Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

1/22

InstallaShibbolethv3IdPonUbuntuLinux(version14.04LTS)

Author:PascalPanneels,Belnet-R&EFederationVersions:

- 1.0(27/10/2015):initialrelease,formatandcontentinspiredby:o Tuakiri’sIdPv3document(cfr.

https://tuakiri.ac.nz/confluence/display/Tuakiri/Installing+a+Shibboleth+3.x+IdP)o SWITCH’sShibbolethIdentityProvider(IdP)3InstallationGuide(cfr.

https://www.switch.ch/aai/guides/idp/installation/)- 1.1(07/12/2015):fixessomeproblemswithURLsgiveninthedocument(thankstoSteveColin

fromHECondorcet)

ForewordThisdocumentexplainshowtoinstallanidentityprovider(furtherreferredasIdP)basedonShibbolethmajorversion3.Asthemiddlewarehasbeencompletelyrewritten,Shibboleth’sdocumentsreferringtoversion2mayhavebecomedobsolete.Thereare2methodstoinstalltheversion3,eitherasanautomaticupgradeonaversion2instance,orasavanillainstallation.Itisthelastoptionthatwillbeexplainedhere.Automaticupgrademayworkbut,theobtainedsetupwillnotbecompatiblewithallthenewfeaturesofShibbolethversion3(astheclusteringofIdPforexample,theusersconsentsofattributes,etc).Youcanobtaineditworkingbytweakingthegeneratedconfigurationfiles,butitis,IMHO,ratherdifficultwithoutaverygoodknowledgeandunderstandingofShibboleth3.So,werecommendtoproceedtoafreshsetupsuchasdescribedinthisdocument.

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

2/22

Tableofcontent

0.Prerequisites........................................................................................................................................................................................31.Installationofrequiredsoftwares..............................................................................................................................................32.BasicShibbolethIdPinstallation.................................................................................................................................................32.1.Rationale.............................................................................................................................................................................................32.2.InstallShibbolethmiddlewareitself........................................................................................................................................42.3.ConfigureTomcatanddeploytheIdPWAR.........................................................................................................................42.4.ConfigureApache.............................................................................................................................................................................52.5.Setupthemetadataandthemetadataservice...................................................................................................................62.6.ConfiguretheLDAPAuthenticationservice.........................................................................................................................92.7.LinktheAttributeResolvertotheLDAPserver..................................................................................................................92.8.ConfiguretheAttributeResolver–definetheattributes............................................................................................102.9.ConfigureAttributesRelease...................................................................................................................................................14

3.RegistertheIdPintheBelnetFederation..............................................................................................................................153.1.Uploadyourmetadata...............................................................................................................................................................15

4.StartyourIdP.....................................................................................................................................................................................165.Advancedconfiguration................................................................................................................................................................175.1.Databases.........................................................................................................................................................................................175.2.Tweakingautomaticreloadtime..........................................................................................................................................195.3.ConfiguringSingleLogout........................................................................................................................................................195.4.Setuptheconsentmodule.........................................................................................................................................................205.5.DataSealerKeyRefreshing.......................................................................................................................................................215.6.CustomizationandBranding...................................................................................................................................................21

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

3/22

0.Prerequisites

Wesupposethatthefollowingrequirementsaremet:

- Hardware:themachinewouldhaveaminimumof2GBofRAMand20GBofHDDspace;itmaybeaphysicalofvirtualmachine.

- OperatingSystem:properlyinstalledUbuntuLinuxserverversion14.04LTSorabove;otherLinuxOSwouldworkbutarenotcoveredbythisdocument,butyoumayfindessentialtokeepyouontrackwiththeuseddistributioninyourinstitution.

- Network:o astaticIPpublicaddress(v4/v6);o anassociateddomainnameintheformatofidp.yourdomain.be;o adaptedfirewallrulestopermittraficflowsofTCPports80,443and8443;o noproxybetweenthemachineandtheNet(itmayresultinSSLfailures);o NTPsynchronized;mayusentp.belnet.beastimeserver.

- PublicX509servercertificate:issuedfortheallocatedservername;itcanbeobtainedviaourDCSserviceforexample;

- AccesstoaLDAPdirectory:accesstothepersonalaccountsofyourinsitutiontobeusedbytheIdP;youneedtohavefollowing:

o LDAPserverIP/hostnameandportnumber(ifnotdefault);o searchbase;o bindDNaccountforgenericreadqueries;o bindpasswordforthisaccount

- youareworkingundertherootaccountofyoursystem;ifnot,openaterminalandissuefollowingcommand:sudosu–

1.Installationofrequiredsoftwares

1. Apache,Java,Tomcat:(usedtomakeShibboleth’sbaseworks)

apt-getinstallapache2openjdk-7-jdktomcat7

2. InstallMySQLserver:(ie:usedtostoretheusersconsentswhenvisitingsites)

apt-getinstallmysql-clientmysql-server(OtherDB-likepostgresql-maybeinstalledbutwe’llonlycoverMySQL)

Thenotionofuser’sconsentswillbeexplainedlater.

2.BasicShibbolethIdPinstallation

2.1.RationaleToclarify,wewilldefinesomeshellvariablescontainingusefulshortcuts;toproceed,createafilenamed:/etc/profile.d/shib.shcontainingfollowingcontent:

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

4/22

IDP_VERSION="3.1.2"SHIB_HOME=/opt/shibboleth-idpSHIB_INST_HOME=/root/shibboleth-identity-provider-$IDP_VERSIONIDP_HOME=/opt/shibboleth-idpJAVA_HOME=/usrexportSHIB_HOMEIDP_HOMEJAVA_HOMESHIB_INST_HOMEIDP_VERSIONYoushouldadapttheIDP_VERSIONaccordingtothelatestreleaseyouwillinstallofcourse.Makethefileexecutableandlaunchitinyourterminal:chmod+x/etc/profile.d/shib.sh/etc/profiled.d/shib.sh

2.2.InstallShibbolethmiddlewareitself

- CheckthelatestversionofShibbolethonhttp://www.shibboleth.net/downloads/identity-provider/

- PreparetheinstallationandgetthelatestversionoftheIdP:

cd/rootwgethttp://www.shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-${IDP_VERSION}.tar.gztarxzfshibboleth-identity-provider-${IDP_VERSION}.tar.gzcd$SHIB_INST_HOME

- Launchtheinstaller:sh./bin/install.sh

- Youranswerstotheinstaller’squestionsshouldbeinspiredbythefollowing:o sourcedirectory:confirmthecurrentone(simplypressENTER);o installationdirectory:accept/opt/shibboleth-idp/;o hostname:theoneyou’vedefinedealierinyourDNS,suchasidp.yourdomain.be;o SAMLentityID:accepttheproposedone(ie:https://idp.yourdomain.be/idp/shibboleth);o attributescope:shouldbesettoyourdomain.be;o passphrasetoprotectthegeneratedkeystore:youmayleavethedefaultone(changeit);

ELABORATEONTHISPARTBEFOREPUBLISHING!!- Aftertherun,thewebapplicationwillbeinstalledin/opt/shibboleth-idp/war/idp.war.- SOMETHINGTOSAYOVERGENERATEDCERTIFICATESHEREBEFOREPUBLISHING!!

