wiki:SamlSP2021/Agenda/WebappsSso

Configuring Shibboleth SP on Single server Multi virtual host environment

This will guide you through installing Shibboleth Service Provider setup on Ubuntu 20.04 LTS server with Apache2 running as the web server. We will also look into configuring multiple apache virtual hosts and configuring them for SSO login of two different web apps; Wordpress and Moodle.

Requirements

  • Linux Server running Ubuntu 20.04 LTS
  • Apache installed with two different virtual hosts.
  • SSL/ HTTPS Certificates issued ( May be using Letsencrypt or Otherwise)
  • Installed Wordpress and Moodle latest editions on above created virtual hosts.
  • sudo access to the server. All following commands have to be entered as the root user. Best way to do it is, by login in as root with sudo su

Apache Config recap

Wordpress Apache Config

http config: /etc/apache2/sites-enabled/wp.conf 

<VirtualHost *:80>

	ServerName wp.Your-Domain
	ServerAdmin you@yourwebsite.com
	DocumentRoot /var/www/html #Location of Wordpress installation

	ErrorLog ${APACHE_LOG_DIR}/wp-error.log
	CustomLog ${APACHE_LOG_DIR}/wp-access.log combined

	
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =wp.Your-Domain
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
</VirtualHost>

https config: /etc/apache2/sites-enabled/wp-le-ssl.conf 

<IfModule mod_ssl.c>
<VirtualHost *:443>
	
	ServerName wp.Your-Domain
	ServerAdmin you@yourwebsite.com
	DocumentRoot /var/www/html #Location of Wordpress installation

	ErrorLog ${APACHE_LOG_DIR}/wp-error.log
	CustomLog ${APACHE_LOG_DIR}/wp-access.log combined

        #SSL Certificates issued by letsencrypt
        SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Moodle Apache Config

http config: /etc/apache2/sites-enabled/mdl.conf 

<VirtualHost *:80>

	ServerName mdl.Your-Domain
	ServerAdmin you@yourwebsite.com
	DocumentRoot /var/www/mdl #Location of Moodle installation

	ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
	CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined

	
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =mdl.Your-Domain
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
</VirtualHost>

https config: /etc/apache2/sites-enabled/mdl-le-ssl.conf 

<IfModule mod_ssl.c>
<VirtualHost *:443>
	
	ServerName mdl.Your-Domain
	ServerAdmin you@yourwebsite.com
	DocumentRoot /var/www/mdl #Location of Moodle installation

	ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
	CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined

        #SSL Certificates issued by letsencrypt
        SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Shibboleth SP Installation

Install needed packages:

apt install libapache2-mod-shib ntp --no-install-recommends

Shibboleth SP Configuration

Both of these web apps will be connected to LIAF, therefore, download Federation Metadata Signing Certificate: 

    cd /etc/shibboleth/
    wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem

Edit shibboleth2.xml opportunely: vim /etc/shibboleth/shibboleth2.xml 

. . .

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://wp.Your-Domain/shibboleth"
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

. . .

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

. . .

            <SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
              SAML2
            </SSO>

. . .

        <Errors supportContact="you@you-domain"
             helpLocation="/about-this-service.html"
             styleSheet="/shibboleth-sp/main.css"/>

. . .

        <MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" reloadInterval="600">

                <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>

                <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
        </MetadataProvider>

. . .

        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
        <CredentialResolver type="File" use="signing"
            key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/>

        <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
                <CredentialResolver type="File" use="signing"
                        key="mdl-signing-key.pem" certificate="mdl-signing-cert.pem"/>
                <CredentialResolver type="File" use="encryption"
                        key="mdl-encrypt-key.pem" certificate="mdl-encrypt-cert.pem"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

Above snippet defines two service providers for shibboleth under two different entity id's.

Default application as entityID="https://wp.Your-Domain/shibboleth" and the second as an override with id mdl <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">

Both entities will have common features like metadata providers, attribute maps. But they will have two different certificate sets.

Now lets create those certificate pairs.

