= Configuring Shibboleth SP on Single server Multi virtual host environment = This will guide you through installing Shibboleth Service Provider setup on Ubuntu 20.04 LTS server with Apache2 running as the web server. We will also look into configuring multiple apache virtual hosts and configuring them for SSO login of two different web apps; Wordpress and Moodle. === Requirements === * Linux Server running Ubuntu 20.04 LTS * Apache installed with two different virtual hosts. * SSL/ HTTPS Certificates issued ( May be using Letsencrypt or Otherwise) * Installed Wordpress and Moodle latest editions on above created virtual hosts. * sudo access to the server. All following commands have to be entered as the root user. Best way to do it is, by login in as root with {{{ sudo su }}} == Apache Config recap == === Wordpress Apache Config === '''http''' config: {{{ /etc/apache2/sites-enabled/wp.conf }}} {{{ ServerName wp.Your-Domain ServerAdmin you@yourwebsite.com DocumentRoot /var/www/html #Location of Wordpress installation ErrorLog ${APACHE_LOG_DIR}/wp-error.log CustomLog ${APACHE_LOG_DIR}/wp-access.log combined RewriteEngine on RewriteCond %{SERVER_NAME} =wp.Your-Domain RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection }}} '''https''' config: {{{ /etc/apache2/sites-enabled/wp-le-ssl.conf }}} {{{ ServerName wp.Your-Domain ServerAdmin you@yourwebsite.com DocumentRoot /var/www/html #Location of Wordpress installation ErrorLog ${APACHE_LOG_DIR}/wp-error.log CustomLog ${APACHE_LOG_DIR}/wp-access.log combined #SSL Certificates issued by letsencrypt SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf }}} === Moodle Apache Config === '''http''' config: {{{ /etc/apache2/sites-enabled/mdl.conf }}} {{{ ServerName mdl.Your-Domain ServerAdmin you@yourwebsite.com DocumentRoot /var/www/mdl #Location of Moodle installation ErrorLog ${APACHE_LOG_DIR}/mdl-error.log CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined RewriteEngine on RewriteCond %{SERVER_NAME} =mdl.Your-Domain RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] # port 80 -- > 443 redirection }}} '''https''' config: {{{ /etc/apache2/sites-enabled/mdl-le-ssl.conf }}} {{{ ServerName mdl.Your-Domain ServerAdmin you@yourwebsite.com DocumentRoot /var/www/mdl #Location of Moodle installation ErrorLog ${APACHE_LOG_DIR}/mdl-error.log CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined #SSL Certificates issued by letsencrypt SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf }}} == Shibboleth SP Installation == Install needed packages: {{{ apt install libapache2-mod-shib ntp --no-install-recommends }}} === Shibboleth SP Configuration === Both of these web apps will be connected to LIAF, therefore, download Federation Metadata Signing Certificate: {{{ cd /etc/shibboleth/ wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem }}} Edit shibboleth2.xml opportunely: {{{ vim /etc/shibboleth/shibboleth2.xml }}} {{{ #!xml . . . . . . . . . SAML2 . . . . . . . . . }}} Above snippet defines two service providers for shibboleth under two different entity id's. Default application as {{{ entityID="https://wp.Your-Domain/shibboleth" }}} and the second as an override with id mdl {{{ }}} Both entities will have common features like metadata providers, attribute maps. But they will have two different certificate sets. Now lets create those certificate pairs. * {{{ /usr/sbin/shib-keygen -n wp-signing -e https://wp.YOUR-DOMAIN/shibboleth }}} * {{{ /usr/sbin/shib-keygen -n wp-encrypt -e https://wp.YOUR-DOMAIN/shibboleth }}} * {{{ /usr/sbin/shib-keygen -n mdl-signing -e https://mdl.YOUR-DOMAIN/shibboleth }}} * {{{ /usr/sbin/shib-keygen -n mdl-encrypt -e https://mdl.YOUR-DOMAIN/shibboleth }}} Activate required attributes from the {{{ /etc/shibboleth/attribute-map.xml }}} For the example, lets uncomment all, but make sure you didnt messed with the file. Then check the shibboleth configuration for errors by, {{{ shibd -t /etc/shibboleth/shibboleth2.xml }}} === Enable Shibboleth on apache virtual hosts === Edit wordpress virtual host as follows: config file: {{{ /etc/apache2/sites-enabled/wp-le-ssl.conf }}} {{{ ServerName wp.Your-Domain ServerAdmin you@yourwebsite.com DocumentRoot /var/www/html #Location of Wordpress installation ErrorLog ${APACHE_LOG_DIR}/wp-error.log CustomLog ${APACHE_LOG_DIR}/wp-access.log combined #SSL Certificates issued by letsencrypt SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf AuthType Shibboleth ShibRequestSetting requireSession false Require shibboleth #Wordpress shibboleth plugin needs requireSession to be false }}} Edit Moodle virtual host as follows: config file: {{{ /etc/apache2/sites-enabled/mdl-le-ssl.conf }}} {{{ ServerName mdl.Your-Domain ServerAdmin you@yourwebsite.com DocumentRoot /var/www/mdl #Location of Moodle installation ErrorLog ${APACHE_LOG_DIR}/mdl-error.log CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined #SSL Certificates issued by letsencrypt SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf ShibRequestSetting applicationId mdl #Defining shibboleth application override AuthType shibboleth ShibRequestSetting applicationId mdl ShibRequireSession On require valid-user #Double Check Moodle installation path }}} Next, enable apache shibboleth module and restart apache. {{{ #!bash a2enmod shib systemctl reload apache2.service }}} == Register both services with LIAF == We have now set up shibboleth SP for two different entities. They have to be registered with LIAF before using the Federation discovery Service to point different IDP's. Download the metadata from both applications by going to the following URL's. * {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Metadata }}} * {{{ https://mdl.YOUR-DOMAIN/Shibboleth.sso/Metadata }}} Now register them with LIAF separately. == Enabling Wordpress plugin == Install and activate the shibboleth plugin by Michael !McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris {{{ https://wordpress.org/plugins/shibboleth/ }}} Then go to '''Settings''' -> '''Shibboleth''' On General Tab: Login URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Login }}} Logout URL: {{{ https://wp.YOUR-DOMAIN/Shibboleth.sso/Logout }}} Attribute Access: Environment Variables On User Tab: Tick Automatically Create Accounts. Check the attribute map as well. If you ticked any attribute Manage tick, user will not be able to change the values once they logged in. On Authorization Tab: Select Subscriber as the Default Role. On Logging Tab: Enable all Logging. Click Save. == Enabling Moodle Plugin == As Moodle admin, go to the '''Site administration''' >>> '''Plugins''' >>> '''Authentication''' and click on the '''Shibboleth''' enable '''eye'''. Next go to its settings. Fill in the fields of the form. The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users. Username: eppn Moodle WAYF service: No Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout Data mapping (First name): givenName Data mapping (Surname): surname Data mapping (Email address): mail Update local (Email address): On Creation Lock value (Email address): Locked Click Save. * Adjust attribute-map .xml as {{{ }}} * Adjust attribute-policy.xml as {{{ }}} After, restart shibd and apache2 Now using a private browser, try to log in to both systems using your IDP test user.