Shibboleth Configuration from 100,000 Feet, in 15 Minutes or Less!
Steve Thorpe
Systems Programmer / Analyst, MCNC

Helpful Skill Sets Include Basic Knowledge Of:
- Your OS: Linux or Windows
- Experience using the command line on your OS
- Knowing how to find and use log files to troubleshoot issues with applications on your OS
- Tomcat / Apache / Java
- XML
- LDAP, specifically your LDAP authentication, how it works at your campus, and familiarity with single sign-on concepts
- Virtual machine environment (such as VMware)
IdP and SP Software Components - Lots of Distributed Pieces!
High Level Flow Among SP / DS / IdP
Source: https://spaces.internet2.edu/display/shibinstallfest/shibboleth+workshop+series+-+linux+identity+provider+%28centos+6.2%29

SP Recognizes IdPs Via Metadata
Source: https://spaces.internet2.edu/display/shibinstallfest/shibboleth+workshop+series+-+linux+service+provider+%28centos+6.2%29

IdP Recognizes SPs Via Metadata
relying-party.xml: MetadataProvider
Source: https://spaces.internet2.edu/display/shibinstallfest/shibboleth+workshop+series+-+linux+service+provider+%28centos+6.2%29
Example from InCommon Metadata
    : :
    glosizf1o435/+ckfwxqsmbihvv5tma3zrcycri1chgezqrcxl0fmzlsr+vady/tfbvojqi8psub
    SMxNkZectePTBjVj1Qeb4hmG8jRv/fwy1Iw6OFH8RKny8nQaO5mOe/fF/swEsMVU9TDpvLIgbhTw
    np7nhfotgaxf5wg8wa==
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
      <!-- The Ohio State University -->
      <EntityDescriptor entityID="https://carmenwiki.osu.edu/shibboleth"
          xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
          <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:Attribute Name="http://macedir.org/entity-category"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://id.incommon.org/attribute/entity/category"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
              <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
            </saml:Attribute>
          </mdattr:EntityAttributes>
        </Extensions>
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
          <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
            <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Location="https://carmenwiki.osu.edu/Shibboleth.sso/Login" index="1"/>
            <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Location="https://carmenwiki.it.ohio-state.edu/Shibboleth.sso/Login" index="2"/>
            <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Location="https://carmenwiki.osu.edu/Shibboleth.sso/Clear" index="3"/>
            <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                Location="https://carmenwiki.it.ohio-state.edu/Shibboleth.sso/Clear" index="4"/>
            <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
              : :
              <mdui:DisplayName xml:lang="en">carmenwiki</mdui:DisplayName>
              <mdui:Description xml:lang="en">Enterprise Wiki Service at the Ohio State University.</mdui:Description>
              <mdui:InformationURL xml:lang="en">http://cio.osu.edu/services/getbusinessservice.php?id=f8f7fc290a0a3c0501c355b8e1430015</mdui:InformationURL>
              <mdui:PrivacyStatementURL xml:lang="en">https://carmenwiki.osu.edu/x/jyleaq</mdui:PrivacyStatementURL>
              <mdui:Logo height="85" width="141" xml:lang="en">https://carmenwiki.osu.edu/download/attachments/9666561/global.logo</mdui:Logo>
            </mdui:UIInfo>
          </md:Extensions>
Source: http://wayf.incommonfederation.org/incommon/incommon-metadata.xml
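The two "recognizes via metadata" slides and this excerpt come down to one question a MetadataProvider has to answer before anything is trusted: which entities are in the aggregate, in which role, with which entity categories, and at which endpoints. The script below walks a metadata aggregate the same way and flags endpoints that are not served over HTTPS. It is an added example written for this deck, not code from the original slides or from the Shibboleth project; SAMPLE_METADATA is a constructed aggregate modelled on the InCommon excerpt above (same element names and namespaces), with hypothetical entity IDs under example.edu and a deliberately plain-http endpoint so the check has something to report.

```python
"""Summarize a SAML 2.0 metadata aggregate: entities, roles, entity categories,
endpoints, and any endpoint not served over HTTPS.

Added example for this deck, not code from the original slides or from the
Shibboleth project. SAMPLE_METADATA is constructed; its entity IDs are
hypothetical."""

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Constructed sample: one SP entry shaped like the slide's excerpt plus one IdP
# entry. The second AssertionConsumerService deliberately uses plain http.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:mace:example:federation">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <EntityDescriptor entityID="https://wiki.example.edu/shibboleth">
    <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </Extensions>
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <Extensions>
        <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="https://wiki.example.edu/Shibboleth.sso/Login" index="1"/>
      </Extensions>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://wiki.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://wiki.example.edu/Shibboleth.sso/SAML2/POST" index="2"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def local_name(tag):
    """'{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def entity_categories(entity):
    """Entity-category values declared in mdattr:EntityAttributes."""
    values = []
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return values


def summarize_entity(entity):
    """Roles, categories and endpoints of one EntityDescriptor."""
    roles = []
    if entity.find("md:SPSSODescriptor", NS) is not None:
        roles.append("SP")
    if entity.find("md:IDPSSODescriptor", NS) is not None:
        roles.append("IdP")
    # Every endpoint element (ACS, SSO, DiscoveryResponse, ...) carries a Location.
    endpoints = [(local_name(el.tag), el.get("Location"))
                 for el in entity.iter() if el.get("Location")]
    return {
        "entityID": entity.get("entityID"),
        "roles": roles,
        "categories": entity_categories(entity),
        "endpoints": endpoints,
        # A non-HTTPS endpoint would carry assertions or redirects in the clear.
        "insecure_endpoints": [loc for _, loc in endpoints
                               if urlsplit(loc).scheme.lower() != "https"],
    }


def summarize_metadata(xml_text):
    """'signed' only reports that a ds:Signature element is present; verifying it
    against the federation's signing key is the metadata provider's job."""
    root = ET.fromstring(xml_text)
    return {
        "signed": root.find("ds:Signature", NS) is not None,
        "entities": [summarize_entity(e)
                     for e in root.iter("{%s}EntityDescriptor" % NS["md"])],
    }


if __name__ == "__main__":
    report = summarize_metadata(SAMPLE_METADATA)
    print("signature element present:", report["signed"])
    for ent in report["entities"]:
        print(ent["entityID"], ent["roles"], ent["categories"])
        for kind, loc in ent["endpoints"]:
            print("   ", kind, loc, "<-- not HTTPS" if loc in ent["insecure_endpoints"] else "")
```

Point the script at a real aggregate by reading the file into summarize_metadata; on a federation feed the interesting output is usually the insecure-endpoint list and any SP whose entity categories do not match what your attribute-filter.xml assumes.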
Identity Provider Config Files
- login.config: Configuration for the Username/Password authentication mechanism. Does the incoming user have a valid credential?
- relying-party.xml: Configures how the IdP processes messages that are received. Who do you recognize, and who do you want to trust?
- attribute-resolver.xml: Configures attribute collection, transformation, and encoding. Where do you find a user's attribute values?
- attribute-filter.xml: Configures the release of attributes to SPs. Who do you share which attributes with?
- logging.xml: Configuration of the IdP's logging system. Why the heck is my IdP not working?
- etc.
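The attribute-filter.xml question on this slide, "who do you share which attributes with?", is the one most worth being able to answer offline, because an over-broad PolicyRequirementRule releases data to every SP in the federation. The script below reads a policy file and lists, for a given requesting SP, the attributes and values it would be permitted. It is an added example written for this deck, not code from the original slides or from the Shibboleth project; SAMPLE_POLICY is a constructed file in the shape of an IdP 2.x attribute-filter.xml with hypothetical SP entity IDs, the script models only the basic requester matchers (ANY, AttributeRequesterString, AttributeRequesterRegex, OR, AND, NOT) and the ANY and AttributeValueString permit rules, and full-match semantics for the regex matcher are an assumption. The IdP itself remains the authority on what is actually released.

```python
"""Audit an IdP 2.x style attribute-filter.xml: which attributes would be
released to a given requesting SP?

Added example for this deck, not code from the original slides or from the
Shibboleth project. SAMPLE_POLICY is constructed; its SP entity IDs are
hypothetical. Only the basic matcher types listed in rule_type() are modelled;
anything else is reported as unhandled rather than silently ignored."""

import re
import xml.etree.ElementTree as ET

NS = {"afp": "urn:mace:shibboleth:2.0:afp",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
XSI_TYPE = "{%s}type" % NS["xsi"]

SAMPLE_POLICY = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- constructed: a test SP gets only a pseudonymous identifier -->
  <AttributeFilterPolicy id="releaseToTestSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp-test.example.org/shibboleth"/>
    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  <!-- constructed: two campus SPs get a name, and affiliation limited to two values -->
  <AttributeFilterPolicy id="releaseToCampusApps">
    <PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wiki.example.edu/shibboleth"/>
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://lms.example.edu/shibboleth"/>
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:AttributeValueString" value="member"/>
      <PermitValueRule xsi:type="basic:AttributeValueString" value="student"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  <!-- constructed: this one applies to every requester in the federation -->
  <AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""


def rule_type(el):
    """Local part of an xsi:type such as 'basic:OR' -> 'OR'."""
    return (el.get(XSI_TYPE) or "").split(":")[-1]


def requester_matches(rule, requester, unhandled):
    """Evaluate a PolicyRequirementRule (or nested basic:Rule) for one SP entityID."""
    kind = rule_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        return rule.get("value") == requester
    if kind == "AttributeRequesterRegex":
        return re.fullmatch(rule.get("regex", ""), requester) is not None  # assumed full match
    if kind in ("OR", "AND"):
        results = [requester_matches(child, requester, unhandled) for child in rule]
        return any(results) if kind == "OR" else all(results)
    if kind == "NOT":
        return not any(requester_matches(child, requester, unhandled) for child in rule)
    unhandled.append("requester rule: " + kind)
    return False


def released_attributes(policy_xml, requester):
    """Return ({attributeID: 'ANY' | [permitted values]}, [unhandled rule descriptions])."""
    root = ET.fromstring(policy_xml)
    released, unhandled = {}, []
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        req = policy.find("afp:PolicyRequirementRule", NS)
        if req is None or not requester_matches(req, requester, unhandled):
            continue
        for attr_rule in policy.findall("afp:AttributeRule", NS):
            attr_id = attr_rule.get("attributeID")
            for deny in attr_rule.findall("afp:DenyValueRule", NS):
                unhandled.append("%s/%s: Deny %s" % (policy.get("id"), attr_id, rule_type(deny)))
            for permit in attr_rule.findall("afp:PermitValueRule", NS):
                kind = rule_type(permit)
                if kind == "ANY":
                    released[attr_id] = "ANY"
                elif kind == "AttributeValueString":
                    if released.get(attr_id) != "ANY":
                        released.setdefault(attr_id, []).append(permit.get("value"))
                else:
                    unhandled.append("%s/%s: %s" % (policy.get("id"), attr_id, kind))
    return released, unhandled


if __name__ == "__main__":
    for sp in ("https://sp-test.example.org/shibboleth",
               "https://wiki.example.edu/shibboleth",
               "https://unknown.example.net/shibboleth"):
        rel, unh = released_attributes(SAMPLE_POLICY, sp)
        print(sp, "->", rel, "unhandled:", unh)
```

Running it with an entity ID that appears nowhere in the policy shows what the basic:ANY policy hands to every SP in the federation, which is exactly the line item to review before loading a large aggregate into relying-party.xml.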
Service Provider Config Files
- shibboleth2.xml: the main Shibboleth config file
  o What protocols does the SP support?
  o What address(es) to find the SP at
  o Who do I recognize, who do I trust?
  o How to handle the IdP Discovery problem
- attribute-map.xml: Which attributes is the SP looking for?
- shibd.conf: Tells Apache which content on your site to protect by Shib
- etc.
Config File Confusion
The Little Details Matter! (and can drive you batty)
Source: Bill French's post on the "Stop Reinventing The Wheel" Blog
<http://www.stopreinventingthewheel.com/srtw/viewfullpost.aspx?PostPK=40>
<http://www.stopreinventingthewheel.com/srtw/uploadedimages/Shibboleth/FileRelationships.pdf>

A Couple Examples
- MCNC's Test SP: https://sp-test-01.mcnc.org
- Rockingham Unique UserIds: https://cacti.mcnc.org/cacti/graph.php?action=view&local_graph_id=8808&rra_id=all

2013 Shibboleth Training Workshop?
- InCommon is planning on four two-day training workshops during 2013
  o Covers IdP and SP
  o Hands-on lab exercises
- InCommon is seeking host venues
- Is there any interest among this audience?

For Further Information
- To find course content, Google "spaces shibboleth workshop series"
- To learn about InCommon's upcoming Shibboleth workshops: http://www.incommon.org/educate/shibboleth/

Questions/Comments?
Please visit the MCNC Table at IIPS
Steve Thorpe
thorpe@mcnc.org
919-248-1161