Shibboleth WAYFless URLs UKFederation

Shibboleth is a SAML-based single sign-on system used across UK schools, colleges and universities through the UK Access Management Federation.
Shibboleth lets you log into multiple services with one set of credentials: you authenticate once at your home institution's Identity Provider (IdP) and each Service Provider (SP) trusts that login instead of asking for your username and password again.

Shibboleth WAYFless URLs are something every Shibboleth Service Provider operator and regular user should know about. Normally the first visit to a service sends the user to a "Where Are You From" (WAYF) page to pick their Identity Provider. A user who visits a service often will want to skip that page, and a WAYFless URL does exactly that: it names the IdP up front, so the user goes straight to their own institution's login page.

Example



Copy and paste the above and replace %20 with ?

Another example

Which parts do I need to change to send users of my service straight to the Primary Logon IdP?

https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf?target=cookie&providerId=urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk&cache=perm&action=selection&origin=https://idp.primarylogon.co.uk/idp/shibboleth&shire=https://target.iay.org.uk/Shibboleth.sso/SAML/POST

The bits that need changing are the three values that identify the two ends of the exchange:
providerId: your SP's entity ID, exactly as registered with the UK federation
origin: the entity ID of the IdP you want to send users to (here Primary Logon's)
shire: your SP's assertion consumer endpoint, i.e. the Shibboleth.sso/SAML/POST URL on your own host
target=cookie, cache=perm and action=selection can stay as they are. The values are shown unencoded above for readability; in a link you publish it is safer to URL-encode each of them, because a stray ? or & inside a value will split the query string.
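The following is an added example written for this page, not code from the original post or from the UK federation. It builds both shapes of WAYFless URL with every parameter percent-encoded: the legacy federation WAYF form shown above, and the SP 2.x native form that points at your own SP's Login handler instead of the central WAYF (no WAYF is involved at all in that case). The hostnames and entity IDs are the placeholders used on this page; the check that a target must sit on the SP's own host is an added precaution, not something the WAYF enforces.

```sh
#!/bin/sh
# Added example for this page (not code from the original post or the UK
# federation): build WAYFless URLs with every parameter percent-encoded, so a
# '?' or '&' inside an entity ID can never split the query string.
# Hostnames and entity IDs are the placeholders used on the page.
LC_ALL=C; export LC_ALL

# Percent-encode everything except RFC 3986 unreserved characters.
urlencode() {
  s=$1; out=''
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Legacy federation WAYF form shown on this page. Only providerId (your SP's
# entity ID), origin (the IdP's entity ID) and shire (your SP's assertion
# consumer endpoint) change between deployments; target=cookie lets the SP
# remember the resource the user originally asked for.
wayfless_wayf_url() {  # usage: wayfless_wayf_url wayf_url provider_id origin shire
  printf '%s?target=cookie&providerId=%s&cache=perm&action=selection&origin=%s&shire=%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Native SP 2.x form: the SP's own Login handler sends the user straight to
# the IdP named by entityID. A target that is not on the SP's own host is
# refused here, so a crafted login link cannot be used to bounce users elsewhere.
wayfless_sp_url() {  # usage: wayfless_sp_url sp_host idp_entity_id target
  case $3 in
    "https://$1/"*) ;;
    *) printf 'refusing target %s: not on https://%s/\n' "$3" "$1" >&2; return 1 ;;
  esac
  printf 'https://%s/Shibboleth.sso/Login?entityID=%s&target=%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Demonstration on the page's placeholders.
wayfless_wayf_url 'https://wayf.ukfederation.org.uk/shibboleth-wayf/ukfull.wayf' \
  'urn:mace:ac.uk:sdss.ac.uk:provider:service:target.iay.org.uk' \
  'https://idp.primarylogon.co.uk/idp/shibboleth' \
  'https://target.iay.org.uk/Shibboleth.sso/SAML/POST'; echo
wayfless_sp_url 'shib.yourdomain.com' 'https://idp.primarylogon.co.uk/idp/shibboleth' \
  'https://shib.yourdomain.com/secure'; echo
```

The second form is the one to prefer once your SP is on 2.x: it needs no WAYF at all, only the IdP's entity ID, and the SP will reject an entityID it cannot find in the federation metadata it has loaded.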

Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

Part 4. Testing (2 hours)

Start shibd with /sbin/service shibd start
Another option is service shibd restart
If neither works, run the daemon in the foreground so you can see what it complains about: /usr/sbin/shibd -f

If you mix these ways of starting shibd, make sure you have not ended up with more than one copy running: ps aux | grep shibd

If you see both a shibd -f entry and a /usr/sbin/shibd ... entry then you have two daemons; kill them both and start exactly one. I recommend service shibd start.

Log files will be in: /var/log/shibboleth/

Check shibd.log for errors: grep ERROR /var/log/shibboleth/shibd.log
Your resource URL is https://shib.yourdomain.com/secure
Try browsing to it.
If you get nothing at all then Apache hasn't started properly; check the Apache logs in /var/log/httpd/.
You should get a page that starts with the Shibboleth logo, or a WAYF login screen.
If you get the WAYF screen things are going well. If you get a Shibboleth error page then we need to make some more configuration changes: read your logs and continue below.
If the error page says "Cannot connect to shibd process, a site administrator should be notified." then Apache's Shibboleth module cannot reach the shibd socket. Check first that shibd is actually running (ps aux | grep shibd); if it is, on a default CentOS install this means SELinux has blocked the connection. Confirm with
grep shib /var/log/audit/audit.log

You can see the current SELinux state with the sestatus command:

After setenforce 0 the output should look like this (the running system is in permissive mode, whatever the config file says):
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

The fix for the SELinux problem is documented on Page 1 however I recommend being a bit more brutal if your environment is hyper fussy about security.

Once you have a working setup you can browse to http://shib.yourdomain.com/Shibboleth.sso/Metadata to get the SP's automatically generated metadata and proceed with the UK federation registration process.
When you speak to the UK federation to approve your registration you will be asked to run this command from /etc/shibboleth. It prints the SHA-1 fingerprint of the SP's own self-signed certificate (sp.crt, not the GoDaddy one):
openssl x509 -sha1 -in sp.crt -noout -fingerprint

You will be asked to give them the fingerprint so keep a record of it. It is how they confirm that the key in the metadata you submitted really is yours, so it must be read from the same sp.crt that shibboleth2.xml points at.
Griffin goes “meow”.
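The checks from this part, collected into a script, as an added example that is not part of the original post. Each function reads the text of ps aux, shibd.log or audit.log on standard input, so it can be run against the live box (the --live switch uses the paths named on this page) or against the sample output at the bottom, which is constructed for illustration and deliberately shows all three problems: two daemons, an ERROR in shibd.log and an SELinux denial for the shibd socket.

```sh
#!/bin/sh
# Added example, not from the original post: the post-start checks from this
# part as small functions reading `ps aux`, shibd.log and audit.log on stdin.
# Run with --live to use the real files; otherwise the constructed samples
# at the bottom are used (they are made up for illustration).

# Number of shibd daemons in `ps aux` output; the grep that produced it is excluded.
shibd_count() {
  grep -E '(^|[/ ])shibd( |$)' | grep -v 'grep' | wc -l | tr -d ' '
}

# Number of ERROR lines in shibd.log (grep -c exits 1 on zero matches, hence || true).
shibd_error_count() { grep -c ' ERROR ' || true; }

# Number of SELinux AVC denials mentioning shibboleth in audit.log.
selinux_shib_denials() { grep 'avc: *denied' | grep -ci 'shib' || true; }

# Turn the three counts into the page's advice; returns 0 only when all is well.
diagnose() {  # usage: diagnose shibd_count error_count avc_count
  ok=0
  if [ "$1" -eq 0 ]; then
    echo 'shibd is not running: service shibd start'; ok=1
  elif [ "$1" -gt 1 ]; then
    echo "$1 shibd processes: kill them all and start exactly one (service shibd start)"; ok=1
  fi
  if [ "$2" -gt 0 ]; then
    echo "$2 ERROR line(s) in shibd.log: read them before going further"; ok=1
  fi
  if [ "$3" -gt 0 ]; then
    echo "$3 AVC denial(s) for shibboleth: SELinux is blocking the shibd socket"; ok=1
  fi
  return $ok
}

# --- constructed sample output, not captured from a real system ---------------
sample_ps() { cat <<'EOF'
root      1201  0.0  0.4  23456 1234 ?        Ss   10:00   0:00 /usr/sbin/shibd -p /var/run/shibboleth/shibd.pid -f -w 30
root      1315  0.0  0.4  23456 1234 pts/0    S    10:02   0:00 shibd -f
root      1400  0.0  0.0   4312  720 pts/0    R+   10:05   0:00 grep shibd
EOF
}
sample_log() { cat <<'EOF'
2010-03-01 10:00:01 INFO Shibboleth.Config : loading configuration file: /etc/shibboleth/shibboleth2.xml
2010-03-01 10:00:02 ERROR Shibboleth.Listener : cannot bind socket (/var/run/shibboleth/shibd.sock): Address already in use
2010-03-01 10:00:02 WARN Shibboleth.Config : metadata provider has not loaded yet
EOF
}
sample_audit() { cat <<'EOF'
type=AVC msg=audit(1267437602.123:45): avc:  denied  { connectto } for  pid=1500 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1267437700.001:46): avc:  denied  { read } for  pid=1600 comm="ntpd" name="drift" scontext=user_u:system_r:ntpd_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
EOF
}

if [ "${1:-}" = '--live' ]; then
  p=$(ps aux | shibd_count)
  e=$(shibd_error_count < /var/log/shibboleth/shibd.log)
  a=$(selinux_shib_denials < /var/log/audit/audit.log)
else
  p=$(sample_ps | shibd_count)
  e=$(sample_log | shibd_error_count)
  a=$(sample_audit | selinux_shib_denials)
fi
if diagnose "$p" "$e" "$a"; then echo 'shibd looks healthy'; fi
```

The AVC line is the signature to look for: comm="httpd" trying connectto on shibd.sock in tclass=unix_stream_socket is exactly the "Cannot connect to shibd process" error seen from the browser.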

Configuring Apache for Shibboleth on CentOS to the ukfederation w/ Godaddy certs

Part 3. Apache config. (1 hour)

cd /etc/shibboleth
openssl genrsa -des3 -out external.key 2048
openssl req -new -key external.key -out external.csr

The above creates a private key and a CSR for your resource. -des3 encrypts the key with a passphrase, which means Apache will prompt for it on every start; if that is not what you want, leave -des3 out and instead keep external.key readable by root only (mode 0600). When asked for the common name enter the resource name, e.g. shib.yourdomain.com. DO NOT use sp.yourdomain.com or the same common name you used to register your SP: this certificate is for the browser-facing resource, while the self-signed one from Part 2 is for talking to the federation.


Open external.csr and copy its contents to the clipboard. Then log in to your GoDaddy account and paste the CSR into your certificate request.

GoDaddy will process the request and get back to you with a few files (your certificate and their intermediate bundle), usually within 24 hours.

When they do, copy or download the files to /etc/shibboleth, then:

Rename shib.yourdomain.com.crt to external.crt
Rename gd_bundle.crt to external_int.crt (it must also live in /etc/shibboleth)

Edit /etc/httpd/conf.d/ssl.conf
Replace
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
With
SSLCertificateKeyFile /etc/shibboleth/external.key

Replace
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
With
SSLCertificateFile /etc/shibboleth/external.crt

Under SSLCertificateKeyFile add
SSLCertificateChainFile /etc/shibboleth/external_int.crt

(The CentOS default certificate lives in /etc/pki/tls/certs, the key in /etc/pki/tls/private.) Without the chain file the GoDaddy certificate fails validation in browsers that do not fetch the intermediate CA themselves. Make sure external.key is owned by root with mode 0600; Apache reads it as root at startup and nothing else needs it.

Edit /etc/httpd/conf/httpd.conf

Replace
UseCanonicalName Off
With
UseCanonicalName On
Find the line beginning with ServerName
Comment it out
Below it type ServerName shib.yourdomain.com:80

With UseCanonicalName On, Apache (and so the Shibboleth module) builds self-referencing URLs such as the handler and assertion consumer addresses from ServerName rather than from whatever Host header the client sent, so this name must match the certificate's common name. Set ServerName shib.yourdomain.com:443 inside the VirtualHost in ssl.conf as well, so the https side agrees.

/usr/sbin/apachectl configtest
/usr/sbin/apachectl restart

/usr/sbin/apachectl start

configtest reports syntax problems in the files you just edited without touching the running server; restart then restarts Apache, or use start if it hasn't been started yet.

Edit /etc/sysconfig/iptables and above all REJECT rules paste:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
/sbin/service iptables restart

The rules must go above the final REJECT because iptables stops at the first match. Port 8443 is only needed if you expose the SP's back-channel (SOAP) endpoints on it for attribute queries or artifact resolution; if you do not, leave that rule out.

If everything restarts without any errors then:
Continue to the testing phase
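Before moving on, it is worth checking that the files you are about to point ssl.conf at actually belong together. The script below is an added example written for this page, not part of the original post: --csr generates the key and CSR non-interactively (an unencrypted key, so Apache will not prompt; the organisation name in the subject is an assumption), and --check runs the three tests worth doing on what GoDaddy sends back: the key matches external.crt, external_int.crt really chains it, and the CN is the resource name rather than the SP's. Paths and hostnames are the page's placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: non-interactive CSR generation for
# the Apache-facing certificate plus the checks worth running on the files that
# come back before editing ssl.conf. Paths and hostnames are the page's
# placeholders; the organisation name in the subject is an assumption.
set -eu

# Unencrypted 2048-bit key (created 0600 via umask) and a CSR with the resource
# name as CN. An encrypted key (-des3) would make Apache prompt on every start.
make_csr() {  # usage: make_csr dir resource_fqdn
  umask 077
  openssl genrsa -out "$1/external.key" 2048 2>/dev/null
  openssl req -new -key "$1/external.key" -out "$1/external.csr" \
    -subj "/C=GB/O=Your Organisation/CN=$2" 2>/dev/null
}

# CN of a CSR (req) or certificate (x509), whichever subject format openssl prints.
subject_cn() {  # usage: subject_cn req|x509 file
  openssl "$1" -in "$2" -noout -subject | sed -n 's|.*CN *= *\([^/,]*\).*|\1|p'
}

# 0 when the private key and the certificate carry the same RSA modulus.
key_matches_cert() {  # usage: key_matches_cert key.pem cert.pem
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the intermediate bundle really chains the leaf certificate.
chain_verifies() {  # usage: chain_verifies bundle.crt leaf.crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The page's warning: the Apache certificate's CN must be the resource name
# and must not be the host from the SP's entity ID.
cn_is_resource() {  # usage: cn_is_resource cert.pem resource_fqdn sp_fqdn
  cn=$(subject_cn x509 "$1")
  [ "$cn" = "$2" ] && [ "$cn" != "$3" ]
}

# All three checks on a finished set of files (external.key/.crt/_int.crt in dir).
check_apache_certs() {  # usage: check_apache_certs dir resource_fqdn sp_fqdn
  key_matches_cert "$1/external.key" "$1/external.crt" \
    || { echo 'external.key does not match external.crt'; return 1; }
  chain_verifies "$1/external_int.crt" "$1/external.crt" \
    || { echo 'external_int.crt does not verify external.crt'; return 1; }
  cn_is_resource "$1/external.crt" "$2" "$3" \
    || { echo "CN is '$(subject_cn x509 "$1/external.crt")', expected $2"; return 1; }
  echo 'certificates look consistent'
}

case ${1:-} in
  --csr)   make_csr "${2:-/etc/shibboleth}" "${3:-shib.yourdomain.com}" ;;
  --check) check_apache_certs "${2:-/etc/shibboleth}" "${3:-shib.yourdomain.com}" "${4:-sp.yourdomain.com}" ;;
  *)       echo "usage: $0 --csr [dir fqdn] | --check [dir fqdn sp_fqdn]" ;;
esac
```

Run it as sh check-certs.sh --check /etc/shibboleth shib.yourdomain.com sp.yourdomain.com once the renamed files are in place; a modulus mismatch is the classic result of pasting the wrong CSR into the GoDaddy form.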

Configuring Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

Part 2. Shibboleth Config (6 hours)

cd /etc/shibboleth
wget http://metadata.ukfederation.org.uk/ukfederation.pem
wget http://metadata.ukfederation.org.uk/ukfederation-metadata.xml

ukfederation.pem is the certificate that signs all federation metadata, which makes it the trust anchor for every IdP your SP will ever accept. It is fetched over plain http here, so check its fingerprint (openssl x509 -in ukfederation.pem -noout -fingerprint) against the value the UK federation publishes through another channel before going any further. The metadata file itself does not have to be fetched by hand, since the MetadataProvider below downloads and refreshes it, but a local copy is handy for a first look.

Edit shibboleth2.xml

Replace all instances of sp.example.org with the host from your entity ID, i.e. sp.yourdomain.com, so that the entityID becomes https://sp.yourdomain.com/shibboleth

Search for ApplicationDefaults

Add homeURL="https://sp.domainz.com/ahomeurl" after entityID. homeURL is a URL on your resource that the SP sends users to when it has no other destination for them, for example after logout.

Search for <Sessions

Before the default example (the comment reading "Default example directs to a speci…") insert:

<SessionInitiator isDefault="true" id="UKFederation" Location="/WAYF/UKFederation"
    type="WAYF" defaultACSIndex="5"
    URL="https://wayf.ukfederation.org.uk/WAYF"/>

This makes the federation's central WAYF the default way to start a session: an unauthenticated request for a protected location is redirected there so the user can choose an IdP.

Search for exportLocation

In the exportLocation value replace http://localhost with https://localhost

Replace all instances of root@localhost with the technical support email address (this is the address shown to users on the SP's error pages).

Search for MetadataProvider

This bit gets messy so pay close attention.

After the existing MetadataProvider example insert:

<MetadataProvider type="XML"
    uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
    backingFilePath="/etc/shibboleth/ukfederation-metadata.xml" reloadInterval="14400">
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
  <MetadataFilter type="Signature" certificate="ukfederation.pem"/>
</MetadataProvider>

The two filters are what make the plain-http download safe to use. RequireValidUntil rejects metadata that has no validUntil or one more than 30 days (2592000 seconds) away, so a stale copy cannot be replayed at you indefinitely, and the Signature filter rejects anything not signed by the key in ukfederation.pem. Note that in SP 2.x the signature check is written as a MetadataFilter with type="Signature", as above.

Search for the line beginning <CredentialResolver type="File" and delete it or comment it out.

Directly below it paste the following:

<CredentialResolver type="File" key="/etc/shibboleth/sp.key" certificate="/etc/shibboleth/sp.crt" password="yourpassword"/>

Don't forget to replace yourpassword with your key password if you have set one! If the key has no passphrase (the one keygen.sh produces below does not) drop the password attribute entirely.

For now we are done in shibboleth2.xml

Run ./keygen.sh in /etc/shibboleth to generate the SP's key pair and self-signed certificate. It uses the machine's hostname for the certificate's CN, which is why Part 1 set that to sp.yourdomain.com. Then:

mv sp-key.pem sp.key
mv sp-cert.pem sp.crt

This is the certificate the federation will see (its fingerprint is what you read out in Part 4), not the GoDaddy one. Keep sp.key readable only by the account shibd runs as.

Now we must configure Apache for Shibboleth.
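A lint pass over the edits this part asks for, as an added example that is not part of the original post. It uses only grep and sed, so it runs on the bare CentOS box, and checks for the things that are easy to leave behind: a lingering sp.example.org or root@localhost, an http exportLocation, a missing WAYF SessionInitiator, missing RequireValidUntil and Signature filters on the metadata, and credential files that the CredentialResolver names but that do not exist. The two configuration fragments at the bottom are constructed for illustration (a correct one and one with every leftover), not copies of any real shibboleth2.xml.

```sh
#!/bin/sh
# Added example, not from the original post: a lint pass over shibboleth2.xml
# for the edits this part asks for. Uses only grep and sed. The sample configs
# at the bottom are constructed for illustration.

# Each check takes the config path and returns 0 (ok) or 1 (problem).
no_example_entity()    { ! grep -q 'sp\.example\.org' "$1"; }
no_localhost_contact() { ! grep -q 'root@localhost' "$1"; }
export_is_https()      { ! grep -q 'exportLocation="http://' "$1"; }
has_signature_filter() { grep -q '<MetadataFilter[^>]*type="Signature"' "$1"; }
has_valid_until()      { grep -q '<MetadataFilter[^>]*type="RequireValidUntil"' "$1"; }
has_wayf_initiator()   { grep -q '<SessionInitiator[^>]*type="WAYF"' "$1"; }

# The key and certificate named by the first CredentialResolver must exist;
# relative paths are resolved against the config directory, as the SP does.
credential_files_exist() {  # usage: credential_files_exist config confdir
  line=$(grep '<CredentialResolver' "$1" | head -n 1)
  key=$(printf '%s\n' "$line" | sed -n 's/.*key="\([^"]*\)".*/\1/p')
  crt=$(printf '%s\n' "$line" | sed -n 's/.*certificate="\([^"]*\)".*/\1/p')
  [ -n "$key" ] && [ -n "$crt" ] || return 1
  case $key in /*) ;; *) key="$2/$key" ;; esac
  case $crt in /*) ;; *) crt="$2/$crt" ;; esac
  [ -r "$key" ] && [ -r "$crt" ]
}

# Run every check, print one line each, return 0 only when all pass.
lint_config() {  # usage: lint_config shibboleth2.xml confdir
  cfg=$1 dir=$2 failed=0
  for chk in no_example_entity no_localhost_contact export_is_https \
             has_signature_filter has_valid_until has_wayf_initiator; do
    if "$chk" "$cfg"; then echo "ok   $chk"; else echo "FAIL $chk"; failed=$((failed+1)); fi
  done
  if credential_files_exist "$cfg" "$dir"; then echo 'ok   credential_files_exist'
  else echo 'FAIL credential_files_exist'; failed=$((failed+1)); fi
  [ "$failed" -eq 0 ]
}

# --- constructed samples: one done right, one with every leftover -------------
sample_good() { cat <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults id="default" entityID="https://sp.yourdomain.com/shibboleth"
      homeURL="https://shib.yourdomain.com/" REMOTE_USER="eppn">
    <Sessions lifetime="28800" handlerURL="/Shibboleth.sso"
        exportLocation="https://localhost/Shibboleth.sso/GetAssertion">
      <SessionInitiator type="WAYF" isDefault="true" id="UKFederation"
          Location="/WAYF/UKFederation" defaultACSIndex="5"
          URL="https://wayf.ukfederation.org.uk/WAYF"/>
    </Sessions>
    <Errors supportContact="support@yourdomain.com"/>
    <MetadataProvider type="XML"
        uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
        backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
      <MetadataFilter type="Signature" certificate="ukfederation.pem"/>
    </MetadataProvider>
    <CredentialResolver type="File" key="sp.key" certificate="sp.crt"/>
  </ApplicationDefaults>
</SPConfig>
EOF
}
sample_bad() { cat <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults id="default" entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" handlerURL="/Shibboleth.sso"
        exportLocation="http://localhost/Shibboleth.sso/GetAssertion">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"/>
    </Sessions>
    <Errors supportContact="root@localhost"/>
    <MetadataProvider type="XML"
        uri="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
        backingFilePath="ukfederation-metadata.xml" reloadInterval="14400">
      <SignatureMetadataFilter certificate="ukfederation.pem"/>
    </MetadataProvider>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>
EOF
}

if [ $# -ge 1 ]; then
  lint_config "$1" "$(dirname "$1")"; exit
fi
T=$(mktemp -d)
sample_good > "$T/good.xml"; sample_bad > "$T/bad.xml"
: > "$T/sp.key"; : > "$T/sp.crt"
echo '== good.xml'; lint_config "$T/good.xml" "$T" || echo 'good.xml needs work'
echo '== bad.xml';  lint_config "$T/bad.xml"  "$T" || echo 'bad.xml needs work'
rm -rf "$T"
```

On the real box run it as sh lint-shib.sh /etc/shibboleth/shibboleth2.xml; it is a grep-level check, so a passing result still needs shibd to parse the file (shibd -t does that without starting the daemon).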

Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs

Internet 2 give some “creative” documentation for this procedure so I thought I’d write some that are easier to follow:


Part 0. Planning. (2 hours)

  1. Download the CentOS netinstall boot CD from http://centos.org
  2. Receive approval from the UK federation for your service.
  3. Purchase a cheap GoDaddy certificate, or have one ready for your service. Be aware that you will end up with two certificates: a CA-issued SSL certificate securing the browser-facing resource (shib.yourdomain.com) and a self-signed certificate that identifies your SP to the UK federation (generated by keygen.sh in Part 2). Do not get these confused: they have different common names, live in different files and are checked by different parties.
  4. Create DNS records for the resource and the SP. shib.yourdomain.com (your resource) should resolve to the IP of the Apache server and sp.yourdomain.com (the service provider) should resolve to the same IP.

Part 1. Install (2 hours)

First things first: install CentOS. You don't need a GUI or anything fancy, just a web server. Do all of the below as root.

Set the hostname in /etc/sysconfig/network and /etc/hosts to match the FQDN of your SP, i.e. sp.yourdomain.com

Install ntpdate and set the clock (you might want to add a cron job for this, or run ntpd; SAML assertions carry timestamps, and an SP whose clock drifts will start rejecting perfectly valid logins):

yum install ntp.i386
ntpdate pool.ntp.org

NOTE: the manual RPM download below is now out of date (the Shibboleth project publishes a yum repository for current releases, which is the supported way to install the SP on CentOS); still complete the SELinux section at the end of this part.

cd /root/
curl -O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/log4shib-1.0.3-1.1.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xerces-c-3.0.1-5.1.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xml-security-c-1.5.1-3.2.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/xmltooling-1.2.2-1.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/opensaml-2.2.1-1.i386.rpm \
-O http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/2.2.1/RPMS/i386/RHE/5/shibboleth-2.2.1-2.i386.rpm

The above will put the files you need in /root

Edit /etc/yum.conf (use vi or nano), copy the gpgcheck line, comment the original out so it reads #gpgcheck=yes, and set gpgcheck=no on the line below. This switches off package signature checking for every yum operation, not just this one, so turn it back on once the Shibboleth packages are in (or leave yum.conf alone and pass --nogpgcheck to the single localinstall below instead).

yum -y install ntp
/usr/sbin/ntpdate pool.ntp.org
yum localinstall xerces-c-3.0.1-5.1.i386.rpm
yum -y install unixODBC.i386
rpm -ivh log4shib-1.0.3-1.1.i386.rpm
rpm -ivh xml-security-c-1.5.1-3.2.i386.rpm
rpm -ivh xmltooling-1.2.2-1.i386.rpm
rpm -ivh opensaml-2.2.1-1.i386.rpm
rpm -ivh shibboleth-2.2.1-2.i386.rpm

The above will install the packages. Your shibboleth config will live in /etc/shibboleth


Edit /etc/selinux/config
Comment out SELINUX=enforcing
Type in SELINUX=disabled

setenforce 0

The config file change takes effect at the next boot; setenforce 0 switches the running system to permissive straight away.

Warning: This disables some security options. It can be left enabled, but tweaks will then need to be made to the socket restrictions later on (the denial you will see is httpd connecting to the shibd unix socket; see the testing part). Can someone please document this better?


Or, instead of the above, you can use system-config-securitylevel-tui to disable SELinux and then reboot.

/usr/sbin/shibd -v

This prints the version of the Shibboleth SP that is installed. If it does, then: