Guides: Debian GNU/Linux 5.0 with backports packages Debian GNU/Linux 5.0 from sources Linux with RPM packages Windows with IIS Solaris from sources Mac OS X with MacPorts  
  
URL: https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.3/sp/deployment/debian-lenny-source.html
Author: Halm Reusser - SWITCH
$Date: 2010-12-22 11:06:13 +0100 (Mi, 22 Dez 2010) $
$Revision: 1106 $
  

Deployment of Shibboleth Service Provider (SP) 2.3.1 on
Debian GNU/Linux 5.0 from sources

Table of contents

0. Introduction

Note For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the deployment section of the SWITCHaai website.

This guide describes the installation & configuration of a Shibboleth Sevice Provider (SP) 2.3.1 on a Debian GNU/Linux 5.0 from sources. It covers the installation of the Shibboleth Webserver authentication module as well as the Shibboleth daemon and its configuration for the SWITCHaai federation.

For further information about Shibboleth Sevice Provider, take a look at the references.

Assumption

Before starting to install Shibboleth Sevice Provider, assure that the following prerequisites are met:
A proper certificate
For decrypting the assertions and/or provide an SSL connection to the resource, a certificate is required.
Please refer to http://www.switch.ch/aai/certificates/ for further information about certificates.
You can use the same certificate for the SSL webserver connection and for Shibboleth Service Provider.
It is also possible to create a self-signed certificate for communciation usage between the Shibboleth components.
If you need that opportunity, please follow the steps described below.

Known issues

Follwing issues are known and should be take into account when installing a Shibboleth Service Provider:
libcurl SSL/TLS support
Please be aware that the Shibboleth Service Provider requires that the libcurl library is linked against openssl and not gnutls.

1. Setup Profile

For convenience, you may decide to dynamically profile your setup by providing some information about your environment in the this step.

In which federation you will deploy your SP?
What is the FQDN of your service?
Define an unique identifier of your Service Provider, called entityID:
Note In cases where the service host name (e.g. elearning.example.org) is different from the system name (e.g. web-host27.example.org), one should always use the service hostname for URLs and the Service Provider's entityID.
Where should your Shibboleth configuration directory be?
Note The location of your custom configuration should be separated in the /etc/shibboleth/ directory. It allows you to upgrade the Shibboleth Service Provider software without overwriting your existing configuration. When migrating from a Shibboleth Service Provider 1.x to 2.x, this way the two configurations are kept separate from each other.
Where is your X509 key located?
Where is your X509 certificate located?
What is your installation directory?
What is your log directory?
What is the home URL of your resource?
What is the support contact of your resource?

1.1 Quick download configuration files

If you are in a hurry and know the whole setup process, you can download all relevant configuration files here:

2. Prerequisites

Before starting to build and configure the Shibboleth Sevice Provider, assure that the following prerequisites are met:
sudo
Allows to run commands as user with root privileges
Apache HTTP 2.2
sudo aptitude install apache2
For configuration, see at the Apache HTTP documentation in the references.
OpenSSL
For working with x509 certificates
sudo aptitude install openssl
NTP
Servers running Shibboleth must have their system time synchronized in order to avoid clock-skew errors:
sudo aptitude install ntp
Shibboleth build environment
Since the Shibboleth Service Provider is implemented in C/C++, some C/C++ build tools are needed:
sudo aptitude install gcc g++ make
The Shibboleth service provider is linked against some external libraries. The needed header files and libraries are:
sudo aptitude install libssl0.9.8 libssl-dev
sudo aptitude install libcurl3 libcurl3-dev
sudo aptitude install libxerces-c28 libxerces-c2-dev
sudo aptitude install libxml-security-c14 libxml-security-c-dev
sudo aptitude install apache2-threaded-dev