2.3.ConfigureTomcatanddeploytheIdPWAR

- Createafilein/etc/tomcat7/Catalina/localhost/idp.xmlcontainingfollowing:

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

5/22

<ContextdocBase="/opt/shibboleth-idp/war/idp.war"unpackWAR="false"swallowOutput="true"><Managerpathname=""/></Context>

- Definethecorrectconnectorsin/etc/tomcat7/server.xml:AddfollowingAJPone: <Connectorport="8009"address="127.0.0.1"protocol="AJP/1.3"enableLookups="false"tomcatAuthentication="false"/> Commenttheonesforport8080and8443byenclosingthemin<!--…-->.

- TweakTomcatsettingsformemoryusagetousesomethinglike1GBofRAMbyeditting/etc/defaults/tomcat7: JAVA_OPTS="-server-Djava.security.egd=file:/dev/./urandom-Xms768m-Xmx1024m"

- InstallamissingrequiredJavalibraryforShibbolethv3toproperlywork:apt-getinstalllibjstl1.1-java

2.4.ConfigureApacheTheconfigurationofApacherequiresfollowing:

- Listenonport443,8443Itis,inprinciple,alreadyOKaslongasyouhaveenabledmod_sslinApache;ifnot,enterfollowingcommand:a2enmodmod_ssl

- Setup2virtualhostsforyourIdP;Youmayusefollowingconfigurationasatemplateandputinafilesuchas/etc/apache2/site-available/idp.conf:<VirtualHost*:443>ServerNameidp.YOURDOMAIN.beServerAdminadmin@YOURDOMAIN.beCustomLog/var/log/apache2/idp.YOURDOMAIN.be.access.logcombinedErrorLog/var/log/apache2/idp.YOURDOMAIN.be.error.logSSLEngineOnSSLCipherSuiteHIGH:MEDIUM:!aNULL:!kRSA:!MD5:!RC4

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

6/22

SSLProtocolall-SSLv2-SSLv3SSLCertificateKeyFile/etc/ssl/private/idp.YOURDOMAIN.be.keySSLCertificateFile/etc/ssl/certs/idp.YOURDOMAIN.be.crtSSLCertificateChainFile/etc/ssl/certs/DigiCertCA.crtProxyPass/idpajp://localhost:8009/idpretry=5<Proxyajp://localhost:8009>Requireallgranted</Proxy></VirtualHost>

YoumaycreateasimilarconfigurationforVirtualHost:8443.Theaccesstoport8443(=usedbySOAPisnecessaryifyouusetheSingleLogoutfeature.Intheconfiguration,wesupposethatyou’veobtainedacertificatefromourcurrentprovider(DigiCert);you’dmodifytheSSLCertificateChainFileparameteraccordingtoyourproviderifitisadifferentoneofcourse.You’dreplacetheServerNamewiththeonethatfitsyoursandalsothewordYOURDOMAINwithyoursofcourse.Don’tforgettoenableyournewwebsite:a2ensiteidpa2ensiteidp8443

- RestartApachetomakethechangeseffective:serviceapache2restart

2.5.SetupthemetadataandthemetadataserviceInordertomakethefederationworking,weneedtodescribethenewIdPrelatedinformationsandpublishittoourFederation’spals.ItisdoneusingaXMLformattedfilecalledametadatafile.ThepublicationisdonebyBelnetafteruploadingthemetadatafiletotheFederationMetadatamanagerwebsite.WewillglueallthereceivedmetadatafilestogetherintheglobalfederationmetadatafilethatwillbevalidatedandsignedbyBelnetinorderforallparticipantstobeabletotrusttheverifiedsignatureofthedata.

- IdPmetadatafileThefileis/willbelocatedin$SHIB_HOME/metadata/idp-metadata.xmlHereisanexample:

<EntityDescriptorxmlns="urn:oasis:names:tc:SAML:2.0:metadata"xmlns:ds="http://www.w3.org/2000/09/xmldsig#"xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"xmlns:xml="http://www.w3.org/XML/1998/namespace"xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"entityID="https://idp.YOURDOMAIN.be/idp/shibboleth"><Extensions><mdrpi:RegistrationInforegistrationAuthority="http://federation.belnet.be/"registrationInstant="2012-03-27T12:00:00Z"><mdrpi:RegistrationPolicyxml:lang="en">http://federation.belnet.be/files/Belnet-metadata-registration-practice-statement.txt</mdrpi:RegistrationPolicy></mdrpi:RegistrationInfo></Extensions>

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

7/22

<IDPSSODescriptorprotocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocolurn:oasis:names:tc:SAML:1.1:protocolurn:mace:shibboleth:1.0">

