Changes between Initial Version and Version 1 of iam2018/SpInstallation


Timestamp:
Sep 21, 2018, 4:32:43 PM (16 months ago)
Author:
admin
Comment:

--

iam2018/SpInstallation (v1)
= Shibboleth SP on Ubuntu Linux LTS 18.04 =

The installation assumes you have already installed Ubuntu Server 18.04 with the default configuration and that the server has public IP connectivity with DNS set up.

Let's assume your server hostname is '''sp.instXY.ac.lk'''.

All commands are to be run as root; you may use `sudo su` to become root.

1. Install the required packages:
*
{{{
apt install apache2 ntp ca-certificates vim openssl binutils
}}}

2. Modify `/etc/hosts`:
*
{{{
vim /etc/hosts
}}}
{{{
127.0.0.1 sp.instXY.ac.lk sp
}}}
(Replace `sp.instXY.ac.lk` with your SP FQDN.)

== Install Shibboleth Service Provider ==

3. Install the dependencies and work around the libcurl library issue: the stock `libxmltooling7` package depends on `libcurl3`, which cannot be installed alongside `libcurl4`, so the package is repacked below to depend on `libcurl4` while a copy of the `libcurl3` library is kept for shibd. (Credits: [https://depts.washington.edu/bitblog/2018/06/libcurl3-libcurl4-shibboleth-php-curl-ubuntu-18-04/ Josh L.'s Blog])
*
{{{
apt install liblog4shib1v5 libxerces-c3.2 libxml-security-c17v5 libcurl3
cp /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0 /usr/lib/x86_64-linux-gnu/libcurl3.so.4.5.0
apt-get install libcurl4
mkdir ~/temp
cd ~/temp
apt-get download libxmltooling7 # Ignore the warnings
ar x libxmltooling7_1.6.4-1ubuntu2_amd64.deb
tar xf control.tar.xz
sed -i -e 's/libcurl3 (>= 7.16.2)/libcurl4/g' control
tar -cJvf control.tar.xz control md5sums shlibs triggers
ar rcs libxmltooling-local.deb debian-binary control.tar.xz data.tar.xz
dpkg -i libxmltooling-local.deb
mkdir /etc/systemd/system/shibd.service.d
}}}
* Create the following systemd drop-in to override the defaults, so that shibd runs with the preserved libcurl3 library preloaded:
*
{{{
vim /etc/systemd/system/shibd.service.d/override.conf
}}}
{{{
[Service]
Environment="LD_PRELOAD=libcurl3.so.4.5.0"
}}}

4. Install Shibboleth SP:
{{{
apt install libapache2-mod-shib2 libapache2-mod-php
}}}

From this point on, the SP configuration directory is `/etc/shibboleth`.

== Configuration Instructions ==

=== Configure Apache2 ===

5. These configurations are intended for test purposes and use self-generated SSL certificates. If you have purchased an SSL certificate from a commercial CA, substitute the self-signed files with those. If you wish to use '''Let's Encrypt''' certificates in production, ''skip'' to '''Step 10'''.

Create a self-signed certificate and key for HTTPS:
*
{{{
openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/ssl-sp.key -out /etc/ssl/certs/ssl-sp.crt -nodes -days 1095
}}}

6. Create the file `/etc/apache2/sites-available/sp-ssl.conf` as follows:

{{{
<IfModule mod_ssl.c>
   SSLStaplingCache        shmcb:/var/run/ocsp(128000)
   <VirtualHost _default_:443>
     ServerName sp.instXY.ac.lk:443
     ServerAdmin admin@instXY.ac.lk
     DocumentRoot /var/www/html

     SSLEngine On

     # Disable SSLv2/SSLv3/TLSv1/TLSv1.1; only TLS 1.2 or newer remains
     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
     SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

     SSLHonorCipherOrder on

     # Disable SSL Compression
     SSLCompression Off

     # OCSP Stapling, only in httpd/apache >= 2.3.3
     SSLUseStapling          on
     SSLStaplingResponderTimeout 5
     SSLStaplingReturnResponderErrors off

     # Enable HTTP Strict Transport Security with a 2 year duration
     Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;preload"

     SSLCertificateFile /etc/ssl/certs/ssl-sp.crt
     SSLCertificateKeyFile /etc/ssl/private/ssl-sp.key
     #SSLCertificateChainFile /root/certificates/ssl-ca.pem

   </VirtualHost>
</IfModule>
}}}

7. Enable the '''proxy_http''', '''ssl''' and '''headers''' Apache2 modules (together with alias, include and negotiation), enable the site and restart Apache2:
*
{{{
a2enmod proxy_http ssl headers alias include negotiation
}}}
*
{{{
a2ensite sp-ssl.conf
}}}
*
{{{
systemctl restart apache2
}}}

8. Configure Apache2 to open port '''80''' only on localhost:
*
{{{
vim /etc/apache2/ports.conf
}}}
{{{
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 127.0.0.1:80

<IfModule ssl_module>
  Listen 443
</IfModule>

<IfModule mod_gnutls.c>
  Listen 443
</IfModule>
}}}
9. Configure Apache2 to redirect all HTTP requests to HTTPS:
*
{{{
vim /etc/apache2/sites-enabled/000-default.conf
}}}
{{{
<VirtualHost *:80>
   ServerName "sp.instXY.ac.lk"
   Redirect permanent "/" "https://sp.instXY.ac.lk/"
   RedirectMatch permanent ^/(.*)$ https://sp.instXY.ac.lk/$1
</VirtualHost>
}}}

*
{{{
systemctl restart apache2
}}}
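The following script is an added example and not part of the original page: it checks a vhost file and a `ports.conf` against the settings from steps 6 and 8 (legacy protocol versions, cipher order, compression, the HSTS header, and port 80 bound to loopback only). The sample configurations inside it are constructed for the demonstration; point the two functions at `/etc/apache2/sites-available/sp-ssl.conf` and `/etc/apache2/ports.conf` to audit a real server.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): audit an Apache SSL vhost
# and ports.conf for the hardening applied in steps 6 and 8 above. Each function
# prints one line per finding and returns the number of findings (0 = clean).
# The configurations at the bottom are constructed samples for this demo.

# Drop comments first, so a commented-out directive is never counted as active.
strip_comments() { sed 's/#.*$//' "$1"; }

audit_apache_tls() {
    body=$(strip_comments "$1")
    n=0
    if ! printf '%s\n' "$body" | grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on'; then
        echo "FINDING: SSLEngine is not on"; n=$((n + 1))
    fi
    # SSLProtocol: no line at all means Apache's default ("all"). Accept the
    # page's form (All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1) or an explicit list that
    # names only TLSv1.2/TLSv1.3.
    proto=$(printf '%s\n' "$body" | grep -Ei '^[[:space:]]*SSLProtocol' | head -n 1)
    set -- $proto
    [ $# -gt 0 ] && shift                    # drop the directive name
    has_all=0; minus_t1=0; minus_t11=0; legacy_on=0
    [ $# -eq 0 ] && has_all=1
    for tok in "$@"; do
        case "$tok" in
            [Aa][Ll][Ll]) has_all=1 ;;
            -TLSv1)       minus_t1=1 ;;
            -TLSv1.1)     minus_t11=1 ;;
            SSLv2|SSLv3|TLSv1|TLSv1.1|+SSLv2|+SSLv3|+TLSv1|+TLSv1.1) legacy_on=1 ;;
        esac
    done
    if [ "$legacy_on" -eq 1 ] || { [ "$has_all" -eq 1 ] && [ "$minus_t1$minus_t11" != "11" ]; }; then
        echo "FINDING: SSLProtocol leaves SSLv3/TLSv1/TLSv1.1 enabled: ${proto:-<default>}"; n=$((n + 1))
    fi
    if printf '%s\n' "$body" | grep -Eqi '^[[:space:]]*SSLCompression[[:space:]]+on'; then
        echo "FINDING: SSLCompression is on"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eqi '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on'; then
        echo "FINDING: SSLHonorCipherOrder on is missing"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq 'Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security'; then
        echo "FINDING: no Strict-Transport-Security header"; n=$((n + 1))
    fi
    return "$n"
}

# ports.conf: port 80 must only be bound to loopback (step 8); the plain-HTTP
# vhost exists solely to redirect to HTTPS.
audit_ports() {
    n=0
    for addr in $(strip_comments "$1" | awk 'tolower($1) == "listen" { print $2 }'); do
        case "$addr" in
            127.0.0.1:80|\[::1\]:80) ;;                       # loopback only
            80|*:80) echo "FINDING: port 80 is open on $addr"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Constructed samples: the page's hardened vhost, a weak one, and two ports.conf.
HARDENED_VHOST=$(mktemp); WEAK_VHOST=$(mktemp); PORTS_OK=$(mktemp); PORTS_BAD=$(mktemp)
cat > "$HARDENED_VHOST" <<'EOF'
<VirtualHost _default_:443>
  SSLEngine On
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  SSLHonorCipherOrder on
  SSLCompression Off
  Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;preload"
  #SSLCertificateChainFile /root/certificates/ssl-ca.pem
</VirtualHost>
EOF
cat > "$WEAK_VHOST" <<'EOF'
<VirtualHost _default_:443>
  SSLEngine On
  SSLProtocol All -SSLv2 -SSLv3
  SSLCompression On
  # Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
EOF
printf 'Listen 127.0.0.1:80\n<IfModule ssl_module>\n  Listen 443\n</IfModule>\n' > "$PORTS_OK"
printf 'Listen 80\nListen 443\n' > "$PORTS_BAD"

for f in "$HARDENED_VHOST" "$WEAK_VHOST"; do
    rc=0; audit_apache_tls "$f" || rc=$?
    echo "$f: $rc finding(s)"
done
rc=0; audit_ports "$PORTS_BAD" || rc=$?
echo "$PORTS_BAD: $rc finding(s)"
```

The weak sample reports four findings (legacy TLS still enabled, compression on, no cipher-order preference, HSTS only in a comment) and the hardened one none; the `ports.conf` check flags any `Listen` on port 80 that is not a loopback address.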

10. '''Let's Encrypt''' setup (''skip this step if you already configured SSL with self-signed or CA-provided certificates'') (Optional)

Disable the default configuration:
*
{{{
cd /etc/apache2/sites-available/
}}}
*
{{{
a2dissite 000-default.conf
}}}
*
{{{
systemctl reload apache2
}}}
Create a new conf file, `sp.conf`:
*
{{{
cp 000-default.conf sp.conf
}}}
Edit `sp.conf` with the following:
*
{{{
vim sp.conf
}}}
{{{
<VirtualHost *:80>

        ServerName sp.instXY.ac.lk
        ServerAdmin YOUR-Email
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
}}}
Enable the sp site:
*
{{{
a2ensite sp
}}}
and reload Apache:
*
{{{
systemctl reload apache2
}}}
Install Certbot (the Let's Encrypt client) and enable HTTPS:
{{{
add-apt-repository ppa:certbot/certbot
apt install python-certbot-apache
certbot --apache -d sp.instXY.ac.lk
}}}
{{{
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): YOU@instXY.ac.lk

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sp.instXY.ac.lk
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/sp-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/sp-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/sp-le-ssl.conf


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/sp.conf to ssl vhost in /etc/apache2/sites-available/sp-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sp.instXY.ac.lk

}}}

=== Configure Shibboleth SP ===
11. Download the federation metadata signing certificate:
*
{{{
cd /etc/shibboleth/
}}}
*
{{{
wget https://fr-training.ac.lk/metadata-signer -O federation-cert.pem
}}}
12. Edit `shibboleth2.xml` accordingly. The `Signature` filter makes the SP reject metadata that is not signed with the federation certificate downloaded above, and `RequireValidUntil` rejects metadata without a `validUntil` (or with one more than 864000 seconds, i.e. 10 days, away):
*
{{{
vim /etc/shibboleth/shibboleth2.xml
}}}
{{{
...
<ApplicationDefaults entityID="https://sp.instXY.ac.lk/shibboleth"
     REMOTE_USER="eppn persistent-id targeted-id">
...
<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true" cookieProps="https">
...
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds-training.ac.lk/shibboleth-ds/index.html">
   SAML2
</SSO>
...
<MetadataProvider type="XML" uri="https://fr-training.ac.lk/signed-metadata.xml" legacyOrgName="true" backingFilePath="LEARN-metadata.xml" reloadInterval="600">

      <MetadataFilter type="Signature" certificate="federation-cert.pem"/>

      <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
</MetadataProvider>
}}}
13. Create the SP metadata credentials:
*
{{{
/usr/sbin/shib-keygen
}}}
*
{{{
shibd -t /etc/shibboleth/shibboleth2.xml
}}}
(checks the Shibboleth configuration)
14. Enable the Shibboleth Apache2 module and restart the services:
*
{{{
a2enmod shib2
}}}
*
{{{
service shibd restart
systemctl reload apache2.service
}}}
15. Now you can download your Shibboleth SP metadata from:
*
{{{
https://sp.instXY.ac.lk/Shibboleth.sso/Metadata
}}}
(change `sp.instXY.ac.lk` to your SP's fully qualified domain name)

If you cannot see any metadata specific to your service, you may have to reload the URL several times for the metadata to be generated. Correct metadata contains your SP-specific service URLs and certificate.
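As an added example (not from the original page), the script below checks a `shibboleth2.xml` for the trust settings of step 12: `handlerSSL` and `cookieProps` on `Sessions`, an https entityID, and a `Signature` plus `RequireValidUntil` filter on every remote `MetadataProvider`. Commented-out providers, of which the stock file has several, are ignored. The two sample files (including the `partner-metadata.xml` file name) are constructed for the demonstration; run `audit_shib_config /etc/shibboleth/shibboleth2.xml` against the real file.

```shell
#!/bin/sh
# Added example (not part of the original page): check the trust-related
# settings in shibboleth2.xml after step 12. The SP only accepts assertions from
# IdPs in its metadata, so a remote MetadataProvider without the Signature (or
# RequireValidUntil) filter, and a session cookie that may travel over plain
# HTTP, are the things worth catching. Sample files are constructed below.

# Flatten to one line and drop <!-- ... --> blocks, so the commented-out
# examples shipped in the default shibboleth2.xml are not counted as active.
active_xml() { tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g'; }

# First start tag of element $1 (with its attributes) in the XML string $2.
start_tag() { printf '%s\n' "$2" | grep -Eo "<$1[^>]*>" | head -n 1; }

# Prints one line per finding.
shib_findings() {
    xml=$(active_xml "$1")
    sessions=$(start_tag Sessions "$xml")
    case "$sessions" in *'handlerSSL="true"'*) ;;
        *) echo "FINDING: Sessions handlerSSL is not true (handlers reachable over http)" ;; esac
    case "$sessions" in *'cookieProps="https"'*) ;;
        *) echo "FINDING: Sessions cookieProps is not https (session cookie not marked Secure)" ;; esac
    case "$(start_tag ApplicationDefaults "$xml")" in *'entityID="https://'*) ;;
        *) echo "FINDING: entityID is not an https URL" ;; esac
    # One MetadataProvider element per line, then inspect each remote one.
    printf '%s\n' "$xml" \
      | awk '{ gsub(/<MetadataProvider/, "\n&"); gsub(/<\/MetadataProvider>/, "&\n"); print }' \
      | grep '^<MetadataProvider' \
      | while IFS= read -r p; do
            case "$p" in *'uri="http'*) ;; *) continue ;; esac   # local file providers: skip
            tag=$(start_tag MetadataProvider "$p")
            case "$p" in *'type="Signature"'*) ;;
                *) echo "FINDING: no Signature filter on $tag" ;; esac
            case "$p" in *'type="RequireValidUntil"'*) ;;
                *) echo "FINDING: no RequireValidUntil filter on $tag" ;; esac
        done
}

# Prints the findings and returns their count (0 = clean).
audit_shib_config() {
    findings=$(shib_findings "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    return "$(printf '%s' "$findings" | awk 'END { print NR }')"
}

# Constructed samples: the page's settings, and a weak variant whose only
# Signature filter sits inside a comment.
GOOD_CONF=$(mktemp); WEAK_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.instXY.ac.lk/shibboleth"
       REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds-training.ac.lk/shibboleth-ds/index.html">
        SAML2
      </SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="https://fr-training.ac.lk/signed-metadata.xml" backingFilePath="LEARN-metadata.xml" reloadInterval="600">
      <MetadataFilter type="Signature" certificate="federation-cert.pem"/>
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
    </MetadataProvider>
    <MetadataProvider type="XML" file="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
EOF
cat > "$WEAK_CONF" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.instXY.ac.lk/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="false" cookieProps="http">
      <SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds-training.ac.lk/shibboleth-ds/index.html">
        SAML2
      </SSO>
    </Sessions>
    <!-- Example from the stock file, left commented out: it must NOT count.
    <MetadataProvider type="XML" uri="https://fr-training.ac.lk/signed-metadata.xml">
      <MetadataFilter type="Signature" certificate="federation-cert.pem"/>
    </MetadataProvider>
    -->
    <MetadataProvider type="XML" uri="https://fr-training.ac.lk/signed-metadata.xml" backingFilePath="LEARN-metadata.xml" reloadInterval="600">
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
EOF

for f in "$GOOD_CONF" "$WEAK_CONF"; do
    rc=0; audit_shib_config "$f" || rc=$?
    echo "$f: $rc finding(s)"
done
```

The weak sample yields four findings (handlerSSL, cookieProps, and the two missing filters on the active provider); the commented-out provider with its Signature filter is correctly not credited.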

16. Register your SP on the LEARN test federation:
* Go to `https://fr-training.ac.lk/rr3/providers/sp_registration` and continue the registration by pasting the content of your metadata file.

* When applying for membership of the federation, the form asks a lot of questions to identify your service. Answer all of them as follows:
   * On the SP registration page, start by pasting the whole XML metadata from `https://sp.instXY.ac.lk/Shibboleth.sso/Metadata` and click Next.
   * If you have entered the metadata correctly, you will be asked to select a federation.
   * Select "Federation for Training".
   * Fill in your contact details.
   * Go to the Organization tab and fill in all details for the language English (en) by clicking the "Add in new language" button.
   * Go to the Contacts tab and add at least "Support" and "Technical" contacts.
   * On the UI Information tab you will see some data extracted from the metadata. Fill in the rest.
   * On the Certificates tab, make sure it contains the certificate details; if not, start over by reloading the IDP's metadata and pasting it again.
   * On the Required Attribute tab, select any attribute your application needs, e.g. email as a required and mobile as a desired attribute.
   * Finally, click Register.


=== Configure an example federated resource "secure" ===
17. Create the Apache2 configuration for the application:
*
{{{
sudo su -
}}}
*
{{{
vim /etc/apache2/sites-available/secure.conf
}}}
{{{
RedirectMatch    ^/$  /secure

<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  Require valid-user
</Location>
}}}
18. Create the "`secure`" application in the DocumentRoot:
*
{{{
mkdir /var/www/html/secure
}}}
*
{{{
vim /var/www/html/secure/index.php
}}}
{{{
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
  <head>
    <title></title>
    <meta name="GENERATOR" content="Quanta Plus">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    <p>
     <a href="https://www.instXY.ac.lk/privacy.html">Privacy Policy</a>
    </p>
    <?php
    // Dump the server variables, which include the attributes released by the IdP.
    // Values are HTML-escaped so an attribute value cannot inject markup into this page.
    foreach ($_SERVER as $key => $value){
       print htmlspecialchars((string)$key) . " = " . htmlspecialchars((string)$value) . "<br>";
    }
    /*foreach ($_ENV as $key => $value){
       print $key." = ".$value."<br>";
    }
    foreach ($_COOKIE as $key => $value){
       print $key." = ".$value."<br>";
    }*/
    ?>
  </body>
</html>
}}}
19. Install the needed packages:
*
{{{
apt install libapache2-mod-php
}}}
* Enable the secure site and restart Apache:
{{{
a2ensite secure
}}}
{{{
service shibd restart
systemctl restart apache2.service
}}}
=== Enable Attribute Support on Shibboleth SP ===
20. Enable attributes by removing the comment markers around the related entries in `/etc/shibboleth/attribute-map.xml`.

      You also have to disable the `First deprecated/incorrect version` of the eduPersonTargetedID mapping in `attribute-map.xml` by commenting it out:
{{{
<!-- <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
         <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute> -->
}}}
=== Enable Single Logout ===
21. Change the `<Logout>` element in `/etc/shibboleth/shibboleth2.xml`. Its attributes are passed to the SAML2 LogoutInitiator that the Logout element creates. The fully unfolded configuration, with settings identical to the default, is:
{{{
<Logout asynchronous="true" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
  SAML2 Local
</Logout>
}}}
Setting `asynchronous="false"` makes the flow return to the SP (otherwise this only happens for the SOAP binding, which cannot be done asynchronously).

To initiate a logout, create a button or link to a URL on the SP of the form: https://sp.instXY.ac.lk/Shibboleth.sso/Logout

You may use the following as an example by putting it just above the closing body tag of `/var/www/html/secure/index.php`:

{{{
<p><a href="https://sp.instXY.ac.lk/Shibboleth.sso/Logout">Logout</a></p>
}}}

>The SLO would use an asynchronous message to the IdP and the flow would end at the IdP logout page. The user would be returned to the return URL only if the SLO is done in synchronous mode and the flow returns back to the SP. To set the return URL, pass it in the return parameter as a query string to the Logout initiator, e.g.: https://sp.instXY.ac.lk/Shibboleth.sso/Logout?return=https://sp.instXY.ac.lk/logout-completed.html

=== Enable service provider from your IDP ===
22. To be able to log in to your new SP, you must enable it on your IDP.

* Log in to your IDP and become root.

* If you want to enable any SP that is a member of the federation, edit `relying-party.xml`:

{{{
vim /opt/shibboleth-idp/conf/relying-party.xml
}}}

and uncomment the following in the '''shibboleth.!UnverifiedRelyingParty''' bean:

{{{
<bean parent="SAML2.SSO" p:encryptAssertions="false" />
}}}

This bean applies to relying parties that the IdP cannot verify against its metadata; enabling SSO with `encryptAssertions="false"` there is acceptable for this training setup, not for a production IdP.

Then restart Tomcat.


23. Now you may visit https://sp.instXY.ac.lk/secure and try logging in with your IDP credentials; check out the consent page at the first login.

      You should then see only the `Scoped Affiliation` attribute of the user, because by default other attributes are not included in your attribute filter file.

      You will be asked to select one of the options accepting the consent. On acceptance, check the passed attributes on your SP page.


* To release specific attributes to an SP, add them to `/opt/shibboleth-idp/conf/attribute-filter.xml` on your '''IDP'''.

   Consult the Service Provider guidelines and https://fr-training.ac.lk/attribute-filter-LEARN-Production.xml when deciding which attributes you should release.

   As an example, let's allow EPPN, CN, mail and mobile for your SP.

   On your IDP:

{{{
vim /opt/shibboleth-idp/conf/attribute-filter.xml
}}}

   Add the following at the end, before the closing `</AttributeFilterPolicyGroup>` tag. The `Requester` value must match your SP's entityID from `shibboleth2.xml` exactly:
{{{
<!-- Release some attributes to SP. -->
<AttributeFilterPolicy id="sp.instXY">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.instXY.ac.lk/shibboleth" />

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="commonName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="mobile">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
}}}

   Reload the shibboleth.!AttributeFilterService to apply the new policy:

{{{
/opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService
}}}


   Revisit `https://sp.instXY.ac.lk/secure`; at the login page select '''Clear prior granting of permission for release of your information to this service.''' This redirects you to the consent page, where you can check the attributes released by the filter created above.

   Once you accept the consent, you can see the attributes that were passed to your SP. If you cannot see attributes like `mobile` on your page, you need to allow them in the attribute-map of the SP.

   To do that, edit `/etc/shibboleth/attribute-map.xml` on your '''SP''':

{{{
vim /etc/shibboleth/attribute-map.xml
}}}

   Uncomment the '''Examples of LDAP-based attributes''' section at the end and, before the closing `</Attributes>` line, include:

{{{
<Attribute name="urn:oid:0.9.2342.19200300.100.1.41" id="mobile"/>
<Attribute name="urn:mace:dir:attribute-def:mobile" id="mobile"/>
}}}

  Then restart the shibd and apache2 services and revisit the page.
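The script below is an added example, not part of this page, that ties steps 20 and 23 together: it reports whether an attribute is released by the IdP's `attribute-filter.xml` for the SP's entityID and whether the SP's `attribute-map.xml` has an active (uncommented) mapping for it, which is exactly the pair of causes behind a `mobile` that never shows up on the secure page. It assumes the IdP attribute ID and the SP map `id` are the same string, as they are for `mail` and `mobile` above; both sample files are constructed and include the commented-out `mobile` entry from the stock map.

```shell
#!/bin/sh
# Added example (not part of the original page): trace why an attribute does or
# does not appear on the /secure page. Release needs two things this page
# configures on different hosts: the IdP's attribute-filter.xml must release the
# attribute to this SP's entityID (step 23), and the SP's attribute-map.xml must
# have an active, uncommented <Attribute> for it (step 20 and the end of the
# page). Assumes the IdP attribute ID equals the SP map id (true for mail and
# mobile here). Sample files are constructed below.

# Flatten to one line and drop <!-- ... --> blocks: the "Examples of LDAP-based
# attributes" in the stock attribute-map.xml live inside such a comment.
active_xml() { tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g'; }

# Split flattened XML (stdin) so each element named $1 is on its own line.
split_elements() {
    awk -v e="$1" '{ gsub("<" e "[ />]", "\n&"); gsub("</" e ">", "&\n"); print }' | grep "^<$1[ />]"
}

# True if attribute-map.xml ($1) has an active <Attribute ... id="$2">.
sp_maps_attribute() {
    active_xml "$1" | split_elements Attribute | grep -q " id=\"$2\""
}

# True if attribute-filter.xml ($1) has an active policy that applies to the SP
# entityID $2 (exact, case-sensitive match, as the IdP does) or to any requester,
# and that policy has an AttributeRule for $3. Value-level rules
# (PermitValueRule/DenyValueRule) are not evaluated here.
idp_releases() {
    active_xml "$1" | split_elements AttributeFilterPolicy | while IFS= read -r pol; do
        case "$pol" in
            *"<PolicyRequirementRule xsi:type=\"ANY\""*) ;;
            *"xsi:type=\"Requester\""*"value=\"$2\""*) ;;
            *) continue ;;
        esac
        case "$pol" in *"<AttributeRule attributeID=\"$3\""*) echo yes ;; esac
    done | grep -q yes
}

# Reports both sides; returns 0 = released and mapped, 1 = IdP does not
# release, 2 = SP does not map, 3 = both.
diagnose_release() {   # $1 attribute-map.xml  $2 attribute-filter.xml  $3 entityID  $4 attribute
    rc=0
    if idp_releases "$2" "$3" "$4"; then echo "IdP: releases $4 to $3"
    else echo "IdP: no active policy releases $4 to $3 (check the Requester value against the SP entityID)"; rc=$((rc + 1)); fi
    if sp_maps_attribute "$1" "$4"; then echo "SP: attribute-map.xml maps $4"
    else echo "SP: no active <Attribute id=\"$4\"> in attribute-map.xml (still commented out?)"; rc=$((rc + 2)); fi
    return "$rc"
}

# Constructed samples: a map where mobile is still inside the stock comment, and
# a filter with the page's policy plus the default affiliation release to anyone.
MAP=$(mktemp); FILTER=$(mktemp)
cat > "$MAP" <<'EOF'
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
    <!-- Examples of LDAP-based attributes, uncomment to use these.
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.41" id="mobile"/>
    <Attribute name="urn:mace:dir:attribute-def:mobile" id="mobile"/>
    -->
</Attributes>
EOF
cat > "$FILTER" <<'EOF'
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <AttributeFilterPolicy id="releaseToAnyone">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
    <AttributeFilterPolicy id="sp.instXY">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.instXY.ac.lk/shibboleth" />
        <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="commonName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="mobile"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
EOF

SP_ENTITY="https://sp.instXY.ac.lk/shibboleth"
for a in mail mobile displayName; do
    diagnose_release "$MAP" "$FILTER" "$SP_ENTITY" "$a" || true
done
```

For `mail` both sides agree; `mobile` is released by the IdP but not mapped on the SP (the comment is still in place); `displayName` is mapped on the SP but never released. Calling it with an entityID that differs from the policy's `Requester` value only in letter case reproduces the other common cause of "no attributes".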