shibboleth 2 0 idp training basics and installation n.
Skip this Video
Download Presentation
Shibboleth 2.0 IdP Training: Basics and Installation

Loading in 2 Seconds...

play fullscreen
1 / 34

Shibboleth 2.0 IdP Training: Basics and Installation - PowerPoint PPT Presentation

  • Uploaded on

Shibboleth 2.0 IdP Training: Basics and Installation. January, 2009. IdP Basics: Terms – SAML. S ecurity A ccess M arkup L anguage XML-based standard for authentication and authorization data interchange Identity Provider – producer of assertions Service Provider – consumer of assertions

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Shibboleth 2.0 IdP Training: Basics and Installation' - whitney-soto

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
idp basics terms saml
IdP Basics: Terms – SAML
  • Security Access Markup Language
  • XML-based standard for authentication and authorization data interchange
  • Identity Provider – producer of assertions
  • Service Provider – consumer of assertions
  • Current Version: 2.0
  • Shibboleth 2.0 implements SAML 2.0
idp basics terms entity id
IdP Basics: Terms – Entity ID
  • A unique URI for a Shibboleth Identity Provider (IdP) or Service Provider (SP)
  • The recommended format is a URL
  • InCommon Federation uses URNs:
idp basics terms relying party
IdP Basics: Terms – Relying Party
  • The SAML peer to which the IdP is communicating with
  • The peer in most cases for an IdP is an SP
idp basics terms profile
IdP Basics: Terms – Profile
  • A description of how to use SAML to accomplish a specific task
  • Profiles define the interface for SAML peers
idp basics terms metadata
IdP Basics: Terms – Metadata
  • A description of the SAML features supported by a SAML entity
  • This includes the URLs for communicating with the entity
  • Shibboleth also uses this information to build technical trust between entities
idp installation prerequisites
IdP Installation Prerequisites
  • Three basic prerequisites for installation:
    • Java Virtual Machine
    • Java Servlet Container
    • HTTP Listener
  • You should be comfortable installing software on your platform
apache tomcat shibboleth prerequisites
Apache Tomcat Shibboleth Prerequisites
  • Set in TOMCAT_HOME/conf/server.xml
  • Turn off Apache Tomcat authentication (optional)
  • Set AJP listener to accept connections from localhost only
lab shibboleth installation
Lab: Shibboleth Installation
  • Unzip the distribution archive
  • Run an install script
  • Answer questions
  • Deploy a WAR file
  • Restart Tomcat and verify the installation on port 8080
shibboleth home shib home
Shibboleth Home (SHIB_HOME)
  • /opt/shibboleth-idp should contain
  • The Shibboleth documentation refers to this directory as SHIB_HOME
shib home bin
  • Contains command line tools
  • aacli: attribute authority command line interface
  • version: returns the IdP version
shib home conf
  • Contains the IdP’s configuration files:
  • We will cover most of these today
shib home credentials
  • Credentials used by the IdP
  • The installer creates these:
    • idp.key (IdP key)
    • idp.crt (certificate)
    • idp.jks (keystore)
  • You can use this directory to store Federation certificates
shib home lib
  • Copies of libraries in the WAR file that make up the IdP
  • Used by the command line tools
shib home logs
  • Contains the IdP log files
    • idp-process.log*
    • idp-access.log
    • idp-audit.log
  • * Often referred to when troubleshooting
shib home metadata
  • Contains metadata files
  • Files placed in this directory are not automatically loaded
shib home war
  • Contains the IdP WAR file created by the installer
  • Note that we configured Apache Tomcat to run the IdP directly from the WAR file
http listener
HTTP Listener
  • Apache Tomcat has a built-in HTTP listener and can be used as a standalone
  • Apache HTTPD is a web server often implemented as a HTTP listener for Tomcat
  • Using both can offer flexibility
    • And interface well with legacy components
apache httpd and tomcat
Apache HTTPD and Tomcat
  • Use mod_proxy_ajp
  • Define VirtualHosts for the Shibboleth SAML profiles, which listen on ports 443 and optionally 8443
    • mod_proxy directive to connect to Tomcat
    • Certificate settings
    • Others as required (logging, etc.)
lab apache httpd
Lab: Apache HTTPD
  • Configure Apache HTTPD as the HTTP listener for Apache Tomcat
  • mod_proxy_ajp has already been installed
  • Modify /etc/httpd/conf/httpd.conf
    • Add the ProxyPass for /idp
  • Restart Apache HTTPD
  • Configured using the logging.xml file
  • 5 Logging levels
    • ERROR
    • WARN
    • INFO
    • DEBUG
    • TRACE
lab logging
Lab: Logging
  • Change the logging level of the edu.internet2.middleware.shibboleth logger and evaluate the difference in the logging messages
metadata general
Metadata: General
  • Describes SAML features supported by the IdP and SP
  • Includes the URLs for communicating with the IdP and SP
  • Certificates for IdPs and SPs to trust each other
  • Federations will typically control and publish metadata
metadata configuration
Metadata: Configuration
  • Metadata can be stored and loaded locally (use SHIB_HOME/metadata)
  • Metadata can also be loaded from a remote source
  • We will discuss both configurations
metadata configuration1
Metadata: Configuration
  • Metadata is loaded into the IdP by metadata providers
  • Metadata providers are defined in the relying-party.xml file
  • A single metadata “container” provider is defined where you will define within it your metadata providers
metadata defining a provider
Metadata: Defining a Provider
  • Metadata providers are defined using the <MetadataProvider> element
  • Every metadata provider must have a:
    • Unique ID using the id attribute
    • Type using the xsi:type attribute
  • Each type of metadata provider has its own set of configuration attributes
metadata filesystem provider
Metadata: Filesystem Provider
  • The Filesystem metadata provider loads a metadata file from the local filesystem.
  • Use type definition:
    • xsi:type="FilesystemMetadataProvider"
  • Configuration attribute
    • metadataFile
metadata file backed http provider
Metadata: File-backed HTTP Provider
  • Loads metadata via HTTP and backs it up to local file
  • Type definition:
    • xsi:type="FileBackedHTTPMetadataProvider"
  • Configuration attributes:
    • metadataURL
    • backingFile
lab metadata providers
Lab: Metadata Providers
  • Define a file-backed HTTP metadata provider
multiple metadata providers
Multiple Metadata Providers
  • The chaining metadata provider processes children metadata providers in the order they are defined
  • If the same entity is defined in more than one metadata provider, only the first definition found will be used
metadata registration
Metadata Registration
  • Metadata must be shared between relying parties
  • Federations typically have a centralized registration process and systems
  • Register certificates and profiles
lab metadata registration
Lab: Metadata Registration
  • Register your IdP so it can interact with the SP/DS in the lab
  • More information on IdP basics and installation can be found at: