This guide will help you configure Shibboleth for Asset Bank using Apache on a Debian Wheezy server.
Install and enable the Shibboleth Apache module
apt-get install libapache2-mod-shib2
a2enmod shib2
apache2ctl restart
Configuration
Shibboleth Configuration
Edit /etc/shibboleth/shibboleth2.xml
Find and edit the ApplicationDefaults or create an ApplicationOverride with the following (replace the first tag name with ApplicationOverride if you are creating an override):
<ApplicationDefaults entityID="http://my.assetbank.domain/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     attributePrefix="AJP_"
                     homeURL="http://my.assetbank.domain/asset-bank/action/ssoAuthenticate">
    <CredentialResolver type="File" key="/etc/ssl/shibboleth/sp-key.pem" certificate="/etc/ssl/shibboleth/sp-cert.pem"/>
    <Sessions lifetime="28800" timeout="600" checkAddress="false" relayState="cookie" handlerSSL="false">
Create a private key and certificate
You can use the recommended keygen.sh even though it's not included in Wheezy:
cd /etc/ssl/shibboleth
wget https://raw.githubusercontent.com/craigpg/shibboleth-sp2/master/configs/keygen.sh
chmod +x keygen.sh
./keygen.sh
rm keygen.sh
Note: once generated, the sp-key.pem and sp-cert.pem may need to be manually moved into /etc/ssl/shibboleth if they are not saved there automatically.
Apache configuration
Make sure that Asset Bank is not accessible through another VirtualHost or through Tomcat directly, because Shibboleth authentication is enforced only at the Apache level. Add the following to a VirtualHost, preferably an SSL-enabled one:
ProxyPass /asset-bank/ ajp://localhost:8009/asset-bank/ retry=0
<Location /asset-bank>
    AuthType shibboleth
    require shibboleth
</Location>
Asset Bank Configuration
Edit your ApplicationSettings.properties file and make sure these settings have the following values:
sso-enabled=true
sso-plugin-class=ShibbolethSSOPlugin
import-remote-users-on-the-fly=true
update-remote-users-on-sso-login=true
update-remote-users-groups-on-sso-login=true
Copy ShibbolethSSOSettings-standard.properties to ShibbolethSSOSettings.properties and edit it according to your Identity Provider metadata:
# Username parameter is required
username=login
# Following are optional, but will enhance user profile on first SSO login
display-name=cn
email=email
forename=firstName
surname=lastName
memberof=memberOf
From version 3.1638.8 you can also set the Shibboleth endpoint if it is not configured on your base domain. This is used for logout actions.
# Endpoint is the absolute path to the Shibboleth instance. This URL should end with Shibboleth.sso
# If this is not populated, it will default to the base domain appended with Shibboleth.sso
# eg. http://my.assetbank.com/Shibboleth.sso
# endpoint=
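The settings above are easy to get subtly wrong (a missing username mapping, an endpoint that does not end in Shibboleth.sso, a disabled plugin), and the attribute flow from the SP through AJP to Asset Bank is not visible until a real login fails. The following is an added example, not Asset Bank's or Shibboleth's own code: it parses the two properties files as shown in this guide, checks the documented rules, and models how a login would be resolved. The REMOTE_USER rule (first listed attribute with a value wins) and the AJP_ prefix come from the Shibboleth SP configuration above; the ';' separator for multi-valued attributes is the SP's default. The attribute set, the parse_properties/validate_application_settings/resolve_endpoint/simulate_login functions and the assumption that Asset Bank reads each mapped field from the AJP_-prefixed attribute named in ShibbolethSSOSettings.properties are all this example's own.

```python
"""Model of the Asset Bank / Shibboleth settings described in this guide.

Added example (not Asset Bank code). Both properties files and the attribute
set are constructed inline so the script runs offline.
"""
from typing import Dict, List, Optional

# Constructed sample: the ApplicationSettings.properties lines from the guide.
APPLICATION_SETTINGS = """\
sso-enabled=true
sso-plugin-class=ShibbolethSSOPlugin
import-remote-users-on-the-fly=true
update-remote-users-on-sso-login=true
update-remote-users-groups-on-sso-login=true
"""

# Constructed sample: ShibbolethSSOSettings.properties with the endpoint left unset.
SHIB_SSO_SETTINGS = """\
# Username parameter is required
username=login
# Following are optional, but will enhance user profile on first SSO login
display-name=cn
email=email
forename=firstName
surname=lastName
memberof=memberOf
# endpoint=
"""

# Constructed sample of what mod_shib would hand to Tomcat over AJP
# (attributePrefix="AJP_"). The persistent-id uses the guide's entityID.
SAMPLE_ATTRS = {
    "AJP_eppn": "alice@example.org",
    "AJP_persistent-id": "https://idp.example.org/idp!http://my.assetbank.domain/shibboleth!abc123",
    "AJP_login": "alice",
    "AJP_cn": "Alice Example",
    "AJP_email": "alice@example.org",
    "AJP_firstName": "Alice",
    "AJP_lastName": "Example",
    "AJP_memberOf": "staff;editors",   # SP default separator for multi-valued attributes
}

REMOTE_USER_ORDER = ("eppn", "persistent-id", "targeted-id")  # from shibboleth2.xml above
PREFIX = "AJP_"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, key=value, trimmed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate_application_settings(props: Dict[str, str]) -> List[str]:
    """Return the list of settings that do not match the values the guide requires."""
    required = {
        "sso-enabled": "true",
        "sso-plugin-class": "ShibbolethSSOPlugin",
        "import-remote-users-on-the-fly": "true",
        "update-remote-users-on-sso-login": "true",
        "update-remote-users-groups-on-sso-login": "true",
    }
    return [f"{k} should be {v}, got {props.get(k)!r}" for k, v in required.items() if props.get(k) != v]


def resolve_endpoint(props: Dict[str, str], base_domain: str) -> str:
    """Apply the documented rule: empty -> base domain + Shibboleth.sso, else must end with it."""
    endpoint = props.get("endpoint", "").strip()
    if not endpoint:
        return base_domain.rstrip("/") + "/Shibboleth.sso"
    if not endpoint.endswith("Shibboleth.sso"):
        raise ValueError("endpoint must end with Shibboleth.sso: " + endpoint)
    return endpoint


def remote_user(attrs: Dict[str, str]) -> Optional[str]:
    """Mirror the SP's REMOTE_USER selection: first attribute in the list with a value wins."""
    for name in REMOTE_USER_ORDER:
        value = attrs.get(PREFIX + name)
        if value:
            return value
    return None


def simulate_login(mapping: Dict[str, str], attrs: Dict[str, str]) -> Dict[str, object]:
    """Assumed model: each Asset Bank field reads the AJP_ attribute named in the mapping."""
    if "username" not in mapping:
        raise ValueError("username mapping is required")
    profile: Dict[str, str] = {}
    for field, attr in mapping.items():
        if field == "endpoint":
            continue
        value = attrs.get(PREFIX + attr)
        if value:
            profile[field] = value
    if "username" not in profile:
        raise ValueError(f"IdP did not release the '{mapping['username']}' attribute")
    groups = profile.pop("memberof", "").split(";") if "memberof" in profile else []
    return {"remote_user": remote_user(attrs), "profile": profile, "groups": groups}


if __name__ == "__main__":
    app = parse_properties(APPLICATION_SETTINGS)
    print("problems:", validate_application_settings(app) or "none")
    sso = parse_properties(SHIB_SSO_SETTINGS)
    print("logout endpoint:", resolve_endpoint(sso, "http://my.assetbank.domain"))
    print(simulate_login(sso, SAMPLE_ATTRS))
```

Running the script reports no problems for the guide's settings, derives http://my.assetbank.domain/Shibboleth.sso as the logout endpoint because endpoint is left commented out, and shows that REMOTE_USER resolves to the eppn value even though persistent-id is also released. Drop AJP_login from the sample attributes to see the failure you would get when the IdP does not release the attribute named by the required username mapping.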
Restart required services
You need to restart Asset Bank, the Shibboleth daemon and Apache (check the Apache configuration first with apache2ctl -t):
service tomcat6 restart
apache2ctl -t
apache2ctl restart
service shibd restart
Test your configuration
You can test the configuration by following the instructions detailed at http://www.testshib.org/register.html