<Extensions><shibmd:Scoperegexp="false">YOURDOMAIN.be</shibmd:Scope><mdui:UIInfoxmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"><mdui:DisplayNamexml:lang="en">YOUR_INSTITUTION_NAME</mdui:DisplayName><mdui:Descriptionxml:lang="en">INSTITUTIONISADOINGRESEARCHIN…</mdui:Description><mdui:Logoheight="16"width="16">https://www.YOURDMAIN.be/images/smallINSTITUTIONlogo.png</mdui:Logo><mdui:Logoheight="75"width="153">https://www.YOURDOMAIN.be/images/INSTITUTIONlogo.png</mdui:Logo></mdui:UIInfo><mdui:DiscoHintsxmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"><mdui:IPHint>YOURIPV4RANGE/24</mdui:IPHint><mdui:IPHint>YOURIPV6RANGE/48</mdui:IPHint><mdui:DomainHint>YOURDOMAIN.be</mdui:DomainHint><mdui:GeolocationHint>geo:50.825312,4.365471</mdui:GeolocationHint></mdui:DiscoHints></Extensions><KeyDescriptoruse="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>…>>PASTEHEREYOURCERTIFICATE<<…</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><ArtifactResolutionServiceBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"Location="https://idp.YOURDOMAIN.be:8443/idp/profile/SAML1/SOAP/ArtifactResolution"index="1"/><ArtifactResolutionServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"Location="https://idp.YOURDOMAIN.be:8443/idp/profile/SAML2/SOAP/ArtifactResolution"index="2"/><SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"Location="https://idp.YOURDOMAIN.be/idp/profile/SAML2/Redirect/SLO"/><SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"Location="https://idp.YOURDOMAIN.be/idp/profile/SAML2/POST/SLO"/><SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"Location="https://idp.YOURDOMAIN.be/idp/profile/SAML2/POST-SimpleSign/SLO"/><SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"Location="https://idp.YOURDOMAIN.be:8443/idp/profile/SAML2/SOAP/SLO"/><NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnServiceBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"Location="https://idp.YOURDOMAIN.be/idp/profile/Shibboleth/SSO"/><SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"Location="https://idp.YOURDOMAIN.be/idp/profile/SAML2/POST/SSO"/><SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"Location="https://idp.YOURDOMAIN.be/idp/profile/SAML2/POST-SimpleSign/SSO"/><SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"Location="https://idp.YOURDOMAIN.be/idp/profile/SAML2/Redirect/SSO"/></IDPSSODescriptor><AttributeAuthorityDescriptorprotocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"><Extensions><shibmd:Scoperegexp="false">YOURDOMAIN.be</shibmd:Scope></Extensions><KeyDescriptoruse="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>…

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

8/22

>>PASTEHEREYOURCERTIFICATE<<…

</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor><AttributeServiceBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"Location="https://idp.YOURDOMAIN.be:8443/idp/profile/SAML1/SOAP/AttributeQuery"/><!--<AttributeServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"Location="https://idp.YOURDOMAIN.be:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>--></AttributeAuthorityDescriptor><Organization><OrganizationNamexml:lang="en"xmlns:xml="http://www.w3.org/XML/1998/namespace">YOURORGANISATION</OrganizationName><OrganizationDisplayNamexml:lang="en"xmlns:xml="http://www.w3.org/XML/1998/namespace">YOURORGANISATIONIdP</OrganizationDisplayName><OrganizationURLxml:lang="en"xmlns:xml="http://www.w3.org/XML/1998/namespace">http://www.YOURDOMAIN.be/</OrganizationURL></Organization><ContactPersoncontactType="technical"><GivenName>YOURORGANISATIONTechnicalStaff</GivenName><SurName>YOURORGANISATION</SurName><EmailAddress>mailto:admin@YOURDOMAIN.be</EmailAddress><TelephoneNumber>+32-1-11111111</TelephoneNumber></ContactPerson></EntityDescriptor>

Youmaydownloadthisfilefromhttp://federation.belnet.be/shib3/doc/metadata-example.xmlYou’dreplaceallthepartsinREDbyappropriatevaluesforyourowninstitution.ThepartinGREENismandatorytobepublishedineduGAIN’sfederation;itisworthtoleaveit.

- Uploadyourmetadatatoourmetadata’smanagerwebsiteGotofollowingURL:https://federation.belnet.be/re/md-mgmt/andfollowthe«uploadyourmetadata’s»instructions.

- ConfigurethemetadataserviceonyourIdPThereareseveralwaystoorganizetheneededinformation,butforsanitywe’vedecidedtosetupitasfollowing:wgethttp://federation.belnet.be/shib3/doc/metadata-example.xml

o renamethisfileto$SHIB_HOME/conf/metadata-example.xmlo editthefile$SHIB_HOME/conf/services.xml,locatesection

shibboleth.MetadataResolverResourcesandreplaceitbyfollowinglines:

<util:listid="shibboleth.MetadataResolverResources"><value>%{idp.home}/conf/metadata-example.xml</value>

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

9/22

<value>%{idp.home}/system/conf/metadata-providers-system.xml</value></util:list>

o thesetuprequiresthatyouhaveBelnetFederation’scertificatetovalidatethesignature

ofthepublishedmetadata;togetit,issuefollowingcommand:wgethttps://federation.belnet.be/newcertificate.federation.belnet.be.pem-O/opt/shibboleth-idp/conf/credentials/certificate.federation.belnet.be.crt

2.6.ConfiguretheLDAPAuthenticationservice

TherearedifferentwaystosetuptheauthenticationmechanisminShibboleth.WehavechoosenheretoexplainthewayLDAPisworking.LDAPwillbeusedforbothauthenticationandattributesresolving.Ofcourse,someadaptationswillbedoneaccordingyourownsettings.TosetupLDAPauthentication,simplyeditthe$SHIB_HOME/conf/ldap.propertiesfileandchangeparametersinRED:idp.authn.LDAP.authenticator=bindSearchAuthenticatoridp.authn.LDAP.ldapURL=ldap://YOURLDAPSERVER:389idp.authn.LDAP.useStartTLS=falseidp.authn.LDAP.useSSL=falseidp.authn.LDAP.returnAttributes=uid,cn,mailidp.authn.LDAP.baseDN=dc=YOURTLD,dc=beidp.authn.LDAP.subtreeSearch=trueidp.authn.LDAP.userFilter=(uid={user})idp.authn.LDAP.bindDN=cn=YOURCN,dc=YOURTLD,dc=beidp.authn.LDAP.bindDNCredential=YOURCREDENTIALidp.authn.LDAP.dnFormat=uid=%s,dc=YOURTLD,dc=beidp.authn.LDAP.sslConfig=jvmTrust

2.7.LinktheAttributeResolvertotheLDAPserverEditthefile$SHIB_HOME/conf/attribute-resolver-ldap.xmlandsetupfollowing:

o WeneedtodefineadataconnectortoyourLDAPserver:addfollowinginthefile:

<resolver:DataConnectorid="myLDAP"xsi:type="dc:LDAPDirectory"ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"baseDN="%{idp.attribute.resolver.LDAP.baseDN}"principal="%{idp.attribute.resolver.LDAP.bindDN}"principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"><!--useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">--><dc:FilterTemplate><![CDATA[%{idp.attribute.resolver.LDAP.searchFilter}]]></dc:FilterTemplate><!--<dc:StartTLSTrustCredentialid="LDAPtoIdPCredential"xsi:type="sec:X509ResourceBacked"><sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate></dc:StartTLSTrustCredential>--></resolver:DataConnector>

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

10/22

Itisnowbesttocopythisconfigurationsnippettothefile$SHIB_HOME/conf/attribute-resolver.xmlinstead.

