Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of idpiam2018

Timestamp:: Sep 3, 2018, 7:09:22 AM (6 years ago)
Author:: admin
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

idpiam2018

               v1
+= Shibboleth IdP v3.3.2 on Ubuntu Linux LTS 18.04 =
+Installation assumes you have already installed Ubuntu Server 18.04 with default configuration and has a public IP connectivity with DNS setup
+Lets Assume your server hostname as '''idp.YOUR-DOMAIN'''
+All commands are to be run as root and you may use `sudo su` to become root
+. Install the packages required:
+   {{{
+apt-get install vim default-jdk ca-certificates openssl tomcat8 apache2 ntp expat
+}}}
+. Modify `/etc/hosts`:
+   {{{
+vim /etc/hosts
+}}}
+    {{{
+.0.0.1 idp.YOUR-DOMAIN idp
+    }}}
+   (Replace `idp.YOUR-DOMAIN` with your IdP FQDN)
+. Define the costants `JAVA_HOME` and `IDP_SRC` inside `/etc/environment`:
+ *
+{{{
+update-alternatives --config java
+}}}
+ (copy the path without /bin/java)
+ *
+{{{
+vim /etc/environment```
+}}}
+{{{
+     JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
+     IDP_SRC=/usr/local/src/shibboleth-identity-provider-3.3.2
+}}}
+ *
+{{{
+source /etc/environment
+}}}
+ *
+{{{
+export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
+}}}
+ *
+{{{
+export IDP_SRC=/usr/local/src/shibboleth-identity-provider-3.3.2
+}}}
+. Configure '''/etc/default/tomcat8''':
+ *
+{{{
+update-alternatives --config java
+}}}
+ (copy the path without /bin/java)
+ *
+{{{
+update-alternatives --config javac
+}}}
+ *
+{{{
+vim /etc/default/tomcat8
+}}}
+     {{{
+     JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
+     ...
+     JAVA_OPTS="-Djava.awt.headless=true -XX:+DisableExplicitGC -XX:+UseParallelOldGC -Xms256m -Xmx1g -Djava.security.egd=file:/dev/./urandom"
+     }}}
+     (This settings configure the memory of the JVM that will host the IdP Web Application.
+     The Memory value depends on the phisical memory installed on the machine.
+     On production environment Set the "'''Xmx'''" (max heap space available to the JVM) at least to '''2GB''')
+. Download the Shibboleth Identity Provider v3.3.2:
+ *
+{{{
+cd /usr/local/src
+}}}
+ *
+{{{
+wget http://shibboleth.net/downloads/identity-provider/3.3.2/shibboleth-identity-provider-3.3.2.tar.gz
+}}}
+ *
+{{{
+tar -xzvf shibboleth-identity-provider-3.3.2.tar.gz
+}}}
+ *
+{{{
+cd shibboleth-identity-provider-3.3.2
+}}}
+. Generate Passwords for later use in the installation
+ *
+{{{
+   tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
+}}}
+> '''Note: You will need two password string, ###PASSWORD-FOR-BACKCHANNEL### and ###PASSWORD-FOR-COOKIE-ENCRYPTION###'''
+. Run the installer `install.sh` to install Shibboleth Identity Provider v3.3.2:
+ *
+{{{
+   ./bin/install.sh
+}}}
+{{{
+   root@idp:/usr/local/src/shibboleth-identity-provider-3.3.2# ./bin/install.sh
+   Source (Distribution) Directory: [/usr/local/src/shibboleth-identity-provider-3.3.2]
+   Installation Directory: [/opt/shibboleth-idp]
+   Hostname: [localhost.localdomain]
+   idp.YOUR-DOMAIN
+   SAML EntityID: [https://idp.YOUR-DOMAIN/idp/shibboleth]
+   Attribute Scope: [localdomain]
+   YOUR-DOMAIN
+   Backchannel PKCS12 Password: ###PASSWORD-FOR-BACKCHANNEL###
+   Re-enter password:           ###PASSWORD-FOR-BACKCHANNEL###
+   Cookie Encryption Key Password: ###PASSWORD-FOR-COOKIE-ENCRYPTION###
+   Re-enter password:              ###PASSWORD-FOR-COOKIE-ENCRYPTION###
+}}}
+   From this point the variable '''idp.home''' refers to the directory: `/opt/shibboleth-idp`
+. Import the JST libraries to visualize the IdP `status` page:
+ *
+   {{{
+   cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
+}}}
+ *
+   {{{
+   wget https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
+ }}}
+ *
+{{{
+   cd /opt/shibboleth-idp/bin ; ./build.sh -Didp.target.dir=/opt/shibboleth-idp
+}}}
+. Change the owner to enable '''tomcat8''' user to access on the following directories:
+ *
+   {{{
+   chown -R tomcat8 /opt/shibboleth-idp/logs/
+}}}
+ *
+   {{{
+   chown -R tomcat8 /opt/shibboleth-idp/metadata/
+}}}
+ *
+   {{{
+   chown -R tomcat8 /opt/shibboleth-idp/credentials/
+}}}
+ *
+   {{{
+   chown -R tomcat8 /opt/shibboleth-idp/conf/
+}}}
+== Configure SSL on Apache2 with Letsencrypt ==
+If you do this installation in Lab setup please skip to implementing https with self-signed certificates as described in '''step 13'''.
+. Disable default apache configuration:
+ *
+   {{{
+   a2dissite 000-default
+}}}
+. Create a new configuration file as `idp.conf` with the following:
+ *
+   {{{
+   vim /etc/apache2/site-available/idp.conf
+}}}
+{{{
+   <VirtualHost *:80>
+     ServerName idp.YOUR-DOMAIN
+     ServerAdmin admin@YOUR-DOMAIN
+     DocumentRoot /var/www/html
+   </VirtualHost>
+}}}
+   Enable Apache2 modules:
+ *
+   {{{
+   a2enmod proxy_http ssl headers alias include negotiation
+}}}
+   Restart the Apache service:
+ *
+   {{{
+   service apache2 restart
+}}}
+. Install Letsencrypt and enable HTTPS:
+ *
+   {{{
+   add-apt-repository ppa:certbot/certbot
+}}}
+ *
+   {{{
+   apt install python-certbot-apache
+}}}
+ *
+   {{{
+   certbot --apache -d idp.YOUR-DOMAIN
+}}}
+{{{
+   Plugins selected: Authenticator apache, Installer apache
+   Enter email address (used for urgent renewal and security notices) (Enter 'c' to
+   cancel): YOU@YOUR-DOMAIN
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Please read the Terms of Service at
+   https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
+   agree in order to register with the ACME server at
+   https://acme-v02.api.letsencrypt.org/directory
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   (A)gree/(C)ancel: A
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Would you be willing to share your email address with the Electronic Frontier
+   Foundation, a founding partner of the Let's Encrypt project and the non-profit
+   organization that develops Certbot? We'd like to send you email about our work
+   encrypting the web, EFF news, campaigns, and ways to support digital freedom.
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   (Y)es/(N)o: Y
+   Obtaining a new certificate
+   Performing the following challenges:
+   http-01 challenge for idp.YOUR-DOMAIN
+   Waiting for verification...
+   Cleaning up challenges
+   Created an SSL vhost at /etc/apache2/sites-available/idp-le-ssl.conf
+   Enabled Apache socache_shmcb module
+   Enabled Apache ssl module
+   Deploying Certificate to VirtualHost /etc/apache2/sites-available/idp-le-ssl.conf
+   Enabling available site: /etc/apache2/sites-available/idp-le-ssl.conf
+   Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+: No redirect - Make no further changes to the webserver configuration.
+: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
+   new sites, or if you're confident your site works on HTTPS. You can undo this
+   change by editing your web server's configuration.
