Deploy Shibboleth Target 1.2.1 on Oracle AS 10g Web Server (Windows)

Author: Valery Tschopp <tschopp@switch.ch> - SWITCH
$Date: 2005/04/22 15:40:44 $
$Revision: 1.3 $

Introduction

This document shows you how to set up a Shibboleth Target 1.2.1a within the SWITCHaai Federation on a Windows 2003 Server running Oracle AS 10g HTTP Server (Apache). It complements the "Shibboleth Target Deployment Guide" of Internet2.

Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of our website.

Original Deployment Documentation

To configure your resource within another federation or for another platform either check our website or refer directly to the original Shibboleth Target Deployment Guide.

Before you start

Please make sure you have the following things ready:

Installation

Installation process of Shibboleth Target 1.2.1a

Execute the Windows Installer shibboleth-1.2.1a-win32.exe and follow the instructions.

Note: In the following, we assume you have installed Shibboleth in D:\shibboleth\. If you have not, you will have to adapt the configuration file accordingly.

When you are done with the installation program

Patch the installed Shibboleth Target 1.2.1a

Unzip the special Oracle AS 10g package shibboleth-1.2.1a-win32-oracle-as10g.zip into the Shibboleth install directory D:\shibboleth.

The zip file contains specially compiled Shibboleth components, recompiled against the Oracle AS 10g HTTP Server. The following files are installed and/or overwritten:

Update the Oracle AS 10g Process Management Configuration (opmn.xml)

Using the Oracle Enterprise Manager, modify the Process Management configuration to add the directory D:\shibboleth\lib to the PATH variable of the Oracle HTTP Server.

The Process Management configuration is stored in file: opmn.xml.

Add the <environment> XML block in the HTTP_Server <ias-component> entity as shown below:

...
<ias-component id="HTTP_Server">
   <environment>
      <variable id="PATH" value="D:\shibboleth\lib" append="true"/>
   </environment>
   <process-type id="HTTP_Server" module-id="OHS">
      <module-data>
         <category id="start-parameters">
            <data id="start-mode" value="ssl-enabled"/>
         </category>
      </module-data>
      <process-set id="HTTP_Server" numprocs="1"/>
   </process-type>
</ias-component>
...

Then apply the change. The Oracle Process Manager service should be restarted.

Configuration

Configure Shibboleth for your host (shibboleth.xml)

Configure the Shibboleth Target for your specific host. The main configuration file is D:\shibboleth\etc\shibboleth\shibboleth.xml.

Applications Entity

Set the correct providerId in the <Applications> XML element. Replace {HOSTNAME} with the fully qualified domain name of your server (the same as the certificate Common Name CN).

<Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
     id="default"
     providerId="urn:mace:switch.ch:SWITCHaai:pilot:{HOSTNAME}">

Sessions Element

Check the <Sessions> XML element for the correct wayfURL:

<Sessions lifetime="7200" timeout="3600" checkAddress="true"
          wayfURL="https://wayf1.switch.ch/SWITCHaai/WAYF"
          shireURL="/Shibboleth.shire"
          shireSSL="true"/>

Errors Element

Set the correct supportContact email address and your organization's logo definition in the <Errors> XML element. The CSS and HTML error files specified in this element should be customized to reflect your organization's look and feel.

<Errors shire="D:/shibboleth/etc/shibboleth/shireError.html"
        rm="D:/shibboleth/etc/shibboleth/rmError.html"
        access="D:/shibboleth/etc/shibboleth/accessError.html"
        supportContact="support@epfl.ch"
        logoLocation="/logo.gif"
        styleSheet="/styles.css"/>

Credentials Entity

Set the correct credential private key and certificate for this server. Replace {HOSTNAME} with the fully qualified domain name of your server (the same as the certificate Common Name CN).

<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
   <FileResolver Id="SWITCHpki">
      <Key format="PEM">
         <Path>D:/shibboleth/etc/shibboleth/{HOSTNAME}.key</Path>
      </Key>
      <Certificate format="PEM">
         <Path>D:/shibboleth/etc/shibboleth/{HOSTNAME}.crt</Path>
      </Certificate>
   </FileResolver>
</Credentials>
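The Applications, Sessions and Credentials edits above all hinge on the same hostname being filled in consistently; a mismatch typically only surfaces as a failed SSO at the WAYF. The following script is an added example (not part of the SWITCH guide or the Shibboleth distribution) that parses those three fragments of shibboleth.xml and reports inconsistencies against the expected hostname. It assumes the fragments are nested as in the constructed sample, and the host name sp.example.ch is made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the shibboleth.xml fragments the guide edits, with
# {HOSTNAME} already replaced by a made-up host. Nesting <Sessions> inside
# <Applications> is an assumption; the guide shows the elements separately.
SAMPLE_CONFIG = """<ShibbolethTargetConfig>
  <Applications xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" id="default"
       providerId="urn:mace:switch.ch:SWITCHaai:pilot:sp.example.ch">
    <Sessions lifetime="7200" timeout="3600" checkAddress="true"
              wayfURL="https://wayf1.switch.ch/SWITCHaai/WAYF"
              shireURL="/Shibboleth.shire" shireSSL="true"/>
  </Applications>
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="SWITCHpki">
      <Key format="PEM"><Path>D:/shibboleth/etc/shibboleth/sp.example.ch.key</Path></Key>
      <Certificate format="PEM"><Path>D:/shibboleth/etc/shibboleth/sp.example.ch.crt</Path></Certificate>
    </FileResolver>
  </Credentials>
</ShibbolethTargetConfig>"""

PROVIDER_PREFIX = "urn:mace:switch.ch:SWITCHaai:pilot:"


def _find(root, local_name):
    """Return the first element with this local name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    return None


def check_config(xml_text, hostname):
    """Return a list of findings; an empty list means the fragments agree with hostname."""
    root = ET.fromstring(xml_text)
    findings = []
    apps = _find(root, "Applications")
    provider_id = apps.get("providerId", "") if apps is not None else ""
    if provider_id != PROVIDER_PREFIX + hostname:
        findings.append("providerId %r does not match %s%s" % (provider_id, PROVIDER_PREFIX, hostname))
    sessions = _find(root, "Sessions")
    for attr in ("shireSSL", "checkAddress"):  # both must stay enabled per the guide
        if sessions is None or sessions.get(attr) != "true":
            findings.append("<Sessions> must set %s=\"true\"" % attr)
    if sessions is not None and not sessions.get("wayfURL", "").startswith("https://"):
        findings.append("wayfURL is not an https URL")
    for tag, ext in (("Key", ".key"), ("Certificate", ".crt")):
        el = _find(root, tag)
        path_el = _find(el, "Path") if el is not None else None
        path = (path_el.text or "").strip().replace("\\", "/") if path_el is not None else ""
        if not path.endswith("/" + hostname + ext):
            findings.append("<%s> path %r is not .../%s%s" % (tag, path, hostname, ext))
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG, "sp.example.ch") or ["OK: configuration is consistent"]:
        print(line)
```

To run it against a real installation, read D:\shibboleth\etc\shibboleth\shibboleth.xml into `xml_text` and pass the server's fully qualified domain name as `hostname`.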

Configure the Oracle AS 10g HTTP Server (httpd.conf)

Edit the Apache server configuration file httpd.conf and add the lines below at the end of it. The ServerName directive should match your hostname.

...
ServerName {HOSTNAME}
...
##
# Shibboleth Target 1.2.1a
##
Include "D:\shibboleth\etc\shibboleth\apache_shibboleth.conf"

Then apply the change and restart the HTTP server.

The Shibboleth configuration file apache_shibboleth.conf defines an Apache protected Location as follows:

<Location /aai>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
    AllowOverride None
</Location>

Shibboleth Attribute Requester (SHAR)

The Shibboleth Attribute Requester is installed as a Service and should start automatically.