Archive for the ‘ukfederation’ Category
Shibboleth WAYFless URLs UKFederation
Shibboleth is a single sign-on method used by UK schools. Shibboleth lets you log into multiple services without entering your username and password again for each one.

Shibboleth WAYFless URLs are a knowledge requirement for Shibboleth Service Providers and their users. A Shibboleth user may use a service frequently and want to skip the Identity Provider selection page (the WAYF, "Where Are You From?"); a WAYFless URL does exactly this.

Example

Copy and paste the above and replace %20 with ?

Another example

What bit do I need to change to configure my service to Primary Logon?

https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk&cache=perm&action=selection&origin=https://idp.primarylogon.co.uk/idp/shibboleth&shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST

The bits in bold need changing.
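To make the parameters in the URL above concrete, here is an added example (not code from the original post) that builds a WAYFless URL with correct percent-encoding and checks one for the slips the post mentions: a lost ? (the %20 problem) or a parameter left out. The WAYF host, the parameter names and the sample entity IDs are the ones in the post's URL; the rule that origin and shire must be https URLs is this example's own assumption.

```python
# Added example: build and sanity-check a UK federation WAYFless URL.
# Not code from the original post. Parameter names and WAYF host come from
# the URL in the post; the https-only rule for origin/shire is an assumption.
from urllib.parse import parse_qs, urlencode, urlsplit

WAYF = "https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf"
REQUIRED = ("target", "providerId", "cache", "action", "origin", "shire")

# The post's own sample values; your own SP's values go in their place.
SP_ENTITY_ID = "urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk"
IDP_ENTITY_ID = "https://idp.primarylogon.co.uk/idp/shibboleth"
SP_SHIRE = "https://target.iay.org.uk/Shibboleth.sso/SAML/POST"


def build_wayfless_url(provider_id, origin, shire, target="cookie"):
    """Return a WAYFless URL sending the user straight to the IdP `origin`.

    provider_id is your SP's entity ID, origin the IdP's entity ID and
    shire your SP's SAML POST assertion consumer URL. urlencode takes care
    of percent-encoding, so the result is not mangled the way the post
    warns about (%20 where the ? should be).
    """
    query = urlencode({
        "target": target,
        "providerId": provider_id,
        "cache": "perm",
        "action": "selection",
        "origin": origin,
        "shire": shire,
    })
    return f"{WAYF}?{query}"


def check_wayfless_url(url):
    """Return a list of problems with a WAYFless URL (empty list means OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("WAYF URL must use https")
    if not parts.query:
        problems.append("no query string: check that ? separates the WAYF "
                        "path from the parameters (not %20)")
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED:
        if name not in qs:
            problems.append(f"missing parameter: {name}")
    # In the post's example both origin and shire are https URLs; this
    # check (an assumption of the example) treats anything else as a slip.
    for name in ("origin", "shire"):
        value = qs.get(name, [""])[0]
        if value and not value.startswith("https://"):
            problems.append(f"{name} should be an https URL, got {value!r}")
    return problems


def wayfless_params(url):
    """Return the decoded parameters of a WAYFless URL as a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    url = build_wayfless_url(SP_ENTITY_ID, IDP_ENTITY_ID, SP_SHIRE)
    print(url)
    print("problems:", check_wayfless_url(url))
    # A URL where the ? was lost, the mistake the post describes.
    broken = WAYF + "%20target=cookie&providerId=" + SP_ENTITY_ID
    print("problems:", check_wayfless_url(broken))
```

The three values you swap for your own service are providerId (your SP entity ID), shire (your SP's assertion consumer URL) and origin (the IdP you want to skip the selection page for); `wayfless_params` decodes a URL back so you can read them off an existing one.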
Configuring Apache for Shibboleth on CentOS to the ukfederation w/ Godaddy certs
Part 3. Apache config. (1 hour)
cd /etc/shibboleth
openssl genrsa -des3 -out external.key 2048
openssl req -new -key external.key -out external.csr

The above will create a CSR for your resource. When asked for the common name, enter something like shib.yourdomain.com - DO NOT use sp.yourdomain.com or the same common name you used to register your SP!

Open the CSR and copy its contents to the clipboard. Then log in to your GoDaddy hosting account and paste the CSR into your certificate request.

GoDaddy will do their thing and get back to you with a CRT and a few other files, usually within 24 hours. When they do, copy or download the files to /etc/shibboleth:

Rename shib.yourdomain.com.crt to external.crt
Rename gd_bundle.crt to external_int.crt and place it in /etc/shibboleth

Edit /etc/httpd/conf.d/ssl.conf

Replace
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
with
SSLCertificateKeyFile /etc/shibboleth/external.key

Replace
SSLCertificateFile /etc/pki/tls/private/localhost.crt
with
SSLCertificateFile /etc/shibboleth/external.crt

Under SSLCertificateKeyFile paste
SSLCertificateChainFile /etc/shibboleth/external_int.crt

Edit /etc/httpd/conf/httpd.conf

Replace
UseCanonicalName Off
with
UseCanonicalName On

Find the line beginning with ServerName and comment it out. Below it type
ServerName shib.yourdomain.com:80

/usr/sbin/apachectl restart
/usr/sbin/apachectl start

The above commands will restart Apache, or start it if it hasn't already been started.

Edit /etc/sysconfig/iptables and, above all REJECT rules, paste:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT

/sbin/service iptables restart

If everything restarts without any errors, continue to the testing phase.
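As an added example (not the post's own code), the following Python checks the two edited files above on constructed excerpts: that ssl.conf points all three SSLCertificate* directives at the /etc/shibboleth/external* files, and that the three ACCEPT rules sit above the chain's catch-all REJECT, since iptables evaluates rules in order and an ACCEPT pasted below the REJECT never matches. The chain name, ports and paths are the ones in the post; the file contents are constructed for the example. One caveat on the key step: openssl genrsa -des3 writes a passphrase-protected key, so Apache will prompt for the passphrase on every start unless you configure SSLPassPhraseDialog or remove the passphrase from the key.

```python
# Added example: lint the ssl.conf and iptables edits from the post.
# Not code from the original post. The file contents are constructed
# excerpts of what the edited files should (or should not) contain.
import re

EXPECTED_SSL = {
    "SSLCertificateKeyFile": "/etc/shibboleth/external.key",
    "SSLCertificateFile": "/etc/shibboleth/external.crt",
    "SSLCertificateChainFile": "/etc/shibboleth/external_int.crt",
}
SHIB_PORTS = {"80", "443", "8443"}
CHAIN = "RH-Firewall-1-INPUT"

SSL_CONF = """\
# constructed excerpt of /etc/httpd/conf.d/ssl.conf after the edits
SSLEngine on
SSLCertificateFile /etc/shibboleth/external.crt
SSLCertificateKeyFile /etc/shibboleth/external.key
SSLCertificateChainFile /etc/shibboleth/external_int.crt
"""

SSL_CONF_UNEDITED = """\
# constructed excerpt: the lines the post tells you to replace, chain line never added
SSLEngine on
SSLCertificateFile /etc/pki/tls/private/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
"""

IPTABLES_OK = """\
# constructed excerpt of /etc/sysconfig/iptables, ACCEPTs above the REJECT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Same rules, but the 8443 line was pasted below the REJECT: it never matches.
RULE_8443 = "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT\n"
IPTABLES_BAD = IPTABLES_OK.replace(RULE_8443, "") + RULE_8443


def check_ssl_conf(text):
    """Return problems with the SSLCertificate* directives (empty list = OK)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in EXPECTED_SSL:
            found[parts[0]] = parts[1].strip()
    problems = []
    for directive, path in EXPECTED_SSL.items():
        actual = found.get(directive)
        if actual is None:
            problems.append(f"{directive} is missing")
        elif actual != path:
            problems.append(f"{directive} is {actual}, expected {path}")
    return problems


def check_iptables(text, chain=CHAIN, ports=SHIB_PORTS):
    """Return the set of ports whose NEW/tcp ACCEPT rule is missing from the
    chain or appears only after its catch-all REJECT/DROP (empty set = OK).

    iptables evaluates rules top to bottom, so an ACCEPT placed below the
    REJECT the post tells you to stay above is dead: the REJECT wins first.
    """
    reached = set()
    blocked = False
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(f"-A {chain} "):
            continue
        # A REJECT/DROP without --dport is treated as the chain's catch-all.
        if ("-j REJECT" in line or "-j DROP" in line) and "--dport" not in line:
            blocked = True
            continue
        m = re.search(r"-p tcp .*--dport (\d+)\b.*-j ACCEPT$", line)
        if m and "--state NEW" in line and not blocked:
            reached.add(m.group(1))
    return set(ports) - reached


if __name__ == "__main__":
    print("ssl.conf:", check_ssl_conf(SSL_CONF) or "OK")
    print("unedited ssl.conf:", check_ssl_conf(SSL_CONF_UNEDITED))
    print("iptables:", check_iptables(IPTABLES_OK) or "OK")
    print("iptables (8443 below REJECT):", check_iptables(IPTABLES_BAD))
```

To run it against a real box, read /etc/httpd/conf.d/ssl.conf and /etc/sysconfig/iptables into the two functions instead of the embedded strings; the port-8443 case is the one people usually get wrong because the handler port is easy to forget when the 80/443 pair already works.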
Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
Part 2. Shibboleth Config (6 hours)
cd /etc/shibboleth
wget http://metadata.ukfederation.org.uk/ukfederation.pem
wget http://metadata.ukfederation.org.uk/ukfederation-metadata.xml

Edit shibboleth2.xml

Replace all instances of sp.example.org with your Entity ID, i.e. sp.yourdomain.com

Search for ApplicationDefaults

Add homeURL="https://sp.domainz.com/ahomeurl" under entityID - homeURL is the first URL of the resource if none is specified.

Search for <Sessions

Before the default example (the comment reading "Default example directs to a speci…") insert:

<SessionInitiator isDefault="true" id="UKFederation" Location="/WAYF/UKFederation" type="WAYF" defaultACSIndex="5" URL="https://wayf.ukfederation.org.uk/WAYF" />

Search for exportLocation

Under exportLocation replace http://localhost with https://localhost

Replace all instances of root@localhost with the technical support email address

Search for MetadataProvider

This bit gets messy so pay close attention…

Directly after it insert:

<MetadataProvider type="XML" uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
    backingFilePath="/etc/shibboleth/ukfederation-metadata.xml" reloadInterval="14400">
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
  <SignatureMetadataFilter certificate="ukfederation.pem"/>
</MetadataProvider>

Search for the existing CredentialResolver line. Delete it or comment it out.

Directly below it paste the following (the element's tags were lost in this copy of the post and are reconstructed here; the attribute names are those of the Shibboleth SP 2 File CredentialResolver):

<CredentialResolver type="File" key="/etc/shibboleth/sp.key" certificate="/etc/shibboleth/sp.crt" password="yourpassword"/>

Don't forget to replace yourpassword with your key password if you have set one!

For now we are done in shibboleth2.xml

Run ./keygen.sh to generate your new key pair

mv sp-key.pem sp.key
mv sp-cert.pem sp.crt
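To tie the shibboleth2.xml edits above together, here is an added example (not code from the post or from the Shibboleth project) that checks a configuration for each of them. The embedded document is a constructed, cut-down shibboleth2.xml containing only the elements the post edits, not a complete SP configuration, and the element and attribute names are those of the Shibboleth SP 2 native configuration namespace. The two checks that matter most for security are that the UK federation MetadataProvider carries a SignatureMetadataFilter (otherwise whatever is served at the metadata URL is trusted unsigned) and a RequireValidUntil filter (otherwise stale metadata is accepted indefinitely).

```python
# Added example: check shibboleth2.xml for the UK federation edits in the
# post. Not code from the post or the Shibboleth project. CONFIG_OK is a
# constructed, cut-down shibboleth2.xml with only the elements the post
# edits; it is not a complete SP configuration.
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}
UKF_METADATA = "http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
UKF_WAYF = "https://wayf.ukfederation.org.uk/WAYF"

CONFIG_OK = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.yourdomain.com/shibboleth"
      homeURL="https://sp.yourdomain.com/ahomeurl" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        exportLocation="https://localhost/Shibboleth.sso/GetAssertion" handlerSSL="true">
      <SessionInitiator isDefault="true" id="UKFederation" Location="/WAYF/UKFederation"
          type="WAYF" defaultACSIndex="5" URL="https://wayf.ukfederation.org.uk/WAYF" />
    </Sessions>
    <Errors supportContact="support@yourdomain.com" logoLocation="/shibboleth-sp/logo.jpg"/>
    <MetadataProvider type="XML" uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
        backingFilePath="/etc/shibboleth/ukfederation-metadata.xml" reloadInterval="14400">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
      <SignatureMetadataFilter certificate="ukfederation.pem"/>
    </MetadataProvider>
    <CredentialResolver type="File" key="/etc/shibboleth/sp.key" certificate="/etc/shibboleth/sp.crt"/>
  </ApplicationDefaults>
</SPConfig>
"""

# The same file with four of the post's edits left undone.
CONFIG_BAD = (CONFIG_OK
    .replace("https://sp.yourdomain.com/shibboleth", "https://sp.example.org/shibboleth")
    .replace("https://localhost", "http://localhost")
    .replace('<SignatureMetadataFilter certificate="ukfederation.pem"/>', "")
    .replace("support@yourdomain.com", "root@localhost"))


def _ukf_provider(app):
    """Return the MetadataProvider that loads the UK federation feed, or None."""
    for mp in app.findall("c:MetadataProvider", NS):
        if mp.get("uri") == UKF_METADATA:
            return mp
    return None


def check_shibboleth2(xml_text):
    """Return a list of problems against the post's checklist (empty = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    app = root.find("c:ApplicationDefaults", NS)
    if app is None:
        return ["no ApplicationDefaults element"]

    entity_id = app.get("entityID", "")
    if not entity_id or "sp.example.org" in entity_id:
        problems.append("entityID still the sp.example.org placeholder")
    if not app.get("homeURL", "").startswith("https://"):
        problems.append("homeURL missing or not https")

    sessions = app.find("c:Sessions", NS)
    if sessions is None:
        problems.append("no Sessions element")
    else:
        if sessions.get("exportLocation", "").startswith("http://"):
            problems.append("exportLocation still http://localhost")
        wayf = [si for si in sessions.findall("c:SessionInitiator", NS)
                if si.get("type") == "WAYF" and si.get("isDefault") == "true"
                and si.get("URL") == UKF_WAYF]
        if not wayf:
            problems.append("no default WAYF SessionInitiator for the UK federation")

    if "root@localhost" in xml_text:
        problems.append("root@localhost still present; use the support address")

    mp = _ukf_provider(app)
    if mp is None:
        problems.append("no MetadataProvider for the UK federation metadata")
    else:
        # An ElementTree Element with no children is falsy, hence `is None`.
        sig = mp.find("c:SignatureMetadataFilter", NS)
        if sig is None:
            sig = next((f for f in mp.findall("c:MetadataFilter", NS)
                        if f.get("type") == "Signature"), None)
        if sig is None or not sig.get("certificate"):
            problems.append("UK federation metadata is not signature-checked "
                            "(no SignatureMetadataFilter with certificate)")
        if not any(f.get("type") == "RequireValidUntil"
                   for f in mp.findall("c:MetadataFilter", NS)):
            problems.append("no RequireValidUntil filter: stale metadata would be accepted")

    cred = app.find("c:CredentialResolver", NS)
    if cred is None or not (cred.get("key") and cred.get("certificate")):
        problems.append("CredentialResolver missing key or certificate")
    return problems


if __name__ == "__main__":
    print("edited config:", check_shibboleth2(CONFIG_OK) or "OK")
    for p in check_shibboleth2(CONFIG_BAD):
        print("unedited config:", p)
```

Point `check_shibboleth2` at the contents of /etc/shibboleth/shibboleth2.xml once you have finished editing; the signature check accepts either the SignatureMetadataFilter shorthand used in the post or the equivalent MetadataFilter type="Signature" form.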