
December 9, 2010

Explorations into UMN Shibboleth Auth - Part 5 Tweaking Shibboleth configuration


Since I last wrote about Shibboleth, considerably more information has been added to the UMN Shibboleth wiki page. I have tweaked my installation of Shibboleth based on this information. In particular, I have updated the metadata.xml file to match my needs. While I found lots of help in the wiki, there were 3 issues that I ran into after following the instructions in the article:
  • Identifying multiple web hosts in shibboleth.xml file
  • Time synchronization between my server and the IdP
  • Customizing the error message and logout page
Let's discuss each item one at a time.

Identifying multiple web hosts in shibboleth.xml file

The wiki guide provides a nice shibboleth.xml file which includes an example of protecting one website. What if I would like to protect more than one website? In that case there are two areas of the file that need to be edited:
  1. The RequestMapper needs to map host names to applicationIds
  2. The ApplicationOverride elements need to list those applicationIds

Here is an example RequestMapper with two hosts identified:

    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="webdev.oed.umn.edu">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <Host name="madev.oed.umn.edu" applicationId="madev" authType="shibboleth" requireSession="true"/>
            <Host name="dsdev.oed.umn.edu" applicationId="dsdev" authType="shibboleth" requireSession="true"/>
        </RequestMap>
    </RequestMapper>


And here is an example on how the ApplicationOverride would look for these two hosts:

    <ApplicationOverride id="dsdev" entityID="https://oedweb.oit.umn.edu/shibboleth/default" homeURL="https://dsdev.oed.umn.edu"/>
    <ApplicationOverride id="madev" entityID="https://oedweb.oit.umn.edu/shibboleth/default" homeURL="https://madev.oed.umn.edu"/>
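Because the RequestMapper and the ApplicationOverride entries have to agree, it is easy to add a host on one side and forget the other. The following script is an added example, not part of this post or of the Shibboleth distribution: it parses a config in the shape of the snippets above and reports every applicationId that a Host or Path hands out but that no ApplicationDefaults or ApplicationOverride defines. The SPConfig wrapper element and its namespace are assumptions, and the embedded config is a constructed sample.

```python
"""Check that every applicationId the RequestMapper hands out has a definition."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's snippets (not a real config); the SPConfig
# wrapper and namespace are assumed. "madev" is deliberately left without an override.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="webdev.oed.umn.edu">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="madev.oed.umn.edu" applicationId="madev" authType="shibboleth" requireSession="true"/>
      <Host name="dsdev.oed.umn.edu" applicationId="dsdev" authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" entityID="https://oedweb.oit.umn.edu/shibboleth/default">
    <ApplicationOverride id="dsdev" entityID="https://oedweb.oit.umn.edu/shibboleth/default" homeURL="https://dsdev.oed.umn.edu"/>
  </ApplicationDefaults>
</SPConfig>"""

def _local(tag):
    """Strip the XML namespace so tag names compare cleanly."""
    return tag.rsplit("}", 1)[-1]

def referenced_application_ids(root):
    """applicationIds used by Host/Path entries; each inherits from its RequestMap."""
    ids = set()

    def walk(elem, inherited):
        app = elem.get("applicationId", inherited)
        if _local(elem.tag) in ("Host", "Path"):
            ids.add(app)
        for child in elem:
            walk(child, app)

    for elem in root.iter():
        if _local(elem.tag) == "RequestMap":
            walk(elem, elem.get("applicationId", "default"))
    return ids

def defined_application_ids(root):
    """ids declared by ApplicationDefaults and every ApplicationOverride."""
    return {e.get("id") for e in root.iter()
            if _local(e.tag) in ("ApplicationDefaults", "ApplicationOverride") and e.get("id")}

def missing_overrides(config_xml):
    """Return referenced applicationIds that have no matching definition, sorted."""
    root = ET.fromstring(config_xml)
    return sorted(referenced_application_ids(root) - defined_application_ids(root))
```

Run it against your own file with `missing_overrides(open("shibboleth.xml").read())`; an empty list means every mapped host has its override.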

Time synchronization between my server and the IdP

Shibboleth is strict about time. When the clocks on the Service Provider (SP) and the IdP disagree, Shibboleth will error out. The easiest way to ensure that the time on your SP matches the IdP is to install a time synchronization service, ntpd. Here is a page that talks about installing ntpd on a RedHat CentOS server: http://www.cyberciti.biz/faq/howto-install-ntp-to-synchronize-server-clock/

Customize the error message and logout page

The default Shibboleth installation displays a Shibboleth logo and an invalid email address. The email address is easy to change; that is done in the shibboleth.xml file (see the UMN Shibboleth wiki page). You should also include contact information in the metadata file.

Changing the Shibboleth logo to the UMN logo was a little tricky to figure out. In my case the logo was not displayed because it was served from a location that required authentication. Since I was logged out, the image was not displayed. I had to add "Satisfy Any" to the Apache config file to make this work properly. This is how the location is now referenced:

    <IfModule mod_alias.c>
      <Location /shibboleth-sp>
        Allow from all
        Satisfy Any
      </Location>
      Alias /shibboleth-sp/main.css /swadm/web/shibboleth/doc/main.css
      Alias /shibboleth-sp/logo.jpg /swadm/web/shibboleth/doc/logo.jpg
    </IfModule>