3. Installation

3.1 Source code download

Define and create the build directory:
export MYBUILD=~/shibsp2.3.1-build
mkdir $MYBUILD
Download and extract the needed sources:
wget http://shibboleth.internet2.edu/downloads/log4shib/latest/log4shib-1.0.4.tar.gz -P $MYBUILD
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/xmltooling-1.3.3.tar.gz -P $MYBUILD
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/latest/opensaml-2.3.tar.gz -P $MYBUILD
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/shibboleth-sp-2.3.1.tar.gz -P $MYBUILD
Note http://shibboleth.internet2.edu/downloads/ is replicated at http://mirror.switch.ch/ftp/mirror/shibboleth/
for f in $MYBUILD/*.tar.gz; do tar -xzvf $f -C $MYBUILD; done

3.2 Build

Define some required environment variables. Just adjust SHIB_HOME if the target directory is somewhere else:
export SHIB_HOME=/opt/shibboleth-sp-2.3.1/ 
Create the target directory:
sudo mkdir $SHIB_HOME
1. Log4Shib:
cd $MYBUILD/log4shib-1.0.4/
./configure --disable-static --disable-doxygen --prefix=$SHIB_HOME
make
sudo make install
2. XML-Tooling:
cd $MYBUILD/xmltooling-1.3.3/
./configure --with-log4shib=$SHIB_HOME --prefix=$SHIB_HOME -C
make
sudo make install
3. OpenSAML:
cd $MYBUILD/opensaml-2.3/
./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME -C
make 
sudo make install
4. Shibboleth Service Provider:
cd $MYBUILD/shibboleth-2.3.1/
./configure --with-saml=$SHIB_HOME --enable-apache-22 --with-log4shib=$SHIB_HOME --with-xmltooling=$SHIB_HOME --prefix=$SHIB_HOME -C
make
sudo make install

3.3 Define the current Shibboleth SP release

Note It is recommended to create a symlink /opt/shibboleth-sp2/, which points to the current Shibboleth Service Provider software release (e.g. /opt/shibboleth-sp-2.3.1/ Installing/updating it this way, prevents you to adjust all the path references in the configuration files each time and allows you smoothly upgrades between new software releases/patches.
Symlink the current installation:
if [ -L /opt/shibboleth-sp2 ] ; then sudo rm /opt/shibboleth-sp2 ; fi;
sudo ln -sf $SHIB_HOME /opt/shibboleth-sp2

3.4 Install Shibboleth Apache module

Create the file /etc/apache2/mods-available/shib.load:
Create the file /etc/apache2/mods-available/shib.conf:
Adjust the Apache configuration /etc/apache2/envvars:
...
...
# This file is generated from envvars-std.in
#

export LD_LIBRARY_PATH=/opt/shibboleth-sp2/lib
Enable the Shibboleth Apache module:
sudo a2enmod shib

3.5 Install Shibboleth daemon

Copy the distribution init script:
sudo cp $SHIB_HOME/etc/shibboleth/shibd-debian /etc/init.d/shibd 
Adjust the init script:
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Shibboleth 2 daemon"
NAME=shibd
SHIB_HOME=/opt/shibboleth-sp2/
SHIBSP_CONFIG=/etc/shibboleth/shibboleth2.xml
LD_LIBRARY_PATH=$SHIB_HOME/lib
DAEMON=$SHIB_HOME/sbin/shibd
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=/var/run/$NAME.pid

...
Install the init script:
sudo chmod +x /etc/init.d/shibd
sudo update-rc.d shibd defaults

3.6 Prepare your custom configuration

Warning This step is only needed if you do a fresh installation. In case of an update, these steps will overwrite the existing configuration files, which may not be what you want!
Copy some configuration files:
sudo mkdir /etc/shibboleth/ 

sudo cp $SHIB_HOME/etc/shibboleth/native.logger /etc/shibboleth/ 
sudo cp $SHIB_HOME/etc/shibboleth/shibd.logger /etc/shibboleth/ 
sudo cp $SHIB_HOME/etc/shibboleth/syslog.logger /etc/shibboleth/ 

3.7 Prepare logging directory

Note This step is only needed if you do a fresh installation. In case of an update these steps where already done.
Note The Shibboleth Apache module log (/etc/shibboleth/native.logger) runs by the Apache process and has to be writeable.
Create logging directory and set according permissions:
sudo mkdir -p /var/log/shibboleth/ 
sudo touch /var/log/shibboleth/shibd.log 
sudo touch /var/log/shibboleth/native.log 
sudo chgrp www-data /var/log/shibboleth/native.log 
sudo chmod g+w /var/log/shibboleth/native.log 

4. Configuration

4.1 Self-signed certificate generation

Note You can skip this if you are going to use a certificate from a well known CA or if you already created a self signed certificate in a previous installation.
Note Please consider that a self-signed certificate has to fulfil some requirements. Using the command below will respect those requirements.

