Course on how to turn web-based services into Service Providers of Identity Federations

Course on how to transform your application into a federated service. The program for this course covers the installation and configuration (basic and advanced) of the Shibboleth SP. The course will in clude hands-on exercises that allow participants to experience soon ease and speed of implementation of the SSO.

Course requirements For the exercise you need to have your own computer and you should be able to run a Linux virtual machine on VirtualBox. Additional instructions that allow you to properly prepare your PC will be part of the course description on the course platform.

This matherial includes a set of handson sessions referenced from the video lessons. For all the sessions in the specific folder, a script implementing the solution is present.

The hands on sessions are the following:

01_SESSION: installation and base configuration of an SP

This exercise will request to install and configure Shibboleth SP to protect the resources into a specific folder on Apache. The main steps to be followed to execute this exercise are:

• install required packages, on Ubuntu execute

  apt-get install libapache2-mod-shib2 apache2 ntp php5 openssl
  

• download the metadata signer certificate from the URL provided by the federation operators

  wget https://sp.lab.unimo.it/metadata-signer.crt -O /etc/shibboleth/metadata-signer.crt
  

• copy SP certificates from the files provided within this repo

  cp /home/testuser/SP_COURSE/01_SESSION/shibboleth/sp-*.pem /etc/shibboleth
  

• edit the file /etc/shibboleth/shibboleth2.xml by specifying:
  • entityID="https://sp1.local/shibboleth"
  • <SSO entityID="https://idp-corso.irccs.garr.it/idp/shibboleth"
  • configure the MetadataProvider to download the metadata file from the URL provided by the federation operator
• download the metadata from the URL provided by the federation operator and change ownership

  https://sp.lab.unimo.it/rr3/signedmetadata/federation/fed-corso/metadata.xml -O signed-test-metadata.xml
  chown _shibd._shibd signed-test-metadata.xml
  

• test shibboleth configuration

  shibd -t
  

• modify apache2 configuration editing file /etc/apache2/sites-enabled/service_provider.conf and protecting the intranet location
• restert services to apply modifications

  service shibd restart
  service apache2 restart
  

02_SESSION - application example PHP

This exercise will request to create a sample PHP application to test parameter passing after Shibboleth login. The main steps to be followed to execute this exercise are:

• edit /etc/shibboleth/attribute-map.xml file and uncomment all commented parts
• create a sample PHP application in /var/www/html/intranet/sample.php with the content in course slide matherial
• restert services to apply modifications

  service shibd restart
  

03_SESSION - application example Python/CGI

This exercise will request to create a sample CGI/Python application to test parameter passing after Shibboleth login. The main steps to be followed to execute this exercise are:

• create a sample CGI/Python application in /var/www/html/intranet/sample.py with the content in course slide matherial
• make the script executable

  chmod +x /var/www/html/intranet/sample.py
  

• check the the CGI module is already enabled in Apache2

  a2enmod mod_cgi
  

• restart services to apply modifications

  service apache2 restart
  service shibd restart
  

04_SESSION application example Java

This exercise will request to create a sample Java application to test parameter passing after Shibboleth login. The main steps to be followed to execute this exercise are:

• install missing packages, in particular install tomcat7

  apt-get install tomcat7
  

• modify file /etc/shibboleth/shibboleth2.xml to add attributePrefix="AJP_" in ApplicationDefaults tag.
• modify tomcat configuration to enable AJP connector on port 8009, the connector must be enable din /etc/tomcat7/server.xml file and must have tomcatAuthentication="false" parameter set
• modify the apache configuration in file /etc/apache2/sites-available/service_provider.conf by specifying:

  <Location /SPCourse>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require shib-session
  </Location>
  
  ProxyPass        /SPCourse ajp://localhost:8009/SPCourse
  ProxyPassReverse /SPCourse ajp://localhost:8009/SPCourse
  

• deploy war application to tomcat server

  cp /home/testuser/SP_COURSE/04_SESSION/tomcat7/SPCourse.war /var/lib/tomcat7/webapps/
  

• restart services to apply modifications

  service shibd restart
  service apache2 restart
  service tomcat7 restart
  

05_SESSION application example Lazy Session

This exercise will configure a lazy session page on a PHP application. The main steps to be followed to execute this exercise are:

• modify the apache configuration in file /etc/apache2/sites-available/service_provider.conf by specifying:

