Shibboleth - Random

Configuration

All configuration files are located in /opt/shibboleth-idp or /opt/jetty. The only exceptions are Java, which was installed in /usr/java/jre1.8.0_121, and PostgreSQL, whose data lives in /var/lib/pgsql/data/.

/opt/shibboleth-idp/conf

  • services.xml - This file was edited to allow Edugate to manage our Attribute Filter release. The item “shibboleth.AttributeFilterResources” consumes the Bean “FileBackedEduGateAttributeFilter” and downloads the filter list provided by Edugate instead of requiring Shibboleth to be manually updated for every single IdP.
  • saml-nameid.xml - This file was edited to allow the IdP to automatically generate Persistent-IDs for SAML 2.0 and store them in the PostgreSQL DB.
  • saml-nameid.properties - This file was edited to provide global settings for the Persistent-IDs generation.
  • metadata-providers.xml - This file was edited to declare the metadata sources which the IdP will consume. At the time of writing there are three metadata files: Edugate, Moodle and EZProxy.
  • attribute-filter.xml - This file was edited to declare which attributes the IdP is allowed to release. The IdP is also consuming the AttributeFilter files from Edugate, which contain a list of all IdP/SP members. This file can be used for local SPs which are not part of Edugate yet, i.e. Moodle. Ideally we should manage all attribute-filter rules from the Edugate portal only.
  • idp.properties - This file was edited to change the ‘scope’ variable to x.x; it also contains information about the IdP encryption certificates used by SAML and should not be modified.
  • ldap.properties - This file was edited to allow Shibboleth to authenticate users against the student domain using LDAPS. All details about authenticators, credentials and certificates are detailed there.
  • attribute-resolver.xml - This file was edited to include all the attributes the IdP needs to resolve. This includes attributes originating from LDAP, static values, PostgreSQL and other attributes (aliases).

Packages installed

  • Postgresql-9.2.18 - Data source used to store Persistent-IDs.
  • Commons-pool2-2.4.2 - Apache Commons dependency in order to use the PostgreSQL connector.
  • Commons-dbcp2-2.1.1 - Apache Commons dependency in order to use the PostgreSQL connector.
  • Java JRE 1.8.0_121 - That was the latest available version at time of deployment.
  • CentOS 7.2 - That was the latest available version at time of deployment.
  • Jetty 9.3 - That was the latest available version at time of deployment.
  • Shibboleth IdP 3.3 - That was the latest available version at time of deployment.
  • Raptor ICA 1.2.3 - That was the latest available version at time of deployment.

Troubleshooting LDAPS certificate

Verify:

vim /opt/shibboleth-idp/conf/ldap.properties

Compare the certificate on the server:

vim /opt/shibboleth-idp/credentials/ldap-server.crt
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----

With the output of the one retrieved:

openssl s_client -connect x.x.x:636
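The comparison above can be automated so the stored ldap-server.crt and the certificate the LDAPS server actually presents are checked by SHA-256 fingerprint rather than by eye. This is an added example written for this page, not code from the Shibboleth project; it uses only the Python standard library, takes the credential path from this page, and assumes the placeholder host x.x.x is replaced with the real LDAPS server. The embedded sample certificate and s_client output are constructed, not real.

```python
import base64
import hashlib
import re
import ssl
from typing import List, Tuple

LOCAL_CRT = "/opt/shibboleth-idp/credentials/ldap-server.crt"  # path from this page
LDAP_HOST = "x.x.x"  # placeholder from this page; replace with the real LDAPS host
LDAPS_PORT = 636

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample of a stored .crt and of `openssl s_client` output (not real certs).
SAMPLE_LOCAL_CRT = "-----BEGIN CERTIFICATE-----\nbm90IGEgcmVhbCBj\nZXJ0aWZpY2F0ZQ==\n-----END CERTIFICATE-----\n"
SAMPLE_SCLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = ldap.example.test
Certificate chain
 0 s:CN = ldap.example.test
-----BEGIN CERTIFICATE-----
bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
---
"""

def extract_pem_certs(text: str) -> List[str]:
    """Base64 bodies of every PEM certificate in `text`, whitespace removed.
    Works on a bare .crt file and on raw s_client output with its handshake chatter."""
    return [re.sub(r"\s+", "", body) for body in PEM_RE.findall(text)]

def sha256_fingerprint(b64_body: str) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    der = base64.b64decode(b64_body)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def fetch_server_pem(host: str = LDAP_HOST, port: int = LDAPS_PORT) -> str:
    """PEM of the leaf cert the server presents; no validation, we only want to see it."""
    return ssl.get_server_certificate((host, port))

def compare(local_text: str, remote_text: str) -> Tuple[bool, str, str]:
    """(match, stored_fingerprint, server_fingerprint) for the first cert in each input."""
    local, remote = extract_pem_certs(local_text), extract_pem_certs(remote_text)
    if not local or not remote:
        raise ValueError("no PEM certificate block found in one of the inputs")
    lfp, rfp = sha256_fingerprint(local[0]), sha256_fingerprint(remote[0])
    return lfp == rfp, lfp, rfp

if __name__ == "__main__":
    with open(LOCAL_CRT) as fh:
        match, lfp, rfp = compare(fh.read(), fetch_server_pem())
    print(f"stored {lfp}\nserver {rfp}\n{'MATCH' if match else 'MISMATCH: update ldap-server.crt'}")
```

A MISMATCH means the server's certificate was rotated without ldap-server.crt being updated, which is the usual cause of LDAPS authentication suddenly failing after a restart.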

IdP Operation

Restarting Shibboleth (takes ~0.5 minutes) restarts Jetty and all services within it, including all metadata files, LDAP, filters, etc.

systemctl restart shibboleth-idp

This URL allows you to check the individual status of each service provided by the Shibboleth IdP. This includes LDAP, Filters, resolvers, metadata, web service, etc.

https://x.x.x/idp/status

This URL allows the download of the IdP’s metadata. Might need to run export JAVA_HOME=/usr/java/jre1.8.0_121/ before.

https://x.x.x/idp/shibboleth

Restarting individual components:

https://x.x.x/idp/profile/admin/reload-service?id=shibboleth.AttributeResolverService
https://x.x.x/idp/profile/admin/reload-service?id=shibboleth.LoggingService
https://x.x.x/idp/profile/admin/reload-service?id=shibboleth.ReloadableAccessControlService
https://x.x.x/idp/profile/admin/reload-service?id=shibboleth.MetadataResolverService
https://x.x.x/idp/profile/admin/reload-service?id=shibboleth.RelyingPartyResolverService
https://x.x.x/idp/profile/admin/reload-service?id=shibboleth.NameIdentifierGenerationService
https://x.x.x/idp/profile/admin/reload-service?id=shibboleth.AttributeFilterService

SP Operation

Get SP metadata:

https://x.x.x/Shibboleth.sso/Metadata

Get SP session status and attributes released:

https://x.x.x/Shibboleth.sso/Session

Customizing Layout

Rebuild WAR file:

/opt/shibboleth-idp/bin# ./build.sh 

Might need to run export JAVA_HOME=/usr/java/jre1.8.0_121/ before

Changing the login and logout pages doesn’t require a restart/reload:

/opt/shibboleth-idp/views/logout.vm
/opt/shibboleth-idp/views/login.vm

CSS edits need to be made in all three of these locations together, followed by a WAR file rebuild:

/opt/shibboleth-idp/edit-webapp/css/main2.css
/opt/shibboleth-idp/webapp/css/main2.css
/opt/shibboleth-idp/views/css/main2.css

Sources:

  • https://technical.edugain.org/entities - Check the status of any IdP member.
  • https://technical.edugain.org/status - Check the status of any federation member.
  • https://sp.testshib.org/ - Use the Testshib Service Provider to perform tests against any IdP member. We are consuming their metadata and our metadata was already uploaded to it, but it is periodically purged on their end, so it needs to be uploaded again before you perform a test. To do that, access https://www.testshib.org/register.html and upload our metadata, which can be obtained from https://x.x.x/idp/shibboleth
  • https://edugate.heanet.ie/Whoami/ - This is an SP provided by HEAnet which works similarly to Testshib: it lists all federation members and allows them to authenticate against their IdPs. After the authentication process the SP shows all the attributes which were released by the institution. They can be configured manually at the local Shibboleth level (attribute-filter.xml) or via Edugate itself.
  • https://edugate.heanet.ie/rr3/ - This is the Edugate Resource Registry page; it is used to manage all settings related to IdPs and SPs. Most of the metadata’s XML is parsed into a web front end which allows institutions to modify it easily. Be aware that such a modification affects the metadata consumed by the Edugate and Edugain members, but does not modify the metadata maintained in house on your IdP, available at https://x.x.x/idp/shibboleth. That local metadata must be updated manually. A few useful parameters can be altered on the Edugate RR, including Logo, Description, Location, Contacts, etc. Some parameters can be modified but are submitted for approval, i.e. Scopes.
  • https://spaces.internet2.edu/pages/viewpage.action?pageId=49841792 - This article provides a step-by-step guide describing how to deploy a Shibboleth 3.3 IdP on Red Hat (we used CentOS) and Jetty 9.3.
  • http://www.testshib.org/ - This website allows the administrator to test an IdP and/or SP.
  • https://www.switch.ch/aai/guides/idp/installation/ - This article provides steps to configure Shibboleth for the Switch federation, but the part we are interested in is how to configure PostgreSQL for Persistent-ID generation.
  • https://wiki.shibboleth.net/confluence/display/IDP30/Home - This website was used as a reference guide most of the time, as it doesn’t provide clear configuration steps for putting things together.
  • http://shibboleth.1660669.n2.nabble.com/ - This is the main Shibboleth mailing list. Most of the topics are highly advanced, so do your background research before you submit a question.
  • https://www.unicon.net/about/blogs/ldap-tlsssl-config-shibboleth-idp-explained - This article was used to help configure Shibboleth to use LDAPS.
  • https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc - This article was used to help enable LDAPS on our domain, as it is not enabled by default.