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
+   Redirecting vhost in /etc/apache2/sites-enabled/rr3.conf to ssl vhost in /etc/apache2/sites-available/rr3-le-ssl.conf
+   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+   Congratulations! You have successfully enabled https://idp.YOUR-DOMAIN
+}}}
+. (OPTIONAL) If you haven't follow the letsencrypt method Create a Certificate and a Key self-signed for HTTPS
+ *
+   {{{
+   mkdir /root/certificates
+}}}
+ *
+   {{{
+   openssl req -x509 -newkey rsa:4096 -keyout /root/certificates/idp-key-server.key -out /root/certificates/idp-cert-server.crt -nodes -days 1095
+}}}
+   If you purchased SSL certificates from a Public CA, move the Certificate and the Key file for HTTPS server to `/root/certificates`:
+ *
+   {{{
+   mv /location-to-crts/idp-cert-server.crt /root/certificates
+}}}
+ *
+   {{{
+   mv /location-to-crts/idp-key-server.key /root/certificates
+}}}
+ *
+   {{{
+   mv /location-to-crts/PublicCA.crt /root/certificates
+}}}
+   Then,
+ *
+   {{{
+   chmod 400 /root/certificates/idp-key-server.key
+}}}
+ *
+   {{{
+   chmod 644 /root/certificates/idp-cert-server.crt
+}}}
+ *
+   {{{
+   chmod 644 /root/certificates/PublicCA.crt
+}}}
+   Create the file `/etc/apache2/sites-available/idp-ssl.conf` as follows:
+   {{{
+   <IfModule mod_ssl.c>
+      SSLStaplingCache        shmcb:/var/run/ocsp(128000)
+      <VirtualHost _default_:443>
+        ServerName idp.YOUR-DOMAIN:443
+        ServerAdmin admin@example.org
+        DocumentRoot /var/www/html
+        ...
+        SSLEngine On
+        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+        SSLHonorCipherOrder on
+        # Disable SSL Compression
+        SSLCompression Off
+        # OCSP Stapling, only in httpd/apache >= 2.3.3
+        SSLUseStapling          on
+        SSLStaplingResponderTimeout 5
+        SSLStaplingReturnResponderErrors off
+        # Enable HTTP Strict Transport Security with a 2 year duration
+        Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;preload"
+        ...
+        SSLCertificateFile /root/certificates/idp-cert-server.crt
+        SSLCertificateKeyFile /root/certificates/idp-key-server.key
+        SSLCertificateChainFile /root/certificates/publicCA.crt
+        ...
+      </VirtualHost>
+   </IfModule>
+}}}
+   Enable '''proxy_http''', '''SSL''' and '''headers''' Apache2 modules:
+ *
+   {{{
+   a2enmod proxy_http ssl headers alias include negotiation
+}}}
+ *
+   {{{
+   a2ensite idp-ssl.conf
+}}}
+ *
+   {{{
+   service apache2 restart
+}}}
+   Configure Apache2 to redirect all on HTTPS:
+ *
+   {{{
+   vim /etc/apache2/sites-enabled/000-default.conf
+}}}
+{{{
+   <VirtualHost *:80>
+        ServerName "idp.YOUR-DOMAIN"
+        Redirect "/" "https://idp.YOUR-DOMAIN/"
+   </VirtualHost>
+}}}
+== Configure Apache Tomcat 8 ==
+. Modify `server.xml`:
+ *
+   {{{
+   vim /etc/tomcat8/server.xml
+}}}
+     Comment out the Connector 8080 (HTTP):
+{{{
+     <!-- A "Connector" represents an endpoint by which requests are received
+          and responses are returned. Documentation at :
+          Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+          Java AJP  Connector: /docs/config/ajp.html
+          APR (HTTP/AJP) Connector: /docs/apr.html
+          Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+     -->
+     <!--
+     <Connector port="8080" protocol="HTTP/1.1"
+                connectionTimeout="20000"
+                URIEncoding="UTF-8"
+                redirectPort="8443" />
+     -->
+}}}
+     Enable the Connector 8009 (AJP):
+     ```apache
+     <!-- Define an AJP 1.3 Connector on port 8009 -->
+     <Connector port="8009" protocol="AJP/1.3" redirectPort="443" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"/>
