Shibboleth Deployment

Shibboleth Deployment Guide

FOREWORD

The objective is to have a proof of concept about “Shibboleth” and the main feature is its deployment. Shibboleth is a software that handles web applications of identity management in federations, which makes it possible to realize a Single Sign On across organizational; boundaries .A federation in this context is a group of organizations which incorporate to share user data and protected resources under common guidelines .Shibboleth provides a uniform authentication mechanism for application offered by the members of a federations, which could be realized with different technologies, architectures and security mechanism.It allows users to sign on to these applications with the same username and passwords and also make itpossible to realize a single sign on for them. Shibboleths primary target domain is higher education, but itcan be used in other areas. Another is the application of proxy server added to shibbolization because combining the two features on the system either bilateral (simple authentications) or federations can be a useful highly secured SSO fast proxy server

The deployment being discussed here are the bilateral, federated and reverse proxying mode application of shibboleth. These three applications are setup in three different phases: Phase 1 for bilateral, Phase2 for DS/WAYF federated and in Phase 3 we add reverse proxying on shibboleth. This User Deployment Guide aims to give an easiest way of complex shibboleth deployment.

The tutorial uses both Windows (XP) and Linux (Cetos.X) operating system. All Softwares can be downloaded for free.

Good Luck!

CMC-2008-9


SHIBBOLETH DEPLOYMENT PHASES
I) SHIBBOLETH BILATERAL DEPLOYMENT

First Phase is to deploy a bilateral deployment of shibboleth with a single IdP and SP on two separate platforms ( Windows and Linux).The discussion are detailed that sufficiently allow user/s to replicate setting and configuration of one server to another. The bilateral deployment will show the use of shibbolization such as: generating certificate and key credentials, doing simple apache http authentications and simple secured website. This will give an example of creating a partner metadata that describe the identities of the two participating Identity provider and the Service providers .Each metadata’s describe different entities that would characterize each providers and be able to acquire credentials registrations, membership to other providers. Communicating between SP and IdP are given a step by step procedure as well us debugging log files to review errors of session and transactions. It gives miscellaneous tutorials for setting Network Time protocols for servers and clients and enabling /opening port against firewall restrictions. This is enough to demonstrate simple Single Sign On authentication applications. Hence some advance shibbolization will be tackled in the next phase.

II) SHIBBOLETH FEDERATED DEPLOYMENT

Second Phase is a deployment of simple federated shibboleth with a two or more IdP and multiple SP; both of which running on two separate platforms ( Windows and Linux).The discussion are detailed that sufficiently allow user/s to replicate setting and configuration of one server to another. The shibboleth federated deployment will show the use of shibbolization such as: generating certificate and key credentials, doing simple apache http authentications and simple secured website. Each metadata’s describe different entities that would characterize providers and be able to acquire credentials registrations and membership wishing to have an access to other providers. This will give examples of creating a partner metadata that describe the identities and entities of the participating groups of Identity provider and Service providers – Shibboleth Federations. Another is the rerouting from a usual IdP SSO to a Discovery Service or the Who Are You From (WAYF server) service .Although not implemented in the second phase, it still discusses how to configure LDAP on shibboleth by interfacing it in apache. Communicating between SP and IdP are given a step by step procedure as well us debugging log files for reviewing errors such as session and transactions. It gives miscellaneous tutorials for setting Network Time protocols and the enabling /opening port against firewall restrictions

III) SHIBBOLETH WITH REVERSE PROXY DEPLOYMENT
Third Phase, lastly if shibboleth Federation works pretty well, then the next phase is the additional application .Aside from shibbolization like Single Sign On access it is possible also to add function like reverse proxying .Reverse proxy is a gateway for servers, and enables on web server to provide content from another transparently. As with the standard proxy, a reverse proxy may server to improve performance of the web by caching, this simple way to mirror a website .But the most common reason to run a reverse proxy is to enable controlled access from the web at large to servers behind firewall. The proxied server may be a web server itself, or it may be an application server using a different protocol, or an application server with just rudimentary HTTP that needs to be shielded from the web at large .In this last phase reverse proxying has been preferred method of deploying shibboleth on the web, replacing the old mod_jk (itself) a special –purpose reverse proxy module) features of Apache. The configuration is simple that it gives a smooth reverse proxy application on shibbolization.

