Changes between Version 1 and Version 2 of SamlSP2021/Agenda/WebappsSso


Timestamp:
Mar 29, 2021, 7:08:16 PM (3 years ago)
Author:
admin
Comment:

end of shib

  • SamlSP2021/Agenda/WebappsSso

    v1 v2  
    1010* SSL/ HTTPS Certificates issued ( May be using Letsencrypt or Otherwise)
    1111* Installed Wordpress and Moodle latest editions on above created virtual hosts.
     12* sudo access to the server. All following commands have to be entered as the root user. Best way to do it is login as root by {{{ sudo su }}}
    1213
    1314== Apache Config recap ==
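Review bot: the new item 12 tells the reader to become root with `sudo su`, but that keeps the invoking user's environment; since every later command is shown unprefixed and run as root, suggest `sudo -i` (or `sudo su -`) so the root login shell's PATH and HOME are used, which avoids surprises with tools such as `shib-keygen` writing into the wrong directory.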
     
    103104</IfModule>
    104105}}}
     106
     107
     108== Shibboleth SP Installation ==
     109
     110Install needed packages:
     111
     112{{{ apt install libapache2-mod-shib ntp --no-install-recommends }}}
     113
     114=== Shibboleth SP Configuration ===
     115
     116
     117Both of these web apps will be connected to LIAF, therefore, download Federation Metadata Signing Certificate:
     118
     119{{{
     120    cd /etc/shibboleth/
     121    wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem
     122}}}
     123
     124Edit shibboleth2.xml opportunely: {{{ vim /etc/shibboleth/shibboleth2.xml }}}
     125
     126some code
     127
     128{{{
     129#!xml
     130. . .
     131
     132    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     133    <ApplicationDefaults entityID="https://wp.Your-Domain/shibboleth"
     134        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
     135        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
     136
     137. . .
     138
     139        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
     140                  checkAddress="false" handlerSSL="true" cookieProps="https">
     141
     142. . .
     143
     144            <SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
     145              SAML2
     146            </SSO>
     147
     148. . .
     149
     150        <Errors supportContact="you@you-domain"
     151             helpLocation="/about-this-service.html"
     152             styleSheet="/shibboleth-sp/main.css"/>
     153
     154. . .
     155
     156        <MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" reloadInterval="600">
     157
     158                <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
     159
     160                <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
     161        </MetadataProvider>
     162
     163. . .
     164
     165        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
     166        <CredentialResolver type="File" use="signing"
     167            key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/>
     168        <CredentialResolver type="File" use="encryption"
     169            key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/>
     170
     171        <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
     172                <CredentialResolver type="File" use="signing"
     173                        key="mdl-signing-key.pem" certificate="mdl-signing-cert.pem"/>
     174                <CredentialResolver type="File" use="encryption"
     175                        key="mdl-encrypt-key.pem" certificate="mdl-encrypt-cert.pem"/>
     176        </ApplicationOverride>
     177    </ApplicationDefaults>
     178
     179    <!-- Policies that determine how to process and authenticate runtime messages. -->
     180    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
     181
     182}}}
     183
     184Above snippet defines two service providers for shibboleth under two different entity id's.
     185
     186Default application as {{{ entityID="https://wp.Your-Domain/shibboleth" }}} and the second as an override with id mdl {{{ <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth"> }}}
     187
     188Both entities will have common features like metadata providers, attribute maps. But they will have two different certificate sets.
     189
     190Now lets create those certificate pairs.
     191
     192* {{{ /usr/sbin/shib-keygen -n wp-signing -e https://wp.YOUR-DOMAIN/shibboleth }}}
     193* {{{ /usr/sbin/shib-keygen -n wp-encrypt -e https://wp.YOUR-DOMAIN/shibboleth }}}
     194* {{{ /usr/sbin/shib-keygen -n mdl-signing -e https://mdl.YOUR-DOMAIN/shibboleth }}}
     195* {{{ /usr/sbin/shib-keygen -n mdl-encrypt -e https://mdl.YOUR-DOMAIN/shibboleth }}}
     196
     197Then check the shibboleth configuration for errors by,
     198
     199{{{ shibd -t /etc/shibboleth/shibboleth2.xml }}}
     200
     201Next, enable apache shibboleth module and restart apache.
     202
     203{{{
     204#!bash
     205    a2enmod shib2
     206    systemctl reload apache2.service
     207}}}
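Review bot: the closing step `a2enmod shib2` does not match the package installed at the top of this hunk, `apt install libapache2-mod-shib ntp --no-install-recommends`, which is the SP 3.x package whose Apache module is named `shib` (the `shib2` name belongs to the older `libapache2-mod-shib2` package), so `a2enmod shib2` will fail with "Module shib2 does not exist"; change it to `a2enmod shib`. The prose above the same block says "restart apache" while the command is `systemctl reload apache2.service`; after enabling a new module use `systemctl restart apache2.service` as `a2enmod` itself advises. The entityID placeholders are also spelled two ways, `entityID="https://wp.Your-Domain/shibboleth"` in shibboleth2.xml versus `-e https://wp.YOUR-DOMAIN/shibboleth` in the `shib-keygen` commands; since `-e` is embedded in the generated certificate and must agree with the entityID registered in federation metadata, pick one spelling (and likewise replace `supportContact="you@you-domain"` with the real address) so readers do not copy inconsistent values. Finally, the text introduces the XML with the placeholder "some code", which should be replaced with a sentence naming which elements (ApplicationDefaults, Sessions, SSO, MetadataProvider, CredentialResolver, ApplicationOverride) the reader is expected to edit.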