.edu/support.html#lists.