Changes between Version 3 and Version 4 of Iam2023/Agenda/SP-Installation-VHosts

Timestamp:

Mar 30, 2023, 8:02:23 PM (20 months ago)

Author:

admin

Comment:

--

Iam2023/Agenda/SP-Installation-VHosts

@@ -268 +268 @@
 
 Now we should be able to enter above URLs on the browser to check whether they are working. You may get empty web pages since we haven't yet installed our web sites.
+
 
 
@@ -299 +300 @@
 sudo systemctl restart apache2
 
-nano lms-ssl.conf
+nano lms.YOUR-DOMAIN-ssl.conf
 
 <IfModule mod_ssl.c>
@@ -321 +322 @@
 </IfModule>
 
-a2ensite lms-ssl.conf
+a2ensite lms.YOUR-DOMAIN-ssl.conf
+
+Also create SSL site configuration file for Wordpress site too.
+
+nano wp.YOUR-DOMAIN-ssl.conf
+
+<IfModule mod_ssl.c>
+        <VirtualHost *:443>
+
+                ServerName wp.YOUR-DOMAIN
+                ServerAdmin you@YOUR-DOMAIN
+                DocumentRoot /var/www/wp.YOUR-DOMAIN/public_html
+
+                ErrorLog ${APACHE_LOG_DIR}/wp-error.log
+                CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
+        
+
+                SSLCertificateFile /etc/ssl/certs/ssl-lms.crt
+                SSLCertificateKeyFile /etc/ssl/private/ssl-lms.key
+
+                RewriteEngine on
+                RewriteCond %{SERVER_NAME} =wp.YOUR-DOMAIN
+                RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
+        </VirtualHost>
+</IfModule>
+
+a2ensite wp.YOUR-DOMAIN-ssl.conf
 
 10. Let'sencrypt setup (Skip this step if you already configured SSL with self signed or CA provided certificates)
@@ -372 +399 @@
 {{{
 ...
-<ApplicationDefaults entityID="https://sp.YOUR-DOMAIN/shibboleth"
+<ApplicationDefaults entityID="https://lms.YOUR-DOMAIN/shibboleth"
         REMOTE_USER="eppn subject-id pairwise-id persistent-id"
         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
@@ -395 +422 @@
 }}}
 
-13. Create SP metadata credentials:
+13. Create SP metadata credentials for both sites:
 {{{
 
     /usr/sbin/shib-keygen -n lms-signing -e https://lms.YOUR-DOMAIN/shibboleth
     /usr/sbin/shib-keygen -n lms-encrypt -e https://lms.YOUR-DOMAIN/shibboleth
+
+    /usr/sbin/shib-keygen -n wp-signing -e https://wp.YOUR-DOMAIN/shibboleth
+    /usr/sbin/shib-keygen -n wp-encrypt -e https://wp.YOUR-DOMAIN/shibboleth
+
     shibd -t /etc/shibboleth/shibboleth2.xml (Check Shibboleth configuration)
 
 }}}
+
+=== Enable Shibboleth on apache virtual hosts ===
+
+<IfModule mod_ssl.c>
+        <VirtualHost *:443>
+
+                ServerName lms.YOUR-DOMAIN
+                ServerAdmin you@YOUR-DOMAIN
+                DocumentRoot /var/www/lms.YOUR-DOMAIN/public_html
+
+                ErrorLog ${APACHE_LOG_DIR}/lms-error.log
+                CustomLog ${APACHE_LOG_DIR}/lms-access.log combined
+        
+
+                SSLCertificateFile /etc/ssl/certs/ssl-lms.crt
+                SSLCertificateKeyFile /etc/ssl/private/ssl-lms.key
+
+                <Location /moodle>
+                           #ShibRequestSetting applicationId mdl
+                </Location>
+
+                <Directory /var/www/html/moodle/auth/shibboleth/index.php>
+                            AuthType shibboleth
+                            #ShibRequestSetting applicationId mdl
+                            ShibRequireSession On
+                            require valid-user
+                </Directory>
+        </VirtualHost>
+</IfModule>
+
+nano wp.YOUR-DOMAIN-ssl.conf
+
+<IfModule mod_ssl.c>
+        <VirtualHost *:443>
+
+                ServerName wp.YOUR-DOMAIN
+                ServerAdmin you@YOUR-DOMAIN
+                DocumentRoot /var/www/wp.YOUR-DOMAIN/public_html
+
+                ErrorLog ${APACHE_LOG_DIR}/wp-error.log
+                CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
+        
+
+                SSLCertificateFile /etc/ssl/certs/ssl-lms.crt
+                SSLCertificateKeyFile /etc/ssl/private/ssl-lms.key
+
+                <Location />
+                           AuthType Shibboleth
+                           ShibRequestSetting requireSession false 
+                           Require shibboleth
+                </Location>
+                #Wordpress shibboleth plugin needs requireSession to be false
+        </VirtualHost>
+</IfModule>
 
 14. Enable Shibboleth Apache2 configuration:
@@ -411 +496 @@
 }}}
 
-15. Now you are able to reach your Shibboleth SP Metadata on:
-{{{
-https://sp.YOUR-DOMAIN/Shibboleth.sso/Metadata (change sp.YOUR-DOMAIN to you SP full qualified domain name)
-}}}
+15. We have now set up shibboleth SP for two different entities. They have to be registered with LIAF before using the Federation discovery Service to point different IDP's.
+
+Download the metadata from both applications by going to the following URL's. 
+{{{
+https://lms.YOUR-DOMAIN/Shibboleth.sso/Metadata 
+https://wp.YOUR-DOMAIN/Shibboleth.sso/Metadata 
+}}}
+
+Now register them with LIAF separately.
 
 16. Register your SP on LEARN test federation:
@@ -422 +512 @@
 You may have to answer several questions describing your service to the federation provider.
 
-== Configure Moodle as an Federated Resource ==
-
-Here as a prerequisite you need a working moodle installation at the path https://sp.YOUR-DOMAIN/moodle. For this please refer to the link [https://ws.learn.ac.lk/wiki/Csle2022/Agenda/databaseandweb here].
+== Enabling Wordpress plugin ==
+
+Install and activate the shibboleth plugin by Michael !McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris {{{ https://wordpress.org/plugins/shibboleth/ }}}
+
+Then go to '''Settings''' -> '''Shibboleth'''
+
+
+On General Tab:
+
+Login URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Login }}}
+
+Logout URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Logout }}}
+
+Attribute Access: Environment Variables
+
+
+On User Tab:
+
+Tick Automatically Create Accounts.
+Check the attribute map as well. If you ticked any attribute Manage tick, user will not be able to change the values once they logged in.
+
+
+On Authorization Tab:
+
+Select Subscriber as the Default Role.
+
+
+On Logging Tab:
+
+Enable all Logging.
+
+
+
+Click Save.
+
+
+== Enabling Moodle Plugin ==
+
+As Moodle admin, go to the '''Site administration''' >>> '''Plugins''' >>> '''Authentication''' and click on the '''Shibboleth''' enable '''eye'''. Next go to its settings.
+
+
+Fill in the fields of the form. 
+
+The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.
+
+Username: eppn
+
+Moodle WAYF service: No
+
+Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout
+
+Data mapping (First name): givenName
+
+Data mapping (Surname): surname
+
+Data mapping (Email address): mail
+
+Update local (Email address): On Creation
+
+Lock value (Email address): Locked
+
+
+Click Save.
+
+
+Now using a private browser, try to log in to both systems using your IDP test user.