Friday, November 26, 2010

Short Description of Shibboleth SSO

The core of Shibboleth SSO consists of two components:

1) IdP (Identity Provider): software installed on the server machine that acts as the identity provider for requests coming from the SP.

2) SP (Service Provider): software installed on the server machine that hosts the site the end user accesses; it calls the IdP to authenticate the user's request.

Q 1) How does Shibboleth SSO work?

Flow

1) The user (through a browser) hits the SP machine, i.e. the machine where the site is hosted and the SP software is installed. Having the SP software installed means the Shibboleth service is running on that machine.

2) The SP service diverts the call to the IdP machine.

3) The IdP machine (where the IdP software is installed) takes the call, hands it to the IdP implementation and shows the user the login page.

4) Once the user has logged in, he/she is redirected to the first page of the site.

Description:

1) Identity Provider:

a) Installation

- Download and install Java 1.5+, Tomcat 5.5 (core) and Apache 2.2+. Install Tomcat at /usr/local/tomcat. Avoid other distributions of Tomcat, such as from yum. Make sure the $JAVA_HOME environment variable points at the root of your JDK.

- Download the IdP .bin binary installer from http://shibboleth.internet2.edu/downloads/shibboleth/idp/2.1.1/, unzip it, and move into that directory.

curl -O http://shibboleth.internet2.edu/downloads/shibboleth/idp/2.1.1/shibboleth-identityprovider-2.1.1-bin.zip

unzip shibboleth-identityprovider-2.1.1-bin.zip

cd identityprovider/

- Run sh install.sh. When prompted, choose a new installation and use /usr/local/idp as your IdP directory.

sh install.sh

- Configure Apache by adding the following line to mod_proxy_ajp.conf or httpd.conf to pass requests for the IdP into Tomcat:

ProxyPass /idp/ ajp://localhost:8009/idp/

Enable Tomcat to run the IdP by endorsing additional libraries for XML processing.

cp endorsed/*.jar /usr/local/tomcat/common/endorsed/

- Add request.tomcatAuthentication="false" and address="127.0.0.1" to the port 8009 AJP/1.3 connector in Tomcat's /usr/local/tomcat/conf/server.xml so Apache can relay usernames to the IdP (the connector element below is restored from the attributes given in the original notes):

<Connector port="8009" protocol="AJP/1.3" request.tomcatAuthentication="false" address="127.0.0.1" />

Define the following in httpd.conf or ssl.conf to front-end your IdP with basic authentication.

AuthType Basic

AuthName "My Identity Provider"

AuthUserFile /usr/local/idp/credentials/user.db

require valid-user

- Create a test user or two using the htpasswd command.

htpasswd -c /usr/local/idp/credentials/user.db spiderman

- Install the IdP into Tomcat.

cp /usr/local/idp/war/idp.war /usr/local/tomcat/webapps/

Note: Apache is used here because the request from the SP may come from any server, i.e. the SP site may be hosted on any technology (Perl, PHP, Java). Behind Apache, the IdP implementation (idp.war) runs on Apache Tomcat.

2) Service Provider:

a) Installation

Take the SP software setup for the specific machine, i.e. if my site is hosted on Tomcat on a Windows machine then I need the SP software for Windows. Choose the installer for this requirement from https://spaces.internet2.edu/display/SHIB2/NativeSPWindowsApacheInstaller

Configuration:

This is the most important part of Shibboleth.

Note: the changes below are made with the following setup in mind:

IdP: Apache + Apache Tomcat

SP: installed on a Windows machine with the setup for Apache.

- Apache is installed on the Windows machine at path C:\Program Files\Apache Software Foundation\Apache2.2\bin

- Tomcat is installed on the Windows machine at path C:\apache-tomcat-5.5.28\bin

- IdP software is installed at path C:\opt\shibboleth-idp

- SP is installed on the Windows machine at path C:\opt\shibboleth-sp

Following are the changes made to the respective files of the servers:

1) C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf

2) C:\apache-tomcat-5.5.28\conf\server.xml

3) C:\opt\shibboleth-idp\conf\relying-party.xml

4) C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml

Changes Description:

1) httpd.conf

a) Listen 8443 https : tells Apache to listen on port 8443 for the https protocol.

b) UseCanonicalName on : tells Apache to use the configured server name rather than the IP address.

c) LoadModule proxy_module modules/mod_proxy.so : loads the proxy module so Apache can proxy requests.

d) LoadModule proxy_ajp_module modules/mod_proxy_ajp.so : loads the AJP proxy module used when an AJP request comes in.

e) LoadModule proxy_http_module modules/mod_proxy_http.so : loads the HTTP proxy module for http requests.

f) ServerName servername:80 : indicates that the Apache server is listening on port 80.

g) #By siddhu for Shiboleth

Include C:/opt/shibboleth-sp/etc/shibboleth/apache22.config : pulls in the SP's Apache configuration.

h) #By siddhu for shibboleth

ProxyPass /idp/ ajp://localhost:8009/idp/ : tells Apache to divert any request whose URL contains /idp/ to ajp://localhost:8009/idp/, which is our Apache Tomcat running behind Apache at the IdP end on port 8009, so that the login screen is shown to the user.

i)

AuthType Basic

AuthName "My Identity Provider"

AuthUserFile C:/opt/shibboleth-idp/credentials/user.db : the file where the user credentials are kept for authentication.

require valid-user

2) server.xml : configures Tomcat's AJP/1.3 connector on port 8009, bound to address 127.0.0.1 so that only the local Apache can reach it, with requests that require SSL redirected to Apache on port 8443 (the connector element is restored from the attributes in the original notes).

<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" request.tomcatAuthentication="false" address="127.0.0.1"/>

3) relying-party.xml:

The most important file that needs to be configured at the IdP end. The Shibboleth IdP depends on this file for every request coming from an SP.

The main elements to consider in relying-party.xml are:

a) AnonymousRelyingParty:

<AnonymousRelyingParty provider="http://localhost/idp/shibboleth" />

This element gives the relying party entityID, i.e. http://localhost/idp/shibboleth; this entity ID must be the same in both the IdP and the SP configuration.

b) DefaultRelyingParty:

<DefaultRelyingParty provider="http://localhost/idp/shibboleth" defaultSigningCredentialRef="IdPCredential">

This element gives the same provider entityID, http://localhost/idp/shibboleth, and names the credential (IdPCredential) the IdP signs with.

c) MetadataProvider:

<MetadataProvider xsi:type="FileBackedHTTPMetadataProvider" metadataURL="http://localhost/Shibboleth.sso/Metadata" backingFile="C:\opt\shibboleth-idp/metadata/local_testshib.xml">

(the element name and type are restored from the description; the id attribute of the original element is not in these notes)

This element says the IdP uses a FileBackedHTTPMetadataProvider: it fetches the SP metadata from the URL metadataURL="http://localhost/Shibboleth.sso/Metadata" and stores a local copy at backingFile="C:\opt\shibboleth-idp/metadata/local_testshib.xml".

The URL http://localhost/Shibboleth.sso/Metadata must be the same in the IdP and SP configuration; the IdP and SP recognise each other only through this unique entity ID.

d) Security: shows which key and certificate the IdP uses for signing and encryption in its exchange with the SP.

C:\opt\shibboleth-idp/credentials/idp.key

C:\opt\shibboleth-idp/credentials/idp.crt

4) shibboleth2.xml

This is the central and most important configuration file on the SP side of Shibboleth.

The main elements to consider in shibboleth2.xml are:

a) ApplicationDefaults: here we specify the SP's entityID, which must match the name given in the IdP configuration.

b) SessionInitiator: this element maps the IdP entityID and starts a session. AssertionConsumerService tells which protocol this SP supports for the response coming from the IdP, i.e. SAML2 or SAML1, and which binding, POST or GET (generally POST). The acl attribute lists the address(es) allowed to use the handler, here the address of the machine where the server is installed.

c) MetadataProvider: this MetadataProvider must match the MetadataProvider configured for the IdP in C:\opt\shibboleth-idp\conf\relying-party.xml.

How to run the whole process

1) Make all the configuration changes above.

2) Start the Shibboleth service from services.msc on the SP machine; from then on every request from a client or end user to the site hosted on this machine is intercepted by this process.

3) Start the Apache server using

C:\Program Files\Apache Software Foundation\Apache2.2\bin>httpd -D SSL -k start

4) Start Tomcat.

Note: refer to the following logs for each of the steps above:

C:\Program Files\Apache Software Foundation\Apache2.2\logs\error.log

C:\opt\shibboleth-sp\var\log\shibboleth\native.log

C:\opt\shibboleth-sp\var\log\shibboleth\shibd.log

C:\opt\shibboleth-idp\logs\idp-process.log

Testing:

After doing the above 4 steps, check that the IdP and SP are running as required:

- For Tomcat: this returns the Tomcat root page, indicating Tomcat is running properly

http://localhost:8080/

- For Apache: this returns the root page of the Apache server

http://localhost:8443/

- To check the IdP: this prints ok, indicating that the IdP is installed and running properly.

http://localhost:8080/idp/profile/Status

- To check the SP on Apache: we get XML as output; for example we can check the entityID in it

http://localhost:8443/Shibboleth.sso/Status

http://localhost:8443/Shibboleth.sso/Session

- Finally hit the following URL

http://localhost:8443/secure

or

http://localhost/secure

This diverts you to the login screen you developed; enter the user id and password you created.

==== File changes to configure Shibboleth IdP 2.1.0 with Shibboleth SP 2.3.1 for a local DB

1) C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf

Listen 8443 https
UseCanonicalName on
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
ServerName servername:80
#By siddhu for Shiboleth
Include C:/opt/shibboleth-sp/etc/shibboleth/apache22.config
#By siddhu for shibboleth
ProxyPass /idp/ ajp://localhost:8009/idp/
AuthType Basic
AuthName "My Identity Provider"
AuthUserFile C:/opt/shibboleth-idp/credentials/user.db
require valid-user

2) C:\apache-tomcat-5.5.28\conf\server.xml

3) C:\opt\shibboleth-idp\conf\relying-party.xml

4) C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml

5) C:\opt\shibboleth-idp\conf\handler.xml

/Metadata/SAML -- uncommented this line: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

6) C:\opt\shibboleth-sp\var\run\shibboleth\local_testshib-two-idp-metadata.xml

7) Finally, if you get the message "service registered but not signed", modify the file local_testshib-two-idp-metadata.xml at C:\opt\shibboleth-sp\var\run\shibboleth\local_testshib-two-idp-metadata.xml (referenced from C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml): copy the value of idp.crt into local_testshib-two-idp-metadata.xml and the problem is solved.

8) Create a secure folder inside the Apache server and put your first page in it: C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\secure, i.e. C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\secure\index.html

== For logs, check these:

C:\Program Files\Apache Software Foundation\Apache2.2\logs\error.log

C:\opt\shibboleth-sp\var\log\shibboleth\native.log

C:\opt\shibboleth-idp\logs\idp-process.log



====== File changes to configure LDAP for Shibboleth IdP 2.2.0 and Shibboleth SP 2.3.1

1) C:\opt\shibboleth-idp\conf\login.config

edu.vt.middleware.ldap.jaas.LdapLoginModule required
    host="localhost"
    port="10389"
    base="ou=users"
    userField="uid";

2) C:\opt\shibboleth-idp\conf\handler.xml

Login handler attributes (only the attributes survive in these notes, not the surrounding element tags):

jaasConfigurationLocation="file://C:\opt\shibboleth-idp/conf/login.config" authenticationDuration="720">

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

3) C:\opt\shibboleth-idp\conf\logging.xml

4) C:\opt\shibboleth-idp\conf\relying-party.xml

Relying party attributes (only the attributes survive in these notes, not the element tags):

defaultSigningCredentialRef="IdPCredential" />

defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">

Profile configuration attributes:

includeAttributeStatement="true"
assertionLifetime="PT5M"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />

assertionLifetime="PT5M"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />

signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="conditional" />

Metadata provider attributes:

metadataURL="http://localhost/Shibboleth.sso/Metadata"
backingFile="C:/opt/shibboleth-idp/metadata/local_testshib.xml">


5) C:\opt\shibboleth-idp\conf\attribute-resolver.xml

LDAP data connector attributes and the filter template (only the attributes and the filter survive in these notes, not the element tags):

ldapURL="ldap://localhost:10389"
baseDN="ou=system"
principal="uid=admin,ou=system"
principalCredential="secret"
lowercaseAttributeNames="true">

<![CDATA[
(uid=$requestContext.principalName)
]]>

6) C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml

7) C:\apache-tomcat-5.5.28\webapps\idp\login.jsp -- No Change

8) C:\apache-tomcat-5.5.28\webapps\idp\WEB-INF\web.xml -- No Change

9) C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf

Listen 80

Listen 8443 https

UseCanonicalName on

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

LoadModule proxy_http_module modules/mod_proxy_http.so

LoadModule ssl_module modules/mod_ssl.so

ServerName servername:80

#By siddhu for Shiboleth

Include C:/opt/shibboleth-sp/etc/shibboleth/apache22.config


ProxyPass /idp/ ajp://localhost:8009/idp/

AuthType Basic

AuthName "My Identity Provider"

require valid-user



10) Created the file local_testshib.xml by hitting http://localhost/Shibboleth.sso/Metadata (the metadataURL="http://localhost/Shibboleth.sso/Metadata" inside relying-party.xml) and copying/downloading the output into a file named local_testshib.xml at

C:\opt\shibboleth-idp\metadata\local_testshib.xml



11) Finally, if you get the message "service registered but not signed", modify the file local_testshib-two-idp-metadata.xml at C:\opt\shibboleth-sp\var\run\shibboleth\local_testshib-two-idp-metadata.xml (referenced from C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml): copy the value of idp.crt into local_testshib-two-idp-metadata.xml and the problem is solved.
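A practical check for the "service registered but not signed" step above, added here as an example and not part of the original post: it parses the SP's copy of the IdP metadata (local_testshib-two-idp-metadata.xml), confirms that its entityID is the one configured in relying-party.xml, and confirms that the signing certificate it carries is byte-for-byte the body of idp.crt. The XML and the certificate are constructed samples; the base64 body is a placeholder, not a real certificate.

```python
"""Consistency check between idp.crt and the IdP metadata held by the SP.
Added example (not from the original post); XML and certificate are constructed samples."""
import re
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for C:\opt\shibboleth-idp\credentials\idp.crt (placeholder body)
IDP_CRT = """-----BEGIN CERTIFICATE-----
MIICsDCCAZigAwIBAgIJAPLACEHOLDER0000
-----END CERTIFICATE-----
"""

# Constructed stand-in for local_testshib-two-idp-metadata.xml on the SP side
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICsDCCAZigAwIBAgIJAPLACEHOLDER0000</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def pem_body(pem):
    """Base64 body of a PEM certificate with every whitespace character removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return re.sub(r"\s+", "", m.group(1))

def metadata_certs(xml_text):
    """Every X509Certificate in the metadata, whitespace stripped for comparison."""
    root = ET.fromstring(xml_text)
    return [re.sub(r"\s+", "", e.text or "")
            for e in root.iterfind(".//ds:X509Certificate", NS)]

def check_idp_metadata(xml_text, pem, expected_entity_id):
    """Report whether entityID and signing certificate agree with the IdP configuration."""
    root = ET.fromstring(xml_text)
    certs = metadata_certs(xml_text)
    return {"entity_id_ok": root.get("entityID") == expected_entity_id,
            "cert_present": bool(certs),
            "cert_matches_idp_crt": pem_body(pem) in certs}

if __name__ == "__main__":
    # Run against the real files by reading them into xml_text and pem instead
    print(check_idp_metadata(IDP_METADATA, IDP_CRT, "http://localhost/idp/shibboleth"))
```

If cert_matches_idp_crt comes back False after the IdP certificate has been regenerated, the SP is still validating signatures against the stale copy and the "not signed" error will persist until the metadata is refreshed.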