2.8.ConfiguretheAttributeResolver–definetheattributesTheconfigurationfortheattributeswillalsobesetin$SHIB_HOME/conf/attribute-resolver.xml.Youmayfindsomeexamplesofdefinedattributesinthefollowingfiles:$SHIB_HOME/conf/attribute-resolver-full.xml$SHIB_HOME/conf/attribute-resolver-ldap.xml

LinkexistingLDAPattributesFindbelowanexampleofwhatweuseaccordingtosomeofourowndefineddata:<?xmlversion="1.0"encoding="UTF-8"?><resolver:AttributeResolverxmlns:resolver="urn:mace:shibboleth:2.0:resolver"xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"xmlns:sec="urn:mace:shibboleth:2.0:security"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="urn:mace:shibboleth:2.0:resolverhttp://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsdurn:mace:shibboleth:2.0:resolver:pchttp://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsdurn:mace:shibboleth:2.0:resolver:adhttp://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsdurn:mace:shibboleth:2.0:resolver:dchttp://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsdurn:mace:shibboleth:2.0:attribute:encoderhttp://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsdurn:mace:shibboleth:2.0:securityhttp://shibboleth.net/schema/idp/shibboleth-security.xsd"><!--Belnetcoreattributes--><!--Affiliation(eduPersonAffiliation)--><resolver:AttributeDefinitionxsi:type="ad:Mapped"id="eduPersonAffiliation"sourceAttributeID="eduPersonAffiliation"><resolver:Dependencyref="myLDAP"/><resolver:DisplayNamexml:lang="en">Affiliation</resolver:DisplayName><resolver:DisplayNamexml:lang="fr">Affiliation</resolver:DisplayName><resolver:DisplayDescriptionxml:lang="en">Affiliation:TypeofaffiliationwithHomeOrganization</resolver:DisplayDescription><resolver:DisplayDescriptionxml:lang="fr">Typed'affiliationdansl'organisation</resolver:DisplayDescription><resolver:AttributeEncoderxsi:type="enc:SAML1String"name="urn:mace:dir:attribute-def:eduPersonAffiliation"/><resolver:AttributeEncoderxsi:type="enc:SAML2String"name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"friendlyName="eduPersonAffiliation"/><ad:DefaultValuepassThru="true"/><ad:ValueMap><ad:ReturnValue>member</ad:ReturnValue><ad:SourceValue>staff|student|faculty|employee</ad:SourceValue></ad:ValueMap><ad:ValueMap><ad:ReturnValue>$1</ad:ReturnValue><ad:SourceValue>(staff|student|faculty|employee)</ad:SourceValue></ad:ValueMap></resolver:AttributeDefinition><!--Scopedaffiliation(eduPersonScopedAffiliation)--><resolver:AttributeDefinitionid="eduPersonScopedAffiliation"xsi:type="ad:Scoped"scope="%{idp.scope}"sourceAttributeID="eduPersonAffiliation">

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

11/22

<resolver:Dependencyref="eduPersonAffiliation"/>

<resolver:DisplayNamexml:lang="en">Affiliation</resolver:DisplayName><resolver:DisplayNamexml:lang="fr">Affiliation</resolver:DisplayName><resolver:DisplayDescriptionxml:lang="en">Affiliation:TypeofaffiliationwithHomeOrganization</resolver:DisplayDescription><resolver:DisplayDescriptionxml:lang="fr">Typed'affiliationdansl'organisation</resolver:DisplayDescription><resolver:AttributeEncoderxsi:type="enc:SAML1ScopedString"name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/><resolver:AttributeEncoderxsi:type="enc:SAML2ScopedString"name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"friendlyName="eduPersonScopedAffiliation"/></resolver:AttributeDefinition><!--E-mail--><resolver:AttributeDefinitionid="email"xsi:type="ad:Simple"sourceAttributeID="mail"><resolver:Dependencyref="myLDAP"/><resolver:DisplayNamexml:lang="en">E-mail</resolver:DisplayName><resolver:DisplayNamexml:lang="fr">Email</resolver:DisplayName><resolver:DisplayDescriptionxml:lang="en">E-Mail:Preferredaddressfore-mailtobesenttothisperson</resolver:DisplayDescription><resolver:DisplayDescriptionxml:lang="fr">Exemple:jean.martin@example.org</resolver:DisplayDescription><resolver:AttributeEncoderxsi:type="enc:SAML1String"name="urn:mace:dir:attribute-def:mail"/><resolver:AttributeEncoderxsi:type="enc:SAML2String"name="urn:oid:0.9.2342.19200300.100.1.3"friendlyName="mail"/></resolver:AttributeDefinition><!--Givenname--><resolver:AttributeDefinitionid="givenName"xsi:type="ad:Simple"sourceAttributeID="givenName"><resolver:Dependencyref="myLDAP"/><resolver:DisplayNamexml:lang="en">Givenname</resolver:DisplayName><resolver:DisplayNamexml:lang="fr">Prénom</resolver:DisplayName><resolver:DisplayDescriptionxml:lang="en">Givennameofaperson</resolver:DisplayDescription><resolver:DisplayDescriptionxml:lang="fr">Prénomdel'utilisateur</resolver:DisplayDescription><resolver:AttributeEncoderxsi:type="enc:SAML1String"name="urn:mace:dir:attribute-def:givenName"/><resolver:AttributeEncoderxsi:type="enc:SAML2String"name="urn:oid:2.5.4.42"friendlyName="givenName"/></resolver:AttributeDefinition><!--Surname--><resolver:AttributeDefinitionid="surname"xsi:type="ad:Simple"sourceAttributeID="sn"><resolver:Dependencyref="myLDAP"/><resolver:DisplayNamexml:lang="en">Surname</resolver:DisplayName><resolver:DisplayNamexml:lang="fr">Nomdefamille</resolver:DisplayName><resolver:DisplayDescriptionxml:lang="en">Surnameorfamilyname</resolver:DisplayDescription><resolver:DisplayDescriptionxml:lang="fr">Nomdefamilledel'utilisateur.</resolver:DisplayDescription><resolver:AttributeEncoderxsi:type="enc:SAML1String"name="urn:mace:dir:attribute-def:sn"/><resolver:AttributeEncoderxsi:type="enc:SAML2String"name="urn:oid:2.5.4.4"friendlyName="sn"/></resolver:AttributeDefinition><!--TargetedID/PersistentID--><resolver:AttributeDefinitionid="eduPersonTargetedID"xsi:type="ad:SAML2NameID"sourceAttributeID="persistentID"nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"><resolver:Dependencyref="myStoredId"/><!--<resolver:Dependencyref="myLDAP"/>--><resolver:DisplayNamexml:lang="en">TargetedID</resolver:DisplayName><resolver:DisplayNamexml:lang="fr">TargetedID</resolver:DisplayName><resolver:DisplayDescriptionxml:lang="en">TargetedID:Auniqueidentifierforaperson,differentforeachserviceprovider.</resolver:DisplayDescription><resolver:DisplayDescriptionxml:lang="fr">TargetedID:Unidentifiantuniquedel'utilisateur,différentpourchaquefournisseurdeservice.</resolver:DisplayDescription><resolver:AttributeEncoderxsi:type="enc:SAML1XMLObject"name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"/><resolver:AttributeEncoderxsi:type="enc:SAML2XMLObject"name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"friendlyName="eduPersonTargetedID"/></resolver:AttributeDefinition><!--UniqueID--><resolver:AttributeDefinitionid="belnetEduPersonUniqueID"xsi:type="ad:Simple"sourceAttributeID="eduPersonPrincipalName"><resolver:Dependencyref="myLDAP"/><resolver:DisplayNamexml:lang="en">UniqueID</resolver:DisplayName><resolver:DisplayNamexml:lang="fr">IDunique</resolver:DisplayName><resolver:DisplayDescriptionxml:lang="en">UniqueID:Auniqueidentifierforaperson,mainlyforinter-institutionaluseridentification.</resolver:DisplayDescription><resolver:DisplayDescriptionxml:lang="fr">Identifiantuniquedel'utilisateurauseinsdel'AAI.</resolver:DisplayDescription>

