Installing and Configuring the Shibboleth Identity Provider in Ubuntu.
What is the Shibboleth Identity Provider?
The Shibboleth Identity Provider (IdP) is responsible for authenticating users and releasing their attributes to a Service Provider (SP). It is operated by the home organization, i.e. the organization that maintains the user's account.
Let’s install and configure the Shibboleth IdP.
Prerequisites.
- Install Java
- Install Tomcat
sudo apt-get install tomcat8 tomcat8-admin
Add the following configuration to /etc/profile:
export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre
export CATALINA_HOME=/var/lib/tomcat8
Issue
source /etc/profile
or log off and on again for these variables to take effect.
Edit $CATALINA_HOME/conf/tomcat-users.xml and add the following between the <tomcat-users> tags to enable access to the Tomcat Manager web application (pick a strong password in place of "secret"):
<role rolename="manager-gui"/>
<user username="admin" password="secret" roles="manager-gui"/>
Raise the Tomcat memory limit (the -Xmx value in JAVA_OPTS) from 128m to 1500m in /etc/default/tomcat8.
Restart Tomcat
sudo service tomcat8 restart
To check whether Tomcat is running properly, open http://localhost/manager in your browser (replace localhost with your hostname).
You will see the Tomcat welcome page. Click the Manager webapp link.
Enter the username and password you added to tomcat-users.xml; here the username is "admin" and the password is "secret".
You will then be taken to the Web Application Manager page.
Installing and Configuring Shibboleth IdP
You need to download the Shibboleth IdP distribution. You can find the latest IdP version here.
To install the IdP, run the following from the unpacked distribution directory:
sudo -E bin/install.sh
The installer prompts for the installation source, installation folder, hostname, entity ID, attribute scope and some passwords. Here I use defaults.
Source (Distribution) Directory: /home/Downloads/shibboleth-identity-provider-3.4.6
Installation Directory: /opt/shibboleth-idp
Hostname: idp.shibboleth.com
SAML EntityID: https://idp.shibboleth.com/idp/shibboleth
Attribute Scope: localhost
Backchannel PKCS12 Password: your password
Re-enter password: your password
Cookie Encryption Key Password: your password
Re-enter password: your password
You will need the SAML EntityID when you install Shibboleth SP.
Change the owner of the installation to tomcat8:
sudo chown -R tomcat8 /opt/shibboleth-idp
Modify /opt/shibboleth-idp/conf/access-control.xml and add the networks that may reach the administrative pages, written in CIDR notation (address and prefix length),
e.g. {'10.0.0.0/24', '127.0.0.1/32'}
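The CIDR list above is easy to get subtly wrong (a missing prefix length, or host bits set in the network part, both change which clients are admitted). The following added example, which is not part of the original tutorial, validates such a list with Python's ipaddress module, renders it in the SpEL list syntax the IdP uses, and mirrors the allow/deny decision the IdP makes for a client address. It assumes the IdP 3.x layout where the AccessByIPAddress policy carries the ranges in a p:allowedRanges attribute; the XML snippet and addresses are constructed samples.

```python
"""Lint the CIDR ranges used by Shibboleth IdP conf/access-control.xml.

Added example, not from the original tutorial. Assumption: IdP 3.x keeps the
ranges in a SpEL list literal such as
    p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }"
on the AccessByIPAddress bean, and /idp/status is guarded by that policy.
"""
import ipaddress
import re

# Constructed sample input: the tutorial's two ranges, an IPv6 loopback, and
# a bare host address with no prefix length that should be rejected.
SAMPLE_RANGES = ["10.0.0.0/24", "127.0.0.1/32", "::1/128", "192.168.1.5"]

# Constructed sample of the attribute as it appears in access-control.xml.
SAMPLE_XML = """<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
    p:allowedRanges="#{ {'10.0.0.0/24', '127.0.0.1/32'} }" />"""

ALLOWED_RANGES_RE = re.compile(r'p:allowedRanges="#\{\s*\{([^}]*)\}\s*\}"')


def validate_ranges(ranges):
    """Return (valid_networks, rejected) for a list of CIDR strings.

    Every entry must carry an explicit prefix length, and strict=True rejects
    entries such as 10.0.0.5/24 whose host bits are set, so a typo cannot
    silently widen the range to the whole /24.
    """
    valid, rejected = [], []
    for entry in ranges:
        if "/" not in entry:
            rejected.append((entry, "no prefix length"))
            continue
        try:
            valid.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return valid, rejected


def render_allowed_ranges(networks):
    """Render validated networks as the SpEL list literal for p:allowedRanges."""
    inner = ", ".join(f"'{net.with_prefixlen}'" for net in networks)
    return "#{ {" + inner + "} }"


def extract_ranges(xml_text):
    """Pull the CIDR strings out of an access-control.xml p:allowedRanges attribute."""
    match = ALLOWED_RANGES_RE.search(xml_text)
    if not match:
        return []
    return re.findall(r"'([^']*)'", match.group(1))


def is_allowed(client_ip, networks):
    """Mirror the IP-range decision: the client must fall inside some range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


if __name__ == "__main__":
    valid, rejected = validate_ranges(SAMPLE_RANGES)
    for entry, reason in rejected:
        print(f"rejected {entry}: {reason}")
    print("p:allowedRanges=", render_allowed_ranges(valid))
    for ip in ("10.0.0.77", "10.0.1.1", "::1"):
        print(ip, "allowed" if is_allowed(ip, valid) else "denied")
    print("ranges found in sample XML:", extract_ranges(SAMPLE_XML))
```

Running the script on your own file (feed the contents of access-control.xml to extract_ranges and then validate_ranges) tells you before a restart whether the list parses and whether the address you will be browsing from is actually admitted; a 403 on /idp/status almost always means that address is outside every listed range.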
There are two ways to deploy the Shibboleth IdP on Tomcat.
Method 1
Open a text editor, create $CATALINA_HOME/conf/Catalina/localhost/idp.xml and add the following content to it:
<Context docBase="/opt/shibboleth-idp/war/idp.war"
privileged="true"
antiResourceLocking="false"
swallowOutput="true"/>
Method 2
In the "WAR file to deploy" section of the Tomcat Web Application Manager, browse to the IdP WAR file at /opt/shibboleth-idp/war/idp.war and deploy it.
The status page needs the JSTL library, which Tomcat does not ship. Download it into the IdP's edit-webapp directory and rebuild the WAR:
cd /opt/shibboleth-idp/edit-webapp/WEB-INF/lib
sudo curl -O https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar
sudo chown tomcat8 jstl-1.2.jar
cd /opt/shibboleth-idp
sudo -E bin/build.sh
Open http://localhost:8080/idp/status in your browser. You will see the status of the server.
Now you have successfully configured the Shibboleth Identity Provider.