Installing and Configuring the Shibboleth Service Provider in Ubuntu.
What is the Shibboleth Service Provider?
The Shibboleth service provider is responsible for protecting an online resource and consuming information from the Identity Provider (IdP). It is located at the resource organization.
Prerequisites.
- The Apache web server should be correctly installed. If not, you can install or update it using the following commands.
sudo apt install apache2
sudo apt-get update
Restart the Apache server.
sudo systemctl restart apache2
Browse to http://localhost and check that it loads the Apache2 Ubuntu Default Page.
If you want to configure apache2 with SSL, you can do it as follows.
Enable the SSL module using the following command.
sudo a2enmod ssl
Enable the SSL virtual host.
sudo a2ensite default-ssl.conf
Create a self-signed certificate (SSL).
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Use the relevant parameters when creating the certificate.
When you are asked for the Common Name you need to provide the domain name. In my case it is idp.shibboleth.com.
Country Name (2 letter code) [AU]:your country code
State or Province Name (full name) [Some-State]:your state
Locality Name (eg, city) []:your city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:your organization unit
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com
Installing and Configuring Shibboleth SP
Install the Shibboleth Service Provider Apache module.
sudo apt-get install libapache2-mod-shib2
sudo a2enmod auth_basic
sudo a2enmod shib2
Sometimes you might be asked to install some other packages while installing libapache2-mod-shib2. Install them as well.
sudo shib-keygen -h localhost
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/shibboleth/sp-key.pem -out /etc/shibboleth/sp-cert.pem
Open the service provider configuration file.
sudo nano /etc/shibboleth/shibboleth2.xml
Make the following changes to it.
- In the <ApplicationDefaults> tag, provide an entityID. In my case I added it as https://idp.shibboleth.com/sp/shibboleth.
- In the <Sessions> tag, change handlerSSL to true and cookieProps to https.
- In the <SSO> tag, change the entityID value to the same value as your IdP's entityID. (You provide this when you install the Shibboleth IdP. If you haven't installed the Shibboleth IdP yet, you have to install it.) I used https://idp.shibboleth.com/idp/shibboleth as the entityID of my IdP.
- In the Status reporting service <Handler> tag, add your IP address to the acl value. My IP address is "10.100.5.245/24", so in the XML file add acl="10.100.5.245/24 127.0.1.1 ::1".
- In the <Errors> tag, change the supportContact to something sensible.
- Include the <MetadataProvider> as <MetadataProvider type="XML" file="idp-metadata.xml"/>.
Save the shibboleth2.xml file.
You can find my shibboleth2.xml file here.
Copy the IDP metadata file to the /etc/shibboleth directory.
sudo cp /opt/shibboleth-idp/metadata/idp-metadata.xml /etc/shibboleth/
Now restart the Shibboleth SP.
sudo service shibd restart
You can check whether the Shibboleth SP has been installed and configured correctly by pointing the web browser to
https://idp.shibboleth.com/Shibboleth.sso/Status
If any error occurs you can check the error log.
sudo cat /var/log/shibboleth/shibd.log
With this, the Shibboleth SP is configured for the Shibboleth IdP. We can confirm it by pointing the web browser to
https://localhost/Shibboleth.sso/Login
It will load an error, but if the following error page appears then the configuration is correct.
When I was configuring the Shibboleth SP, the above page did not appear, so I had to change
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.shibboleth.com/idp/profile/SAML2/Redirect/SSO"/>
into
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.shibboleth.com:8080/idp/profile/SAML2/Redirect/SSO"/>
in the idp-metadata file in the following places
/opt/shibboleth-idp/metadata/idp-metadata.xml
/etc/shibboleth/
where the IdP can be accessed without SSL.
Then the above page appeared.
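As an added check (not part of the original walkthrough and not Shibboleth's own tooling), the script below parses constructed copies of shibboleth2.xml and idp-metadata.xml and verifies the settings edited above: handlerSSL and cookieProps, the SSO entityID against the IdP metadata, the Status handler acl, and whether the IdP's HTTP-Redirect endpoint (the one switched to http://...:8080 in the last step) is served over TLS. The sample documents, the supportContact address and the choice of the SP 2.x configuration namespace are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SP_CONF_NS = "urn:mace:shibboleth:2.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: a trimmed shibboleth2.xml carrying the edits from the walkthrough.
SHIBBOLETH2_XML = f"""<SPConfig xmlns="{SP_CONF_NS}">
  <ApplicationDefaults entityID="https://idp.shibboleth.com/sp/shibboleth">
    <Sessions handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.shibboleth.com/idp/shibboleth">SAML2</SSO>
      <Handler type="Status" Location="/Status" acl="10.100.5.245/24 127.0.1.1 ::1"/>
    </Sessions>
    <Errors supportContact="sp-admin@example.org"/>
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: the IdP metadata fragment the SP consumes, after the http:8080 change.
IDP_METADATA_XML = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.shibboleth.com/idp/shibboleth">
  <IDPSSODescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
      Location="http://idp.shibboleth.com:8080/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_sp_config(sp_xml: str, idp_md_xml: str) -> list[str]:
    """Return findings for the settings the walkthrough edits; an empty list means all passed."""
    sp, md = ET.fromstring(sp_xml), ET.fromstring(idp_md_xml)
    ns = {"c": SP_CONF_NS, "md": MD_NS}
    findings = []
    sessions = sp.find(".//c:Sessions", ns)
    if sessions is None or sessions.get("handlerSSL") != "true":
        findings.append("handlerSSL is not true: SP handlers answer over plain HTTP")
    if sessions is None or sessions.get("cookieProps") != "https":
        findings.append("cookieProps is not https: session cookie is not marked Secure")
    sso = sp.find(".//c:SSO", ns)
    if sso is None or sso.get("entityID") != md.get("entityID"):
        findings.append("SSO entityID does not match the entityID in idp-metadata.xml")
    status = sp.find(".//c:Handler[@type='Status']", ns)
    if status is not None and {"0.0.0.0/0", "::/0"} & set(status.get("acl", "").split()):
        findings.append("Status handler acl is open to any address")
    # The redirect endpoint carries the AuthnRequest, so it should only be reachable over TLS.
    for svc in md.findall(".//md:SingleSignOnService", ns):
        if svc.get("Binding") == REDIRECT_BINDING and urlparse(svc.get("Location", "")).scheme != "https":
            findings.append(f"IdP redirect endpoint is not https: {svc.get('Location')}")
    return findings
```

Run against the two samples it reports only the plain-HTTP redirect endpoint; point it at the real files under /etc/shibboleth to repeat the check after editing.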