I have a Apache 2.2 webserver which is able to communicate over SSL. I have also installed the Shibboleth2 SP module. Now it is time to test that Shibboleth SP is working and configure it for UMN IdP.
Test that Shibboleth SP is working
I learned a great deal about configuring Shibboleth SP on the Shibboleth2 documentation website
. In addition to learning about how to configure Shibboleth SP, I also used the TestShib Two website
to make sure that Shibboleth was working. The TestShib Two service can be especially beneficial in troubleshooting since they allow access to the TestShib IdP log file to see what may have gone wrong.
It is important to note that the Shibboleth2 documentation and the TestShib Two web service provide information about Shibboleth IdP and SP often on the same page. This can be confusing. I learned after some digging, that I can completely ignore the IdP information on these website since I am only configuring the SP. The IdP is already set up and provided for me by the UMN Identity Management team.
In a nutshell, the general steps in configuring Shibboleth are:
- Create a certificate for Shibboleth SP on your webserver
- Copy your IdP metadate.xml file to Shibboleth SP config directory on your server
- Modify the shibboleth2.xml file to correspond with your IdP requirements and metadata.xml file name and location
- Configure Apache config file to include ServerName, UseCanonicalName On and Location directives to invoke Shibboleth
In my case I went through these steps for the TestShib Two service. In order to use TestShib, I first registered with OpenIdP.org. Once registered I was able to begin their wizard for configuring and testing Shibboleth SP. Step by step details were:
- Generate a self-signed x.509 certificate for Shibboleth SP: ~$ shib-keygen
- Fill out the "Register New Service Provider" form on TestShib Two website. Part of this is copying the content of the sp-cert.pem into the form. In case of Ubuntu the sp-cert.pem file and other Shibboleth configuration files are located in /etc/shibboleth directory. Information about the location of Shibboleth config files for other OSs can be found on Shibboleth Service Provider Installation at USC
- On TestShib Two website generate the shibboleth2.xml file
- Rename the existing shibboleth2.xml file in /etc/shibboleth and copy and paste the new (just generated) shibboleth2.xml file into /etc/shibboleth .
- The TestShib Two website asks you to restart the webserver and shibd and test the Shibboleth service, but there is one more step before testing could be done -- configure Apache configuration file to invoke Shibboleth. For Instructions on how to configure Apache, I found the NativeSP Getting Started guide very useful. In my case I made these changes to the default-ssl file that is located in /etc/apache2/sites-available . Direct link to NativeSPApacheConfigdescribes three items that are necessary:
- Include a ServerName directive with appropriate name (your server Fully Qualified Domain Name)
- Include the UseCanonicalName On in your config file
- Enable the shibd module globally by adding the following before the closing tag of your virtual host file:
- Finally, restart Apache and shibd: ~$ sudo /etc/init.d/apache2 restart and ~$ sudo /etc/init.d/shibd restart
- Test the Shibboleth according to TestShib website instructions. That is go to http://yourserver/secure . If you are redirected to the TestShib website for authentication all is working well. Upon successfully authenticating you are redirected to http://yourserver/secure and will likely get a "Page not found error" unless you have created an index.html file there
Problems that I experienced
While, I was able to configure Shibboleth with the TestShib Two service, it did not go without problems. I ran into three issues:
- After copying and pasting the shibboleth2.xml file to my server and restarting the shibd and apache2, I was not able to see any of the sites that were served by my webserver. When I looked into the apache2 error log file (located in /var/log/apache2) I noticed it was full of shibboleth related errors. Interestingly both Apache and Shibd restarted without problems. The solution for this was to download the shibboleth2.xml file instead of just copying it from the browser window. I used Chrome for the downloading the file and then uploaded it to the correct location. Once I did that and restarted the two services again, the websites were served up fine. The TestShib Two website refers to this error as "If you get XML parsing errors when you try to start shibd, you've got dingbats in your file" :-).
- Once I had the webserver serving pages again, I noticed that when I tried to test Shibboleth SP by going to http://myserver/secure I was not being redirected to the TestShib Two for authentication. The cure for this was that I had not yet configured Apache default-ssl file to explicitly state to use Shibboleth. See item 5 in the previous list for directions in fixing this.
- Finally, I after configuring apache default-ssl file and accessing http://myserver/secure, I was redirected to TestShib Two website, but I was not presented with the login screen. Instead I was given an error that said something about not having strong enough authentication. After Googling the error message, I read that others had experience this same error when their server time was wrong. I then looked at the IdP log on TestShib Two website and noticed that my server time was off by several hours. To fix this I installed ntp: ~$ sudo apt-get install ntp. After restarting shibd (~$ /etc/init.d/shibd restart), I reached the TestShib Two authentication page, was able to authenticate and be redirected back to http://myserver/secure where I received a page not found error as expected.
Configuring Shibboleth SP for UMN IdP
... will be covered in the next post. Meanwhile here is a link to UMN Shibboleth authentication wiki page