Shibboleth 2.0 IdP Training:Basics and Installation

January, 2009

IdP Basics: Terms – SAML

• Security Access Markup Language

• XML-based standard for authentication and authorization data interchange

• Identity Provider – producer of assertions

• Service Provider – consumer of assertions

• Current Version: 2.0

• Shibboleth 2.0 implements SAML 2.0

IdP Basics: Terms – Entity ID

• A unique URI for a Shibboleth Identity Provider (IdP) or Service Provider (SP)

• The recommended format is a URL

• https://idp.colostate.edu/idp/shibboleth

• InCommon Federation uses URNs:

• urn:mace:incommon:colostate.edu

IdP Basics: Terms – Relying Party

• The SAML peer to which the IdP is communicating with

• The peer in most cases for an IdP is an SP

IdP Basics: Terms – Profile

• A description of how to use SAML to accomplish a specific task

• Profiles define the interface for SAML peers

IdP Basics: Terms – Metadata

• A description of the SAML features supported by a SAML entity

• This includes the URLs for communicating with the entity

• Shibboleth also uses this information to build technical trust between entities

IdP Installation Prerequisites

• Three basic prerequisites for installation:

• Java Virtual Machine

• Java Servlet Container

• HTTP Listener

• You should be comfortable installing software on your platform

IdP Installation Prerequisites

Prerequisite What we’re using

Java Virtual Machine Sun Java SE 6

Java Servlet Container Apache Tomcat 6

HTTP Listener Apache HTTPD 2.2 + mod_proxy_ajp

Apache Tomcat Shibboleth

Prerequisites• Set in

TOMCAT_HOME/conf/server.xml

• Turn off Apache Tomcat authentication (optional)

• Set AJP listener to accept connections from localhost only

Lab: Shibboleth Installation

• Unzip the distribution archive

• Run an install script

• Answer questions

• Deploy a WAR file

• Restart Tomcat and verify the installation on port 8080

Shibboleth Home (SHIB_HOME)

• /opt/shibboleth-idp should contain

• The Shibboleth documentation refers to this directory as SHIB_HOME

bin logs

conf metadata

credentials war

lib

SHIB_HOME/bin• Contains command line tools

• aacli: attribute authority command line interface

• version: returns the IdP version

SHIB_HOME/conf

• Contains the IdP’s configuration files:

• We will cover most of these today

attribute-filter.xml logging.xml

attribute-resolver.xml

login.config

handler.xml relying-party.xml

internal.xml service.xml

SHIB_HOME/credentials

• Credentials used by the IdP

• The installer creates these:

• idp.key (IdP key)

• idp.crt (certificate)

• idp.jks (keystore)

• You can use this directory to store Federation certificates

SHIB_HOME/lib• Copies of libraries in the WAR file

that make up the IdP

• Used by the command line tools

SHIB_HOME/logs• Contains the IdP log files

• idp-process.log*

• idp-access.log

• idp-audit.log

• * Often referred to when troubleshooting

SHIB_HOME/metadata

• Contains metadata files

• Files placed in this directory are not automatically loaded

SHIB_HOME/war• Contains the IdP WAR file created by

the installer

• Note that we configured Apache Tomcat to run the IdP directly from the WAR file

HTTP Listener• Apache Tomcat has a built-in HTTP

listener and can be used as a standalone

• Apache HTTPD is a web server often implemented as a HTTP listener for Tomcat

• Using both can offer flexibility

• And interface well with legacy components

Apache HTTPD and Tomcat

• Use mod_proxy_ajp

• Define VirtualHosts for the Shibboleth SAML profiles, which listen on ports 443 and optionally 8443

• mod_proxy directive to connect to Tomcat

• Certificate settings

• Others as required (logging, etc.)

Lab: Apache HTTPD• Configure Apache HTTPD as the HTTP

listener for Apache Tomcat

• mod_proxy_ajp has already been installed

• Modify /etc/httpd/conf/httpd.conf

• Add the ProxyPass for /idp

• Restart Apache HTTPD

Logging

• Configured using the logging.xml file

• 5 Logging levels

• ERROR

• WARN

• INFO

• DEBUG

• TRACE

Lab: Logging• Change the logging level of the

edu.internet2.middleware.shibboleth logger and evaluate the difference in the logging messages

Metadata: General• Describes SAML features supported

by the IdP and SP

• Includes the URLs for communicating with the IdP and SP

• Certificates for IdPs and SPs to trust each other

• Federations will typically control and publish metadata

Metadata: Configuration

• Metadata can be stored and loaded locally (use SHIB_HOME/metadata)

• Metadata can also be loaded from a remote source

• We will discuss both configurations

Metadata: Configuration

• Metadata is loaded into the IdP by metadata providers

• Metadata providers are defined in the relying-party.xml file

• A single metadata “container” provider is defined where you will define within it your metadata providers

Metadata: Defining a Provider

• Metadata providers are defined using the <MetadataProvider> element

• Every metadata provider must have a:

• Unique ID using the id attribute

• Type using the xsi:type attribute

• Each type of metadata provider has its own set of configuration attributes

Metadata: Filesystem Provider• The Filesystem metadata provider

loads a metadata file from the local filesystem.

• Use type definition:

• xsi:type="FilesystemMetadataProvider"

• Configuration attribute

• metadataFile

Metadata: File-backed HTTP

Provider• Loads metadata via HTTP and backs

it up to local file

• Type definition:• xsi:type="FileBackedHTTPMetadataProvider"

• Configuration attributes:

• metadataURL

• backingFile

Lab: Metadata Providers

• Define a file-backed HTTP metadata provider

Multiple Metadata Providers

• The chaining metadata provider processes children metadata providers in the order they are defined

• If the same entity is defined in more than one metadata provider, only the first definition found will be used

Metadata Registration

• Metadata must be shared between relying parties

• Federations typically have a centralized registration process and systems

• Register certificates and profiles

Lab: Metadata Registration

• Register your IdP so it can interact with the SP/DS in the lab

References

• More information on IdP basics and installation can be found at:

• https://spaces.internet2.edu/display/SHIB2/Installation