Configuring Shibboleth SP on Single server Multi virtual host environment
This will guide you through installing Shibboleth Service Provider setup on Ubuntu 20.04 LTS server with Apache2 running as the web server. We will also look into configuring multiple apache virtual hosts and configuring them for SSO login of two different web apps; Wordpress and Moodle.
Requirements
- Linux Server running Ubuntu 20.04 LTS
- Apache installed with two different virtual hosts.
- SSL/ HTTPS Certificates issued ( May be using Letsencrypt or Otherwise)
- Installed Wordpress and Moodle latest editions on above created virtual hosts.
- sudo access to the server. All following commands have to be entered as the root user. Best way to do it is, by login in as root with
sudo su
Apache Config recap
Wordpress Apache Config
http config: /etc/apache2/sites-enabled/wp.conf
<VirtualHost *:80>
ServerName wp.Your-Domain
ServerAdmin you@yourwebsite.com
DocumentRoot /var/www/html #Location of Wordpress installation
ErrorLog ${APACHE_LOG_DIR}/wp-error.log
CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =wp.Your-Domain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
</VirtualHost>
https config: /etc/apache2/sites-enabled/wp-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName wp.Your-Domain
ServerAdmin you@yourwebsite.com
DocumentRoot /var/www/html #Location of Wordpress installation
ErrorLog ${APACHE_LOG_DIR}/wp-error.log
CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
#SSL Certificates issued by letsencrypt
SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Moodle Apache Config
http config: /etc/apache2/sites-enabled/mdl.conf
<VirtualHost *:80>
ServerName mdl.Your-Domain
ServerAdmin you@yourwebsite.com
DocumentRoot /var/www/mdl #Location of Moodle installation
ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =mdl.Your-Domain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection
</VirtualHost>
https config: /etc/apache2/sites-enabled/mdl-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mdl.Your-Domain
ServerAdmin you@yourwebsite.com
DocumentRoot /var/www/mdl #Location of Moodle installation
ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
#SSL Certificates issued by letsencrypt
SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Shibboleth SP Installation
Install needed packages:
apt install libapache2-mod-shib ntp --no-install-recommends
Shibboleth SP Configuration
Both of these web apps will be connected to LIAF, therefore, download Federation Metadata Signing Certificate:
cd /etc/shibboleth/
wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem
Edit shibboleth2.xml opportunely: vim /etc/shibboleth/shibboleth2.xml
. . .
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://wp.Your-Domain/shibboleth"
REMOTE_USER="eppn subject-id pairwise-id persistent-id"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
. . .
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
. . .
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
SAML2
</SSO>
. . .
<Errors supportContact="you@you-domain"
helpLocation="/about-this-service.html"
styleSheet="/shibboleth-sp/main.css"/>
. . .
<MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" reloadInterval="600">
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
</MetadataProvider>
. . .
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
<CredentialResolver type="File" use="signing"
key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption"
key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/>
<ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
<CredentialResolver type="File" use="signing"
key="mdl-signing-key.pem" certificate="mdl-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption"
key="mdl-encrypt-key.pem" certificate="mdl-encrypt-cert.pem"/>
</ApplicationOverride>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
Above snippet defines two service providers for shibboleth under two different entity id's.
Default application as entityID="https://wp.Your-Domain/shibboleth" and the second as an override with id mdl <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
Both entities will have common features like metadata providers, attribute maps. But they will have two different certificate sets.
Now lets create those certificate pairs.
/usr/sbin/shib-keygen -n wp-signing -e https://wp.YOUR-DOMAIN/shibboleth/usr/sbin/shib-keygen -n wp-encrypt -e https://wp.YOUR-DOMAIN/shibboleth/usr/sbin/shib-keygen -n mdl-signing -e https://mdl.YOUR-DOMAIN/shibboleth/usr/sbin/shib-keygen -n mdl-encrypt -e https://mdl.YOUR-DOMAIN/shibboleth
Activate required attributes from the /etc/shibboleth/attribute-map.xml For the example, lets uncomment all, but make sure you didnt messed with the file.
Then check the shibboleth configuration for errors by,
shibd -t /etc/shibboleth/shibboleth2.xml
Enable Shibboleth on apache virtual hosts
Edit wordpress virtual host as follows:
config file: /etc/apache2/sites-enabled/wp-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName wp.Your-Domain
ServerAdmin you@yourwebsite.com
DocumentRoot /var/www/html #Location of Wordpress installation
ErrorLog ${APACHE_LOG_DIR}/wp-error.log
CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
#SSL Certificates issued by letsencrypt
SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
<Location />
AuthType Shibboleth
ShibRequestSetting requireSession false
Require shibboleth
</Location>
#Wordpress shibboleth plugin needs requireSession to be false
</VirtualHost>
</IfModule>
Edit Moodle virtual host as follows:
config file: /etc/apache2/sites-enabled/mdl-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mdl.Your-Domain
ServerAdmin you@yourwebsite.com
DocumentRoot /var/www/mdl #Location of Moodle installation
ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
#SSL Certificates issued by letsencrypt
SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
<Location />
ShibRequestSetting applicationId mdl
</Location>
#Defining shibboleth application override
<Directory /var/www/mdl/auth/shibboleth/index.php>
AuthType shibboleth
ShibRequestSetting applicationId mdl
ShibRequireSession On
require valid-user
</Directory>
#Double Check Moodle installation path
</VirtualHost>
</IfModule>
Next, enable apache shibboleth module and restart apache.
Register both services with LIAF
We have now set up shibboleth SP for two different entities. They have to be registered with LIAF before using the Federation discovery Service to point different IDP's.
Download the metadata from both applications by going to the following URL's.
https://wp.YOUR-DOMAIN/Shibboleth.sso/Metadatahttps://mdl.YOUR-DOMAIN/Shibboleth.sso/Metadata
Now register them with LIAF separately.
Enabling Wordpress plugin
Install and activate the shibboleth plugin by Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris https://wordpress.org/plugins/shibboleth/
Then go to Settings -> Shibboleth
On General Tab:
Login URL: https://wp.YOUR-DOMAIN/Shibboleth.sso/Login
Logout URL: https://wp.YOUR-DOMAIN/Shibboleth.sso/Logout
Attribute Access: Environment Variables
On User Tab:
Tick Automatically Create Accounts. Check the attribute map as well. If you ticked any attribute Manage tick, user will not be able to change the values once they logged in.
On Authorization Tab:
Select Subscriber as the Default Role.
On Logging Tab:
Enable all Logging.
Click Save.
Enabling Moodle Plugin
As Moodle admin, go to the Site administration >>> Plugins >>> Authentication and click on the Shibboleth enable eye. Next go to its settings.
Fill in the fields of the form.
The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.
Username: eppn
Moodle WAYF service: No
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout
Data mapping (First name): givenName
Data mapping (Surname): surname
Data mapping (Email address): mail
Update local (Email address): On Creation
Lock value (Email address): Locked
Click Save.
Now using a private browser, try to log in to both systems using your IDP test user.
