August 4, 2011

Checklist for moving a URL to Contao

We recently launched a redesigned website for Disability Services created with Contao. To launch the site site I needed to transfer the ds.umn.edu url from the old server to the Contao server. There were a number of steps involved in the transfer which is why I am documenting them here.

  1. Request a URL transfer from NTS by filling out DNS change form.
  2. Edit Apache config file to include statements for the new URL
  3. Restare Apache for the changes to take effect
  4. Change the website URL in Contao backend for the webroot page

In addition in our case had an alias www.ds.umn.edu that was pointing to ds.umn.edu. That alias also needed to move to the new server. I requested the change with NTS and then created a redirect in Apache configuration file to forward all requests coming to www.ds.umn.edu to go to ds.umn.edu

Website editing in Contao can be integrated with UMN Shibboleth login. In order to use Shibboleth login with the new URL, there were additional steps involved.

  1. Make sure you have SSL certificates installed on the new server for the URL that you are transferring
  2. In Apache config file include the certificate URL paths for the protected part of the site.
  3. Restart Apache for the changes to take effect
  4. Add statements for the new URL in shibboleth2.xml file
  5. Restart Shibboleth service for the change to take effect
  6. Add statements for the new URL in metadata.xml file
  7. Email the Identity Management and ask them to seed the new metadata.xml file

July 11, 2011

Creating a Heading Level 1 for a screen reader

It is best practice that the main topic of a web page is presented in Heading Level 1. What would you do if the main topic is presented to the sighted user in an image? This is quite typical of the websites where the home page of the website displays a banner image and part of the image is text indicated the website's name.

I wrestled with this scenario when re-designing the Disability Services website. There we display a banner image that says Disability Services. This works just fine when you look at, but a blind user reading the page with the screen reader does not get a sense of the page's main topic. This is a problem.

One solution that is used is to wrap the banner image in heading tags and place. In this case, the alternative text that is entered for the banner image gets read by the screen reader and things may appear to work fine.

The problem with this approach is that the banner image may be separated from the main content of the page by other elements such as menus. If this is the case then it confuses the screen reader user since they expect the heading be followed by the main content of the page.

To solve this problem I created a hidden heading level 1 text that is not visible on the screen, but it is read back by the screen reader. First, I inserted a heading level 1 to the top of the main content of the page and I gave the header a special div tag (say hide_heading for example). Then in the css file I created special styling for the this div like so:

#hide_heading
{
position:absolute;
margin-left:-1000em;
}

This code moves the heading away from the screen for the visual user, but it is still read out by the screen reader software.

With this trick I was able to insert an audible heading level 1 in a location where I needed it without changing the visual design of the web page.

Private UThink blog

I set up a private UThink blog for myself and allowed a few others to view it. It is nice that there is this option now available.

Setting up a private blog was a bit tricky however.

When I created the new blog I had an option to make it either public or private. I chose private and then it presented me with a field to enter UMN Internet IDs who would have access to the blog. I indicated those and created my first entry. I checked the site, but noticed that the blog was not protected.

I then researched the UThink wiki and learned about what changes to make to templates in order to make the blog private. The instructions there worked well and didn't take a long time to make.

May 13, 2011

Lost UMN Secure Wireless connection on iPod Touch after changing UMN Internet password

The UMN Secure Wireless connection on iPod Touch or any other smart phone is nice - you only have to set it up once and then it works. That is, it is not necessary to authenticate each time you want to access the Internet over the wireless connection at the University of Minnesota.

But as it turned out the UMN Secure Wireless stops working when you change your UMN Internet password. The two don't seem related, but they are. When UMN Secure wireless is configured the first time it asks you to enter your UMN Internet ID and password to get a certificate that is then stored on your device. Once your UMN Internet password changes, the certificate is no longer valid and you are unable to make a UMN Secure Wireless connection.