SHIBBOLETH WINDOWS SYSTEM REQUIREMENTS
1) HARDWARES:
2 PC (virtual machine) or 3 PC
1 IdP (windows XP), SP (Windows XP) & SP (Centos X.0)

2) SOFTWARES:
A) Shibboleth Service Provider
Apache 2.2
apache_2.2.4-win32-x86-openssl-0.9.8d.msi
Tomcat 5.5
apache-tomcat-5.5.23.exe
Shibboleth SP 1.3/2.0
shibboleth-sp-1.3f-win32.msi
B) Shibboleth Identity Provider
Apache 2.2
apache_2.2.4-win32-x86-openssl-0.9.8d.msi
Java 1.5 SDK
jre-1_5_0_12-windows-i586-p.exe
Tomcat 5.5
apache-tomcat-5.5.23.exe
Shibboleth IdP 1.3/2.0
shibboleth-idp-1.3.2.zip
3) Miscellaneous:
VNC viewer
VMware
Notepad ++
NTP server & clients (for time sync)
4) Download Sites:
APACHE
http://archive.apache.org/dist/httpd/binaries/win32/apache_2.2.4-win32-x86-openssl-0.9.8d.msi
TOMCAT
http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.exe
TOMCAT CONNECTOR
http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.26/mod_jk-1.2.26-httpd-
2.2.4.so
JAVA
http://www.livingresources.org/livresforms/Downloads/jre-1_5_0_12-windows-i586-p.exe
SHIBBOLETH IDP
http://shibboleth.internet2.edu/downloads/shibboleth/idp/archive/shibboleth-idp-1.3.2.zip
SHIBBOLETH SP
http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/archive/1.3f/win32/shibboleth-sp-1.3f.msi
NTP
http://download.softros.com/nts.zip

INSTALLING IDENTITY PROVIDER
A) Installing Apache (version 2.2)
i) Download apache
ii) Install the package
iii) Change the directory into C:/Apache2.2/
iv) Test Apache; browse http://localhost/ (“It works”)
B) Install Java (version 5 update 12)
i) Download Java 1.5
ii) Install the package
iii) Change the directory into C:\JRE
iv) Set the PATH environment variable to include JAVA_HOME\bin
C:\> path
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System23\Wbem;C:\Apache2.2\bin
C:\> set JAVA_HOME=C:\JRE\
C:\> set PATH=PATH%;%JAVA_HOME%\bin
C:\> path
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System23\Wbem;C:\Apache2.2\bin;C:\JRE\bin
C) Install Tomcat (version 5 update 12)
i) Download Tomcat
ii) Install the package
iii) Change the directory into C:/Tomcat5.5
iv) Test Tomcat, browse http://localhost:8080
D) Install IdP software package
i)Download IdP 1.3
ii) Install the package
iii) Change the directory into C:/shibboleth-idp
and answer the ff: questions:
iv.1) hostname
iv.2) group name
iv.3) Admin e-mail
v) Copy C:/shibboleth-idp/endorsed/*.jar to C:/Tomcat5.5/webapps/commom/endorsed
vi) Copy C:/shibboleth-idp/shibboleth-idp.war to C:/Tomcat5.5/webapps/
vii) Go to C:/Apache2.2/bin and generate certificate and key file
C:/Apache2.2/bin/
openssl req –new –x509 –nodes –out C:\PKI\sp.crt –keyout C:\PKI\sp.key –config C:\Apache2.2\conf\openssl.cnf
viii) Now you have sp.crt and sp.key in the C:/PKI
ix1) idp.key (Key File)
ix2) idp.crt (Certificate File)

