Edit WYSIWYGattachfile Attach PDF Raw View►More Actions▼More Actions


Restore topic to revision: You will be able to review the topic before saving it to a new revision

Copy text and form data to a new topic (no attachments will be copied though).
Name of copy:
You will be able to review the copied topic before saving

Rename/move topic... scans links in all public webs (recommended)
Rename/move topic... scans links in ShibAuth web only
Delete topic... scans links in all public webs (recommended)
Delete topic... scans links in ShibAuth web only

Revision Date Username Comment
918 Dec 2013 - 08:49EvaYoung(minor) Added link to U Washington instructions for configuring multiple web sites. 
818 Dec 2012 - 08:56BrianDunnettechanging "should NOT need minimal changes" to "should need ONLY minimal changes" 
708 Oct 2012 - 10:11ChristopherBongaartsmajor surgery - notably, updated to prefer 2.4 syntax 
619 Dec 2011 - 20:37CraigGjerdingen 
505 Dec 2011 - 15:42AaronZirbes 
411 Jul 2011 - 15:47ChristopherBongaartsreverse order of sso/sessioninitatior and add warning that SSO comes first

escape non-wikiword applicationoverride 
313 Apr 2011 - 16:13LindaDick 
228 Jan 2011 - 10:30AaronZirbes 
118 Oct 2010 - 12:16AaronZirbes(minor)  

Render style:     Context:


 History: r9 < r8 < r7 < r6 < r5
You are here: UMWiki>ShibAuth Web>Shibboleth2Xml (18 Dec 2013, EvaYoung)

Configuring the Shibboleth SP XML file, shibboleth2.xml

Overview

In this file you are telling Shibboleth a few key peices of information so it knows how to authenticate your users. Those items are

  • Your Entity ID. This is how your SP will identify itself to the IdP and how the IdP will know what metadata to send you
  • The location of the U of MN IdP
  • The location of the Metadata provider (also the U of MN IdP)
  • The location of your SSL Certificate
  • The name of your server and any virtual hosts
  • Your contact information (Errors supportContact specifically)
  • Any URLs you would like Shibboleth to secure (required for IIS only)

warning For most sites, you should need only minimal changes to the delivered shibboleth2.xml file to get things working. There are a lot of options in this file, and most of them are only necessary for complex installations. Yours probably isn't. For best results, always start with the existing shibboleth2.xml file! The official Shib wiki documents what is most likely to need changing. Use the following in conjunction with, not instead of, the official documentation, or you will make your life needlessly harder.

Good instructions for configuring a shibboleth SP with multiple websites are available at the University of Washington wiki here.

In Process (i.e. web server integration) configuration (IIS Only)

  • Tell Shib what the IIS site ID number(s) you are securing:

    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <!--
            Maps IIS Instance ID values to the host scheme/name/port. The name is
            required so that the proper <Host> in the request map above is found without
            having to cover every possible DNS/IP combination the user might enter.
            -->
            <Site id="1" name="www.dept.umn.edu" />
            <!--
            When the port and scheme are omitted, the HTTP request's port and scheme are used.
            If these are wrong because of virtualization, they can be explicitly set here to
            ensure proper redirect generation.
            -->
            <Site id="42" name="app.dept.umn.edu" scheme="https" port="443"/>
        </ISAPI>
    </InProcess>

Request Mapper (required for IIS only)

  • You may need a sub entry for virtual hosts if you are using more than one host per SP. Note that the RequestMapper? is recommended only for IIS; for Apache the preferred mechanism is to use httpd.conf/.htaccess directives.

    <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <!--
            The example requires a session for documents in /secure on the containing host with http and
            https on the default ports. Note that the name and port in the <Host> elements MUST match
            Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
            below.
            -->
            <Host name="www.dept.umn.edu">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <!-- Example of a second vhost mapped to a different applicationId. -->
            <!--
            <Host name="app.dept.umn.edu" applicationId="admin" authType="shibboleth" requireSession="true"/>
            -->
        </RequestMap>
    </RequestMapper>

Another example:

    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <!--
            The example requires a session for documents in /secure on the containing host with http and
            https on the default ports. Note that the name and port in the <Host> elements MUST match
            Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
            below.
            This one also protects "/secret", "/locked/down", and "/black/ops".
            -->

            <Host name="www.dept.umn.edu" redirectToSSL="443">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
                <Path name="secret" authType="shibboleth" requireSession="true"/>
                <Path name="locked/down" authType="shibboleth" requireSession="true"/>
                <Path name="black/ops" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

Application Defaults

  • You'll need to change the entityID and add the homeURL attribute if you don't have it. The homeURL attribute is where requests will be sent if there is any problem or state is lost in the middle of a Shib login.
<ApplicationDefaults id="default" policyId="default"
   entityID="https://www.dept.umn.edu/shibboleth/default"
   homeURL="https://www.dept.umn.edu/"
   REMOTE_USER="eppn persistent-id targeted-id"
   signing="false" encryption="false">

Sessions

  • Set checkAddress to true if you can. Note that if you are likely to have users from outside the university, you might want to leave this false to avoid login problems for users behind NATs that rotate requests among an outbound pool (e.g. HCMC).
<Sessions lifetime="28800" timeout="3600" checkAddress="true"
   handlerURL="/Shibboleth.sso" handlerSSL="false"
   exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
   idpHistory="false" idpHistoryDays="7">

SSO and Logout, for shibd 2.4.x

For shibd version 2.4.x, use the following. (Thanks to young041@umn.edu for this update)
  • Add the U of MN Shib IdP here (test first, production later)
    <SSO entityID="https://idp-test.shib.umn.edu/idp/shibboleth">
                  SAML2
    </SSO>
    
    <!-- Local-only logout. Our IdP does not support SAML2 logout yet. -->
    <Logout>Local</Logout>
    

Note that the SSO element needs to precede any SessionInitiators you have defined (and in general you shouldn't need to mix them, the SSO element is like a macro that expands to the 2.3 SessionInitiators).

