  • Shibboleth 2.0 IdP Training:Basics and InstallationJanuary, 2009

  • IdP Basics: Terms SAMLSecurity Access Markup LanguageXML-based standard for authentication and authorization data interchangeIdentity Provider producer of assertionsService Provider consumer of assertionsCurrent Version: 2.0Shibboleth 2.0 implements SAML 2.0

  • IdP Basics: Terms Entity IDA unique URI for a Shibboleth Identity Provider (IdP) or Service Provider (SP)The recommended format is a URLhttps://idp.colostate.edu/idp/shibbolethInCommon Federation uses URNs:urn:mace:incommon:colostate.edu

  • IdP Basics: Terms Relying PartyThe SAML peer to which the IdP is communicating withThe peer in most cases for an IdP is an SP

  • IdP Basics: Terms ProfileA description of how to use SAML to accomplish a specific taskProfiles define the interface for SAML peers

  • IdP Basics: Terms MetadataA description of the SAML features supported by a SAML entityThis includes the URLs for communicating with the entityShibboleth also uses this information to build technical trust between entities

  • IdP Installation PrerequisitesThree basic prerequisites for installation:Java Virtual MachineJava Servlet ContainerHTTP ListenerYou should be comfortable installing software on your platform

    PrerequisiteWhat were usingJava Virtual MachineSun Java SE 6Java Servlet ContainerApache Tomcat 6HTTP ListenerApache HTTPD 2.2 + mod_proxy_ajp

  • Apache Tomcat Shibboleth PrerequisitesSet in TOMCAT_HOME/conf/server.xmlTurn off Apache Tomcat authentication (optional)Set AJP listener to accept connections from localhost only

  • Lab: Shibboleth InstallationUnzip the distribution archiveRun an install scriptAnswer questionsDeploy a WAR fileRestart Tomcat and verify the installation on port 8080

  • Shibboleth Home (SHIB_HOME)/opt/shibboleth-idp should contain

  • SHIB_HOME/binContains command line toolsaacli: attribute authority command line interfaceversion: returns the IdP version

  • SHIB_HOME/confContains the IdPs configuration files:

  • SHIB_HOME/credentialsCredentials used by the IdPThe installer creates these:idp.key (IdP key)idp.crt (certificate)idp.jks (keystore)You can use this directory to store Federation certificates

  • SHIB_HOME/libCopies of libraries in the WAR file that make up the IdPUsed by the command line tools

  • SHIB_HOME/logsContains the IdP log filesidp-process.log*idp-access.logidp-audit.log

  • SHIB_HOME/metadataContains metadata filesFiles placed in this directory are not automatically loaded

  • SHIB_HOME/warContains the IdP WAR file created by the installerNote that we configured Apache Tomcat to run the IdP directly from the WAR file

  • HTTP ListenerApache Tomcat has a built-in HTTP listener and can be used as a standaloneApache HTTPD is a web server often implemented as a HTTP listener for TomcatUsing both can offer flexibilityAnd interface well with legacy components

  • Apache HTTPD and TomcatUse mod_proxy_ajpDefine VirtualHosts for the Shibboleth SAML profiles, which listen on ports 443 and optionally 8443mod_proxy directive to connect to TomcatCertificate settingsOthers as required (logging, etc.)

  • Lab: Apache HTTPDConfigure Apache HTTPD as the HTTP listener for Apache Tomcatmod_proxy_ajp has already been installedModify /etc/httpd/conf/httpd.confAdd the ProxyPass for /idpRestart Apache HTTPD

  • LoggingConfigured using the logging.xml file5 Logging levelsERRORWARNINFODEBUGTRACE

  • Lab: LoggingChange the logging level of the edu.internet2.middleware.shibboleth logger and evaluate the difference in the logging messages

  • Metadata: GeneralDescribes SAML features supported by the IdP and SPIncludes the URLs for communicating with the IdP and SPCertificates for IdPs and SPs to trust each otherFederations will typically control and publish metadata

  • Metadata: ConfigurationMetadata can be stored and loaded locally (use SHIB_HOME/metadata)Metadata can also be loaded from a remote sourceWe will discuss both configurations

  • Metadata: ConfigurationMetadata is loaded into the IdP by metadata providersMetadata providers are defined in the relying-party.xml fileA single metadata container provider is defined where you will define within it your metadata providers

  • Metadata: Defining a ProviderMetadata providers are defined using the elementEvery metadata provider must have a:Unique ID using the id attributeType using the xsi:type attributeEach type of metadata provider has its own set of configuration attributes

  • Metadata: Filesystem ProviderThe Filesystem metadata provider loads a metadata file from the local filesystem.Use type definition:xsi:type="FilesystemMetadataProvider"Configuration attributemetadataFile

  • Metadata: File-backed HTTP ProviderLoads metadata via HTTP and backs it up to local fileType definition:xsi:type="FileBackedHTTPMetadataProvider"Configuration attributes:metadataURLbackingFile

  • Lab: Metadata ProvidersDefine a file-backed HTTP metadata provider

  • Multiple Metadata ProvidersThe chaining metadata provider processes children metadata providers in the order they are definedIf the same entity is defined in more than one metadata provider, only the first definition found will be used

  • Metadata RegistrationMetadata must be shared between relying partiesFederations typically have a centralized registration process and systemsRegister certificates and profiles

  • Lab: Metadata RegistrationRegister your IdP so it can interact with the SP/DS in the lab

  • ReferencesMore information on IdP basics and installation can be found at:


    IdP basics and installationhttps://spaces.internet2.edu/display/SHIB2/Installation

    IdP prerequisites and installationhttps://spaces.internet2.edu/display/SHIB2/IdPInstall