For creating a self signed certificate follow these steps:

cd /etc/shibboleth/    
sudo sh /opt/shibboleth-sp-2.3.1/etc/shibboleth/keygen.sh -h sp.example.org -y 3 -e https://sp.example.org/shibboleth    

4.2 Logging

The Shibboleth Apache module log is configured by /etc/shibboleth/native.logger
The Shibboleth daemon and the transaction log are configured by /etc/shibboleth/shibd.logger

4.3 Shibboleth service provider

The main configuration of the Shibboleth Service Provider is done in /etc/shibboleth/shibboleth2.xml:
Download the attribute map, where the attribute definition and its map to the HTTP-Header names are done:
sudo wget -nc https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.3/sp/deployment/download/attribute-map.xml -P /etc/shibboleth/
Warning In case of an update, you should backup your /etc/shibboleth/attribute-map.xml first!
Note By default, Shibboleth 2.x uses environment variables instead of HTTP headers to improve security. If you need the HTTP Headers (i.e. by using mod_jk) you have to set the Apache directive ShibUseHeaders On within your protected application. For further information, refer to the Internet 2 Shibbolet SP 2 documentation.
Download the attribute filtering policy (aka. AAP):
sudo wget -nc  https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.3/sp/deployment/download/attribute-policy.xml -P /etc/shibboleth/
Warning In case of an update, you should backup your /etc/shibboleth/attribute-policy.xml first!

4.4 Download federation specific file

Donwload the trust anchor of the metadata signature:
sudo wget http://ca.aai.switch.ch/SWITCHaaiRootCA.crt.pem -P /etc/shibboleth/

Compare the certificate fingerprint with the fingerprint of the SWITCHaai Root CA certificate shown on https://www.switch.ch/pki/aai/:

openssl x509 -in /etc/shibboleth/SWITCHaaiRootCA.crt.pem -fingerprint -sha1 -noout
SHA1 Fingerprint=3C:E2:5A:E0:9D:B4:BB:2B:FD:33:3C:22:80:39:F7:FC:4A:F9:2C:E9

4.5 Enable metadata access at entityID URL

It is recommened to enable at the entityID URL (https://sp.example.org/shibboleth) access to the metadata of the Service Provider.

Define a redirect in the Apache virtual host section of the Service Provider, e.g. /etc/apache2/sites-enabled/sp.example.org:
<VirtualHost sp.example.org:443>

...

  Redirect seeother /shibboleth https://sp.example.org/Shibboleth.sso/Metadata

</VirtualHost>

5. Run & Test

Test the configuration file:
sudo /opt/shibboleth-sp2/sbin/shibd -t -c /etc/shibboleth/shibboleth2.xml
Note If the output is only one line containing this:
overall configuration is loadable, check console for non-fatal problems
It is alright.
Start the Shibboleth daemon:
sudo /etc/init.d/shibd start
Test configuration and restart Apache:
sudo apache2ctl configtest
sudo apache2ctl restart 
For testing purposes, there is the status URL https://sp.example.org/Shibboleth.sso/Status, which returns information about the setup as an XML response.
For accessing the status URL, the accessing host has to be enabled in /etc/shibboleth/shibboleth2.xml:
...
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
...
Warning If the acl attribute is removed, anyone is permited to access the status handler. Please consider, that the status handler can return some potentially sensitive information about your configuration.

AAI Resource Registry

In order to activate your Service Provider within the federation you need to register it with the Resource Registry.
The purpose of the Resource Registry is to have an up-to date list of all Identity Providers and Service Providers in the SWITCHaai Federation.
(See the information about the Resource Registry).