Errors and Contact Information

  • At least customize the email address. You should also customize the html error pages.
    <Errors supportContact="help@dept.umn.edu"
       logoLocation="/shibboleth-sp/logo.jpg"
       styleSheet="/shibboleth-sp/main.css"/>
    

Metadata Provider

  • This again will point to the U of MN IdP. Note that you can have as many MetadataProviders as you want, so you can load metadata for the test and production UMN IdPs simulataneously. Which one is actually used depends on the SSO (or SessionInitiator) elements.

<MetadataProvider type="XML" uri="https://idp2.shib.umn.edu/metadata.xml"
   backingFilePath="prod-umn-metadata.xml" reloadInterval="7200">
</MetadataProvider>
<MetadataProvider type="XML" uri="https://idp-test.shib.umn.edu/metadata.xml"
   backingFilePath="prod-umn-metadata.xml" reloadInterval="7200">
</MetadataProvider>

Credential Resolver

  • This will tell the SP where your SSL public and private keys are for opening the encryption channel. Normally these are generated for you as part of the installation, so you shouldn't need to change this.
<CredentialResolver type="File" key="/etc/shibboleth/shibboleth.dept.umn.edu.key" certificate="/etc/shibboleth/shibboleth.dept.umn.edu.crt"/>
  • On Windows, this will read something like:
            <CredentialResolver type="File" key="c:\opt\shibboleth-sp\etc\shibboleth\shibboleth.dept.umn.edu.key" certificate="c:\opt\shibboleth-sp\etc\shibboleth\shibboleth.dept.umn.edu.crt" />
    

ApplicationOverride

<ApplicationOverride id="customApp" entityID="https://www.dept.umn.edu/shibboleth/alternate" homeURL="https://app.dept.umn.edu"/>

Putting it all together.

When we put it all together, we get a full sample shibboleth2.xml file.

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    logger="syslog.logger" clockSkew="180">

    <!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
    <OutOfProcess logger="shibd.logger" />
    
    <!-- The InProcess section conrains settings affecting web server modules/filters. -->
    <InProcess logger="native.logger" />

    <!-- Only one listener can be defined, to connect in-process modules to shibd. -->
    <UnixListener address="shibd.sock"/>
    <!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
    
    <!-- This set of components stores sessions and other persistent data in daemon memory. -->
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
    <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="mem"/>
    <ArtifactMap artifactTTL="180"/>

    <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="www.dept.umn.edu">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <!--
    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
    Resource requests are mapped by the RequestMapper to an applicationId that
    points into to this section.
    -->
    <ApplicationDefaults id="default" policyId="default"
        entityID="https://www.dept.umn.edu/shibboleth/default"
      homeURL="https://www.dept.umn.edu/"
        REMOTE_USER="eppn persistent-id targeted-id"
        signing="false" encryption="false">

        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        You MUST supply an effectively unique handlerURL value for each of your applications.
        The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
        The system can compute a relative value based on the virtual host. Using handlerSSL="true"
        will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
        in that case. Note that while we default checkAddress to "false", this has a negative
        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
        -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="true"
            handlerURL="/Shibboleth.sso" handlerSSL="false"
            exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
            idpHistory="false" idpHistoryDays="7">
            
            <!-- UMN Production Shib IdP -->
            <!-- Commented out for testing
            <SSO entityID="https://idp2.shib.umn.edu/idp/shibboleth">
              SAML2
            </SSO>
            -->

            <!-- UMN Testing Shib IdP -->
            <SSO entityID="https://idp-test.shib.umn.edu/idp/shibboleth">
              SAML2
            </SSO>

            <!-- Local-only logout. Our IdP does not support SAML2 logout yet. -->
            <Logout>Local</Logout>

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

        </Sessions>

        <!--
        Allows overriding of error template filenames. You can also add attributes with values
        that can be plugged into the templates.
        -->
        <Errors supportContact="help@dept.umn.edu"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
        
        <!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
        <!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->

        <!-- Chains together all your metadata sources. -->
        <MetadataProvider type="Chaining">
       <!-- UMN Production metadata -->
            <MetadataProvider type="XML" uri="https://idp2.shib.umn.edu/metadata.xml"
                 backingFilePath="prod-umn-metadata.xml" reloadInterval="7200">
            </MetadataProvider>
            
            <!-- UMN Test metadata -->
            <MetadataProvider type="XML" uri="https://idp-test.shib.umn.edu/metadata.xml"
                 backingFilePath="test-umn-metadata.xml" reloadInterval="7200">
            </MetadataProvider>

        </MetadataProvider>

        <!-- Chain the two built-in trust engines together. -->
        <TrustEngine type="Chaining">
            <TrustEngine type="ExplicitKey"/>
            <TrustEngine type="PKIX"/>
        </TrustEngine>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        
        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="/etc/shibboleth/shibboleth.dept.umn.edu.key" certificate="/etc/shibboleth/shibboleth.dept.umn.edu.crt"/>

    </ApplicationDefaults>
    
     <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

-- ChristopherBongaarts - 08 Oct 2012

Topic revision: r9 - 18 Dec 2013 - 08:49:01 - EvaYoung
 
UMWiki UMWiki
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding UMWiki? Send feedback