When I changed my Internet password, it took a little bit of figuring out on how to fix the UMN Secure wireless connection on my iPod Touch. I had a hunch that I had to get rid of the old certificate and reconfigure my UMN Secure wireless connection, but I was not able to find where the certificates are stored and how to remove them. My co-worker suggested that I try "forgetting" the UMN Secure wireless connection. This indeed worked. Once I had selected to "forget" the wireless connection, this action erased everything associated with it. The UMN Secure wireless connection still showed up in the available connections list and I was able to connect to it which prompted me to enter my Internet ID and the new password. And voila I was back in business.

January 25, 2011

Configure UMN Google mail and calendar on iPhone, iPod Touch

I find that iPod Touch is only worth as much as much content is on it. And by content I mean various data - email, contacts, calendar, notes etc., apps in general and of course games. Thus it needs to be configured.

Now that the UMN is using Google apps it should be a snap to configure email and calendar syncing with an iPod Touch. It is easy if you know what to do ;-).

For configuring UMN gmail for you iPod Touch or iPhone you can create "other" mail account and the enter settings from OIT provided email settings page. This works fine for email, but it does not synchronize the calendar.

To synchronize email and the calendar too, it is better to use instructions from Google .

In both cases you will need to create a Google Apps Desktop password in the MyAccount options.

December 9, 2010

Explorations into UMN Shibboleth Auth - Part 5 Tweaking Shibboleth configuration

Recap

Since I last wrote about Shibboleth there has been considerably more information added to the UMN Shibboleth wiki page. I have tweaked my installation of Shibboleth based on this information. Particularly I have updated the metadata.xml file to match my needs. While I found lots of help from the wiki there were 3 issues that I ran into after following the instructions in the article:
  • Identifying multiple web hosts in shibboleth.xml file
  • Time synchronization between my server and the IdP
  • Customizing the error message and logout page
Let's discuss each item one at a time.

Identifying multiple web hosts in shibboleth.xml file

The wiki guide provides a nice shibboleth.xml file which includes an example of protecting one website. What if I would like to protect more than one website? In that case there are two areas of the file that need to edited:
  1. The RequestMapper needs to map host names to applicationIDs
  2. The ApplicationOverride needs to lists those applicationIDs

Here is an example RequestMapper with two hosts identified:

    <RequestMapper type="Native">

        <RequestMap applicationId="default">

            <Host name="webdev.oed.umn.edu">

                <Path name="secure" authType="shibboleth" requireSession="true"/>

            </Host>

            <Host name="madev.oed.umn.edu" applicationId="madev" authType="shibboleth" requireSession="true"/>

            <Host name="dsdev.oed.umn.edu" applicationId="dsdev" authType="shibboleth" requireSession="true"/>

        </RequestMap>

    </RequestMapper>

And here is an example on how the ApplicationOverride would look for these two hosts:

<ApplicationOverride id="dsdev" entityID="https://oedweb.oit.umn.edu/shibboleth/default" homeURL="https://dsdev.oed.umn.edu"/> 

     <ApplicationOverride id="madev" entityID="https://oedweb.oit.umn.edu/shibboleth/default" homeURL="https://madev.oed.umn.edu"/>

Time synchronization between my server and the IdP

Shibboleth is strict about time.  When time is not the same between the Service Provider (SP) and the IdP, then Shibboleth will error out.  The easiest way to ensure that time on your SP matches the Idp is to install time synchronization service - ntpd.  Here is a page that talks about installing ntpd on RedHat CentOS server: http://www.cyberciti.biz/faq/howto-install-ntp-to-synchronize-server-clock/

Customize the error message and logout page

The default Shibboleth installation displays a Shibboleth logo and an invalid email address.  The email address is easy to change.  That is done in shibboleth.xml file.  See UMN Shibboleth wiki page.  You should also include contact information in the metadata file.

Modifying the Shibboleth logo to UMN logo was a little tricky to figure out.  In my case I experienced that the logo was not being displayed because it was listed in the location that required authentication.  Since I was logged out, the image was not displayed.  I had to add "Satisfy Any" to the Apache config file to make this work properly.  This is how the location is now referenced:
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    Allow from all
    Satisfy Any
  </Location>
  Alias /shibboleth-sp/main.css /swadm/web/shibboleth/doc/main.css
  Alias /shibboleth-sp/logo.jpg /swadm/web/shibboleth/doc/logo.jpg
</IfModule>


October 5, 2010

Accessibility website now live

The accessibility website that we have been working on for quite some time is now live - accessibility.umn.edu .

