
Shibboleth Service Provider Installation and Configuration for EASI Development Staff

This site provides localized instructions to install and configure the Shibboleth service provider in the testbed environment. Use this site only when directed by ITS admins.

1. Install the SP software

The first step is to get the Shibboleth Service Provider (SP) software running. Installation instructions can be found at:

https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

The above site contains complete installation instructions for Linux and Windows platform servers. Get the SP software installed up to the point where the following URL works from your SP server:

https://localhost/Shibboleth.sso/Status

Notes:

  • SELinux should be disabled or in permissive mode unless you know what you are doing.
  • NTP or some other time synchronization mechanism must be operating.
  • To install using yum, create a file in /etc/yum.repos.d such as shib-sp.repo. Copy the repo file from the desired repository (see the above site for a selection). Then run 'yum install shibboleth'.
  • If you are moving a service provider from the testbed environment, please follow the instructions below carefully since there are a few changes from the previous configuration.

2. Configuration of shibboleth2.xml

shibboleth2.xml is the main configuration file for the Shibboleth SP.

a) entityID
located in: <ApplicationDefaults>
format: https://sp.department_domain.utoronto.ca/unique_identifier
example: https://sp.math.utoronto.ca/calculus_tutorial

The entityID uniquely identifies the SP. It is in URL form and should be chosen with the expectation that it may eventually be used as a resolvable DNS name, but it does not need to be resolvable now. The domain name portion of the entityID is not required to be the same as the DNS hostname of the SP. It is very important that the entityID not change over the lifetime of the service, since its value is used in the derivation of long-term persistent user identifiers.

b) Session Initiation (pointing to an IdP)

This configuration is used by the SP to determine what to do when there is no established session for the user, e.g. when user authentication is required. It contains the name of the U of T Identity Provider (IdP) that will be used to establish a session with the user.

Add the following configuration under the <Sessions> object:

    <!-- Default SessionInitiator directs to idp-easi.utoronto.ca (the EASI development IdP) -->
    <SSO entityID="https://idp-easi.utoronto.ca/shibboleth">
        SAML2
    </SSO>

c) Metadata Configuration

This configuration is used by the SP to locate the SAML metadata, which is the collection of shared configuration and security information used by all participants to create and process authentication and authorization information. Add the following configuration under the <MetadataProvider> object, and comment out all other nested <MetadataProvider> blocks:

    <!-- UofT Federation Metadata - served from sites.utoronto.ca -->
    <MetadataProvider type="XML" url="https://sites.utoronto.ca/security/UofT_testbed_metadata.xml"
                      backingFilePath="/etc/shibboleth/UofT_testbed_metadata.xml" reloadInterval="3600">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="5184000"/>
        <MetadataFilter type="Signature" verifyName="false" certificate="/etc/shibboleth/utorauth_metadata_verify.crt"/>
    </MetadataProvider>

Notes:

For Microsoft Windows OS, the backingFilePath value should be:

"c:/opt/shibboleth-sp/etc/shibboleth/UofT_testbed_metadata.xml"
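Before submitting the SP for registration, it is worth checking that shibboleth2.xml actually carries the settings from steps a) to c). The script below is an added example written for this page, not part of the U of T instructions or the Shibboleth distribution; it parses a constructed sample configuration and reports any deviation from the entityID form, the EASI IdP SSO entry, and the single metadata provider with its RequireValidUntil and Signature filters. Point check_sp_config() at the contents of your own /etc/shibboleth/shibboleth2.xml to lint a real install.

```python
import re
import xml.etree.ElementTree as ET
EASI_IDP = "https://idp-easi.utoronto.ca/shibboleth"
METADATA_URL = "https://sites.utoronto.ca/security/UofT_testbed_metadata.xml"
ENTITYID_RE = re.compile(r"^https://sp\.[a-z0-9.-]+\.utoronto\.ca/[A-Za-z0-9_.-]+$")
# Constructed sample shibboleth2.xml (not a real U of T file); one provider is commented out.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.math.utoronto.ca/calculus_tutorial">
    <Sessions>
      <SSO entityID="https://idp-easi.utoronto.ca/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="Chaining">
      <!-- <MetadataProvider type="XML" url="https://example.org/old.xml"/> -->
      <MetadataProvider type="XML" url="https://sites.utoronto.ca/security/UofT_testbed_metadata.xml"
          backingFilePath="/etc/shibboleth/UofT_testbed_metadata.xml" reloadInterval="3600">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="5184000"/>
        <MetadataFilter type="Signature" verifyName="false"
            certificate="/etc/shibboleth/utorauth_metadata_verify.crt"/>
      </MetadataProvider>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

def local(tag):  # drop the namespace so SP 2.x and 3.x config files both work
    return tag.rsplit("}", 1)[-1]
def check_sp_config(xml_text):
    """Return a list of deviations from the EASI testbed settings; [] means clean."""
    root = ET.fromstring(xml_text)
    find = lambda name: [e for e in root.iter() if local(e.tag) == name]
    problems = []
    apps = find("ApplicationDefaults")
    entity_id = apps[0].get("entityID", "") if apps else ""
    if not ENTITYID_RE.match(entity_id):
        problems.append(f"entityID {entity_id!r} not of form https://sp.<dept>.utoronto.ca/<id>")
    sso = find("SSO")
    if not sso or sso[0].get("entityID") != EASI_IDP or "SAML2" not in (sso[0].text or ""):
        problems.append("SSO must name the EASI IdP and list SAML2")
    # ElementTree drops XML comments, so commented-out providers are not counted.
    providers = [p for p in find("MetadataProvider") if p.get("type") == "XML"]
    if len(providers) != 1 or providers[0].get("url") != METADATA_URL:
        return problems + ["expected exactly one active XML MetadataProvider for the testbed metadata"]
    filters = {f.get("type"): f for f in providers[0] if local(f.tag) == "MetadataFilter"}
    rvu, sig = filters.get("RequireValidUntil"), filters.get("Signature")
    if rvu is None or rvu.get("maxValidityInterval") != "5184000":
        problems.append("RequireValidUntil filter missing or maxValidityInterval != 5184000")
    if sig is None or not sig.get("certificate", "").endswith("utorauth_metadata_verify.crt"):
        problems.append("Signature filter missing or not using utorauth_metadata_verify.crt")
    return problems
```

A non-empty result lists every check that failed, so a freshly copied template with the wrong entityID and no filters will report all three at once.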

d) Metadata Verification Certificate

Download the following certificate from here:

http://sites.utoronto.ca/security/projects/utorauth_metadata_verify.crt

and store it at the path:

/etc/shibboleth/utorauth_metadata_verify.crt

e) Completion

Metadata for the SP site needs to be created and installed in the internal federation file (specified in the MetadataProvider element above). You must submit the following information to the shibboleth operations team for this purpose:

    1. entityID
    2. Fully-qualified domain name of this service provider.
    3. The self-signed X.509 certificate automatically generated during the shibboleth software install (usually /etc/shibboleth/sp-cert.pem).

You can submit this using the webform on the following site. Please send an email to auth.admin@utoronto.ca on completion.

https://auth-admin.utoronto.ca/shib/app/sp-request

f) Troubleshooting

See the following site for tips to solve problems:

http://sites.utoronto.ca/security/projects/sp-troubleshoot.htm

g) Authentication and Authorization

This development environment supplies only test data - no live UTORid information is available. Additions and changes to this data store can be made by email to auth.admin@utoronto.ca.


©2012 - University of Toronto Information + Technology Services, All Rights Reserved.