- Requirements Hardware
- Software that will be installed
- Other Requirements
- Installation Instructions
- Configuration Instructions
- Test
- Enable Attribute Checker Support on Shibboleth SP
- Increase startup timeout
- OPTIONAL - Maintain 'shibd' working
- Utility
- Authors
- Thanks
- CPU: 2 Core
- RAM: 4 GB
- HDD: 20 GB
- OS: Debian 10
- ca-certificates
- ntp
- vim
- libapache2-mod-php, php, libapache2-mod-shib, apache2 (>= 2.4)
- openssl
- SSL Credentials: HTTPS Certificate & Key
This HOWTO use example.org
as domain name and sp.example.org
as FQDN (Full Qualified Domain Name) to provide example values to this guide.
Please, remember to replace all occurence of example.org
domain name, or part of it, with the SP domain name into the configuration files and also sp.example.org
with the FQDN of your SP server.
-
Become ROOT:
sudo su -
-
Change the default mirror to the GARR ones on
/etc/apt/sources.list
(OPTIONAL):debian.mirror.garr.it
(Debian)ubuntu.mirror.garr.it
(Ubuntu)
-
Update packages:
apt update && apt-get upgrade -y --no-install-recommends
-
Install the packages required:
apt install ca-certificates vim openssl
-
Modify your
/etc/hosts
:-
vim /etc/hosts
127.0.1.1 sp.example.org sp
(Replace
sp.example.org
with your SP Full Qualified Domain Name)(Replace
sp
with your SP Hostname) -
-
Be sure that your firewall doesn't block the traffic on port 443 (or you can't access to your SP)
-
Become ROOT:
sudo su -
-
Install Shibboleth SP:
apt install apache2 libapache2-mod-shib ntp --no-install-recommends
From this point the location of the SP directory is:
/etc/shibboleth
According to NSA and NIST, RSA with 3072 bit-modulus is the minimum to protect up to TOP SECRET over than 2030.
-
Become ROOT:
sudo su -
-
Create the DocumentRoot:
mkdir /var/www/html/$(hostname -f) sudo chown -R www-data: /var/www/html/$(hostname -f) echo '<h1>It Works!</h1>' > /var/www/html/$(hostname -f)/index.html
-
Create the Virtualhost file (please pay attention: you need to edit this file and customize it, check the initial comment inside of it):
wget https://registry.idem.garr.it/idem-conf/shibboleth/SP3/apache2/sp.example.org.conf -O /etc/apache2/sites-available/000-$(hostname -f).conf
-
Put SSL credentials in the right place:
- HTTPS Server Certificate (Public Key) inside
/etc/ssl/certs
- HTTPS Server Key (Private Key) inside
/etc/ssl/private
- Add CA Cert into
/etc/ssl/certs
-
If you use GARR TCS (Sectigo CA):
wget -O /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem https://crt.sh/?d=2475254782 wget -O /etc/ssl/certs/SectigoRSAOrganizationValidationSecureServerCA.crt https://crt.sh/?d=924467857 cat /etc/ssl/certs/SectigoRSAOrganizationValidationSecureServerCA.crt >> /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem rm /etc/ssl/certs/SectigoRSAOrganizationValidationSecureServerCA.crt
-
If you use ACME (Let's Encrypt):
ln -s /etc/letsencrypt/live/<SERVER_FQDN>/chain.pem /etc/ssl/certs/ACME-CA.pem
-
- HTTPS Server Certificate (Public Key) inside
-
Configure the right privileges for the SSL Certificate and Key used by HTTPS:
chmod 400 /etc/ssl/private/$(hostname -f).key chmod 644 /etc/ssl/certs/$(hostname -f).crt
(
$(hostname -f)
will provide your IdP Full Qualified Domain Name) -
Enable proxy_http, SSL and headers Apache2 modules:
a2enmod ssl headers alias include negotiation a2dissite 000-default.conf default-ssl a2ensite 000-$(hostname -f).conf systemctl restart apache2.service
-
Verify the strength of your SP's machine on:
-
Become ROOT:
sudo su -
-
Change the SP entityID and technical contact email address:
sed -i "s/sp.example.org/$(hostname -f)/" /etc/shibboleth/shibboleth2.xml sed -i "s/root@localhost/<TECH-CONTACT-EMAIL-ADDRESS-HERE>/" /etc/shibboleth/shibboleth2.xml sed -i 's/handlerSSL="false"/handlerSSL="true"/' /etc/shibboleth/shibboleth2.xml sed -i 's/cookieProps="http"/cookieProps="https"/' /etc/shibboleth/shibboleth2.xml sed -i 's/cookieProps="https">/cookieProps="https" redirectLimit="exact">/' /etc/shibboleth/shibboleth2.xml
-
Create SP metadata Signing and Encryption credentials:
-
Ubuntu:
cd /etc/shibboleth shib-keygen -u _shibd -g _shibd -h $(hostname -f) -y 30 -e https://$(hostname -f)/shibboleth -n sp-signing -f shib-keygen -u _shibd -g _shibd -h $(hostname -f) -y 30 -e https://$(hostname -f)/shibboleth -n sp-encrypt -f /usr/sbin/shibd -t systemctl restart shibd.service systemctl restart apache2.service
-
Debian
cd /etc/shibboleth ./keygen.sh -u shibd -g shibd -h $(hostname -f) -y 30 -e https://$(hostname -f)/shibboleth -n sp-signing -f ./keygen.sh -u shibd -g shibd -h $(hostname -f) -y 30 -e https://$(hostname -f)/shibboleth -n sp-encrypt -f LD_LIBRARY_PATH=/opt/shibboleth/lib64 /usr/sbin/shibd -t systemctl restart shibd.service systemctl restart apache2.service
-
-
Enable Shibboleth Apache2 configuration:
a2enmod shib
-
Remove the
#
character from the#Redirect ...
line on the Apache2 configuration to enable it:-
vim /etc/apache2/sites-available/000-$(hostname -f).conf
#Redirect "/shibboleth" "/Shibboleth.sso/Metadata"
-
-
Reload Apache2 service to apply changes:
systemctl reload apache2.service
-
Now you are able to reach your Shibboleth SP Metadata from its entityID:
https://sp.example.org/shibboleth
or from its Metadata endpoint:
-
https://sp.example.org/Shibboleth.sso/Metadata
(Replace
sp.example.org
with your SP Full Qualified Domain Name)
-
Create the Apache2 configuration for the application:
-
sudo su -
-
vim /etc/apache2/conf-available/secure.conf
RedirectMatch ^/$ /secure <Location /secure> Authtype shibboleth ShibRequireSession On require valid-user </Location>
-
a2enconf secure
-
-
Create the "
secure
" application into the DocumentRoot:mkdir -p /var/www/html/$(hostname -f)/secure wget https://registry.idem.garr.it/idem-conf/shibboleth/SP3/secure/index.php.txt -O /var/www/html/$(hostname -f)/secure/index.php
-
Install needed packages and restart Apache2:
apt install libapache2-mod-php php systemctl restart apache2.service
The Attribute Map file is used by the Service Provider to recognize and support new attributes released by an Identity Provider
Enable attribute support by removing comment from the related content into /etc/shibboleth/attribute-map.xml
than restart shibd
service:
sudo systemctl restart shibd.service
Follow these steps IF AND ONLY IF your organization will join as a Partner or a Member into IDEM Federation
-
Register you SP on IDEM Entity Registry: (your entity has to be approved by an IDEM Federation Operator before become part of IDEM Test Federation):
- Go to
https://registry.idem.garr.it
, follow "Insert a New Service Provider into the IDEM Test Federation" and insert your SP metadata
- Go to
-
Configure the SP to retrieve the Federation Metadata:
-
IDEM MDX (recommended): https://mdx.idem.garr.it/
-
IDEM MDS (legacy):
-
Retrieve the IDEM GARR Federation Certificate needed to verify the signed metadata:
cd /etc/shibboleth/
curl https://md.idem.garr.it/certs/idem-signer-20241118.pem -o federation-cert.pem
- Check the validity:
-
cd /etc/shibboleth
-
openssl x509 -in federation-cert.pem -fingerprint -sha1 -noout
(sha1: 0E:21:81:8E:06:02:D1:D9:D1:CF:3D:4C:41:ED:5F:F3:43:70:16:79)
-
openssl x509 -in federation-cert.pem -fingerprint -md5 -noout
(md5: 73:B7:29:FA:7C:AE:5C:E7:58:1F:10:0B:FC:EE:DA:A9)
-
-
Edit
shibboleth2.xml
opportunely:-
vim /etc/shibboleth/shibboleth2.xml
<!-- If it is needed to manage the authentication on several IdPs install and configure the Shibboleth Embedded Discovery Service by following this HOWTO: https://u.garr.it/howtoshibeds --> <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.idem-test.garr.it/WAYF"> SAML2 </SSO> <!-- other things --> </Sessions> <MetadataProvider type="XML" url="http://md.idem.garr.it/metadata/idem-test-metadata-sha256.xml" backingFilePath="idem-test-metadata-sha256.xml" maxRefreshDelay="7200"> <MetadataFilter type="Signature" certificate="federation-cert.pem"/> <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /> </MetadataProvider>
-
-
-
-
Jump to Test
Follow these steps IF you need to connect one SP with only one IdP. It is useful for test purposes.