The UMN Brief describes the accessibility website as following:

A NEW ONLINE ACCESSIBILITY RESOURCE has been created by the U's Computer Accommodations Program--a partnership of Disability Services and the Office of Information Technology. Accessibility.umn.edu will be a "one stop" for creating accessible documents, presentations, and multimedia; taking a universal design approach to teaching with centrally supported technology; developing web content for users with a variety of learning styles, devices and adaptive technologies; seeking information on accessibility-related federal and Minnesota state laws, U policies, and international web guidelines; and satisfying curiosity about adaptive technologies.

The website has gotten quite a few mentions in various newsletters:

There have been 437 visits out of which 347 are unique visitors to date since it launched in late September 2010.

All of this is good news. Much of the success I think could be contributed to extensive content on the site that is easy to get to.

The vehicle that has made it possible for us to create the accessibility site is Contao CMS. With Contao it has been easy to separate the site design and content creation. Contao is also screen reader usable that enabled us to focus on content creation. Visit the Accessibility website today!

September 22, 2010

Configure backup of Contao sites on OIALinux server

Intro

My last few posts covered working with OIALinux server and moving Contao CMS managed websites from our unit's webserver to OIT hosted server. Next step is to set up backup of Contao websites. There are two distinct items that are necessary to back up:

  • Files that make up Contao sites
  • MySQL database that stores some the data about Contao hosted sites

By default all files in /swadm directory are backed up nightly with 30 retention period. This is done automatically without you needing to do anything.

In order to backup up MySQL however it is necessary to make regular "dumps" of the contao database so that those could be backed up.

Configure MySQL backup

From past experience I knew that configuring regular backups of MySQL can be tricky. I searched the web for the scripts that would do this for me and found AutoMySQLBackup sript. This seemed to do exactly what I needed and was easy enough to set up.

I followed the installation instruction on the AutoMySQLBackup sript page with an exception of the step 5 where you asked to place the script in /etc/cron.daily. Since swadm user doesn't have rights to /etc/cron.daily, I needed to set up crontab for swadm and configure an entry in crontab to run AutoMySQLBackup.

I found a good writeup on setting up crontab. By using this guide I set up crontab and placed an entry to run AutoMySQLBackup every day.

With MySQL dumps created and placed into /swadm/backup directory and automatic backup of all files in /swadm directory, the websites hosted by Contao are backed up.

September 21, 2010

Moving sites hosted with Contao CMS to OIALinux server

Background

We currently host 4 websites with a single install of Contao CMS. This installation of Contao was hosted from our own unit's Linux server. This article covers how I moved the four websites from our unit's server to OIT hosted Linux server. Many pointers on how to move the Contao sits were taken from the Contao documentation.

The move can be broken down into 7 steps:

  1. Create domain aliases
  2. Confige Apache httpd.conf file virtual host
  3. Copy over the files
  4. Change file ownership
  5. Copy the database
  6. Run the Contao install tool
  7. Configure the websites in Contao backend

1. Create domain aliases

Let's say that we had websites with following URLs:
  • siteA.unitname.umn.edu
  • siteB.unitname.umn.edu
  • siteC.unitname.umn.edu
  • siteD.unitname.umn.edu

I wanted to bring up the websites on the new server with different URLs. This would allow me to troubleshoot any problems with them and reduce the downtime to the production URLs. To do this, I requested 4 new DNS aliases to be assigned to the OIA Linux server from OIT Networking Services. Let's call these aliases:

  • siteA2.unitname.umn.edu
  • siteB2.unitname.umn.edu
  • siteC2.unitname.umn.edu
  • siteD2.unitname.umn.edu

Now I have URLs for my 4 websites that are all pointing to the new server.