  • /usr/sbin/shib-keygen -n wp-signing -e https://wp.YOUR-DOMAIN/shibboleth
  • /usr/sbin/shib-keygen -n wp-encrypt -e https://wp.YOUR-DOMAIN/shibboleth
  • /usr/sbin/shib-keygen -n mdl-signing -e https://mdl.YOUR-DOMAIN/shibboleth
  • /usr/sbin/shib-keygen -n mdl-encrypt -e https://mdl.YOUR-DOMAIN/shibboleth

Activate required attributes from the /etc/shibboleth/attribute-map.xml For the example, lets uncomment all, but make sure you didnt messed with the file.

Then check the shibboleth configuration for errors by,

shibd -t /etc/shibboleth/shibboleth2.xml

Enable Shibboleth on apache virtual hosts

Edit wordpress virtual host as follows:

config file: /etc/apache2/sites-enabled/wp-le-ssl.conf 

<IfModule mod_ssl.c>
<VirtualHost *:443>
	
	ServerName wp.Your-Domain
	ServerAdmin you@yourwebsite.com
	DocumentRoot /var/www/html #Location of Wordpress installation

	ErrorLog ${APACHE_LOG_DIR}/wp-error.log
	CustomLog ${APACHE_LOG_DIR}/wp-access.log combined

        #SSL Certificates issued by letsencrypt
        SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        <Location />
           AuthType Shibboleth
           ShibRequestSetting requireSession false 
           Require shibboleth
        </Location>
        #Wordpress shibboleth plugin needs requireSession to be false

</VirtualHost>
</IfModule>

Edit Moodle virtual host as follows:

config file: /etc/apache2/sites-enabled/mdl-le-ssl.conf 

<IfModule mod_ssl.c>
<VirtualHost *:443>
	
	ServerName mdl.Your-Domain
	ServerAdmin you@yourwebsite.com
	DocumentRoot /var/www/mdl #Location of Moodle installation

	ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
	CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined

        #SSL Certificates issued by letsencrypt
        SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        <Location />
             ShibRequestSetting applicationId mdl  
        </Location>
        #Defining shibboleth application override

        <Directory /var/www/mdl/auth/shibboleth/index.php> 
             AuthType shibboleth
             ShibRequestSetting applicationId mdl
             ShibRequireSession On
             require valid-user
        </Directory>
        #Double Check Moodle installation path

</VirtualHost>
</IfModule>

Next, enable apache shibboleth module and restart apache.

Error: Failed to load processor bash
No macro or processor named 'bash' found

Register both services with LIAF

We have now set up shibboleth SP for two different entities. They have to be registered with LIAF before using the Federation discovery Service to point different IDP's.

Download the metadata from both applications by going to the following URL's.

  • https://wp.YOUR-DOMAIN/Shibboleth.sso/Metadata
  • https://mdl.YOUR-DOMAIN/Shibboleth.sso/Metadata

Now register them with LIAF separately.

Enabling Wordpress plugin

Install and activate the shibboleth plugin by Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris https://wordpress.org/plugins/shibboleth/

Then go to Settings -> Shibboleth

On General Tab:

Login URL: https://wp.YOUR-DOMAIN/Shibboleth.sso/Login

Logout URL: https://wp.YOUR-DOMAIN/Shibboleth.sso/Logout

Attribute Access: Environment Variables

On User Tab:

Tick Automatically Create Accounts. Check the attribute map as well. If you ticked any attribute Manage tick, user will not be able to change the values once they logged in.

On Authorization Tab:

Select Subscriber as the Default Role.

On Logging Tab:

Enable all Logging.

Click Save.

Enabling Moodle Plugin

As Moodle admin, go to the Site administration >>> Plugins >>> Authentication and click on the Shibboleth enable eye. Next go to its settings.

Fill in the fields of the form.

The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.

Username: eppn

Moodle WAYF service: No

Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout

Data mapping (First name): givenName

Data mapping (Surname): surname

Data mapping (Email address): mail

Update local (Email address): On Creation

Lock value (Email address): Locked

Click Save.

  • Adjust attribute-map .xml as 
        <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:mace:dir:attribute-def:email" id="email"/>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="email"/>
  • Adjust attribute-policy.xml as 
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

After, restart shibd and apache2

Now using a private browser, try to log in to both systems using your IDP test user.

Last modified 3 months ago Last modified on Sep 1, 2024, 8:01:36 PM
Note: See TracWiki for help on using the wiki.