+     ```
+     Check the integrity of XML files just edited with:
+     ```xmlwf -e UTF-8 /etc/tomcat8/server.xml```
+. Create and change the file ```idp.xml```:
+ *
+   {{{
+   sudo vim /etc/tomcat8/Catalina/localhost/idp.xml```
+     ```apache
+     <Context docBase="/opt/shibboleth-idp/war/idp.war"
+              privileged="true"
+              antiResourceLocking="false"
+              swallowOutput="true"/>
+     ```
+. Create the Apache2 configuration file for IdP:
+ *
+   {{{
+   vim /etc/apache2/sites-available/idp-proxy.conf```
+     ```apache
+     <IfModule mod_proxy.c>
+       ProxyPreserveHost On
+       RequestHeader set X-Forwarded-Proto "https"
+       <Proxy ajp://localhost:8009>
+         Require all granted
+       </Proxy>
+       ProxyPass /idp ajp://localhost:8009/idp retry=5
+       ProxyPassReverse /idp ajp://localhost:8009/idp retry=5
+     </IfModule>
+     ```
+. Enable **proxy_ajp** apache2 module and the new IdP site:
+ *
+   {{{
+   a2enmod proxy_ajp```
+ *
+   {{{
+   a2ensite idp-proxy.conf```
+ *
+   {{{
+   service apache2 restart```
+. Modify **context.xml** to prevent error of *lack of persistence of the session objects* created by the IdP :
+ *
+   {{{
+   vim /etc/tomcat8/context.xml```
+     and remove the comment from:
+     ```<Manager pathname="" />```
+. Restart Tomcat8:
+ *
+   {{{
+   service tomcat8 restart```
+. Verify if the IdP works by opening this page on your browser:
+ *
+   {{{
+   https://idp.YOUR-DOMAIN/idp/shibboleth``` (you should see the IdP metadata)
+### Speed up Tomcat 8 startup
+. Find out the JARs that can be skipped from the scanning:
+  *
+   {{{
+   cd /opt/shibboleth-idp/```
+  *
+   {{{
+   ls webapp/WEB-INF/lib | awk '{print $1",\\"}'```
+    Insert the output list into ```/etc/tomcat8/catalina.properties``` at the tail of  ```tomcat.util.scan.StandardJarScanFilter.jarsToSkip```
+    Make sure about the  ```,\``` symbols
+    Restart Tomcat 8:
+  *
+   {{{
+   service tomcat8 restart```
+### Configure Shibboleth Identity Provider v3.2.1 to release the persistent-id (Stored mode)
+. Test IdP by opening a terminal and running these commands:
+ *
+   {{{
+   cd /opt/shibboleth-idp/bin```
+ *
+   {{{
+   ./status.sh``` (You should see some informations about the IdP installed)
+. Install **MySQL Connector Java** and other useful libraries used by Tomcat for MySQL DB (if you don't have them already):
+ *
+   {{{
+   apt-get install mysql-server libmysql-java libcommons-dbcp-java libcommons-pool-java```
+ *
+   {{{
+   cd /usr/share/tomcat8/lib/```
+ *
+   {{{
+   ln -s ../../java/mysql.jar mysql-connector-java.jar```
+ *
+   {{{
+   ln -s ../../java/commons-pool.jar commons-pool.jar```
+ *
+   {{{
+   ln -s ../../java/commons-dbcp.jar commons-dbcp.jar```
+ *
+   {{{
+   ln -s ../../java/tomcat-jbcp.jar tomcat-jbcp.jar```
+   Ignore if you get errors for some of the ```ln``` commands as the files might be already there.
+. Rebuild the **idp.war** of Shibboleth with the new libraries:
+ *
+   {{{
+   cd /opt/shibboleth-idp/ ; ./bin/build.sh```
+   You may need to press enter on `Installation Directory: [/opt/shibboleth-idp]`
+. Create and prepare the "**shibboleth**" MySQL DB to host the values of the several **persistent-id** and **StorageRecords** MySQL DB to host other useful information about user consent:
+    * `mysql_secure_installation`
+```
+Securing the MySQL server deployment.
+Connecting to MySQL using a blank password.
+VALIDATE PASSWORD PLUGIN can be used to test passwords
+and improve security. It checks the strength of password
+and allows the users to set only those passwords which are
+secure enough. Would you like to setup VALIDATE PASSWORD plugin?
