= Configuring Shibboleth SP in a Single-Server, Multiple-Virtual-Host Environment =
This guide walks through installing the Shibboleth Service Provider on an Ubuntu 20.04 LTS server with Apache2 as the web server. It also covers configuring multiple Apache virtual hosts for SSO login to two different web apps, WordPress and Moodle.
=== Requirements ===
* Linux server running Ubuntu 20.04 LTS
* Apache installed with two different virtual hosts.
* SSL/HTTPS certificates issued (for example via Let's Encrypt, or otherwise).
* The latest WordPress and Moodle releases installed on the virtual hosts created above.
* sudo access to the server. All of the following commands must be entered as the root user; the easiest way is to log in as root with {{{ sudo su }}}
== Apache Config recap ==
=== Wordpress Apache Config ===
'''http''' config: {{{ /etc/apache2/sites-enabled/wp.conf }}}
{{{
<VirtualHost *:80>
    ServerName wp.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the WordPress installation.
    # Apache does not accept a comment at the end of a directive line, so comments sit on their own lines.
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/wp-error.log
    CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
    # Port 80 -> 443 redirection
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =wp.Your-Domain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
}}}
'''https''' config: {{{ /etc/apache2/sites-enabled/wp-le-ssl.conf }}}
{{{
<VirtualHost *:443>
    ServerName wp.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the WordPress installation
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/wp-error.log
    CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
    # SSL certificates issued by Let's Encrypt (options-ssl-apache.conf turns SSLEngine on)
    SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
}}}
=== Moodle Apache Config ===
'''http''' config: {{{ /etc/apache2/sites-enabled/mdl.conf }}}
{{{
<VirtualHost *:80>
    ServerName mdl.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the Moodle installation
    DocumentRoot /var/www/mdl
    ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
    CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
    # Port 80 -> 443 redirection
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mdl.Your-Domain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
}}}
'''https''' config: {{{ /etc/apache2/sites-enabled/mdl-le-ssl.conf }}}
{{{
<VirtualHost *:443>
    ServerName mdl.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the Moodle installation
    DocumentRoot /var/www/mdl
    ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
    CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
    # SSL certificates issued by Let's Encrypt (options-ssl-apache.conf turns SSLEngine on)
    SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
}}}
== Shibboleth SP Installation ==
Install needed packages:
{{{ apt install libapache2-mod-shib ntp --no-install-recommends }}}
=== Shibboleth SP Configuration ===
Both web apps will be connected to LIAF, so download the federation metadata signing certificate:
{{{
cd /etc/shibboleth/
wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem
}}}
Edit shibboleth2.xml as needed: {{{ vim /etc/shibboleth/shibboleth2.xml }}}
{{{
#!xml
. . .
. . .
. . .
SAML2
. . .
. . .
. . .
}}}
The snippet above defines two service providers for Shibboleth under two different entity IDs.
The default application uses {{{ entityID="https://wp.Your-Domain/shibboleth" }}} and the second one is an application override with id {{{ mdl }}}.
Both entities share common settings such as the metadata providers and attribute maps, but each has its own set of certificates.
Now let's create those certificate pairs.
* {{{ /usr/sbin/shib-keygen -n wp-signing -e https://wp.YOUR-DOMAIN/shibboleth }}}
* {{{ /usr/sbin/shib-keygen -n wp-encrypt -e https://wp.YOUR-DOMAIN/shibboleth }}}
* {{{ /usr/sbin/shib-keygen -n mdl-signing -e https://mdl.YOUR-DOMAIN/shibboleth }}}
* {{{ /usr/sbin/shib-keygen -n mdl-encrypt -e https://mdl.YOUR-DOMAIN/shibboleth }}}
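The shibboleth2.xml fragment the snippet above was meant to show, written out here as an added example rather than the page's own file: it assumes the key file names shib-keygen produces (NAME-key.pem and NAME-cert.pem in /etc/shibboleth) and uses labelled placeholders for the discovery service and federation metadata URLs, which the page does not give.

```xml
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
  <!-- Listener, StorageService, SessionCache and RequestMapper keep the package defaults (omitted) -->
  <!-- Default application: the WordPress entity -->
  <ApplicationDefaults entityID="https://wp.Your-Domain/shibboleth"
                       REMOTE_USER="eppn subject-id pairwise-id persistent-id">
    <!-- handlerSSL/cookieProps keep handlers and session cookies on HTTPS only;
         redirectLimit="exact" stops the post-login target being pointed off-host -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">
      <!-- Federation discovery service: the URL is an assumed placeholder -->
      <SSO discoveryProtocol="SAMLDS"
           discoveryURL="https://DISCOVERY-SERVICE-URL/DS/WAYF">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>
    <Errors supportContact="you@yourwebsite.com" helpLocation="/about.html"/>
    <!-- Shared by both applications: federation metadata, accepted only when its
         signature verifies against the federation-cert.pem downloaded above.
         The metadata URL is an assumed placeholder. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://FEDERATION-METADATA-URL/metadata.xml"
                      backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
    </MetadataProvider>
    <!-- Shared attribute map and release policy -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <!-- WordPress key pairs from: shib-keygen -n wp-signing / -n wp-encrypt -->
    <CredentialResolver type="File" use="signing"
                        key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/>
    <!-- Second entity, selected by "ShibRequestSetting applicationId mdl" in the Moodle vhost;
         it inherits everything above except the entityID and its own key pairs -->
    <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
      <CredentialResolver type="File" use="signing"
                          key="mdl-signing-key.pem" certificate="mdl-signing-cert.pem"/>
      <CredentialResolver type="File" use="encryption"
                          key="mdl-encrypt-key.pem" certificate="mdl-encrypt-cert.pem"/>
    </ApplicationOverride>
  </ApplicationDefaults>
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

Because the override has its own CredentialResolver elements, the two Metadata handlers publish different signing and encryption certificates, which is what lets LIAF register them as separate entities.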
Activate the required attributes in {{{ /etc/shibboleth/attribute-map.xml }}}. For this example, uncomment all of them, but make sure you do not break the file.
Then check the Shibboleth configuration for errors with:
{{{ shibd -t /etc/shibboleth/shibboleth2.xml }}}
=== Enable Shibboleth on apache virtual hosts ===
Edit the WordPress virtual host as follows:
config file: {{{ /etc/apache2/sites-enabled/wp-le-ssl.conf }}}
{{{
<VirtualHost *:443>
    ServerName wp.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the WordPress installation
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/wp-error.log
    CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
    # SSL certificates issued by Let's Encrypt (options-ssl-apache.conf turns SSLEngine on)
    SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # AuthType and Require are directory-context directives, so they need a <Location> block.
    # The WordPress Shibboleth plugin needs requireSession to be false (a lazy session):
    # the plugin starts the login itself, so public pages stay reachable without a session.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession false
        Require shibboleth
    </Location>
</VirtualHost>
}}}
Edit the Moodle virtual host as follows:
config file: {{{ /etc/apache2/sites-enabled/mdl-le-ssl.conf }}}
{{{
<VirtualHost *:443>
    ServerName mdl.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the Moodle installation
    DocumentRoot /var/www/mdl
    ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
    CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
    # SSL certificates issued by Let's Encrypt (options-ssl-apache.conf turns SSLEngine on)
    SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Select the "mdl" Shibboleth application override for this whole host, so its
    # handlers (/Shibboleth.sso/...) use the mdl entityID and key pairs
    ShibRequestSetting applicationId mdl
    # Only Moodle's Shibboleth login script needs a session; the rest of the site stays open.
    # ShibRequireSession is a legacy directive that SP 3 (the version Ubuntu 20.04 ships)
    # no longer accepts, so requireSession is set through ShibRequestSetting instead.
    # Double check the Moodle installation path: this is auth/shibboleth/index.php
    # under the DocumentRoot above
    <Location /auth/shibboleth/index.php>
        AuthType shibboleth
        ShibRequestSetting applicationId mdl
        ShibRequestSetting requireSession true
        Require valid-user
    </Location>
</VirtualHost>
}}}
Next, enable the Apache Shibboleth module and reload Apache.
{{{
#!bash
a2enmod shib
systemctl reload apache2.service
}}}
== Register both services with LIAF ==
We have now set up the Shibboleth SP for two different entities. They have to be registered with LIAF before the federation Discovery Service can direct them to the different IdPs.
Download the metadata for both applications from the following URLs:
* {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Metadata }}}
* {{{ https://mdl.YOUR-DOMAIN/Shibboleth.sso/Metadata }}}
Now register each of them with LIAF separately.
== Enabling Wordpress plugin ==
Install and activate the Shibboleth plugin by Michael !McNeill, mitcho (Michael 芳貴 Erlewine) and Will Norris: {{{ https://wordpress.org/plugins/shibboleth/ }}}
Then go to '''Settings''' -> '''Shibboleth'''.
On General Tab:
Login URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Login }}}
Logout URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Logout }}}
Attribute Access: Environment Variables
On User Tab:
Tick Automatically Create Accounts.
Check the attribute map as well. If you tick the Manage box for an attribute, users will not be able to change that value once they have logged in.
On Authorization Tab:
Select Subscriber as the Default Role.
On Logging Tab:
Enable all Logging.
Click Save.
== Enabling Moodle Plugin ==
As Moodle admin, go to '''Site administration''' -> '''Plugins''' -> '''Authentication''' and click the '''eye''' icon to enable '''Shibboleth'''. Next, go to its settings.
Fill in the fields of the form.
The fields 'Username', 'First name', 'Surname', etc. must contain the names of the environment variables that carry the Shibboleth attributes you want to map onto the corresponding Moodle fields. The 'Username' field is especially important, because that attribute is what Moodle uses to authenticate Shibboleth users.
Username: eppn
Moodle WAYF service: No
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout
Data mapping (First name): givenName
Data mapping (Surname): surname
Data mapping (Email address): mail
Update local (Email address): On Creation
Lock value (Email address): Locked
Click Save.
* Adjust attribute-map.xml as
{{{
}}}
* Adjust attribute-policy.xml as
{{{
}}}
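The two files named in the list above, as an added example rather than the page's own adjustments: the attribute map exposes only the four attributes the WordPress and Moodle settings above read, with id="surname" assumed to match the Moodle 'Surname' field, and the policy accepts eppn only when its scope is one the asserting IdP is allowed in the federation metadata.

```xml
<!-- /etc/shibboleth/attribute-map.xml: each id becomes the environment variable
     name that the WordPress plugin and the Moodle settings above read -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- eduPersonPrincipalName: decoded as scoped (user@scope) so the policy below can check the scope -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
  <!-- sn is exposed as "surname" to match the Moodle field (assumption) -->
  <Attribute name="urn:oid:2.5.4.4" id="surname"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>

<!-- /etc/shibboleth/attribute-policy.xml -->
<afp:AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- A scoped value is kept only if the part before '@' contains no further '@'
       and the scope matches a shibmd:Scope the federation metadata grants the IdP -->
  <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT">
      <Rule xsi:type="ValueRegex" regex="@"/>
    </Rule>
    <Rule xsi:type="ScopeMatchesShibMDScope"/>
  </afp:PermitValueRule>
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="ANY"/>
    <!-- eppn is the Moodle username, so one IdP must not be able to assert a
         value in another institution's scope and take over that account -->
    <afp:AttributeRule attributeID="eppn">
      <afp:PermitValueRuleReference ref="ScopingRules"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="*">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

After editing, {{{ shibd -t /etc/shibboleth/shibboleth2.xml }}} reloads both files and reports any schema error before you restart the daemon.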
Afterwards, restart shibd and apache2.
Now, using a private browser window, try to log in to both systems with your IdP test user.