Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Published byNaomi Austin Modified over 9 years ago

Similar presentations

Presentation on theme: "Shibboleth 2.0 IdP Training: Basics and Installation January, 2009."— Presentation transcript:

1 Shibboleth 2.0 IdP Training: Basics and Installation January, 2009

2 IdP Basics: Terms – SAML Security Access Markup Language XML-based standard for authentication and authorization data interchange Identity Provider – producer of assertions Service Provider – consumer of assertions Current Version: 2.0 Shibboleth 2.0 implements SAML 2.0

3 IdP Basics: Terms – Entity ID A unique URI for a Shibboleth Identity Provider (IdP) or Service Provider (SP) The recommended format is a URL https://idp.colostate.edu/idp/shibboleth InCommon Federation uses URNs: urn:mace:incommon:colostate.edu

4 IdP Basics: Terms – Relying Party The SAML peer to which the IdP is communicating with The peer in most cases for an IdP is an SP

5 IdP Basics: Terms – Profile A description of how to use SAML to accomplish a specific task Profiles define the interface for SAML peers

6 IdP Basics: Terms – Metadata A description of the SAML features supported by a SAML entity This includes the URLs for communicating with the entity Shibboleth also uses this information to build technical trust between entities

7 IdP Installation Prerequisites Three basic prerequisites for installation: Java Virtual Machine Java Servlet Container HTTP Listener You should be comfortable installing software on your platform

8 IdP Installation Prerequisites PrerequisiteWhat we’re using Java Virtual MachineSun Java SE 6 Java Servlet ContainerApache Tomcat 6 HTTP ListenerApache HTTPD 2.2 + mod_proxy_ajp

9 Apache Tomcat Shibboleth Prerequisites Set in TOMCAT_HOME/conf/server.xml Turn off Apache Tomcat authentication (optional) Set AJP listener to accept connections from localhost only

10 Lab: Shibboleth Installation Unzip the distribution archive Run an install script Answer questions Deploy a WAR file Restart Tomcat and verify the installation on port 8080

11 Shibboleth Home (SHIB_HOME) /opt/shibboleth-idp should contain The Shibboleth documentation refers to this directory as SHIB_HOME binlogs confmetadata credentialswar lib

12 SHIB_HOME/bin Contains command line tools aacli: attribute authority command line interface version: returns the IdP version

13 SHIB_HOME/conf Contains the IdP’s configuration files: We will cover most of these today attribute-filter.xmllogging.xml attribute-resolver.xmllogin.config handler.xmlrelying-party.xml internal.xmlservice.xml

14 SHIB_HOME/credenti als Credentials used by the IdP The installer creates these: idp.key (IdP key) idp.crt (certificate) idp.jks (keystore) You can use this directory to store Federation certificates

15 SHIB_HOME/lib Copies of libraries in the WAR file that make up the IdP Used by the command line tools

16 SHIB_HOME/logs Contains the IdP log files idp-process.log* idp-access.log idp-audit.log * Often referred to when troubleshooting

17 SHIB_HOME/metadat a Contains metadata files Files placed in this directory are not automatically loaded

18 SHIB_HOME/war Contains the IdP WAR file created by the installer Note that we configured Apache Tomcat to run the IdP directly from the WAR file

19 HTTP Listener Apache Tomcat has a built-in HTTP listener and can be used as a standalone Apache HTTPD is a web server often implemented as a HTTP listener for Tomcat Using both can offer flexibility And interface well with legacy components

20 Apache HTTPD and Tomcat Use mod_proxy_ajp Define VirtualHosts for the Shibboleth SAML profiles, which listen on ports 443 and optionally 8443 mod_proxy directive to connect to Tomcat Certificate settings Others as required (logging, etc.)