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

12/22

<resolver:AttributeEncoderxsi:type="enc:SAML1String"name="urn:mace:belnet.be:attribute-def:belnetEduPersonUniqueID"/>

<resolver:AttributeEncoderxsi:type="enc:SAML2String"name="urn:oid:2.16.756.1.2.5.1.1.1"friendlyName="belnetEduPersonUniqueID"/></resolver:AttributeDefinition><!--A"copy"oftheUniqueIDwhichisusedforNameIDgenerationNotethatthereisnoAttributeEncoderonpurpose,asotherwisetheattributewouldbereleasedautomaticallyalongsidethepersistentID(NameIDgenerationtakesplaceaftertheattributefilteringstep).--><resolver:AttributeDefinitionid="%{idp.persistentId.sourceAttribute}"xsi:type="ad:Simple"sourceAttributeID="belnetEduPersonUniqueID"><resolver:Dependencyref="eduPersonPrincipalName"/></resolver:AttributeDefinition></resolver:AttributeResolver>

Definestaticattributes(optional)TheseattributesareusedforexampletodefineacommonattributesforallthepersonsinyourLDAP,withouthavingtoexplicitelydefineitinaLDAPfield.Ifyouneedsome,hereishowtodoit.FollowingexampleisusedtoexporttheschacHomeOrgusedbyourcurrentcertificatesprovider:<resolver:DataConnectorid="staticSchac"xsi:type="dc:Static"><dc:Attributeid="schacHomeOrg"><dc:Value>belnet.be</dc:Value></dc:Attribute></resolver:DataConnector>

Anddon’tforgettoaddthedefinitionfortheschacHomeOrgfieldaswell:<resolver:AttributeDefinitionid="schacHomeOrg"xsi:type="ad:Simple"sourceAttributeID="schacHomeOrg"><resolver:Dependencyref="staticSchac"/><resolver:AttributeEncoderxsi:type="enc:SAML1String"name="urn:oid:1.3.6.1.4.1.25178.1.2.9"/><resolver:AttributeEncoderxsi:type="enc:SAML2String"name="urn:oid:1.3.6.1.4.1.25178.1.2.9"friendlyName="schacHomeOrganization"/></resolver:AttributeDefinition>

Youmay,ofcourse,definemorethanonestaticattribute(thenitshouldbenicertorenametheidschacHomeOrgbysomethingmoregenericsuchasMyStaticAttributes…

DefineeduPersonTargetedIDattributeTheattributeisusedtouniquelyidentifyauserwhenvisitingaSP,eachvalueistiedtotheSPandthusdifferentwhenauservisitsanotherSP.Thevaluecanbecalculatedontheflyasahash(usingComputeIDconnector),orstoredinadatabase(throughStoreIDconnector).WeprefereusingtheStoreIDconnectorandstorethevalueinadatabaseasit:

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

13/22

- allowskeepingtrackofthevaluesissued(sitesvisitedbyeachuser);- makespossibletopreservethevalueswhenredeployingtheIdP(iftheentityIDchangesforexample);

- allowstorevokeindividualvaluesifaparticularuserwantstodiscontinuehisidentityataparticularsite.

Toproceedfollownextrules:

1. Addfollowingattributedefinitionintothe$SHIB_INST/conf/attribute-resolver.xml:

<resolver:AttributeDefinitionxsi:type="ad:SAML2NameID"id="eduPersonTargetedID"nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"sourceAttributeID="computedID"><resolver:Dependencyref="StoredIDConnector"/><resolver:DisplayNamexml:lang="en">TargetedID(opaqueper-serviceusername)</resolver:DisplayName><resolver:AttributeEncoderxsi:type="enc:SAML1XMLObject"name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"/><resolver:AttributeEncoderxsi:type="enc:SAML2XMLObject"name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"friendlyName="eduPersonTargetedID"/></resolver:AttributeDefinition>

2. Addfollowingconnectordefinition(intothesamefile):

<resolver:DataConnectorid="StoredIDConnector"xsi:type="dc:StoredId"sourceAttributeID="uid"salt="SALT-SALT-SALT"generatedAttributeID="computedID"><resolver:Dependencyref="myLDAP"/><dc:ApplicationManagedConnectionjdbcDriver="com.mysql.jdbc.Driver"jdbcURL="jdbc:mysql://localhost/idp_db?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"jdbcUserName="idp_admin"jdbcPassword="PASSWORD"/></resolver:DataConnector>

Ofcourse,youneedtoadaptwhatismentionedinREDtoyourownconfiguration.(seefurtheronhowtosetupMySQL).

