Shibboleth 2 0 idp training basics and installation
This presentation is the property of its rightful owner.
Sponsored Links
1 / 34

Shibboleth 2.0 IdP Training: Basics and Installation PowerPoint PPT Presentation


  • 47 Views
  • Uploaded on
  • Presentation posted in: General

Shibboleth 2.0 IdP Training: Basics and Installation. January, 2009. IdP Basics: Terms – SAML. S ecurity A ccess M arkup L anguage XML-based standard for authentication and authorization data interchange Identity Provider – producer of assertions Service Provider – consumer of assertions

Download Presentation

Shibboleth 2.0 IdP Training: Basics and Installation

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Shibboleth 2 0 idp training basics and installation

Shibboleth 2.0 IdP Training:Basics and Installation

  • January, 2009


Idp basics terms saml

IdP Basics: Terms – SAML

  • Security Access Markup Language

  • XML-based standard for authentication and authorization data interchange

  • Identity Provider – producer of assertions

  • Service Provider – consumer of assertions

  • Current Version: 2.0

  • Shibboleth 2.0 implements SAML 2.0


Idp basics terms entity id

IdP Basics: Terms – Entity ID

  • A unique URI for a Shibboleth Identity Provider (IdP) or Service Provider (SP)

  • The recommended format is a URL

    • https://idp.colostate.edu/idp/shibboleth

  • InCommon Federation uses URNs:

    • urn:mace:incommon:colostate.edu


Idp basics terms relying party

IdP Basics: Terms – Relying Party

  • The SAML peer to which the IdP is communicating with

  • The peer in most cases for an IdP is an SP


Idp basics terms profile

IdP Basics: Terms – Profile

  • A description of how to use SAML to accomplish a specific task

  • Profiles define the interface for SAML peers


Idp basics terms metadata

IdP Basics: Terms – Metadata

  • A description of the SAML features supported by a SAML entity

  • This includes the URLs for communicating with the entity

  • Shibboleth also uses this information to build technical trust between entities


Idp installation prerequisites

IdP Installation Prerequisites

  • Three basic prerequisites for installation:

    • Java Virtual Machine

    • Java Servlet Container

    • HTTP Listener

  • You should be comfortable installing software on your platform


Idp installation prerequisites1

IdP Installation Prerequisites


Apache tomcat shibboleth prerequisites

Apache Tomcat Shibboleth Prerequisites

  • Set in TOMCAT_HOME/conf/server.xml

  • Turn off Apache Tomcat authentication (optional)

  • Set AJP listener to accept connections from localhost only


Lab shibboleth installation

Lab: Shibboleth Installation

  • Unzip the distribution archive

  • Run an install script

  • Answer questions

  • Deploy a WAR file

  • Restart Tomcat and verify the installation on port 8080


Shibboleth home shib home

Shibboleth Home (SHIB_HOME)

  • /opt/shibboleth-idp should contain

  • The Shibboleth documentation refers to this directory as SHIB_HOME


Shib home bin

SHIB_HOME/bin

  • Contains command line tools

  • aacli: attribute authority command line interface

  • version: returns the IdP version


Shib home conf

SHIB_HOME/conf

  • Contains the IdP’s configuration files:

  • We will cover most of these today


Shib home credentials

SHIB_HOME/credentials

  • Credentials used by the IdP

  • The installer creates these:

    • idp.key (IdP key)

    • idp.crt (certificate)

    • idp.jks (keystore)

  • You can use this directory to store Federation certificates


Shib home lib

SHIB_HOME/lib

  • Copies of libraries in the WAR file that make up the IdP

  • Used by the command line tools


Shib home logs

SHIB_HOME/logs

  • Contains the IdP log files

    • idp-process.log*

    • idp-access.log

    • idp-audit.log

  • * Often referred to when troubleshooting


Shib home metadata

SHIB_HOME/metadata

  • Contains metadata files

  • Files placed in this directory are not automatically loaded


Shib home war

SHIB_HOME/war

  • Contains the IdP WAR file created by the installer

  • Note that we configured Apache Tomcat to run the IdP directly from the WAR file


Http listener

HTTP Listener

  • Apache Tomcat has a built-in HTTP listener and can be used as a standalone

  • Apache HTTPD is a web server often implemented as a HTTP listener for Tomcat

  • Using both can offer flexibility

    • And interface well with legacy components


Apache httpd and tomcat

Apache HTTPD and Tomcat

  • Use mod_proxy_ajp

  • Define VirtualHosts for the Shibboleth SAML profiles, which listen on ports 443 and optionally 8443

    • mod_proxy directive to connect to Tomcat

    • Certificate settings

    • Others as required (logging, etc.)


Lab apache httpd

Lab: Apache HTTPD

  • Configure Apache HTTPD as the HTTP listener for Apache Tomcat

  • mod_proxy_ajp has already been installed

  • Modify /etc/httpd/conf/httpd.conf

    • Add the ProxyPass for /idp

  • Restart Apache HTTPD


Logging

Logging

  • Configured using the logging.xml file

  • 5 Logging levels

    • ERROR

    • WARN

    • INFO

    • DEBUG

    • TRACE


Lab logging

Lab: Logging

  • Change the logging level of the edu.internet2.middleware.shibboleth logger and evaluate the difference in the logging messages


Metadata general

Metadata: General

  • Describes SAML features supported by the IdP and SP

  • Includes the URLs for communicating with the IdP and SP

  • Certificates for IdPs and SPs to trust each other

  • Federations will typically control and publish metadata


Metadata configuration

Metadata: Configuration

  • Metadata can be stored and loaded locally (use SHIB_HOME/metadata)

  • Metadata can also be loaded from a remote source

  • We will discuss both configurations


Metadata configuration1

Metadata: Configuration

  • Metadata is loaded into the IdP by metadata providers

  • Metadata providers are defined in the relying-party.xml file

  • A single metadata “container” provider is defined where you will define within it your metadata providers


Metadata defining a provider

Metadata: Defining a Provider

  • Metadata providers are defined using the <MetadataProvider> element

  • Every metadata provider must have a:

    • Unique ID using the id attribute

    • Type using the xsi:type attribute

  • Each type of metadata provider has its own set of configuration attributes


Metadata filesystem provider

Metadata: Filesystem Provider

  • The Filesystem metadata provider loads a metadata file from the local filesystem.

  • Use type definition:

    • xsi:type="FilesystemMetadataProvider"

  • Configuration attribute

    • metadataFile


Metadata file backed http provider

Metadata: File-backed HTTP Provider

  • Loads metadata via HTTP and backs it up to local file

  • Type definition:

    • xsi:type="FileBackedHTTPMetadataProvider"

  • Configuration attributes:

    • metadataURL

    • backingFile


Lab metadata providers

Lab: Metadata Providers

  • Define a file-backed HTTP metadata provider


Multiple metadata providers

Multiple Metadata Providers

  • The chaining metadata provider processes children metadata providers in the order they are defined

  • If the same entity is defined in more than one metadata provider, only the first definition found will be used


Metadata registration

Metadata Registration

  • Metadata must be shared between relying parties

  • Federations typically have a centralized registration process and systems

  • Register certificates and profiles


Lab metadata registration

Lab: Metadata Registration

  • Register your IdP so it can interact with the SP/DS in the lab


References

References

  • More information on IdP basics and installation can be found at:

  • https://spaces.internet2.edu/display/SHIB2/Installation


  • Login