21 Lab: Apache HTTPD Configure Apache HTTPD as the HTTP listener for Apache Tomcat mod_proxy_ajp has already been installed Modify /etc/httpd/conf/httpd.conf Add the ProxyPass for /idp Restart Apache HTTPD

22 Logging Configured using the logging.xml file 5 Logging levels ERROR WARN INFO DEBUG TRACE

23 Lab: Logging Change the logging level of the edu.internet2.middleware.shibboleth logger and evaluate the difference in the logging messages

24 Metadata: General Describes SAML features supported by the IdP and SP Includes the URLs for communicating with the IdP and SP Certificates for IdPs and SPs to trust each other Federations will typically control and publish metadata

25 Metadata: Configuration Metadata can be stored and loaded locally (use SHIB_HOME/metadata) Metadata can also be loaded from a remote source We will discuss both configurations

26 Metadata: Configuration Metadata is loaded into the IdP by metadata providers Metadata providers are defined in the relying-party.xml file A single metadata “container” provider is defined where you will define within it your metadata providers

27 Metadata: Defining a Provider Metadata providers are defined using the element Every metadata provider must have a: Unique ID using the id attribute Type using the xsi:type attribute Each type of metadata provider has its own set of configuration attributes

28 Metadata: Filesystem Provider The Filesystem metadata provider loads a metadata file from the local filesystem. Use type definition: xsi:type="FilesystemMetadataP rovider" Configuration attribute metadataFile

29 Metadata: File-backed HTTP Provider Loads metadata via HTTP and backs it up to local file Type definition: xsi:type="FileBackedHTTPMetadataProvider" Configuration attributes: metadataURL backingFile

30 Lab: Metadata Providers Define a file-backed HTTP metadata provider

31 Multiple Metadata Providers The chaining metadata provider processes children metadata providers in the order they are defined If the same entity is defined in more than one metadata provider, only the first definition found will be used

32 Metadata Registration Metadata must be shared between relying parties Federations typically have a centralized registration process and systems Register certificates and profiles

33 Lab: Metadata Registration Register your IdP so it can interact with the SP/DS in the lab

34 References More information on IdP basics and installation can be found at: https://spaces.internet2.edu/display/SHIB2/Inst allation

Download ppt "Shibboleth 2.0 IdP Training: Basics and Installation January, 2009."

Similar presentations

Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
IdP Basics & Installation. © 2010 SWITCH 2 Current Environment Network Java Tomcat LDAP –Create apacheDS run directory mkdir /var/run/apacheds/default.

IdP Basics & Installation. © 2010 SWITCH 2 Current Environment Network Java Tomcat LDAP –Create apacheDS run directory mkdir /var/run/apacheds/default.
Implementing and Administering AD FS

Implementing and Administering AD FS
20-753: Fundamentals of Web Programming 1 Lecture 11: Web Server Case Study Fundamentals of Web Programming Lecture 11: Web Server Case Study.

20-753: Fundamentals of Web Programming 1 Lecture 11: Web Server Case Study Fundamentals of Web Programming Lecture 11: Web Server Case Study.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Scale Up Access to your 4GL Application using Web Services

Scale Up Access to your 4GL Application using Web Services
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.

Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
Tomcat Configuration A Very, Very, Very Brief Overview.

Tomcat Configuration A Very, Very, Very Brief Overview.
Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.

Slide 1 of 9 Presenting 24x7 Scheduler The art of computer automation Press PageDown key or click to advance.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Tomcat Celsina Bignoli History of Tomcat Tomcat is the result of the integration of two groups of developers. – JServ, an open source.

Tomcat Celsina Bignoli History of Tomcat Tomcat is the result of the integration of two groups of developers. – JServ, an open source.
Talend 5.4 Architecture Adam Pemble Talend Professional Services.

Talend 5.4 Architecture Adam Pemble Talend Professional Services.
Hyrax Installation and Customization Dan Holloway James Gallagher.

Hyrax Installation and Customization Dan Holloway James Gallagher.
Using Opal to deploy a real scientific application as a Web service Sriram Krishnan

Using Opal to deploy a real scientific application as a Web service Sriram Krishnan
Mobile Tech Architecture Overview Phil Sirigiano Technical Services 3/4/2015.

Mobile Tech Architecture Overview Phil Sirigiano Technical Services 3/4/2015.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Belnet R&E Federation Workshop Shibboleth IdP Deployment Belnet – Mario Vandaele Brussels – 15 March 2012.

Belnet R&E Federation Workshop Shibboleth IdP Deployment Belnet – Mario Vandaele Brussels – 15 March 2012.
Module 14: Configuring Print Resources and Printing Pools.

Module 14: Configuring Print Resources and Printing Pools.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.

Similar presentations

Ads by Google