wiki:ServiceProviderFederation/Archive/SP configuration guide

Context Navigation

Version 7 (modified by Oliver Schonefeld, 10 years ago) (diff)
--

Disclaimer

This documentation is provided as-is, should be read and executed carefully and you should know at all time what you are doing. In case of doubt, don’t follow the steps in this documentation and make your own, more appropriate, assumptions. In case you have further questions send them to Clarind-devel@mailman.sfs.uni-tuebingen.de.

Sources to read

This document does not have as much priority for regular revision as the following documents. Please consult them and do not fully rely on the details in this document.

Up-to-date information about the CLARIN Service Provider Federation (SPF): https://www.clarin.eu/spf
Up-to-date information about the CLARIN IdP: https://www.clarin.eu/content/clarin-identity-provider
Generate the metadata and additional information: https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP
ApplicationDefaults? tag and attributes: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplication
SSO tag and attributes: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO
MetadataProvider? tag https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider
Documentation of the DFN: https://www.aai.dfn.de/dokumentation/service-provider/konfiguration/

Step-by-step

Installation

Install Shibboleth daemon on your server in desirable or standard way.

Configuration

attribute-map.xml

Edit attribute-map.xml in /etc/shibboleth/. Uncomment or add the following lines:

<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>

<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:o" id="o"/>

shibboleth2.xml

Edit shibboleth2.xml in /etc/shibboleth/:

Add an ApplicationDefaults entry containing your entityID (a randomly chosen string, mostly in the format of an URL letting you make some assumptions about who runs the SP):

<ApplicationDefaults entityID="https://sp.phonetik.uni-muenchen.de" 
                     REMOTE_USER="persistent-id">

Add an SSO entry to the Session section with the entityID of the clarin IDP and the link to the discovery service:

<SSO entityID="https://idp.clarin.eu" discoveryProtocol="SAMLDS" 
     discoveryURL="http://catalog.clarin.eu/discojuice/idp.html">
     SAML2 SAML1
</SSO>

Edit the errors section to let the user know who he or she may contact on error:

<Errors supportContact="your-username@your-insitution.com"
        logoLocation="/shibboleth-sp/logo.jpg"
        styleSheet="/shibboleth-sp/main.css" />

Add or edit the MetadataProvider to the ApplicationDefaults section:

<MetadataProvider type="Chaining">
    <MetadataProvider type="XML" 
                      uri="https://infra.clarin.eu/aai/prod_md_about_spf_sps.xml"
                      backingFilePath="prod_md_about_spf_sps.xml" 
                      reloadInterval="7200">
    </MetadataProvider>
</MetadataProvider>

OS: this does not really make sense. Whey would an SP metadata about other SPs? It needs to know the metadata of the IDPs, it's supposed to talk to.

httpd.conf

Edit the httpd.conf in /etc/apache2/:

Add “AuthType? shibboleth” and “ShibRequireSession? On” so an Directory entry could look like this

<Directory /srv/www/htdocs>
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user
</Directory>

Shibboleth and Apache restart

After editing the three aforementioned files, remember to restart the Shibboleth daemon and the apache server for the changes to take effect.

metadata.xml (cp. [ssec:meta])

Checkout the clarin-sp-metadata.xml from https://svn.clarin.eu/aai/ ;
Get the metadata from your own server (https://yourserver/Shibboleth.sso/Metadata) (cp. [sssec:metaorig]) Correct the metadata (changing namespaces, etc. accordingly) (cp. [sssec:metacorr])
Open the clarin-sp-metadata.xml and go to the section for the metadata of your Shibboleth server or create one.
Add your corrected metadata to the section
Execute check_saml_metadata.sh from subdirectory check-saml-metadata to validate the XML file.
Commit the changes back to the svn server
Wait for the next update process (which should happen every hour, so it could take up to an hour until you can log in)

Appendix

attribute-map.xml, shibboleth2.xml, Metadata SP can be found attached to this page.

Metadata IDP

The global file can be found in the SVN you have to have access to anyway (https://svn.clarin.eu/aai/).

Attachments (5)

attribute-map.xml (3.0 KB) - added by Thomas Kisler 10 years ago. Attribute Map XML for shibboleth configuration
httpd.conf (8.2 KB) - added by Thomas Kisler 10 years ago. Apache configuration file for shibboleth configuration
metadata-clarin-format.xml (5.5 KB) - added by Thomas Kisler 10 years ago. Clarin Idp Metadata Formated
metadata-generated.xml (4.1 KB) - added by Thomas Kisler 10 years ago. Metedata of SP
shibboleth2.xml (5.7 KB) - added by Thomas Kisler 10 years ago. Shibboleth configuration file

Download all attachments as: .zip

Download in other formats:

Plain Text