-
Edit
shibboleth2.xml
opportunely:-
vim /etc/shibboleth/shibboleth2.xml
<!-- If it is needed to manage the authentication on several IdPs install and configure the Shibboleth Embedded Discovery Service by following this HOWTO: https://url.garrlab.it/nakt7 --> <SSO entityID="https://idp.example.org/idp/shibboleth"> SAML2 </SSO> <!-- ... other things ... --> <MetadataProvider type="XML" validate="true" url="https://idp.example.org/idp/shibboleth" backingFilePath="idp-metadata.xml" maxRefreshDelay="7200" />
(Replace
entityID
with the IdP entityID andurl
with an URL where it can be downloaded its metadata)(
idp-metadata.xml
will be saved into/var/cache/shibboleth
)
-
-
Restart
shibd
andApache2
daemon:sudo systemctl restart shibd
sudo systemctl restart apache2
-
Jump to Test
Open the https://sp.example.org/secure
application into your web browser
(Replace sp.example.org
with your SP Full Qualified Domain Name)
-
Add a sessionHook for attribute checker:
sessionHook="/Shibboleth.sso/AttrChecker"
and themetadataAttributePrefix="Meta-"
toApplicationDefaults
:-
vim /etc/shibboleth/shibboleth2.xml
<ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn subject-id pairwise-id persistent-id" cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" sessionHook="/Shibboleth.sso/AttrChecker" metadataAttributePrefix="Meta-" >
-
-
Add the attribute checker handler with the list of required attributes to Sessions (in the example below:
displayName
,givenName
,mail
,cn
,sn
,eppn
,schacHomeOrganization
,schacHomeOrganizationType
). The attributes' names HAVE TO MATCH with those are defined onattribute-map.xml
:-
vim /etc/shibboleth/shibboleth2.xml
... <!-- Attribute Checker --> <Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html" attributes="displayName givenName mail cn sn eppn schacHomeOrganization schacHomeOrganizationType" flushSession="true"/> </Sessions>
If you want to describe more complex scenarios with required attributes, operators such as "AND" and "OR" are available.
