Version 7 (modified 10 years ago)
Disclaimer
This documentation is provided as-is; it should be read and executed carefully, and you should know at all times what you are doing. In case of doubt, don't follow the steps in this documentation; make your own, more appropriate, assumptions instead. In case you have further questions, send them to Clarind-devel@mailman.sfs.uni-tuebingen.de.
Sources to read
This document is not revised as regularly as the following documents. Please consult them and do not rely solely on the details given here.
- Up-to-date information about the CLARIN Service Provider Federation (SPF): https://www.clarin.eu/spf
- Up-to-date information about the CLARIN IdP: https://www.clarin.eu/content/clarin-identity-provider
- Generate the metadata and additional information: https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP
- ApplicationDefaults tag and attributes: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplication
- SSO tag and attributes: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO
- MetadataProvider tag: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider
- Documentation of the DFN: https://www.aai.dfn.de/dokumentation/service-provider/konfiguration/
Step-by-step
Installation
Install the Shibboleth SP daemon on your server in the way you prefer or in the standard way for your distribution.
Configuration
attribute-map.xml
Edit attribute-map.xml in /etc/shibboleth/. Uncomment or add the following lines:
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
shibboleth2.xml
Edit shibboleth2.xml in /etc/shibboleth/:
- Add an ApplicationDefaults entry containing your entityID (a freely chosen string, usually in the form of a URL that lets others infer who runs the SP):
<ApplicationDefaults entityID="https://sp.phonetik.uni-muenchen.de" REMOTE_USER="persistent-id">
- Add an SSO entry to the Sessions section with the entityID of the CLARIN IdP and the link to the discovery service:
    <SSO entityID="https://idp.clarin.eu" discoveryProtocol="SAMLDS" discoveryURL="http://catalog.clarin.eu/discojuice/idp.html">
        SAML2 SAML1
    </SSO>
- Edit the Errors section so that users know whom to contact when an error occurs:
    <Errors supportContact="your-username@your-institution.com" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css" />
- Add or edit the MetadataProvider in the ApplicationDefaults section:
    <MetadataProvider type="Chaining">
        <MetadataProvider type="XML" uri="https://infra.clarin.eu/aai/prod_md_about_spf_sps.xml" backingFilePath="prod_md_about_spf_sps.xml" reloadInterval="7200">
        </MetadataProvider>
    </MetadataProvider>
OS: this does not really make sense. Why would an SP need metadata about other SPs? It needs to know the metadata of the IdPs it's supposed to talk to.
httpd.conf
Edit the httpd.conf in /etc/apache2/:
- Add "AuthType shibboleth" and "ShibRequireSession On", so that a Directory entry could look like this:
    <Directory /srv/www/htdocs>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Directory>
Shibboleth and Apache restart
After editing the three files above, remember to restart the Shibboleth daemon and the Apache server for the changes to take effect.
metadata.xml (cp. [ssec:meta])
- Check out clarin-sp-metadata.xml from https://svn.clarin.eu/aai/
- Get the metadata from your own server (https://yourserver/Shibboleth.sso/Metadata) (cp. [sssec:metaorig])
- Correct the metadata (changing namespaces, etc. accordingly) (cp. [sssec:metacorr])
- Open the clarin-sp-metadata.xml and go to the section for the metadata of your Shibboleth server or create one.
- Add your corrected metadata to the section
- Execute check_saml_metadata.sh from subdirectory check-saml-metadata to validate the XML file.
- Commit the changes back to the SVN server
- Wait for the next update process (which should happen every hour, so it could take up to an hour until you can log in)
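Before committing the corrected metadata in the steps above, a structural sanity check catches the mistakes that otherwise only show up as a failed login an hour later. The following Python script is an added example, not part of this page or of check_saml_metadata.sh; the SP metadata it parses is a constructed sample (only the entityID is taken from the shibboleth2.xml excerpt above), and the checks it applies (entityID matches ApplicationDefaults, a certificate is published, every AssertionConsumerService is an https endpoint on the SP's own host) are my own selection.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespaces (standard values, not page-specific).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of a /Shibboleth.sso/Metadata response; entityID is the one
# from shibboleth2.xml above, the second endpoint is plain http on purpose.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.phonetik.uni-muenchen.de">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.phonetik.uni-muenchen.de/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.phonetik.uni-muenchen.de/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def check_sp_metadata(xml_text, expected_entity_id):
    """Return a list of problems (empty = passed): entityID must match the
    ApplicationDefaults value, a certificate must be published, and every
    AssertionConsumerService must be an https endpoint on the SP's own host."""
    problems = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(f"entityID {entity_id!r} differs from {expected_entity_id!r}")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        return problems + ["no SPSSODescriptor element"]
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    if spsso.find(cert_path, NS) is None:
        problems.append("no X509Certificate in any KeyDescriptor")
    sp_host = urlparse(expected_entity_id).hostname
    for acs in spsso.findall("md:AssertionConsumerService", NS):
        loc = urlparse(acs.get("Location", ""))
        if loc.scheme != "https":
            problems.append(f"ACS index {acs.get('index')} is not https: {loc.geturl()}")
        if loc.hostname != sp_host:
            problems.append(f"ACS index {acs.get('index')} is not on {sp_host}: {loc.geturl()}")
    return problems
```

Run it against the output of https://yourserver/Shibboleth.sso/Metadata with your own entityID; an empty list means the metadata is consistent with shibboleth2.xml before you paste it into clarin-sp-metadata.xml.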
Appendix
attribute-map.xml, shibboleth2.xml and the SP metadata can be found attached to this page.
Metadata IDP
The global file can be found in the SVN repository (https://svn.clarin.eu/aai/), to which you need access anyway.
Attachments (5)
- attribute-map.xml (3.0 KB) - added 10 years ago. Attribute map XML for the Shibboleth configuration
- httpd.conf (8.2 KB) - added 10 years ago. Apache configuration file for the Shibboleth configuration
- metadata-clarin-format.xml (5.5 KB) - added 10 years ago. CLARIN IdP metadata, formatted
- metadata-generated.xml (4.1 KB) - added 10 years ago. Metadata of the SP
- shibboleth2.xml (5.7 KB) - added 10 years ago. Shibboleth configuration file