Shibboleth 2.0 IdP Training: Basics and Installation

  • January, 2009

IdP Basics: Terms – SAML

  • Security Access Markup Language

  • XML-based standard for authentication and authorization data interchange

  • Identity Provider – producer of assertions

  • Service Provider – consumer of assertions

  • Current Version: 2.0

  • Shibboleth 2.0 implements SAML 2.0

IdP Basics: Terms – Entity ID

  • A unique URI for a Shibboleth Identity Provider (IdP) or Service Provider (SP)

  • The recommended format is a URL

  • InCommon Federation uses URNs:

IdP Basics: Terms – Relying Party

  • The SAML peer with which the IdP is communicating

  • For an IdP, the peer is in most cases an SP

IdP Basics: Terms – Profile

  • A description of how to use SAML to accomplish a specific task

  • Profiles define the interface for SAML peers

IdP Basics: Terms – Metadata

  • A description of the SAML features supported by a SAML entity

  • This includes the URLs for communicating with the entity

  • Shibboleth also uses this information to build technical trust between entities

IdP Installation Prerequisites

  • Three basic prerequisites for installation:

    • Java Virtual Machine

    • Java Servlet Container

    • HTTP Listener

  • You should be comfortable installing software on your platform

Apache Tomcat Shibboleth Prerequisites

  • Set in TOMCAT_HOME/conf/server.xml

  • Turn off Apache Tomcat authentication (optional)

  • Set AJP listener to accept connections from localhost only
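As an added example, not taken from the training deck, here is the Connector section of TOMCAT_HOME/conf/server.xml that implements the three settings above. The port numbers are Tomcat's defaults and the attribute names are standard Tomcat Connector attributes; everything else in the file (Engine, Host, the IdP context) is left as the installer or your platform set it up.

```xml
<!-- Added example: the Connector elements inside <Service name="Catalina">
     in TOMCAT_HOME/conf/server.xml. Not from the training slides; the ports
     are Tomcat defaults. -->

<!-- Plain HTTP listener, used to verify the installation
     (http://<host>:8080/idp/). Once Apache HTTPD is the listener that faces
     the network, either remove this connector or add address="127.0.0.1"
     so that it is reachable only from the machine itself. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- AJP listener that mod_proxy_ajp in Apache HTTPD connects to.
     address="127.0.0.1": accept AJP connections from localhost only. AJP
       carries no authentication of its own and lets the client set request
       attributes, so it must never be reachable from the network.
     tomcatAuthentication="false": the optional "turn off Tomcat
       authentication" step. Tomcat stops authenticating AJP requests itself
       and accepts the REMOTE_USER that Apache HTTPD forwards; only do this
       when Apache is the component performing authentication.
     enableLookups="false": no reverse DNS lookup per request. -->
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           enableLookups="false" tomcatAuthentication="false" />

<!-- Caveat for newer containers than the 2009 lab used: Tomcat 8.5.51+ and
     9.0.31+ refuse to start an AJP connector unless it has either a shared
     secret (secret="...") matched in mod_proxy_ajp, or secretRequired="false". -->
```

After editing server.xml, restart Tomcat and confirm that the AJP port is bound to the loopback address only (for example with `netstat -ltn` or `ss -ltn`) before pointing Apache HTTPD at it.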

Lab: Shibboleth Installation

  • Unzip the distribution archive

  • Run an install script

  • Answer questions

  • Deploy a WAR file

  • Restart Tomcat and verify the installation on port 8080

Shibboleth Home (SHIB_HOME)

  • /opt/shibboleth-idp should contain the subdirectories described on the following slides

  • The Shibboleth documentation refers to this directory as SHIB_HOME

SHIB_HOME/bin

  • Contains command line tools:

    • aacli: attribute authority command line interface

    • version: returns the IdP version

SHIB_HOME/conf

  • Contains the IdP’s configuration files

  • We will cover most of these today

SHIB_HOME/credentials

  • Credentials used by the IdP

  • The installer creates these:

    • idp.key (IdP key)

    • idp.crt (certificate)

    • idp.jks (keystore)

  • You can use this directory to store Federation certificates

SHIB_HOME/lib

  • Copies of libraries in the WAR file that make up the IdP

  • Used by the command line tools

SHIB_HOME/logs

  • Contains the IdP log files:

    • idp-process.log (the log most often referred to when troubleshooting)

    • idp-access.log

    • idp-audit.log

SHIB_HOME/metadata

  • Contains metadata files

  • Files placed in this directory are not automatically loaded

SHIB_HOME/war

  • Contains the IdP WAR file created by the installer

  • Note that we configured Apache Tomcat to run the IdP directly from the WAR file

HTTP Listener

  • Apache Tomcat has a built-in HTTP listener and can be used standalone

  • Apache HTTPD is a web server often used as the HTTP listener in front of Tomcat

  • Using both can offer flexibility

    • And interface well with legacy components

Apache HTTPD and Tomcat

  • Use mod_proxy_ajp

  • Define VirtualHosts for the Shibboleth SAML profiles, which listen on ports 443 and optionally 8443

    • mod_proxy directive to connect to Tomcat

    • Certificate settings

    • Others as required (logging, etc.)

Lab: Apache HTTPD

  • Configure Apache HTTPD as the HTTP listener for Apache Tomcat

  • mod_proxy_ajp has already been installed

  • Modify /etc/httpd/conf/httpd.conf

    • Add the ProxyPass for /idp

  • Restart Apache HTTPD

Logging

  • Configured using the logging.xml file

  • Five logging levels:

    • ERROR

    • WARN

    • INFO

    • DEBUG

    • TRACE

Lab: Logging

  • Change the logging level of the edu.internet2.middleware.shibboleth logger and evaluate the difference in the logging messages
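As an added example, not from the training deck, here is the logger section of SHIB_HOME/conf/logging.xml, which is a Logback configuration, showing how the edu.internet2.middleware.shibboleth logger used in the lab is set and how a narrower logger overrides it. The appender name IDP_PROCESS is assumed to match the one already defined in the installed file, and the sub-package named in the second logger is an assumption used to illustrate the override.

```xml
<!-- Added example: logger section of SHIB_HOME/conf/logging.xml (Logback).
     Not from the training slides. The appender definitions that the
     installed file already contains are omitted here; IDP_PROCESS is
     assumed to be the appender that writes idp-process.log. -->
<configuration>

  <!-- The IdP's own code. INFO is the production setting. Raise it to DEBUG
       or TRACE only while troubleshooting: at those levels idp-process.log
       may contain decoded SAML messages and user attribute values, so the
       file then holds personal data and should be protected and the level
       put back afterwards. -->
  <logger name="edu.internet2.middleware.shibboleth" level="INFO" />

  <!-- Loggers are hierarchical: a more specific logger overrides the broader
       one above, so one subsystem can be traced without flooding the log.
       The package name below is assumed for illustration. -->
  <logger name="edu.internet2.middleware.shibboleth.idp.profile" level="DEBUG" />

  <!-- Everything else (OpenSAML, Spring, ...) is quiet unless asked for. -->
  <root level="ERROR">
    <appender-ref ref="IDP_PROCESS" />
  </root>

</configuration>
```

For the lab, change the level on the first logger (for example INFO to DEBUG), trigger a request against the IdP, and compare the volume and content of idp-process.log before and after.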

Metadata: General

  • Describes SAML features supported by the IdP and SP

  • Includes the URLs for communicating with the IdP and SP

  • Certificates for IdPs and SPs to trust each other

  • Federations will typically control and publish metadata

Metadata: Configuration

  • Metadata can be stored and loaded locally (use SHIB_HOME/metadata)

  • Metadata can also be loaded from a remote source

  • We will discuss both configurations

Metadata: Configuration

  • Metadata is loaded into the IdP by metadata providers

  • Metadata providers are defined in the relying-party.xml file

  • A single metadata “container” provider is defined, and your individual metadata providers are defined within it

Metadata: Defining a Provider

  • Metadata providers are defined using the <MetadataProvider> element

  • Every metadata provider must have a:

    • Unique ID using the id attribute

    • Type using the xsi:type attribute

  • Each type of metadata provider has its own set of configuration attributes

Metadata: Filesystem Provider

  • The Filesystem metadata provider loads a metadata file from the local filesystem.

  • Use type definition:

    • xsi:type="FilesystemMetadataProvider"

  • Configuration attribute

    • metadataFile

Metadata: File-backed HTTP Provider

  • Loads metadata via HTTP and backs it up to a local file

  • Type definition:

    • xsi:type="FileBackedHTTPMetadataProvider"

  • Configuration attributes:

    • metadataURL

    • backingFile

Lab: Metadata Providers

  • Define a file-backed HTTP metadata provider

Multiple Metadata Providers

  • The chaining metadata provider processes its child metadata providers in the order they are defined

  • If the same entity is defined in more than one metadata provider, only the first definition found will be used
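As an added example, not from the training deck, here is the metadata section of SHIB_HOME/conf/relying-party.xml that ties the preceding slides together: the chaining "container" provider, a filesystem provider, the file-backed HTTP provider from the lab, and the chaining order rule. The deck writes the type names without a prefix; in the installed file they carry the metadata: prefix, which is assumed here to be bound to urn:mace:shibboleth:2.0:metadata on the root element (and security: to urn:mace:shibboleth:2.0:security). The federation URL, file names and the trust engine id are placeholders.

```xml
<!-- Added example: metadata and trust engine sections of
     SHIB_HOME/conf/relying-party.xml. Not from the training slides; the
     metadata: and security: prefixes are assumed to be declared on the
     file's root element, and all URLs, paths and ids are placeholders. -->

<!-- The single "container" provider is a chaining provider. Its children
     are consulted in document order, and the first definition found for an
     entity ID wins; later copies of the same entity are ignored. -->
<metadata:MetadataProvider id="ShibbolethMetadata"
                           xsi:type="metadata:ChainingMetadataProvider">

  <!-- 1. The IdP's own metadata, loaded from SHIB_HOME/metadata.
          Listed first so that no downloaded file can redefine the IdP. -->
  <metadata:MetadataProvider id="IdPMD"
                             xsi:type="metadata:FilesystemMetadataProvider"
                             metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml" />

  <!-- 2. Federation metadata fetched from metadataURL and cached in
          backingFile, so the IdP keeps working when the federation server is
          unreachable (the lab's file-backed HTTP provider).
          This download is the trust root for every SP the IdP talks to, so
          the filter below rejects any copy that is not signed with the
          federation's metadata signing key. -->
  <metadata:MetadataProvider id="FederationMD"
                             xsi:type="metadata:FileBackedHTTPMetadataProvider"
                             metadataURL="https://federation.example.org/metadata/federation-metadata.xml"
                             backingFile="/opt/shibboleth-idp/metadata/federation-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                             trustEngineRef="shibboleth.MetadataTrustEngine"
                             requireSignedMetadata="true" />
  </metadata:MetadataProvider>

  <!-- 3. A lab SP registered locally. If the same entity ID also appeared
          in the federation file above, this copy would never be used. -->
  <metadata:MetadataProvider id="LabSPMD"
                             xsi:type="metadata:FilesystemMetadataProvider"
                             metadataFile="/opt/shibboleth-idp/metadata/lab-sp-metadata.xml" />

</metadata:MetadataProvider>

<!-- Trust engine referenced by the signature filter. It holds only the
     federation's metadata signing certificate, kept in SHIB_HOME/credentials
     as the earlier slide suggests; the file name is a placeholder. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
  <security:Credential id="FederationSigningCredential"
                       xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/federation-signing.crt</security:Certificate>
  </security:Credential>
</security:TrustEngine>
```

The certificate loaded into the trust engine should be obtained from the federation out of band and verified against the fingerprint the federation publishes, not extracted from the downloaded metadata itself; otherwise the signature check only proves that the metadata is consistent with whatever was fetched.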

Metadata Registration

  • Metadata must be shared between relying parties

  • Federations typically have a centralized registration process and systems

  • Register certificates and profiles

Lab: Metadata Registration

  • Register your IdP so it can interact with the SP/DS in the lab


  • More information on IdP basics and installation can be found at: