wiki:ShibbolethConfig
Last modified on 04/15/08 16:28:03

Notes on Building and Testing the Shibboleth 2.0 SP on openSUSE 10.3

You should start by reading the Shibboleth 2.0 documentation. It is much improved and, despite its warnings, the source tarball build is straightforward, and it is necessary if you want to develop extensions to the SP. The main point to watch for is to set ownership of /opt/shibboleth-sp to your own user so you can build and configure without needing to be root. You'll still need to be root to restart the web server (sudo /etc/init.d/apache2 restart is your friend), but it's safer to explore the SP parts without those privileges.

NOTE: if you just plan to run the SP on a supported platform (Red Hat Enterprise Linux 4 or 5), use the prebuilt binaries from the Shibboleth site. On SUSE you need to build from source.

Wishlist: get doxygen source docs online so they can be browsed.

Build the SP

Start by downloading all of the source tarballs to $HOME/dist (the commands below use the shibsp2 subdirectory created next).

Set up your build environment

Make sure you have apache2-dev, openssl-dev, and curl-dev installed from YaST.

Create directories to contain the SP tarballs and unpacked sources

mkdir -p $HOME/dist/shibsp2 $HOME/src/shibsp2

Create the install target directory and change ownership to your user id and group id:

sudo mkdir /opt/shibboleth-sp
# your user name and primary group name
id -un
id -gn
# insert them into the following command; chown takes user:group
sudo chown <username>:<groupname> /opt/shibboleth-sp

To begin building the SP, start a sub-shell and set your PATH to just the core directories. This is a good development habit and ensures you don't pull unintended tools or libraries into the build.

bash
PATH=/bin:/usr/bin

Review the Native SP Linux Install notes.

Build log4shib

Review the latest log4shib component instructions and download:

cd ~/dist/shibsp2/
wget http://shibboleth.internet2.edu/downloads/log4shib/latest/log4shib-1.0.tar.gz

Unpack to your source build area:

cd ~/src/shibsp2/
tar -xzf ~/dist/shibsp2/log4shib-1.0.tar.gz
cd log4shib-1.0

Run the configure, make, make install

./configure --disable-static --disable-doxygen --prefix=/opt/shibboleth-sp
make
make install

Build Xerces-C

Review the Xerces component instructions and download:

cd ~/dist/shibsp2
wget http://www.gtlib.gatech.edu/pub/apache/xerces/c/xerces-c-src-current.tar.gz

Build the Xerces-C library. Note that the Xerces build differs a little from the other components: you have to cd down a few directory levels to reach the src directory, and you must set XERCESCROOT before running runConfigure.

cd ~/src/shibsp2
tar -xzf ~/dist/shibsp2/xerces-c-src-current.tar.gz
cd xerces-c-src_2_8_0/src/xercesc

Build it:

export XERCESCROOT=$HOME/src/shibsp2/xerces-c-src_2_8_0/
./runConfigure -p linux -r pthread -P /opt/shibboleth-sp
make
make install

Build XML-Security-C

Read the component instructions and download. Note that this library is only available from the Apache project site, which isn't immediately obvious from the project's install instructions.

cd ~/dist/shibsp2/
wget http://xml.apache.org/security/dist/c-library/xml-security-c-1.4.0.tar.gz

Unpack XML-Security-C:

cd ~/src/shibsp2/
tar -xzf ~/dist/shibsp2/xml-security-c-1.4.0.tar.gz
cd xml-security-c-1.4.0

Build it:

./configure --without-xalan --prefix=/opt/shibboleth-sp
make
make install

Build XMLTooling-C

Read the component instructions and download:

cd ~/dist/shibsp2
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/xmltooling-1.0.tar.gz

Unpack it:

cd ~/src/shibsp2
tar -xzf ~/dist/shibsp2/xmltooling-1.0.tar.gz
cd xmltooling-1.0

Build it:

./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make
make install

Build OpenSAML-C

Read the component instructions and download:

cd ~/dist/shibsp2
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/opensaml-2.0.tar.gz

Unpack it:

cd ~/src/shibsp2
tar -xzf ~/dist/shibsp2/opensaml-2.0.tar.gz
cd opensaml-2.0

Build it:

./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make
make install

Build Shibboleth 2.0 SP

Read the ShibSP Source build instructions and download:

cd ~/dist/shibsp2
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/shibboleth-sp-2.0.tar.gz

Unpack it:

cd ~/src/shibsp2
tar -xzf ~/dist/shibsp2/shibboleth-sp-2.0.tar.gz
cd shibboleth-sp-2.0

Build it:

./configure --with-log4shib=/opt/shibboleth-sp --prefix=/opt/shibboleth-sp -C
make
make install

This completes the build sequence. Now you're ready to integrate with Apache and test.

Configure Apache

Be sure to read the Basic Configuration steps with the following adjustments for openSUSE 10.3.

You don't need to worry about setting the LD_LIBRARY_PATH variable.

On openSUSE, you can get a basic working configuration for Apache in place with the following commands run as root.

Turn on change tracking for the /etc/sysconfig/apache2 configuration file:

cd /etc/sysconfig
mkdir RCS
ci -l apache2
# type "start"
# press enter
# type "." (a single period)
# press enter

Copy the Shibboleth configuration file to the apache configuration directory.

cp /opt/shibboleth-sp/etc/shibboleth/apache22.config /etc/apache2/conf.d/shibsp2.conf

Edit /etc/sysconfig/apache2 and turn on SSL configuration support by adding SSL to APACHE_SERVER_FLAGS.

Create a virtual host for SSL service

cd /etc/apache2/vhosts.d
cp vhost-ssl.template `hostname`-ssl.conf

Edit this new config file. Uncomment the ServerName directive and change www.example.com to your hostname.

Create a default, self-signed certificate according to the instructions in /etc/sysconfig/apache2's section on MOD_SSL:

cd /usr/share/doc/packages/apache2
./certificate.sh
# Accept all defaults by just pressing enter
# Except on the "passphrase for key" option, choose "n" (an unencrypted key lets Apache start unattended)

Apache needs to write to a log directory under /opt/shibboleth-sp (var/log/httpd by default). Rather than changing the default, the quick fix is to let Apache write to this directory:

chmod o+wt /opt/shibboleth-sp/var/log/httpd

Note: this makes the directory world-writable. The t (sticky bit) is what limits the damage, since it means only a file's owner, the directory owner or root can delete or rename entries there, so keep it. For anything beyond a throwaway development box, give the directory to the Apache user and group instead (wwwrun and www on openSUSE) and drop the world-writable bit.

Restart Apache

/etc/init.d/apache2 restart

As your ordinary user account, start the shibd process:

cd /opt/shibboleth-sp
/opt/shibboleth-sp/sbin/shibd &

Connect to the URL https://localhost/Shibboleth.sso/Status (the Status handler only answers requests from 127.0.0.1 in the default configuration). You should see an XML document that, near the end, reports:

<Status>
 <OK/>
</Status>

This should take care of your basic needs for apache and testing the SP.
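A smoke test for the build and Apache integration described above, added here as an example (it is not part of the original page or of the Shibboleth distribution). It checks that each build step left its library under the prefix, that the log directory permission shortcut from this section has not been left worse than it needs to be, and that the Status handler answers with <OK/> over a TLS connection verified against the self-signed certificate rather than with verification switched off. The expected file list, the module name mod_shib_22.so and the certificate path /etc/apache2/ssl.crt/server.crt are assumptions about where the steps above put things, not facts stated on this page.

```shell
#!/bin/sh
# shibsp-smoke.sh: post-build and post-configuration checks for the SP built above.
# Added example; not code from the original page or from the Shibboleth project.
# Assumptions (not from the page): the file names in SHIBSP_EXPECTED are what the
# configure/make install steps leave under the prefix, and certificate.sh wrote the
# self-signed server certificate to /etc/apache2/ssl.crt/server.crt.

SHIBSP_PREFIX="${SHIBSP_PREFIX:-/opt/shibboleth-sp}"

# Files each build step should have left behind, relative to the prefix.
SHIBSP_EXPECTED="lib/liblog4shib.so lib/libxerces-c.so lib/libxml-security-c.so \
lib/libxmltooling.so lib/libsaml.so lib/libshibsp.so \
lib/shibboleth/mod_shib_22.so sbin/shibd \
etc/shibboleth/shibboleth2.xml etc/shibboleth/apache22.config"

# check_shibsp_install PREFIX: report files missing from PREFIX; exit status is
# 0 when everything is present, otherwise the number of missing files.
check_shibsp_install() {
    prefix="$1"
    missing=0
    for f in $SHIBSP_EXPECTED; do
        if [ ! -e "$prefix/$f" ]; then
            echo "missing: $prefix/$f" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# check_log_dir DIR: the page makes var/log/httpd world-writable (chmod o+wt).
# Returns 1 if DIR is world-writable without the sticky bit (any local user
# could delete or replace Apache's SP logs), 2 if world-writable with the
# sticky bit (works, but a dedicated owner is tighter), 0 otherwise.
check_log_dir() {
    dir="$1"
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        if [ -n "$(find "$dir" -prune -perm -1000 -print)" ]; then
            echo "note: $dir is world-writable (sticky); prefer chown wwwrun:www and chmod 750" >&2
            return 2
        fi
        echo "warning: $dir is world-writable without the sticky bit" >&2
        return 1
    fi
    return 0
}

# status_ok: read a Status handler response on stdin; succeed only if it carries
# the <OK/> element the page says to look for.
status_ok() {
    grep -q '<OK/>'
}

# check_status [URL] [CACERT]: fetch the Status handler over TLS, verifying the
# server certificate against CACERT instead of disabling verification with -k.
check_status() {
    url="${1:-https://localhost/Shibboleth.sso/Status}"
    cacert="${2:-/etc/apache2/ssl.crt/server.crt}"
    curl -sS --cacert "$cacert" "$url" | status_ok
}

main() {
    check_shibsp_install "$SHIBSP_PREFIX"
    check_log_dir "$SHIBSP_PREFIX/var/log/httpd"
    check_status && echo "Status handler reports OK"
}

# Run the checks only when executed under this file name, so the functions can
# also be sourced from another script.
if [ "${0##*/}" = "shibsp-smoke.sh" ]; then main; fi
```

Save it as shibsp-smoke.sh and run it with sh once Apache and shibd are up; each check prints what it found on stderr and returns non-zero on a problem.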

Configure TestShib

The next stage of configuration involves configuring the SP to use the TestShib service as an IdP.

Please read over the notes on the shib wiki: https://spaces.internet2.edu/display/SHIB2/NativeSPInitialTesting

Goto: https://www.testshib.org/testshib-two

Log in.

Register a service provider.

In the form, choose the name of your host from the hostname command.

Uncheck "Check domain name validity" if you are behind a firewall.

Follow the remaining instructions

Note: if you're using Konqueror you may have trouble downloading the configuration file. Copy the URL and fetch it with wget, or use a different browser. Keep a copy of the shipped configuration first:

cd /opt/shibboleth-sp/etc/shibboleth
cp shibboleth2.xml shibboleth2.xml-orig
wget -O shibboleth2.xml 'url from browser in single quotes'

Don't be tempted to add --no-check-certificate: the file you are fetching is the SP's entire configuration, including which IdP and metadata it will trust, so it should not be pulled over an unverified TLS connection. If wget rejects the TestShib certificate, supply the issuing CA certificate with --ca-certificate instead.

Restart apache (as root) and shibd (as yourself).

You should now be able to access http://hostname/secure.

This should redirect you to the TestShib login and then back to your system. The resulting 404 error indicates success (that is, you authenticated and were authorized to see a page that does not exist yet).

Make a "secure" directory and put in a test php script:

mkdir /srv/www/htdocs/secure

Instead of the fancy PHP script from SWITCH, just use the following:

<?php phpinfo(); ?>

Save this as index.php in the secure directory. phpinfo() dumps the whole server environment, including every attribute the IdP released (they show up in the $_SERVER section), so it is handy for this test but should be removed once you are done.

There are some problems with the default attribute-map and attribute-policy files that prevent seeing the full list of attributes released by TestShib, but the basic tests above should show at least "entitlement" and unscoped affiliation.

To get the rest of the attributes, make the following changes to the attribute-map.xml and attribute-policy.xml files in /opt/shibboleth-sp/etc/shibboleth.

In attribute-map.xml, insert the following before the comment '<!-- Some more eduPerson attributes, uncomment these to use them... -->':

    <!-- working with testshib -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
    </Attribute>

    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>


    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
    <Attribute name="urn:oid:2.5.4.12" id="title"/>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>

For the attribute-policy.xml file replace

            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>

with

            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>

Then delete the lines:

        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="targeted-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>
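The two steps above that touch the SP's own configuration, pulling the generated shibboleth2.xml from TestShib and relaxing attribute-policy.xml, are the ones worth checking mechanically. The script below is an added example (not from this page or from the Shibboleth project): it fetches the generated configuration with certificate verification left on, refuses to overwrite shibboleth2.xml with anything that is not an SPConfig document and keeps a timestamped backup, and reports any affiliation, eppn or targeted-id rule in attribute-policy.xml that no longer references ScopingRules, which is exactly the state the edits above leave the file in. Assumptions: the root element name SPConfig, the rule id ScopingRules and the attributeID values come from the SP 2.0 default files as shown on this page (affiliation is presumed to be the rule the first replacement above belongs to), and the CA certificate for TestShib is whatever the caller passes in.

```shell
#!/bin/sh
# shibsp-config-audit.sh: safely install a downloaded shibboleth2.xml and flag
# attribute-policy.xml rules that have lost their scope checks.
# Added example; not code from the page or from the Shibboleth project.
# Assumptions: the SP config root element is <SPConfig ...> (SP 2.x), ScopingRules
# is the rule id from the default attribute-policy.xml, and the attributeIDs
# affiliation, eppn and targeted-id are the scoped rules in that file.

# fetch_sp_config URL CACERT DEST: download the generated config with TLS
# verification on (wget's default), trusting the CA that signed the TestShib
# server certificate rather than passing --no-check-certificate.
fetch_sp_config() {
    url="$1"; cacert="$2"; dest="$3"
    wget -q --ca-certificate="$cacert" -O "$dest" "$url"
}

# looks_like_sp_config FILE: refuse anything whose root element is not SPConfig
# (an HTML login or error page saved as XML is the usual failure).
looks_like_sp_config() {
    grep -q '<SPConfig[ >]' "$1"
}

# install_sp_config NEW DEST: validate NEW, keep a timestamped copy of DEST,
# then move NEW into place. Returns 1 and leaves DEST untouched on failure.
install_sp_config() {
    new="$1"; dest="$2"
    if ! looks_like_sp_config "$new"; then
        echo "refusing to install $new: no <SPConfig> root element" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.$(date +%Y%m%d%H%M%S).orig" || return 1
    fi
    mv "$new" "$dest"
}

# unscoped_rules FILE: print each attributeID that is scoped by convention
# (affiliation, eppn, targeted-id) but whose AttributeRule in FILE no longer
# references ScopingRules, or is missing altogether. Returns 1 if any are found.
unscoped_rules() {
    file="$1"
    found=0
    for attr in affiliation eppn targeted-id; do
        # Extract this attribute's rule body, then look for the scope reference.
        if sed -n "/attributeID=\"$attr\"/,/<\/afp:AttributeRule>/p" "$file" \
             | grep -q 'ref="ScopingRules"'; then
            continue
        fi
        echo "$attr: no ScopingRules reference, scope of IdP-asserted values is not checked" >&2
        found=1
    done
    return $found
}
```

Run unscoped_rules against attribute-policy.xml before moving an SP into a federation; a non-zero exit means scope validation is off for that attribute. The grep-and-sed approach is deliberately crude: it only recognises the rule layout of the default file, so a hand-restructured policy should be reviewed by eye as well.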

Both of these edits disable scope checking. In the default policy, ScopingRules is the rule that requires the scope on a scoped attribute (affiliation, eppn, targeted-id) to match a shibmd:Scope the IdP is permitted to assert in its metadata. Without it, an IdP can assert an eppn or affiliation in another organisation's scope and the SP will pass it through to the application, so treat this as a TestShib-only relaxation and restore the rules before the SP talks to any production IdP.

Note: It would be nice to do this as a patch, but the following produces a patch error. It's likely some shell special characters. Needs debugging.

cd /opt/shibboleth-sp/etc/shibboleth
patch -b attribute-map.xml << EOF
*** attribute-map.xml.dist      2008-04-12 05:40:00.000000000 -0500
--- attribute-map.xml.working   2008-04-12 09:31:50.000000000 -0500
***************
*** 42,48 ****
      <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
          <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
      </Attribute>
!
      <!-- Some more eduPerson attributes, uncomment these to use them... -->
      <!--
      <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
--- 42,79 ----
      <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
          <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
      </Attribute>
!
!     <!-- working with testshib -->
!     <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id=
! "primary-affiliation">
!         <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false
! "/>
!     </Attribute>
!
!     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
!         <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
!     </Attribute>
!
!     <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
!     <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
!     <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
!     <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
!     <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
!     <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
!     <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
!
!
!     <Attribute name="urn:oid:2.5.4.3" id="cn"/>
!     <Attribute name="urn:oid:2.5.4.4" id="sn"/>
!     <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
!     <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
!     <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
!     <Attribute name="urn:oid:2.5.4.12" id="title"/>
!     <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
!
!
!
!
      <!-- Some more eduPerson attributes, uncomment these to use them... -->
      <!--
      <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
EOF
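Review bot: the heredoc delimiter is unquoted (`patch -b attribute-map.xml << EOF`), so before patch ever sees the text the shell expands `$NameQualifier`, `$SPNameQualifier` and `$Name` on the context line `formatter="$NameQualifier!$SPNameQualifier!$Name"` (present on both the `***` and `---` sides of the hunk) to empty strings; those context lines then no longer match attribute-map.xml and the hunk is rejected, which is the "patch error" noted above. In an interactive bash session `!$` is additionally subject to history expansion. Quote the delimiter (`<< 'EOF'`) or, simpler, save the hunk to a file and run `patch -b attribute-map.xml < attribute-map.patch`. Separately, two added lines are wrapped mid-attribute (`id=` / `"primary-affiliation">` and `caseSensitive="false` / `"/>`), so even once the patch applies the resulting file is not well-formed XML; rejoin them before using this patch.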

After fixing these two files you should be able to see all the attributes released by TestShib in the phpinfo() output. This should also provide an SP configuration you can use for application development, either by putting your app in the secure folder or by extending the RequestMap configuration in shibboleth2.xml.