Shibboleth Identity Provider Setup on Linux
This document explains how to install the Shibboleth Identity Provider (IdP) behind the Apache web server and Tomcat. It assumes that Apache and Java are already installed on your machine and that you are running Linux. The Java version I'm using is version 5.
- Environment
Set up the environment variables JAVA_HOME, JRE_HOME and ANT_HOME. They point to the install directories of Java, Java's JRE and Ant respectively. Add the following to your .bash_profile (these are my locations; yours may differ, so change them appropriately):
export JAVA_HOME=/opt/java
export JRE_HOME=$JAVA_HOME/jre
export ANT_HOME=/opt/ant
Add the bin directories to your PATH variable:
export PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin:$ANT_HOME/bin
Finally, activate your .bash_profile by doing this:
. ~/.bash_profile
If Tomcat is not already installed on your machine, you'll need to download and install it. I am using version 5.5 and it works with Shibboleth; I haven't tested any other versions. This is the source distribution. I like it because it is built for my machine and I know exactly where all the files are.
wget -P ~ ftp://apache.mirrors.tds.net/pub/apache.org/tomcat/tomcat-5/v5.5.23/src/apache-tomcat-5.5.23-src.tar.gz
cd ~
gunzip apache-tomcat-5.5.23-src.tar.gz
tar -xf apache-tomcat-5.5.23-src.tar
cd apache-tomcat-5.5.23-src
ant
Depending on how fast your computer is, this part will take a while, as the build downloads its dependencies and then builds Tomcat. The FTP mirror gives you no integrity guarantee on its own, so check the tarball against the checksum or PGP signature published on tomcat.apache.org before building. The finished binary tree ends up in build/build; copy it to /opt/tomcat:
cd build
cp -pr build /opt/tomcat
Next, create the tomcat user and group and change the ownership of /opt/tomcat so that Tomcat does not run as root.
groupadd tomcat
useradd -g tomcat tomcat
chown -R tomcat:tomcat /opt/tomcat
Set up a manager role for Tomcat, and be sure to change all of the default passwords. The stock tomcat-users.xml ships with accounts whose password is "tomcat", and anyone holding the manager role can deploy a WAR file, which amounts to running arbitrary code as the tomcat user, so remove the stock accounts and pick a strong password.
cd /opt/tomcat/conf
Edit the tomcat-users.xml file.
In between the <tomcat-users>...</tomcat-users> tags, add these lines (replacing some_password with a long random password):
<role rolename="manager"/>
<user username="manage" password="some_password" roles="manager" />
Save the file.
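As an added check (example code written for this page, not part of Tomcat or Shibboleth), the following Python script audits a tomcat-users.xml before Tomcat is started. It flags the three accounts the stock Tomcat 5.5 file ships with (tomcat, both and role1, all with the password "tomcat"), empty or placeholder passwords such as the some_password above, and short passwords on accounts that hold the manager or admin role. The two documents at the bottom are constructed samples, not copies of a real file; only the standard library is used.

```python
import xml.etree.ElementTree as ET

# Accounts in the stock Tomcat 5.5 conf/tomcat-users.xml; all three use the password "tomcat".
STOCK_ACCOUNTS = {("tomcat", "tomcat"), ("both", "tomcat"), ("role1", "tomcat")}
# Holders of these roles can deploy a WAR through the manager/admin webapps, i.e. run code as tomcat.
PRIVILEGED_ROLES = {"manager", "admin"}
# Placeholder passwords that tend to survive from tutorials into production.
PLACEHOLDER_PASSWORDS = {"password", "some_password", "changeme", "secret", "tomcat"}


def audit_tomcat_users(xml_text, min_length=12):
    """Return a list of findings for a tomcat-users.xml document; [] means nothing obvious is wrong."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        # Tomcat's MemoryUserDatabase accepts either spelling of the name attribute.
        name = user.get("username") or user.get("name") or "?"
        password = user.get("password") or ""
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES
        if (name, password) in STOCK_ACCOUNTS:
            findings.append(f"{name}: stock Tomcat account with its default password, delete it")
        elif not password:
            findings.append(f"{name}: empty password")
        elif password.lower() in PLACEHOLDER_PASSWORDS or password.lower() == name.lower():
            findings.append(f"{name}: placeholder or username-derived password")
        elif privileged and len(password) < min_length:
            findings.append(f"{name}: {sorted(privileged)} role with a password shorter than {min_length}")
    return findings


# Constructed sample: the stock 5.5 accounts plus a manager account added the way the text above suggests.
AS_INSTALLED = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="manage" password="some_password" roles="manager"/>
</tomcat-users>"""

# Constructed sample after cleanup: only the manager account remains, with a long random password.
HARDENED = """<tomcat-users>
  <role rolename="manager"/>
  <user username="manage" password="fY2x9qL0dWpV6hBn3sRkT8" roles="manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(AS_INSTALLED) or ["no findings"]:
        print(finding)
```

Run it against /opt/tomcat/conf/tomcat-users.xml (read the file and pass its text to audit_tomcat_users) after editing and before starting Tomcat; an empty result is the goal.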
Start tomcat.
cd /opt/tomcat/bin
./catalina.sh start
If you want Tomcat to start at boot time, create a shell script called tomcat (or whatever) and put it in /etc/init.d. This is a simple file; here's the source. Change the paths at the top to suit your system. The two comment lines starting with "chkconfig:" and "description:" are read by chkconfig and are what make the chkconfig --add command below work. Once the file is created, make it executable (chmod 700 /etc/init.d/tomcat).
#!/bin/sh
# Tomcat Startup Script
# chkconfig: 35 85 15
# description: Apache Tomcat servlet container (hosts the Shibboleth IdP)
CATALINA_HOME=/opt/tomcat; export CATALINA_HOME
JAVA_HOME=/opt/java; export JAVA_HOME
TOMCAT_OWNER=tomcat; export TOMCAT_OWNER
start() {
    echo -n "Starting Tomcat: "
    su $TOMCAT_OWNER -c $CATALINA_HOME/bin/startup.sh
    sleep 2
}
stop() {
    echo -n "Stopping Tomcat: "
    su $TOMCAT_OWNER -c $CATALINA_HOME/bin/shutdown.sh
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: tomcat {start|stop|restart}"
        exit 1
esac
exit 0
To activate it for boot and shutdown (this works on RedHat/Fedora and other chkconfig-based Linux systems), run the command below. Based on the chkconfig header in the script, it adds tomcat to run-levels 3 and 5.
chkconfig --add tomcat
- Firewall (Linux) and Router
Configure iptables to accept these ports. These should be set in the *filter section. Only 80 and 443 (Apache) and 8443 (Tomcat's SSL connector, where the attribute authority answers) need to be reachable from outside. Port 8009 is the AJP link between mod_jk and Tomcat on the same host; once the AJP connector is bound to 127.0.0.1 as shown later, it needs no INPUT rule at all, and 8080 can be left out if nothing outside needs to reach Tomcat directly. The OUTPUT rules only matter if your OUTPUT chain policy is DROP.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8009 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8009 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8443 -j ACCEPT
The router must also forward the externally needed ports to the internal IP of the machine that will host Shibboleth. It is assumed you already know how to do this, since not all routers work the same way.
- mod_jk.so
This setup passes requests from Apache to Tomcat through the mod_jk.so module, so Apache needs it. If you don't already have it, download the build for your Apache version:
wget ~
Rename the downloaded file to mod_jk.so.
Copy it to /opt/apache/modules (or wherever your Apache modules live).
- Get and Install Shibboleth
Download Shibboleth and install it:
wget ~
cd ~
gunzip shibboleth-idp-1.3.2.tar.gz
tar -xf shibboleth-idp-1.3.2.tar
The xercesImpl.jar, xml-apis.jar and xmlParserAPIs.jar that ship with Sun's Java are not suitable for Shibboleth, so override them with the versions from the Shibboleth distribution by putting those into Tomcat's endorsed directory (the install log below shows the distribution unpacked to ~/shibboleth-1.3.2-install):
cp ~/shibboleth-1.3.2-install/endorsed/*.jar /opt/tomcat/common/endorsed
Install Shibboleth.
cd ~/shibboleth-1.3.2-install
./ant
The prompts and output of the installation follow. I went with the defaults, except for deploying directly to the filesystem, which copies the war file to /opt/tomcat/webapps. The Shibboleth IdP itself is installed in /usr/local/shibboleth-idp.
Buildfile: build.xml
init:
install.init:
install:
Do you want to install the Shibboleth Identity Provider? [Y,n]
y
What name do you want to use for the Identity Provider web application? [default: shibboleth-idp]
init:
install.init:
install.idp:
Deploying the java web application. Do you want to install it directly onto the filesystem or use the tomcat manager application?
1) filesystem
2) manager (default)
1
init:
install.init:
install.idp.filesystem.prompt:
Select a home directory for the Shibboleth Identity Provider [default: /usr/local/shibboleth-idp]
Enter tomcat home directory [default: /opt/tomcat]
init:
install.init:
compile:
ext-invoke:
build-util:
install.url:
package-idp:
Copying 1 file to /root/shibboleth-1.3.2-install/webAppConfig
ext-invoke:
Building war: /root/shibboleth-1.3.2-install/dist/shibboleth-idp.war
Deleting: /root/shibboleth-1.3.2-install/webAppConfig/idp.xml
install.idp.filesystem:
Copying 1 file to /opt/tomcat/webapps
init:
install.init:
install.idp.buildHome:
ext-invoke:
savePropertyFile:
Updating property file: /root/shibboleth-1.3.2-install/build.properties
BUILD SUCCESSFUL
Total time: 16 seconds
- Tomcat and Apache Configuration Setup
The following shows how to set up Apache and Tomcat so that Shibboleth works behind them. Apache performs the Basic authentication and passes the request, including the authenticated username, to Tomcat over AJP; tomcatAuthentication="false" tells Tomcat to accept that username as-is instead of authenticating the user itself. Tomcat therefore trusts anything that reaches port 8009, so the connector must stay bound to 127.0.0.1; anyone able to connect to an unbound AJP port could log in to the IdP as any user.
Modify server.xml in /opt/tomcat/conf/ so the AJP connector looks like the following (Tomcat 5.0 spelled the attribute request.tomcatAuthentication; 5.5 uses tomcatAuthentication):
<Connector port="8009"
           tomcatAuthentication="false"
           address="127.0.0.1"
           enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
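Because tomcatAuthentication="false" makes Tomcat accept whatever REMOTE_USER arrives over AJP, the address binding is the control that keeps anyone on the network from logging in as an arbitrary user. The following Python script (an added example for this page, not Tomcat or Shibboleth code) parses a server.xml and reports AJP connectors that trust the peer without being bound to loopback, and plain HTTP connectors that expose the webapp without going through Apache. The two server.xml fragments are constructed samples; the SSL connector on 8443 is skipped because the attribute authority has to be reachable there.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_connectors(server_xml):
    """Return findings for the <Connector> elements of a Tomcat server.xml; [] means none."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port")
        protocol = c.get("protocol", "HTTP/1.1")  # Tomcat 5.5 default when the attribute is omitted
        address = c.get("address")               # None means "listen on every interface"
        # Tomcat 5.0 used request.tomcatAuthentication, 5.5 uses tomcatAuthentication; check both.
        flags = (c.get("tomcatAuthentication", "true"), c.get("request.tomcatAuthentication", "true"))
        trusts_remote_user = any(f.lower() == "false" for f in flags)
        if protocol.startswith("AJP"):
            if trusts_remote_user and address not in LOOPBACK:
                findings.append(f"AJP {port}: tomcatAuthentication=false but address={address}; "
                                "anyone who can reach this port can assert any REMOTE_USER")
        elif c.get("scheme", "http") != "https" and address not in LOOPBACK:
            findings.append(f"HTTP {port}: serves the webapp directly, bypassing Apache and its Basic auth; "
                            "bind it to 127.0.0.1 or remove it")
    return findings


# Constructed sample: the connectors from a stock server.xml with the AJP tweak but no address binding.
UNBOUND = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" enableLookups="false" redirectPort="8443"/>
    <Connector port="8009" request.tomcatAuthentication="false" enableLookups="false"
               redirectPort="8443" protocol="AJP/1.3"/>
    <Connector port="8443" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>"""

# Constructed sample: the same connectors with 8080 and 8009 bound to loopback.
BOUND = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" enableLookups="false" redirectPort="8443"/>
    <Connector port="8009" tomcatAuthentication="false" address="127.0.0.1" enableLookups="false"
               redirectPort="8443" protocol="AJP/1.3"/>
    <Connector port="8443" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for finding in audit_connectors(UNBOUND) or ["no findings"]:
        print(finding)
```

Feed it the text of /opt/tomcat/conf/server.xml after editing; the iptables rules above are a second line of defence, but the address binding is the one that still holds if the firewall is flushed.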
Add the following to the end of httpd.conf (the paths assume Apache is installed under /opt/apache; adjust them to your layout):
<IfModule !mod_jk.c>
  LoadModule jk_module /opt/apache/modules/mod_jk.so
  JkWorkersFile /opt/apache/conf/jk/workers.properties
  JkLogFile /opt/apache/logs/mod_jk.log
  # debug is useful while setting up; lower it to info once Shibboleth works
  JkLogLevel debug
  JkMount /shibboleth-idp/* ajp13
  JkMount /shibboleth/* ajp13
  JkMount /shibboleth ajp13
  # the Tomcat example webapps should not be exposed on a production IdP
  # JkMount /jsp-examples/* ajp13
</IfModule>
# This is for Apache to use its built-in Basic authentication on the SSO endpoint
<Location /shibboleth-idp/SSO>
  AuthType Basic
  AuthName "Villain Verification Service (VVS)"
  AuthUserFile /opt/apache/conf/user.db
  require valid-user
</Location>
Basic authentication sends the password base64-encoded, not encrypted, on every request, so make sure the SSO location is only reachable over the HTTPS virtual host.
Create the user.db database and a user (the -c option creates the file and truncates an existing one, so leave it off when adding further users):
htpasswd -c /opt/apache/conf/user.db <some user>
Create the /opt/apache/conf/jk directory and a workers.properties file in it:
mkdir /opt/apache/conf/jk
touch /opt/apache/conf/jk/workers.properties
Add the following to /opt/apache/conf/jk/workers.properties. The Apache logs will say some of these directives are obsolete, but they work; you can always change them after you get Shibboleth up and running.
# Define 1 real worker using ajp13
worker.list=ajp13
# Set properties for the ajp13 worker
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.recycle_timeout=300
- Sign Up with Testshib.org
Go to testshib.org and click on the Login link. I signed up with OpenIDP.org. See the Shibboleth Configuration section below for the configuration.
- Shibboleth Configuration
After signing up, I followed their setup guide (copied below).
Identity Provider Configuration
- TestShib's configuration files are distributed as a set of files that replace the distribution configuration directory for your comfort. Back up the existing configuration directory and let's begin.
- [VINCE] Configuration directory is /usr/local/shibboleth-idp/etc.
- Download either the .tar file or .zip file.
- Decompress the file and copy its contents into the default configuration directory, overwriting when needed.
- Place the testshib.key and testshib.crt files you received when you joined TestShib into the default configuration directory too. Make sure the names are right. If you lost these, rejoin.
- The port 8443 virtual host defined in httpd.conf or ssl.conf needs to use these new keys as well. Change the SSLCertificateFile and SSLCertificateKeyFile directives to match.
- Change the providerId value of idp.xml's main IdPConfig element to match the one you're using with TestShib.
- Change the smartScope attributes in resolver.xml to match your base domain (e.g., supervillain.edu).
- If you'll be testing against other TestShib members as well as the dummy providers, grab a fresh copy of the metadata from and put it in the config directory.
That's it. Restart Apache and Tomcat, and it's time to test it out.
Sample idp.xml configuration, located in /usr/local/shibboleth-idp/etc. The values containing <Your IP or Web Host Name> are the ones that must be changed to correspond to your site; providerId must be exactly the value you registered with TestShib, and AAUrl must match the attribute authority endpoint in your metadata.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Shibboleth Identity Provider configuration -->
<IdPConfig
    xmlns="urn:mace:shibboleth:idp:config:1.0"
    xmlns:cred="urn:mace:shibboleth:credentials:1.0"
    xmlns:name="urn:mace:shibboleth:namemapper:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../schemas/shibboleth-idpconfig-1.0.xsd"
    AAUrl="https://<Your IP or Web Host Name>:8443/shibboleth-idp/AA"
    resolverConfig="file:///usr/local/shibboleth-idp/etc/resolver.xml"
    defaultRelyingParty="urn:mace:shibboleth:testshib"
    providerId="https://<Your IP or Web Host Name>/shibboleth/testshib/idp">
  <!-- AAUrl must match the AttributeService Location in the metadata and the AA handler below (port 8443) -->
  <RelyingParty name="urn:mace:shibboleth:testshib" signingCredential="testshib_creds">
    <NameID nameMapping="shm"/>
  </RelyingParty>
  <ReleasePolicyEngine>
    <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
      <Path>file:///usr/local/shibboleth-idp/etc/arps/</Path>
    </ArpRepository>
  </ReleasePolicyEngine>
  <!-- DEBUG is fine while testing; lower both levels once the IdP works -->
  <Logging>
    <ErrorLog level="DEBUG" location="file:///usr/local/shibboleth-idp/logs/shib-error.log" />
    <TransactionLog level="DEBUG" location="file:///usr/local/shibboleth-idp/logs/shib-access.log" />
  </Logging>
  <NameMapping
      xmlns="urn:mace:shibboleth:namemapper:1.0"
      id="shm"
      format="urn:mace:shibboleth:1.0:nameIdentifier"
      type="SharedMemoryShibHandle"
      handleTTL="28800"/>
  <ArtifactMapper implementation="edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper" />
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="testshib_creds">
      <Key>
        <Path>file:///usr/local/shibboleth-idp/etc/testshib.key</Path>
      </Key>
      <Certificate>
        <Path>file:///usr/local/shibboleth-idp/etc/testshib.crt</Path>
      </Certificate>
    </FileResolver>
  </Credentials>
  <!-- Each handler's Location is a regular expression the request URL must match in full -->
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
    <Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
    <Location>.+:8443/shibboleth-idp/AA</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
    <Location>.+:8443/shibboleth-idp/Artifact</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.Shibboleth_StatusHandler">
    <!-- default Location pattern from the 1.3 distribution -->
    <Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/Status</Location>
  </ProtocolHandler>
  <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
      uri="file:///usr/local/shibboleth-idp/etc/testshib-metadata.xml"/>
</IdPConfig>
Sample resolver.xml configuration, located in /usr/local/shibboleth-idp/etc. The smartScope values containing <Your IP or Web Host Name> are the ones that must be changed to correspond to your site; they must also appear as Scope values in your metadata, or service providers will reject the scoped attributes.
<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:resolver:1.0" xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>
  <!-- To use these attributes, you should change the smartScope value to match your site's domain name. -->
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" smartScope="<Your IP or Web Host Name>">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
  </SimpleAttributeDefinition>
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName" smartScope="<Your IP or Web Host Name>">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>
  <CustomDataConnector id="echo" class="edu.internet2.middleware.shibboleth.aa.attrresolv.provider.SampleConnector"/>
</AttributeResolver>
Finally, this is a sample testshib-metadata.xml file. There is no X.509 certificate in it, as I was just testing to get Shibboleth working. The sample file was created at I did not get the testshib-metadata.xml file from OpenIDP.org's site because it didn't work. However, I still created the file on their side.
enterprise:/usr/local/shibboleth-idp/etc # cat testshib-metadata.xml
<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://<Your IP or Web Host Name>/shibboleth/testshib/idp"
    validUntil="2010-01-01T00:00:00Z">
  <!-- entityID must be exactly the providerId from idp.xml; Scope must match the smartScope values in resolver.xml -->
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <Extensions>
      <shibmd:Scope><Your IP or Web Host Name></shibmd:Scope>
    </Extensions>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <!-- the KeyName is resolved against the subject CN of testshib.crt -->
        <ds:KeyName><Your IP or Web Host Name></ds:KeyName>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://<Your IP or Web Host Name>:8443/shibboleth-idp/Artifact" index="1"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://<Your IP or Web Host Name>/shibboleth-idp/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <Extensions>
      <shibmd:Scope><Your IP or Web Host Name></shibmd:Scope>
    </Extensions>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName><Your IP or Web Host Name></ds:KeyName>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://<Your IP or Web Host Name>:8443/shibboleth-idp/AA"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  </AttributeAuthorityDescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Vince</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Vince</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://<Your IP or Web Host Name>/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <SurName>Vince</SurName>
    <EmailAddress></EmailAddress>
  </ContactPerson>
</EntityDescriptor>
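Three things have to agree across idp.xml, resolver.xml and the metadata: providerId and entityID, AAUrl and the AttributeService Location (which must also be matched by the AA handler's Location regex), and the smartScope values and the metadata Scope. A mismatch in any of them only shows up when a service provider first tries to use the IdP. The following Python script, an added example for this page rather than anything from Shibboleth or TestShib, cross-checks the three files the way an SP and the IdP's ProtocolHandler matching would. sample_docs() constructs minimal stand-in documents (not TestShib's real files) in the shape of the listings above; the hostname idp.example.edu and the frozen clock are assumptions made so the example is reproducible, and only the standard library is used.

```python
"""Cross-check idp.xml, resolver.xml and the IdP's own metadata for the mismatches that break logins."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDP = "urn:mace:shibboleth:idp:config:1.0"
RES = "urn:mace:shibboleth:resolver:1.0"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"


def check_idp_config(idp_xml, resolver_xml, metadata_xml, now=None):
    """Return a list of findings; an empty list means the three documents agree."""
    idp, res, md = (ET.fromstring(doc) for doc in (idp_xml, resolver_xml, metadata_xml))
    findings = []

    # 1. The IdP names itself by providerId; SPs look that name up as entityID in metadata.
    if idp.get("providerId") != md.get("entityID"):
        findings.append(f"providerId {idp.get('providerId')!r} != entityID {md.get('entityID')!r}")

    # 2. AAUrl is written into assertions as the attribute authority; it has to be an
    #    AttributeService endpoint the SP can also find in metadata.
    aa_locations = {e.get("Location") for e in md.iter(f"{{{MD}}}AttributeService")}
    if idp.get("AAUrl") not in aa_locations:
        findings.append(f"AAUrl {idp.get('AAUrl')!r} is not an AttributeService Location {sorted(aa_locations)}")

    # 3. The IdP dispatches on the request URL with the ProtocolHandler <Location> regexes
    #    (full match); an advertised endpoint no regex matches gets "no handler" errors.
    patterns = [loc.text.strip() for loc in idp.iter(f"{{{IDP}}}Location")]
    for tag in ("SingleSignOnService", "AttributeService", "ArtifactResolutionService"):
        for endpoint in md.iter(f"{{{MD}}}{tag}"):
            url = endpoint.get("Location")
            if not any(re.fullmatch(p, url) for p in patterns):
                findings.append(f"{tag} {url} matches no ProtocolHandler Location")

    # 4. smartScope is appended to scoped attributes; SPs only accept scopes listed in metadata.
    scopes = {s.text.strip() for s in md.iter(f"{{{SHIBMD}}}Scope")}
    for attr in res.iter(f"{{{RES}}}SimpleAttributeDefinition"):
        if attr.get("smartScope") and attr.get("smartScope") not in scopes:
            findings.append(f"smartScope {attr.get('smartScope')!r} is not a Scope in the metadata")

    # 5. SPs discard metadata whose validUntil has passed.
    valid_until = md.get("validUntil")
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= (now or datetime.now(timezone.utc)):
            findings.append(f"metadata validUntil {valid_until} has passed")
    return findings


def sample_docs(host, aa_port, provider_id, entity_id, scope_in_metadata):
    """Construct a minimal idp.xml / resolver.xml / metadata trio (stand-ins, not real TestShib files)."""
    idp = f'''<IdPConfig xmlns="{IDP}" AAUrl="https://{host}:{aa_port}/shibboleth-idp/AA" providerId="{provider_id}">
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
    <Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO</Location>
  </ProtocolHandler>
  <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
    <Location>.+:8443/shibboleth-idp/AA</Location>
  </ProtocolHandler>
</IdPConfig>'''
    res = f'''<AttributeResolver xmlns="{RES}">
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName" smartScope="{host}"/>
</AttributeResolver>'''
    scope = f'<Extensions><shibmd:Scope xmlns:shibmd="{SHIBMD}">{host}</shibmd:Scope></Extensions>' if scope_in_metadata else ""
    md = f'''<EntityDescriptor xmlns="{MD}" entityID="{entity_id}" validUntil="2010-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">{scope}
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://{host}/shibboleth-idp/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">{scope}
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://{host}:8443/shibboleth-idp/AA"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>'''
    return idp, res, md


# The sample metadata says validUntil 2010; pin "now" before that so the example is reproducible.
FROZEN_NOW = datetime(2007, 6, 1, tzinfo=timezone.utc)


def demo():
    """Run the checks on a mismatched trio (AAUrl on 8080, bare-host entityID, no Scope) and a consistent one."""
    pid = "https://idp.example.edu/shibboleth/testshib/idp"
    mismatched = check_idp_config(*sample_docs("idp.example.edu", 8080, pid, "idp.example.edu", False), now=FROZEN_NOW)
    consistent = check_idp_config(*sample_docs("idp.example.edu", 8443, pid, pid, True), now=FROZEN_NOW)
    return mismatched, consistent


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

To check a real installation, read /usr/local/shibboleth-idp/etc/idp.xml, resolver.xml and testshib-metadata.xml and pass their contents to check_idp_config() with the default clock; the validUntil check then uses the current time.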
- Test Shibboleth
Restart Apache and Tomcat. Tomcat needs time to clean itself up (I believe it's because of Java's JVM), so we need to wait a bit before bringing it back up (hence the sleep 60 command).
cd /etc/init.d
./apachectl stop; ./apachectl start
./tomcat stop; sleep 60; ./tomcat start
Test here: and enter your IdP's providerId. It should be similar to this: https://<Your IP or Web Host Name>/shibboleth/testshib/idp. If everything went through, you should see TestShib's successful login page.
Shibboleth Service Provider Setup on Linux
This document explains how to install the Shibboleth Service Provider (SP) with the Apache web server and Tomcat. It assumes that Apache and Java are already installed on your machine and that you are running Linux. The Java version I'm using is version 5.
- Environment Setup
If you haven't set up the identity provider, first follow the Environment, Firewall, mod_jk.so, and Tomcat and Apache Configuration steps from the identity provider section above. Additionally, the following are also needed. (Information from: I am using OpenSuse 10.1 and his instructions needed some tweaking.) Order matters: xerces must be compiled and installed before xml-security!
- export XERCESCROOT=/root/shibboleth-1.3/xerces-c-src_2_6_1
- Note that the location XERCESCROOT is the source of xerces’ unpacked (untarred) location.
- export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth-sp/lib:$XERCESCROOT/lib
- wget /root
- cd /root
- gunzip log4cpp-0.3.5rc1.tar.gz
- tar -xf log4cpp-0.3.5rc1.tar
- cd log4cpp-0.3.5rc1
- ./configure --prefix=/opt/shibboleth-sp --with-pthreads --disable-static --disable-oxygen
- make
- make install
- wget /root
- cd /root
- tar xvfz xerces-c-src_2_6_1.tar.gz ; cd xerces-c-src_2_6_1/src/xercesc
- ./runConfigure -p linux -r pthread -P /opt/shibboleth-sp
- make
- make install
- wget /root
- cd /root
- tar xvfz xml-security-c-1.3.1.tar.gz ; cd xml-security-c-1.3.1
- ./configure --prefix=/opt/shibboleth-sp --without-xalan
- make
- make install
- wget
- cd /root
- tar xvfz opensaml-1.1b.tar.gz ; cd opensaml-1.1
- ./configure --prefix=/opt/shibboleth-sp --with-log4cpp=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp --with-xmlsec=/opt/shibboleth-sp (everything above was installed under /opt/shibboleth-sp, and the Shibboleth configure below looks for OpenSAML there too, so use the same prefix here)
- make
- make install
- Get and Install Shibboleth Service Provider
Download the service provider portion of the Shibboleth here:
- wget /root
Unpack and compile the source with these steps. NOTE: the Shibboleth SP source does not compile as shipped on Suse 10.x. It has a bug and Suse is unsupported. The file apache/mod_apache.cpp needs to be edited with these corrections:
- Line 196: Change int to long
- Line 344: Change int to long
- Line 348: Change int to long
- Line 393: Change int to long
- Line 430: Change int to long
After making the change above, I later found that there was a patch for this in this message thread:
Perform the following operations to compile and install shibboleth service provider.
- cd /root
- gunzip shibboleth-sp-1.3f.tar.gz
- tar -xf shibboleth-sp-1.3f.tar
- cd shibboleth-1.3
- ./configure --with-mysql=/opt/mysql --with-saml=/opt/shibboleth-sp --with-log4cpp=/opt/shibboleth-sp --with-xerces=/opt/shibboleth-sp --with-xmlsec=/opt/shibboleth-sp --enable-apache-22 --with-apxs22=/opt/apache/bin/apxs --with-apr1=/opt/apache/bin/apr-1-config --prefix=/opt/shibboleth-sp -C
- Since I'm using Apache 2.2, you may need to change the --enable-apache-22, --with-apxs22 and --with-apr1 options, and the /opt/apache and /opt/mysql paths, to suit your system.
- make
- make install
There is a shibd script to start the shibd daemon. It is RedHat specific but can be modified to work on Suse. Here's the complete script. The checkpid command had to be removed and the location of the shibd daemon had to be changed.