Changes between Version 2 and Version 3 of spiam2018


Timestamp:
Sep 4, 2018, 5:35:11 AM (6 years ago)
Author:
admin
Comment:

--

  • spiam2018

    v2 v3  
    264264wget https://LEARN-Test-federation/signning-key.pem
    265265}}}
    266 
    267 
    268 12. Edit ```shibboleth2.xml``` opportunely:
    269    * ```vim /etc/shibboleth/shibboleth2.xml```
    270 
    271      ```bash
     26612. Edit `shibboleth2.xml` opportunely:
     267*
     268{{{
     269vim /etc/shibboleth/shibboleth2.xml
     270}}}
     271{{{
    272272     ...
    273273     <ApplicationDefaults entityID="https://sp.YOUR-DOMAIN/shibboleth"
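Review bot: the new bare `*` item that sits right before the `{{{` / `vim /etc/shibboleth/shibboleth2.xml` / `}}}` block renders as an empty list entry in Trac wiki; either drop the bullet and keep the block (as was done for the `<ApplicationDefaults>` block that follows) or put the command text on the bullet itself. The unchanged context line `wget https://LEARN-Test-federation/signning-key.pem` still carries the `signning-key` typo, and since this is the federation signing key the SP will rely on, the step should tell readers to compare the downloaded key's fingerprint with the value the federation publishes out of band rather than trusting the download alone.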
     
    286286           <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
    287287     </MetadataProvider>
    288      ```
     288}}}
    28928913. Create SP metadata credentials:
    290    * ```/usr/sbin/shib-keygen```
    291    * ```shibd -t /etc/shibboleth/shibboleth2.xml``` (Check Shibboleth configuration)
    292 
     290*
     291{{{
     292/usr/sbin/shib-keygen
     293}}}
     294*
     295{{{
     296shibd -t /etc/shibboleth/shibboleth2.xml
     297}}}
     298(Check Shibboleth configuration)
    29329914. Enable Shibboleth Apache2 configuration:
    294    * ```a2enmod shib2```
    295    * ```systemctl reload apache2.service ```
    296 
     300*
     301{{{
     302a2enmod shib2
     303}}}
     304*
     305{{{
     306systemctl reload apache2.service
     307}}}
    29730815. Now you are able to reach your Shibboleth SP Metadata on:
    298    * ```https://sp.YOUR-DOMAIN/Shibboleth.sso/Metadata```
    299    (change ```sp.YOUR-DOMAIN``` to you SP full qualified domain name)
    300 
     309*
     310{{{
     311https://sp.YOUR-DOMAIN/Shibboleth.sso/Metadata
     312}}}
     313(change `sp.YOUR-DOMAIN` to you SP full qualified domain name)
    30131416. Register you SP on LEARN test federation:
    302    * Go to ```https://fr-training.ac.lk/rr3/providers/sp_registration``` and continue registration with pasting the content of your metadata file
    303 
    304 
    305 ### Configure an example federated resouce "secure"
    306 
     315* Go to `https://fr-training.ac.lk/rr3/providers/sp_registration` and continue registration with pasting the content of your metadata file
     316=== Configure an example federated resouce "secure" ===
    30731717. Create the Apache2 configuration for the application:
    308    * ```sudo su -```
    309 
    310    * ```vim /etc/apache2/site-available/secure.conf```
    311  
    312      ```bash
     318*
     319{{{
     320sudo su -
     321}}}
     322*
     323{{{
     324vim /etc/apache2/site-available/secure.conf
     325}}}
     326{{{
    313327     RedirectMatch    ^/$  /secure
    314328
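Review bot: moving `(Check Shibboleth configuration)` out of the bullet leaves it as a stray paragraph after the `shibd -t /etc/shibboleth/shibboleth2.xml` block, and every new `*` line that precedes a `{{{` block (`/usr/sbin/shib-keygen`, `a2enmod shib2`, `systemctl reload apache2.service`, the metadata URL, `sudo su -`) renders as an empty list item; fold the explanation into the step text ("Check the Shibboleth configuration with:") and drop the empty bullets. Typos carried over from v2 that are worth fixing while these lines are touched: `Register you SP` and `to you SP full qualified domain name` (your, fully qualified), and `resouce` in the new `=== Configure an example federated resouce "secure" ===` heading.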
     
    318332       require valid-user
    319333     </Location>
    320      ```
    321 
    322 18. Create the "```secure```" application into the DocumentRoot:
    323    * ```mkdir /var/www/html/secure```
    324 
    325    * ```vim /var/www/html/secure/index.php```
    326 
    327      ```html
     334}}}
     33518. Create the "`secure`" application into the DocumentRoot:
     336*
     337{{{
     338mkdir /var/www/html/secure
     339}}}
     340*
     341{{{
     342vim /var/www/html/secure/index.php
     343}}}
     344{{{
    328345     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    329346     <html>
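Review bot: `vim /etc/apache2/site-available/secure.conf` names a directory that does not exist on a Debian/Ubuntu Apache install; the virtual-host directory is `sites-available`, so the line should read `vim /etc/apache2/sites-available/secure.conf` (the typo is unchanged from v2, but this rewrite is the moment to fix it, otherwise readers create the file in a location Apache never reads). The bare `*` lines before `mkdir /var/www/html/secure` and the vim command have the same empty-bullet rendering problem as the earlier steps.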
     
    351368       </body>
    352369     </html>
    353      ```
    354 
     370}}}
    35537119. Install needed packages:
    356    * ```apt istall libapache2-mod-php```
    357 
    358    * ```systemctl restart apache2.service```
    359 
    360 
    361 ### Enable Attribute Support on Shibboleth SP
    362 20. Enable attribute by remove comment from the related content into "```/etc/shibboleth/attribute-map.xml```"
    363     Disable First deprecated/incorrect version of ```persistent-id``` from ```attribute-map.xml```
     372*
     373{{{
     374apt istall libapache2-mod-php
     375}}}
     376*
     377systemctl restart apache2.service
     378}}}
     379=== Enable Attribute Support on Shibboleth SP ===
     38020. Enable attribute by remove comment from the related content into "`/etc/shibboleth/attribute-map.xml`" Disable First deprecated/incorrect version of `persistent-id` from `attribute-map.xml`
    364381   
    365 ### Enable Single Logout
    366 
    367 21. Change <Logout> element in /etc/shibboleth/shibboleth2.xml. They get passed as attributes to the SAML2 LogoutInitiator that gets created by the Logout element.  The fully unfolded configuration with settings identical to default is:
    368 ```xml
     382=== Enable Single Logout ===
     38321. Change <Logout> element in /etc/shibboleth/shibboleth2.xml. They get passed as attributes to the SAML2 logoutInitiator that gets created by the Logout element.  The fully unfolded configuration with settings identical to default is:
     384{{{
    369385<Logout asynchronous="true" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
    370386  SAML2 Local
    371387</Logout>
    372 ```
     388}}}
    373389Setting asynchronous="false" would make the flow return back to the SP (this otherwise only happens for the SOAP binding which cannot be done asynchronously).
    374390
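Review bot: the v3 block for the restart command is malformed: the sequence `*` / `systemctl restart apache2.service` / `}}}` has a closing `}}}` with no opening `{{{`, so the command will not render as a code block and the unmatched brace can unbalance later `{{{`/`}}}` pairs; add the missing `{{{` line, as was done for `apt istall libapache2-mod-php` just above. That command is itself wrong in both versions: `apt istall` should be `apt install`. Step 20 now runs two instructions into one line; keep "Disable first deprecated/incorrect version of `persistent-id` from `attribute-map.xml`" as its own sentence (and "Enable attribute by remove comment" reads better as "Enable attributes by removing the comment"). In step 21 the element name was changed from `LogoutInitiator` to `logoutInitiator`; the Shibboleth SP element is `LogoutInitiator`, so v2 had the correct casing and this change is a regression.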