INSTALLING SERVICE PROVIDER
A) Installing Apache (versions 2.2)
i) Download apache
ii) Install the package
iii) Change the directory into C:/Apache2.2/
iv) Test Apache; browse http://localhost/ (“It works”)
C:/Apache2.2/bin/
httpd -k start –n “Apache2”
httpd -k sttop
B) Installing Shibboleth Software (version 1.3)
ii) Download SP
iii) Unzipped the SP package (shibboleth-1.3f.zip)
iv) Install the package (shibboleth-1.3f.msi)
and answer the following questions
iv.1) hostname
iv.2) group name
iv.3)e-mail
v) Change the directory into C:/shibboleth-sp
vi) make a dir C:/PKI
vii) goto C:/Apache2.2/bin/ generate a certificate and key file for SP
C:/Apache2.2/bin/
openssl req –new –x509 –nodes –out C:\PKI\idp.crt –keyout C:\PKI\idp.key –config C:\Apache2.2\conf\openssl.cnf
viii) Now you have sp.crt and sp.key in the C:/PKI folder
ix1) sp.key ( Key File)
ix2) sp.crt (Certificate File)
C) Install Tomcat (version 5 update 12)
i) Download Tomcat
ii) Install the package
iii) Change the directory into C:/Tomcat5.5
iv) Test Tomcat, browse http://localhost:8080/


BILATERAL IdP SETUP & CONFIGURATIONS
1) Apache configurations
i) Edit httpd.conf in the C:\Apache2.2\conf
ii) Uncomment/ remove the hash (#) symbol in Loadmodule modules/mod_ssl.so line
iii) Uncomment/remove the hash (#) symbol in Include extra/httpd-ssl.conf line.
iv) Edit httpd-ssl.conf in the C:\Apache2.2\conf\extra
SSLCertificate c:\PKI\idp.crt
SSLCertificateKeyFile\idp.key
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +ExportCertData
v) Create a file named “workers.properties” in the C:\Apache2.2\conf folder
worker.list=ajp13
worker.ajp13.port= 8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
v) Download the latest win32 version of the mod_jk-httpd-2.2.4.so
vii) Copy mod_jk_httpd-2.2.4.so in the C:\Apache2.2\modules\ folder
viii) Create a file named “httpd-tomcat.conf “in the C:\Apache2.2\conf\extra folder
ix) Edit httpd-tomcat .conf
Loadmodule jk_module conf/modules/mod_jk-apache-2.2.4.so
JkWokersFile C:/Apache2.2/conf/workers.properties
JkLog File C:/Apache2.2/logs/mod_jk.log
JkShmFile C:/Apache2.2/logs/mod_jk.shm
JkMount Shibboleth-idp ajp13
JkMount Shibboleth-idp/*.jsp ajp13
x) Create a file name “httpd-ssl-8443.conf” in the C:\Apache2.2\conf\extra folder
xi) Copy the content of “httpd-ssl.conf” and replace 443 by 8443.
2) Tomcat configurations
i) Edit server.xml in the C:\Tomcat5.5\conf directory.
ii) Find/locate “8009”, replace the command statement then save.

3) IdP configurations
i) Edit idp.xml found in the C:/shibboleth-idp/etc/ folder
i.1) Replace example.edu.org by bi-idp.xxd.edu.ph
i.2) Search and replace 443 by 8443 (port 8443 for SSL).
i.3) Replace “defcreds” by “bilateral”
i.4) Replace the previous certificate by the generated idp.crt
i.5) Configure certificate and key file path “file:/c:/PKI/Idp.key”
i.6) Configure certificate and key file path “file:/c:/PKI/Idp.crt”
ii) Copy the example-metadata.xml in the C:\shibboleth-sp\etc\shibboleth folder
ii.2) Rename the copied example-metadata.xml into partner-metadata.xml
ii.3) Edit the partner-metadata.xml
ii.4) Replace the shibidp.crt and shibdsp.crt by a new generated idp.crt and sp.crt strings of characters.

