Deployment of Shibboleth Service Provider 2.0 on Debian 4.0

NoteFor general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the deployment section of the SWITCHaai website.

The example values used in this guide are:

www.example.org: The DNS name of the resource (Service Provider).
https://www.example.org/shibboleth: The provider Id of the Service Provider.

Note For convenience, you may decide to dynamically replace the example value with your actual service hostname () In cases where the service host name (e.g. elearning.example.org) is different from the system name (e.g. web-host27.example.org), one should always use the service hostname for URLs and the Service Provider's providerId/entityID.

Note The location of your custom configuration should be separated in the /etc/shibboleth2/ directory. It allows you to upgrade the Shibboleth Service Provider software without overwriting your existing configuration. When migrating from a Shibboleth Service Provider 1.x to 2.x, this way the two configurations are kept separate from each other.
It is recommended to create a symlink /opt/shibboleth-sp2, which points to the current Shibboleth Service Provider software relaese (e.g. shibboleth-sp-2.0). Installing/updating it this way, prevents you to adjust all the path references in the configuration files each time and allows you smoothly upgrades between new software releases/patches.

Before starting to build and configure the Shibboleth Sevice Provider, assure that the following prerequisites are met:

sudo: Allows to run commands as user with root privileges
Apache HTTP 2.2: sudo apt-get install apache2
For configuration, see at the Apache HTTP documentation in the references.
A proper certificate: For decrypting the assertions and/or provide an SSL connection to the resource, a certificate is required.
Please refer to http://www.switch.ch/aai/certificates/ for further information about certificates.
You can use the same certificate for Apache mod-ssl and for Shibboleth Service Provider.
OpenSSL: For working with x509 certificates
sudo apt-get install openssl
NTP: Servers running Shibboleth must have their system time synchronized in order to avoid clock-skew errors:
sudo apt-get install ntp
Shibboleth build environment: Since the Shibboleth Service Provider is implemented in C/C++, some C/C++ build tools are needed:
sudo apt-get install gcc g++ make
The Shibboleth service provider is linked against some external libraries. The needed header files and libraries are:
sudo apt-get install libssl0.9.8 libssl-dev
sudo apt-get install libcurl3 libcurl3-dev
sudo apt-get install apache2-threaded-dev

Define and create the build directory:

export MYBUILD=~/shibsp2.0-build
mkdir $MYBUILD

Download and extract the needed sources:

wget http://shibboleth.internet2.edu/downloads/log4shib/latest/log4shib-1.0.tar.gz -P $MYBUILD
wget http://mirror.switch.ch/mirror/apache/dist/xerces/c/sources/xerces-c-src_2_8_0.tar.gz -P $MYBUILD
wget http://xml.apache.org/security/dist/c-library/xml-security-c-1.4.0.tar.gz -P $MYBUILD
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/xmltooling-1.0.tar.gz -P $MYBUILD
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/opensaml-2.0.tar.gz -P $MYBUILD
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/shibboleth-sp-2.0.tar.gz -P $MYBUILD

Note http://shibboleth.internet2.edu/downloads/ is replicated at http://mirror.switch.ch/ftp/mirror/shibboleth/

for f in $MYBUILD/*.tar.gz; do tar -xzvf $f -C $MYBUILD; done

Define some required environment variables. Just adjust SHIB_HOME if the target directory is somewhere else:

export SHIB_HOME=/opt/shibboleth-sp-2.0/
export XERCESCROOT=$MYBUILD/xerces-c-src_2_8_0/

Create the target directory:

sudo mkdir $SHIB_HOME

1. Log4Shib:

cd $MYBUILD/log4shib-1.0/
./configure --disable-static --disable-doxygen --prefix=$SHIB_HOME
make
sudo make install

2. XercesC:

cd $MYBUILD/xerces-c-src_2_8_0/src/xercesc/
./runConfigure -p linux -r pthread -P $SHIB_HOME
make
sudo env XERCESCROOT=$XERCESCROOT make install

3. XML-Security:

cd $MYBUILD/xml-security-c-1.4.0
./configure --without-xalan --prefix=$SHIB_HOME
make
sudo env XERCESCROOT=$XERCESCROOT make install

4. XML-Tooling:

cd $MYBUILD/xmltooling-1.0/
./configure --with-log4shib=$SHIB_HOME --prefix=$SHIB_HOME -C
make
sudo make install

5. OpenSAML:

cd $MYBUILD/opensaml-2.0/
./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME -C
make 
sudo make install

6. Shibboleth Service Provider:

cd $MYBUILD/shibboleth-2.0/
./configure --with-saml=$SHIB_HOME --enable-apache-22 --with-log4shib=$SHIB_HOME --prefix=$SHIB_HOME -C 
make
sudo make install

