...
IS&T is currently supporting customers intending to use Shibboleth 1.3x or 2.x. We recommend that new installations use Shibboleth 2.x based SPs.

Warning: As of June 30, 2010, the Internet2 Shibboleth development team will no longer promise to supply security updates for version 1.3x. The 1.3x version will be considered end of life. We strongly recommend that sites currently running Shibboleth 1.3 in production plan to upgrade to the current version of Shibboleth well in advance of the announced end-of-life date. This will protect against the possibility of a forced but unplanned migration from 1.3 should a security issue or incompatibility be discovered after the end-of-life date has been reached.

Using installers:
Historical installers: Please note that we strongly recommend that no new systems be created using Shibboleth 1.3x. This software will reach its end of life on June 30th, 2010. At that time, security updates for the software will no longer be created. If you still have some need to obtain the 1.3x packages, for now they can still be obtained from Internet2.

1.3x RPMs remain available from Internet2 for RHEL 4 and 5. You will typically need the 5 main RPMs: log4shib, opensaml, shibboleth, xerces-c, xml-security-c. You should normally skip the -devel, -debug, and -doc RPMs from the Internet2 RPM download site. If your system does not already have curl installed, you will need to install it (via the stock RHEL RPM). A 1.3x installer for IIS is also available from Internet2.

Some other Linux distributions also maintain binary installers available from the OS distribution point. If you have questions about other distributions, please contact touchstone-support and indicate which operating system distribution and version you are using.

Building from source:
The Touchstone team recommends that you use the installers available from Internet2 or your operating system vendor.

However, if you need to build from source, please read the following pages:

Once you have built the software successfully, you will need to configure and customize it for use.

Certificate request and configuration
Note: Before proceeding to "Configuration and customization for use" you should obtain a server certificate.

Please make sure that you use lower case server names in your certificate request. The server name within the certificate is case sensitive. Information about how to generate a certificate request and where to send the request can be found in https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/WSWG/How+to+acquire+and+verify+a+M.I.T.+x509+Server+Certificate

Historical note: If your server already has a server certificate issued by the MIT Certificate Authority, and it was issued after July 1st, 2008, and it has not expired, you should be able to use it with Shibboleth/MIT Touchstone. If the server certificate was issued prior to July 1st, 2008, you probably need to obtain a new server certificate.

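The lower-case requirement above can be enforced when the request is created and checked again before it is submitted. This is an added example, not part of the original page or of the MIT instructions it links to; the host name, the file names and the CN-only subject are assumptions, so use the subject fields given on the linked certificate page for a real request.

```shell
#!/bin/sh
# Added example. Host names, file names and the CN-only subject are assumptions.

# Lower-case a server name so the request matches what the certificate must carry.
lower_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Generate a 2048-bit RSA key and a CSR whose CN is the lower-cased name.
# $1 = server name as typed, $2 = output directory. Prints the CSR path.
make_csr() {
    cn=$(lower_name "$1")
    (
        umask 077   # private key is created readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$cn" \
            -keyout "$2/$cn.key" -out "$2/$cn.csr" 2>/dev/null
    ) || return 1
    printf '%s\n' "$2/$cn.csr"
}

# Print the CN found in a CSR's subject (RFC 2253 form keeps the output stable
# across OpenSSL versions).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Return 0 only if the CSR carries a CN and that CN is entirely lower case.
check_csr_cn() {
    cn=$(csr_cn "$1")
    [ -n "$cn" ] || { echo "no CN in $1" >&2; return 2; }
    if [ "$cn" = "$(lower_name "$cn")" ]; then
        echo "ok: $cn"
    else
        echo "mixed-case CN, regenerate the request: $cn" >&2
        return 1
    fi
}
```

Run `check_csr_cn` on any request produced by another tool before sending it to the certificate authority; a non-zero exit means the request should be regenerated.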
Configuration and customization for use
...
Letting the IdP know about your application
Until the MIT Identity Providers know about your application, they won't release information about an authenticated user to your server. Each Touchstone enabled application running on a server needs to be registered with the IdPs.

To register your application server with the MIT IdPs, send mail to touchstone-support with the following information:
- A contact email address. We strongly recommend that this be an email list rather than an individual's personal email address.
- The server or host name. If you have multiple applications installed on the same server, you will actually need to register each application's provider ID. See below for more details.
- Organization name. This is typically the name of the MIT department, lab, or center running the application.
- Organization URL. The URL that provides some basic information about your department, lab, or center.

We also encourage you to send the following optional information with your registration information:
- The application URL. The actual URL which will be used to access your application.
- Your server platform. (RHEL 4, RHEL 5, Windows, Debian, Solaris, ...)

The IdP doesn't really need to know your hostname. It does need to know the Provider ID that uniquely identifies your application. Typical MIT installations that use the gen-shib.sh script (see above) hide this detail from you so that we simply need the hostname. If you want to learn more about provider ID naming, please see EntityNaming at the Internet2 wiki site.

A single Shibboleth SP installation is designed to support multiple applications installed on that server, but there are different deployment and configuration strategies to support multiple applications. At MIT we recommend that each application be configured to use a separate Apache vhost, in addition to simply creating additional ProviderIDs for each application. More information is available here: Shib 1.3 Add Separate Application.
...
We are intending to offer some hands-on training during IAP 2009. Space will be limited to 18 participants. The hands-on lab is scheduled for January 20th, 1:30-3:30pm. There will also be a session talking about configuration options on January 16th, from 2:30-4:00pm.

Who to Contact:
Web: MIT Touchstone (http://mit.edu.ezproxyberklee.flo.org/touchstone)
Email: touchstone-support@mit.edu