==========================================================================

----BEGIN CERTIFICATE-----
MIID6TCCA1KgAwIBAgIJANz/+JnxoNSPMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD
VQQGEwJQSDEPMA0GA1UECBMGTWFuaWxhMRQwEgYDVQQHEwtRdWV6b24gQ2l0eTEg
MB4GA1UEChMXTWFpbiBMaWJyYXJ5IFVQIERpbGltYW4xEzARBgNVBAsTCnVwZC5l
ZHUucGgxGjAYBgNVBAMTEWJpLWlkcC51cGQuZWR1LnBoMSEwHwYJKoZIhvcNAQkB
FhJzaGlidGVzdEB5YWhvby5jb20wHhcNMDgxMTI5MDA1MzA5WhcNMDgxMjI5MDA1
MzA5WjCBqjELMAkGA1UEBhMCUEgxDzANBgNVBAgTBk1hbmlsYTEUMBIGA1UEBxML
UXVlem9uIENpdHkxIDAeBgNVBAoTF01haW4gTGlicmFyeSBVUCBEaWxpbWFuMRMw
EQYDVQQLEwp1cGQuZWR1LnBoMRowGAYDVQQDExFiaS1pZHAudXBkLmVkdS5waDEh
MB8GCSqGSIb3DQEJARYSc2hpYnRlc3RAeWFob28uY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDAylRbmuv0PMhpdgtEZ/2QilMmARJnNu2orwWhL5zmSPSC
E/CMmsuArIDBOu2sekAdMvez9ymtoRc4zdf1Fy85FpEi+UNhRB0FSNLF4kE3Zq6b
GXu8HEU3f7Rz9Fs/Wmni1R32/H8JEKfP69Qf241JKBaliB2CadQF7JwjdQF72wID
AQABo4IBEzCCAQ8wHQYDVR0OBBYEFAuvQ8jh2mcEUYWu04BZEfR7tCjtMIHfBgNV
HSMEgdcwgdSAFAuvQ8jh2mcEUYWu04BZEfR7tCjtoYGwpIGtMIGqMQswCQYDVQQG
EwJQSDEPMA0GA1UECBMGTWFuaWxhMRQwEgYDVQQHEwtRdWV6b24gQ2l0eTEgMB4G
A1UEChMXTWFpbiBMaWJyYXJ5IFVQIERpbGltYW4xEzARBgNVBAsTCnVwZC5lZHUu
cGgxGjAYBgNVBAMTEWJpLWlkcC51cGQuZWR1LnBoMSEwHwYJKoZIhvcNAQkBFhJz
aGlidGVzdEB5YWhvby5jb22CCQDc//iZ8aDUjzAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBBQUAA4GBADKTpbJ2h2mNq45e87yYxVSayMZEJx2ombz7XrlWBkumnZ0t
kUIFtb0gkaJJMD90H0kweb1Vco7CtUvGGqPUhazIAjSQOkKoRz7NsSrmuCPtEC1p
6TG5n2FPVnoyoAnwkxz0OPjf5F5YQVKidoAmfVN69Fs1p5VDRjH2T0ZtzwRU
-----END CERTIFICATE-----

==========================================================================

ii)Edit resolver.xml in the C:\Shibboleth-idp\extra\
ii.1) Change the smartcope=”” content by xxd.edu.ph
iii) Create a partner-metadata.xml file in the C:\shibboleth-sp\etc\ folder by copying example-
metadata.xml
iii.1) Replace the original shibdidp.crt and shibdsp.crt by idp.crt and sp.crt respectively.
iii.2) Replace the content by upd.edu.ph
iii.3) Replace idp.example.edu.org by bi-idp.xxd.edu.ph and sp.example.edu.org by bi-sp.xxd.edu.ph

