Guides: Debian GNU/Linux 5.0 with backports packages Debian GNU/Linux 5.0 from sources Linux with RPM packages Windows with IIS Solaris from sources Mac OS X with MacPorts  
  
URL: https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.3/sp/deployment/mac-ports.html
Author: Halm Reusser - SWITCH
$Date: 2010-12-22 11:06:13 +0100 (Mi, 22 Dez 2010) $
$Revision: 1106 $
  

Deployment of Shibboleth Service Provider (SP) 2.3.1 on
Mac OS X with MacPorts

Table of contents

0. Introduction

Note For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the deployment section of the SWITCHaai website.

This guide describes the installation & configuration of a Shibboleth Sevice Provider (SP) 2.3.1 on a Mac OS X with MacPorts. It covers the installation of the Shibboleth Webserver authentication module as well as the Shibboleth daemon and its configuration for the SWITCHaai federation.

For further information about Shibboleth Sevice Provider, take a look at the references.

Assumption

Before starting to install Shibboleth Sevice Provider, assure that the following prerequisites are met:
A proper certificate
For decrypting the assertions and/or provide an SSL connection to the resource, a certificate is required.
Please refer to http://www.switch.ch/aai/certificates/ for further information about certificates.
You can use the same certificate for the SSL webserver connection and for Shibboleth Service Provider.
It is also possible to create a self-signed certificate for communciation usage between the Shibboleth components.
If you need that opportunity, please follow the steps described below.

Known issues

Follwing issues are known and should be take into account when installing a Shibboleth Service Provider:
libcurl SSL/TLS support
Please be aware that the Shibboleth Service Provider requires that the libcurl library is linked against openssl and not gnutls.

1. Setup Profile

For convenience, you may decide to dynamically profile your setup by providing some information about your environment in the this step.

In which federation you will deploy your SP?
What is the FQDN of your service?
Define an unique identifier of your Service Provider, called entityID:
Note In cases where the service host name (e.g. elearning.example.org) is different from the system name (e.g. web-host27.example.org), one should always use the service hostname for URLs and the Service Provider's entityID.
Where should your Shibboleth configuration directory be?
Note The location of your custom configuration should be separated in the /opt/local/etc/shibboleth/ directory. It allows you to upgrade the Shibboleth Service Provider software without overwriting your existing configuration. When migrating from a Shibboleth Service Provider 1.x to 2.x, this way the two configurations are kept separate from each other.
Where is your X509 key located?
Where is your X509 certificate located?
What is your installation directory?
What is your log directory?
What is the home URL of your resource?
What is the support contact of your resource?

1.1 Quick download configuration files

If you are in a hurry and know the whole setup process, you can download all relevant configuration files here:

2. Prerequisites

Before starting to build and configure the Shibboleth Sevice Provider, assure that the following prerequisites are met:
Apache HTTP 2.2
For configuration, see at the Apache HTTP documentation in the references.
NTP
Servers running Shibboleth must have their system time synchronized in order to avoid clock-skew errors:
MacPorts build environment
MacPorts is a software package similar to the BSD ports facility that uses descriptors called Portfiles to download and install open source packages. Project website: http://www.macports.org/.

3. Installation

Please follow the instructions on https://spaces.internet2.edu/display/SHIB2/NativeSPMacPortInstallation or listed below.

Warning If you are using Mac OS X Leopard (10.5), there are some issues with the core foundation libraries, which have a weird logging behavior.
Please follow these instructions to patch the xerces-c library, before you run port install shibboleth:
mkdir -p ports/shibboleth/xercesc/files
curl https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.3/sp/deployment/download/xerces-c-nocf.diff -o ports/shibboleth/xercesc/files/xerces-c-nocf.diff 
echo "patch.pre_args  -p1" >> ports/shibboleth/xercesc/Portfile
echo "patchfiles xerces-c-nocf.diff" >> ports/shibboleth/xercesc/Portfile
\n"); $stop = strpos($raw, "\n
\n", $start); $content = substr($raw, $start, $stop-$start) . "

4. Configuration

4.1 Self-signed certificate generation

Note You can skip this if you are going to use a certificate from a well known CA or if you already created a self signed certificate in a previous installation.
Note Please consider that a self-signed certificate has to fulfil some requirements. Using the command below will respect those requirements.