+Press y|Y for Yes, any other key for No: y
+There are three levels of password validation policy:
+LOW    Length >= 8
+MEDIUM Length >= 8, numeric, mixed case, and special characters
+STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
+Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
+Please set the password for root here.
+New password:
+Re-enter new password:
+Estimated strength of the password: 50
+Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
+By default, a MySQL installation has an anonymous user,
+allowing anyone to log into MySQL without having to have
+a user account created for them. This is intended only for
+testing, and to make the installation go a bit smoother.
+You should remove them before moving into a production
+environment.
+Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
+Success.
+Normally, root should only be allowed to connect from
+'localhost'. This ensures that someone cannot guess at
+the root password from the network.
+Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
+Success.
+By default, MySQL comes with a database named 'test' that
+anyone can access. This is also intended only for testing,
+and should be removed before moving into a production
+environment.
+Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
+ - Dropping test database...
+Success.
+ - Removing privileges on test database...
+Success.
+Reloading the privilege tables will ensure that all changes
+made so far will take effect immediately.
+Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
+Success.
+All done!
+```
+   * log in to your MySQL Server:
+     ```mysql -u root -p```
+```sql
+    SET NAMES 'utf8';
+    SET CHARACTER SET utf8;
+    CREATE DATABASE IF NOT EXISTS shibboleth CHARACTER SET=utf8;
+    GRANT ALL PRIVILEGES ON shibboleth.* TO root@localhost IDENTIFIED BY '##ROOT-DB-PASSWORD##';
+    GRANT ALL PRIVILEGES ON shibboleth.* TO ##USERNAME##@localhost IDENTIFIED BY '##PASSWORD##';
+    FLUSH PRIVILEGES;
+    USE shibboleth;
+    CREATE TABLE IF NOT EXISTS shibpid
+    (
+    localEntity VARCHAR(255) NOT NULL,
+    peerEntity VARCHAR(255) NOT NULL,
+    persistentId VARCHAR(50) NOT NULL,
+    principalName VARCHAR(50) NOT NULL,
+    localId VARCHAR(50) NOT NULL,
+    peerProvidedId VARCHAR(50) NULL,
+    creationDate TIMESTAMP NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
+    deactivationDate TIMESTAMP NULL default NULL,
+    PRIMARY KEY (localEntity, peerEntity, persistentId)
+    );
+    CREATE TABLE IF NOT EXISTS StorageRecords
+    (
+    context VARCHAR(255) NOT NULL,
+    id VARCHAR(255) NOT NULL,
+    expires BIGINT(20) DEFAULT NULL,
+    value LONGTEXT NOT NULL,
+    version BIGINT(20) NOT NULL,
+    PRIMARY KEY (context, id)
+    );
+    quit
+```
+   * Restart mysql service:
+     ```service mysql restart```
+. Enable the generation of the ```persistent-id``` (this replace the deprecated attribute *eduPersonTargetedID*)
+  *
+   {{{
+   vim /opt/shibboleth-idp/conf/saml-nameid.properties```
+   (the *sourceAttribute* MUST BE an attribute, or a list of comma-separated attributes, that uniquely identify the subject of the generated ```persistent-id```. It MUST BE: **Stable**, **Permanent** and **Not-reassignable**)
+     ```xml
+     idp.persistentId.sourceAttribute = uid
+     ...
+     idp.persistentId.salt = ### result of 'openssl rand -base64 36'###
+     ...
+     idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator
+     ...
+     idp.persistentId.dataSource = MyDataSource
+     ...
+     idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
+     ```
+   * Enable the **SAML2PersistentGenerator**:
+   *
+   {{{
+   vim /opt/shibboleth-idp/conf/saml-nameid.xml```
+     Remove the comment from the line containing:
+     ```xml
+     <ref bean="shibboleth.SAML2PersistentGenerator" />
+     ```
+   *
+   {{{
+   vim /opt/shibboleth-idp/conf/c14n/subject-c14n.xml```
+     Remove the comment to the bean called "**c14n/SAML2Persistent**".
