Shibboleth Identity Provider Installation
The Shibboleth Identity Provider (IDP) is a standard Java Web application based on the Servlet 2.4 specification.
The official Shibboleth installation instructions are brief and lacking in some details. They are available from the Shibboleth Web site at:
https://spaces.internet2.edu/display/SHIB2/IdPInstall
You must follow the above instructions to install Shibboleth. Additional Shibboleth installation instructions with more descriptive details are provided below for your convenience. You should follow both sets of instructions simultaneously.
Note that the instructions below make certain assumptions about version numbers for software packages and file names. These version numbers reflect the most recent versions available at the time of this writing. You may need to make minor adjustments during this process, depending on the versions that are available as you work through the installation. UNLESS NOTED OTHERWISE, YOU SHOULD ALWAYS USE THE LATEST VERSION OF EACH SOFTWARE PACKAGE AT THE TIME OF YOUR INSTALLATION.
Download file shibboleth-idp-2.1.2-bin.zip as directed and unzip the file (it will unzip into the directory ./identityprovider). Follow the official Shibboleth installation instructions above and install Shibboleth IDP into the following directory:
/opt/shibboleth-idp-2.1.2 (or a directory of your choice).
The following is the output of running the ANT script to install the files:
./ant.sh
Buildfile: build.xml
install:
Is this a new installation? Answering yes will overwrite your current configuration. [yes|no]
yes
Where should the Shibboleth Identity Provider software be installed? [default: /opt/shibboleth-idp-2.1.2]
What is the hostname of the Shibboleth Identity Provider server? [default: idp.example.org]
idp.cisanet.net
A keystore is about to be generated for you. Please enter a password that will be used to protect it.
XXXXXXXX
Updating property file: /home/gtri/downloads2/identityprovider/install.properties
Created dir: /opt/shibboleth-idp-2.1.2/bin
Created dir: /opt/shibboleth-idp-2.1.2/conf
Created dir: /opt/shibboleth-idp-2.1.2/credentials
Created dir: /opt/shibboleth-idp-2.1.2/lib
Created dir: /opt/shibboleth-idp-2.1.2/lib/endorsed
Created dir: /opt/shibboleth-idp-2.1.2/logs
Created dir: /opt/shibboleth-idp-2.1.2/metadata
Created dir: /opt/shibboleth-idp-2.1.2/war
Generating signing and encryption key, certificate, and keystore.
Copying 5 files to /opt/shibboleth-idp-2.1.2/bin
Copying 8 files to /opt/shibboleth-idp-2.1.2/conf
Copying 1 file to /opt/shibboleth-idp-2.1.2/metadata
Copying 38 files to /opt/shibboleth-idp-2.1.2/lib
Copying 4 files to /opt/shibboleth-idp-2.1.2/lib/endorsed
Copying 1 file to /home/gtri/downloads2/identityprovider/build/WEB-INF
JARs are never empty, they contain at least a manifest file
Building jar: /opt/shibboleth-idp-2.1.2/war/idp.war
BUILD SUCCESSFUL
After the installation, further configuration operations are required as follows.
Note: Some file names contain a version number (2.0.2 or 1.5, etc.). In some cases, you may find files with a later version than listed here. Unless otherwise noted, you should use the later versions.
Create required link:
cd /opt
ln -s shibboleth-idp-2.1.2 shib-idp
Edit file /opt/shib-idp/conf/relying-party.xml:
- Modify MetadataProvider of type FileBackedHTTPMetadataProvider to retrieve the metadata from http://gfipm.net/metadata/gfipm-signed-metadata.xml.
- Modify security:Credential to refer to the correct key and crt files.
- Uncomment and modify security:TrustEngine to refer to the correct GFIPM CA crt file.
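The three relying-party.xml edits above, written out as an added example (not the page's or the Shibboleth project's own configuration). Element names follow the IdP 2.x relying-party.xml schema; the file names under /opt/shib-idp/credentials and /opt/shib-idp/metadata are assumptions. The metadata URL is plain http, so the signature filter bound to the trust engine is what actually authenticates the federation metadata; without it, anything served at that URL would be accepted.

```xml
<!-- Added example of the three relying-party.xml edits; not the page's or the
     Shibboleth project's own configuration. File paths are assumptions. -->

<!-- 1. Federation metadata: fetch from the GFIPM URL, keep a local backing copy
        so the IdP still starts when the URL is unreachable, and refuse metadata
        that is unsigned or lacks a validUntil (maxValidityInterval is in seconds
        in IdP 2.x; 604800 is seven days). -->
<metadata:MetadataProvider id="GFIPMMetadata"
        xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://gfipm.net/metadata/gfipm-signed-metadata.xml"
        backingFile="/opt/shib-idp/metadata/gfipm-signed-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
                maxValidityInterval="604800"/>
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                trustEngineRef="shibboleth.MetadataTrustEngine"
                requireSignedMetadata="true"/>
    </metadata:MetadataFilter>
</metadata:MetadataProvider>

<!-- 2. The IdP's own signing/encryption credential: the key and certificate the
        installer generated (assumed file names). The private key file should be
        readable only by the tomcat user. -->
<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shib-idp/credentials/idp.key</security:PrivateKey>
    <security:Certificate>/opt/shib-idp/credentials/idp.crt</security:Certificate>
</security:Credential>

<!-- 3. Trust engine referenced by the SignatureValidation filter above. The page
        refers to a GFIPM CA certificate, so a PKIX engine anchored on that CA is
        shown (assumed file name). The default commented-out engine in the shipped
        file is StaticExplicitKeySignature, which instead names the metadata
        signer's own certificate. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
        xsi:type="security:StaticPKIXSignature">
    <security:ValidationInfo id="GFIPMCA" xsi:type="security:PKIXFilesystem">
        <security:Certificate>/opt/shib-idp/credentials/gfipm-ca.crt</security:Certificate>
    </security:ValidationInfo>
</security:TrustEngine>
```

After restarting Tomcat, idp-process.log should show the metadata being loaded and its signature verified; a "signature validation failed" message there means the CA file or the engine type does not match how the federation metadata is actually signed.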
Edit file conf/attribute-filter.xml:
- Add <AttributeFilterPolicy id="releaseGFIPM"> ... for GFIPMAssertion-1.0.
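An added example of the releaseGFIPM policy for conf/attribute-filter.xml (not the page's or the project's own file), using the IdP 2.x afp/basic/saml filter namespaces already declared at the top of the shipped file. The attribute ID is the one the page names; the entity-group ID is a placeholder. The point of the requirement rule is least privilege: release the assertion only to service providers registered in the federation's metadata group, rather than to any requester.

```xml
<!-- Added example; not part of the original page or the project's own file. -->
<afp:AttributeFilterPolicy id="releaseGFIPM">
    <!-- Scope release to SPs inside the federation's metadata group. The group ID
         comes from the federation metadata; the value below is a placeholder.
         basic:ANY here would release to every requester the IdP knows. -->
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
                               groupID="urn:example:gfipm:PLACEHOLDER-GROUP-ID"/>
    <afp:AttributeRule attributeID="GFIPMAssertion-1.0">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```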
Edit file conf/attribute-resolver.xml:
- Get a new, slimmer version from GTRI and edit it.
- Modify resolver:DataConnector to use CISA's LDAP directory.
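An added example of the resolver:DataConnector edit for conf/attribute-resolver.xml (not the GTRI file or the project's own configuration), using the IdP 2.x resolver/dc namespaces. Host, base DN, bind account, password and attribute names are placeholders. The two settings a practitioner should check are the ldaps:// URL, so the bind credential and user data are not sent in clear, and a dedicated read-only bind account rather than an administrative one.

```xml
<!-- Added example; placeholders throughout. Not the page's or the project's file. -->
<resolver:DataConnector id="cisaLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://ldap.example.org:636"
        baseDN="ou=people,dc=example,dc=org"
        principal="cn=shib-reader,ou=service,dc=example,dc=org"
        principalCredential="PLACEHOLDER-BIND-PASSWORD">
    <!-- Velocity template. Keep the filter tied to the attribute the user actually
         authenticated with; do not widen it to an OR over several attributes. -->
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <!-- Pull only the attributes the resolver needs, not the whole entry. -->
    <dc:ReturnAttributes>uid cn mail</dc:ReturnAttributes>
</resolver:DataConnector>
```

Because attribute-resolver.xml then contains the bind password, its file permissions should match those of the credentials directory: owned by the tomcat user and not world-readable.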
Create file gfipm/dsml2gfipm_cisanet.xsl.
Create all files in gfipm/xsd.
Take the following files from Conn2.0.2b.zip and copy them to /opt/shib-idp/lib:
- castor-1.0.jar
- castor-1.0-srcgen-ant-task.jar
- castor-1.0-xml.jar
Take the following file (33298 bytes, dated Feb 20, 2008 15:56) and copy it to /opt/shib-idp/lib:
- gfipm-shib-trunk-jdk-1.5.jar
Note that the above four files also need to be copied to directory /opt/tomcat5/CISAIDP/Webapps/idp/WEB-INF/lib
Additionally, files in ./credentials and ./metadata need to be configured from certificate files set up during your Web server configuration. If you would like information on how to install or configure an Apache Web server and/or Tomcat servlet engine with Shibboleth, please contact gfipm-support@lists.gatech.edu to request available instructions.
Create directory and change ownership to the tomcat user:
cd /opt/shib-idp
mkdir users
chown -R tomcat:tomcat .
Testing the IDP
The basic method for testing the Shibboleth IDP is to use the status URL, which is of the form:
https://FQDN/idp/profile/Status
where FQDN is your IDP machine's fully qualified domain name. If it is working, it will show a Web page with a simple "ok" in the Web browser. If it is not working, it will show one of several error messages (and also check the log files as described below).
There are two sets of log files that you can monitor:
- Tomcat servlet engine log files:
These are typically located in the [Tomcat_Install_Dir]/logs/ directory. There are several log files in this directory, but the main file is usually named catalina.out.
If a different Java servlet container than Tomcat is used, the log files should be in that particular container's log directory.
- Shibboleth IDP log files:
These are typically located in the [IDP_Install_Directory]/logs/ directory. The file idp-process.log (or similar) is relevant for tracing operations in a minimal IDP installation. The idp-access.log and idp-audit.log files are generally relevant only on fully functional systems.
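The status check and log inspection described above, as an added example health-check script (not part of the original page). The hostname and the two log paths are assumptions taken from the text; override them through the environment. The fetch deliberately leaves TLS certificate verification on, since a verification failure here would also break service providers talking to the IdP.

```shell
#!/bin/sh
# Added example health check for the IdP status URL; not from the original page.
# IDP_HOST, TOMCAT_LOG and IDP_LOG are assumptions; set them for your installation.
IDP_HOST="${IDP_HOST:-idp.example.org}"
TOMCAT_LOG="${TOMCAT_LOG:-/opt/tomcat5/logs/catalina.out}"
IDP_LOG="${IDP_LOG:-/opt/shib-idp/logs/idp-process.log}"

# idp_status_ok BODY: succeed only if the response body is exactly "ok"
# (surrounding whitespace ignored). An error page, or any other text,
# is a failure.
idp_status_ok() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$body" = "ok" ]
}

# fetch_status: GET the status URL over TLS with certificate verification on
# (no -k) and fail on any non-2xx response.
fetch_status() {
    curl -sS --fail "https://${IDP_HOST}/idp/profile/Status"
}

# check_idp: run the check; on failure, show the tail of both log sets
# the page describes so the cause is visible at once.
check_idp() {
    if body=$(fetch_status) && idp_status_ok "$body"; then
        echo "IdP status: ok"
        return 0
    fi
    echo "IdP status check FAILED; recent log lines:" >&2
    for f in "$TOMCAT_LOG" "$IDP_LOG"; do
        if [ -r "$f" ]; then
            echo "== $f" >&2
            tail -n 20 "$f" >&2
        fi
    done
    return 1
}

# Invoke as: sh idp-check.sh run
if [ "${1:-}" = "run" ]; then
    check_idp
fi
```

Run it from cron or a monitoring agent: the non-zero exit code is what the monitor should alert on, and the log tail goes to stderr so it lands in the alert body.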