For creating a self signed certificate follow these steps:

cd /opt/local/etc/shibboleth/    
/opt/local/etc/shibboleth/keygen.sh -h sp.example.org -y 3 -e https://sp.example.org/shibboleth    

4.2 Logging

The Shibboleth Apache module log is configured by /opt/local/etc/shibboleth/native.logger
The Shibboleth daemon and the transaction log are configured by /opt/local/etc/shibboleth/shibd.logger

4.3 Shibboleth service provider

The main configuration of the Shibboleth Service Provider is done in /opt/local/etc/shibboleth/shibboleth2.xml:
Download the attribute map, where the attribute definition and its map to the HTTP-Header names are done:
sudo wget -nc https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.3/sp/deployment/download/attribute-map.xml -P /opt/local/etc/shibboleth/
Warning In case of an update, you should backup your /opt/local/etc/shibboleth/attribute-map.xml first!
Note By default, Shibboleth 2.x uses environment variables instead of HTTP headers to improve security. If you need the HTTP Headers (i.e. by using mod_jk) you have to set the Apache directive ShibUseHeaders On within your protected application. For further information, refer to the Internet 2 Shibbolet SP 2 documentation.
Download the attribute filtering policy (aka. AAP):
sudo wget -nc  https://help.switch.ch/aai/docs/shibboleth/SWITCH/2.3/sp/deployment/download/attribute-policy.xml -P /opt/local/etc/shibboleth/
Warning In case of an update, you should backup your /opt/local/etc/shibboleth/attribute-policy.xml first!

4.4 Download federation specific file

Donwload the trust anchor of the metadata signature:
sudo wget http://ca.aai.switch.ch/SWITCHaaiRootCA.crt.pem -P /opt/local/etc/shibboleth/

Compare the certificate fingerprint with the fingerprint of the SWITCHaai Root CA certificate shown on https://www.switch.ch/pki/aai/:

openssl x509 -in /opt/local/etc/shibboleth/SWITCHaaiRootCA.crt.pem -fingerprint -sha1 -noout
SHA1 Fingerprint=3C:E2:5A:E0:9D:B4:BB:2B:FD:33:3C:22:80:39:F7:FC:4A:F9:2C:E9

4.5 Enable metadata access at entityID URL

It is recommened to enable at the entityID URL (https://sp.example.org/shibboleth) access to the metadata of the Service Provider.

Define a redirect in the Apache virtual host section of the Service Provider, e.g. /etc/apache2/sites-enabled/sp.example.org:
<VirtualHost sp.example.org:443>

...

  Redirect seeother /shibboleth https://sp.example.org/Shibboleth.sso/Metadata

</VirtualHost>

5. Run & Test

Test the configuration file:
sudo /opt/local/sbin/shibd -t -c /opt/local/etc/shibboleth/shibboleth2.xml
Note If the output is only one line containing this:
overall configuration is loadable, check console for non-fatal problems
It is alright.
Start the Shibboleth daemon:
sudo launchctl load -Fw /Library/LaunchDaemons/org.macports.shibd.plist
Test configuration and restart Apache:
sudo apachectl configtest
sudo apachectl restart 
For testing purposes, there is the status URL https://sp.example.org/Shibboleth.sso/Status, which returns information about the setup as an XML response.
For accessing the status URL, the accessing host has to be enabled in /opt/local/etc/shibboleth/shibboleth2.xml:
...
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
...
Warning If the acl attribute is removed, anyone is permited to access the status handler. Please consider, that the status handler can return some potentially sensitive information about your configuration.

AAI Resource Registry

In order to activate your Service Provider within the federation you need to register it with the Resource Registry.
The purpose of the Resource Registry is to have an up-to date list of all Identity Providers and Service Providers in the SWITCHaai Federation.
(See the information about the Resource Registry).