3. SetupMySQLdatabaseandthetabletostorethevalues:

o asMySQLhasbeenalreadyinstalled,createtheusertoadministerit:§ mysql–uroot–p(ßenterthemysqlrootpasswordwhenasked)§ createuser‘idp_admin’@’localhost’identifiedby‘PASSWORD’;§ grantallprivilegesonidp_db.*to‘idp_admin’@’localhost’;

o createthedatabaseandtheneededtable:

§ mysql–uidp_admin–p(ßenterthe‘PASSWORD’whenasked)§ createdatabaseidp_db;§ useidp_db;§ CreatethetableshibpidwiththefollowingDDLcode(comingfrom

https://wiki.shibboleth.net/confluence/display/SHIB2/StoredIDDataConnectorDDL):

CREATETABLEIFNOTEXISTSshibpid(localEntityTEXTNOTNULL,peerEntityTEXTNOTNULL,principalNameVARCHAR(255)NOTNULLDEFAULT'',localIdVARCHAR(255)NOTNULL,persistentIdVARCHAR(36)NOTNULL,peerProvidedIdVARCHAR(255)DEFAULTNULL,creationDatetimestampNOTNULLDEFAULTCURRENT_TIMESTAMP,deactivationDateTIMESTAMPNULLDEFAULTNULL,KEYpersistentId(persistentId),

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

14/22

KEYpersistentId_2(persistentId,deactivationDate),KEYlocalEntity(localEntity(16),peerEntity(16),localId),KEYlocalEntity_2(localEntity(16),peerEntity(16),localId,deactivationDate))ENGINE=MyISAMDEFAULTCHARSET=utf8;

§ Addfollowingbean’sdefinitionin$SHIB_INST/conf/global.xml:

<beanid="shibboleth.JPAStorageService.DataSource"class="org.apache.tomcat.jdbc.pool.DataSource"destroy-method="close"lazy-init="true"p:driverClassName="com.mysql.jdbc.Driver"p:url="jdbc:mysql://localhost:3306/idp_db?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"p:validationQuery="SELECT1;"p:username="IDP_ADMIN"p:password="PASSWORD"/>

§ saltvaluemaybegeneratedbyfollowingcommand:

opensslrand–base644242isthelengthofthegeneratedbase64string;maybeadjustedtoyourownneeds.SimplyreplacethevalueSALT-SALT-SALTbytherandomlybase64generatedstring.

2.9.ConfigureAttributesRelease

- Youneedtoeditthefile$SHIB_INST/conf/attribute-filter.xml.- ItisimportanttohaveapolicyforeachSPyouwillletyourIdPconnectto,specifyingtheneeded

attributestobereleasetoit.- TheattributesaregivenusingtheirfriendlyIDasdefinedinthe$SHIB_INST/conf/attribute-

resolver.xmlfileearlier.- DocumentationofpolicymaybefoundonfollowingURL:

https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterConfiguration- FindherebelowanexamplerelatedtoourFileSenderservice:

<!--policyrequirementrulethatindicatesthispolicyisonlyusedforrequestsfromhttps://filesender.belnet.be--><afp:AttributeFilterPolicyid="release_to_filesender"><afp:PolicyRequirementRulexsi:type="basic:AttributeRequesterString"value="https://filesender.belnet.be"/><afp:AttributeRuleattributeID="uid"><afp:PermitValueRulexsi:type="basic:ANY"/></afp:AttributeRule><afp:AttributeRuleattributeID="eduPersonEntitlement"><afp:PermitValueRulexsi:type="basic:ANY"/></afp:AttributeRule><afp:AttributeRuleattributeID="organizationName"><afp:PermitValueRulexsi:type="basic:ANY"/></afp:AttributeRule><afp:AttributeRuleattributeID="preferredLanguage"><afp:PermitValueRulexsi:type="basic:ANY"/>

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

15/22

</afp:AttributeRule> <afp:AttributeRuleattributeID="eduPersonPrincipalName"><afp:PermitValueRulexsi:type="basic:ANY"/></afp:AttributeRule><afp:AttributeRuleattributeID="commonName"><afp:PermitValueRulexsi:type="basic:ANY"/></afp:AttributeRule><afp:AttributeRuleattributeID="mail"><afp:PermitValueRulexsi:type="basic:ANY"/></afp:AttributeRule></afp:AttributeFilterPolicy>

3.RegistertheIdPintheBelnetFederation

Youneedtopostyourmetadataonourmetadataregistrationwebsitetoletusdeploythenewglobalmetadataincludingyours.

3.1.Uploadyourmetadata

- Openyourwebbrowserandopenfollowingwebsite:https://federation.belnet.be/re/md-mgmt/

- You’llbeautomaticallyredirectedtoourcustomersIdP;youshouldlogininusingthecredentials

you’vereceivedafterhavingregisteredyourinstitutionfortheFederationservice.- Inthemenu,select«uploadametadata»;- Eitherdoacopy-pasteofthecontentofyourmetadatafileorclickonthebutton«browse»to

selectthefileyouwanttoupload;- Clickthebutton«Load,checkandupdate».- Ifeverythingisvalidatedbyouronlinechecker,you’llarriveonthenextpage;otherwise,thesite

mentionsinredthetheerrorithadencountered;fixitandreproceedwiththeupload;youmayadjustitdirectlyinthetextboxonthesiteifyouwant;

- Onthelastscreen,clickthecheckbox«I’mauthorizedtouploadformyinsitution»andclicktheuploadbutton.Atthatmoment,thefilehasbeenrecordedandthefederationtechnicalteamhasreceivedanemailtowarnthatanewmetadatahasbeenreceived.AnengineerfromBelnetwillprocessthenewmetadata,adjustthefederationwhereitneedstobelocatedandrecreatethefederation’sglobalmetadata.Thisisnotanautomatictask,someonewillprocessyourrequestassoonaspossible.