BILATERAL SP SETUP & CONFIGURATIONS
1) Apache configurations
i) Edit httpd.conf in the C:\Apache2.2\conf
ii) Uncomment/ remove the hash (#) symbol in Loadmodule modules/mod_ssl.so line.
iii) Uncomment/remove the hash (#) symbol in Include /extra/httpd-ssl.conf line.
iv) Edit httpd-ssl.conf in the C:\Apache2.2\conf\extra
SSLCertificate c:\PKI\sp.crt
SSLCertificateKeyFile\sp.key
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +ExportCertData
v) Create a file named “workers.properties” in the C:\Apache2.2\conf folder
worker.list=ajp13
worker.ajp13.port= 8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
v) Download the latest win32 version of the mod_jk-httpd-2.2.4.so
vii) Copy mod_jk_httpd-2.2.4.so in the C:\Apache2.2\modules\ folder.
viii) Create a file named “httpd-tomcat.conf “in the C:\Apache2.2\conf\extra folder
ix) Edit httpd-tomcat .conf
Loadmodule jk_module conf/modules/mod_jk-apache-2.2.4.so
JkWokersFile C:/Apache2.2/conf/workers.properties
JkLog File C:/Apache2.2/logs/mod_jk.log
JkShmFile C:/Apache2.2/logs/mod_jk.shm
JkMount Shibboleth-idp ajp13
JkMount Shibboleth-idp/*.jsp ajp13
2) SP configurations
i) Edit shibboleth.xml in the C:\shibboleth-sp\etc\shibboleth folder
ii) Replace the FileResolverId “defcreds” to “bilateral”
iii) Copy and change the path of the certificate and key file to
iii.1) Configure certificate and key file path “file:/c:/PKI/sp.key”
iii.2) Configure certificate and key file path “file:/c:/PKI/sp.crt”
iv) Search and replace the idp.example.edu.org by bi-idp.upd.edu.ph (our IdP)
vi) Replace example-metadata.xml by the modified partner-metadata.xml
x) Copy the example-metadata.xml in the C:\shibboleth-sp\etc\shibboleth folder
ix) Rename the copied example-metadata.xml into partner-metadata.xml
xi) Edit partner-metadata.xml
xii) Replace both shibidp.crt and shibdsp.crt by the newly generated idp.crt and sp.crt respectively
12
Note***
1) After the SSL cli command check for the generated idp.crt and idp.key stored in the /PKI/ directory.
2) Open idp.crt by a notepad++ editor.
3) Copy or cut (please back up) a string of characters with in” BEGIN & END CERTIFICATE” delimiter.
4) Paste the copied certificate in step # 4, thus it will replace the certificate content of the
to found in the partner-metadata.xml of Identity Provider.
5) IdP server can be accessed by a multiple Service Providers in a bilateral Shibboleth. It is done by
inserting another
which equivalently describe a newly added Service Provider entities inside or within the IdP partner-
metada.xml.
iv.2) sp.crt
==========================================================================
-----BEGIN CERTIFICATE-----
MIID5jCCA0+gAwIBAgIJAO7iXQVDMgydMA0GCSqGSIb3DQEBBQUAMIGpMQswCQYD
VQQGEwJQSDEPMA0GA1UECBMGTWFuaWxhMRQwEgYDVQQHEwtRdWV6b24gQ2l0eTEg
MB4GA1UEChMXTWFpbiBMaWJyYXJ5IFVQIERpbGltYW4xEzARBgNVBAsTCnVwZC5l
ZHUucGgxGTAXBgNVBAMTEGJpLXNwLnVwZC5lZHUucGgxITAfBgkqhkiG9w0BCQEW
EnNoaWJ0ZXN0QHlhaG9vLmNvbTAeFw0wODExMjcwNzMzMTBaFw0wODEyMjcwNzMz
MTBaMIGpMQswCQYDVQQGEwJQSDEPMA0GA1UECBMGTWFuaWxhMRQwEgYDVQQHEwtR
dWV6b24gQ2l0eTEgMB4GA1UEChMXTWFpbiBMaWJyYXJ5IFVQIERpbGltYW4xEzAR
BgNVBAsTCnVwZC5lZHUucGgxGTAXBgNVBAMTEGJpLXNwLnVwZC5lZHUucGgxITAf
BgkqhkiG9w0BCQEWEnNoaWJ0ZXN0QHlhaG9vLmNvbTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAwvMjbrZ/xb2swp+gijBHaCLoG7Vp5JXybWc/tWBL4qxjaFNh
GWKmDLzyf89SGjFvU741giS658sFWj4S6HHHVm/JbvZOmz+FmmeaKch4JIeLag9Q
WELBarz3KmAA60SpyKxZ4dkQKhDfKhdXbDPqGZ2XpfHU7WDC1tzOvYNlspMCAwEA
AaOCARIwggEOMB0GA1UdDgQWBBQ1G4eVVShYUvmxcbQJdGhOqSkSYjCB3gYDVR0j
BIHWMIHTgBQ1G4eVVShYUvmxcbQJdGhOqSkSYqGBr6SBrDCBqTELMAkGA1UEBhMC
UEgxDzANBgNVBAgTBk1hbmlsYTEUMBIGA1UEBxMLUXVlem9uIENpdHkxIDAeBgNV
BAoTF01haW4gTGlicmFyeSBVUCBEaWxpbWFuMRMwEQYDVQQLEwp1cGQuZWR1LnBo
MRkwFwYDVQQDExBiaS1zcC51cGQuZWR1LnBoMSEwHwYJKoZIhvcNAQkBFhJzaGli
dGVzdEB5YWhvby5jb22CCQDu4l0FQzIMnTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4GBAFqSeEud1mw5jDTZNGTD3Y64po0dE+2SPexh5Ir5m43xrcEpIbf8
QuufnJL9P4T9iCFgjdTq91bNC0/Q4x7uhU4HuybDRnI0keIb2T9KgY+eNfCvv1O/
fYvipw2Je3KGlUj+zlGhQXZG0z2muqfYs0yQzt0qCp1QGlxltDNFAvyM
-----END CERTIFICATE-----

