Shibboleth Service Provider Installation and Configuration for EASI Development Staff
This site provides localized instructions to install and configure the Shibboleth service provider in the testbed environment. Use this site only when directed by ITS admins.
1. Install the SP software
The first step is to get the Shibboleth Service Provider (SP) software running. Installation instructions can be found at:
https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
The above site contains complete installation instructions for Linux and Windows servers. Get the SP software installed up to the point where the following URL works from your SP server. Request it from the server itself: the default shibboleth2.xml restricts the Status handler to 127.0.0.1 and ::1 (acl="127.0.0.1 ::1"), so a request from any other host is refused even when the SP is healthy.
https://localhost/Shibboleth.sso/Status
Notes:
- SELinux should be disabled or in permissive mode unless you know how to write a policy for shibd. Prefer permissive over disabled: the denials it logs to /var/log/audit/audit.log show exactly what a policy would have to allow.
- NTP or some other time synchronization mechanism must be operating. SAML assertions and metadata carry validity windows (NotBefore, NotOnOrAfter, validUntil) that the SP enforces within its clock-skew allowance, so a drifting clock shows up as authentication failures rather than as an obvious time error.
- To install with yum, create a repo file in /etc/yum.repos.d (for example shib-sp.repo) containing the repository definition for your platform from the site above, then run 'yum install shibboleth'.
- If you are moving a service provider from the testbed environment, please follow the instructions below carefully since there are a few changes from the previous configuration.
2. Configuration of shibboleth2.xml
shibboleth2.xml (on Linux, /etc/shibboleth/shibboleth2.xml) is the main configuration file for the Shibboleth SP.
a) entityID
located in: <ApplicationDefaults>
format: https://sp.department_domain.utoronto.ca/unique_identifier
example: https://sp.math.utoronto.ca/calculus_tutorial
The entityID uniquely identifies the SP. It is in URL form and should be chosen with the expectation that it may eventually be used as a resolvable DNS name, but it does not need to be resolvable now. The domain name portion of the entityID is not required to be the same as the DNS hostname of the SP. It is very important that the entityID not change over the lifetime of the service, since its value is an input to the derivation of long-term persistent user identifiers (the persistent NameID / eduPersonTargetedID the IdP issues for this SP): changing it gives every existing user a new identifier at this SP.
b) Session Initiation (pointing to an IdP)
This configuration is used by the SP to determine what to do when there is no established session for the user, i.e. when user authentication is required. It contains the name of the U of T Identity Provider (IdP) that will be used to establish a session with the user.
Add the following configuration under the <Sessions> object, replacing the existing <SSO> element if the file already has one, so that only one default session initiator is defined:
    <!-- Default SessionInitiator directs to
         idp-easi.utoronto.ca (the EASI development IdP) -->
    <SSO entityID="https://idp-easi.utoronto.ca/shibboleth">
        SAML2
    </SSO>
The element body lists the protocols the initiator will try; SAML2 alone means no fallback to SAML 1.
c) Metadata Configuration
This configuration tells the SP where to fetch the SAML metadata: the shared collection of entity identifiers, endpoints, certificates and policy used by all participants to create and process authentication and authorization information. Add the following configuration under the <MetadataProvider> object and comment out all other nested <MetadataProvider> blocks:
    <!-- UofT Federation Metadata - served from sites.utoronto.ca -->
    <MetadataProvider type="XML" url="https://sites.utoronto.ca/security/UofT_testbed_metadata.xml"
            backingFilePath="/etc/shibboleth/UofT_testbed_metadata.xml" reloadInterval="3600">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="5184000"/>
        <MetadataFilter type="Signature" verifyName="false" certificate="/etc/shibboleth/utorauth_metadata_verify.crt"/>
    </MetadataProvider>
What the two filters do: RequireValidUntil rejects an aggregate that carries no validUntil attribute, or whose validUntil lies more than 5184000 seconds (60 days) in the future, so the publisher must commit to an expiry and an aggregate that stops being refreshed is rejected once it passes. The Signature filter rejects any aggregate whose XML signature does not verify against the key in utorauth_metadata_verify.crt; this, not the HTTPS transport, is what the SP relies on for the integrity of the metadata. verifyName="false" skips the check that the signing certificate's subject matches the aggregate's Name attribute. backingFilePath is the local copy used when the URL is unreachable at startup, and reloadInterval="3600" re-fetches every hour.
Notes:
For Microsoft Windows OS, the backingFilePath value should be:
"c:/opt/shibboleth-sp/etc/shibboleth/UofT_testbed_metadata.xml"
The certificate path in the Signature filter (step d below) needs the same adjustment on Windows.
d) Metadata Verification Certificate
Download the following certificate from here:
http://sites.utoronto.ca/security/projects/utorauth_metadata_verify.crt
and store it at the path:
/etc/shibboleth/utorauth_metadata_verify.crt
This certificate is the trust anchor for every metadata aggregate the SP will accept, and the download URL is plain HTTP, so confirm its SHA-256 fingerprint with auth.admin@utoronto.ca (or another out-of-band channel) before installing it.
e) Completion
Metadata for the SP site needs to be created and installed in the internal federation file (specified in the MetadataProvider element above). You must submit the following information to the shibboleth operations team for this purpose:
- entityID
- Fully-qualified domain name of this service provider.
- The self-signed X.509 certificate automatically generated during the Shibboleth software install (usually /etc/shibboleth/sp-cert.pem). Send only the certificate; the matching private key (sp-key.pem) stays on the server and must never be sent.
You can submit this using the web form at:
https://auth-admin.utoronto.ca/shib/app/sp-request
Please send an email to auth.admin@utoronto.ca on completion.
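The checks that steps b) to e) imply, as an added example in Python; it is not part of this page, of the Shibboleth distribution or of any U of T tooling. It mirrors what the RequireValidUntil filter enforces (validUntil present, expiry no more than 5184000 seconds ahead), confirms that the IdP named in the <SSO> element and the page's example SP entityID are present in the aggregate with the right role descriptors, and computes the SHA-256 fingerprint of a PEM certificate the way openssl prints it, for comparing utorauth_metadata_verify.crt or sp-cert.pem against a value obtained out of band. The aggregate it parses is constructed inline (the IdP endpoint path in it is an assumption); pass the backingFilePath copy as the first argument to run the same checks against the real testbed aggregate. Signature presence is only checked, not verified; shibd does the verification.

```python
"""Pre-flight checks for the metadata configuration above (added example, not UofT or
Shibboleth code). The sample aggregate is constructed here; its IdP endpoint path is an assumption."""
import base64
import datetime as dt
import hashlib
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Values from the configuration on this page.
IDP_ENTITY_ID = "https://idp-easi.utoronto.ca/shibboleth"
SP_ENTITY_ID = "https://sp.math.utoronto.ca/calculus_tutorial"  # the page's example entityID
MAX_VALIDITY_INTERVAL = 5184000  # seconds, as in the RequireValidUntil filter (60 days)

_TEMPLATE = """<EntitiesDescriptor xmlns="{md}" xmlns:ds="{ds}"{valid_until}>
  {signature}
  <EntityDescriptor entityID="{idp}">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="{redirect}"
          Location="https://idp-easi.utoronto.ca/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="{sp}">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.math.utoronto.ca/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def sample_metadata(valid_until, signed=True):
    """Constructed aggregate; valid_until=None omits the attribute, signed=False the signature."""
    return _TEMPLATE.format(
        md=MD_NS, ds=DS_NS, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID, redirect=SAML2_REDIRECT,
        valid_until=f' validUntil="{valid_until}"' if valid_until else "",
        signature="<ds:Signature/>" if signed else "")

def load_metadata(xml_text):
    return ET.fromstring(xml_text)

def parse_saml_datetime(value):
    """UTC xs:dateTime as used in metadata, e.g. 2030-01-01T00:00:00Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported xs:dateTime: {value!r}")

def check_valid_until(root, now, max_interval=MAX_VALIDITY_INTERVAL):
    """What the RequireValidUntil filter enforces. `now` is an xs:dateTime string.
    Returns (accepted, reason)."""
    value = root.get("validUntil")
    if value is None:
        return False, "rejected: no validUntil on EntitiesDescriptor (RequireValidUntil)"
    expiry, now_dt = parse_saml_datetime(value), parse_saml_datetime(now)
    if expiry <= now_dt:
        return False, f"rejected: metadata expired at {value}"
    if expiry - now_dt > dt.timedelta(seconds=max_interval):
        return False, f"rejected: validUntil {value} exceeds maxValidityInterval ({max_interval}s)"
    return True, f"ok: valid until {value}"

def has_signature(root):
    """Presence only. An unsigned aggregate is refused outright by the Signature filter;
    verifying the signature against utorauth_metadata_verify.crt is shibd's job (or xmlsec1's)."""
    return root.find(f"{{{DS_NS}}}Signature") is not None

def find_entity(root, entity_id):
    return next((e for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")
                 if e.get("entityID") == entity_id), None)

def idp_sso_locations(root, entity_id=IDP_ENTITY_ID, binding=SAML2_REDIRECT):
    """SAML2 SSO endpoints the <SSO entityID="..."> initiator will redirect users to."""
    ed = find_entity(root, entity_id)
    if ed is None:
        return []
    return [s.get("Location") for s in ed.iter(f"{{{MD_NS}}}SingleSignOnService")
            if s.get("Binding") == binding]

def sp_registered(root, entity_id=SP_ENTITY_ID):
    """True once the ops team has added this SP (step e) to the aggregate."""
    ed = find_entity(root, entity_id)
    return ed is not None and ed.find(f"{{{MD_NS}}}SPSSODescriptor") is not None

def cert_sha256_fingerprint(pem):
    """Colon-separated SHA-256 of the DER body, as `openssl x509 -noout -fingerprint -sha256` prints it."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    # No argument: check the constructed sample. With a path (e.g. the backingFilePath
    # /etc/shibboleth/UofT_testbed_metadata.xml): check the real aggregate.
    stamp = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    now = dt.datetime.now(dt.timezone.utc)
    text = (open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1
            else sample_metadata(stamp(now + dt.timedelta(days=30))))
    root = load_metadata(text)
    print(check_valid_until(root, stamp(now)))
    print("signature element present:", has_signature(root))
    print("IdP SAML2 redirect endpoints:", idp_sso_locations(root))
    print("SP registered:", sp_registered(root))
```

Run it with no arguments to see the checks pass on the sample; run it against the backing file after shibd has fetched the aggregate to confirm the IdP endpoint is there and, once the ops team has processed your request, that your entityID shows up with an SPSSODescriptor. For the fingerprint, read the PEM file and pass its contents to cert_sha256_fingerprint, then compare with the value you obtained out of band.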
f) Troubleshooting
See the following site for tips to solve problems:
http://sites.utoronto.ca/security/projects/sp-troubleshoot.htm
g) Authentication and Authorization
This development environment supplies only test data; no live UTORid information is available. Additions and changes to this data store can be requested by email to auth.admin@utoronto.ca.