|
|
| Line 10: |
Line 10: |
| | * [[Shibboleth Service Provider Installation|Service Provider Installation]] | | * [[Shibboleth Service Provider Installation|Service Provider Installation]] |
| | * [[Shibboleth Known Issues|Known Issues]] | | * [[Shibboleth Known Issues|Known Issues]] |
| − |
| |
| − |
| |
| − | == Service Provider Installation ==
| |
| − | The Shibboleth Service Provider (SP) is a stand-alone daemon running as a background process.
| |
| − |
| |
| − | To read the Shibboleth 2 release announcement, go to:
| |
| − |
| |
| − | http://shibboleth.internet2.edu/shib-v2.0.html
| |
| − |
| |
| − | To download the necessary software for Shibboleth 2 SP, go to the "Downloads" section. For the Linux RHEL RPMfiles, go down to the RPMS directory.
| |
| − |
| |
| − | '' Note that the instructions below make certain assumptions about version numbers for software packages and file names. These version numbers reflect the most recent versions available at the time of this writing. You may need to make minor adjustments during this process, depending on the versions that are available as you work through the installation. UNLESS NOTED OTHERWISE, YOU SHOULD ALWAYS USE THE LATEST VERSION OF EACH SOFTWARE PACKAGE AT THE TIME OF YOUR INSTALLATION. ''
| |
| − |
| |
| − | Download these files (version numbers may be slightly different):
| |
| − |
| |
| − | # log4shib-1.0-1.i386.rpm
| |
| − | # xerces-c-2.8.0-1.i386.rpm
| |
| − | # xml-security-c-1.4.0-1.i386.rpm
| |
| − | # xmltooling-1.0-6.i386.rpm
| |
| − | # opensaml-2.0-6.i386.rpm
| |
| − | # shibboleth-2.0-6.i386.rpm
| |
| − |
| |
| − | NOTE: To uninstall an old Shibboleth version, uninstall the above packages in reverse order, as given above. Use the rpm package command to uninstall:
| |
| − |
| |
| − | rpm -e -v <package-name>
| |
| − |
| |
| − | Official Shibboleth 2 installation instructions may be found at:
| |
| − |
| |
| − | https://spaces.internet2.edu/display/SHIB2/NativeSPLinuxInstall
| |
| − |
| |
| − | Follow the above official Shibboleth installation instructions carefully and fully, and then follow the detailed configuration instructions given below.
| |
| − |
| |
| − | Edit file /etc/shibboleth/shibboleth2.xml:
| |
| − |
| |
| − | * '''MetadataProvider-''' specify the URI to the http/xml metadata file. This file might not yet be available because 1) the metadata doesn't exist until there is at least 1 SP and 1 IDP deployed or 2) the file is not yet globally available. In these cases, either use a local xml file of your IDP metadata (built during the installation of your IDP) or a copy (if available) of the federation metadata file. Its URL is http://gfipm.net/metadata/gfipm-signed-metadata.xml.
| |
| − | * Change all instances of '''https://sp.example.org''' to your SP URL.
| |
| − | * Change all instances of '''https://idp.example.org''' to your IDP URL.
| |
| − | * Change all instances of '''https://ds.example.org/DS''' to your Discovery Service URL (note that your DS host may use http).
| |
| − | * The '''CredentialResolver''' section needs the service provider's certificate and key files added.
| |
| − | * '''SignatureMetadataFilter-''' provide the root certificate for the GFIPM CA.
| |
| − | * '''SessionInitiator''' - remove 'relayState="cookie"' to work around a known bug in v 2.0.
| |
| − |
| |
| − | Edit the file conf/attribute-map.xml so that it exports all GFIPM user attributes required by your Service Provider. For example:
| |
| − |
| |
| − | <!-- GFIPM 2.0 Attributes -->
| |
| − | <Attribute name="gfipm:2.0:user:LocalId" id="GfipmLocalId">
| |
| − | <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="true"/>
| |
| − | </Attribute>
| |
| − | <Attribute name="gfipm:2.0:user:GivenName" id="GfipmGivenName">
| |
| − | <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="true"/>
| |
| − | </Attribute>
| |
| − | <Attribute name="gfipm:2.0:user:SurName" id="GfipmSurName">
| |
| − | <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="true"/>
| |
| − | </Attribute>
| |
| − | <Attribute name="gfipm:2.0:user:EmailAddressText" id="GfipmEmailAddress">
| |
| − | <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="true"/>
| |
| − | </Attribute> ... <!-Snipped for brevity, but all relevant attributes would be included typically -->
| |
| − |
| |
| − | Failure to make this modification will cause the SP to receive no metadata, even though both the IDP and SP seem to be working (no error messages).
| |
| − |
| |
| − | Add participant SP public and private key certificates to '''/etc/shibboleth/ssl/.'''
| |
| − |
| |
| − | * cisanetsp.crt
| |
| − | * cisanetsp.key
| |
| − | * Also specify these filenames in file '''shibboleth2.xml''' in section CredentialResolver.
| |
| − |
| |
| − | Verify that file '''/etc/init.d/shibd''' looks correct (generally, it is correct as is).
| |
| − |
| |
| − | '''Logging output:'''
| |
| − |
| |
| − | * To get more details in the log output, modify file shibd.logger: (on line 2)
| |
| − | ** change: log4j.rootCategory=INFO, shibd_log
| |
| − | ** to: log4j.rootCategory=DEBUG, shibd_log
| |
| − |
| |
| − | * By default, log files are written to directory /var/log/shibboleth.
| |
| − |
| |
| − | To get the Shibboleth SP metadata file (to send to GTRI), use a browser to go to the following:
| |
| − |
| |
| − | * https://sp.cisanet.net/Shibboleth.sso/Metadata.
| |
| − |
| |
| − | Save to sp-metadata.xml and send to GTRI to incorporate into the GFIPM entities metadata.
| |
| − |
| |
| − | * The GFIPM entities metadata will be available at http://gfipm.net/metadata/gfipm-signed-metadata.xml.
| |
| − |
| |
| − | The installation should be complete at this point.
| |
| − |
| |
| − | To start or stop the Shibboleth process, use the script /etc/init.d/shibd:
| |
| − |
| |
| − | /etc/init.d/shibd start
| |
| − |
| |
| − | /etc/init.d/shibd stop
| |
| | | | |
| | | | |
The Shibboleth SP is typically installed on the Tomcat application server [Tomcat], which may be running behind the Apache httpd Web server. A connector is required to connect Apache and Tomcat.