Create the file /etc/apache2/mods-available/shib.load:

# Load the shibboleth module

LoadModule mod_shib /opt/shibboleth-sp2/lib/shibboleth/mod_shib_22.so

Create the file /etc/apache2/mods-available/shib.conf:

# Global Configuration
# This is the XML file that contains all the global, non-apache-specific
# configuration.  Look at this file for most of your configuration parameters.
ShibConfig /etc/shibboleth2/shibboleth2.xml

# Used for example logo and style sheet in error templates.
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
  </Location>
  Alias /shibboleth-sp/main.css /opt/shibboleth-sp2/share/doc/shibboleth/main.css
  Alias /shibboleth-sp/logo.jpg /opt/shibboleth-sp2/share/doc/shibboleth/logo.jpg
</IfModule>

Adjust the Apache configuration /etc/apache2/envvars:

...
...
# This file is generated from envvars-std.in
#
export LD_LIBRARY_PATH=/opt/shibboleth-sp2/lib

Enable the Shibboleth Apache module:

sudo a2enmod shib

Copy the distribution init script:

sudo cp $SHIB_HOME/etc/shibboleth/shibd-debian /etc/init.d/shibd

Adjust the init script:

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Shibboleth 2 daemon"
NAME=shibd
SHIB_HOME=/opt/shibboleth-sp2/
SHIBSP_CONFIG=/etc/shibboleth2/shibboleth2.xml
LD_LIBRARY_PATH=/opt/shibboleth-sp2/lib
DAEMON=/opt/shibboleth-sp2/sbin/shibd
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=/var/run/$NAME.pid

...

Install the init script:

sudo chmod +x /etc/init.d/shibd
sudo update-rc.d shibd defaults

Warning This step is only needed if you do a fresh installation. In case of an update, these steps will overwrite the existing configuration files, which may not be what you want!

Copy the configuration files:

sudo mkdir /etc/shibboleth2
sudo cp $SHIB_HOME/etc/shibboleth/attribute-map.xml  /etc/shibboleth2/
sudo cp $SHIB_HOME/etc/shibboleth/attribute-policy.xml  /etc/shibboleth2/
sudo cp $SHIB_HOME/etc/shibboleth/native.logger  /etc/shibboleth2/
sudo cp $SHIB_HOME/etc/shibboleth/shibboleth2.xml  /etc/shibboleth2/
sudo cp $SHIB_HOME/etc/shibboleth/shibd.logger  /etc/shibboleth2/
sudo cp $SHIB_HOME/etc/shibboleth/syslog.logger  /etc/shibboleth2/

Donwload the certificate, which signs the metadata (trust anchor):

sudo wget http://www.switch.ch/aai/downloads/metadata.crt -P /etc/shibboleth2

Symlink the current installation:

sudo ln -sf $SHIB_HOME /opt/shibboleth-sp2

The main configuration of the Shibboleth Service Provider is done in /etc/shibboleth2/shibboleth2.xml
Adjust the custom values. Take the appropiate values for the resource configuration within the production federation (SWICTHaai) or the test federation (AAI Test).

Download the attribute map, where the attribute definition and its map to the HTTP-Header names are done:

sudo wget -nc http://www.switch.ch/aai/docs/shibboleth/SWITCH/2.0/sp/attribute-map.xml -P /etc/shibboleth2/

Warning If you get the message File `/etc/shibboleth2/attribute-map.xml' already there; not retrieving.', you have first to backup your current attribute-map.xml.

Note By default, Shibboleth 2.0 uses environment variables instead of HTTP headers to improve security. If you need the HTTP Headers (i.e. by using mod_jk) you have to set the Apache directive ShibUseHeaders On within your protected application. For further information, refer to the Internet 2 Shibbolet SP 2 documentation.

Download the attribute filtering policy (aka. AAP):

sudo wget -nc http://www.switch.ch/aai/docs/shibboleth/SWITCH/2.0/sp/attribute-policy.xml -P /etc/shibboleth2/

Warning If you get the message File `/etc/shibboleth2/attribute-policy.xml' already there; not retrieving.', you have first to backup your current attribute-policy.xml.

Define a redirect in the Apache virtual host section of the Service Provider, e.g. /etc/apache2/sites-enabled/www.example.org:

<VirtualHost www.example.org:443>
...

  Redirect seeother /shibboleth https://www.example.org/Shibboleth.sso/Metadata

</VirtualHost>

4.4 AAI Resource Registry

In order to activate your Service Provider within the federation you need to register it with the Resource Registry. The purpose of the Resource Registry is to have an up-to date list of all Identity Providers and Service Providers in the SWITCHaai Federation. (see the information about the Resource Registry).

