1. Follow the instructions in "Touchstone-Shibboleth SP configuration instructions for Apache based systems" at https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/ISDA/Touchstone-Shibboleth+SP+configuration+instructions+for+Apache+based+systems
Ignore the instruction about apache22.config.
Shibboleth is installed under /home/www/shibboleth.
2. The Shibboleth configuration instructions are here: https://wikis-mit-edu.ezproxyberklee.flo.org/confluence/display/ISDA/Touchstone-Shibboleth+SP+configuration+instructions+for+Apache+based+systems
For information on Shibboleth options, go to: https://spaces.internet2.edu/display/SHIB/SPProtectionConfig
3. In the /home/www/shibboleth/etc/shibboleth/apache22.config file, make sure the following lines are defined. They protect the location /.
<Location />
AuthType shibboleth
require shibboleth
ShibRequireSession On
require valid-user
</Location>
If there is a location you don't want protected, such as /about or /help, add the exception in apache22.config like the following:
<Location /about>
ShibRequireSession Off
</Location>
4. In the Apache SSL configuration in /home/www/apache/conf/extra/httpd-ssl.conf, add the following in the <VirtualHost _default_:443> block (we are only doing Touchstone for https; users can still log in as guest via http):
# Touchstone/Shibboleth
Include /home/www/shibboleth/etc/shibboleth/apache22.config
5. In the same file, comment out
SSLVerifyClient require
We don't need client authentication (SSLVerifyClient) because Touchstone handles it.
6. Edit the /home/www/shibboleth/etc/shibboleth/shibboleth.xml file, and in the <Credentials xmlns="urn:mace:shibboleth:credentials:1.0"> block make sure the following exists:
<FileResolver Id="MITcreds">
<Key>
<Path>/home/www/ssl/private/thalia-dev.mit.edu-2008-08-04-key.pem</Path>
</Key>
<Certificate>
<Path>/home/www/ssl/certs/thalia-dev.mit.edu-2008-08-04-cert.pem</Path>
</Certificate>
<CAPath>
<Path>/home/www/ssl/certs/mitCA.pem</Path>
</CAPath>
</FileResolver>
The Key is the server's private key and the Certificate is the server's certificate. Make sure your server certificate is enabled for client use as well as server use; if not, request a new one. The CAPath is the CA that signs the client certificates.
7. We also set the Shibboleth ticket lifetime to 10 hours and the timeout to 2 hours, so in the /home/www/shibboleth/etc/shibboleth/shibboleth.xml file you should have:
<Sessions lifetime="36000" timeout="7200" checkAddress="false" consistentAddress="true"
handlerURL="/Shibboleth.sso" handlerSSL="true" idpHistory="true" idpHistoryDays="7">
8. To pass the HTTP_REMOTE_USER variable, make sure the following is in /home/www/sash-server/conf/consolidator.conf:
JkEnvVar REMOTE_USER
JkEnvVar HTTP_REMOTE_USER
Also, in /home/www/sash-server/servers/thalia/conf/server.xml make sure the AJP connector is defined as follows:
<!-- An AJP Connector - uncomment if needed -->
<Connector port="8901"
request.tomcatAuthentication="false" address="127.0.0.1"
protocol="AJP/1.3" />
9. Restart the web server: /etc/init.d/web restart
Restart the Shibboleth daemon: /etc/init.d/shibd restart
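An added configuration audit for steps 3 and 7 (example code, not part of these instructions or of the Shibboleth project): it parses the <Location> blocks of apache22.config to confirm that / requires a session and to list every public exception, and reads the <Sessions> attributes to confirm the 10 hour / 2 hour values. The apache22.config text and the <Sessions> element below are constructed inline from the fragments on this page so the script runs offline; read the real files instead to audit a deployment.

```python
"""Audit the Touchstone/Shibboleth SP settings from steps 3 and 7 (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of apache22.config after step 3, with one /about exception.
APACHE22_CONFIG = """
<Location />
AuthType shibboleth
require shibboleth
ShibRequireSession On
require valid-user
</Location>
<location /about>
ShibRequireSession Off
</location>
"""

# Constructed <Sessions> element with the step 7 attributes (self-closed here so it parses alone).
SESSIONS_XML = ('<Sessions lifetime="36000" timeout="7200" checkAddress="false" '
                'consistentAddress="true" handlerURL="/Shibboleth.sso" '
                'handlerSSL="true" idpHistory="true" idpHistoryDays="7"/>')

# Apache container names are case-insensitive: <location> and <Location> both match.
LOCATION_RE = re.compile(r"<location\s+(\S+)\s*>(.*?)</location>", re.I | re.S)
REQUIRE_RE = re.compile(r"^\s*ShibRequireSession\s+(On|Off)\s*$", re.I | re.M)


def location_policy(config):
    """Map each <Location> path to True (session required) or False (public exception).
    A block without its own ShibRequireSession inherits the protection set on /."""
    policy = {}
    for path, body in LOCATION_RE.findall(config):
        m = REQUIRE_RE.search(body)
        policy[path] = m is None or m.group(1).lower() == "on"
    return policy


def session_hours(sessions_xml):
    """Return (lifetime, timeout) in hours from the <Sessions> attributes (given in seconds)."""
    attrs = ET.fromstring(sessions_xml).attrib
    return int(attrs["lifetime"]) / 3600, int(attrs["timeout"]) / 3600


def audit(config, sessions_xml):
    """Findings: / must require a session, every public exception is listed, and the
    lifetime/timeout must match the 10 h / 2 h policy from step 7."""
    policy = location_policy(config)
    findings = [] if policy.get("/") else ["root location / does not require a Shibboleth session"]
    findings += ["public exception: %s" % p for p in sorted(p for p, req in policy.items() if not req)]
    life, idle = session_hours(sessions_xml)
    if (life, idle) != (10.0, 2.0):
        findings.append("session lifetime/timeout %.1fh/%.1fh differ from 10h/2h" % (life, idle))
    return findings
```

With the constructed inputs the only finding is the intended /about exception; an unprotected / or a changed timeout produces an additional finding.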