IdP Basics & Installation. © 2010 SWITCH 2 Current Environment Network Java Tomcat LDAP –Create apacheDS run directory mkdir /var/run/apacheds/default.

Slides:



Advertisements
Similar presentations
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Advertisements

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Lesson 17: Configuring Security Policies
20-753: Fundamentals of Web Programming 1 Lecture 11: Web Server Case Study Fundamentals of Web Programming Lecture 11: Web Server Case Study.
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
DT211/3 Internet Application Development Web Servers.
Tomcat Configuration A Very, Very, Very Brief Overview.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
APACHE SERVER By Innovationframes.com »
Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.
Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Using Opal to deploy a real scientific application as a Web service Sriram Krishnan
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.
Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.
Belnet R&E Federation Workshop Shibboleth IdP Deployment Belnet – Mario Vandaele Brussels – 15 March 2012.
Back to content Final Presentation Mr. Phay Sok Thea, class “2B”, group 3, Networking Topic: Mail Client “Outlook Express” *At the end of the presentation.
SWITCHaai Team Introduction to Shibboleth.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Attribute Resolution. 2 © 2010 SWITCH Terms: Attribute A piece of information about a user. Each attribute has a unique ID and has zero of more values.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
9/15/2015© 2008 Raymond P. Jefferis IIILect Application Layer.
Tutorial 1 Getting Started with Adobe Dreamweaver CS3
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
Tomcat Spencer Uresk. Notes This is a training NOT a presentation Please ask questions This is being recorded
SchwartzGBIF Nodes III29 April 2003 DiGIR Portal Installation And Configuration.
CS441 CURRENT TOPICS IN PROGRAMMING LANGUAGES LECTURE 5_1 George Koutsogiannakis/ Summer
Implementing Network Access Protection
Integrating with UCSF’s Shibboleth system
Guidelines for Homework 6. Getting Started Homework 6 requires that you complete Homework 5. –All of HW5 must run on the GridFarm. –HW6 may run elsewhere.
System logging and monitoring
1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.
1 Apache and Virtual Sites and SSL Dorcas Muthoni.
ArcGIS Server and Portal for ArcGIS An Introduction to Security
Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Otomo End User SSO - TOI March 2014 Otomo 10.5 – End User SSO Support.
Shibboleth: Installation and Deployment Scott Cantor July 29, 2002 Scott Cantor July 29, 2002.
Shibboleth at the U of M Christopher A. Bongaarts code-people June 2, 2011.
SOAP Web Services Tim Carver MRC HGMP-RC Hinxton Cambridge, UK.
Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,
Shibboleth and IIS Integration Tips, Tricks, Alternatives
Ant & Jar Ant – Java-based build tool Jar – pkzip archive, that contains metadata (a manifest file) that the JRE understands.
Shibboleth: Installation and Deployment Scott Cantor July 29, 2002 Scott Cantor July 29, 2002.
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
J.P. Wellisch, CERN/EP/SFT SCRAM Information on SCRAM J.P. Wellisch, C. Williams, S. Ashby.
ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.
1 G52IWS: Example Web-services Chris Greenhalgh. 2 Contents Software requirements AXIS web service run-time components Getting started with Jetty & AXIS.
® IBM Software Group © 2006 IBM Corporation Rational Asset Manager v7.2 Using Scripting Tutorial for using command line and scripting using Ant Tasks Carlos.
Module 6: Administering Reporting Services. Overview Server Administration Performance and Reliability Monitoring Database Administration Security Administration.
Shibboleth Working Group, Fall 2010 Scott Cantor, OSU Chad LaJoie, Itumi, LLC.
SOAP, Web Service, WSDL Week 14 Web site:
Product Training Program
Training Objectives About D2F Download Installation Configuration
HMA Identity Management Status
LOCO Extract – Transform - Load
ETL Job Scheduler Job Database Server User Interface Scheduler
Lab 1 introduction, debrief
Identity Federations - Installation and operation
IIS.
What’s changed in the Shibboleth 1.2 Origin
Configuring Internet-related services
Introduction to JBoss application server
Shibboleth 2.0 IdP Training: Introduction
Presentation transcript:

IdP Basics & Installation

© 2010 SWITCH 2 Current Environment Network Java Tomcat LDAP –Create apacheDS run directory mkdir /var/run/apacheds/default –Change permission to world writeable chmod a+w /var/run/apacheds/default

© 2010 SWITCH 3 Terms: Entity ID A unique identifier for a identity provider (IdP) or service provider (SP) In shibboleth 2 the recommended format is a URL idp: sp:

© 2010 SWITCH 4 Terms: Relying Party The SAML peer to which the IdP is communicating. In all existing cases, the relying party of the IdP is always an SP. Some very advanced cases allow one IdP to be a relying party to another IdP.

© 2010 SWITCH 5 Terms: Binding A description of how a SAML message is attached to an underlying transport protocol, such as http or smtp. For example: If the message is sent over HTTP what HTTP headers need to be set, what are the URL or form parameter names, etc.

© 2010 SWITCH 6 Terms: Profile A description of how to use SAML, over a specific binding, to accomplish a specific task (e.g. Single Signon) in an interoperable manner. Profiles are the finest grained unit of interoperability within SAML.

© 2010 SWITCH 7 Terms: Metadata A description of the SAML features supported by a SAML entity. Most importantly this includes the URLs for communicating with an entity. Shibboleth also uses this information to build technical trust between entities.

