Changes between Version 2 and Version 3 of Iam2023/Agenda/SP-Installation

Timestamp:

Mar 21, 2023, 12:31:13 PM (3 years ago)

Author:

admin

Comment:

--

Iam2023/Agenda/SP-Installation

@@ -144 +144 @@
 </VirtualHost>
 }}}
+
+Enable sp site by,
+{{{
+a2ensite sp
+}}}
+
+and reload Apache
+{{{
+systemctl reload apache2
+}}}
+
+Install Letsencypt and enable https
+{{{
+apt install certbot python3-certbot-apache
+certbot --apache
+}}}
+
+Go through the interactive prompt and include your server details. Make sure you select redirect option when asked.
+
+== Configure Shibboleth SP ==
+
+11. Download Federation Metadata Signing Certificate:
+{{{
+cd /etc/shibboleth/
+wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem
+}}}
+
+12. Edit shibboleth2.xml opportunely:
+
+{{{
+nano /etc/shibboleth/shibboleth2.xml
+}}}
+
+{{{
+...
+<ApplicationDefaults entityID="https://sp.YOUR-DOMAIN/shibboleth"
+        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
+        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
+...
+<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
+...
+<SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
+   SAML2
+</SSO>
+...
+<MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200">
+      
+      <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
+      
+      <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
+</MetadataProvider>
+<!-- Simple file-based resolvers for separate signing/encryption keys. -->
+<CredentialResolver type="File" use="signing"
+      key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+<CredentialResolver type="File" use="encryption"
+      key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
+}}}
+
+13. Create SP metadata credentials:
+{{{
+
+    /usr/sbin/shib-keygen -n sp-signing -e https://sp.YOUR-DOMAIN/shibboleth
+    /usr/sbin/shib-keygen -n sp-encrypt -e https://sp.YOUR-DOMAIN/shibboleth
+    shibd -t /etc/shibboleth/shibboleth2.xml (Check Shibboleth configuration)
+
+}}}
+
+14. Enable Shibboleth Apache2 configuration:
+{{{
+
+    a2enmod shib
+    systemctl reload apache2.service 
+}}}
+
+15. Now you are able to reach your Shibboleth SP Metadata on:
+{{{
+https://sp.YOUR-DOMAIN/Shibboleth.sso/Metadata (change sp.YOUR-DOMAIN to you SP full qualified domain name)
+}}}
+
+16. Register your SP on LEARN test federation:
+
+Go to https://liaf.ac.lk/#join and follow the Service provider registration. Once the federation operator approves your request, you will be asked to use the content of your metadata file on federation registry registration.
+
+You may have to answer several questions describing your service to the federation provider.
+
+== Configure Moodle as an Federated Resource ==
+
+Here as a prerequisite you need a working moodle installation at the path https://sp.YOUR-DOMAIN/moodle. For this please refer to the link [https://ws.learn.ac.lk/wiki/Csle2022/Agenda/databaseandweb, here].
+
+
+17. Create the Apache2 configuration for Moodle:
+
+{{{
+nano /etc/apache2/sites-available/moodle.conf
+}}}
+
+{{{
+<Location /moodle>
+        #ShibRequestSetting applicationId mdl
+</Location>
+
+<Directory /var/www/html/moodle/auth/shibboleth/index.php>
+        AuthType shibboleth
+        #ShibRequestSetting applicationId mdl
+        ShibRequireSession On
+        require valid-user
+</Directory>
+}}}
+
+18. Then enable the site and restart the apache and shibboleth daemon to make changes to effect.
+
+{{{
+a2ensite secure
+
+systemctl restart shibd
+
+systemctl restart apache2
+}}}
+
+Now you may browse to https://sp.YOUR-DOMAIN/moodle and select your IDP to log in.