wiki:ServiceProviderFederation/Archive/SP configuration guide

Version 12 (modified by Sander Maijers, 10 years ago)

Disclaimer

This documentation is provided as-is, should be read and executed carefully, and you should know at all times what you are doing. In case of doubt, don’t follow the steps in this documentation and make your own, more appropriate, assumptions. If you have further questions, send them to clarind-devel@mailman.sfs.uni-tuebingen.de.

Sources to read

This document is revised less regularly than the following documents. Please consult them and do not rely solely on the details in this document.

Step-by-step

Installation

Install the Shibboleth SP daemon (shibd) on your server in whatever way suits you (preferably through a standard OS package).

Configuration

attribute-map.xml

Edit the file attribute-map.xml (usually located in the directory /etc/shibboleth) and uncomment or add the following lines:

<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:o" id="o"/>

shibboleth2.xml

Edit shibboleth2.xml (on Unix usually located in the directory /etc/shibboleth):

  • Add an <ApplicationDefaults> entry containing your entityID. The entityID is an arbitrary string in URI format identifying your SP (and letting others make some assumptions about who runs the SP):
    <ApplicationDefaults entityID="https://your-further-entity-id" 
                         REMOTE_USER="persistent-id">
    
  • Add an <SSO> entry to the <Sessions> section with the entityID of the CLARIN IdP and the link to the Discovery service:
    <SSO entityID="https://idp.clarin.eu" discoveryProtocol="SAMLDS" 
         discoveryURL="https://catalog.clarin.eu/discojuice/idp.html">
         SAML2 SAML1
    </SSO>
    
  • Edit the Errors element to let the user know who he or she may contact in case of an error:
    <Errors supportContact="your-username@your-institution.com"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css" />
    
  • Add or edit the <MetadataProvider> element inside the <ApplicationDefaults> section:
    <MetadataProvider type="XML" uri="https://infra.clarin.eu/aai/prod_md_about_clarin_erics_idp.xml"
                  backingFilePath="prod_md_about_clarin_erics_idp.xml" reloadInterval="7200">
    </MetadataProvider>
    

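The four settings above are easy to get subtly wrong (a placeholder left in place, an http URL, no cached copy of the metadata). The following checker is an added example, not code from this guide or from the Shibboleth project. It parses a constructed shibboleth2.xml (the entityID and supportContact values are invented placeholders; the IdP and metadata URLs are the ones from the steps above) and reports what is missing or weaker than the guide expects. Two checks go beyond the guide's steps: handlerSSL on <Sessions> and a MetadataFilter of type Signature under <MetadataProvider>, both standard Shibboleth SP features that a production deployment should have.

```python
"""Check the shibboleth2.xml settings from the configuration steps above.

Added example, not code from the CLARIN guide or the Shibboleth project.
"""
import xml.etree.ElementTree as ET

EXPECTED_IDP = "https://idp.clarin.eu"

# Constructed sample assembled from the fragments in the guide; the entityID
# and supportContact are placeholders for an imaginary SP.
SAMPLE_CONFIG = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="persistent-id">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true">
      <SSO entityID="https://idp.clarin.eu" discoveryProtocol="SAMLDS"
           discoveryURL="https://catalog.clarin.eu/discojuice/idp.html">
        SAML2 SAML1
      </SSO>
    </Sessions>
    <Errors supportContact="admin@example.org"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
    <MetadataProvider type="XML"
        uri="https://infra.clarin.eu/aai/prod_md_about_clarin_erics_idp.xml"
        backingFilePath="prod_md_about_clarin_erics_idp.xml"
        reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    """Strip the XML namespace so the checks work for SP 2.x and 3.x configs."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First element (elem itself or a descendant) with local name `name`."""
    for child in elem.iter():
        if _local(child.tag) == name:
            return child
    return None


def check_config(xml_text, expected_idp=EXPECTED_IDP):
    """Return a list of human-readable findings; an empty list means all good."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    app = _find(root, "ApplicationDefaults")
    if app is None:
        return ["no <ApplicationDefaults> element"]
    entity_id = app.get("entityID", "")
    if "://" not in entity_id:
        findings.append(f"ApplicationDefaults: entityID must be an absolute URI, got {entity_id!r}")
    if not app.get("REMOTE_USER"):
        findings.append("ApplicationDefaults: REMOTE_USER not set")
    sessions = _find(app, "Sessions")
    if sessions is not None and sessions.get("handlerSSL", "").lower() != "true":
        findings.append("Sessions: handlerSSL should be true so handler traffic is protected by TLS")
    sso = _find(sessions, "SSO") if sessions is not None else None
    if sso is None:
        findings.append("Sessions: no <SSO> element")
    else:
        if sso.get("entityID") != expected_idp:
            findings.append(f"SSO: entityID is {sso.get('entityID')!r}, expected {expected_idp!r}")
        if not sso.get("discoveryURL", "").startswith("https://"):
            findings.append("SSO: discoveryURL should use https")
    errors = _find(app, "Errors")
    contact = errors.get("supportContact", "") if errors is not None else ""
    if "@" not in contact or contact.startswith("your-username"):
        findings.append("Errors: supportContact is missing or still a placeholder")
    mp = _find(app, "MetadataProvider")
    if mp is None:
        findings.append("no <MetadataProvider> element")
    else:
        if not mp.get("uri", "").startswith("https://"):
            findings.append("MetadataProvider: uri should use https")
        if not mp.get("backingFilePath"):
            findings.append("MetadataProvider: backingFilePath missing (no cached copy if the fetch fails)")
        if not mp.get("reloadInterval"):
            findings.append("MetadataProvider: reloadInterval missing")
        has_sig = any(_local(c.tag) == "MetadataFilter" and c.get("type") == "Signature" for c in mp)
        if not has_sig:
            findings.append("MetadataProvider: no Signature MetadataFilter; the aggregate is not signature-verified")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a copy of your real shibboleth2.xml by passing the file contents to check_config(); the sample above produces exactly one finding, the missing Signature filter, which is also the one the guide's own fragment would trigger.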
httpd.conf

Edit httpd.conf (usually located in the directory /etc/apache2):

  • Add AuthType shibboleth and ShibRequireSession On to a Directory entry. It could look like this:
    <Directory /srv/www/htdocs>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Directory>
    

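A Directory block that sets AuthType shibboleth but drops ShibRequireSession On or the Require line is the usual way a "protected" path ends up reachable without a session. The script below is an added example, not part of this guide or of the Shibboleth or Apache projects: it parses Directory and Location blocks from a constructed httpd.conf fragment (the /srv/www/htdocs block is the guide's; the /reports block is an invented weak one) and reports every block that deviates from the pattern above.

```python
"""Report Directory/Location blocks that deviate from the guide's pattern.

Added example, not code from the CLARIN guide, Apache or Shibboleth.
"""
import re

# Constructed sample: the first block is the guide's, the second is a
# deliberately weak block for the checker to catch.
SAMPLE_HTTPD = """
<Directory /srv/www/htdocs>
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user
</Directory>

# constructed weak block: AuthType set, session not required, no Require
<Directory /srv/www/htdocs/reports>
    AuthType shibboleth
    ShibRequireSession Off
</Directory>
"""

_OPEN = re.compile(r"^\s*<(Directory|Location)\s+(\S+)\s*>\s*$", re.I)
_CLOSE = re.compile(r"^\s*</(Directory|Location)\s*>\s*$", re.I)


def parse_blocks(conf_text):
    """Return {path: {directive_lowercase: value}} for each Directory/Location block."""
    blocks, current, directives = {}, None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            current, directives = m.group(2), {}
            continue
        if _CLOSE.match(line):
            if current is not None:
                blocks[current] = directives
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return blocks


def check_httpd(conf_text):
    """Return {path: [problems]} for blocks that do not match the guide's pattern."""
    findings = {}
    for path, d in parse_blocks(conf_text).items():
        problems = []
        if d.get("authtype", "").lower() == "shibboleth":
            if d.get("shibrequiresession", "").lower() != "on":
                problems.append("ShibRequireSession is not On (the guide's protected-directory pattern requires it)")
            if "require" not in d:
                problems.append("no Require directive (the guide uses Require valid-user)")
        elif "shibrequiresession" in d:
            problems.append("ShibRequireSession without AuthType shibboleth has no effect")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in check_httpd(SAMPLE_HTTPD).items():
        print(path, "->", "; ".join(problems))
```

Nested or included configuration files and <If> containers are not followed; feed the checker each file you edited.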
Shibboleth and Apache restart

After editing the three aforementioned files, remember to restart the Shibboleth daemon and the Apache server for the changes to take effect.

metadata.xml

  1. Check out clarin-sp-metadata.xml from https://svn.clarin.eu/aai/.
  2. Get the metadata from your own server (https://yourserver/Shibboleth.sso/Metadata) and correct it (adjust namespaces etc. accordingly).
  3. Open clarin-sp-metadata.xml and go to the section for the metadata of your Shibboleth server, or create one.
  4. Add your corrected metadata to that section.
  5. Execute check_saml_metadata.sh from the subdirectory check-saml-metadata to validate the XML file.
  6. Commit the changes back to https://svn.clarin.eu/aai/.
  7. Wait for the next update (which should happen every hour, so it could take up to an hour until you can log in).
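check_saml_metadata.sh validates the XML of the whole aggregate, but it is worth looking at your own EntityDescriptor before pasting it in. The script below is an added example, not code from this guide, from the CLARIN repository or from the Shibboleth project. It parses a constructed EntityDescriptor of the shape served at /Shibboleth.sso/Metadata (the entityID and hostnames are invented) and reports three things that would weaken or break the entry in the aggregate: an entityID that differs from shibboleth2.xml, endpoints not served over https, and a missing KeyDescriptor. It also flags a validUntil attribute on the entity, which would make the entry expire on its own schedule inside the aggregate. Which namespace changes the guide has in mind is not specified here, so that correction is not automated.

```python
"""Sanity-check an SP EntityDescriptor before adding it to the aggregate.

Added example, not code from the CLARIN guide or the Shibboleth project.
"""
import xml.etree.ElementTree as ET

# Constructed sample with three deliberate problems: a validUntil attribute,
# a plain-http endpoint and no KeyDescriptor.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth"
    validUntil="2015-01-01T00:00:00Z">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://sp.example.org/Shibboleth.sso/SAML/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _local(tag):
    """Strip the namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def check_sp_metadata(xml_text, expected_entity_id):
    """Return a list of findings for one EntityDescriptor; empty means all good."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    if _local(root.tag) != "EntityDescriptor":
        return ["root element is <%s>, expected <EntityDescriptor>" % _local(root.tag)]
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        findings.append("entityID %r does not match shibboleth2.xml (%r)" % (entity_id, expected_entity_id))
    if root.get("validUntil"):
        findings.append("validUntil is set; the entry would expire inside the aggregate, drop it before committing")
    sp = next((e for e in root.iter() if _local(e.tag) == "SPSSODescriptor"), None)
    if sp is None:
        return findings + ["no <SPSSODescriptor>"]
    if not any(_local(e.tag) == "KeyDescriptor" for e in sp):
        findings.append("no <KeyDescriptor>: the IdP has no key to encrypt assertions for this SP")
    # Every endpoint (AssertionConsumerService, SingleLogoutService, ...) carries a Location.
    for endpoint in sp:
        location = endpoint.get("Location")
        if location is not None and not location.startswith("https://"):
            findings.append("%s endpoint %s is not https" % (_local(endpoint.tag), location))
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_SP_METADATA, "https://sp.example.org/shibboleth"):
        print(finding)
```

Pass the entityID from your shibboleth2.xml as the second argument; a mismatch there is the most common reason an otherwise valid entry never lets anyone log in.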

Appendix

Example attribute-map.xml and shibboleth2.xml files and SP metadata are attached to this page.

Metadata IdP

The global file can be found in the SVN repository (https://svn.clarin.eu/aai/), to which you need access anyway.