2. Confige Apache httpd.conf file virtual host

In order to direct these aliases to correct location on the server I configured Apache to use Name Based virtual hosts. Since all four websites are hosted with Contao, I need to create one virtual host directive for the main server URL (name.unitname.umn.edu) and second virtual host directive for the 4 sites that are served with Contao.

NameVirtualHost *:80

<VirtualHost *:80>
ServerName name.unitname.umn.edu
DocumentRoot /swadm/web
<Directory /swadm/web>
allow from all
Options +Indexes
</Directory>
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /swadm/web/contaosites
<Directory /swadm/web/contaosites>
AllowOverride All
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
ServerName siteA2.unitname.umn.edu
ServerAlias siteB2.unitname.umn.edu siteC2.unitname.umn.edu siteD2.unitname.umn.edu
</VirtualHost>

3. Copy over the files

Next, I created a compressed file of all files and directories of contaosites folder on the old server. This is where all the files are stored that make up the four websites. I copied the compressed file to the new server and uncompressed into /swadm/web/contaosites folder.

4. Change file ownership

In order for the Contao CMS application to work all files and folder have to be owned by the user account that is used by Apache webserver. On the old server which ran Ubuntu Linux, this account was www-data. On the new server which is Red Hat, the Apache runs under a user account called apache. Changing file ownership is something that swadm user account is not allowed to do. I send an email to oialinux at umn dot edu asking them to make this change.

5. Copy the database

Created a mysql dump file (mysqldum -B contaodb) of the Contao database and imported it into the mysql database ( mysql database < contaodb.sql) on the new server. I used this MySQL tutorial for the syntax.

6. Run the Contao install tool

Next I accessed http://name.unitname.umn.edu/contaosites/contao/install.php and logged in with the install tool username and password that I had used for my initial Contao installation on the old server. The installation tool allowed me to enter my database username and password to be used by Contao CMS.

7. Configure the websites in Contao backend

Once I had configured the database connection, I could access Contao backend by going to http://name.unitname.umn.edu/contaosites/contao with my browser and log in. Once logged in I navigated to Site Structure and changed the site website root DNS for each for the site to use the new aliases.

With this all 4 websites are active with new URLs. Once I have verified that everything works properly, I can transfer the correct site URLs to the new server.

September 20, 2010

Prepping OIALinux server for Contao CMS

Contao CMS system requirements

Contao CMS requires three items for hosting:

  • Php version 5
  • Apache web server
  • MySQL database server

OIALinux server currently comes with

  • php-5.1.6
  • apache 2.2.3
  • mysql-5.0.77

All software is installed, but it needs to be configure to work so that swadm user can administer it.

Configure Apache

Apache is installed into /swadm/etc/httpd directory. However the DocumentRoot directive in httpd.conf file needs to be edited to point to a directory in /swadm space. So first, I created a new directory called web in /swadm directory. Then I edited the httpd.conf file DocumentRoot directive to point to /swadm/web .

To test my configuration I placed a file called index.html in /swadm/web and started Apache (sudo /etc/services httpd start). Then I navigated to the server URL to see if I can see the contents of the index. html file.

Configure MySQL

MySQL server is installed, but it is not configured yet. To begin configuring MySQL:

  1. First become a swadm user:
    sudo su - swadm
  2. now we need to create a directory for MySQL databases:
    mkdir /swadm/mysql
  3. Next we change the datadir value in /etc/my.cnf to point to the MySQL database directory
    sudoedit /etc/my.cnf and change the datadir value with the text editor
  4. Next we launch the MySQL service
    sudo /etc/service mysqld start
  5. Since this was the first time starting MySQL it prompted me to choose if I wanted to run a secure installation. I chose yes. The wizard configured the system database and prompted me for a MySQL root password. Now we have a working instance of MySQL.

Create a new user and database for Contao CMS

Once we have a working MySQL service we can proceed to create a user account and database for storing Contao CMS information. I used this MySQL administration guide to help me with this task.

