1 / 14

Shibboleth: Installation and Deployment

Shibboleth: Installation and Deployment. Scott Cantor (cantor.2@osu.edu) July 29, 2002. Installation: Packaging. Alpha 1 and 2 are binary distributions. Source was made public in late July: http://middleware.internet2.edu/opensaml/cvs.html Alpha 2.5 will probably be binary with source.

mab
Download Presentation

Shibboleth: Installation and Deployment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Shibboleth: Installation and Deployment Scott Cantor (cantor.2@osu.edu) July 29, 2002

  2. Installation: Packaging • Alpha 1 and 2 are binary distributions. • Source was made public in late July: • http://middleware.internet2.edu/opensaml/cvs.html • Alpha 2.5 will probably be binary with source. • Beta 1 should support “./configure; make; make install” for autoconf platforms and Visual Studio on Windows. • Even with better packaging, manual installation of servlets and Apache modules will be needed.

  3. Installation: General • Solaris 2.x and Linux • Current Basic Requirements: Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.6, Sun JDK 1.3.1, Jakarta Tomcat 3.3.1 • Binaries distributed as a tarball: $ cd /usr/local $ tar xvfz shib_alpha2_linux_rh72.tar.gz • Deploy Guide: • http://middleware.internet2.edu/shibboleth/docs/DeployGuide-alpha2.txt

  4. Installation: General • Both origins and targets need: • SSL-enabled Apache server, equipped with a certificate signed by a club-approved CA • Jakarta Tomcat servlet engine with AJP 1.3 connector (mod_jk) • All the servlets are packaged together in a single deployment archive (shibboleth.war) that can be copied into tomcat/webapps, auto-expanded, and configured

  5. Installation: Origin Site • Install additional supporting components: • User handles can be stored in-memory or in MySQL • User attributes can be accessed in LDAP or a restricted set (EPPN and affiliation=member) can be “echoed” by the AA • Back-end interfaces will be refined over time to simplify pluggable implementations, and use standard Java APIs like JNDI when possible

  6. Deployment: Origin Site • Choose a name for your site, probably your best known top-level domain. • This name will be part of your club application and is configured into the HS and AA servlets (web.xml). • Special Note: Alpha-2 targets will reject attributes like EPPN if the “scope” doesn’t match the site name. This will be more flexible later.

  7. Deployment: Origin SitePKI Requirements • The web server’s SSL certificate will protect both the HS and AA servlets. • The AA servlet path is configured to support client certificate authentication: <Location "/shibboleth/AA"> SSLVerifyClient optional SSLOptions +ExportCertData </Location> • The allowable client CAs are specified: SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt

  8. Deployment: Origin SitePKI Requirements • The HS servlet must digitally sign its messages using a key and certificate valid for digital signature creation, signed by a club-approved CA. • Alpha-2 uses a Java keystore, which allows self-generation of a key and certificate request with the keytool command (see deploy guide). • The hostname of your HS is the first field in the certificate request. • Using the SSL server key is possible, but requires some custom Java code to import/export a private key.

  9. Deployment: Origin SiteClub Application • Target sites are given a “registry” of trusted origin sites to protect them from rogue users. • Once names are chosen, provide the following in an e-mail (address in deploy guide): • Site Name • Complete Handle Service servlet URL • The HS hostname (went into the certificate CN) • Aliases/shorthand for your institution (used by WAYF)

  10. Shibbolization Cookbook forOrigin Sites • Apply to the club as an origin site • currently an e-mail message with basic site information • Choose any web server that can host Java Servlet and JSP applications via Tomcat • Deploy a HS behind web initial sign-on • requires a club-trusted certificate usable for signing • web server must also use SSL if handling passwords • can store handles in-memory or in MySQL • beta version should use a “handle in cookie” design

  11. Shibbolization Cookbook forOrigin Sites • Deploy an AA in conjunction with the HS • supports two attribute “contexts”, LDAP and Echo • Install AA plugins for attributes (Java API) • preconfigured with classes for eduPerson attributes • Establish default ARPs for community • alpha-2 comes preconfigured to release everything, hides ARP tools • alpha-2.5 expected to begin exposing ARP interface • early GUI development beginning

  12. Shibbolization Cookbook for Destination Sites • Choose any web server (as long as it’s Apache 1.3.x, but others to follow) • Equip it with the SHIRE and SHAR modules • SHIRE is a Java servlet for the time being, so Tomcat is required • SHAR/RM are combined into mod_shib • Install SHAR plugins for attributes (C++ API) • mod_eduPerson provided

  13. RM and Application Integration • mod_shib currently provides flexible .htaccess processing. • Attributes can be mapped to Require rules and to HTTP headers, including REMOTE_USER. • Existing basic-auth sites can be “hijacked” to use Shibboleth.

  14. Existing Applications(from most to least integrated) • Shibbolize the application and unify intra-campus and inter-campus users • Add a second URL tree for inter-campus users • Use a Shibbolized proxy server • (The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)

More Related