| 1 | | = Disclaimer = |
| 2 | | |
| 3 | | This documentation is provided as-is, should be read and executed carefully and you should know at all time what you are doing. In case of doubt, don’t follow the steps in this documentation and make your own, more appropriate, assumptions. In case you have further questions send them to spf@clarin.eu. |
| 4 | | |
| 5 | | = Sources to read = |
| 6 | | This document does not have as much priority for regular revision as the following documents. Please consult them and do not fully rely on the details in this document. |
| 7 | | * Up-to-date information about the CLARIN Service Provider Federation (SPF): [https://www.clarin.eu/spf] |
| 8 | | * Up-to-date information about the CLARIN IdP [https://www.clarin.eu/content/clarin-identity-provider] |
| 9 | | * Generate the metadata and additional information: [https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP] |
| 10 | | * !ApplicationDefaults tag and attributes: [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplication] |
| 11 | | * SSO tag and attributes: [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO] |
| 12 | | * !MetadataProvider tag [https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider] |
| 13 | | * Documentation of the DFN: [https://www.aai.dfn.de/dokumentation/service-provider/konfiguration/] |
| 14 | | |
| 15 | | = Step-by-step = |
| 16 | | |
| 17 | | == Installation == |
| 18 | | Install Shibboleth daemon on your server in desirable (possibly through a standard OS package) way. |
| 19 | | |
| 20 | | == Configuration == |
| 21 | | |
| 22 | | ==== attribute-map.xml ==== |
| 23 | | Edit the file `attribute-map.xml` (usually located in the directory `/etc/shibboleth`) and uncomment or add the following lines: |
| 24 | | {{{#!xml |
| 25 | | <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"> |
| 26 | | <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> |
| 27 | | </Attribute> |
| 28 | | |
| 29 | | <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/> |
| 30 | | <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/> |
| 31 | | <Attribute name="urn:mace:dir:attribute-def:o" id="o"/> |
| 32 | | }}} |
| 33 | | |
| 34 | | ==== shibboleth2.xml ==== |
| 35 | | Edit `shibboleth2.xml` (on Unix usually located in the directory `/etc/shibboleth`): |
| 36 | | * Add an `<ApplicationDefaults>` entry containing your `entityID`. The `entityID` is an arbitrary string in URI format identifying your SP (and letting others make some assumptions about who runs the SP): |
| 37 | | {{{#!xml |
| 38 | | <ApplicationDefaults entityID="https://your-further-entity-id" |
| 39 | | REMOTE_USER="persistent-id"> |
| 40 | | }}} |
| 41 | | |
| 42 | | * Add an `<SSO>` entry to the Session section with the `entityID` of the CLARIN IdP and the link to the Discovery service: |
| 43 | | {{{#!xml |
| 44 | | <SSO entityID="https://idp.clarin.eu" discoveryProtocol="SAMLDS" |
| 45 | | discoveryURL="https://catalog.clarin.eu/discojuice/idp.html"> |
| 46 | | SAML2 SAML1 |
| 47 | | </SSO> |
| 48 | | }}} |
| 49 | | |
| 50 | | * Edit the Errors element to let the user know who he or she may contact in case of an error: |
| 51 | | {{{#!xml |
| 52 | | <Errors supportContact="your-username@your-institution.com" |
| 53 | | logoLocation="/shibboleth-sp/logo.jpg" |
| 54 | | styleSheet="/shibboleth-sp/main.css" /> |
| 55 | | }}} |
| 56 | | |
| 57 | | * Add or edit the `<MetadataProvider>` to the `<ApplicationDefaults>` section: |
| 58 | | {{{#!xml |
| 59 | | <MetadataProvider type="XML" uri="https://infra.clarin.eu/aai/prod_md_about_clarin_erics_idp.xml" |
| 60 | | backingFilePath="prod_md_about_clarin_erics_idp.xml" reloadInterval="7200"> |
| 61 | | }}} |
| 62 | | |
| 63 | | |
| 64 | | ==== httpd.conf ==== |
| 65 | | Edit the `httpd.conf` (usually located in the dircetory `/etc/apache2`): |
| 66 | | * Add `AuthType shibboleth` and `ShibRequireSession On` so an `Directory` entry. It could look like this: |
| 67 | | {{{#!xml |
| 68 | | <Directory /srv/www/htdocs> |
| 69 | | AuthType shibboleth |
| 70 | | ShibRequireSession On |
| 71 | | Require valid-user |
| 72 | | </Directory> |
| 73 | | }}} |
| 74 | | |
| 75 | | |
| 76 | | ==== Shibboleth and Apache restart ==== |
| 77 | | After editing the three aforementioned files, remember to restart the Shibboleth daemon and the apache server for the changes to take effect. |
| 78 | | |
| 79 | | ==== metadata.xml (cp. [ssec:meta]) ==== |
| 80 | | |
| 81 | | 1. Checkout the clarin-sp-metadata.xml from [https://svn.clarin.eu/aai/]. |
| 82 | | 1. Get the metadata from your own server (https://yourserver/Shibboleth.sso/Metadata) (cp. [sssec:metaorig]) Correct the metadata (changing namespaces, etc. accordingly) (cp. [sssec:metacorr]). |
| 83 | | 1. Open the clarin-sp-metadata.xml and go to the section for the metadata of your Shibboleth server or create one. |
| 84 | | 1. Add your corrected metadata to the section. |
| 85 | | 1. Execute check_saml_metadata.sh from subdirectory check-saml-metadata to validate the XML file. |
| 86 | | 1. Commit the changes back to [https://svn.clarin.eu/aai/]. |
| 87 | | 1. Wait for the next update (which should happen every hour, so it could take up to an hour until you can log in) |
| 88 | | |
| 89 | | = Appendix = |
| 90 | | |
| 91 | | attribute-map.xml, shibboleth2.xml, Metadata SP can be found attached to this page. |
| 92 | | |
| 93 | | == Metadata IDP == |
| 94 | | |
| 95 | | The global file can be found in the SVN you have to have access to anyway ([https://svn.clarin.eu/aai/]). |
| | 1 | This tutorial has been superseded by https://github.com/clarin-eric/SPF-tutorial |
