File: libapache2-mod-shib2.README.Debian

                        Shibboleth 2 SP for Debian

Introduction

  This package provides the Shibboleth Apache module and accompanying
  daemon for a service provider.  In Shibboleth terminology, this is a web
  server serving some content that should be secured via Shibboleth.  In
  order for someone to access protected content from a Shibboleth SP, they
  will have to authenticate to a Shibboleth IdP (Identity Provider),
  either one that the Shibboleth SP points to directly or one that is part
  of a federation that is trusted by the Shibboleth SP.

Installation and Configuration

  The following instructions assume use of the Apache 2.4 access
  restriction syntax.  If you are still using the earlier Allow/Deny
  directives, you may need to use "Allow from all" instead of or in
  addition to "Require all granted".

  After installing this package, the module is enabled but not properly
  configured.  At least some manual configuration will be required before
  the module can be used, such as creating a certificate for the SP to use
  to authenticate to IdPs.

  To generate a self-signed certificate for the Shibboleth SP, run
  shib-keygen.  See its manual page for more information.  This may or may
  not be what you want to do depending on which federation you plan on
  joining; some federations may want you to follow other procedures for
  generating a certificate.

  If you use a restrictive Apache configuration that denies access to all
  URLs by default, you will need to grant access to any authenticated
  Shibboleth client to the /Shibboleth.sso URL.  For example:

    <Location "/Shibboleth.sso">
        AuthType None
        Require all granted
    </Location>

  The default error messages from Shibboleth are located in
  /etc/shibboleth/*.html.  The paths to those error messages are
  configured in /etc/shibboleth/shibboleth2.xml in the <Errors> tag.  If
  you customize them, you may want to copy them somewhere else and change
  /etc/shibboleth/shibboleth2.xml to point to the new locations.  Also in
  that <Errors> tag you can set the URLs to the logo and style sheet used
  by the default errors.  If you want to use the default URL (under
  /shibboleth-sp), add this to your Apache configuration:

    <Location /shibboleth-sp>
        AuthType None
        Require all granted
    </Location>
    Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css

  For Shibboleth to work properly, you will need to extensively customize
  /etc/shibboleth/shibboleth2.xml for your site.  In particular, the
  <ApplicationDefaults> section will have to be customized for the
  federations your SP will trust and the <CredentialResolver> section of
  <Applications> needs to list the credentials that your SP will use to
  authenticate when communicating with IdPs.  Your local site may provide
  a standard shibboleth2.xml for you to use.

  Finally, you will want to protect some web content with Shibboleth.  The
  most basic configuration is:

    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>

  for some <Location>, <Directory>, or <Files> block.  You can also put
  similar code in an .htaccess file.  This will require authorization
  using the default federation defined in /etc/shibboleth/shibboleth2.xml.

Changes in Debian Package

  The WS-Trust.xsd schema, which is needed if you use the ADFS support
  and turn on schema validation, was removed from the Debian package for
  license reasons.  To enable it again, do the following:

    1. Download the original source from
       http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/

    2. Extract schemas/WS-Trust.xsd to some convenient location, for
       example to /etc/shibboleth/WS-Trust.xsd.

    3. Copy /usr/share/xml/shibboleth/catalog.xml into /etc/shibboleth.

    4. Uncomment the WS-Trust line and set its uri attribute:
       <system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust"
               uri="/etc/shibboleth/WS-Trust.xsd"/>

    5. Edit /etc/default/shibd to contain
       DAEMON_OPTS="$DAEMON_OPTS -x /etc/shibboleth/catalog.xml:/usr/share/xml/opensaml/saml20-catalog.xml:/usr/share/xml/xmltooling/catalog.xml"

    6. Restart the Shibboleth daemon: service shibd restart.

Testing with TestShib

  If you don't have a local Shibboleth Federation you can easily join but
  want to test your Shibboleth installation, you can use the TestShib
  federation (which exists primarily for this purpose).  To do this, use
  the following instructions (but test them against the details on the
  testshib.org web pages in case anything has changed):

  1. Run shib-keygen to generate a certificate for your new SAML entity.

  2. Set the entityID attribute in the ApplicationDefaults element of
     shibboleth2.xml to a value like https://your.service.tld/shibboleth;
     it needn't be resolvable, though that might come in handy later; see
     https://wiki.shibboleth.net/confluence/display/CONCEPT/EntityNaming.

  3. Run a2enmod shib2 && apache2ctl restart && service shibd restart.

  4. Go to <http://testshib.org/>, click on Register, and follow the
     instructions to obtain your SP metadata and upload it under a unique
     name.

  5. Now select Configure, scroll down to Service Provider Configuration,
     choose Other for the platform, enter the hostname of your web server,
     and click on Create Me.  Save the resulting configuration file as
     /etc/shibboleth/shibboleth2.xml.

  6. Create some part of your web site that's protected with Shibboleth as
     described above, restart Apache with apache2ctl restart, restart
     shibd with service shibd restart, and then go to that URL.  You
     should be redirected to idp.testshib.org, and after logging in with
     one of the offered identities, redirected back to your
     protected page.  The best test page to use is a CGI script that
     prints out the environment; you can then confirm that you see the
     Shibboleth attributes as environment variables.  If this doesn't work
     immediately, wait a few minutes and try again; sometimes the
     testshib.org metadata takes a little bit to update.
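
  An example of such an environment-printing CGI test page, added here and
  not part of the Debian package or the Shibboleth project.  It lists only
  the Shib-* session variables and a few attribute names; those attribute
  names are assumptions and depend on your /etc/shibboleth/attribute-map.xml.

```python
#!/usr/bin/env python3
"""Debug CGI for a Shibboleth-protected URL: show the attributes that the SP
exported to the request environment. Added example, not the package's code."""
import html
import os
import sys

# Shib-* variables are set by the SP for every session (e.g. Shib-Session-ID,
# Shib-Identity-Provider). The plain attribute names below are assumptions:
# they come from attribute-map.xml and vary between sites and federations.
SESSION_PREFIX = "Shib-"
ASSUMED_ATTRIBUTES = ("REMOTE_USER", "eppn", "affiliation",
                      "unscoped-affiliation", "mail", "displayName")


def shib_vars(environ):
    """Return only Shibboleth-related variables, sorted by name, so the
    debug page does not also leak unrelated server settings (PATH etc.)."""
    picked = {name: value for name, value in environ.items()
              if name.startswith(SESSION_PREFIX) or name in ASSUMED_ATTRIBUTES}
    return dict(sorted(picked.items()))


def render(environ):
    """Build the HTML body. Attribute values are supplied by the IdP, so they
    are HTML-escaped before being echoed back into the page."""
    rows = shib_vars(environ)
    if "Shib-Session-ID" not in rows:
        body = ("<p>No Shibboleth session found: is this script inside a "
                "Location with AuthType shibboleth and requireSession 1?</p>")
    else:
        cells = "".join("<tr><td>%s</td><td>%s</td></tr>"
                        % (html.escape(k), html.escape(v))
                        for k, v in rows.items())
        body = "<table>%s</table>" % cells
    return ("<!DOCTYPE html><html><body><h1>Shibboleth attributes</h1>"
            "%s</body></html>" % body)


def main():
    # CGI: headers first, then a blank line, then the document.
    sys.stdout.write("Content-Type: text/html; charset=utf-8\r\n\r\n")
    sys.stdout.write(render(os.environ))


if __name__ == "__main__":
    main()
```

  Remove the script again once the attributes look right; a page that echoes
  every user attribute is a debugging aid, not something to leave deployed.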

  These directions should work as of Jan 2016, but note that the
  testshib.org service may have changed since then.  TestShib is useful
  *only* for testing, not for any production use.  Those of us who have
  worked on the Debian package are not affiliated with testshib.org, just
  personally find it useful, and make no guarantees that it will work
  properly.  You should read over the shibboleth2.xml file that you
  download from testshib.org before using it to make sure that there's
  nothing strange in it.

  If the above instructions don't work or there are changes in the
  TestShib service, please file a bug against the Debian
  libapache2-mod-shib2 package and let us know.

Further Information

  For further installation information, see:

    https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration

 -- Ferenc Wágner <wferi@niif.hu>, Tue, 26 Jan 2016 21:08:43 +0100