Context Navigation

SP-Installation-VHosts

Timestamp:: Mar 30, 2023, 11:57:18 PM (20 months ago)
Author:: admin
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

Iam2023/Agenda/SP-Installation-VHosts

-              v4
+              v5
 In this lab we are going to enable shibboleth login for Moodle and Wordpress web applications. Installation assumes you have already installed Ubuntu Server 22.04 with default configuration and has a public IP connectivity.
+Here we will install applications under below sub domains.
+Moodle => lms.YOUR-DOMAIN
+Wordpress => wp.YOUR-DOMAIN
 == Install Apache Web Server ==
 …
 [[Image(https://ws.learn.ac.lk/raw-attachment/wiki/Csle2022/Agenda/databaseandweb/web30.png)]]
+Now as below edit the hosts file and add you domains with the IP address of your guest VM.
+[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/Csle2022/Agenda/databaseandweb/web31.png)]]
+Now edit the hosts file.
+[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/Iam2023/Agenda/SP-Installation-VHosts/web31.png)]]
+Add the below entries to the end of the file. IP is your SP virtual machine public IP given for the lab.
+.248.6.X wp.YOUR-DOMAIN
+.248.6.X lms.YOUR-DOMAIN
 == Add domains to the hosts file in Linux ==
 …
 For Moodle,
+{{{
 sudo mkdir -p /var/www/lms.YOUR-DOMAIN/public_html
+}}}
 For Wordpress,
+{{{
 sudo mkdir -p /var/www/wp.YOUR-DOMAIN/public_html
+}}}
 Then add relevant apache configuration file for Moodle as below.
 …
 }}}
+{{{
 <VirtualHost *:80>
     ServerName wp.YOUR-DOMAIN
 …
     CustomLog ${APACHE_LOG_DIR}/wp.YOUR-DOMAIN-access.log combined
 </VirtualHost>
+}}}
 Once we do the configurations we have to enable the created sites as below,
 …
 Now we should be able to enter above URLs on the browser to check whether they are working. You may get empty web pages since we haven't yet installed our web sites.
+== Securing Web Sites ==
 Here we have to create SSL certificates and assign them to the virtual hosts created. We can create SSL certificates using three methods.
 . Generate a self-signed certificates (Steps 5 to 9)
 . Create certificates using Let's Encrypt free SSL service. (Steps 10 to )
+. Generate a self-signed certificates
+. Create certificates using Let's Encrypt free SSL service.
 . Receiving certificates from a Commercial Certificate Authority.
+As below you can use any of the above methods. Follow the steps as you prefer.
+Here we will the method 1 and generate self-signed certificates for the domains.
+To generate self signed certificates for the Moodle LMS enter below command.
+{{{
 openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-lms.key -out /etc/ssl/certs/ssl-lms.crt -nodes -days 1095
+}}}
+Here you will be prompted for some domain related informations and enter them as appropriately.
+{{{
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 …
 Common Name (e.g. server FQDN or YOUR name) []:lms.dhammikalalantha.com
 Email Address []:lalantha@learn.ac.lk
+}}}
+After generating certificates you have to enable ssl module and restart apache.
+{{{
 sudo a2enmod ssl
 sudo systemctl restart apache2
+}}}
+Since we have now SSL certificates we will use them to enable SSL on our created web sites/domains.
+Go to the directory below and create the SSL configuration file,
+{{{
+cd /etc/apache2/sites-available
 nano lms.YOUR-DOMAIN-ssl.conf
+}}}
+{{{
 <IfModule mod_ssl.c>
         <VirtualHost *:443>
 …
                 CustomLog ${APACHE_LOG_DIR}/lms-access.log combined
                 SSLCertificateFile /etc/ssl/certs/ssl-lms.crt
                 SSLCertificateKeyFile /etc/ssl/private/ssl-lms.key
-                RewriteEngine on
-                RewriteCond %{SERVER_NAME} =lms.YOUR-DOMAIN
-                 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
         </VirtualHost>
 </IfModule>
+}}}
+Then to enable the site
+{{{
 a2ensite lms.YOUR-DOMAIN-ssl.conf
+}}}
 Also create SSL site configuration file for Wordpress site too.
