September 2, 2010

Explorations into UMN Shibboleth Auth - Part 4 Configuring Shibboleth SP to use UMN test IdP


So far I have configured my Shibboleth SP to use the TestShib2 service. Using the TestShib2 service is relatively simple as it does not require that you edit the shibboleth2.xml file. The shibboleth2.xml file is provided to you by the service and you can simply copy the file into the correct location and restart the shibd service in order to use it. The shibboleth2.xml file includes an external reference to the metadata.xml file that simplifies its use even more because there is no need to copy the metadata.xml locally and reference it from shibboleth2.xml file.

Steps required for using UMN test Idp

  1. Save a copy of the local computers metadata .xml file by going to http://yourURL/Shibboleth.sso/Metadata. This needs to be sent to idm at umn dot edu along with your request
  2. Send an email to idm at umn dot edu requesting that your server be added to the list of authorized servers for the UMN test IdP.
  3. Request that your username would be added to the user list who are autherized to use the test IdP for authentication.
  4. Download the copy of the test IdP metadata file from UMN Shibboleth wiki and place it in /etc/shibboleth directory on your server.
  5. Configure your server's /etc/shibboleth/shibboleth2.xml file to reference UMN test IdP and the test IdP metadata file.
  6. If you want to protect https space instead of http space, then you need to request that change by emailing idm at umn dot edu.

Configuring shibboleth2.xml file to work with UMN test IdP

The trickiest part of configuring Shibboleth in my view is in configuring the shibboleth2.xml file on your server. This file controls how Shibboleth will behave and what it will try to protect. In this case we are simply protecting a web directory. It is best to start with shibboleth2.xml file that came with the distribution. There are four aspects of that file that need to be changed:
  1. MetadataProvider - This needs to point to the local or remote metadata file
  2. RequestMap - the type and in the case of Native a host name and path of the directory being protected
  3. The right entityID - This is just a name that you give your own server's entity (ie. https://yourURL/shibboleth-sp this does not need to resolve to anything
  4. SessionInitiator - Here you indicate where to relay session requests (in our case this is the UMN test IdP URL

Linked below is a shibboleth2.xml file that is configured to work with UMN Test IdP.

July 27, 2010

Explorations into UMN Shibboleth Auth - Part 3 Testing and Configuring Shibboleth SP


I have a Apache 2.2 webserver which is able to communicate over SSL. I have also installed the Shibboleth2 SP module. Now it is time to test that Shibboleth SP is working and configure it for UMN IdP.

Test that Shibboleth SP is working

I learned a great deal about configuring Shibboleth SP on the Shibboleth2 documentation website. In addition to learning about how to configure Shibboleth SP, I also used the TestShib Two website to make sure that Shibboleth was working. The TestShib Two service can be especially beneficial in troubleshooting since they allow access to the TestShib IdP log file to see what may have gone wrong.

It is important to note that the Shibboleth2 documentation and the TestShib Two web service provide information about Shibboleth IdP and SP often on the same page. This can be confusing. I learned after some digging, that I can completely ignore the IdP information on these website since I am only configuring the SP. The IdP is already set up and provided for me by the UMN Identity Management team.

In a nutshell, the general steps in configuring Shibboleth are:

  1. Create a certificate for Shibboleth SP on your webserver
  2. Copy your IdP metadate.xml file to Shibboleth SP config directory on your server
  3. Modify the shibboleth2.xml file to correspond with your IdP requirements and metadata.xml file name and location
  4. Configure Apache config file to include ServerName, UseCanonicalName On and Location directives to invoke Shibboleth

In my case I went through these steps for the TestShib Two service. In order to use TestShib, I first registered with Once registered I was able to begin their wizard for configuring and testing Shibboleth SP. Step by step details were:

  1. Generate a self-signed x.509 certificate for Shibboleth SP: ~$ shib-keygen
  2. Fill out the "Register New Service Provider" form on TestShib Two website. Part of this is copying the content of the sp-cert.pem into the form. In case of Ubuntu the sp-cert.pem file and other Shibboleth configuration files are located in /etc/shibboleth directory. Information about the location of Shibboleth config files for other OSs can be found on Shibboleth Service Provider Installation at USC
  3. On TestShib Two website generate the shibboleth2.xml file
  4. Rename the existing shibboleth2.xml file in /etc/shibboleth and copy and paste the new (just generated) shibboleth2.xml file into /etc/shibboleth .
  5. The TestShib Two website asks you to restart the webserver and shibd and test the Shibboleth service, but there is one more step before testing could be done -- configure Apache configuration file to invoke Shibboleth. For Instructions on how to configure Apache, I found the NativeSP Getting Started guide very useful. In my case I made these changes to the default-ssl file that is located in /etc/apache2/sites-available . Direct link to NativeSPApacheConfigdescribes three items that are necessary:
    • Include a ServerName directive with appropriate name (your server Fully Qualified Domain Name)
    • Include the UseCanonicalName On in your config file
    • Enable the shibd module globally by adding the following before the closing tag of your virtual host file:
      <Location />
      AuthType shibbolet
      Require shibboleth
  6. Finally, restart Apache and shibd: ~$ sudo /etc/init.d/apache2 restart and ~$ sudo /etc/init.d/shibd restart
  7. Test the Shibboleth according to TestShib website instructions. That is go to http://yourserver/secure . If you are redirected to the TestShib website for authentication all is working well. Upon successfully authenticating you are redirected to http://yourserver/secure and will likely get a "Page not found error" unless you have created an index.html file there