+     ```xml
+     <ref bean="c14n/SAML2Persistent" />
+     ```
+. Enable **JPAStorageService** for the **StorageService** of the user consent:
+ *
+   {{{
+   vim /opt/shibboleth-idp/conf/global.xml``` and add this piece of code to the tail before the ending \</beans\>:
+     ```xml
+     <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->
+     <bean id="MyDataSource" class="org.apache.commons.dbcp.BasicDataSource"
+           p:driverClassName="com.mysql.jdbc.Driver"
+           p:url="jdbc:mysql://localhost:3306/shibboleth?autoReconnect=true"
+           p:username="##USER_DB_NAME##"
+           p:password="##PASSWORD##"
+           p:maxActive="10"
+           p:maxIdle="5"
+           p:maxWait="15000"
+           p:testOnBorrow="true"
+           p:validationQuery="select 1"
+           p:validationQueryTimeout="5" />
+     <bean id="shibboleth.JPAStorageService" class="org.opensaml.storage.impl.JPAStorageService"
+           p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
+           c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/>
+     <bean id="shibboleth.JPAStorageService.entityManagerFactory"
+           class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
+           <property name="packagesToScan" value="org.opensaml.storage.impl"/>
+           <property name="dataSource" ref="MyDataSource"/>
+           <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter"/>
+           <property name="jpaDialect">
+             <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
+           </property>
+     </bean>
+     <bean id="shibboleth.JPAStorageService.JPAVendorAdapter" class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
+           <property name="database" value="MYSQL" />
+     </bean>
+     ```
+     (and modify the "**USER_DB_NAME**" and "**PASSWORD**" for your "**shibboleth**" DB)
+   * Modify the IdP configuration file:
+   *
+   {{{
+   vim /opt/shibboleth-idp/conf/idp.properties```
+       ```xml
+       idp.session.StorageService = shibboleth.JPAStorageService
+       idp.consent.StorageService = shibboleth.JPAStorageService
+       idp.replayCache.StorageService = shibboleth.JPAStorageService
+       idp.artifact.StorageService = shibboleth.JPAStorageService
+       # Track information about SPs logged into
+       idp.session.trackSPSessions = true
+       # Support lookup by SP for SAML logout
+       idp.session.secondaryServiceIndex = true
+       ```
+       (This will indicate to IdP to store the data collected by User Consent into the "**StorageRecords**" table)
+. Connect the openLDAP to the IdP to allow the authentication of the users:
+    * use ```openssl x509 -outform der -in /etc/ssl/certs/ldap_server.pem -out /opt/shibboleth-idp/credentials/ldap_server.crt``` to load the ldap certificate.
+    If you host ldap in a seperate machine, copy the ldap_server.crt to  ```/opt/shibboleth-idp/credentials```
+  *
+   {{{
+   vim /opt/shibboleth-idp/conf/ldap.properties```
+     * Solution 1: LDAP + STARTTLS:
+       ```xml
+       idp.authn.LDAP.authenticator = bindSearchAuthenticator
+       idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
+       idp.authn.LDAP.useStartTLS = true
+       idp.authn.LDAP.useSSL = false
+       idp.authn.LDAP.sslConfig = certificateTrust
+       idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
+       idp.authn.LDAP.userFilter = (uid={user})
+       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=org
+       idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
+       idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
+       ```
+     * Solution 2: LDAP + TLS:
+       ```xml
+       idp.authn.LDAP.authenticator = bindSearchAuthenticator
+       idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636
+       idp.authn.LDAP.useStartTLS = false
+       idp.authn.LDAP.useSSL = true
+       idp.authn.LDAP.sslConfig = certificateTrust
+       idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
+       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
+       idp.authn.LDAP.userFilter = (uid={user})
+       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=org
+       idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
+       idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
+       ```
+     * Solution 3: plain LDAP
+       ```xml
+       idp.authn.LDAP.authenticator = bindSearchAuthenticator
+       idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
+       idp.authn.LDAP.useStartTLS = false
+       idp.authn.LDAP.useSSL = false
+       idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
+       idp.authn.LDAP.userFilter = (uid={user})
