Published by Charla Andrews. Modified over 9 years ago.
Belnet R&E Federation Workshop
Shibboleth IdP Deployment
Belnet – Mario Vandaele
Brussels – 15 March 2012
Login – Linux / MacOSX
Workshop Belnet R&E Federation, 15.03.2012
Start a terminal and log into your virtual machine, with # being your assigned group number:
  ssh student@idp#.ws.belnet.be
Insert password: 57ud3n7
Login – Windows
Login – Output
Login – sudo
The “student” account doesn’t have “root” privileges, so let’s temporarily enable them:
  sudo su -
Insert password: 57ud3n7
Shibboleth IdP installation
Extract the Shibboleth IdP archive in your local source directory and check the content of the Shibboleth directory:
  cd /home/student/workshop
  cp shibboleth-identityprovider-2.3.5-bin.zip /usr/local/src
  cd /usr/local/src
  unzip shibboleth-identityprovider-2.3.5-bin.zip
  cd /usr/local/src/shibboleth-identityprovider-2.3.5
  ls -l
Shibboleth IdP installation – Output
  …
  -rwxrwxrwx 1 root root 11357 2011-06-02 05:25 LICENSE.txt
  -rwxrwxrwx 1 root root   896 2011-06-02 05:25 install.bat
  -rwxr-xr-x 1 root root  2511 2011-06-08 10:52 install.sh
  -rwxrwxrwx 1 root root   458 2011-06-08 10:52 cpappend.bat
  drwxrwxrwx 2 root root  4096 2011-06-19 17:35 doc
  drwxrwxrwx 5 root root  4096 2011-11-09 06:36 src
  drwxrwxrwx 2 root root  4096 2011-11-09 06:36 lib
  drwxrwxrwx 2 root root  4096 2011-11-09 06:36 endorsed
  …
Shibboleth IdP installation
Some extra Java classes, bundled into jar files and required by Shibboleth, must be endorsed by our Java servlet engine (Tomcat). Copy them and check the content of the new directory:
  mkdir /usr/share/tomcat6/endorsed/
  cp ./endorsed/*.jar /usr/share/tomcat6/endorsed/
  ls -l /usr/share/tomcat6/endorsed
Shibboleth IdP installation – Output
  …
  -r--r--r-- 1 root root 3176148 2012-03-01 15:31 xalan-2.7.1.jar
  -r--r--r-- 1 root root  278286 2012-03-01 15:31 serializer-2.10.0.jar
  -r--r--r-- 1 root root   84091 2012-03-01 15:31 xml-resolver-1.2.jar
  -r--r--r-- 1 root root  220536 2012-03-01 15:31 xml-apis-2.10.0.jar
  -r--r--r-- 1 root root 1363159 2012-03-01 15:31 xercesImpl-2.10.0.jar
  …
Shibboleth IdP installation
(Optional) Pre-build preparation: check the Java environment
  update-alternatives --config java
Output:
  Selection    Path                                        Priority   Status
  ------------------------------------------------------------------------
  0            /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061       auto mode
  1            /opt/java/64/jre1.6.0_31/bin/java           1          manual mode
  2            /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061       manual mode
  3            /usr/lib/jvm/java-6-sun/jre/bin/java        63         manual mode
Shibboleth IdP installation
(Optional) Pre-build preparation: set & check JAVA_HOME
  export JAVA_HOME=/usr/lib/jvm/java-6-sun/jre
  echo $JAVA_HOME
Output:
  /usr/lib/jvm/java-6-sun/jre
Pre-build preparation: set & check IDP_HOME and IDP_SRC
  export IDP_HOME=/opt/shibboleth-idp
  echo $IDP_HOME
Output:
  /opt/shibboleth-idp
  export IDP_SRC=/usr/local/src/shibboleth-identityprovider-2.3.5
Shibboleth IdP installation
(Optional) Set IdPCertLifetime for the self-signed server certificate
– If you want to overrule the default lifetime of 20 years for the self-signed certificate, you must set the environment variable IdPCertLifetime to a value of your choice before running the installer:
    export IdPCertLifetime=3
– This server certificate is NOT the same as the CA-issued (TERENA) server certificate for HTTPS, so don’t use this one in your web server configuration (Apache)
Shibboleth IdP installation
Build the Shibboleth IdP web application and provide input when requested by the script:
– Installation directory = /opt/shibboleth-idp
– FQDN = idp#.ws.belnet.be (with # being your assigned group number)
– Keystore password = 57ud3n7
  cd $IDP_SRC
  ./install.sh
Shibboleth IdP installation – Output (1/3)
  Buildfile: src/installer/resources/build.xml

  install:
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

  What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
  idp#.ws.belnet.be
Shibboleth IdP installation – Output (2/3)
  A keystore is about to be generated for you. Please enter a password that will be used to protect it.
  57ud3n7
  Updating property file: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/resources/install.properties
  Created dir: /opt/shibboleth-idp
  Created dir: /opt/shibboleth-idp/bin
  Created dir: /opt/shibboleth-idp/conf
  Created dir: /opt/shibboleth-idp/credentials
  Created dir: /opt/shibboleth-idp/lib
  Created dir: /opt/shibboleth-idp/lib/endorsed
  Created dir: /opt/shibboleth-idp/logs
  Created dir: /opt/shibboleth-idp/metadata
  Created dir: /opt/shibboleth-idp/war
  Generating signing and encryption key, certificate, and keystore.
Shibboleth IdP installation – Output (3/3)
  Copying 5 files to /opt/shibboleth-idp/bin
  Copying 8 files to /opt/shibboleth-idp/conf
  Copying 1 file to /opt/shibboleth-idp/metadata
  Copying 51 files to /opt/shibboleth-idp/lib
  Copying 5 files to /opt/shibboleth-idp/lib/endorsed
  Copying 1 file to /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer
  Building war: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/idp.war
  Copying 1 file to /opt/shibboleth-idp/war
  Deleting: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/web.xml
  Deleting: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/idp.war

  BUILD SUCCESSFUL
Shibboleth IdP installation
Check the content of IDP_HOME:
  ls -l $IDP_HOME
Output:
  drwxr-xr-x 2 root root 4096 2012-03-02 13:42 bin
  drwxr-xr-x 2 root root 4096 2012-03-02 13:42 conf
  drwxr-xr-x 2 root root 4096 2012-03-02 13:42 credentials
  drwxr-xr-x 3 root root 4096 2012-03-02 13:42 lib
  drwxr-xr-x 2 root root 4096 2012-03-02 13:42 logs
  drwxr-xr-x 2 root root 4096 2012-03-02 13:42 metadata
  drwxr-xr-x 2 root root 4096 2012-03-02 13:42 war
Shibboleth IdP installation
IDP_HOME/bin: command line tools
– aacli.sh: attribute authority CLI to simulate attribute resolving and filtering
– version.sh: provides the version of the Shibboleth IdP
  ls -l $IDP_HOME/bin
Output:
  -rw-r--r-- 1 root root 1045 2011-06-08 10:52 aacli.bat
  -rwxr-xr-x 1 root root 1118 2011-06-08 10:52 aacli.sh
  -rw-r--r-- 1 root root  445 2011-06-08 10:52 cpappend.bat
  -rw-r--r-- 1 root root  895 2011-06-08 10:52 version.bat
  -rwxr-xr-x 1 root root 1043 2011-06-08 10:52 version.sh
Shibboleth IdP installation
IDP_HOME/conf: configuration files
  ls -l $IDP_HOME/conf
Output:
  -rw-r--r-- 1 root root  3468 2011-10-09 07:34 attribute-filter.xml
  -rw-r--r-- 1 root root 22171 2011-10-09 07:38 attribute-resolver.xml
  -rw-r--r-- 1 root root  6442 2011-10-09 07:41 handler.xml
  -rw-r--r-- 1 root root 12069 2011-10-09 07:41 internal.xml
  -rw-r--r-- 1 root root  3108 2011-06-08 10:52 logging.xml
  -rw-r--r-- 1 root root  1631 2011-07-11 14:13 login.config
  -rw-r--r-- 1 root root 14134 2011-10-09 07:37 relying-party.xml
  -rw-r--r-- 1 root root  3892 2011-10-09 07:44 service.xml
Shibboleth IdP installation
IDP_HOME/credentials: private key, public certificate and keystore
– The private key (idp.key) is used for signing SAML messages
– The public certificate (idp.crt) is published via the metadata and can be used by an SP to encrypt SAML messages sent to the IdP
– These are different from the credentials used for HTTPS: the Apache configuration uses CA-issued server certificates
  ls -l $IDP_HOME/credentials
Output:
  -rw-r--r-- 1 root root 1200 2012-03-02 13:42 idp.crt
  -rw-r--r-- 1 root root 2214 2012-03-02 13:42 idp.jks
  -rw-r--r-- 1 root root 1679 2012-03-02 13:42 idp.key
Shibboleth IdP installation
IDP_HOME/credentials: private key, public certificate and keystore
– For this workshop we have generated self-signed credentials which are already present in the federation metadata:
  cp /home/student/workshop/idp.key $IDP_HOME/credentials/
  cp /home/student/workshop/idp.crt $IDP_HOME/credentials/
Shibboleth IdP installation
IDP_HOME/lib
– Contains all Java libraries (jar files) which make up the IdP
– These files are copies of those present in the war file
– Only used by the command line tools
– Java libraries < JAR < WAR < EAR
  ls -l $IDP_HOME/lib
Output:
  -rw-r--r-- 1 root root  62983 2011-07-18 06:11 activation-1.1.jar
  …
  -rw-r--r-- 1 root root 623568 2011-10-23 16:36 xmltooling-1.3.3.jar
Shibboleth IdP installation
IDP_HOME/logs
– To be configured in logging.xml
– Process log: detailed description of the IdP processing requests
– Access log: record of all clients which connect to the IdP
– Audit log: record of all information sent out by the IdP
– Soon audit logging will be available on the SP side as well
  ls -l $IDP_HOME/logs
Output:
  …
Shibboleth IdP installation
IDP_HOME/metadata
– Default location where local metadata and backups of remote metadata files are stored
– The IdP does not automatically load any metadata: the IdP must be explicitly told where to look for metadata (in relying-party.xml)
  ls -l $IDP_HOME/metadata
Output:
  -rw-r--r-- 1 root root 5499 2011-06-08 10:52 idp-metadata.xml
Shibboleth IdP installation
IDP_HOME/war
– The actual file used by Tomcat to deploy the IdP web application
– Tomcat must be told where to find the war file
  ls -l $IDP_HOME/war
Output:
  -rw-r--r-- 1 root root 16613597 2012-03-02 13:42 idp.war
Shibboleth IdP installation
Context descriptor for the IdP in Tomcat
– Create the file /etc/tomcat6/Catalina/localhost/idp.xml, where idp will be the path:
    <Context docBase="/opt/shibboleth-idp/war/idp.war"
             privileged="true"
             antiResourceLocking="false"
             antiJARLocking="false"
             unpackWAR="false"
             swallowOutput="true" />
– Workshop specific:
    cd /home/student/workshop/
    cp catalina-idp.xml /etc/tomcat6/Catalina/localhost/idp.xml
    cp idp-workshop.war /opt/shibboleth-idp/war/idp.war
Tomcat Configuration
Define the communication ports between Tomcat and Apache
– Configure /etc/tomcat6/server.xml
– Comment out the connector on port 8080
  vim /etc/tomcat6/server.xml
  …
  …
Tomcat Configuration
Restart Tomcat and check the listening ports:
  /etc/init.d/tomcat6 restart
   * Stopping Tomcat servlet engine tomcat6   [ OK ]
   * Starting Tomcat servlet engine tomcat6   [ OK ]
  netstat -nl
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
  tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
  tcp6       0      0 :::22                   :::*                    LISTEN
  tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
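To make the listening-port check on this slide repeatable, here is an added example (not part of the workshop material) that classifies the listeners in netstat -nl output: Apache's 80/443/8443 should be bound on all interfaces, Tomcat's AJP connector 8009 and shutdown port 8005 on loopback only, and the 8080 HTTP connector commented out on the previous slide should no longer appear. Run against the output shown above (embedded as a constructed sample) it reports that 8080 is still listening. The function names are assumptions; only POSIX sh and awk are used.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `netstat -nl` output and verify
# the split the workshop expects between Apache (public) and Tomcat (loopback).

# Constructed sample, shaped like the netstat output on the slide.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN'

# Print "<port> <scope>" for every TCP listener; scope is "loopback" or "all".
listeners() {  # listeners "<netstat -nl output>"
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "all"
        print port, scope
    }'
}

# Return 0 if port $2 is bound to loopback only, 1 if it is exposed on all
# interfaces, 2 if nothing listens on it.
port_scope() {  # port_scope "<netstat output>" <port>
    scope=$(listeners "$1" | awk -v p="$2" '$1 == p { print $2; exit }')
    case "$scope" in
        loopback) return 0 ;;
        all)      return 1 ;;
        *)        return 2 ;;
    esac
}

# Apply the workshop's expectations; print one line per finding, return 1 if any.
check_idp_ports() {  # check_idp_ports "<netstat output>"
    out="$1"; rc=0
    port_scope "$out" 8009 || { echo "AJP connector 8009 is not loopback-only"; rc=1; }
    port_scope "$out" 8005 || { echo "Tomcat shutdown port 8005 is not loopback-only"; rc=1; }
    s=0; port_scope "$out" 8080 || s=$?
    [ "$s" -eq 2 ] || { echo "Tomcat HTTP connector 8080 is still listening"; rc=1; }
    for p in 443 8443; do
        s=0; port_scope "$out" "$p" || s=$?
        [ "$s" -eq 1 ] || { echo "Apache port $p is not listening on all interfaces"; rc=1; }
    done
    return "$rc"
}

# On a live host: check_idp_ports "$(netstat -nl)"
check_idp_ports "$SAMPLE_NETSTAT"
```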
CA-issued Server Certificate
Request a server certificate: https://dcs.belnet.be
– Workshop specific: the chain file comodo-chain.pem is already present in /etc/ssl/certs/; don’t forget to download and install this chain certificate when requesting your IdP server certificate for your own environment
  cd /home/student/workshop
  cp idp#.ws.belnet.be.key /etc/ssl/private/
  cp idp#.ws.belnet.be.pem /etc/ssl/certs/
Apache configuration
Create a specific configuration file for the IdP
– Create the file /etc/apache2/sites-available/idp
– Workshop specific:
    cd /home/student/workshop
    cp apache-your-idp-site-config /etc/apache2/sites-available/idp
    vim /etc/apache2/sites-available/idp
– Replace [#] with your assigned group number: press [ESC], then type
    :%s/\[#\]/your number/g
Apache configuration
Two important sections in the configuration file:
– Virtual host listening on port 443:
    TERENA SSL certificate
    AJP connector to Tomcat
– Virtual host listening on port 8443:
    Self-signed certificate
    SSL client authentication to identify SPs (based on trust in metadata)
    AJP connector to Tomcat
Apache configuration
Enable the IdP configuration file, mod_ssl and mod_proxy_ajp:
  a2ensite idp
  a2enmod ssl
  a2enmod proxy_ajp
Apache configuration
Check & restart Apache:
  apache2ctl -t
  Syntax OK
  apache2ctl -k restart
  netstat -nl
Shibboleth IdP Configuration
Set IdP directory & file permissions:
  chown tomcat6 $IDP_HOME/metadata
  chown tomcat6 $IDP_HOME/logs
  chown -R tomcat6 $IDP_HOME/credentials
  chmod 750 $IDP_HOME/credentials
  cd $IDP_HOME/credentials
  chmod 440 idp.key
  chmod 644 idp.crt
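An added check (not part of the workshop) that verifies the permissions set above and, going one step further than the slide, flags any other world-readable file in the credentials directory, since the keystore idp.jks holds the same private key as idp.key. The function names and the test layout are assumptions; only POSIX find is used, so it runs on any Unix.

```shell
#!/bin/sh
# Added example: audit IDP_HOME/credentials against the layout the workshop
# sets (dir 750, idp.key 440, idp.crt 644, all owned by the Tomcat user).

# True when <path> has exactly <octal mode> and is owned by <owner>.
# -prune stops find from descending when <path> is a directory.
perm_ok() {  # perm_ok <path> <octal mode> <owner>
    [ -n "$(find "$1" -prune -perm "$2" -user "$3" -print 2>/dev/null)" ]
}

# Print world-readable files other than public certificates (*.crt, *.pem).
world_readable_secrets() {  # world_readable_secrets <credentials dir>
    find "$1" -type f -perm -004 ! -name '*.crt' ! -name '*.pem' -print
}

# Return 0 when everything matches, 1 otherwise, printing one line per finding.
# Live usage: audit_idp_credentials /opt/shibboleth-idp/credentials tomcat6
audit_idp_credentials() {  # audit_idp_credentials <credentials dir> <service user>
    dir="$1"; owner="$2"; rc=0
    perm_ok "$dir" 750 "$owner" || { echo "$dir: expected mode 750, owner $owner"; rc=1; }
    perm_ok "$dir/idp.key" 440 "$owner" || { echo "$dir/idp.key: expected mode 440, owner $owner"; rc=1; }
    perm_ok "$dir/idp.crt" 644 "$owner" || { echo "$dir/idp.crt: expected mode 644, owner $owner"; rc=1; }
    leaks=$(world_readable_secrets "$dir")
    [ -z "$leaks" ] || { echo "$leaks" | sed 's/$/: world-readable/'; rc=1; }
    return "$rc"
}
```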
Shibboleth IdP Configuration
Download the R&E Test Federation certificate
– The Test Federation metadata is signed with this certificate, so your IdP can check its authenticity during download
– Workshop specific: certificate.federation.belnet.be.pem is already present in /etc/ssl/certs/
– Don’t forget to also put the TERENA chain file in /etc/ssl/certs/
  cd $IDP_HOME/credentials
  wget https://federation.belnet.be/certificate.federation.belnet.be.pem
Shibboleth IdP Configuration
Create the IdP metadata file
– The IdP must be made aware of its own identity
– Workshop specific: fill in your organization information, which is required for the Belnet R&E Federation
  ls -l $IDP_HOME/metadata
  cp /home/student/workshop/idp-metadata.xml $IDP_HOME/metadata/idp-metadata.xml
  vim $IDP_HOME/metadata/idp-metadata.xml
Shibboleth IdP Configuration
Configure the Relying Party elements
  vim $IDP_HOME/conf/relying-party.xml
IdP’s own metadata configuration – no changes required:
  <metadata:MetadataResource xsi:type="resource:FilesystemResource"
      xmlns="urn:mace:shibboleth:2.0:metadata"
      file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
Shibboleth IdP Configuration
Security configuration for the IdP – no changes required:
  /opt/shibboleth-idp/credentials/idp.key
  /opt/shibboleth-idp/credentials/idp.crt
Shibboleth IdP Configuration
Metadata configuration – Test Federation:
  <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
      metadataURL="https://federation.belnet.be/testfederation-metadata.xml"
      backingFile="/opt/shibboleth-idp/metadata/testfederation-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P10D" />
    <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
        trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
    samlmd:SPSSODescriptor
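An added pre-flight check (not part of the workshop) that applies the two filters above to a downloaded metadata file before the IdP loads it: RequiredValidUntil with maxValidityInterval P10D (validUntil must be present, in the future and at most 10 days ahead) and requireSignedMetadata (a ds:Signature element must be present). It only tests that the signature element exists; cryptographic verification against the federation certificate is the trust engine's job. The sample metadata is constructed, the function names are assumptions, and GNU date is assumed for timestamp parsing.

```shell
#!/bin/sh
# Added example: mirror the IdP's RequiredValidUntil and requireSignedMetadata
# filters on a metadata file from the command line. Assumes GNU date.

# validUntil of the root element as a Unix timestamp; fails if it is missing.
metadata_valid_until() {  # metadata_valid_until <metadata file>
    v=$(grep -o 'validUntil="[^"]*"' "$1" | head -n 1 | cut -d'"' -f2)
    [ -n "$v" ] && date -u -d "$v" +%s
}

# Return 0 when the file passes; 1 when validUntil is missing or already past;
# 2 when validUntil lies more than <max_days> ahead (RequiredValidUntil with
# maxValidityInterval would reject it); 3 when no XML signature element exists.
check_metadata() {  # check_metadata <metadata file> <max_days> [now_epoch]
    f="$1"; max_days="$2"; now="${3:-$(date -u +%s)}"
    vu=$(metadata_valid_until "$f") || return 1
    [ "$vu" -gt "$now" ] || return 1
    [ $(( vu - now )) -le $(( max_days * 86400 )) ] || return 2
    grep -Eq '<(ds:)?Signature[ >]' "$f" || return 3
    return 0
}

# Write a constructed EntitiesDescriptor with the given validUntil, signed or
# not, so the checks can be exercised offline.
write_sample_metadata() {  # write_sample_metadata <out file> <validUntil> <signed: yes|no>
    sig=''
    [ "$3" = yes ] && sig='<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><!-- constructed placeholder, not a real signature --></ds:Signature>'
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:constructed-test-federation" validUntil="$2">
  $sig
  <EntityDescriptor entityID="https://sptest.ws.belnet.be/shibboleth-sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
EOF
}
```

Against a real download: check_metadata /opt/shibboleth-idp/metadata/testfederation-metadata.xml 10 and inspect the exit code.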
Shibboleth IdP Configuration
Security configuration – Test Federation
– Uncomment this trust engine
– Location of the Test Federation certificate used by the IdP to validate the Test Federation metadata during download:
    /opt/shibboleth-idp/credentials/certificate.federation.belnet.be.pem
Shibboleth IdP Configuration
Set the log level to DEBUG
– Replace INFO, ERROR, WARN by DEBUG
  vim $IDP_HOME/conf/logging.xml
User Authentication
Define which user authentication mechanism will be used
– Define the username and password mechanism in IDP_HOME/conf/handler.xml
– Uncomment the “UsernamePassword” login handler and comment out the “RemoteUser” login handler:
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
        jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
      <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
User Authentication
Report the correct authentication method with SSO
– Add reportPreviousSessionAuthnMethod="true" to the PreviousSession login handler
– The previous session's authentication method is then reported whenever SSO is used:
    <!-- Removal of this login handler will disable SSO support, that is it will require the user to authenticate on every request. -->
    <ph:LoginHandler xsi:type="ph:PreviousSession" reportPreviousSessionAuthnMethod="true">
      <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
    </ph:LoginHandler>
User Authentication
Define JAAS LDAP authentication
– Configure JAAS in IDP_HOME/conf/login.config
– Edit the LDAP section and remove the comments
– See the Shibboleth wiki
  vim $IDP_HOME/conf/login.config
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
       ldapUrl="ldap://ldap.ws.belnet.be:389"
       baseDn="dc=belnet,dc=be"
       bindDn="cn=idp,dc=belnet,dc=be"
       bindCredential="workshop"
       ssl="false"
       userFilter="uid={0}"
       subtreeSearch="true";
Attribute Resolving
Define how the IdP will search for user attributes
– Configure LDAP access in the “Data Connector” section of IDP_HOME/conf/attribute-resolver.xml:
    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldap.ws.belnet.be"
        baseDN="dc=belnet,dc=be"
        principal="cn=idp,dc=belnet,dc=be"
        principalCredential="workshop"
        searchScope="SUBTREE">
      <FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
      </FilterTemplate>
    </resolver:DataConnector>
– Workshop specific:
    cp /home/student/workshop/attribute-resolver.xml $IDP_HOME/conf/
Basic Attributes Configuration
Mapping of SAML attributes to LDAP attributes
– Configure in the “Attribute Definitions” section of IDP_HOME/conf/attribute-resolver.xml
– Warning! The Belnet R&E Federation requires the eduPerson schema extension
– Platform specific instructions: https://spaces.internet2.edu/display/macedir/LDIFs
Basic Attribute Filter Policy Configuration
Release all known attributes to all SPs (1/2)
– Add content to IDP_HOME/conf/attribute-filter.xml
Basic Attribute Filter Policy Configuration
Release all known attributes to all SPs (2/2)
Test IdP Attributes
Test the resolver:
  cd $IDP_HOME/bin
  ./aacli.sh --configDir $IDP_HOME/conf/ --principal 'student#@ws.belnet.be'
Test the resolver & filter:
  cd $IDP_HOME/bin
  ./aacli.sh --configDir $IDP_HOME/conf/ --principal 'student#@ws.belnet.be' --requester 'https://sptest.ws.belnet.be/shibboleth-sp'
Registration of IdP metadata
Get your IdP metadata:
– https://idp#.ws.belnet.be/profile/Metadata/SAML
Surf to the Belnet R&E Federation management:
– https://federation.belnet.be
– Login with username student & password workshop
– Submit the IdP metadata
– Wait till the Admin has accepted & reloaded the metadata
Restart Tomcat:
  /etc/init.d/tomcat6 restart
   * Stopping Tomcat servlet engine tomcat6   [ OK ]
   * Starting Tomcat servlet engine tomcat6   [ OK ]