
Howto: Create a virtual platform Shibboleth

CAROUX Félicien, NEMPONT Maxime (Promotion FI-2010)
Scientific & IT Project, 2009-2010
Supervisor: M. LANDRU Jacques (Telecom Lille 1)

Table of contents

1. Create the work environment
1.1. Build a Debian image
1.2. Run this image to install the main packages
1.3. Java's installation
1.4. Apache's installation
1.5. SSH's installation
1.6. Create 2 images
2. IDP's installation & basic configurations
2.1. Run the IDP image
2.2. Tomcat's installation
2.3. Shibboleth's installation
2.4. Tomcat's configuration
2.5. Apache's configuration
2.6. First tests
3. SP's installation
3.1. Run the SP image
3.2. Shibboleth's installation
4. Our virtual topology
4.1. IDP's configuration with our virtual topology
4.2. SP's configuration with our virtual topology
5. Final tests
6. Bibliography
7. Appendix
   IDP: httpd.conf
   IDP: logging.xml
   IDP: ports.conf
   IDP: relying-party.xml
   IDP: ssl8443
   IDP's metadata
   SP: httpd.conf
   SP: ports.conf
   SP: shibboleth2.xml
   SP: shibd.logger
   SP: SP.crt
   SP: SP.key
   SP's metadata


CAROUX Félicien – NEMPONT Maxime Page 1

1. Create the work environment

1.1. Build a Debian image

Create a 5 GB raw disk image and boot the Debian Lenny netinst ISO on it to install the base system:

#qemu-img create vmain.raw 5G
#kvm -hda vmain.raw -cdrom /home/user/Desktop/debian-5-03-i386-netinst.iso -boot d -m 1024

1.2. Run this image to install the main packages

#kvm -hda vmain.raw -m 512 -name main

1.3. Java's installation

First, enable the non-free repository: edit /etc/apt/sources.list and append the keyword "non-free" to the lenny line.

#nano /etc/apt/sources.list
<…>
deb http://ftp.fr/debian/ lenny main non-free

Then refresh the package index and install the Sun JRE and JDK:

#aptitude update
#aptitude install sun-java6-jre sun-java6-jdk

Tomcat needs the JAVA_HOME environment variable. Add the following line to /home/user/.bashrc. Note that it must be present in the environment of the shell that later starts Tomcat: su without "-" keeps the caller's environment, so set it in the shell you run the startup command from.

#nano /home/user/.bashrc
<…>
export JAVA_HOME=/usr/lib/jvm/java-6-sun/

1.4. Apache's installation

In this Shibboleth setup Apache terminates TLS and holds the server certificates; it fronts Tomcat on the IDP and mod_shib on the SP. Install it with:

#aptitude install apache2

1.5. SSH's installation

We use SSH (scp) to transfer files such as metadata between the virtual machines. Install it with:

#aptitude install ssh

1.6. Create 2 images

Our topology uses two virtual disks, one per server role (IDP and SP). Both are qcow2 overlays backed by the mother image vmain.raw: reads fall through to vmain.raw and writes go to the overlay (copy-on-write), so vmain.raw must from now on be treated as read-only. Do not boot vmain.raw directly again once the overlays exist; any change to the backing file silently corrupts them.

#kvm-img create -b vmain.raw -f qcow2 IDP
#kvm-img create -b vmain.raw -f qcow2 SP

2. IDP's installation & basic configurations

2.1. Run the IDP image

#kvm -hda IDP -m 512 -name IDP

2.2. Tomcat's installation

In this Shibboleth setup Tomcat runs the IdP web application (a Java servlet stack).

First, download the core tarball from http://tomcat.apache.org/download-55.cgi. Then install it under /usr/local/tomcat and hand it to a dedicated, unprivileged user:

#tar xzf apache-tomcat-5.5.28.tar.gz
#mv apache-tomcat-5.5.28 /usr/local/tomcat
#adduser tomcat
#chown -R tomcat /usr/local/tomcat

Tomcat also needs CATALINA_HOME. Add the following line to /home/user/.bashrc (same remark as for JAVA_HOME: it must be set in the shell that starts Tomcat).

#nano /home/user/.bashrc
<…>
export CATALINA_HOME=/usr/local/tomcat

2.3. Shibboleth's installation

First, download the Shibboleth Identity Provider archive from:

http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/

Unzip it, then run install.sh from the extracted folder to install the IdP stack.

#unzip shibboleth-identityprovider-2.1.5-bin.zip
#sh install.sh

The installer asks for an installation path and a hostname. In our configuration the installation path was /usr/local/idp and the hostname was the private IP address of the IDP (192.168.0.1, assigned in section 4). The hostname given here ends up in the IdP's entityID and endpoint URLs (https://192.168.0.1/idp/shibboleth), so it must be the name the SP will actually use to reach the IdP.

2.4. Tomcat's configuration

Copy the endorsed libraries shipped with the IdP (XML and security libraries that must override the JDK's) into Tomcat's endorsed folder so the IdP servlet can work:

#cp /home/user/Desktop/shibboleth-identityprovider-2.1.5/endorsed/* /usr/local/tomcat/common/endorsed/

Apache will authenticate users and relay the user name to the IdP over AJP. For that, edit the port 8009 AJP13 connector in /usr/local/tomcat/conf/server.xml: add request.tomcatAuthentication="false" so Tomcat accepts the REMOTE_USER set by Apache, and address="127.0.0.1" so the connector only listens on the loopback interface. The second setting is what makes the first one safe: with Tomcat's own authentication disabled, Tomcat trusts any user name presented on an AJP connection, so anyone able to reach port 8009 over the network could log in to the IdP as whoever they like.

#nano /usr/local/tomcat/conf/server.xml
<…>
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" request.tomcatAuthentication="false" address="127.0.0.1" />

Tomcat's web manager (the "Tomcat Manager" link on the default page) lets you deploy and control web applications from a browser. It needs an account with the manager role, declared in tomcat-users.xml. Choose a real password here: this account can deploy arbitrary code into the servlet container, and the test values below are only acceptable on an isolated lab network.

#nano /usr/local/tomcat/conf/tomcat-users.xml
<…>
<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
</tomcat-users>

Now create a context descriptor so Tomcat deploys the IdP directly from its installed idp.war, without copying the archive into Tomcat's webapps/ folder. This avoids the caching problems Tomcat has with redeployed WAR files. The docBase must point at the install path chosen in 2.3 (/usr/local/idp):

#nano /usr/local/tomcat/conf/Catalina/localhost/idp.xml
<Context docBase="/usr/local/idp/war/idp.war" privileged="true" antiResourceLocking="false" antiJARLocking="false" unpackWAR="false" />

2.5. Apache's configuration

First, create a test user with htpasswd. The -c flag creates the password file (and overwrites an existing one), so use it only for the first account.

#htpasswd -c /usr/local/idp/credentials/user.db NameUser

Then front the IdP's RemoteUser login handler with HTTP Basic authentication by adding the following to /etc/apache2/httpd.conf. Apache authenticates the browser against user.db and forwards the resulting REMOTE_USER to the IdP over AJP; this is the only path by which a user name should ever reach the IdP.

#nano /etc/apache2/httpd.conf
<…>
<Location /idp/Authn/RemoteUser>
    AuthType Basic
    AuthName "Our IDP"
    AuthUserFile /usr/local/idp/credentials/user.db
    require valid-user
</Location>

Add the following lines to httpd.conf to pass requests for the IdP to Tomcat over AJP. Basic authentication sends the password in clear text, so make sure users reach /idp only through the HTTPS virtual host. The jsp-examples line only exposes Tomcat's sample applications for testing and should not stay on a real IdP.

#nano /etc/apache2/httpd.conf
<…>
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/
ProxyPass /jsp-examples/ ajp://127.0.0.1:8009/jsp-examples/

Apache terminates TLS and holds the IdP's certificate and key. Configure this in /etc/apache2/httpd.conf; in our configuration we use the following options (the directive is SSLCertificateFile, not SSLCertificate):

#nano /etc/apache2/httpd.conf
<…>
SSLCertificateFile /usr/local/idp/credentials/idp.crt
SSLCertificateKeyFile /usr/local/idp/credentials/idp.key
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10

SSLVerifyClient optional_no_ca makes Apache request a client certificate but accept the connection whether or not that certificate chains to a known CA. This is what the back-channel on port 8443 needs: the SP authenticates its attribute queries with its own self-signed certificate, and it is the IdP's trust engines (the ClientCertAuth rules in relying-party.xml, evaluated against the SP's metadata) that decide whether the certificate is acceptable, not Apache. Do not rely on this directive for access control.

mod_proxy's default configuration denies all proxy access. Edit /etc/apache2/mods-available/proxy.conf and comment out the Deny from all line so the ProxyPass rules above can work. Leave ProxyRequests Off in that file: with Deny from all removed, turning ProxyRequests on would make the IdP an open forward proxy.

#nano /etc/apache2/mods-available/proxy.conf
<…>
#Deny from all

Our configuration needs the proxy, proxy_ajp and ssl modules. Enable them with:

#a2enmod proxy
#a2enmod proxy_ajp
#a2enmod ssl

You can check that the modules are enabled: symlinks for them appear in /etc/apache2/mods-enabled.

Then copy /etc/apache2/sites-available/default-ssl to a new site file and change its listening port from 443 to 8443. The SSLCertificateFile and SSLCertificateKeyFile directives are already set globally in httpd.conf, so comment them out in the new file.

#cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/ssl8443
#nano /etc/apache2/sites-available/ssl8443
<…>
<VirtualHost _default_:8443>
<…>
#SSLCertificateFile
#SSLCertificateKeyFile

Also make Apache listen on the new port by editing /etc/apache2/ports.conf:

#nano /etc/apache2/ports.conf
<…>
Listen 8443

Finally, enable both SSL sites (443 for browsers, 8443 for the SAML back-channel).

#a2ensite default-ssl
#a2ensite ssl8443
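The Apache and Tomcat settings of sections 2.4 and 2.5 form one trust boundary: Tomcat believes the REMOTE_USER that Apache sends, so the AJP connector must be unreachable from outside and the RemoteUser location must be behind authentication. The following script is an added example (not code from the original report or from the Shibboleth project) that checks both sides of that hand-off. The server.xml and httpd.conf fragments it contains are constructed for the example and mirror the directives given above; the function names and the loopback list are this example's own choices.

```python
"""Audit the Apache -> Tomcat REMOTE_USER hand-off that the IdP relies on.

Added example, not code from the original report or the Shibboleth project.
With tomcatAuthentication disabled on the AJP connector, Tomcat believes any
user name the peer sends, so the RemoteUser login handler is only as safe as
two settings taken together:
  1. the AJP connector listens on 127.0.0.1 only, so that nothing but the
     local Apache can open an AJP connection and assert a user name;
  2. the /idp/Authn/RemoteUser location sits behind real Apache
     authentication, so REMOTE_USER is only ever set after a login.
The server.xml and httpd.conf fragments below are constructed for this
example; they mirror the directives the how-to asks you to add.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the hardened connector from section 2.4.
SERVER_XML_OK = """<Server>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" redirectPort="8443" />
    <Connector port="8009" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" request.tomcatAuthentication="false"
               address="127.0.0.1" />
  </Service>
</Server>"""

# Constructed sample: the same connector without the address attribute,
# i.e. reachable from every interface, as Tomcat ships it.
SERVER_XML_OPEN = SERVER_XML_OK.replace(' address="127.0.0.1"', "")

# Constructed sample: the Location and ProxyPass directives from section 2.5.
HTTPD_CONF_OK = """<Location /idp/Authn/RemoteUser>
    AuthType Basic
    AuthName "Our IDP"
    AuthUserFile /usr/local/idp/credentials/user.db
    require valid-user
</Location>
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_connector_findings(server_xml):
    """Problems with the AJP connectors declared in a server.xml document."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol") != "AJP/1.3":
            continue
        port, addr = conn.get("port"), conn.get("address")
        # The how-to writes request.tomcatAuthentication, the Tomcat docs
        # write tomcatAuthentication; accept either spelling.
        trusts_apache = "false" in (
            conn.get("tomcatAuthentication", "true").lower(),
            conn.get("request.tomcatAuthentication", "true").lower(),
        )
        if addr not in LOOPBACK:
            findings.append(
                f"AJP connector {port} listens on {addr or 'all interfaces'}; "
                'set address="127.0.0.1"'
            )
        if not trusts_apache:
            findings.append(
                f"AJP connector {port} keeps tomcatAuthentication on; "
                "the REMOTE_USER sent by Apache will be ignored"
            )
    return findings


def remote_user_location_findings(httpd_conf):
    """Problems on the Apache side: the RemoteUser location and the AJP target."""
    findings = []
    block = re.search(r"<Location\s+/idp/Authn/RemoteUser\s*>(.*?)</Location>",
                      httpd_conf, re.S | re.I)
    if block is None:
        findings.append("no <Location /idp/Authn/RemoteUser> block: the login "
                        "handler has no Apache authentication in front of it")
    else:
        body = block.group(1)
        if not re.search(r"^\s*AuthType\s+\S+", body, re.M | re.I):
            findings.append("RemoteUser location sets no AuthType")
        if not re.search(r"^\s*Require\s+valid-user\b", body, re.M | re.I):
            findings.append("RemoteUser location has no 'Require valid-user'")
    for target in re.findall(r"^\s*ProxyPass\s+/idp/\s+ajp://([^/:\s]+)",
                             httpd_conf, re.M | re.I):
        if target not in LOOPBACK:
            findings.append(f"ProxyPass /idp/ targets {target}, not the local AJP connector")
    return findings


def audit(server_xml, httpd_conf):
    """Both sides together; an empty list means outsiders cannot assert a user name."""
    return ajp_connector_findings(server_xml) + remote_user_location_findings(httpd_conf)


if __name__ == "__main__":
    for label, xml in (("hardened", SERVER_XML_OK), ("stock", SERVER_XML_OPEN)):
        print(label + ":", audit(xml, HTTPD_CONF_OK) or ["ok"])
```

Run against the real files (read /usr/local/tomcat/conf/server.xml and /etc/apache2/httpd.conf into the two arguments) before opening the IdP to anyone: the stock Tomcat connector, which omits the address attribute, is reported as listening on all interfaces, which with tomcatAuthentication disabled is exactly the spoofable configuration.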

2.6. First tests

Restart Apache and start Tomcat (as the unprivileged tomcat user) with the following commands.

#/etc/init.d/apache2 restart
#su tomcat -c "sh /usr/local/tomcat/bin/startup.sh"

In a browser, check that Tomcat is up at http://127.0.0.1:8080/ and use the "Tomcat Manager" link (with the manager account created above) to see whether the idp application is deployed and running.

The IdP's status page confirms it: http://127.0.0.1:8080/idp/profile/Status (warning: Shibboleth URLs are case sensitive).

You can also test the port redirection. To do this, consult the page

3. SP's installation

3.1. Run the SP image

#kvm -hda SP -m 512 -name SP

3.2. Shibboleth's installation

The Debian package installs both the Apache module (mod_shib) and the shibd daemon that handles the SAML exchanges for it:

#aptitude install libapache2-mod-shib2

4. Our virtual topology

To build the virtual topology we use an Ethernet bridge on the host (brctl). The host gets a bridge br0 with the address 192.168.0.254; the two virtual machines are attached to it through tap interfaces and take 192.168.0.1 (IDP) and 192.168.0.2 (SP). Configure the host and the two virtual machines as follows.

Host machine:

#nano /etc/network/interfaces
<…>
# The loopback network interface
auto lo eth0 br0
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# Bridge for the virtual machines (no physical port attached: a host-only network)
iface br0 inet static
    pre-up brctl addbr br0
    address 192.168.0.254
    netmask 255.255.255.0
    broadcast 192.168.0.255

Virtual machine (IDP):

Inside the guest there is no bridge: the tap device that kvm's -net tap creates appears as eth0, so eth0 gets the static address. The SP is configured the same way with address 192.168.0.2.

#nano /etc/network/interfaces
<…>
# The loopback network interface
auto lo eth0
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    broadcast 192.168.0.255

Use the following command to restart networking on each machine. On the host, also make sure the /etc/qemu-ifup script that kvm runs for -net tap adds the tap interface to br0.

#/etc/init.d/networking restart

4.1. IDP's configuration with our virtual topology

First launch the IDP on the bridged network, with a fixed MAC address and a tap interface:

#kvm -hda IDP -m 512 -name IDP -net nic,macaddr=DE:AD:BE:EF:85:26 -net tap

In our topology Shibboleth runs in the "push method" described in the RENATER FAQ (see the bibliography). To configure it, edit /usr/local/idp/conf/relying-party.xml and set signResponses and signAssertions on the Shibboleth SSO profile to "always", so the SP can verify everything the IdP sends against the IdP's key:

#nano /usr/local/idp/conf/relying-party.xml
<…>
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false" assertionLifetime="300000" signResponses="always" signAssertions="always" />

Shibboleth needs metadata to work: the IdP only talks to SPs present in its metadata, and it takes the SP's keys and endpoints from there. We configure the IdP to read the SP's metadata from a file; for the moment we assume the SP's metadata is on the IdP's Desktop. Add the following provider inside the ChainingMetadataProvider of /usr/local/idp/conf/relying-party.xml:

#nano /usr/local/idp/conf/relying-party.xml
<…>
<MetadataProvider xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" id="Mymetadata" metadataFile="/home/user/Desktop/SPMetadata">
</MetadataProvider>
<…>

Generate the IDP's metadata by fetching the following URL in a browser and save the result, for example on the Desktop:

http://127.0.0.1/idp/profile/Metadata/SAML

Run the SP image as follows:

#kvm -hda SP -m 512 -name SP -net nic,macaddr=DE:AD:BE:EF:21:60 -net tap

Then, from the IDP, copy the metadata to the SP with scp. Both sides will trust whatever keys and endpoints these files contain, so the copy must go over an authenticated channel: check the SSH host key fingerprint the first time you connect rather than accepting it blindly.

#scp /home/user/Desktop/SAML 192.168.0.2:/home/user/Desktop/IdpMetadata

4.2. SP's configuration with our virtual topology

First, configure Apache to protect one location with Shibboleth. Add the following to /etc/apache2/httpd.conf:

#nano /etc/apache2/httpd.conf
<…>
<IfModule mod_alias.c>
    <Location /shibboleth-sp>
        Allow from all
    </Location>
    Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
    Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
</IfModule>

SSLCertificateFile /etc/shibboleth/SP.crt
SSLCertificateKeyFile /etc/shibboleth/SP.key
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10

<Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user
</Location>

ServerName 192.168.0.2

Note that Apache is given the SP's own certificate and key.

The SP package does not ship a key and certificate, so generate a self-signed pair as follows. Use at least 2048 bits for the RSA key, and keep the private key readable only by root and by the user shibd runs as.

#openssl genrsa -out SP.key 2048
#openssl req -new -key SP.key -out SP.csr
#openssl x509 -req -days 365 -in SP.csr -signkey SP.key -out SP.crt
#rm SP.csr

This certificate plays two roles: Apache presents it to browsers (which will warn, since it is self-signed) and shibd publishes it in the SP's metadata as the SP's signing and encryption key. For the SAML exchange the IdP trusts it because it appears in the metadata the IdP loaded, not because any CA signed it.

To finish with Apache, enable the site and module we use and restart Apache; then restart shibd so it picks up the new key.

#a2ensite default-ssl
#a2enmod ssl
#/etc/init.d/apache2 restart
#/etc/init.d/shibd restart

Now configure the Shibboleth stack of the SP. /etc/shibboleth/ holds a number of XML files; attribute-filter.xml and attribute-resolver.xml, for instance, deal with attribute handling.

In our basic configuration the main file is /etc/shibboleth/shibboleth2.xml. Edit it and set the host name, the entityID and the homeURL:

#nano /etc/shibboleth/shibboleth2.xml
<…>
<RequestMap applicationId="default">
    <Host name="192.168.0.2">
<…>
<ApplicationDefaults id="default" policyId="default" entityID="https://192.168.0.2/SP" homeURL="https://192.168.0.2/index.html" … >
<…>

In the SessionInitiator element, set entityID to the IdP's entityID. This is the IdP the SP will send users to, and it must match an entity present in the metadata loaded below:

#nano /etc/shibboleth/shibboleth2.xml
<…>
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://192.168.0.1/idp/shibboleth">

Add the following element so that shibd loads the IdP's metadata. The file must be readable by the user shibd runs as (_shibd on Debian).

#nano /etc/shibboleth/shibboleth2.xml
<…>
<MetadataProvider type="XML" file="/home/user/Desktop/IdpMetadata"/>

In the same file, point the CredentialResolver at the key and certificate generated above (paths are relative to /etc/shibboleth), so that shibd signs and decrypts with the right key:

#nano /etc/shibboleth/shibboleth2.xml
<…>
<CredentialResolver type="File" key="SP.key" certificate="SP.crt"/>

Then restart shibd:

#/etc/init.d/shibd restart

Generate the SP's metadata by fetching the following URL and save the result, for example on the Desktop:

http://127.0.0.1/Shibboleth.sso/Metadata

Then, from the SP, copy it to the IDP with scp (same remark as before: verify the host key, since the IdP will trust the key and endpoints in this file).

#scp /home/user/Desktop/Metadata 192.168.0.1:/home/user/Desktop/SPMetadata

Finally, to test the service provider, create an HTML file under the protected location /var/www/secure:

#mkdir /var/www/secure
#nano /var/www/secure/index.html
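The two scp transfers (IDP metadata to the SP in 4.1, SP metadata to the IDP in 4.2) are where the trust between the two machines is actually established: each side will accept signatures from the certificate found in the other's metadata and send messages to the endpoints listed there. The following script is an added example, not code from the original report or from the Shibboleth project; it checks a metadata file against facts obtained out of band before the file is loaded. The metadata it contains is constructed for the example and only shaped like what /Shibboleth.sso/Metadata returns for this SP; its certificate is an arbitrary byte string rather than a real X.509 certificate, and the fingerprint it compares against is, in real use, the one printed by openssl x509 -fingerprint -sha256 on the originating machine.

```python
"""Check a SAML metadata file before the other side loads it.

Added example, not code from the original report or the Shibboleth project.
The IdP and SP in this setup trust each other purely through the metadata
files copied over with scp: the certificate in <KeyDescriptor> is the key
whose signatures will be accepted, and the endpoint Locations are where
assertions will be sent. A swapped file would be accepted silently, so
compare what it contains with what you know out of band. Using only the
standard library, this reports:
  * an entityID different from the one expected;
  * any endpoint Location that is not https:// on the expected host;
  * any embedded certificate whose SHA-256 fingerprint differs from the
    one read on the originating machine with
    openssl x509 -in /etc/shibboleth/SP.crt -noout -fingerprint -sha256
The metadata below is constructed for the example; its certificate blob is
an arbitrary byte string, not a real X.509 certificate (the fingerprint
comparison does not care).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER certificate that SP.crt would contain.
FAKE_CERT_DER = b"constructed stand-in, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed SP metadata, shaped like the output of /Shibboleth.sso/Metadata.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://192.168.0.2/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://192.168.0.2/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://192.168.0.2/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# A tampered copy: the assertion consumer now points at another host and the key was swapped.
TAMPERED_METADATA = SP_METADATA.replace(
    "https://192.168.0.2/Shibboleth.sso/SAML2/POST", "https://192.168.0.99/Shibboleth.sso/SAML2/POST"
).replace(FAKE_CERT_B64, base64.b64encode(b"some other key").decode())


def cert_fingerprint_sha256(b64_cert):
    """SHA-256 fingerprint of a base64 (PEM body) certificate, in openssl's colon form."""
    der = base64.b64decode("".join(b64_cert.split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# In practice this value comes from the other machine, not from the file being checked.
EXPECTED_FINGERPRINT = cert_fingerprint_sha256(FAKE_CERT_B64)


def check_metadata(xml_text, expected_entity_id, expected_host, expected_fingerprints):
    """Return a list of discrepancies; an empty list means the file matches what you expected."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        findings.append(f"root element is {root.tag}, not a single EntityDescriptor")
    if root.get("entityID") != expected_entity_id:
        findings.append(f"entityID is {root.get('entityID')!r}, expected {expected_entity_id!r}")
    for el in root.iter():
        location = el.get("Location")
        if location is None:
            continue
        url = urlparse(location)
        if url.scheme != "https" or url.hostname != expected_host:
            name = el.tag.rsplit("}", 1)[-1]
            findings.append(f"{name} Location {location} is not https on {expected_host}")
    certs = root.findall(".//ds:X509Certificate", NS)
    if not certs:
        findings.append("no X509Certificate in metadata: nothing to verify signatures against")
    for cert in certs:
        fingerprint = cert_fingerprint_sha256(cert.text)
        if fingerprint not in expected_fingerprints:
            findings.append(f"certificate fingerprint {fingerprint} does not match the one taken out of band")
    return findings


if __name__ == "__main__":
    for label, doc in (("original", SP_METADATA), ("tampered", TAMPERED_METADATA)):
        print(label + ":", check_metadata(doc, "https://192.168.0.2/SP", "192.168.0.2", {EXPECTED_FINGERPRINT}) or ["ok"])
```

To use it on the real files, read /home/user/Desktop/SPMetadata on the IDP (or IdpMetadata on the SP) into xml_text and pass the entityID, host and fingerprint you noted on the other machine; only load the file into relying-party.xml or shibboleth2.xml when the list comes back empty.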

5. Final tests

Check that Shibboleth works by visiting https://192.168.0.2/secure.

If everything runs correctly, the site asks you to authenticate: the SP redirects you to the IdP, where Apache prompts for the Basic credentials created with htpasswd. Note that no authentication is requested when you open Apache's default page https://192.168.0.2/index.html; this is expected, since only /secure is protected by Shibboleth.

For more information about the Shibboleth session, point your browser at https://192.168.0.2/Shibboleth.sso/Session.

For more details on the Shibboleth exchange, check the logs.

On the SP (the log location is set in /etc/shibboleth/shibd.logger; on Debian it is /var/log/shibboleth/shibd.log):

#tail -f /var/log/shibboleth/shibd.log

On the IDP:

#tail -f /usr/local/idp/logs/idp-process.log

Of course, the log level can be raised by editing the following files (set the levels to "DEBUG"). At DEBUG level the IdP's PROTOCOL_MESSAGE logger writes the complete SAML messages, including the assertions about users, to disk, so turn the levels back down once you are done debugging.

On the IDP:

#nano /usr/local/idp/conf/logging.xml

On the SP:

#nano /etc/shibboleth/shibd.logger

6. Bibliography

Virtual environment:
http://www.linux-kvm.org
http://www.lefinnois.net/wp/index.php/2007/10/13/debian-et-machine-virtuelle-kvm/

Shibboleth:
Course book "GAEL : Guide de l'Authentification en Environnements Libres", M. Jacques Landru, TELECOM LILLE 1
"push-method": https://federation.renater.fr/faq/shibboleth
First how-to: https://testshib.org/testshib-two/install.jsp
Second how-to: http://www-public.int-evry.fr/~procacci/wiki/bin/view/Documentations/ShibSPv2#2%20Installation
Third how-to: https://federation.cru.fr/doc/support-tp-idp.pdf
Official Shibboleth site: https://spaces.internet2.edu/display/SHIB2/Home

7. Appendix

IDP: httpd.conf

<Location /idp/Authn/RemoteUser>
    AuthType Basic
    AuthName "My Identity Provider"
    AuthUserFile /usr/local/idp/credentials/user.db
    require valid-user
</Location>

ProxyPass /idp/ ajp://127.0.0.1:8009/idp/
ProxyPass /jsp-examples/ ajp://127.0.0.1:8009/jsp-examples/

SSLCertificateFile /usr/local/idp/credentials/idp.crt
SSLCertificateKeyFile /usr/local/idp/credentials/idp.key
SSLVerifyClient optional_no_ca

IDP: logging.xml

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

    <!--
        Loggers define indicate which packages/categories are logged, at which level, and to which appender.
        Levels: OFF, ERROR, WARN, INFO, DEBUG, TRACE, ALL
    -->

    <!-- Logs IdP, but not OpenSAML, messages -->
    <logger name="edu.internet2.middleware.shibboleth">
        <level value="DEBUG" />
    </logger>

    <!-- Logs OpenSAML, but not IdP, messages -->
    <logger name="org.opensaml">
        <level value="DEBUG" />
    </logger>

    <!-- Logs LDAP related messages -->
    <logger name="edu.vt.middleware.ldap">
        <level value="WARN"/>
    </logger>

    <!-- Logs inbound and outbound protocols messages at DEBUG level -->
    <logger name="PROTOCOL_MESSAGE">
        <level value="DEBUG" />
    </logger>

    <!--
        Normally you should not edit below this point. These default configurations are sufficient for
        almost every system.
    -->

    <!-- Logging appenders define where and how logging messages are logged. -->
    <appender name="IDP_ACCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <File>/usr/local/idp/logs/idp-access.log</File>
        <ImmediateFlush>true</ImmediateFlush>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <FileNamePattern>/usr/local/idp/logs/idp-access-%d{yyyy-MM-dd}.log</FileNamePattern>
        </rollingPolicy>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <Pattern>%msg%n</Pattern>
        </layout>
    </appender>

    <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <File>/usr/local/idp/logs/idp-audit.log</File>
        <ImmediateFlush>true</ImmediateFlush>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <FileNamePattern>/usr/local/idp/logs/idp-audit-%d{yyyy-MM-dd}.log</FileNamePattern>
        </rollingPolicy>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <Pattern>%msg%n</Pattern>
        </layout>
    </appender>

    <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <File>/usr/local/idp/logs/idp-process.log</File>
        <!-- Uncomment this if application is terminating in such as way that the last few log messages are not written to disk -->
        <!-- <ImmediateFlush>true</ImmediateFlush> -->
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <FileNamePattern>/usr/local/idp/logs/idp-process-%d{yyyy-MM-dd}.log</FileNamePattern>
        </rollingPolicy>
        <layout class="ch.qos.logback.classic.PatternLayout">
            <!-- General logging pattern -->
            <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>

            <!--
                Two MDC variables are available for authenticated users: 'idpSessionID' and 'principalName'.
                You may include these the data in the logging pattern by means of %mdc{NAME}
                You may include the thread ID by means of %t
            -->

            <!-- Example logging pattern using thread ID and principal name -->
            <!--
            <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - [%t:%mdc{principalName}] - %msg%n</Pattern>
            -->
        </layout>
    </appender>

    <logger name="Shibboleth-Access">
        <level value="ALL" />
        <appender-ref ref="IDP_ACCESS" />
    </logger>

    <logger name="Shibboleth-Audit">
        <level value="ALL" />
        <appender-ref ref="IDP_AUDIT" />
    </logger>

    <logger name="org.springframework">
        <level value="OFF" />
    </logger>

    <logger name="org.apache.catalina">
        <level value="ERROR" />
    </logger>

    <root>
        <level value="ERROR" />
        <appender-ref ref="IDP_PROCESS" />
    </root>

</configuration>

IDP: ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 8443
    Listen 443
</IfModule>

IDP: relying-party.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file is an EXAMPLE configuration file.

    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a
    particular relying party should be signed. It also includes metadata provider and credential definitions used
    when answering requests to a relying party.
-->
<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
                   xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                   xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                   xmlns:resource="urn:mace:shibboleth:2.0:resource"
                   xmlns:security="urn:mace:shibboleth:2.0:security"
                   xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
                   xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
                                       urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
                                       urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
                                       urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd
                                       urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
                                       urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
                                       urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">

    <!-- ========================================== -->
    <!--      Relying Party Configurations          -->
    <!-- ========================================== -->

    <AnonymousRelyingParty provider="https://192.168.0.1/idp/shibboleth" defaultSigningCredentialRef="IdPCredential" />

    <DefaultRelyingParty provider="https://192.168.0.1/idp/shibboleth" defaultSigningCredentialRef="IdPCredential">
        <!--
            Each attribute in these profiles configuration is set to its default value,
            that is, the values that would be in effect if those attributes were not present.
            We list them here so that people are aware of them (since they seem reluctant to read the documentation).
        -->
        <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false"
                              assertionLifetime="300000" signResponses="always" signAssertions="always" />

        <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="300000"
                              signResponses="conditional" signAssertions="never" />

        <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
                              signResponses="conditional" signAssertions="never" />

        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
                              assertionLifetime="300000" assertionProxyCount="0"
                              signResponses="conditional" signAssertions="never"
                              encryptAssertions="conditional" encryptNameIds="never" />

        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" assertionLifetime="300000"
                              assertionProxyCount="0" signResponses="conditional" signAssertions="never"
                              encryptAssertions="conditional" encryptNameIds="never" />

        <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
                              signResponses="conditional" signAssertions="never"
                              encryptAssertions="conditional" encryptNameIds="never"/>
    </DefaultRelyingParty>

    <!-- ========================================== -->
    <!--      Metadata Configuration                -->
    <!-- ========================================== -->

    <!-- MetadataProvider the combining other MetadataProviders -->
    <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shib­boleth:2.0:metadata">

        <MetadataProvider id="IdPMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
            <MetadataResource xsi:type="resource:FilesystemResource" file="/usr/local/idp/metadata/idp-metadata.xml" />
        </MetadataProvider>

        <MetadataProvider xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          id="Mymetadata" metadataFile="/home/binome/Desktop/SPMetadata">
        </MetadataProvider>

        <!-- Example metadata provider. -->
        <!-- Reads metadata from a URL and store a backup copy on the file system. -->
        <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
        <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
        <!--
        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
                          metadataURL="http://example.org/metadata.xml"
                          backingFile="/usr/local/idp/metadata/some-metadata.xml">
            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" maxValidityInterval="604800" />
                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
                <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
            </MetadataFilter>
        </MetadataProvider>
        -->

    </MetadataProvider>

    <!-- ========================================== -->
    <!--      Security Configurations               -->
    <!-- ========================================== -->

    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>/usr/local/idp/credentials/idp.key</security:PrivateKey>
        <security:Certificate>/usr/local/idp/credentials/idp.crt</security:Certificate>
    </security:Credential>

    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
    <!--
    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/usr/local/idp/credentials/federation1.crt</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
    -->

    <!-- DO NOT EDIT BELOW THIS POINT -->
    <!--
        The following trust engines and rules control every aspect of security related to incoming messages.
        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the
        security policies establish a set of checks that an incoming message must pass in order to be considered
        secure. Naturally some of these checks require the validation of the tokens evaluated by the trust
        engines and so you'll see some rules that reference the declared trust engines.
    -->

    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature"
                              metadataProviderRef="ShibbolethMetadata" />
        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>

    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey"
                              metadataProviderRef="ShibbolethMetadata" />
        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential"
                              metadataProviderRef="ShibbolethMetadata" />
    </security:TrustEngine>

    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
        <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
    </security:SecurityPolicy>

</RelyingPartyGroup>

IDP: ssl8443

<IfModule mod_ssl.c>
<VirtualHost _default_:8443>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   A self-signed (snakeoil) certificate can be created by installing
    #   the ssl-cert package. See
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/ssl/certs/
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    #   Certificate Revocation Lists (CRL):
    #   Set the CA revocation path where to find CA CRLs for client
    #   authentication or alternatively one huge file containing all
    #   of them (file must be PEM encoded)
    #   Note: Inside SSLCARevocationPath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/apache2/ssl.crl/
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

    #   Client Authentication (Type):
    #   Client certificate verification type and depth. Types are
    #   none, optional, require and optional_no_ca. Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth  10

    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives. The syntax is a
    #   mixture between C and Perl. See the mod_ssl documentation
    #   for more details.
    #<Location />
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation. This means that
    #     the standard Auth/DBMAuth methods can be used for access control. The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client. When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is sent or allowed to be received. This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is sent and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly.
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to work around
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

IDP’s metadata

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://192.168.0.1/idp/shibboleth"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">0.1</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
MIIDFzCCAf+gAwIBAgIUJFoRhZM+TMUKaqRoRJ4vUHRyVgowDQYJKoZIhvcNAQEF
BQAwFjEUMBIGA1UEAxMLMTkyLjE2OC4wLjEwHhcNMDkxMTIzMTU0NTE1WhcNMjkx
MTIzMTU0NTE1WjAWMRQwEgYDVQQDEwsxOTIuMTY4LjAuMTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALZhnktNTzAk3Ax5hw0bjZwntnZkD/bUWGQZ691r
Cuh6MKnamkmDt1mYN47LET4iZD/EkSwNI6G6ZeoboRAAA2J1vutyYmJasyWK1eyH
pd8wjFbWUQWwK3BpNJQC6dOa6MAmI/BdiVKq1ckhC6pyipYLhi110KYc9YrMtog0
msUHUe5L7MSdwdwW3jgJUjgMyslUp1tE0n4wXnEmF+z9GxgVnFeGXU4KSH/kbeUm
xC9w6PrSW9tkOPuIv2QvnHch0LeB7fMdpF73TsYZd4gsEZdZpamW8ZPN5NMK1gEJ
lHYfHaHWISAk7FFaEU+75qkjTtEsU7Sh2dkwqqAbGtd7bdECAwEAAaNdMFswOgYD
VR0RBDMwMYILMTkyLjE2OC4wLjGGImh0dHBzOi8vMTkyLjE2OC4wLjEvaWRwL3No
aWJib2xldGgwHQYDVR0OBBYEFL0mWrs/k409iTLIqpJr+Ndaa45LMA0GCSqGSIb3
DQEBBQUAA4IBAQCeyDO6S+sHEt7iXuAnmndIKa4BgKHePl01ePdE4PyNx0qqH/E0
fwnHTo1M/itlRn5M9heFuwfnXiMYeXjGg6eBx7+AUNFP4/b+/vbuuWolA/y4nhVF
6tBwLKpQZIkupfqfBdx7d9MbWVQ9oxleScWzZyVc3j/rriqqTKi8BHoUrm2bd+gj
/IgYFZSi0ESbPkf5pLhAxFeZQpWxwZ6QqdnJsiVaaHvSh6Bha6etxTjbN5NOpQFh
RxlXrOxY2/6U0fyNPsAXr65RYS2Mt8uH618tm3hqjUnpSvfxp0O8fsnQZGAvsWmd
XUrfThTGvZjng82kzzCGYXQguy/t7Pa3rsRl
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
            Location="https://192.168.0.1:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://192.168.0.1:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
            Location="https://192.168.0.1/idp/profile/Shibboleth/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://192.168.0.1/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
            Location="https://192.168.0.1/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://192.168.0.1/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>

    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">0.1</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
MIIDFzCCAf+gAwIBAgIUJFoRhZM+TMUKaqRoRJ4vUHRyVgowDQYJKoZIhvcNAQEF
BQAwFjEUMBIGA1UEAxMLMTkyLjE2OC4wLjEwHhcNMDkxMTIzMTU0NTE1WhcNMjkx
MTIzMTU0NTE1WjAWMRQwEgYDVQQDEwsxOTIuMTY4LjAuMTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALZhnktNTzAk3Ax5hw0bjZwntnZkD/bUWGQZ691r
Cuh6MKnamkmDt1mYN47LET4iZD/EkSwNI6G6ZeoboRAAA2J1vutyYmJasyWK1eyH
pd8wjFbWUQWwK3BpNJQC6dOa6MAmI/BdiVKq1ckhC6pyipYLhi110KYc9YrMtog0
msUHUe5L7MSdwdwW3jgJUjgMyslUp1tE0n4wXnEmF+z9GxgVnFeGXU4KSH/kbeUm
xC9w6PrSW9tkOPuIv2QvnHch0LeB7fMdpF73TsYZd4gsEZdZpamW8ZPN5NMK1gEJ
lHYfHaHWISAk7FFaEU+75qkjTtEsU7Sh2dkwqqAbGtd7bdECAwEAAaNdMFswOgYD
VR0RBDMwMYILMTkyLjE2OC4wLjGGImh0dHBzOi8vMTkyLjE2OC4wLjEvaWRwL3No
aWJib2xldGgwHQYDVR0OBBYEFL0mWrs/k409iTLIqpJr+Ndaa45LMA0GCSqGSIb3
DQEBBQUAA4IBAQCeyDO6S+sHEt7iXuAnmndIKa4BgKHePl01ePdE4PyNx0qqH/E0
fwnHTo1M/itlRn5M9heFuwfnXiMYeXjGg6eBx7+AUNFP4/b+/vbuuWolA/y4nhVF
6tBwLKpQZIkupfqfBdx7d9MbWVQ9oxleScWzZyVc3j/rriqqTKi8BHoUrm2bd+gj
/IgYFZSi0ESbPkf5pLhAxFeZQpWxwZ6QqdnJsiVaaHvSh6Bha6etxTjbN5NOpQFh
RxlXrOxY2/6U0fyNPsAXr65RYS2Mt8uH618tm3hqjUnpSvfxp0O8fsnQZGAvsWmd
XUrfThTGvZjng82kzzCGYXQguy/t7Pa3rsRl
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
            Location="https://192.168.0.1:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://192.168.0.1:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    </AttributeAuthorityDescriptor>
</EntityDescriptor>

SP: httpd.conf

UseCanonicalName On

# RPM installations on platforms with a conf.d directory will
# result in this file being copied into that directory for you.
# For non-RPM installs, you can add this file to your
# configuration using an Include command in httpd.conf

######
## SHIB Config
######

#
# Load the SHIBBOLETH module
#
LoadModule mod_shib /usr/lib/apache2/modules/mod_shib_22.so

#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
</IfModule>

#
# Configure the module for content
#
# You can now do most of this in shibboleth.xml using the RequestMap
# but you MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#SSLCertificateFile /etc/pki/tls/certs/server.crt
#SSLCertificateKeyFile /etc/pki/tls/private/server.key
#SSLCACertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateFile /etc/shibboleth/SP.crt
SSLCertificateKeyFile /etc/shibboleth/SP.key
SSLVerifyClient optional_no_ca
SSLVerifyDepth 10

<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  #ShibRequestSetting requireSession 1
  Require valid-user
</Location>

SP: ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>

SP: shibboleth2.xml

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    logger="syslog.logger" clockSkew="180">

    <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
    <OutOfProcess logger="shibd.logger">
        <!--
        <Extensions>
            <Library path="odbc-store.so" fatal="true"/>
        </Extensions>
        -->
    </OutOfProcess>

    <!-- The InProcess section contains settings affecting web server modules/filters. -->
    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true">
            <!--
            Maps IIS Instance ID values to the host scheme/name/port/sslport. The name is
            required so that the proper <Host> in the request map above is found without
            having to cover every possible DNS/IP combination the user might enter.
            The port and scheme can usually be omitted, so the HTTP request's port and
            scheme will be used.
            -->
            <Site id="1" name="sp.example.org"/>
        </ISAPI>
    </InProcess>

    <!-- Only one listener can be defined, to connect in process modules to shibd. -->
    <UnixListener address="shibd.sock"/>
    <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->

    <!-- This set of components stores sessions and other persistent data in daemon memory. -->
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
    <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600"
        inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="mem"/>
    <ArtifactMap artifactTTL="180"/>

    <!-- This set of components stores sessions and other persistent data in an ODBC database. -->
    <!--
    <StorageService type="ODBC" id="db" cleanupInterval="900">
        <ConnectionString>
        DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
        </ConnectionString>
    </StorageService>
    <SessionCache type="StorageService" StorageService="db" cacheTimeout="3600"
        inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="db"/>
    <ArtifactMap StorageService="db" artifactTTL="180"/>
    -->

    <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <!--
            The example requires a session for documents in /secure on the containing host with http and
            https on the default ports. Note that the name and port in the <Host> elements MUST match
            Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element below.
            -->
            <Host name="192.168.0.2">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <!-- Example of a second vhost mapped to a different applicationId. -->
            <!--
            <Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
            -->
        </RequestMap>
    </RequestMapper>

    <!--
    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
    Resource requests are mapped by the RequestMapper to an applicationId that
    points into this section.
    -->
    <ApplicationDefaults id="default" policyId="default"
        entityID="https://192.168.0.2/SP"
        homeURL="https://192.168.0.2/index.html"
        REMOTE_USER="eppn persistent-id targeted-id"
        signing="false" encryption="false"
        >

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your
        The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
        The system can compute a relative value based on the virtual host. Using
        handlerSSL="true"
        will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
        in that case. Note that while we default checkAddress to "false", this has a negative
        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/Shibboleth.sso" handlerSSL="false"
            exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
            idpHistory="false" idpHistoryDays="7">

            <!--
            SessionInitiators handle session requests and relay them to a Discovery page,
            or to an IdP if possible. Automatic session setup will use the default or first
            element (or requireSessionWith can specify a specific id to use).
            -->

            <!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
            <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                relayState="cookie" entityID="https://192.168.0.1/idp/shibboleth">
                <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
            </SessionInitiator>

            <!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
            <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
                <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
                <SessionInitiator type="WAYF" defaultACSIndex="5" URL="https://wayf.example.org/WAYF"/>
            </SessionInitiator>

            <!-- An example supporting the new-style of discovery service. -->
            <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
                <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
                <SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS"/>
            </SessionInitiator>

            <!--
            such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
            are used when sessions are initiated to determine how to tell the IdP where and
            how to return the response.
            -->
            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="5"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

            <!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
            <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
                <LogoutInitiator type="Local"/>
            </LogoutInitiator>

            <!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
            <md:SingleLogoutService Location="/SLO/SOAP"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

            <!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
            <md:ManageNameIDService Location="/NIM/SOAP"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

            <!--
            md:ArtifactResolutionService locations resolve artifacts issued when using the
            SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
            -->
            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session"/>
        </Sessions>

        <!--
        You should customize these pages! You can add attributes with values that can be plugged
        into your templates. You can remove the access attribute to cause the module to return a
        standard 403 Forbidden error code if authorization fails, and then customize that condition
        using your web server.
        -->
        <Errors session="sessionError.html"
            metadata="metadataError.html"
            access="accessError.html"
            ssl="sslError.html"
            localLogout="localLogout.html"
            globalLogout="globalLogout.html"
            supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
        <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->

        <!-- Chains together all your metadata sources. -->
        <MetadataProvider type="Chaining">
            <!-- Example of remotely supplied batch of signed metadata. -->
            <!--
            <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
                backingFilePath="federation-metadata.xml" reloadInterval="7200">
                <SignatureMetadataFilter certificate="fedsigner.pem"/>
            </MetadataProvider>
            -->

            <MetadataProvider type="XML" file="/home/binome/Desktop/idpMetadata"/>

            <!-- Example of locally maintained metadata. -->
            <!--
            <MetadataProvider type="XML" file="partner-metadata.xml"/>
            -->
        </MetadataProvider>

        <!-- Chain the two built-in trust engines together. -->
        <TrustEngine type="Chaining">
            <TrustEngine type="ExplicitKey"/>
            <TrustEngine type="PKIX"/>
        </TrustEngine>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="SP.key" certificate="SP.crt"/>

        <!-- Example of a second application (using a second vhost) that has a different entityID. -->
        <!--
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>

    <!-- Each policy defines a set of rules to use to secure messages. -->
    <SecurityPolicies>
        <!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
        <Policy id="default" validate="false">
            <Rule type="MessageFlow" checkReplay="true" expires="60"/>
            <Rule type="ClientCertAuth" errorFatal="true"/>
            <Rule type="XMLSigning" errorFatal="true"/>
            <Rule type="SimpleSigning" errorFatal="true"/>
        </Policy>
    </SecurityPolicies>
</SPConfig>
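As an added example (not from the report or the Shibboleth project), a small Python audit of the settings the shibboleth2.xml above leaves weak for a lab platform: handlerSSL="false", no cookieProps, checkAddress="false", and the rules of the default SecurityPolicy. The two sample documents are constructed here and trimmed to the elements the audit reads; the built-in defaults it assumes for absent attributes (handlerSSL false, checkAddress true) are an assumption, not taken from the report.

```python
"""Audit session and message-policy settings of a Shibboleth SP shibboleth2.xml.
Added example; samples are constructed and trimmed to what the audit reads."""
import xml.etree.ElementTree as ET

NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample mirroring the report's SP settings (entityID and
# handlerURL as in the report; unrelated elements omitted).
SAMPLE_WEAK = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults id="default" policyId="default"
      entityID="https://192.168.0.2/SP" signing="false" encryption="false">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/Shibboleth.sso" handlerSSL="false"/>
  </ApplicationDefaults>
  <SecurityPolicies>
    <Policy id="default" validate="false">
      <Rule type="MessageFlow" checkReplay="true" expires="60"/>
      <Rule type="ClientCertAuth" errorFatal="true"/>
      <Rule type="XMLSigning" errorFatal="true"/>
      <Rule type="SimpleSigning" errorFatal="true"/>
    </Policy>
  </SecurityPolicies>
</SPConfig>"""

# Constructed hardened variant: HTTPS-only handlers, secure session cookie,
# session bound to the client address (the fix the config comment itself names).
SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    'checkAddress="false"', 'checkAddress="true"').replace(
    'handlerSSL="false"/>',
    'handlerSSL="true" cookieProps="; path=/; secure; HttpOnly"/>')

DESCRIPTIONS = {
    "NO_SESSIONS": "no <Sessions> element under <ApplicationDefaults>",
    "HANDLER_SSL_OFF": 'handlerSSL is not "true": ACS/logout handlers accept plain HTTP',
    "COOKIE_NOT_SECURE": 'cookieProps lacks "secure": session cookie may be sent over HTTP',
    "CHECK_ADDRESS_OFF": 'checkAddress="false": session is not bound to the client address',
    "POLICY_MISSING": "policyId of <ApplicationDefaults> matches no <Policy>",
    "REPLAY_CHECK_OFF": "MessageFlow rule missing or checkReplay disabled: replays accepted",
    "NO_SIGNATURE_RULE": "no XMLSigning/SimpleSigning rule: message signatures not evaluated",
}


def audit_sp_config(xml_text):
    """Parse shibboleth2.xml text and return sorted finding codes (empty = clean)."""
    root = ET.fromstring(xml_text)
    app = root.find("conf:ApplicationDefaults", NS)
    sessions = app.find("conf:Sessions", NS) if app is not None else None
    if sessions is None:
        return ["NO_SESSIONS"]
    findings = []
    # Assumed SP 2.x built-in defaults for absent attributes:
    # handlerSSL defaults to false, checkAddress to true.
    if sessions.get("handlerSSL", "false").lower() != "true":
        findings.append("HANDLER_SSL_OFF")
    if "secure" not in sessions.get("cookieProps", "").lower():
        findings.append("COOKIE_NOT_SECURE")
    if sessions.get("checkAddress", "true").lower() != "true":
        findings.append("CHECK_ADDRESS_OFF")
    # Follow policyId to the <Policy> that governs incoming messages.
    policy_id = app.get("policyId", "default")
    policies = root.iterfind("conf:SecurityPolicies/conf:Policy", NS)
    policy = next((p for p in policies if p.get("id") == policy_id), None)
    if policy is None:
        findings.append("POLICY_MISSING")
    else:
        rules = {r.get("type"): r for r in policy.findall("conf:Rule", NS)}
        flow = rules.get("MessageFlow")
        if flow is None or flow.get("checkReplay", "true").lower() != "true":
            findings.append("REPLAY_CHECK_OFF")
        if not ({"XMLSigning", "SimpleSigning"} & set(rules)):
            findings.append("NO_SIGNATURE_RULE")
    return sorted(findings)


def report(xml_text):
    """One human-readable line per finding."""
    return [f"{code}: {DESCRIPTIONS[code]}" for code in audit_sp_config(xml_text)]


if __name__ == "__main__":
    for label, doc in (("report config", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", report(doc) or ["clean"])
```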