© 2010 SWITCH 8 Installation 1.unzip /opt/installfest/distro/shibboleth-identityprovider-2.*-bin.zip 2.cd shibboleth-identityprovider-2.* 3.chmod +x install.sh 4../install.sh a.use /opt/shibboleth-idp as your shib home directory b.enter your hostname: idp#.example.org c.enter password for your password 5.cp -r endorsed /opt/tomcat/

© 2010 SWITCH 9 Tomcat Deployment 1.Create the file /opt/tomcat/conf/Catalina/localhost/idp.xml with the contents: 2.Start Tomcat with $ tomcatStart 3.Test your install

© 2010 SWITCH 10 SHIB_HOME /opt/shibboleth-idp should now contain: –bin –conf –credentials –lib –logs –metadata –war The Shibboleth documentation refers to this directory as SHIB_HOME

© 2010 SWITCH 11 SHIB_HOME/bin Contains command line tools aacli: Attribute authority command line interface allows you to simulate an attribute query/release version: Provides the version of the IdP

© 2010 SWITCH 12 SHIB_HOME/conf The IdP’s configuration files. We’ll cover most as we go through the course. We will not cover service.xml or internal.xml as these control advanced features.

© 2010 SWITCH 13 SHIB_HOME/credentials Credentials used by the IdP. By default the IdP’s generated key (idp.key), cert (idp.crt) and a keystore (idp.jks) containing both are put here. Good location to place things like trust anchor X.509 certs, cached CRLs, etc.

© 2010 SWITCH 14 SHIB_HOME/lib The libraries (jars) that make up the IdP. These are copies of those that occur in the IdP WAR file and are only used by the command line tools.

© 2010 SWITCH 15 SHIB_HOME/logs Location of the Shibboleth log files. process log: detailed description the IdP processing requests access log: record of all the clients that connect to the idP audit log: record of all information sent out from the IdP

© 2010 SWITCH 16 SHIB_HOME/metadata Default location where various metadata files are stored. The IdP does not automatically load any metadata. Metadata read from a file, or stored backup copies of remote metadata are usually put in this directory.

© 2010 SWITCH 17 SHIB_HOME/war The location of the IdP WAR file created by the installer. We point Tomcat to this file, instead of copying it to Tomcat, so that we don’t forget to copy new WARs if we rebuild the IdP (to add an extension, for example) or run into problems with Tomcat’s file caching mechanisms.

© 2010 SWITCH 18 Now some sleight of hand cp /opt/installfest/idps/idp#/idp.* /opt/shibboleth-idp/credentials cp /opt/installfest/sps/sp#/*.xml /opt/shibboleth-idp/metadata

© 2010 SWITCH 19 Logging: Configuration Logging configuration is controlled by the logging.xml config file Log messages belong in a hierarchal category; most correspond to Java package names Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR

© 2010 SWITCH 20 Logging: Configuration Look at the IdP process log. Note how the messages are all info messages. Edit logging.xml and the change the logging level for the logger edu.internet2.middleware.shibboleth to DEBUG Restart the IdP and look at the process log again. The IdP will pick up change to logging.xml every 5 minutes.

© 2010 SWITCH 21 Metadata: Goals Load metadata for local SPs from the filesystem Load metadata for the “class” SPs from a remote location

© 2010 SWITCH 22 Metadata: Configuration Metadata is loaded in to the IdP by metadata providers. Metadata providers are configured in the relying- party.xml file This file may only contain one top-level provider. By default the top level provider is a chaining provider that contains other metadata providers and uses them in the order defined.

© 2010 SWITCH 23 Metadata: Provider Config Metadata providers are configured using element Every metadata provider has a: –unique ID given by the id attribute –type given by the xsi:type attribute Each type of metadata provider has its own set of configuration options

© 2010 SWITCH 24 Metadata: Filesystem Provider The filesystem metadata provider reads a metadata file from the local filesystem. Type attribute value: –FilesystemMetadataProvider Configuration attribute: –metadataFile gives the path to the metadata file

© 2010 SWITCH 25 Metadata: Local Metadata In relying-party.xml add the following to the existing chaining metadata provider: <MetadataProvider id=”sp#" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata” metadataFile=”/opt/shibboleth-idp/metadata/sp#-metadata.xml” />

© 2010 SWITCH 26 Metadata: Local Metadata Define an additional metadata provider that loads metadata from: /opt/shibboleth-idp/metadata/altsp#-metadata.xml

© 2010 SWITCH 27 Metadata: File-backed HTTP Provider Loads metadata via HTTP and backs it up to a local file Type attribute value: –FileBackedHTTPMetadataProvider Configuration Attributes: –metadataURL : HTTP URL of metadata file –backingFile : location of the backup file In production metadata signatures should be required and validated.

© 2010 SWITCH 28 Metadata: Remote Metadata In the relying-party.xml add the following to the current chaining provider: <MetadataProvider id=“testsp1” xsi:type="FileBackedHTTPMetadataProvider” xmlns="urn:mace:shibboleth:2.0:metadata” metadataURL=“ backingFile=”/opt/shibboleth-idp/metadata/testsp1.xml”/>

© 2010 SWITCH 29 Metadata: Remote Metadata Define an additional metadata provider that loads metadata from and stores it to /opt/shibboleth-idp/metadata/testsp2.xml

© 2010 SWITCH 30 Metadata: Watchout The chaining metadata provider looks up relying party information in its children in the order they are defined. If two child providers load different metadata for the same entity only the first description will ever be used by the IdP. No attempt to merge the data is made.