Configuring Shibboleth SP on Single server Multi virtual host environment
This guide walks through installing the Shibboleth Service Provider on an Ubuntu 20.04 LTS server with Apache2 as the web server. It also covers configuring multiple Apache virtual hosts for SSO login of two different web apps, Wordpress and Moodle.
Requirements
- Linux Server running Ubuntu 20.04 LTS
- Apache installed with two different virtual hosts.
- SSL/HTTPS certificates issued (for example with Let's Encrypt, or otherwise).
- The latest editions of Wordpress and Moodle installed on the virtual hosts created above.
- sudo access to the server. All of the following commands must be entered as the root user. The easiest way is to become root with:
sudo su
Apache Config recap
Wordpress Apache Config
http config: /etc/apache2/sites-enabled/wp.conf
<VirtualHost *:80>
    ServerName wp.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the Wordpress installation
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/wp-error.log
    CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
    # Port 80 -> 443 redirection (Apache does not allow trailing comments, so they go on their own lines)
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =wp.Your-Domain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
https config: /etc/apache2/sites-enabled/wp-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName wp.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the Wordpress installation
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/wp-error.log
    CustomLog ${APACHE_LOG_DIR}/wp-access.log combined
    # SSL certificates issued by Let's Encrypt
    SSLCertificateFile /etc/letsencrypt/live/wp.Your-Domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wp.Your-Domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Moodle Apache Config
http config: /etc/apache2/sites-enabled/mdl.conf
<VirtualHost *:80>
    ServerName mdl.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the Moodle installation
    DocumentRoot /var/www/mdl
    ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
    CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
    # Port 80 -> 443 redirection
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mdl.Your-Domain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
https config: /etc/apache2/sites-enabled/mdl-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName mdl.Your-Domain
    ServerAdmin you@yourwebsite.com
    # Location of the Moodle installation
    DocumentRoot /var/www/mdl
    ErrorLog ${APACHE_LOG_DIR}/mdl-error.log
    CustomLog ${APACHE_LOG_DIR}/mdl-access.log combined
    # SSL certificates issued by Let's Encrypt
    SSLCertificateFile /etc/letsencrypt/live/mdl.Your-Domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mdl.Your-Domain/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Shibboleth SP Installation
Install the needed packages:
apt install libapache2-mod-shib ntp --no-install-recommends
Shibboleth SP Configuration
Both of these web apps will be connected to LIAF, so download the federation metadata signing certificate. This certificate is the trust anchor for every metadata signature check below, so confirm its fingerprint with the federation operator before relying on it:
cd /etc/shibboleth/
wget https://fr.ac.lk/signedmetadata/metadata-signer -O federation-cert.pem
Edit shibboleth2.xml as needed:
vim /etc/shibboleth/shibboleth2.xml
...
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://wp.Your-Domain/shibboleth"
    REMOTE_USER="eppn subject-id pairwise-id persistent-id"
    cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
    ...
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
        ...
        <SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.ac.lk">
          SAML2
        </SSO>
        ...
    </Sessions>
    ...
    <Errors supportContact="you@you-domain"
            helpLocation="/about-this-service.html"
            styleSheet="/shibboleth-sp/main.css"/>
    ...
    <MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml"
                      legacyOrgName="true" backingFilePath="test-metadata.xml" reloadInterval="600">
        <MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false"/>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
    </MetadataProvider>
    ...
    <!-- Simple file-based resolvers for separate signing/encryption keys. -->
    <CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/>

    <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
        <CredentialResolver type="File" use="signing" key="mdl-signing-key.pem" certificate="mdl-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption" key="mdl-encrypt-key.pem" certificate="mdl-encrypt-cert.pem"/>
    </ApplicationOverride>
</ApplicationDefaults>

<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
The snippet above defines two service providers for Shibboleth under two different entity IDs:
the default application as entityID="https://wp.Your-Domain/shibboleth",
and the second as an override with id mdl: <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
Both entities share common settings such as the metadata provider and the attribute map, but each has its own set of certificates, so the keys of one application never have to be exposed to, or decrypt assertions meant for, the other.
Now let's create those certificate pairs.
/usr/sbin/shib-keygen -n wp-signing -e https://wp.Your-Domain/shibboleth
/usr/sbin/shib-keygen -n wp-encrypt -e https://wp.Your-Domain/shibboleth
/usr/sbin/shib-keygen -n mdl-signing -e https://mdl.Your-Domain/shibboleth
/usr/sbin/shib-keygen -n mdl-encrypt -e https://mdl.Your-Domain/shibboleth
Then check the Shibboleth configuration for errors with:
shibd -t /etc/shibboleth/shibboleth2.xml
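As an added check that is not part of the original page: shibd -t confirms that the file loads, but it reports no error when an override quietly inherits the default application's keys or when two applications carry the same entityID, because both are legal configurations. The Python audit below parses a shibboleth2.xml in the SP 3.x namespace and reports those conditions, plus the HTTPS-only session settings and the metadata signature and validity filters used above; the embedded SAMPLE is a constructed, trimmed copy of the configuration shown on this page.

```python
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:3.0:native:sp:config"}  # SP 3.x config namespace
# Constructed sample mirroring the page's configuration (certificate= attributes omitted).
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
<ApplicationDefaults entityID="https://wp.Your-Domain/shibboleth">
 <Sessions handlerSSL="true" cookieProps="https"/>
 <MetadataProvider type="XML" url="https://fr.ac.lk/signedmetadata/metadata.xml">
  <MetadataFilter type="Signature" certificate="federation-cert.pem"/>
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/></MetadataProvider>
 <CredentialResolver type="File" use="signing" key="wp-signing-key.pem"/>
 <CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem"/>
 <ApplicationOverride id="mdl" entityID="https://mdl.Your-Domain/shibboleth">
  <CredentialResolver type="File" use="signing" key="mdl-signing-key.pem"/>
  <CredentialResolver type="File" use="encryption" key="mdl-encrypt-key.pem"/>
 </ApplicationOverride>
</ApplicationDefaults></SPConfig>"""

def audit_sp_config(xml_text):
    """Return a list of findings for a shibboleth2.xml; an empty list means all checks passed."""
    app = ET.fromstring(xml_text).find("c:ApplicationDefaults", NS)
    findings, entity_owner, key_owner, default_keys = [], {}, {}, {}
    apps = [("default", app)] + [(o.get("id"), o) for o in app.findall("c:ApplicationOverride", NS)]
    for app_id, el in apps:
        eid = el.get("entityID")
        if eid in entity_owner:
            findings.append(f"{app_id}: entityID {eid} already used by {entity_owner[eid]}")
        entity_owner.setdefault(eid, app_id)
        # No use= means both purposes; an override with no resolver inherits the default keys.
        own = {cr.get("use", "both"): cr.get("key") for cr in el.findall("c:CredentialResolver", NS)}
        for use in ("signing", "encryption"):
            key = own.get(use) or own.get("both") or default_keys.get(use)
            if key is None:
                findings.append(f"{app_id}: no {use} key configured")
            elif key_owner.setdefault(key, app_id) != app_id:
                findings.append(f"{app_id}: {use} key {key} is shared with {key_owner[key]}")
            if app_id == "default":
                default_keys[use] = key
    sess = app.find("c:Sessions", NS)
    if sess is None or sess.get("handlerSSL") != "true" or sess.get("cookieProps") != "https":
        findings.append('Sessions must set handlerSSL="true" and cookieProps="https"')
    for mp in app.findall("c:MetadataProvider", NS):
        kinds = {f.get("type") for f in mp.findall("c:MetadataFilter", NS)}
        for needed in ("Signature", "RequireValidUntil"):
            if needed not in kinds:
                findings.append(f"MetadataProvider {mp.get('url')}: missing {needed} filter")
    return findings

if __name__ == "__main__":
    print(audit_sp_config(SAMPLE) or "OK: no findings")
```

To run it against the live file, pass the contents of /etc/shibboleth/shibboleth2.xml instead of SAMPLE.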
Next, enable the Apache Shibboleth module and restart Apache.