wiki:Iam2023/Agenda/SP-Installation

Version 3 (modified by admin, 20 months ago) ( diff )

--

Shibboleth SPv3 Installation on Ubuntu 22.04 LTS

Installation assumes you have already installed Ubuntu Server 22.04 with default configuration and has a public IP connectivity with DNS setup

Lets Assume your server hostname as sp.YOUR-DOMAIN

All commands are to be run as root and you may use sudo su to become root

  1. Install the packages required: 
apt update
apt install apache2 ca-certificates vim openssl binutils
  1. Modify /etc/hosts 
nano /etc/hosts

127.0.0.1 sp.YOUR-DOMAIN sp

Install Shibboleth Service Provider

  1. Install Shibboleth SP: 
apt install libapache2-mod-shib ntp --no-install-recommends

From this point the location of the SP directory is: /etc/shibboleth

Apache Configuration

Here we have to create SSL certificates and assign them to the virtual hosts created. We can create SSL certificates using three methods.

  1. Generate a self-signed certificates (Steps 5 to 9)
  2. Create certificates using Let's Encrypt free SSL service. (Steps 10 to )
  3. Receiving certificates from a Commercial Certificate Authority.

As below you can use any of the above methods. Follow the steps as you prefer.

  1. These configurations are based for test purposes with self generated ssl certificates. If you have purchased ssl certificate from a commercial CA substitute those with the self signed files. If you wish to get letsencrypt certificates Skip to Step 10.
  1. Create a Certificate and a Key self-signed for HTTPS: 
    openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-sp.key -out /etc/ssl/certs/ssl-sp.crt -nodes -days 1095
  1. Modify the file /etc/apache2/sites-available/sp-ssl.conf as follows: 
<IfModule mod_ssl.c>
   <VirtualHost *:443>

       ServerName sp.YOUR-DOMAIN

       ServerAdmin webmaster@localhost
       DocumentRoot /var/www/html

       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined

     SSLCertificateFile /etc/ssl/certs/ssl-sp.crt
     SSLCertificateKeyFile /etc/ssl/private/ssl-sp.key
     </VirtualHost>
</IfModule>
  1. Enable proxy_http, SSL and headers Apache2 modules: 
    a2enmod proxy_http ssl headers alias include negotiation
    a2ensite sp-ssl.conf
    systemctl restart apache2
  1. Configure Apache2 to open port 80 only for localhost: 
nano /etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 127.0.0.1:80

<IfModule ssl_module>
  Listen 443
</IfModule>

<IfModule mod_gnutls.c>
  Listen 443
</IfModule>
  1. Configure Apache2 to redirect all on HTTPS: 
nano /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
   ServerName "sp.YOUR-DOMAIN"
   Redirect permanent "/" "https://sp.YOUR-DOMAIN/"
   RedirectMatch permanent ^/(.*)$ https://sp.YOUR-DOMAIN/$1
</VirtualHost>
  1. Let'sencrypt setup (Skip this step if you already configured SSL with self signed or CA provided certificates)

Disable the default configuration 

    cd /etc/apache2/sites-available/
    a2dissite 000-default.conf
    systemctl reload apache2

Create a new conf file as sp.conf

cp 000-default.conf sp.conf

Edit sp.conf with following 

nano sp.conf

<VirtualHost *:80>
 
        ServerName sp.YOUR-DOMAIN
        ServerAdmin YOUR-Email
        DocumentRoot /var/www/html
        
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Enable sp site by, 

a2ensite sp

and reload Apache 

systemctl reload apache2

Install Letsencypt and enable https 

apt install certbot python3-certbot-apache
certbot --apache

Go through the interactive prompt and include your server details. Make sure you select redirect option when asked.

Configure Shibboleth SP

  1. Download Federation Metadata Signing Certificate: 
    cd /etc/shibboleth/
wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem
  1. Edit shibboleth2.xml opportunely: 
nano /etc/shibboleth/shibboleth2.xml

...
<ApplicationDefaults entityID="https://sp.YOUR-DOMAIN/shibboleth"
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
...
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">
...
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
   SAML2
</SSO>
...
<MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200">
      
      <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
      
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
</MetadataProvider>
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
<CredentialResolver type="File" use="signing"
      key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption"
      key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  1. Create SP metadata credentials: 
        /usr/sbin/shib-keygen -n sp-signing -e https://sp.YOUR-DOMAIN/shibboleth
    /usr/sbin/shib-keygen -n sp-encrypt -e https://sp.YOUR-DOMAIN/shibboleth
    shibd -t /etc/shibboleth/shibboleth2.xml (Check Shibboleth configuration)
  1. Enable Shibboleth Apache2 configuration: 
        a2enmod shib
    systemctl reload apache2.service
  1. Now you are able to reach your Shibboleth SP Metadata on: 
    https://sp.YOUR-DOMAIN/Shibboleth.sso/Metadata (change sp.YOUR-DOMAIN to you SP full qualified domain name)
  1. Register your SP on LEARN test federation:

Go to https://liaf.ac.lk/#join and follow the Service provider registration. Once the federation operator approves your request, you will be asked to use the content of your metadata file on federation registry registration.

You may have to answer several questions describing your service to the federation provider.

Configure Moodle as an Federated Resource

Here as a prerequisite you need a working moodle installation at the path https://sp.YOUR-DOMAIN/moodle. For this please refer to the link here.

  1. Create the Apache2 configuration for Moodle: 
nano /etc/apache2/sites-available/moodle.conf

<Location /moodle>
        #ShibRequestSetting applicationId mdl
</Location>

<Directory /var/www/html/moodle/auth/shibboleth/index.php>
        AuthType shibboleth
        #ShibRequestSetting applicationId mdl
        ShibRequireSession On
        require valid-user
</Directory>
  1. Then enable the site and restart the apache and shibboleth daemon to make changes to effect. 
a2ensite secure

systemctl restart shibd

systemctl restart apache2

Now you may browse to https://sp.YOUR-DOMAIN/moodle and select your IDP to log in.

Note: See TracWiki for help on using the wiki.