+{{{
 nano wp.YOUR-DOMAIN-ssl.conf
+}}}
+{{{
 <IfModule mod_ssl.c>
         <VirtualHost *:443>
 …
                 CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
                 SSLCertificateFile /etc/ssl/certs/ssl-lms.crt
                 SSLCertificateKeyFile /etc/ssl/private/ssl-lms.key
-                RewriteEngine on
-                RewriteCond %{SERVER_NAME} =wp.YOUR-DOMAIN
-                RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
         </VirtualHost>
 </IfModule>
+}}}
+Enable SSL site,
+{{{
 a2ensite wp.YOUR-DOMAIN-ssl.conf
+. Let'sencrypt setup (Skip this step if you already configured SSL with self signed or CA provided certificates)
+Install Letsencypt and enable https
+{{{
+apt install certbot python3-certbot-apache
+certbot --apache
+}}}
+Go through the interactive prompt and include your server details. Make sure you select redirect option when asked.
+Let's forward http traffic to https
+        RewriteEngine on
+        RewriteCond %{SERVER_NAME} =lms.YOUR-DOMAIN
+        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
+Then enable the Apache rewrite module.
+sudo a2enmod rewrite
+}}}
+Now check whether you can browse the SSL sites in your web browser
+https://lms.YOUR-DOMAIN/
+https://wp.YOUR-DOMAIN/
 == Install Shibboleth Service Provider ==
+. Install Shibboleth SP:
+Now we will install Shibboleth SP software.
 {{{
 …
 }}}
 From this point the location of the SP directory is: /etc/shibboleth
+SP configuration directory should be created at /etc/shibboleth
 == Configure Shibboleth SP ==
 . Download Federation Metadata Signing Certificate:
+Now we need to download Federation Metadata Signing Certificate:
 {{{
 cd /etc/shibboleth/
 …
 }}}
+. Edit shibboleth2.xml opportunely:
+Edit shibboleth2.xml opportunely. Make sure to change fields entityID, discoveryURL
 {{{
 …
 }}}
+{{{
+...
+<ApplicationDefaults entityID="https://lms.YOUR-DOMAIN/shibboleth"
+Do the modifications as described below.
+Change the ApplicationDefaults tag to your domain name.
+{{{
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://lms.YOUR-DOMAIN/shibboleth"
         REMOTE_USER="eppn subject-id pairwise-id persistent-id"
         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+...
+<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
+...
+<SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
+   SAML2
+</SSO>
+...
+<MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200">
+      <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
+      <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
+</MetadataProvider>
+<!-- Simple file-based resolvers for separate signing/encryption keys. -->
+<CredentialResolver type="File" use="signing"
+      key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+<CredentialResolver type="File" use="encryption"
+      key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+}}}
+. Create SP metadata credentials for both sites:
+}}}
+Modify the SSO tag as below.
+{{{
+            <SSO  discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
+              SAML2
+            </SSO>
+}}}
+Change the MetadataProvider section as well.
+{{{
+        <MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay>
+                <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
+                <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
+        </MetadataProvider>
+}}}
+Change the key and certificate fields as given. We will later generate these keys and certificates.
+{{{
+        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
+        <CredentialResolver type="File" use="signing"
+            key="lms-signing-key.pem" certificate="lms-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem"/>
+}}}
+Add below section just before the </ApplicationDefaults> tag.
+{{{
+        <ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth">
+                <CredentialResolver type="File" use="signing"
+                        key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/>
+                <CredentialResolver type="File" use="encryption"
+                        key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/>
+        </ApplicationOverride>
+}}}
+Create SP metadata credentials for both sites:
 {{{
 …
     /usr/sbin/shib-keygen -n wp-encrypt -e https://wp.YOUR-DOMAIN/shibboleth
+    shibd -t /etc/shibboleth/shibboleth2.xml (Check Shibboleth configuration)
+}}}
+Now check the shibboleth configuration,
+{{{
+shibd -t /etc/shibboleth/shibboleth2.xml
 }}}
 === Enable Shibboleth on apache virtual hosts ===
+Now to enable shibboleth login of our install applications we need to modify the relevant configurations files as below.
