Belnet R&E Federation Workshop Shibboleth IdP Deployment Belnet – Mario Vandaele Brussels – 15 March 2012


Page 1

Belnet R&E Federation Workshop – Shibboleth IdP Deployment

Belnet – Mario Vandaele, Brussels – 15 March 2012

Page 2

Workshop Belnet R&E Federation 15.03.2012

Login – Linux / MacOSX

Start a terminal

Log in to your virtual machine

– With # being your assigned group number

ssh student@idp#.ws.belnet.be

Insert password

57ud3n7

Page 3

Login – Windows

Page 4

Login

Output

Page 5

Login – sudo

The “student” account doesn’t have “root” privileges, so let’s temporarily enable them

sudo su -

Insert password

57ud3n7

Page 6

Shibboleth IdP installation

Extract the Shibboleth IdP archive in your local source directory

Check the content of the Shibboleth directory

cd /home/student/workshop
cp shibboleth-identityprovider-2.3.5-bin.zip /usr/local/src
cd /usr/local/src    # extract in the local source directory
unzip shibboleth-identityprovider-2.3.5-bin.zip

cd /usr/local/src/shibboleth-identityprovider-2.3.5
ls -l

Page 7

Shibboleth IdP installation

Output

…
-rwxrwxrwx 1 root root 11357 2011-06-02 05:25 LICENSE.txt
-rwxrwxrwx 1 root root   896 2011-06-02 05:25 install.bat
-rwxr-xr-x 1 root root  2511 2011-06-08 10:52 install.sh
-rwxrwxrwx 1 root root   458 2011-06-08 10:52 cpappend.bat
drwxrwxrwx 2 root root  4096 2011-06-19 17:35 doc
drwxrwxrwx 5 root root  4096 2011-11-09 06:36 src
drwxrwxrwx 2 root root  4096 2011-11-09 06:36 lib
drwxrwxrwx 2 root root  4096 2011-11-09 06:36 endorsed
…

Page 8

Shibboleth IdP installation

Some extra Java classes, bundled into jar files and required by Shibboleth, must be endorsed by our Java servlet engine (Tomcat)

Check the content of the new directory

mkdir /usr/share/tomcat6/endorsed/
cp ./endorsed/*.jar /usr/share/tomcat6/endorsed/

ls -l /usr/share/tomcat6/endorsed

Page 9

Shibboleth IdP installation

Output

…
-r--r--r-- 1 root root 3176148 2012-03-01 15:31 xalan-2.7.1.jar
-r--r--r-- 1 root root  278286 2012-03-01 15:31 serializer-2.10.0.jar
-r--r--r-- 1 root root   84091 2012-03-01 15:31 xml-resolver-1.2.jar
-r--r--r-- 1 root root  220536 2012-03-01 15:31 xml-apis-2.10.0.jar
-r--r--r-- 1 root root 1363159 2012-03-01 15:31 xercesImpl-2.10.0.jar
…

Page 10

Shibboleth IdP installation

(Optional) Pre-build preparation: check the Java environment

update-alternatives --config java

Output

  Selection    Path                                       Priority   Status
------------------------------------------------------------------------------
  0            /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061      auto mode
  1            /opt/java/64/jre1.6.0_31/bin/java           1         manual mode
  2            /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061      manual mode
  3            /usr/lib/jvm/java-6-sun/jre/bin/java        63        manual mode

Page 11

Shibboleth IdP installation

(Optional) Pre-build preparation: set & check JAVA_HOME

export JAVA_HOME=/usr/lib/jvm/java-6-sun/jre
echo $JAVA_HOME
/usr/lib/jvm/java-6-sun/jre

Pre-build preparation: set & check IDP_HOME

export IDP_HOME=/opt/shibboleth-idp
echo $IDP_HOME
/opt/shibboleth-idp

export IDP_SRC=/usr/local/src/shibboleth-identityprovider-2.3.5

Page 12

Shibboleth IdP installation

(Optional) Set IdPCertLifetime for the self-signed server certificate

– If you want to overrule the default lifetime of 20 years for the self-signed certificate, you must set the environment variable IdPCertLifetime to a value of your choice

– This server certificate is NOT the same as the CA-issued (TERENA) server certificate for HTTPS, so don’t use this one in your web server configuration (Apache)

export IdPCertLifetime=3    # lifetime in years (default 20), picked up by install.sh

Page 13

Shibboleth IdP installation

Build the Shibboleth IdP web application and provide input when requested by the script

– Installation directory = /opt/shibboleth-idp

– FQDN = idp#.ws.belnet.be
  • With # being your assigned group number

– Keystore password = 57ud3n7

cd $IDP_SRC
./install.sh

Page 14

Shibboleth IdP installation

Output (1/3)

Buildfile: src/installer/resources/build.xml

install:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Where should the Shibboleth Identity Provider software be installed? [/opt/shibboleth-idp]

What is the fully qualified hostname of the Shibboleth Identity Provider server? [idp.example.org]
idp#.ws.belnet.be

Page 15

Shibboleth IdP installation

Output (2/3)

A keystore is about to be generated for you. Please enter a password that will be used to protect it.
57ud3n7
Updating property file: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/resources/install.properties
Created dir: /opt/shibboleth-idp
Created dir: /opt/shibboleth-idp/bin
Created dir: /opt/shibboleth-idp/conf
Created dir: /opt/shibboleth-idp/credentials
Created dir: /opt/shibboleth-idp/lib
Created dir: /opt/shibboleth-idp/lib/endorsed
Created dir: /opt/shibboleth-idp/logs
Created dir: /opt/shibboleth-idp/metadata
Created dir: /opt/shibboleth-idp/war
Generating signing and encryption key, certificate, and keystore.

Page 16

Shibboleth IdP installation

Output (3/3)

Copying 5 files to /opt/shibboleth-idp/bin
Copying 8 files to /opt/shibboleth-idp/conf
Copying 1 file to /opt/shibboleth-idp/metadata
Copying 51 files to /opt/shibboleth-idp/lib
Copying 5 files to /opt/shibboleth-idp/lib/endorsed
Copying 1 file to /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer
Building war: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/idp.war
Copying 1 file to /opt/shibboleth-idp/war
Deleting: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/web.xml
Deleting: /usr/local/src/shibboleth-identityprovider-2.3.5/src/installer/idp.war
BUILD SUCCESSFUL

Page 17

Shibboleth IdP installation

Check the content of IDP_HOME

ls -l $IDP_HOME

Output

drwxr-xr-x 2 root root 4096 2012-03-02 13:42 bin
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 conf
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 credentials
drwxr-xr-x 3 root root 4096 2012-03-02 13:42 lib
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 logs
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 metadata
drwxr-xr-x 2 root root 4096 2012-03-02 13:42 war

Page 18

Shibboleth IdP installation

IDP_HOME/bin command line tools

– aacli.sh: attribute authority CLI to simulate attribute resolving and filtering

– version.sh: provides the version of Shibboleth IdP

ls -l $IDP_HOME/bin

-rw-r--r-- 1 root root 1045 2011-06-08 10:52 aacli.bat
-rwxr-xr-x 1 root root 1118 2011-06-08 10:52 aacli.sh
-rw-r--r-- 1 root root  445 2011-06-08 10:52 cpappend.bat
-rw-r--r-- 1 root root  895 2011-06-08 10:52 version.bat
-rwxr-xr-x 1 root root 1043 2011-06-08 10:52 version.sh

Page 19

Shibboleth IdP installation

IDP_HOME/conf configuration files

ls -l $IDP_HOME/conf

-rw-r--r-- 1 root root  3468 2011-10-09 07:34 attribute-filter.xml
-rw-r--r-- 1 root root 22171 2011-10-09 07:38 attribute-resolver.xml
-rw-r--r-- 1 root root  6442 2011-10-09 07:41 handler.xml
-rw-r--r-- 1 root root 12069 2011-10-09 07:41 internal.xml
-rw-r--r-- 1 root root  3108 2011-06-08 10:52 logging.xml
-rw-r--r-- 1 root root  1631 2011-07-11 14:13 login.config
-rw-r--r-- 1 root root 14134 2011-10-09 07:37 relying-party.xml
-rw-r--r-- 1 root root  3892 2011-10-09 07:44 service.xml

Page 20

Shibboleth IdP installation

IDP_HOME/credentials: private key, public certificate & keystore

– The private key (idp.key) is used for signing SAML messages

– The public key (idp.crt) is published via the metadata and can be used to encrypt SAML messages from the SP to the IdP

– These are different from the credentials used for HTTPS: the Apache configuration uses CA-issued server certificates

ls -l $IDP_HOME/credentials

-rw-r--r-- 1 root root 1200 2012-03-02 13:42 idp.crt
-rw-r--r-- 1 root root 2214 2012-03-02 13:42 idp.jks
-rw-r--r-- 1 root root 1679 2012-03-02 13:42 idp.key

Page 21

Shibboleth IdP installation

IDP_HOME/credentials: private key, public certificate & keystore

– For this workshop we have generated self-signed credentials which are already present in the federation metadata

cp /home/student/workshop/idp.key $IDP_HOME/credentials/
cp /home/student/workshop/idp.crt $IDP_HOME/credentials/

Page 22

Shibboleth IdP installation

IDP_HOME/lib

– Contains all Java libraries (jar files) which make up the IdP

– These files are copies of those present in the war file

– Only used by the command line tools

– Java libraries < JAR < WAR < EAR

ls -l $IDP_HOME/lib

-rw-r--r-- 1 root root  62983 2011-07-18 06:11 activation-1.1.jar
…
-rw-r--r-- 1 root root 623568 2011-10-23 16:36 xmltooling-1.3.3.jar

Page 23

Shibboleth IdP installation

IDP_HOME/logs

– To be configured in logging.xml

– Process log: detailed description of the IdP processing requests

– Access log: record of all clients which connect to the IdP

– Audit log: record of all information sent out by the IdP

– Soon audit logging will be available on the SP side as well

ls -l $IDP_HOME/logs
…

Page 24

Shibboleth IdP installation

IDP_HOME/metadata

– Default location where local metadata and backups of remote metadata files are stored

– The IdP does not automatically load any metadata; the IdP must be explicitly told where to look for metadata in relying-party.xml

ls -l $IDP_HOME/metadata

-rw-r--r-- 1 root root 5499 2011-06-08 10:52 idp-metadata.xml

Page 25

Shibboleth IdP installation

IDP_HOME/war

– The actual file used by Tomcat to deploy the IdP web application

– Tomcat must be told where to find the war file

ls -l $IDP_HOME/war

-rw-r--r-- 1 root root 16613597 2012-03-02 13:42 idp.war

Page 26

Shibboleth IdP installation

Context descriptor for the IdP in Tomcat

– Create the file /etc/tomcat6/Catalina/localhost/idp.xml, where idp will be the path

– Workshop specific:

<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false"
         swallowOutput="true" />

cd /home/student/workshop/
cp catalina-idp.xml /etc/tomcat6/Catalina/localhost/idp.xml
cp idp-workshop.war /opt/shibboleth-idp/war/idp.war

Page 27

Tomcat Configuration

Define the communication ports between Tomcat and Apache

– Configure /etc/tomcat6/server.xml

– Comment out the connector on port 8080

vim /etc/tomcat6/server.xml

…
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" redirectPort="8443" enableLookups="false" />
…

Page 28

Tomcat Configuration

Restart Tomcat and check the listening ports

/etc/init.d/tomcat6 restart
 * Stopping Tomcat servlet engine tomcat6 [ OK ]
 * Starting Tomcat servlet engine tomcat6 [ OK ]

netstat -nl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
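The two server.xml settings asked for on pages 27 and 28 (8080 commented out, AJP pinned to 127.0.0.1) are easy to get half right; the netstat output above still shows 0.0.0.0:8080 listening. The following audit script is an added example, not part of the workshop material; the two server.xml fragments in it are constructed, and only the Connector line from page 27 is taken from the slides.

```python
"""Audit a Tomcat server.xml against the workshop's connector policy:
  - no active plain-HTTP connector on port 8080 (Apache is the only front door);
  - the AJP/1.3 connector on 8009 must bind to 127.0.0.1 only.
Connectors that have been commented out are dropped by the XML parser, which is
exactly the semantics we want for "put in comment"."""
import xml.etree.ElementTree as ET
from typing import List

AJP_PORT = "8009"
AJP_BIND = "127.0.0.1"
HTTP_PORT = "8080"


def audit_connectors(server_xml: str) -> List[str]:
    """Return findings; an empty list means the file matches the policy."""
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    ajp_seen = False
    for conn in root.iter("Connector"):
        port = conn.get("port")
        proto = conn.get("protocol", "HTTP/1.1")   # Tomcat's default protocol
        addr = conn.get("address")                 # None = all interfaces
        if proto.startswith("AJP"):
            ajp_seen = True
            if port != AJP_PORT:
                findings.append(f"AJP connector on unexpected port {port}")
            if addr != AJP_BIND:
                findings.append(f"AJP connector on {port} listens on "
                                f"{addr or '0.0.0.0'}, expected {AJP_BIND}")
        elif port == HTTP_PORT:
            findings.append(f"HTTP connector on {HTTP_PORT} is still active; "
                            "Tomcat is reachable without going through Apache")
    if not ajp_seen:
        findings.append("no AJP connector defined; Apache cannot reach Tomcat")
    return findings


# Constructed 'before' state: a stock server.xml, nothing edited yet.
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               URIEncoding="UTF-8" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed 'after' state: 8080 commented out, AJP connector as on page 27.
SERVER_XML_AFTER = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               URIEncoding="UTF-8" redirectPort="8443" />
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3"
               redirectPort="8443" enableLookups="false" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        print(label, audit_connectors(xml) or ["OK"])
```

Run it against the real file with `audit_connectors(open("/etc/tomcat6/server.xml").read())` after editing; the check complements the netstat step, which only tells you what is bound, not why.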

Page 29

CA-issued Server Certificate

Request a server certificate: https://dcs.belnet.be

– Workshop specific: the chain file comodo-chain.pem is already present in /etc/ssl/certs/; don’t forget to download and install this chain certificate when requesting the IdP server certificate for your own environment

cd /home/student/workshop
cp idp#.ws.belnet.be.key /etc/ssl/private/
cp idp#.ws.belnet.be.pem /etc/ssl/certs/

Page 30

Apache configuration

Create a specific configuration file for the IdP

– Create the file /etc/apache2/sites-available/idp

– Workshop specific:
  – Replace [#] with your assigned group number
  – Press [ESC]
  – :%s/\[#\]/your number/g

cd /home/student/workshop
cp apache-your-idp-site-config /etc/apache2/sites-available/idp
vim /etc/apache2/sites-available/idp

Page 31

Apache configuration

Two important sections in the configuration file:

– Virtual host listening on port 443:
  • TERENA SSL certificate
  • AJP connector to Tomcat

– Virtual host listening on port 8443:
  • Self-signed certificate
  • SSL client authentication to identify SPs (based on trust in metadata)
  • AJP connector to Tomcat

Page 32

Apache configuration

Enable the IdP configuration file

a2ensite idp

Enable mod_ssl

a2enmod ssl

Enable mod_proxy_ajp

a2enmod proxy_ajp

Page 33

Apache configuration

Check & restart Apache

apache2ctl -t
Syntax OK

apache2ctl -k restart
netstat -nl

Page 34

Shibboleth IdP Configuration

Set IdP directory & file permissions

chown tomcat6 $IDP_HOME/metadata
chown tomcat6 $IDP_HOME/logs
chown -R tomcat6 $IDP_HOME/credentials
chmod 750 $IDP_HOME/credentials
cd $IDP_HOME/credentials
chmod 440 idp.key
chmod 644 idp.crt
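A check for the modes set above, as an added example that is not part of the workshop material: it flags any path in IDP_HOME/credentials that is more permissive than page 34 leaves it, and in particular a world-readable idp.key. Ownership (chown tomcat6) is deliberately left out so the script runs on a machine without a tomcat6 user; the throw-away credentials directory it builds is constructed for the example.

```python
"""Verify IDP_HOME/credentials against the modes from page 34:
  credentials/  0750  (tomcat6 owns it; others may not even list it)
  idp.key       0440  (SAML signing key: read-only, owner and group only)
  idp.crt       0644  (public certificate; world-readable is fine)
Modes stricter than expected are not reported: less access is not a risk."""
import os
import stat
import tempfile
from typing import Dict, List

EXPECTED_MODES: Dict[str, int] = {
    ".": 0o750,
    "idp.key": 0o440,
    "idp.crt": 0o644,
}


def audit_credentials(cred_dir: str) -> List[str]:
    """Return one finding per path that is missing or grants permission bits
    beyond its expected mode; an empty list means the directory is as set."""
    findings: List[str] = []
    for name, expected in EXPECTED_MODES.items():
        path = os.path.join(cred_dir, name)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append(f"{name}: missing")
            continue
        extra = mode & ~expected          # bits set that the policy does not allow
        if extra:
            findings.append(f"{name}: mode {mode:04o} grants extra bits "
                            f"{extra:04o} beyond {expected:04o}")
        if name == "idp.key" and mode & stat.S_IROTH:
            findings.append("idp.key: private signing key is world-readable")
    return findings


def build_fixture(apply_chmod: bool) -> str:
    """Constructed fixture: a credentials directory as install.sh leaves it
    (0755 directory, 0644 files), optionally after the page-34 chmod commands."""
    d = tempfile.mkdtemp(prefix="idp-credentials-")
    for name in ("idp.key", "idp.crt", "idp.jks"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("constructed placeholder, not a real credential\n")
        os.chmod(os.path.join(d, name), 0o644)
    os.chmod(d, 0o755)
    if apply_chmod:                       # the commands from page 34
        os.chmod(d, 0o750)
        os.chmod(os.path.join(d, "idp.key"), 0o440)
        os.chmod(os.path.join(d, "idp.crt"), 0o644)
    return d


if __name__ == "__main__":
    print("fresh install:", audit_credentials(build_fixture(False)))
    print("after chmod:  ", audit_credentials(build_fixture(True)) or ["OK"])
```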

Page 35

Shibboleth IdP Configuration

Download the R&E Test Federation certificate

– The Test Federation metadata is signed with this certificate, so your IdP can check its authenticity during download

– Workshop specific: certificate.federation.belnet.be.pem is already present in /etc/ssl/certs/

– Don’t forget to also put the TERENA chain file in /etc/ssl/certs/

cd $IDP_HOME/credentials
wget https://federation.belnet.be/certificate.federation.belnet.be.pem

Page 36

Shibboleth IdP Configuration

Create the IdP metadata file

– The IdP must be made aware of its own identity

– Workshop specific:
  – Fill in your organization information, which is required for the Belnet R&E Federation

ls -l $IDP_HOME/metadata
cp /home/student/workshop/idp-metadata.xml $IDP_HOME/metadata/idp-metadata.xml
vim $IDP_HOME/metadata/idp-metadata.xml

Page 37

Shibboleth IdP Configuration

Configure the Relying Party elements

IdP’s own metadata configuration

– No changes required

vim $IDP_HOME/conf/relying-party.xml

<!-- Load the IdP's own metadata. This is necessary for artifact support. -->
<metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
    <metadata:MetadataResource xsi:type="resource:FilesystemResource" xmlns="urn:mace:shibboleth:2.0:metadata"
                               file="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
</metadata:MetadataProvider>

Page 38

Shibboleth IdP Configuration

Security configuration for the IdP

– No changes required

<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
</security:Credential>

Page 39

Shibboleth IdP Configuration

Metadata configuration – Test Federation

<metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           metadataURL="https://federation.belnet.be/testfederation-metadata.xml"
                           backingFile="/opt/shibboleth-idp/metadata/testfederation-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P10D" />
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                 trustEngineRef="shibboleth.MetadataTrustEngine"
                                 requireSignedMetadata="true" />
        <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
            <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
        </metadata:MetadataFilter>
    </metadata:MetadataFilter>
</metadata:MetadataProvider>

Page 40

Shibboleth IdP Configuration

Security configuration – Test Federation

– Uncomment this trust engine

– Location of the Test Federation certificate used by the IdP to validate the Test Federation metadata during download

<!-- Trust engine used to evaluate the signature on loaded metadata. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/certificate.federation.belnet.be.pem</security:Certificate>
    </security:Credential>
</security:TrustEngine>
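To make the effect of the filter chain on pages 39 and 40 visible, the script below emulates the three filters on a small federation aggregate. It is an added example, not Shibboleth code: the aggregate is constructed, and the signature step only checks that a ds:Signature is present, where the real IdP verifies the XML signature against the certificate named in the trust engine above.

```python
"""Emulate the ChainingFilter from relying-party.xml on a metadata aggregate:
  1. RequiredValidUntil maxValidityInterval="P10D": reject the whole file if
     validUntil is missing, expired, or more than 10 days ahead (an unbounded
     aggregate could be replayed forever);
  2. SignatureValidation requireSignedMetadata="true": reject if unsigned
     (presence check only here; the IdP does full XML-DSig verification);
  3. EntityRoleWhiteList with RetainedRole samlmd:SPSSODescriptor: keep SP
     roles only, drop other IdPs and any other role."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAX_VALIDITY = timedelta(days=10)            # P10D


class MetadataRejected(Exception):
    """A filter refused the aggregate; the IdP keeps its last good backingFile."""


def filter_aggregate(xml_text: str, now: datetime) -> List[str]:
    """Return the entityIDs that survive the chain, or raise MetadataRejected."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")                       # 1. RequiredValidUntil
    if valid_until is None:
        raise MetadataRejected("validUntil missing")
    until = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if until < now:
        raise MetadataRejected(f"validUntil {valid_until} already passed")
    if until - now > MAX_VALIDITY:
        raise MetadataRejected(f"validUntil {valid_until} exceeds P10D")
    if root.find("ds:Signature", NS) is None:                  # 2. SignatureValidation
        raise MetadataRejected("aggregate is not signed")
    kept = []                                                   # 3. EntityRoleWhiteList
    for ent in root.findall("md:EntityDescriptor", NS):
        if ent.find("md:SPSSODescriptor", NS) is not None:
            kept.append(ent.get("entityID"))
    return kept


def make_aggregate(valid_until: Optional[str], signed: bool = True) -> str:
    """Constructed aggregate: one SP (the workshop test SP from page 49) and one
    IdP; the signature element is a placeholder, not a real XML-DSig."""
    vu = f' validUntil="{valid_until}"' if valid_until else ""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>'
           if signed else "")
    return f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"{vu}>
  {sig}
  <md:EntityDescriptor entityID="https://sptest.ws.belnet.be/shibboleth-sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


NOW = datetime(2012, 3, 15, 12, 0, tzinfo=timezone.utc)     # the workshop day

if __name__ == "__main__":
    print(filter_aggregate(make_aggregate("2012-03-20T00:00:00Z"), NOW))
    for bad in (make_aggregate("2013-03-15T00:00:00Z"),       # a year of validity
                make_aggregate(None),                          # no validUntil at all
                make_aggregate("2012-03-20T00:00:00Z", signed=False)):
        try:
            filter_aggregate(bad, NOW)
        except MetadataRejected as e:
            print("rejected:", e)
```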

Page 41

Shibboleth IdP Configuration

Set the log level to DEBUG

– Replace INFO, ERROR, WARN by DEBUG

vim $IDP_HOME/conf/logging.xml

Page 42

User Authentication

Define which user authentication mechanism will be used

– Define the username and password mechanism in IDP_HOME/conf/handler.xml

– Uncomment the username/password login handler and put the “RemoteUser” login handler in comment

<!-- Username/password login handler -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

Page 43

User Authentication

Report the correct authentication method with SSO

– Add reportPreviousSessionAuthnMethod="true"

– Reports the previous session’s authentication method whenever SSO is used

<!-- Removal of this login handler will disable SSO support, that is it will require the user to authenticate on every request. -->
<ph:LoginHandler xsi:type="ph:PreviousSession" reportPreviousSessionAuthnMethod="true">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
</ph:LoginHandler>

Page 44

User Authentication

Define JAAS LDAP authentication

– Configure JAAS in IDP_HOME/conf/login.config

– Edit the LDAP section and remove the comments

– See the Shibboleth wiki

vim $IDP_HOME/conf/login.config

edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldap://ldap.ws.belnet.be:389"
    baseDn="dc=belnet,dc=be"
    bindDn="cn=idp,dc=belnet,dc=be"
    bindCredential="workshop"
    ssl="false"
    userFilter="uid={0}"
    subtreeSearch="true";

Page 45

Attribute Resolving

Define how the IdP will search for user attributes

– Configure LDAP access in the “Data Connector” section of IDP_HOME/conf/attribute-resolver.xml

<!-- Example LDAP Connector -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldap://ldap.ws.belnet.be"
                        baseDN="dc=belnet,dc=be"
                        principal="cn=idp,dc=belnet,dc=be"
                        principalCredential="workshop"
                        searchScope="SUBTREE">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>

cp /home/student/workshop/attribute-resolver.xml $IDP_HOME/conf/

Page 46

Basic Attributes Configuration

Mapping of SAML attributes to LDAP attributes

– Configure in the “Attribute Definitions” section of IDP_HOME/conf/attribute-resolver.xml

– Warning! The Belnet R&E Federation requires the eduPerson schema extension:

– Platform specific instructions: https://spaces.internet2.edu/display/macedir/LDIFs

Page 47

Basic Attribute Filter Policy Configuration

Release all known attributes to all SPs (1/2)

– Add content to IDP_HOME/conf/attribute-filter.xml

<AttributeFilterPolicy id="releaseToAll">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="commonName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="organizationalUnit">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonNickname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

Page 48

Basic Attribute Filter Policy Configuration

Release all known attributes to all SPs (2/2)

    <AttributeRule attributeID="eduPersonOrgDN">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrimaryAffiliation">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="organizationName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="preferredLanguage">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
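The policy on pages 47 and 48 is an allow-list: anything the resolver produces that no AttributeRule names is never released, and PolicyRequirementRule decides which SPs a policy applies to at all. The script below is an added example, not Shibboleth code; it applies a shortened copy of "releaseToAll" plus a constructed second policy (basic:AttributeRequesterString, scoped to the page-49 test SP) to a constructed set of resolved attributes.

```python
"""Apply an attribute-filter.xml policy group to resolved attributes and return
what the IdP would release to a given requester. Only the basic:ANY and
basic:AttributeRequesterString rule types are modelled, which is all the
workshop policy (and the constructed second policy) uses."""
import xml.etree.ElementTree as ET
from typing import Dict, List

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

POLICY_XML = """<AttributeFilterPolicyGroup xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToAll">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="commonName"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="email"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <!-- constructed for this example: entitlement released to the workshop test SP only -->
  <AttributeFilterPolicy id="entitlementToTestSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://sptest.ws.belnet.be/shibboleth-sp" />
    <AttributeRule attributeID="eduPersonEntitlement"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def policy_applies(rule: ET.Element, requester: str) -> bool:
    """Evaluate a PolicyRequirementRule for the SP identified by `requester`."""
    kind = rule.get(XSI_TYPE)
    if kind == "basic:ANY":
        return True
    if kind == "basic:AttributeRequesterString":
        return rule.get("value") == requester
    raise ValueError(f"unsupported PolicyRequirementRule type {kind}")


def release(policy_xml: str, requester: str,
            resolved: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Attributes released to `requester`: the union of the AttributeRules of every
    policy whose requirement rule matches. A resolved attribute without a rule
    stays with the IdP, whatever the SP requests."""
    root = ET.fromstring(policy_xml)
    released: Dict[str, List[str]] = {}
    for policy in root.findall("AttributeFilterPolicy"):
        req = policy.find("PolicyRequirementRule")
        if req is None or not policy_applies(req, requester):
            continue
        for rule in policy.findall("AttributeRule"):
            attr = rule.get("attributeID")
            permit = rule.find("PermitValueRule")
            if attr in resolved and permit is not None and permit.get(XSI_TYPE) == "basic:ANY":
                released[attr] = list(resolved[attr])   # basic:ANY passes every value
    return released


# Constructed resolver output for student1 (what aacli.sh on page 49 would show).
RESOLVED: Dict[str, List[str]] = {
    "eduPersonPrincipalName": ["student1@ws.belnet.be"],
    "commonName": ["Student One"],
    "email": ["student1@ws.belnet.be"],
    "eduPersonEntitlement": ["urn:mace:example.org:entitlement:workshop"],
    "employeeNumber": ["000123"],          # resolved, but no rule anywhere: never released
}

TEST_SP = "https://sptest.ws.belnet.be/shibboleth-sp"
OTHER_SP = "https://other-sp.example.org/shibboleth"   # constructed entityID

if __name__ == "__main__":
    print(sorted(release(POLICY_XML, TEST_SP, RESOLVED)))
    print(sorted(release(POLICY_XML, OTHER_SP, RESOLVED)))
```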

Page 49

Test IdP Attributes

Test Resolver

cd $IDP_HOME/bin
./aacli.sh --configDir $IDP_HOME/conf/ --principal 'student#@ws.belnet.be'

• Test Resolver & Filter

cd $IDP_HOME/bin
./aacli.sh --configDir $IDP_HOME/conf/ --principal 'student#@ws.belnet.be' --requester 'https://sptest.ws.belnet.be/shibboleth-sp'

Page 50

Registration of IdP metadata

• Get your IdP metadata:
  – https://idp#.ws.belnet.be/profile/Metadata/SAML

• Surf to the Belnet R&E Federation management
  – https://federation.belnet.be
  – Log in with username student & password workshop
  – Submit the IdP metadata
  – Wait till the Admin has accepted & reloaded the metadata

• Restart Tomcat

/etc/init.d/tomcat6 restart
 * Stopping Tomcat servlet engine tomcat6 [OK]
 * Starting Tomcat servlet engine tomcat6 [OK]

Page 51