To register a resource:

Go to the AAI Resource Registry.
Log in via SWITCHaai|AAITest. Use your organisation account to get access. In case your organisation doesn't operate yet an AAI Identity Provider, please ask aai@switch.ch for an account.
Click on the tab Resource Administration
Click on Add a Resource Description
Click on Run Shibboleth 2.0 assistant
Fill out all forms that are marked incomplete. Some forms do not need to be filled out completely.
After you have completed all sections (they should all be marked as 'optional' or 'ok'), click on Submit for Approval. A Resource Registration Authority administrator then has to approve the Resource Description in order to make it active.

5. Run & Test

Test the configuration file:

sudo /opt/shibboleth-sp2/sbin/shibd -t -c /etc/shibboleth2/shibboleth2.xml

Start the Shibboleth deamon:

sudo /etc/init.d/shibd start

Restart Apache:

sudo /etc/init.d/apache2 restart

For testing purposes, there is the status URL https://www.example.org/Shibboleth.sso/Status, which returns information about the setup as an XML response.
For accessing the status URL, the accessing host has to be enabled in /etc/shibboleth2/shibboleth2.xml:

...
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
...

Warning If the acl attribute is removed, anyone is permited to access the status handler. Please consider, that the status handler can return some potentially sensitive information about your configuration.

Simple Test Resource

For a real test that shows if the Service Provider retrieves any attributes from an Identity Provider, you first must protect a resource, e.g. https://www.example.org/secure/. This can be accomplished by adding the following directives to the Apache site config, e.g. /etc/apache2/sites-enabled/www.example.org:

<VirtualHost www.example.org:443>
...

  <Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
  </Location>

</VirtualHost>

Restart Apache:

sudo /etc/init.d/apache2 restart

NoteFurther information about protecting resources with Shibboleth can be found at SWITCHaai - How to protect a resource with Shibboleth access rules web page.

After restarting Apache, try to access: https://www.example.org/secure/, the authentication should be initiated and you should be redirected either to the WAYF or to an Identity Provider. Upon successful authentication, you will probably encounter a 404 (File not found) error, because there might be no /secure.
Anyway, if you can access https://www.example.org/Shibboleth.sso/Session to get information about the session like the issuer (IdP) and released attributes, this proofs the proper operation of the Service Provider.

If more testing is needed, e.g. to get the values of the released attributes, add a simple PHP script into the secure/ directory, like that index.php:

<html><body><pre>
<?php print_r($_SERVER); ?>
</pre></body></html>

This PHP script has to be placed in a Shibboleth protected directory (e.g. /secure from above). If successfully authenticated and authorized, you should see some environment variables contain your user attributes.

6. Troubleshooting

6.1 Logfiles

If some of the above tests are not successful, we recommend to do the following:

Scan the logfiles. They can be found at the path set in the property log4j.appender.native_log.fileName defined in /etc/shibboleth2/native.logger and the path log4j.appender.shibd_log.fileName set in /etc/shibboleth2/shibd.logger for WARN and ERROR messages.
Check /var/log/apache2/error.log and /var/log/apache2/access.log
Set the log level (log4j.rootCategory) of /etc/shibboleth2/native.logger and /etc/shibboleth2/shibd.logger to DEBUG. Once the problem is solved, don't forget to set it back to WARN or INFO to prevent your log files from growing too big.

Note To avoid a blow up of the logfiles, set the log level after debuging to an accurate level like WARN or INFO.

6.2 Common problems

Following is a list of common problems that you may check:

No log files are written: Check the permissions of the log files or the path for the log files set in /etc/shibboleth2/native.logger or /etc/shibboleth2/shibd.logger .
No attributes/Certificates problems: Check the Apache SSL certificate with the https://tools.switch.ch/certchaintest/ to make sure the full certificate chain up to the root CA certificate is attached to your certificate.

In case you don't understand or don't find the cause of the error, have a look at the Internet2 Shibboleth SP 2.0 - Common Errors web page.

7. References

--
$Id: deployment-sp-2.0-debian-4.0.html,v 1.8 2008/07/02 07:12:30 reusser Exp $

Deployment of Shibboleth Service Provider (SP) 2.0 on Debian GNU/Linux 4.0

Table of contents

1. Introduction

2. Prerequisites

3. Build & Installation

3.1 Source code download

3.2 Build

3.3 Install Shibboleth Apache module

3.4 Install Shibboleth daemon

3.5 Prepare your custom configuration

3.6 Download federation specific file

3.7 Define the current Shibboleth SP release

4. Configuration

4.1 Logging

4.2 Shibboleth service provider