= Shibboleth SPv3 Installation on Ubuntu 22.04 LTS =

Installation assumes you have already installed Ubuntu Server 22.04 with default configuration and has a public IP connectivity with DNS setup

Lets Assume your server hostname as sp.YOUR-DOMAIN

All commands are to be run as root and you may use sudo su to become root

1. Install the packages required:

{{{
apt update
apt install apache2 ca-certificates vim openssl binutils
}}}

2. Modify /etc/hosts

{{{
nano /etc/hosts
}}}
{{{
127.0.0.1 sp.YOUR-DOMAIN sp
}}}


== Install Shibboleth Service Provider ==

3. Install Shibboleth SP:

{{{
apt install libapache2-mod-shib ntp --no-install-recommends
}}}

From this point the location of the SP directory is: /etc/shibboleth

== Apache Configuration ==

Here we have to create SSL certificates and assign them to the virtual hosts created. We can create SSL certificates using three methods.
1. Generate a self-signed certificates (Steps 5 to 9)
2. Create certificates using Let's Encrypt free SSL service. (Steps 10 to )
3. Receiving certificates from a Commercial Certificate Authority.

As below you can use any of the above methods. Follow the steps as you prefer.

4. These configurations are based for test purposes with self generated ssl certificates. If you have purchased ssl certificate from a commercial CA substitute those with the self signed files. If you wish to get letsencrypt certificates Skip to Step 10.

5. Create a Certificate and a Key self-signed for HTTPS:

{{{
    openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-sp.key -out /etc/ssl/certs/ssl-sp.crt -nodes -days 1095
}}}

6. Modify the file /etc/apache2/sites-available/sp-ssl.conf as follows:

{{{
<IfModule mod_ssl.c>
   <VirtualHost *:443>

       ServerName sp.YOUR-DOMAIN

       ServerAdmin webmaster@localhost
       DocumentRoot /var/www/html

       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined

     SSLCertificateFile /etc/ssl/certs/ssl-sp.crt
     SSLCertificateKeyFile /etc/ssl/private/ssl-sp.key
     </VirtualHost>
</IfModule>
}}}

7. Enable proxy_http, SSL and headers Apache2 modules:

{{{

    a2enmod proxy_http ssl headers alias include negotiation
    a2ensite sp-ssl.conf
    systemctl restart apache2
}}}

8. Configure Apache2 to open port 80 only for localhost:

{{{
nano /etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 127.0.0.1:80

<IfModule ssl_module>
  Listen 443
</IfModule>

<IfModule mod_gnutls.c>
  Listen 443
</IfModule>
}}}

9. Configure Apache2 to redirect all on HTTPS:

{{{
nano /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
   ServerName "sp.YOUR-DOMAIN"
   Redirect permanent "/" "https://sp.YOUR-DOMAIN/"
   RedirectMatch permanent ^/(.*)$ https://sp.YOUR-DOMAIN/$1
</VirtualHost>
}}}

10. Let'sencrypt setup (Skip this step if you already configured SSL with self signed or CA provided certificates)

Disable the default configuration

{{{

    cd /etc/apache2/sites-available/
    a2dissite 000-default.conf
    systemctl reload apache2

}}}

Create a new conf file as sp.conf

cp 000-default.conf sp.conf

Edit sp.conf with following

{{{
nano sp.conf

<VirtualHost *:80>
 
        ServerName sp.YOUR-DOMAIN
        ServerAdmin YOUR-Email
        DocumentRoot /var/www/html
        
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
}}}