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

16/22

4.StartyourIdP- first,makesureallthefilesunder$SHIB_INSTareownedbyTomcat:

chown–Rtomcat:tomcat$SHIB_INST

- StartMySQL,TomcatandApache:

servicemysqldstartservicetomcat7startserviceapache2start

Totestit,youmay:

- checkthestatusoftheIdPitselfbypointingyourwebbrowsertofollowingURL:https://idp.yourdomain/idp/statusIfyourIdPisrunning,youwillseeastatuspagewithsomeinformations(someinfosoveryoursystem,forhowlongyourIdPisup,etc.)Itisprobablyworthtodisablethiskindofpagewhengoinginproductionasitgivesyoualotofinformationoveryourhardwarearchitecture,kernelversion,javaversion,Shibbolethversion,etc.Alltheinformationmaybeusedbymalicioushackerstotrytoexploitorabuseyoursystem.Whatyoucoulddotoprotectyourserveris:

o edit$SHIB_INST/conf/idp.propertiesandsetupanaccesspolicyinfollowingentry:

idp.status.accessPolicy=AccessByIPAddress

o edit$SHIB_INST/conf/access-control.xmlanddefinethepolicyitself:

<util:mapid="shibboleth.AccessControlPolicies"> <entrykey="AccessByIPAddress"> <beanparent="shibboleth.IPRangeAccessControl" p:allowedRanges="#{{'127.0.0.1/32','::1/128','YOURNET/24'"/> </entry> </util:map>

andadapttoyourownpreferences.

- connecttoapeculiarSPwhereyoumayauthenticateusingyourIdP,forexampleourattributesreflectortestsite:https://sptest.belnet.be

ifyousucceedconnecting,yourIdPisreadytogo!

- ExaminecontentofthelogfilesofyourIdP:

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

17/22

Lookinto$SHIB_INST/logs/idp-process.logandcheckforerrorifany.Ofcourse,youwouldhaveenabledproperloggingin$SHIB_INST/conf/logback.xml.

5.AdvancedconfigurationShibbolethv3comeswithalotofnewfeaturesandimprovements.

5.1.DatabasesAmongthem,thereisnowtheabilitytostoresomeinformations(likeusersconsentstoreleaseattributesforpeculiarSP)inamorepersistentwayusingdatabases.Bydefault,storageisdoneusingwebcookiesonclientside(validtilltheendofthesessionandthendiscarded)orinserver’smemory(lostwhenserviceisrestarted).ThefollowingdescribeshowtoconfigureadatabasestorageusingJPA(JavaPersistenceAPI).Aspreviouslymentioned,weassumethatyouwillbeusingMySQLDBandTomcatJDBC(JavaDataBaseConnectivity).Tosetupthestorageservice,followthesesteps(someofthemwerealreadycoveredearlierinthisdocument):

- connectasroottoMySQLserver:mysql–uroot–p

- Createadatabaseincludingadefinedadminuser:

createdatabaseidp_db;createuser‘idp_admin’@’localhost’identifiedby‘IDP_ADMIN_PASSWORD’;grantallprivilegesonidp_db.*to‘idp_admin’@’localhost’;

youmaychangetheREDtermstowhateverfitsbestforyourownsetup.

- Createatable‘StorageRecords’:

CREATETABLE`StorageRecords`(`context`varchar(255)NOTNULL,`id`varchar(255)NOTNULL,`expires`bigint(20)DEFAULTNULL,`value`longtextNOTNULL,`version`bigint(20)NOTNULL,PRIMARYKEY(`context`,`id`));

- Addthefollowingbeansin$SHIB_INST/conf/global.xml:

o shibboleth.JPAStorageServiceo shibboleth.JPAStorageService.EntityManagerFactoryo shibboleth.JPAStorageService.JPAVendorAdapter

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

18/22

o shibboleth.JPAStorageService.DataSource

Hereareexamplesofallthebeansdefinitions:<beanid="shibboleth.JPAStorageService"class="org.opensaml.storage.impl.JPAStorageService"p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"c:factory-ref="shibboleth.JPAStorageService.entityManagerFactory"/><beanid="shibboleth.JPAStorageService.entityManagerFactory"class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"><propertyname="packagesToScan"value="org.opensaml.storage.impl"/><!--<propertyname="dataSource"ref="shibboleth.PostgreSQLDataSource"/>--><propertyname="dataSource"ref="shibboleth.JPAStorageService.DataSource"/><propertyname="jpaVendorAdapter"ref="shibboleth.JPAStorageService.JPAVendorAdapter"/><propertyname="jpaDialect"><beanclass="org.springframework.orm.jpa.vendor.HibernateJpaDialect"/></property></bean><beanid="shibboleth.JPAStorageService.JPAVendorAdapter"class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"><propertyname="database"value="MYSQL"/></bean><beanid="shibboleth.JPAStorageService.DataSource"class="org.apache.tomcat.jdbc.pool.DataSource"destroy-method="close"lazy-init="true"p:driverClassName="com.mysql.jdbc.Driver"p:url="jdbc:mysql://localhost:3306/idp_db?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"p:validationQuery="SELECT1;"p:username="idp_admin"p:password="IDP_ADMIN_PASSWORD"/>

Don’tforgettoinstalltheJavadriverforMySQL(ifnotdonealready):apt-getinstalllibmysql-java

- Editthe$SHIB_INST/conf/idp.propertiesfileandadjustfollowingparameterstousethe

shibboleth.JPAStorageService:

- idp.session.StorageService=shibboleth.JPAStorageService- idp.consent.StorageService=shibboleth.JPAStorageService- idp.replayCache.StorageService=shibboleth.JPAStorageService- idp.artifact.StorageService=shibboleth.JPAStorageService

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

19/22

5.2.Tweakingautomaticreloadtime

Thedefaultin$SHIB_INST/conf/services.propertiesfilemakesmostservicesreloadtheirconfigurationevery15minutes.Thisissufficientforaproductionserver.However,duringsetup,itcanbeeasiertolowerthetimetoseemorequicklythechanges;forexample,toreloadtheattributeresolverconfigurationmoreoftenwhenplayingwithmappingsyoucouldset:idp.service.attribute.resolver.checkInterval=PT5S

tohaveareloadevery5seconds…Havealookinthefiletotweakthesettings.

5.3.ConfiguringSingleLogoutShibbolethIdPsupportsaminimalistimplementationofSingleLogOut(SLO)sinceversion2.4.0,nothingmorehasbeenaddedinv3.