+       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=org
+       idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
+       ```
+       (If you decide to use the Solution 3, you have to remove (or comment out) the following code from your Attribute Resolver file:
+       ```xml
+       </dc:FilterTemplate>
+       <!--
+       <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
+         <sec:Certificate>%
+           {idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
+         </dc:StartTLSTrustCredential>
+       -->
+       </resolver:DataConnector>
+       ```
+       **UTILITY FOR OPENLDAP ADMINISTRATOR:**
+         *
+   {{{
+   ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn```
+           * the baseDN ==> ```ou=people, dc=example,dc=org``` (branch containing the registered users)
+           * the bindDN ==> ```cn=admin,dc=example,dc=org``` (distinguished name for the user that can made queries on the LDAP)
+. Enrich IDP logs with the authentication error occurred on LDAP:
+ *
+   {{{
+   vim /opt/shibboleth-idp/conf/logback.xml```
+     ```xml
+     <!-- Logs LDAP related messages -->
+     <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
+     <!-- Logs on LDAP user authentication -->
+     <logger name="org.ldaptive.auth.Authenticator" level="INFO" />
+     ```
+. Build the **attribute-resolver.xml** to define which attributes your IdP can manage. Here you can find the **attribute-resolver-v1-LEARN.xml** provided by LEARN:
+    * Download the attribute resolver provided by LEARN:
+      ```wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml```
+    * Modify ```services.xml``` file:
+      ```vim /opt/shibboleth-idp/conf/services.xml```
+      ```xml
+      <value>%{idp.home}/conf/attribute-resolver.xml</value>
+      ```
+      must become:
+      ```xml
+      <value>%{idp.home}/conf/attribute-resolver-v1-LEARN.xml</value>
+      ```
+    * Configure the LDAP Data Connector to be compliant to the values put on ```ldap.properties```. (See above suggestions)
+    * Restart Tomcat8:
+      ```service tomcat8 restart```
+. Enable the SAML2 support by changing the ```idp-metadata.xml``` and disabling the SAML v1.x deprecated support:
+  *
+   {{{
+   vim /opt/shibboleth-idp/metadata/metadata.xml```
+      ```bash
+      <IDPSSODescriptor> SECTION:
+        – From the list of "protocolSupportEnumeration" remove:
+          - urn:oasis:names:tc:SAML:1.1:protocol
+          - urn:mace:shibboleth:1.0
+        – Remove the endpoint:
+          <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.YOUR-DOMAIN:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
+          (and modify the index value of the next one to “1”)
+        – Remove the endpoint:
+          <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        – Replace the endpoint:
+          <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+          with:
+          <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
+          (because the IdP installed with this guide releases persistent SAML NameIDs)
+        - Remove the endpoint:
+          <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.YOUR-DOMAIN/idp/profile/Shibboleth/SSO"/>
+        - Remove all ":8443" from the existing URL (such port is not used anymore)
+        - Uncomment SingleLogoutService:
+          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/Redirect/SLO"/>
+          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/POST/SLO"/>
+          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/POST-SimpleSign/SLO"/>
+          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://identity.thilinapathirana.xyz/idp/profile/SAML2/SOAP/SLO"/>
+      <AttributeAuthorityDescriptor> Section:
+        – From the list "protocolSupportEnumeration" replace the value of:
+          - urn:oasis:names:tc:SAML:1.1:protocol
+          with
+          - urn:oasis:names:tc:SAML:2.0:protocol
+        - Remove the comment from:
+          <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.YOUR-DOMAIN/idp/profile/SAML2/SOAP/AttributeQuery"/>
+        - Remove the endpoint:
+          <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.YOUR-DOMAIN:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
+        - Remove all ":8443" from the existing URL (such port is not used anymore)
+      ```
+. Obtain your IdP metadata here:
+    *  ```https://idp.YOUR-DOMAIN/idp/shibboleth```
+. Register you IdP on the test Federation:
+  *
+   {{{
+   https://fr-training.ac.lk/```
+    > For production enviornments please use `https://fr.ac.lk`, Also make sure to remove `-training` from all urls.