+First for the Moodle application.
+{{{
+cd /etc/apache2/sites-available
+nano lms.YOUR-DOMAIN-ssl.conf
+}}}
+{{{
 <IfModule mod_ssl.c>
         <VirtualHost *:443>
 …
         </VirtualHost>
 </IfModule>
+}}}
+Then change the Wordpress configuration file.
+{{{
 nano wp.YOUR-DOMAIN-ssl.conf
+}}}
+{{{
 <IfModule mod_ssl.c>
         <VirtualHost *:443>
 …
         </VirtualHost>
 </IfModule>
+. Enable Shibboleth Apache2 configuration:
+{{{
+}}}
+Then enable Shibboleth Apache2 configuration:
+{{{
     a2enmod shib
     systemctl reload apache2.service
 }}}
+. We have now set up shibboleth SP for two different entities. They have to be registered with LIAF before using the Federation discovery Service to point different IDP's.
+== Register both services with LIAF ==
+We have now set up shibboleth SP for two different entities. They have to be registered with LIAF before using the Federation discovery Service to point different IDP's.
 Download the metadata from both applications by going to the following URL's.
 …
 Now register them with LIAF separately.
-. Register your SP on LEARN test federation:
 Go to https://liaf.ac.lk/#join and follow the Service provider registration. Once the federation operator approves your request, you will be asked to use the content of your metadata file on federation registry registration.
 You may have to answer several questions describing your service to the federation provider.
+Once you registered successfully you have enable the Shibboleth support in the application itself. For that Moodle and Wordpress has pluggins to be enabled and configured.
+== Enabling Moodle Plugin ==
+As Moodle admin, go to the '''Site administration''' >>> '''Plugins''' >>> '''Authentication''' and click on the '''Shibboleth''' enable '''eye'''. Next go to its settings.
+Fill in the fields of the form.
+The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.
+Username: eppn
+Moodle WAYF service: No
+Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout
+Data mapping (First name): givenName
+Data mapping (Surname): surname
+Data mapping (Email address): mail
+Update local (Email address): On Creation
+Lock value (Email address): Locked
+Click Save.
 == Enabling Wordpress plugin ==
 …
 Click Save.
+== Enabling Moodle Plugin ==
+As Moodle admin, go to the '''Site administration''' >>> '''Plugins''' >>> '''Authentication''' and click on the '''Shibboleth''' enable '''eye'''. Next go to its settings.
+Fill in the fields of the form.
+The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.
+Username: eppn
+Moodle WAYF service: No
+Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout
+Data mapping (First name): givenName
+Data mapping (Surname): surname
+Data mapping (Email address): mail
+Update local (Email address): On Creation
+Lock value (Email address): Locked
+Click Save.
+Now using a private browser, try to log in to both systems using your IDP test user.
+. Create the Apache2 configuration for Moodle:
+{{{
+nano /etc/apache2/sites-available/moodle.conf
+}}}
+{{{
+<Location /moodle>
+        #ShibRequestSetting applicationId mdl
+</Location>
+<Directory /var/www/html/moodle/auth/shibboleth/index.php>
+        AuthType shibboleth
+        #ShibRequestSetting applicationId mdl
+        ShibRequireSession On
+        require valid-user
+</Directory>
+}}}
+. Then enable the site and restart the apache and shibboleth daemon to make changes to effect.
+{{{
+a2ensite mooodle
+systemctl restart shibd
+systemctl restart apache2
+}}}
+Now you may browse to https://sp.YOUR-DOMAIN/moodle and select your IDP to log in.
+Now you may browse to https://sp.YOUR-DOMAIN/ and select your preferred IDP to log in.