First, I created a new database:
mysqladmin -h localhost -u root -p create bedrock
Next, I created a new user and gave it permission to the database:

[prompt]$ mysql -h localhost -u root -ppassword
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 3.23.41

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> USE mysql;
mysql> SHOW TABLES;
+-----------------+
| Tables_in_mysql |
+-----------------+
| columns_priv |
| db |
| func |
| host |
| tables_priv |
| user |
+-----------------+
mysql> INSERT INTO user (Host, User, Password, Select_priv) VALUES ('', 'Dude1', password('supersecret'), 'Y');
mysql> FLUSH PRIVILEGES; - Required each time one makes a change to the GRANT table
mysql> GRANT ALL PRIVILEGES ON bedrock.* TO Dude1;
mysql> FLUSH PRIVILEGES; - Required each time one makes a change to the GRANT table
mysql> quit

Now we have a user account and a database that we can use for Contao CMS.

Install a Php plugin

Contao requires two additional extensions to be installed and enabled in PHP:
  • mbstring
  • SOAP

To enable these, send an email to oialinux at umn.edu and ask them to install it for you.

Now our environment is set up to install Contao.

Logging into OIALinux server

Background

This last summer UMN OIT began offering a new hosted server service. The service provides units with a virtual server (either Red Hat Linux or Windows 2003 server) upon a request from the unit director. We (Disability Services) began using this service about a month ago. We are using the OIALinux server for hosting our websites. This article talks about how to log into OIALinux server and is meant primarily for server administrators and website developers.

OIALinux server does not provide any kind of Graphical User Interface (GUI) access, rather you use an SSH client (Putty) software to log into the server and administer it. There are two ways on how you can log in:

  1. First creating a VPN connection and then SSH into the server (let's call it VPN connection)
  2. First SSH into a gateway server (ale.oit.umn.edu or ale2.oit.umn.edu) and then from there SSH into your server (non-VPN connection).

In both cases you would need to use MKey + Pin for your password.

Let's take a more detailed look at how the login works.

VPN connection

For creating a VPN connection you would first need to install VPN IPSec software that is made available from the OIT website. Once installed you need to add a customer vpn profile.pcf. You would need to download and copy that file into C:\Program Files\Cisco Systems\VPN Client\Profiles directory. Once there, you can start a new VPN connection and log in with your Internet username and MKey + Pin for a password. After creating the VPN connection, you can launch Putty from desktop and SSH into your server again authenticating with your Internet ID and MKey + Pin as password.

Non VPN connection

For creating a non-VPN connection, you would launch Putty and SSH into ale.oit.umn.edu or ale2.oit.umn.edu. Once logged in, you would enter the command SSH yourservername and SSH into your server. Both of these connections are created by using your Internet ID and MKey+PIN for password.

I find that first creating a VPN connection and then SSH into a server is easier and provides an additional benefit of being able to use a Secure FTP client such as WINSCP to view the server directory structure, file permissions, and file content.

Brief description on user permissions on the server

Once on the server you may notice that you do not have permissions to do much. Try issuing a command sudo -l as your user account to see what you can do. There is another account on the server (swadm) that has more administrative permmission to the server. To work as a swadm user, issue a command sudo su - swadm .

September 2, 2010

Explorations into UMN Shibboleth Auth - Part 4 Configuring Shibboleth SP to use UMN test IdP

Recap

So far I have configured my Shibboleth SP to use the TestShib2 service. Using the TestShib2 service is relatively simple as it does not require that you edit the shibboleth2.xml file. The shibboleth2.xml file is provided to you by the service and you can simply copy the file into the correct location and restart the shibd service in order to use it. The shibboleth2.xml file includes an external reference to the metadata.xml file that simplifies its use even more because there is no need to copy the metadata.xml locally and reference it from shibboleth2.xml file.