<Handler type="AttributeChecker" Location="/AttrChecker" template="attrChecker.html" flushSession="true"> <OR> <Rule require="displayName"/> <AND> <Rule require="givenName"/> <Rule require="surname"/> </AND> </OR> </Handler>
-
-
Add the following
<AttributeExtractor>
element under<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
:-
vim /etc/shibboleth/shibboleth2.xml
<!-- Extracts support information for IdP from its metadata. --> <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName" InformationURL="informationURL" PrivacyStatementURL="privacyStatementURL" OrganizationURL="organizationURL"> <ContactPerson id="Technical-Contact" contactType="technical" formatter="$EmailAddress" /> <Logo id="Small-Logo" height="16" width="16" formatter="$_string"/> </AttributeExtractor>
-
-
Save and restart "shibd" service:
systemctl restart shibd.service
-
Customize Attribute Checker template:
cd /etc/shibboleth
cp attrChecker.html attrChecker.html.orig
wget https://raw.githubusercontent.com/CSCfi/shibboleth-attrchecker/master/attrChecker.html -O attrChecker.html
sed -i 's/SHIB_//g' /etc/shibboleth/attrChecker.html
sed -i 's/eduPersonPrincipalName/eppn/g' /etc/shibboleth/attrChecker.html
sed -i 's/Meta-Support-Contact/Meta-Technical-Contact/g' /etc/shibboleth/attrChecker.html
sed -i 's/supportContact/technicalContact/g' /etc/shibboleth/attrChecker.html
sed -i 's/support/technical/g' /etc/shibboleth/attrChecker.html
There are three locations needing modifications to do on
attrChecker.html
:-
The pixel tracking link after the comment "PixelTracking". The Image tag and all required attributes after the variable must be configured here. After "
miss=
" define all required attributes you updated inshibboleth2.xml
using shibboleth tagging.Eg
<shibmlpifnot $attribute>-$attribute</shibmlpifnot>
(this echoes $attribute if it's not received by shibboleth). The attributes' names HAVE TO MATCH with those are defined onattribute-map.xml
.This example uses "
-
" as a delimiter. -
The table showing missing attributes between the tags "
<!--TableStart-->
" and "<!--TableEnd-->
". You have to insert again all the same attributes as above.Define row for each required attribute (eg:
displayName
below)<tr <shibmlpifnot displayName> class='warning text-danger'</shibmlpifnot>> <td>displayName</td> <td><shibmlp displayName /></td> </tr>
-
The email template between the tags "<textarea>" and "</textarea>". After "The attributes that were not released to the service are:".
Again define all required attributes using shibboleth tagging like in section 1 ( eg:
<shibmlpifnot $attribute> * $attribute</shibmlpifnot>
). The attributes' names HAVE TO MATCH with those are defined onattribute-map.xml
. Note that for SP identifier target URL is used instead of entityID. There arent yet any tag for SP entityID so you can replace this target URL manually.
-
Enable Logging:
-
Create your
track.png
with into your DocumentRoot:echo "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8z8BQDwAEhQGAhKmMIQAAAABJRU5ErkJggg==" | base64 -d > /var/www/html/$(hostname -f)/track.png
-
Results into
/var/log/apache2/other_vhosts_access.log
:
./apache2/other_vhosts_access.log:193.206.129.66 - - [20/Sep/2018:15:05:07 +0000] "GET /track.png?idp=https://garr-idp-test.irccs.garr.it/idp/shibboleth&miss=-SHIB_givenName-SHIB_cn-SHIB_sn-SHIB_eppn-SHIB_schacHomeOrganization-SHIB_schacHomeOrganizationType HTTP/1.1" 404 637 "https://sp.example.org/Shibboleth.sso/AttrChecker?return=https%3A%2F%2Fsp.example.org%2FShibboleth.sso%2FSAML2%2FPOST%3Fhook%3D1%26target%3Dss%253Amem%253A43af2031f33c3f4b1d61019471537e5bc3fde8431992247b3b6fd93a14e9802d&target=https%3A%2F%2Fsp.example.org%2Fsecure%2F"
-
Shibboleth Documentation: https://wiki.shibboleth.net/confluence/display/SP3/LinuxSystemd
sudo mkdir /etc/systemd/system/shibd.service.d
echo -e '[Service]\nTimeoutStartSec=60min' | sudo tee /etc/systemd/system/shibd.service.d/timeout.conf
sudo systemctl daemon-reload
sudo systemctl restart shibd.service
-
Edit '
shibd
' init script:-
vim /etc/init.d/shibd
#...other lines... ### END INIT INFO # Import useful functions like 'status_of_proc' needed to 'status' . /lib/lsb/init-functions #...other lines... # Add 'status' operation status) status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2 exit 1 ;; esac exit 0
-
-
Create a new watchdog for '
shibd
':-
vim /etc/cron.hourly/watch-shibd.sh
#! /bin/bash SERVICE=/etc/init.d/shibd STOPPED_MESSAGE="failed" if [[ "`$SERVICE status`" == *"$STOPPED_MESSAGE"* ]]; then $SERVICE stop sleep 1 $SERVICE start fi
-
-
Reload daemon:
systemctl daemon-reload
- The Mozilla Observatory: The Mozilla Observatory has helped over 240,000 websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.
- Marco Malavolti ([email protected])
- eduGAIN Wiki: For the original How to configure Shibboleth SP attribute checker