John McLear » ukfederation http://mclear.co.uk My mission: To encourage effective use of ICT in Schools. My main focus is on ages 3-11. Fri, 10 Feb 2012 00:46:32 +0000 en hourly 1 http://primaryblogger.co.uk/?v=3.3.1 Shibboleth WAYFless URLs UKFederation http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/ http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/#comments Tue, 27 Oct 2009 20:55:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/
Shibboleth is a single sign on method used by UK schools.
Shibboleth allows you to log into multiple services without the need to enter your username and password.

Shibboleth WAYFLess URLS is a
knowledge requirement for Shibboleth Service Providers and users. A shibboleth user may use a service frequently and want to skip the Identity provider selection page, a wayfless URL does exactly this.

Example



Copy and paste the above and replace %20 with ?

Another example


What bit do I need to change to configure my service to Primary Logon?
https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie
&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk
&cache=perm&action=selection
&origin=https://idp.primarylogon.co.uk/idp/shibboleth
&shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST
The bits in bold need changing.

Related Posts

  1. Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  2. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  3. Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
]]> http://mclear.co.uk/2009/10/27/shibboleth-wayfless-urls-ukfederation/feed/ 0 Configuring Apache for Shibboleth on CentOS to the ukfederation w/ Godaddy certs http://mclear.co.uk/2009/10/27/configuring-apache-for-shibboleth-on-centos-to-the-ukfederation-w-godaddy-certs/ http://mclear.co.uk/2009/10/27/configuring-apache-for-shibboleth-on-centos-to-the-ukfederation-w-godaddy-certs/#comments Tue, 27 Oct 2009 15:37:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/10/27/configuring-apache-for-shibboleth-on-centos-to-the-ukfederation-w-godaddy-certs/ Part 3. Apache config. (1 hour) 
cd /etc/shibboleth
openssl genrsa -des3 -out external.key 2048
openssl req -new -key external.key -out external.csr

The above will create a CSR request for your resource, when asked what the common name is enter something like shib.yourdomain.com - DO NOT use sp.yourdomain.com or the same common name as you used to register your SP!

Edit the CSR and copy its contents into clipboard. Then login to your godaddy hosting account and paste the CSR request into your certificate request. 

Godaddy will do their thing then get back to you with a CRT a few files usually within 24 hours.


When they get back to you with the files copy or download them the files to /etc/shibboleth


Rename shib.yourdomain.com.crt to external.crt
Rename gd_bundle.crt to external_int.crt and place it in /etc/shibboleth




 

Edit /etc/httpd/conf.d/ssl.conf
Replace
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
With
 SSLCertificateKeyFile /etc/shibboleth/external.key
Replace
SSLCertificateFile /etc/pki/tls/private/localhost.crt

With
SSLCertificateFile /etc/shibboleth/external.crt
Under SSLCertificateKeyFile paste SSLCertificateChainFile /etc/shibboleth/external_int.crt
 
 
Edit /etc/httpd/conf/httpd.conf
 
Replace
 UseCanonicalName Off
With
 UseCanonicalName On
Find the line beginning with ServerName
Comment it out
Below it type ServerName shib.yourdomain.com:80

/usr/sbin/apachectl restart


/usr/sbin/apachectl start


The above commands will restart Apache or start it if it hasn't already been started


Edit  /etc/sysconfig/iptables & above all REJECT rules paste:
 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
/sbin/service iptables restart


If everything restarts without any errors then:
Continue to the testing phase

Related Posts

  1. Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  2. Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
  3. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs
]]> http://mclear.co.uk/2009/10/27/configuring-apache-for-shibboleth-on-centos-to-the-ukfederation-w-godaddy-certs/feed/ 1 Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs http://mclear.co.uk/2009/10/27/configuring-shibboleth-sp-2-on-centos-to-the-ukfederation-w-godaddy-certs/ http://mclear.co.uk/2009/10/27/configuring-shibboleth-sp-2-on-centos-to-the-ukfederation-w-godaddy-certs/#comments Tue, 27 Oct 2009 15:35:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/10/27/configuring-shibboleth-sp-2-on-centos-to-the-ukfederation-w-godaddy-certs/ Part 2. Shibboleth Config (6 hours)

cd /etc/shibboleth
wget http://metadata.ukfederation.org.uk/ukfederation.pem
wget http://metadata.ukfederation.org.uk/ukfederation-metadata.xml

Edit shibboleth2.xml

Replace all instances of sp.example.org with your Entity ID ie sp.yourdomain.com

Search for ApplicationDefaults

Add homeURL=”https://sp.domainz.com/ahomeurl” under entityID – homeURL is the first url of the resource if none is specified.

Search for <sessions

Before the default example (Reading Default example directs to a speci… ” Insert: 

<SessionInitiator isDefault="true" id="UKFederation" Location="/WAYF/UKFederation"
type="WAYF" defaultACSIndex="5"
URL="https://wayf.ukfederation.org.uk/WAYF"
/>

Search for exportLocation

Under exportLocation replace http://localhost with https://localhost

Replace all instances of root@localhost with the technical support email address

Search for MetadataProvider

This bit gets messy so pay close attention…..

After the line reading Insert 
<MetadataProvider type="XML"

uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"

backingFilePath="/etc/shibboleth/ukfederation-metadata.xml" reloadInterval="14400">

<MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>

<SignatureMetadataFilter certificate="ukfederation.pem"/>

</MetadataProvider>

Search for the line Delete it or comment it out.

Directly below it paste the following:

/etc/shibboleth/sp.key /etc/shibboleth/sp.crt

Don’t forget to replace yourpassword with your key password if you have set one!