+. Configure the IdP to retrieve the Federation Metadata:
+  *
+   {{{
+   cd /opt/shibboleth-idp/conf```
+  *
+   {{{
+   vim metadata-providers.xml```
+      ```xml
+      <MetadataProvider
+            id="HTTPMD-LEARN-Federation"
+            xsi:type="FileBackedHTTPMetadataProvider"
+            backingFile="%{idp.home}/metadata/test-metadata.xml"
+            metadataURL="http://fr-training.ac.lk/rr3/metadata/federation/FR-training/metadata.xml">
+            <!--
+                Verify the signature on the root element of the metadata aggregate
+                using a trusted metadata signing certificate.
+            -->
+            <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="${idp.home}/metadata/federation-cert.pem"/>
+            <!--
+                Require a validUntil XML attribute on the root element and
+                make sure its value is no more than 10 days into the future.
+            -->
+            <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P10D"/>
+            <!-- Consume all SP metadata in the aggregate -->
+            <MetadataFilter xsi:type="EntityRoleWhiteList">
+              <RetainedRole>md:SPSSODescriptor</RetainedRole>
+            </MetadataFilter>
+      </MetadataProvider>
+      ```
+    * Retrive the Federation Certificate used to verify its signed metadata:
+    *  ```wget https://fr-training.ac.lk/metadata-signer -O /opt/shibboleth-idp/metadata/federation-cert.pem```
+. Reload service with id ```shibboleth.MetadataResolverService``` to retrieve the Federation Metadata:
+    *  ```cd /opt/shibboleth-idp/bin```
+    *  ```./reload-service.sh -id shibboleth.MetadataResolverService```
+. The day after the Federation Operators approval you, check if you can login with your IdP on the following services:
+    * https://sp-training.ac.lk/secure   (Service Provider provided for testing the LEARN Training Federation)
+    * https://sp-test.learn.ac.lk/secure (Service Provider provided for testing the LEARN Production Federation)
+### Configure Attribute Filters to release the mandatory attributes to the default IDEM Resources:
+. Make sure that you have the "```tmp/httpClientCache```" used by "```shibboleth.FileCachingHttpClient```":
+  *
+   {{{
+   mkdir -p /opt/shibboleth-idp/tmp/httpClientCache ; chown tomcat8 /opt/shibboleth-idp/tmp/httpClientCache```
+. Modify your ```services.xml```:
+  *
+   {{{
+   vim /opt/shibboleth-idp/conf/services.xml```
+      ```xml
+      <bean id="Default-Filter" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
+            c:client-ref="shibboleth.FileCachingHttpClient"
+            c:url="https://fr-training.ac.lk/attribute-filter-LEARN-Default.xml"
+            c:backingFile="%{idp.home}/conf/attribute-filter-LEARN-Default.xml"/>
+      <bean id="Production-Filter" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
+            c:client-ref="shibboleth.FileCachingHttpClient"
+            c:url="https://fr-training.ac.lk/attribute-filter-LEARN-Production.xml"
+            c:backingFile="%{idp.home}/conf/attribute-filter-LEARN-Production.xml"/>
+      ...
+      <util:list id ="shibboleth.AttributeFilterResources">
+         <value>%{idp.home}/conf/attribute-filter.xml</value>
+         <ref bean="Default-Filter"/>
+         <ref bean="Production-Filter"/>
+       </util:list>
+      ```
+. Reload service with id ```shibboleth.AttributeFilterService``` to refresh the Attribute Filter followed by the IdP:
+    *  ```cd /opt/shibboleth-idp/bin```
+    *  ```./reload-service.sh -id shibboleth.AttributeFilterService```
+### Appendix: Useful logs to find problems
+. Tomcat 8 Logs:
+ *
+   {{{
+   cd /var/log/tomcat8```
+ *
+   {{{
+   vim catalina.out```
+. Shibboleth IdP Logs:
+ *
+   {{{
+   cd /opt/shibboleth-idp/logs```
+   * **Audit Log:** ```vim idp-audit.log```
+   * **Consent Log:** ```vim idp-consent-audit.log```
+   * **Warn Log:** ```vim idp-warn.log```
+   * **Process Log:** ```vim idp-process.log```