Configure Shibboleth Service Provider on Ubuntu 16

Shibboleth

Environments

Ubuntu 16
Apache 2
Shibboleth 2

Get Apache ready for Shibboleth

Make sure Apache is installed; otherwise, run:

sudo apt-get install apache2

Enable SSL:

sudo a2enmod ssl

Activate the SSL Virtual Host:

sudo a2ensite default-ssl.conf

Create a self-signed SSL certificate:

sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Add a Shibboleth-protected application/service for testing

sudo mkdir /var/www/myservice

Create the index page:

sudo nano /var/www/myservice/index.html

Add content to index.html, e.g.

<html>
<body>
Shibboleth protected service
</body>
</html>

Install Shibboleth

sudo apt-get install libapache2-mod-shib2
sudo a2enmod auth_basic
sudo a2enmod shib2

Set up a Shibboleth certificate:

sudo shib-keygen -h localhost

Check the generated certificate:

openssl x509 -text -noout -in /etc/shibboleth/sp-cert.pem

Edit /etc/shibboleth/shibboleth2.xml. Make sure to back up the original file before editing!

Alternatively, given your hostname, testshib.org can generate a sample configuration (e.g. shibboleth2.xml) for you automatically at:

https://www.testshib.org/configure.html

Sample content below:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
  <ApplicationDefaults entityID="https://localhost/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth"> SAML2 SAML1 </SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="true"/>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>
    <Errors supportContact="[email protected]" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
    <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml" backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000"/>
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
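
Before pointing the SP at a real IdP it is worth reviewing the settings in the sample above (metadata source, handler protection, Status acl, clock skew). The following linter is an added example, not part of the original post or of the Shibboleth project; it parses a trimmed, constructed copy of the sample shibboleth2.xml with the standard library and reports the weak spots a reviewer would look for. Severity labels and thresholds are the author's assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:native:sp:config}"

# Constructed sample: the post's TestShib-style config, trimmed to the elements the linter reads.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="1800">
  <ApplicationDefaults entityID="https://localhost/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true">
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    </Sessions>
    <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
                      backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000"/>
  </ApplicationDefaults>
</SPConfig>"""


def lint_sp_config(xml_text):
    """Return a list of (severity, message) findings for a shibboleth2.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    # A large clockSkew widens the window in which an old assertion is still accepted.
    skew = int(root.get("clockSkew", "180"))  # 180 s is the SP's shipped default
    if skew > 300:
        findings.append(("low", "clockSkew of %d s is generous; 180 s is the default" % skew))
    app = root.find(NS + "ApplicationDefaults")
    if app is None:
        return [("error", "ApplicationDefaults element missing")]
    sessions = app.find(NS + "Sessions")
    if sessions is not None:
        if sessions.get("handlerSSL", "true") != "true":
            findings.append(("high", "handlerSSL is off: SAML handlers also answer over plain HTTP"))
        handlers = {h.get("type"): h for h in sessions.findall(NS + "Handler")}
        status = handlers.get("Status")
        if status is not None and not status.get("acl"):
            findings.append(("medium", "Status handler has no acl; it is reachable from any address"))
        session = handlers.get("Session")
        if session is not None and session.get("showAttributeValues") == "true":
            findings.append(("info", "/Session handler displays attribute values to the session holder"))
    for mp in app.findall(NS + "MetadataProvider"):
        uri = mp.get("uri", "")
        # A Signature MetadataFilter child verifies the fetched metadata; without it, an http:// source is unauthenticated.
        signed = any(f.get("type") == "Signature" for f in mp.findall(NS + "MetadataFilter"))
        if uri.startswith("http://") and not signed:
            findings.append(("high", "IdP metadata %s is fetched over HTTP with no Signature filter" % uri))
    return findings


if __name__ == "__main__":
    for severity, message in lint_sp_config(SAMPLE_CONFIG):
        print("[%s] %s" % (severity, message))
```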

Add the protected service to the Apache configuration

Edit /etc/apache2/sites-available/default-ssl.conf so that it contains:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin [email protected]
    ServerName localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    Alias /myservice/ /var/www/myservice/
    <Location /myservice/>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      Require valid-user
    </Location>
  </VirtualHost>
</IfModule>

Start the Shibboleth service

sudo service shibd start

You may want to enable Shibboleth at startup:

sudo systemctl enable shibd

Test the Shibboleth SP:
https://localhost/Shibboleth.sso/DiscoFeed

Download the SP metadata:
https://FQDN/Shibboleth.sso/Metadata

NB: The Status page may NOT work; e.g. https://localhost/Shibboleth.sso/Status may return a 403 error, because the Status handler's acl in shibboleth2.xml only admits requests from the loopback addresses listed there (127.0.0.1 and ::1).

Now, accessing https://localhost/myservice/ will redirect you to the TestShib site.

Upload the SP metadata at https://www.testshib.org/register.html

Now you should be redirected to the TestShib login page.

Enter the default username/password and you will be redirected back to your secure service page, e.g. /myservice/index.html (/var/www/myservice/index.html).

Further configuration

Allow access only to users from www.XYZ.com (on Apache 2.4)

<Location /myservice/>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require shib-attr affiliation ~ ^[email protected]\.XYZ\.com$
</Location>

Allow access to a specific user

<Location /myservice/>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require user [email protected]
</Location>