Changes between Version 2 and Version 3 of SamlSP2021/Agenda/WebappsSso

Timestamp:

Mar 29, 2021, 8:07:25 PM (4 years ago)

Author:

admin

Comment:

--

SamlSP2021/Agenda/WebappsSso

@@ -10 +10 @@
 * SSL/ HTTPS Certificates issued ( May be using Letsencrypt or Otherwise)
 * Installed Wordpress and Moodle latest editions on above created virtual hosts.
-* sudo access to the server. All following commands have to be entered as the root user. Best way to do it is login as root by {{{ sudo su }}}
+* sudo access to the server. All following commands have to be entered as the root user. Best way to do it is, by login in as root with {{{ sudo su }}}
 
 == Apache Config recap ==
@@ -195 +195 @@
 * {{{ /usr/sbin/shib-keygen -n mdl-encrypt -e https://mdl.YOUR-DOMAIN/shibboleth }}}
 
+
+Activate required attributes from  the {{{ /etc/shibboleth/attribute-map.xml }}} For the example, lets uncomment all, but make sure you didnt messed with the file.  
+
+
 Then check the shibboleth configuration for errors by, 
 
 {{{ shibd -t /etc/shibboleth/shibboleth2.xml }}}
+
+
+=== Enable Shibboleth on apache virtual hosts ===
+
+Edit wordpress virtual host as follows:
+
+config file:  {{{ /etc/apache2/sites-enabled/wp-le-ssl.conf }}}
+
+
+{{{
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+        
+        ServerName wp.Your-Domain
+        ServerAdmin you@yourwebsite.com
+        DocumentRoot /var/www/html #Location of Wordpress installation
+
+        ErrorLog ${APACHE_LOG_DIR}/wp-error.log
+        CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
+
+        #SSL Certificates issued by letsencrypt
+        SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
+        SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
+        Include /etc/letsencrypt/options-ssl-apache.conf
+
+        <Location />
+           AuthType Shibboleth
+           ShibRequestSetting requireSession false #Wordpress shibboleth plugin needs requireSession to be false
+           Require shibboleth
+        </Location>
+
+</VirtualHost>
+</IfModule>
+
+}}}
+
+Edit Moodle virtual host as follows:
+
+config file: {{{ /etc/apache2/sites-enabled/mdl-le-ssl.conf }}}
+
+
+{{{
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+        
+        ServerName mdl.Your-Domain
+        ServerAdmin you@yourwebsite.com
+        DocumentRoot /var/www/mdl #Location of Moodle installation
+
+        ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
+        CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
+
+        #SSL Certificates issued by letsencrypt
+        SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
+        SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
+        Include /etc/letsencrypt/options-ssl-apache.conf
+
+        <Location />
+             ShibRequestSetting applicationId mdl  #Defining shibboleth application override
+        </Location>
+
+
+        <Directory /var/www/mdl/auth/shibboleth/index.php> #Double Check Moodle installation path
+             AuthType shibboleth
+             ShibRequestSetting applicationId mdl
+             ShibRequireSession On
+             require valid-user
+        </Directory>
+
+</VirtualHost>
+</IfModule>
+}}}
 
 Next, enable apache shibboleth module and restart apache.
@@ -206 +282 @@
     systemctl reload apache2.service
 }}}
+
+== Register both services with LIAF ==
+
+We have now set up shibboleth SP for two different entities. They have to be registered with LIAF before using the Federation discovery Service to point different IDP's.
+
+Download the  metadata from both applications by going to the following URL's. 
+
+* {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Metadata }}}
+* {{{ https://mdl.YOUR-DOMAIN/Shibboleth.sso/Metadata }}}
+
+Now register them with LIAF separately. 
+
+== Enabling Wordpress plugin ==
+
+Install and activate the shibboleth plugin by Michael !McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris {{{ https://wordpress.org/plugins/shibboleth/ }}}
+
+Then go to '''Settings''' -> '''Shibboleth'''
+
+
+On General Tab:
+
+Login URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Login }}}
+
+Logout URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Logout }}}
+
+Attribute Access: Environment Variables
+
+
+On User Tab:
+
+Tick Automatically Create Accounts.
+Check the attribute map as well. If you ticked any attribute Manage tick, user will not be able to change the values once they logged in.
+
+
+On Authorization Tab:
+
+Select Subscriber as the Default Role.
+
+
+On Logging Tab:
+
+Enable all Logging.
+
+
+
+Click Save.
+
+
+== Enabling Moodle Plugin ==
+
+As Moodle admin, go to the '''Site administration''' >>> '''Plugins''' >>> '''Authentication''' and click on the '''Shibboleth''' enable '''eye'''. Next go to its settings.
+
+
+Fill in the fields of the form. 
+
+The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.
+
+Username: eppn
+
+Moodle WAYF service: No
+
+Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout
+
+Data mapping (First name): givenName
+
+Data mapping (Surname): surname
+
+Data mapping (Email address): mail
+
+Update local (Email address): On Creation
+
+Lock value (Email address): Locked
+
+
+Click Save.
+
+
+Now using a private browser, try to log in to both systems using your IDP test user.