- itispossibletoterminatethesessionattheIdP,sonofurtherSPsessionscanbeestablished;- itispossibletoinitiatelogoutattheSPlevelwheretheuserhasasessionestablished.TheSPcan

sendanSLOmessagetotheIdPandterminatethesessionaswell.- buttheIdPwillnotpropagatetheSLOtoanyadditionalSP.- bydefault,theSLOmessagefromtheSPisasynchronousandtheflowendsattheIdPLogout

page.- theIdPlogoutpagedisplaysthelistofSPtheuserhasaccessedduringhisIdPsessionandinform

theuserthattheonlysecurewaytocloseallthesessionsistoclosehiswebbrowser.- asynchronouslogoutprocessbetweenIdPandSPisalsopossible,wheretheIdPsendsbacka

SLOtotheSPthatwillconfirmthatbothSPandIdPsessionshavebeenterminated.So,thebestwaytosafelyterminateasessionis,fortheuser,toclosehiswebbrowser…Butanyway,herearethestepsneededtosetupSLOonyourIdP:(1)

- Edit$SHIB_INST/conf/idp.propertiesandadjust/addfollowingstatements:idp.session.trackSPSessions=trueidp.session.secondaryServiceIndex=trueidp.logout.elaboration=true

- EnabletheJPAstoragefeaturetostoresessioninformation(ifusingmemorystorage,information

islostonservicerestartandifusingthedefaultcookiestorageonclientside,logoutfunctionalitydoesn’twork),soaddfollowingstatement:idp.session.StorageService=shibboleth.JPAStorageService IfnotenablingpreviousJPAservice,youshouldatleastenabletheinservermemorystoragetomakeSLOworking:idp.session.StorageService=shibboleth.StorageService

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

20/22

- AdjustthedurationforstoringtheSPsessionstomatchthedefaultonesoftheSP:idp.session.defaultSPlifetime=PT8Hidp.session.slop=P1D

(2)

- CustomizetheLogoutpage(seefurtherforthecustomizationofdisplayedpages).

(3)

- Registerfollowingend-pointsasSingleLogoutServiceinyourIdP’sMetadata(don’tforgettouploadittotheBelnet’sFederationMetadatamangerwebsite):

urn:oasis:names:tc:SAML:2.0:bindings:SOAP https://idp.yourdomain:8443/idp/profile/SAML2/SOAP/SLO

urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect https://idp.yourdomain/idp/profile/SAML2/Redirect/SLO

urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST https://idp.yourdomain/idp/profile/SAML2/POST/SLO

Adjustthenameofyourserveraccordinglytoyourownsetup.

5.4.SetuptheconsentmoduleAttentionhasbeenfocusedonprivacyandprotectionofthedeliveredattributesinShibbolethv3.Evenifitisnotsomethingobliged,we’vefoundthatitwasimportanttoactivatethisfunctionalityasmoreandmorepersonalattributesarestoredorexchangedonwebservices.TheserviceinShibbolethv3iscalledtheconsentmodule.WhenauserlogsinforthefirsttimeonaSP,theIdPwillaskhimifheagreestoreleasetheaskedlistofattributestotheSP.Theusermayormaynotauthorizeit.Itwillbestoredinadatabaseforacertaintime.Herearetheparameterstoeditin$SHIB_INST/conf/idp.properties:

- checkforvaluechanges:idp.consent.compareValue=true

- configureserversidestorageindatabase:

idp.consent.StorageService=shibboleth.JPAStorageService

- unlimitthenumberofstoredconsentrecords:

idp.consent.maxStoredRecords=-1

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

21/22

- followingmaybeletasisorchangeaccordingtoyourpreferences:

o idp.consent.storageRecordLifetime=P1Yo idp.consent.allowDoNotRemember=trueo idp.consent.allowGlobal=trueo idp.consent.allowPerAttribute=false

- youmaychangetheorderinwhichtheattributearerenderedonscreentotheuser;thisisdone

asapropertyin$SHIB_INST/conf/idp.properties:idp.consent.attributeOrder=commonName,displayName,…

YoumayfindmoreinformationsonShibboleth’sconsentmoduleonhttps://wiki.shibboleth.net/confluence/display/IDP30/ConsentConfiguration

5.5.DataSealerKeyRefreshingTheIdPusesencryptionbasedonAESalgorithmtoencryptclient-sidestorage(cookies)usingasecretkey.Thiskeyneedstobeperiodicallyrefreshed.TheIdPwillbeconfiguredtokeepanumberofpastkeys(defaultis30).Newinformationisencryptedwiththenewerkey.Anyolderinformationencryptedwitholderkeymaystillbedecryptedaslongasthekeyisstillretained.IfyouhaveconfiguredDataBasestorage,youmayskipthisstep;orherwiseforclient-sidecookiestorage,itisrecommendedtoproceedtokeyrenewal.Todoso,youmayaddacronjoblikefollowing:143***IDP_HOME=/opt/shibboleth-idpJAVA_HOME=/usr/opt/shibboleth-idp/bin/seckeygen.sh--versionfile/opt/shibboleth-idp/credentials/sealer.kver--storefile/opt/shibboleth-idp/credentials/sealer.jks--storepassCHANGEME--aliassecretAdjustREDwordwiththepasswordyouhavedefinedin$SHIB_INST/conf/credential.properties:idp.sealer.password=CHANGEME

5.6.CustomizationandBrandingInordertocustomizeyourIdPpage,youneedtoeditsomeconfigurationfilestoadaptittothelookandfeelofyourinstitutionincludingyourinstitution’sname,yourinstitution’slogo,etc.PreviousversionofShibbolethwerebasedonJSPfilescontainedinaWARfile.Whileitisstillavailable,Shibbolethv3reliesonanotherkindofconfigurationfile,andspecificallytoatemplatetoolcalledVelocity.(seehttps://velocity.apache.org/engine/releases/velocity-1.5/user-guide.htmlforreferences)OneoftheadvantageofVelocityisthatyoudon’thavetorebuildaWARfileeachtimeyoumodifysomethinginadynamicpage.

Insta l l a Shibbolethv3 IdPonUbuntuL inux (vers ion14.04LTS)

22/22

Thetemplatesfilesarelocatedin$SHIB_INST/views/.

Therearealotofmessagesthatcanconfiguredaswellin$SHIB_INST/messages/.TheonlyelementsthatstillneedtobeintheWARfilearetheimages,staticHTML,andCSS.AfteryouhavemodifiedimagesorCSS,don’tforgettoregeneratetheWARfilebyexecutingfollowingcommand:$SHIB_INST/bin/build.shservicetomcat7restart