To register a resource:
  1. Go to the AAI Resource Registry.
  2. Log in via SWITCHaai|AAITest. Use your organisation account to get access. In case your organisation doesn't operate yet an AAI Identity Provider, please ask aai@switch.ch for an account.
  3. Click on the tab Resource Administration
  4. Click on Add a Resource Description
  5. Click on Run Shibboleth 2.x assistant
  6. Fill out all forms that are marked incomplete. Some forms do not need to be filled out completely.
  7. After you have completed all sections (they should all be marked as 'optional' or 'ok'), click on Submit for Approval.
    A Resource Registration Authority administrator then has to approve the Resource Description in order to make it active.

Simple Test Resource

For a real test that shows if the Service Provider retrieves any attributes from an Identity Provider, you first must protect a resource,
e.g. https://sp.example.org/secure/.
This can be accomplished by adding the following directives to the Apache site config,
e.g. /etc/apache2/sites-enabled/sp.example.org:
<VirtualHost sp.example.org:443>
...

  <Location /secure>

    AuthType shibboleth
    ShibRequireSession On
    require valid-user
  </Location>

</VirtualHost>
Restart Apache:
sudo apache2ctl restart 
Note Further information about protecting resources with Shibboleth can be found at SWITCHaai - How to protect a resource with Shibboleth access rules web page.

After restarting Apache, try to access: https://sp.example.org/secure/, the authentication should be initiated and you should be redirected either to the WAYF or to an Identity Provider.
Upon successful authentication, you will probably encounter a 404 (File not found) error, because there might be no /secure.
Anyway, if you can access https://sp.example.org/Shibboleth.sso/Session to get information about the session like the issuer (IdP) and released attributes, this proofs the proper operation of the Service Provider.

If more testing is needed, e.g. to get the values of the released attributes, add a simple PHP script into the secure/ directory, like that index.php:
<html><body><pre>
<?php print_r($_SERVER); ?>
</pre></body></html>
This PHP script has to be placed in a Shibboleth protected directory (e.g. /secure from above). If successfully authenticated and authorized, you should see some environment variables contain your user attributes.

6. Troubleshooting

6.1 Logfiles

If some of the above tests are not successful, we recommend to do the following:

Note To avoid a blow up of the logfiles, set the log level after debuging to an accurate level like WARN or INFO.

6.2 Common problems

Following is a list of common problems that you may check:
No log files are written
Check the permissions of the log files or the path for the log files set in /opt/local/etc/shibboleth/native.logger or /opt/local/etc/shibboleth/shibd.logger .
No attributes/Certificates problems
Check the Apache SSL certificate with the https://tools.switch.ch/certchaintest/ to make sure the full certificate chain up to the root CA certificate is attached to your certificate.

In case you don't understand or don't find the cause of the error, have a look at the Internet2 Shibboleth SP 2.x - Common Errors web page.

7. Productionalization

Some good practices according Service Provider productionalization:

BEST CURRENT PRACTICES for operating a SWITCHaai Service Provider
The document describes best current practices for operating a Service Provider (SP) within the SWITCHaai federation in production use. It is meant to cover service management and operational related aspects as well as the technical infrastructure for successfully operating an SP.
Subscribe to the SWITCHaai mailing lists
Important information about the SWITCHaai federation are distributed by the AAI-Operations mailing list. Therefore the administrator of the Service Provider should subscribe to the list.
News and announcements are sent by the AAI-Announce mailing list. You might subscribe to it as well.
Customizing error pages
The error pages and messages can be configured in /opt/local/etc/shibboleth/shibboleth2.xml:
<Errors
  session="sessionError.html"
  metadata="metadataError.html"
  access="accessError.html"
  ssl="sslError.html"
  localLogout="localLogout.html"
  globalLogout="globalLogout.html"
  supportContact="aai@example.org"
  logoLocation="http://www.switch.ch/aai/design/images/SWITCHaai.gif"
  styleSheet="http://www.switch.ch/aai/design/shib-error.css"/>
Adjust at minimum the logoLocation and styleSheet. You may want to fully customize the html pages.
Note See https://wiki.shibboleth.net/confluence/display/SHIB2/Productionalization, section Service Provider for more information.

8. References

--
$Id: index.php 1106 2010-12-22 10:06:13Z reusser $