  <Location /lazy.php>
  

AuthType shibboleth
ShibRequestSetting requireSession false
Require shibboleth
 </Location>
 ```

• create a sample lazy session page in PHP in the file /var/www/html/lazy.py with the content from the course slides matherial
• restart services to apply modifications

  service apache2 restart
  service shibd restart
  

06_SESSION configuring multiple virtualhost

This exercise will configure an SP serving multiple virtual hosts on the same server. The main steps to be followed to execute this exercise are:

• configure multiple virtual hosts in apache2
• download on your PC the SP metadata obtained from https://sp1.local/Shibboleth.sso/MetadataProvider
• edit the downloaded metadata file by adding a new Assertion Consumer Service (ACS) with protocol HTTP-POST and with hostname sp2.local
• share the new metadata file with the federation operators to receive it and share to all trusted entries.

07_SESSION access control configuration in Apache

This exercise will permit to configure access control rules inside Apache. The main steps to be followed to execute this exercise are:

• you can check the affiliation attribute for your user visiting https://sp1.local/Shibboleth.sso/Session after a successful Shibboleth login
• create a page /var/www/html/affiliation_staff.html with a static content, this page will be used as an example and shown only to users with staff affilitation
• modify the apache configuration in file /etc/apache2/sites-available/service_provider.conf by specifying:

  <Location /affiliation_staff.html>
      AuthType shibboleth
      ShibRequestSetting requireSession true
      Require shib-attr affiliation staff@irccs.garr.it
  </Location>
  

• restart services to apply modifications

  service apache2 restart
  service shibd restart
  

08_SESSION access control configuration in the SP

This exercise will permit to configure access control rules inside Apache. The main steps to be followed to execute this exercise are:

• you can check the affiliation attribute for your user visiting https://sp1.local/Shibboleth.sso/Session after a successful Shibboleth login
• create a page /var/www-sp2.local/html/affiliation_staff.html with a static content, this page will be used as an example and shown only to users with staff affilitation
• modify the apache configuration in file /etc/apache2/sites-available/sp2.local.conf by specifying:

  <Location />
      AuthType shibboleth
      Require shibboleth
  </Location>
  

• modify the shibboleth SP configuration in file /etc/shibboleth2.xml by specifying:

  <RequestMapper type="Native">
     <RequestMap>
          <Host name="sp2.local">
             <Path name="intranet/intranet.html" authType="shibboleth" requireSession="true" />
             <Path name="affiliation_staff.html" authType="shibboleth" requireSession="true">
                 <AccessControl>
                     <Rule require="affiliation">staff@irccs.garr.it</Rule>
                 </AccessControl>
             </Path>
          </Host>
      </RequestMap>
  </RequestMapper>
  

• restart services to apply modifications

  service apache2 restart
  service shibd restart
  

09_SESSION configuring a centralized DS

This exercise will permit to configure the SP to authenticate with a centralized Discovery Service. The main steps to be followed to execute this exercise are:

• modify the shibboleth SP configuration in file /etc/shibboleth2.xml by specifying:

  <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.idem-test.garr.it/WAYF">
      SAML2 SAML1
  </SSO>
  

• restart services to apply modifications

  service apache2 restart
  service shibd restart
  

10_SESSION configuring an embedded DS

This exercise will permit to configure the SP to authenticate with an embedded Discovery Service. The main steps to be followed to execute this exercise are:

• install the Shibboleth embedded DS

  cp shibboleth-embedded-ds-1.0.2.tar.gz /usr/local/src
  cd /usr/local/src ; tar -zxf shibboleth-embedded-ds-1.0.2.tar.gz
  cd shibboleth-embedded-ds-1.0.2 ; make install
  

• edit the apache site configurationf or shibboleth ds in /etc/apache2/sites-available/shibboleth-ds.conf

  <IfModule mod_alias.c>
      <Location /shibboleth-ds>
          Allow from all
      </Location>
      Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
      Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
      Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
      Alias /shibboleth-ds/index.html /etc/shibboleth-ds/index.html
  </IfModule>
  

• enable shibboleth-ds site in apache configuration

  a2ensite shibboleth-ds.conf
  

• modify the shibboleth SP configuration in file /etc/shibboleth2.xml by specifying:

  <SSO discoveryProtocol="SAMLDS" discoveryURL="https://sp1.local/shibboleth-ds/index.html">
     SAML2 SAML1
  </SSO>
  
  ...
  
  <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
  

• restart services to apply modifications

  service apache2 restart
  service shibd restart