Steps required for using UMN test Idp

  1. Save a copy of the local computers metadata .xml file by going to http://yourURL/Shibboleth.sso/Metadata. This needs to be sent to idm at umn dot edu along with your request
  2. Send an email to idm at umn dot edu requesting that your server be added to the list of authorized servers for the UMN test IdP.
  3. Request that your username would be added to the user list who are autherized to use the test IdP for authentication.
  4. Download the copy of the test IdP metadata file from UMN Shibboleth wiki and place it in /etc/shibboleth directory on your server.
  5. Configure your server's /etc/shibboleth/shibboleth2.xml file to reference UMN test IdP and the test IdP metadata file.
  6. If you want to protect https space instead of http space, then you need to request that change by emailing idm at umn dot edu.

Configuring shibboleth2.xml file to work with UMN test IdP

The trickiest part of configuring Shibboleth in my view is in configuring the shibboleth2.xml file on your server. This file controls how Shibboleth will behave and what it will try to protect. In this case we are simply protecting a web directory. It is best to start with shibboleth2.xml file that came with the distribution. There are four aspects of that file that need to be changed:
  1. MetadataProvider - This needs to point to the local or remote metadata file
  2. RequestMap - the type and in the case of Native a host name and path of the directory being protected
  3. The right entityID - This is just a name that you give your own server's entity (ie. https://yourURL/shibboleth-sp this does not need to resolve to anything
  4. SessionInitiator - Here you indicate where to relay session requests (in our case this is the UMN test IdP URL

Linked below is a shibboleth2.xml file that is configured to work with UMN Test IdP.
shibboleth2_UMN_TestIdP.xml

July 29, 2010

Steps to implement UMN web template in Contao CMS

Overview

University of Minnesota has created a web template that features UMN header and footer . This template is becoming a requirement for all UMN domain websites by the end of 2010. The template code that is provided is includes the necessary css, javascript, and html files and is the easiest to implement if the website is created in Dreamweaver or another HTML editor. University Technology Training Center offers a class on implementing the UMN web template with Dreamweaver. If the website is not edited by simply a text editor, but rather with a web content management system, then implementing the UMN template can be more challenging. This article shows how to implement the UMN web template with Contao CMS (formerly known as TYPOlight).

Steps to implement UMN templates in Contao CMS

  1. Install Contao according to documentation: http://www.contao.org/documentation.html . Do not install the demonstration site.
  2. Download UMN web templates from http://www.webdepot.umn.edu/templates.php
  3. Upload Web template files to /contao_root/tl_files/umn_template
  4. Import UMN template CSS files into Contao:

    1. With the browser enter Contao admin interface (http://yourdomain/contao)
    2. Login
    3. Create a new theme under themes. Provide a theme name and theme author's name. For Folders select umn_template, for templates folder templates/umn_template folder (you have to create /templates/umn_template folder in Contao Templates area before hand).
    4. For the theme that you created, click on CSS icon, and then CSS import
    5. Import all css files that come with the UMN template
    6. Change the print style sheet to only apply to print and not all.
    7. Edit the CSS files to direct them to correct asset location (When css files get imported, they are re-created in the root folder of your site, but assets (images etc) are still in /contao_root/tl_files/umn_template .
    8. You may benefit from installing CSSeditor extension (note, does not work in Contao v2.9RC1 yet)
    9. Edit directives where it is pointing to images
  5. Create front end modules for the header:

    1. Create a new Custom HTML module and call it UMN header
    2. Copy everything between <!-- * BEGIN TEMPLATE HEADER (MAROON BAR)* --> and <!--END UofM TEMPLATE HEADER--> from index_2.7.3.html.
    3. Remove the last </div> tag. This </div> would otherwise close the wrapper div.
    4. Change the path to the Search image to tl_files/umn_2.7.3/assets/img/search_button.gif
  6. Create front end module for the footer:

    1. Create a new Custom HTML module and call it UMN footer
    2. Copy everything between <!-- * BEGIN TEMPLATE FOOTER--> and <!--END UofM TEMPLATE FOOTER--> from index_2.7.3.html
  7. Create a custom Contao template to work with your layout:

    1. In Contao back end, click on Templates, then New Template
    2. Choose fe_page.tpl for the template and umn_template as a target folder.
  8. Add <div class="container_12" id="bg273"> to the fe_page.tpl page, under <div id="container"> statement (not sure if we need to add another closing div tag because of this. Seems to work fine without it)
  9. Create a page layout that includes the modules:

    1. Include the header and indicate header height (UMN Template header and campus links are 85 pixels wide)
    2. Include the footer and indicate footer height
    3. Choose the number of columns
    4. Select the style sheets.
    5. Change the order of style sheets to be: 1. reset, 2. Text, 3. Template, 4. Optional, 5, print.
    6. Select the custom layout that you created
    7. Add <script type="text/javascript" src="tl_files/umn_2.7.3/lib/js/searchfield.js"></script> in the head section of the fe_page.tpl file to enable the search javascript here. Please note that this javascript conflicts with some of the mootools javascript such as image slimbox and possibly others.

July 27, 2010

Explorations into UMN Shibboleth Auth - Part 3 Testing and Configuring Shibboleth SP

Recap

I have a Apache 2.2 webserver which is able to communicate over SSL. I have also installed the Shibboleth2 SP module. Now it is time to test that Shibboleth SP is working and configure it for UMN IdP.

Test that Shibboleth SP is working

I learned a great deal about configuring Shibboleth SP on the Shibboleth2 documentation website. In addition to learning about how to configure Shibboleth SP, I also used the TestShib Two website to make sure that Shibboleth was working. The TestShib Two service can be especially beneficial in troubleshooting since they allow access to the TestShib IdP log file to see what may have gone wrong.

It is important to note that the Shibboleth2 documentation and the TestShib Two web service provide information about Shibboleth IdP and SP often on the same page. This can be confusing. I learned after some digging, that I can completely ignore the IdP information on these website since I am only configuring the SP. The IdP is already set up and provided for me by the UMN Identity Management team.

In a nutshell, the general steps in configuring Shibboleth are:

  1. Create a certificate for Shibboleth SP on your webserver
  2. Copy your IdP metadate.xml file to Shibboleth SP config directory on your server
  3. Modify the shibboleth2.xml file to correspond with your IdP requirements and metadata.xml file name and location
  4. Configure Apache config file to include ServerName, UseCanonicalName On and Location directives to invoke Shibboleth

In my case I went through these steps for the TestShib Two service. In order to use TestShib, I first registered with OpenIdP.org. Once registered I was able to begin their wizard for configuring and testing Shibboleth SP. Step by step details were:

  1. Generate a self-signed x.509 certificate for Shibboleth SP: ~$ shib-keygen
  2. Fill out the "Register New Service Provider" form on TestShib Two website. Part of this is copying the content of the sp-cert.pem into the form. In case of Ubuntu the sp-cert.pem file and other Shibboleth configuration files are located in /etc/shibboleth directory. Information about the location of Shibboleth config files for other OSs can be found on Shibboleth Service Provider Installation at USC
  3. On TestShib Two website generate the shibboleth2.xml file
  4. Rename the existing shibboleth2.xml file in /etc/shibboleth and copy and paste the new (just generated) shibboleth2.xml file into /etc/shibboleth .
  5. The TestShib Two website asks you to restart the webserver and shibd and test the Shibboleth service, but there is one more step before testing could be done -- configure Apache configuration file to invoke Shibboleth. For Instructions on how to configure Apache, I found the NativeSP Getting Started guide very useful. In my case I made these changes to the default-ssl file that is located in /etc/apache2/sites-available . Direct link to NativeSPApacheConfigdescribes three items that are necessary:
    • Include a ServerName directive with appropriate name (your server Fully Qualified Domain Name)
    • Include the UseCanonicalName On in your config file
    • Enable the shibd module globally by adding the following before the closing tag of your virtual host file:
      <Location />
      AuthType shibbolet
      Require shibboleth
      </Location>
  6. Finally, restart Apache and shibd: ~$ sudo /etc/init.d/apache2 restart and ~$ sudo /etc/init.d/shibd restart
  7. Test the Shibboleth according to TestShib website instructions. That is go to http://yourserver/secure . If you are redirected to the TestShib website for authentication all is working well. Upon successfully authenticating you are redirected to http://yourserver/secure and will likely get a "Page not found error" unless you have created an index.html file there

Problems that I experienced

While, I was able to configure Shibboleth with the TestShib Two service, it did not go without problems. I ran into three issues:
  1. After copying and pasting the shibboleth2.xml file to my server and restarting the shibd and apache2, I was not able to see any of the sites that were served by my webserver. When I looked into the apache2 error log file (located in /var/log/apache2) I noticed it was full of shibboleth related errors. Interestingly both Apache and Shibd restarted without problems. The solution for this was to download the shibboleth2.xml file instead of just copying it from the browser window. I used Chrome for the downloading the file and then uploaded it to the correct location. Once I did that and restarted the two services again, the websites were served up fine. The TestShib Two website refers to this error as "If you get XML parsing errors when you try to start shibd, you've got dingbats in your file" :-).
  2. Once I had the webserver serving pages again, I noticed that when I tried to test Shibboleth SP by going to http://myserver/secure I was not being redirected to the TestShib Two for authentication. The cure for this was that I had not yet configured Apache default-ssl file to explicitly state to use Shibboleth. See item 5 in the previous list for directions in fixing this.
  3. Finally, I after configuring apache default-ssl file and accessing http://myserver/secure, I was redirected to TestShib Two website, but I was not presented with the login screen. Instead I was given an error that said something about not having strong enough authentication. After Googling the error message, I read that others had experience this same error when their server time was wrong. I then looked at the IdP log on TestShib Two website and noticed that my server time was off by several hours. To fix this I installed ntp: ~$ sudo apt-get install ntp. After restarting shibd (~$ /etc/init.d/shibd restart), I reached the TestShib Two authentication page, was able to authenticate and be redirected back to http://myserver/secure where I received a page not found error as expected.

Configuring Shibboleth SP for UMN IdP

... will be covered in the next post. Meanwhile here is a link to UMN Shibboleth authentication wiki page.

July 26, 2010

Explorations into UMN Shibboleth Auth - Part 2 Installing Shibboleth SP on Ubuntu OS

Overview of Tasks

In order to use Shibboleth SP the web server needs to be able to communicate over SSL (https connection). My tasks then for installing Shibboleth SP are:
  1. Create a self-serv certificate for SSL
  2. Enable SSL for Apache web server on Ubuntu
  3. Install Shibboleth for Apache web server
  4. Enable Shibboleth SP on Apache web server
  5. Test Shibboleth to make sure it is working
  6. Configure Shibboleth to use UMN Shibboleth Identity Provider (IdP)

These directions apply to Apache version 2.2 and Ubuntu OS version 9.10 (Karmic Koala). More detailed descriptions of these tasks will follow.

Tasks 1 and 2: Create a self-serv certificate for SSL and enable SSL on Apache.

I learned good information about creating a certificate in this article in Ubuntu Documentation, but eventually opted to go a much simpler route for creating the certificate and enabling it on Apache. The documentation for the method I chose is available in Ubuntu OS in /usr/share/doc/apache2.2-common/README.Debian.gz file. The steps I performed were:
  1. Installed ssl-cert package: ~$ sudo apt-get install ssl-cert -- This creates a self-serv certification for your server automatically.
  2. Enabled default-ssl virtual host: ~$ sudo a2ensite default-ssl
  3. Enabled Apache's SSL module: ~$ sudo a2enmod ssl
  4. Restarted Apache: ~$ sudo /etc/init.d/apache2 restart

Tasks 3 and 4: Install and enable Shibboleth SP on Apache 2.2

  1. Installed Shibboleth module for Ubuntu 9.10: ~$ sudo apt-get install libapache2-mod-shib2
  2. Enabled Apache Shibboleth module: ~$ sudo a2enmod shib
  3. Restarted Apache ~$ sudo /etc/init.d/apache2 restart

Tasks 5 and 6: Test Shibboleth SP and configure it for UMN IdP... - see next posts