Problems that I experienced

While, I was able to configure Shibboleth with the TestShib Two service, it did not go without problems. I ran into three issues:
  1. After copying and pasting the shibboleth2.xml file to my server and restarting the shibd and apache2, I was not able to see any of the sites that were served by my webserver. When I looked into the apache2 error log file (located in /var/log/apache2) I noticed it was full of shibboleth related errors. Interestingly both Apache and Shibd restarted without problems. The solution for this was to download the shibboleth2.xml file instead of just copying it from the browser window. I used Chrome for the downloading the file and then uploaded it to the correct location. Once I did that and restarted the two services again, the websites were served up fine. The TestShib Two website refers to this error as "If you get XML parsing errors when you try to start shibd, you've got dingbats in your file" :-).
  2. Once I had the webserver serving pages again, I noticed that when I tried to test Shibboleth SP by going to http://myserver/secure I was not being redirected to the TestShib Two for authentication. The cure for this was that I had not yet configured Apache default-ssl file to explicitly state to use Shibboleth. See item 5 in the previous list for directions in fixing this.
  3. Finally, I after configuring apache default-ssl file and accessing http://myserver/secure, I was redirected to TestShib Two website, but I was not presented with the login screen. Instead I was given an error that said something about not having strong enough authentication. After Googling the error message, I read that others had experience this same error when their server time was wrong. I then looked at the IdP log on TestShib Two website and noticed that my server time was off by several hours. To fix this I installed ntp: ~$ sudo apt-get install ntp. After restarting shibd (~$ /etc/init.d/shibd restart), I reached the TestShib Two authentication page, was able to authenticate and be redirected back to http://myserver/secure where I received a page not found error as expected.

Configuring Shibboleth SP for UMN IdP

... will be covered in the next post. Meanwhile here is a link to UMN Shibboleth authentication wiki page.

July 26, 2010

Explorations into UMN Shibboleth Auth - Part 2 Installing Shibboleth SP on Ubuntu OS

Overview of Tasks

In order to use Shibboleth SP the web server needs to be able to communicate over SSL (https connection). My tasks then for installing Shibboleth SP are:
  1. Create a self-serv certificate for SSL
  2. Enable SSL for Apache web server on Ubuntu
  3. Install Shibboleth for Apache web server
  4. Enable Shibboleth SP on Apache web server
  5. Test Shibboleth to make sure it is working
  6. Configure Shibboleth to use UMN Shibboleth Identity Provider (IdP)

These directions apply to Apache version 2.2 and Ubuntu OS version 9.10 (Karmic Koala). More detailed descriptions of these tasks will follow.

Tasks 1 and 2: Create a self-serv certificate for SSL and enable SSL on Apache.

I learned good information about creating a certificate in this article in Ubuntu Documentation, but eventually opted to go a much simpler route for creating the certificate and enabling it on Apache. The documentation for the method I chose is available in Ubuntu OS in /usr/share/doc/apache2.2-common/README.Debian.gz file. The steps I performed were:
  1. Installed ssl-cert package: ~$ sudo apt-get install ssl-cert -- This creates a self-serv certification for your server automatically.
  2. Enabled default-ssl virtual host: ~$ sudo a2ensite default-ssl
  3. Enabled Apache's SSL module: ~$ sudo a2enmod ssl
  4. Restarted Apache: ~$ sudo /etc/init.d/apache2 restart

Tasks 3 and 4: Install and enable Shibboleth SP on Apache 2.2

  1. Installed Shibboleth module for Ubuntu 9.10: ~$ sudo apt-get install libapache2-mod-shib2
  2. Enabled Apache Shibboleth module: ~$ sudo a2enmod shib
  3. Restarted Apache ~$ sudo /etc/init.d/apache2 restart

Tasks 5 and 6: Test Shibboleth SP and configure it for UMN IdP... - see next posts

Explorations into UMN Shibboleth Auth - Part 1: Overview

Background and Goals

UMN is transitioning from Central Authentication Hub (CAH) into using Shibboleth for authentication of protected web pages and applications. Here are brief notes about my attempts to implement Shibboleth on Ubuntu 9.10. The goal of these explorations is to eventually be able to accomplish the following:

  1. Protect a directory on a webserver with Shibboleth
  2. Restrict the content to only a subset of authenticated users
  3. Create a form and protect it with Shibboleth authentication
  4. Automatically populate some publicly available information (name, email etc) after a successful authentication
  5. Integrate Shibboleth with Contao CMS member login
  6. Create a new member on Contao after a successful authentication with Shibboleth.
  7. Automatically populate some publicly available information with a form in Contao after a successful authentication with Shibboleth.

When reading documentation about Shibboleth, there are two acronyms that are being used -- Shibboleth Service Provider (SP) and Shibboleth Identity Provider (IdP). Often the Shibboleth documentation talks about both of these on the same page even though they are completely different animals. The Shibboleth SP is the client that is using the IdP for authentication. I learned that I can safely ignore information about configuring and IdP since that is already provided to me by the UMN Identity Management team. The information that I need to read is under Shibboleth SP.

Up next: Installing Shibboleth SP on Ubuntu OS