Shibboleth: Installation and Deployment
Scott Cantor ([email protected]) July 29, 2002


Installation: Packaging

  • Alpha 1 and 2 are binary distributions.

  • Source was made public in late July:


  • Alpha 2.5 will probably be binary with source.

  • Beta 1 should support “./configure; make; make install” for autoconf platforms and Visual Studio on Windows.

  • Even with better packaging, manual installation of servlets and Apache modules will be needed.

Installation: General

  • Solaris 2.x and Linux

  • Current Basic Requirements:

    Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.6, Sun JDK 1.3.1, Jakarta Tomcat 3.3.1

  • Binaries distributed as a tarball:

    $ cd /usr/local

    $ tar xvfz shib_alpha2_linux_rh72.tar.gz

  • Deploy Guide:


Installation: General

  • Both origins and targets need:

    • SSL-enabled Apache server, equipped with a certificate signed by a club-approved CA

    • Jakarta Tomcat servlet engine with AJP 1.3 connector (mod_jk)

  • All the servlets are packaged together in a single deployment archive (shibboleth.war) that can be copied into tomcat/webapps, auto-expanded, and configured

Installation: Origin Site

  • Install additional supporting components:

    • User handles can be stored in-memory or in MySQL

    • User attributes can be accessed in LDAP or a restricted set (EPPN and affiliation=member) can be “echoed” by the AA

  • Back-end interfaces will be refined over time to simplify pluggable implementations, and use standard Java APIs like JNDI when possible

Deployment: Origin Site

  • Choose a name for your site, probably your best known top-level domain.

  • This name will be part of your club application and is configured into the HS and AA servlets (web.xml).

  • Special Note: Alpha-2 targets will reject attributes like EPPN if the “scope” doesn’t match the site name. This will be more flexible later.

Deployment: Origin Site PKI Requirements

  • The web server’s SSL certificate will protect both the HS and AA servlets.

  • The AA servlet path is configured to support client certificate authentication:

    <Location "/shibboleth/AA">
    # "optional": a request without a client certificate is still passed through,
    # so the AA servlet itself must check whether a verified certificate was presented
    SSLVerifyClient optional
    # export the client certificate to the servlet environment
    SSLOptions +ExportCertData
    </Location>

  • The allowable client CAs are specified:

    SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt

Deployment: Origin Site PKI Requirements

  • The HS servlet must digitally sign its messages using a key and certificate valid for digital signature creation, signed by a club-approved CA.

  • Alpha-2 uses a Java keystore, which allows self-generation of a key and certificate request with the keytool command (see deploy guide).

  • The hostname of your HS is the first field in the certificate request.

  • Using the SSL server key is possible, but requires some custom Java code to import/export a private key.

Deployment: Origin Site Club Application

  • Target sites are given a “registry” of trusted origin sites to protect them from rogue users.

  • Once names are chosen, provide the following in an e-mail (address in deploy guide):

    • Site Name

    • Complete Handle Service servlet URL

    • The HS hostname (went into the certificate CN)

    • Aliases/shorthand for your institution (used by WAYF)

Shibbolization Cookbook for Origin Sites

  • Apply to the club as an origin site

    • currently an e-mail message with basic site information

  • Choose any web server that can host Java Servlet and JSP applications via Tomcat

  • Deploy a HS behind web initial sign-on

    • requires a club-trusted certificate usable for signing

    • web server must also use SSL if handling passwords

    • can store handles in-memory or in MySQL

    • beta version should use a “handle in cookie” design

Shibbolization Cookbook for Origin Sites

  • Deploy an AA in conjunction with the HS

    • supports two attribute “contexts”, LDAP and Echo

  • Install AA plugins for attributes (Java API)

    • preconfigured with classes for eduPerson attributes

  • Establish default ARPs for community

    • alpha-2 comes preconfigured to release everything, hides ARP tools

    • alpha-2.5 expected to begin exposing ARP interface

    • early GUI development beginning

Shibbolization Cookbook for Destination Sites

  • Choose any web server (as long as it’s Apache 1.3.x, but others to follow)

  • Equip it with the SHIRE and SHAR modules

    • SHIRE is a Java servlet for the time being, so Tomcat is required

    • SHAR/RM are combined into mod_shib

  • Install SHAR plugins for attributes (C++ API)

    • mod_eduPerson provided

RM and Application Integration

  • mod_shib currently provides flexible .htaccess processing.

  • Attributes can be mapped to Require rules and to HTTP headers, including REMOTE_USER.

  • Existing basic-auth sites can be “hijacked” to use Shibboleth.
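The two target-side checks described on these slides, the scope check on attributes such as EPPN against the origin's registered site name (the "Special Note" under Deployment: Origin Site) and the RM's mapping of attributes to Require rules and HTTP headers including REMOTE_USER, as an added worked example. This is not code from the Shibboleth project; the registry dictionary, the attribute tuple shape, the header names and the rule syntax are assumptions chosen for illustration.

```python
"""Target-side attribute filtering and mapping in the style of the Shibboleth
alpha-2 SHAR/RM: assertions from unknown origins are dropped, scoped attribute
values whose scope does not match the asserting origin's site name are rejected,
surviving attributes are mapped to HTTP headers (including REMOTE_USER), and
Require-style rules are evaluated against them.

Added example, not project code. Data shapes are assumed for illustration."""

# Constructed "club registry" of trusted origin sites: site name -> HS URL.
TRUSTED_ORIGINS = {
    "example.edu": "https://hs.example.edu/shibboleth/HS",   # constructed entry
}

# Attributes that carry a scope ("value@scope") and must match the origin site name.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# Assumed attribute -> HTTP header mapping (header names are illustrative).
HEADER_MAP = {
    "eduPersonPrincipalName": "REMOTE_USER",
    "eduPersonAffiliation": "Shib-EP-Affiliation",
    "eduPersonScopedAffiliation": "Shib-EP-ScopedAffiliation",
}


def filter_attributes(origin_site, attributes):
    """Return only the (name, value) pairs a target should accept from origin_site.

    attributes: list of (name, value) tuples as asserted by the origin's AA.
    An unknown origin yields nothing; a scoped value is rejected when its scope
    is missing or differs (case-insensitively) from the registered site name.
    """
    if origin_site not in TRUSTED_ORIGINS:
        return []  # not in the registry: accept nothing from this origin
    accepted = []
    for name, value in attributes:
        if name in SCOPED_ATTRIBUTES:
            _local, sep, scope = value.rpartition("@")
            if not sep or scope.lower() != origin_site.lower():
                continue  # scope mismatch or no scope at all: reject the value
        accepted.append((name, value))
    return accepted


def to_headers(attributes):
    """Map accepted attributes to request headers; multi-valued ones are joined with ';'."""
    headers = {}
    for name, value in attributes:
        header = HEADER_MAP.get(name)
        if header is None:
            continue  # no mapping configured: the application never sees it
        headers[header] = value if header not in headers else headers[header] + ";" + value
    return headers


def require_allows(rules, attributes):
    """Evaluate .htaccess-style rules against accepted attributes.

    A rule is 'valid-user' (satisfied when an accepted principal name exists)
    or '<attribute> <v1> <v2> ...' (satisfied when any listed value is present).
    Any satisfied rule grants access; otherwise access is denied.
    """
    values = {}
    for name, value in attributes:
        values.setdefault(name, set()).add(value)
    for rule in rules:
        parts = rule.split()
        if not parts:
            continue
        if parts[0] == "valid-user":
            if "eduPersonPrincipalName" in values:
                return True
        elif values.get(parts[0], set()) & set(parts[1:]):
            return True
    return False


if __name__ == "__main__":
    # Constructed assertion: one EPPN in the origin's own scope, one in a foreign scope.
    asserted = [
        ("eduPersonPrincipalName", "jdoe@example.edu"),
        ("eduPersonPrincipalName", "mallory@other.edu"),
        ("eduPersonAffiliation", "member"),
    ]
    ok = filter_attributes("example.edu", asserted)
    print(to_headers(ok))
    print(require_allows(["eduPersonAffiliation member"], ok))
```

The foreign-scope principal name is dropped before any header is set, so REMOTE_USER can only ever carry a name the asserting origin is registered to vouch for; an origin absent from the registry contributes no attributes at all, which is the "registry of trusted origin sites" protection the Club Application slide describes.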

Existing Applications (from most to least integrated)

  • Shibbolize the application and unify intra-campus and inter-campus users

  • Add a second URL tree for inter-campus users

  • Use a Shibbolized proxy server

  • (The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)