Version 12 (modified by 10 years ago) (diff) | ,
---|
Disclaimer
This documentation is provided as-is, should be read and executed carefully and you should know at all time what you are doing. In case of doubt, don’t follow the steps in this documentation and make your own, more appropriate, assumptions. In case you have further questions send them to clarind-devel@mailman.sfs.uni-tuebingen.de.
Sources to read
This document does not have as much priority for regular revision as the following documents. Please consult them and do not fully rely on the details in this document.
- Up-to-date information about the CLARIN Service Provider Federation (SPF): https://www.clarin.eu/spf
- Up-to-date information about the CLARIN IdP https://www.clarin.eu/content/clarin-identity-provider
- Generate the metadata and additional information: https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP
- ApplicationDefaults tag and attributes: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplication
- SSO tag and attributes: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO
- MetadataProvider tag https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider
- Documentation of the DFN: https://www.aai.dfn.de/dokumentation/service-provider/konfiguration/
Step-by-step
Installation
Install Shibboleth daemon on your server in desirable (possibly through a standard OS package) way.
Configuration
attribute-map.xml
Edit the file attribute-map.xml
(usually located in the directory /etc/shibboleth
) and uncomment or add the following lines:
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn"> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> </Attribute> <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/> <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/> <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
shibboleth2.xml
Edit shibboleth2.xml
(on Unix usually located in the directory /etc/shibboleth
):
- Add an
<ApplicationDefaults>
entry containing yourentityID
. TheentityID
is an arbitrary string in URI format identifying your SP (and letting others make some assumptions about who runs the SP):<ApplicationDefaults entityID="https://your-further-entity-id" REMOTE_USER="persistent-id">
- Add an
<SSO>
entry to the Session section with theentityID
of the CLARIN IdP and the link to the Discovery service:<SSO entityID="https://idp.clarin.eu" discoveryProtocol="SAMLDS" discoveryURL="https://catalog.clarin.eu/discojuice/idp.html"> SAML2 SAML1 </SSO>
- Edit the Errors element to let the user know who he or she may contact in case of an error:
<Errors supportContact="your-username@your-institution.com" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css" />
- Add or edit the
<MetadataProvider>
to the<ApplicationDefaults>
section:<MetadataProvider type="XML" uri="https://infra.clarin.eu/aai/prod_md_about_clarin_erics_idp.xml" backingFilePath="prod_md_about_clarin_erics_idp.xml" reloadInterval="7200">
httpd.conf
Edit the httpd.conf
(usually located in the dircetory /etc/apache2
):
- Add
AuthType shibboleth
andShibRequireSession On
so anDirectory
entry. It could look like this:<Directory /srv/www/htdocs> AuthType shibboleth ShibRequireSession On Require valid-user </Directory>
Shibboleth and Apache restart
After editing the three aforementioned files, remember to restart the Shibboleth daemon and the apache server for the changes to take effect.
metadata.xml (cp. [ssec:meta])
- Checkout the clarin-sp-metadata.xml from https://svn.clarin.eu/aai/.
- Get the metadata from your own server (https://yourserver/Shibboleth.sso/Metadata) (cp. [sssec:metaorig]) Correct the metadata (changing namespaces, etc. accordingly) (cp. [sssec:metacorr]).
- Open the clarin-sp-metadata.xml and go to the section for the metadata of your Shibboleth server or create one.
- Add your corrected metadata to the section.
- Execute check_saml_metadata.sh from subdirectory check-saml-metadata to validate the XML file.
- Commit the changes back to https://svn.clarin.eu/aai/.
- Wait for the next update (which should happen every hour, so it could take up to an hour until you can log in)
Appendix
attribute-map.xml, shibboleth2.xml, Metadata SP can be found attached to this page.
Metadata IDP
The global file can be found in the SVN you have to have access to anyway (https://svn.clarin.eu/aai/).
Attachments (5)
-
attribute-map.xml (3.0 KB) - added by 10 years ago.
Attribute Map XML for shibboleth configuration
-
httpd.conf (8.2 KB) - added by 10 years ago.
Apache configuration file for shibboleth configuration
-
metadata-clarin-format.xml (5.5 KB) - added by 10 years ago.
Clarin Idp Metadata Formated
-
metadata-generated.xml (4.1 KB) - added by 10 years ago.
Metedata of SP
-
shibboleth2.xml (5.7 KB) - added by 10 years ago.
Shibboleth configuration file
Download all attachments as: .zip