==========================================================================
6)File 3) Create an index.html
1)Create a folder “secure” in the web path subdirectory of /usr/local/apache2/htdocs/ folder.
2)Create an /usr/local/apache2/htdocs/secure index.html to be use a a secured webpage .

MISCELLANEOUS SETUP & CONFIGURATIONS
1) Installing NTP client and Server
i.1) Install the NTP (time) server software package to either IdP or SP machine server
i.2) click the Setting->Broadcast (to broadcast UDP time packet)
ii.1) Install the package of NTP (time) software clients to the rest of IdP and SP
ii.2) Install the package of AD-Deployment NTP clients
ii.2) click the “Sync Now) to synchronize the time from NTP server
Note* **
1) Using IP addresses to access both Service Providers and Identity Providers is not ideal and confusing,
instead use an initial domain.
2) A user within a local network can test both IdP and SP by accessing their respective local domains.
2) Configure a simple IP -> DNS HTTP-URL access.
i) Goto C:\windows32\System32\drivers\etc\ folder
ii) Edit the “host”, type the following
# This is just a substitute if there is no DNS server available.
#---Configure to your own preference (local domain)
10.36.129.38 bi-sp.xxd.edu.ph
10.36.129.36 bi-idp.xxd.edu.ph
10.36.133.15 secure-sp.xxd.edu.ph
10.36.133.6 secure-idp.xxd.edu.ph

COMMUNICATIONS B/W SP & IdP
1) IdP Authentications using Apache (IdP server side)
i) Edit the httpd.conf file in C:\Apache2.2\conf folder
i.2) Add the following shibboleth configurations
#-------Shibconfig----------------
#LoadModule Shibboleth module
LoadModule mod_shib /usr/local/shibboleth-sp/libexec/mod_shib_22.so
#Global Configuration
ShibSchemaDir c: /shibboleth-sp/share/xml/shibboleth
ShibConfig c: /shibboleth-sp/share/xml/shibboleth
#.SSO

SetHandler shib-handler

AuthType Basic
AuthName "XX Diliman IdP"
AuthUserFile C:/shibboleth-idp/credentials/user.db
require valid-user

2) Password and database for HTTP access (Username & Password)
C:\> htpasswd –c –b c:/shibboleth-idp/credentials /user.db bopher xxx
Check for user.db in the folder
C:\> cd C:\ shibboleth-idp/credentials
3) To bounce other services goto program->control panel->Administrative tools-> click this icon
4) Service Provider (SP server side)
4.1) Starting shibboleth 1.3 daemon.