To register a resource:
  1. Go to the AAI Resource Registry.
  2. Log in via SWITCHaai|AAITest. Use your organisation account to get access. In case your organisation doesn't operate yet an AAI Identity Provider, please ask aai@switch.ch for an account.
  3. Click on the tab Resource Administration
  4. Click on Add a Resource Description
  5. Click on Run Shibboleth 2.x assistant
  6. Fill out all forms that are marked incomplete. Some forms do not need to be filled out completely.
  7. After you have completed all sections (they should all be marked as 'optional' or 'ok'), click on Submit for Approval.
    A Resource Registration Authority administrator then has to approve the Resource Description in order to make it active.

Simple Test Resource

For a real test that shows if the Service Provider retrieves any attributes from an Identity Provider, you first must protect a resource,
e.g. https://sp.example.org/secure/.
This can be accomplished by adding the following directives to the Apache site config,
e.g. /etc/apache2/sites-enabled/sp.example.org:
<VirtualHost sp.example.org:443>
...

  <Location /secure>

    AuthType shibboleth
    ShibRequireSession On
    require valid-user
  </Location>

</VirtualHost>
Restart Apache:
sudo apache2ctl restart 
Note Further information about protecting resources with Shibboleth can be found at SWITCHaai - How to protect a resource with Shibboleth access rules web page.

After restarting Apache, try to access: https://sp.example.org/secure/, the authentication should be initiated and you should be redirected either to the WAYF or to an Identity Provider.
Upon successful authentication, you will probably encounter a 404 (File not found) error, because there might be no /secure.
Anyway, if you can access https://sp.example.org/Shibboleth.sso/Session to get information about the session like the issuer (IdP) and released attributes, this proofs the proper operation of the Service Provider.

If more testing is needed, e.g. to get the values of the released attributes, add a simple PHP script into the secure/ directory, like that index.php:
<html><body><pre>
<?php print_r($_SERVER); ?>
</pre></body></html>
This PHP script has to be placed in a Shibboleth protected directory (e.g. /secure from above). If successfully authenticated and authorized, you should see some environment variables contain your user attributes.

6. Troubleshooting

6.1 Logfiles

If some of the above tests are not successful, we recommend to do the following:

Note To avoid a blow up of the logfiles, set the log level after debuging to an accurate level like WARN or INFO.

6.2 Common problems

Following is a list of common problems that you may check:
No log files are written
Check the permissions of the log files or the path for the log files set in /etc/shibboleth/native.logger or /etc/shibboleth/shibd.logger .
No attributes/Certificates problems
Check the Apache SSL certificate with the https://tools.switch.ch/certchaintest/ to make sure the full certificate chain up to the root CA certificate is attached to your certificate.

In case you don't understand or don't find the cause of the error, have a look at the Internet2 Shibboleth SP 2.x - Common Errors web page.

7. Productionalization

Some good practices according Service Provider productionalization:

BEST CURRENT PRACTICES for operating a SWITCHaai Service Provider
The document describes best current practices for operating a Service Provider (SP) within the SWITCHaai federation in production use. It is meant to cover service management and operational related aspects as well as the technical infrastructure for successfully operating an SP.
Subscribe to the SWITCHaai mailing lists
Important information about the SWITCHaai federation are distributed by the AAI-Operations mailing list. Therefore the administrator of the Service Provider should subscribe to the list.
News and announcements are sent by the AAI-Announce mailing list. You might subscribe to it as well.
Customizing error pages
The error pages and messages can be configured in /etc/shibboleth/shibboleth2.xml:
<Errors
  session="sessionError.html"
  metadata="metadataError.html"
  access="accessError.html"
  ssl="sslError.html"
  localLogout="localLogout.html"
  globalLogout="globalLogout.html"
  supportContact="aai@example.org"
  logoLocation="http://www.switch.ch/aai/design/images/SWITCHaai.gif"
  styleSheet="http://www.switch.ch/aai/design/shib-error.css"/>
Adjust at minimum the logoLocation and styleSheet. You may want to fully customize the html pages.
Note See https://wiki.shibboleth.net/confluence/display/SHIB2/Productionalization, section Service Provider for more information.

8. References

--
$Id: index.php 1106 2010-12-22 10:06:13Z reusser $