HOWTO Install and Configure a Shibboleth Embedded Discovery Service

The Embedded Discovery Service (EDS) lets a Service Provider run a discovery service within its own site, so the IdP selection page can look like any other page on the site instead of redirecting the user to an unfamiliar third-party discovery site. The EDS is a set of JavaScript and CSS files, so installing and using it is straightforward and requires no additional software. Note: you must already have an installed and configured Shibboleth Service Provider (2.4 or later) in order to use the EDS.

Index

  1. Requirements
  2. Installation
    1. Debian/Ubuntu
    2. CentOS
  3. Enable EDS on Shibboleth SP
  4. Configuration
  5. Whitelist - How to allow IdPs to access the federated resource
  6. How to allow the access to IdPs by specifying their entityID
  7. How to allow the access to IdPs that support a specific Entity Category
  8. How to allow the access to IdPs that support SIRTFI
  9. Blacklist - How to disallow IdPs to access the federated resource
  10. How to disallow the access to IdPs by specifying their entityID
  11. How to disallow the access to IdPs that support a specific Entity Category
  12. Best Practices to follow to maximize the access to the resource
  13. Authors
  14. Credits

Requirements

  • Apache Server (>= 2.4)
  • A working Shibboleth Service Provider (>= 2.4)
  • Tested on: Debian, CentOS

Installation

Debian/Ubuntu

  1. Download the EDS archive from the official Shibboleth download site and install it (make install copies the JavaScript/CSS files and the sample Apache configuration under /etc/shibboleth-ds):
    
    sudo su -
    
    cd /usr/local/src
    
    wget https://shibboleth.net/downloads/embedded-discovery-service/latest/shibboleth-embedded-ds-1.2.2.tar.gz -O shibboleth-eds.tar.gz
    
    tar xzf shibboleth-eds.tar.gz
    
    cd shibboleth-embedded-ds-1.2.2
    
    apt install make
    
    make install
  2. Move the Apache configuration shipped with the EDS into Apache's conf-available directory:

    • mv /etc/shibboleth-ds/shibboleth-ds.conf /etc/apache2/conf-available/shibboleth-ds.conf
  3. Enable the Discovery Service page:

    • a2enconf shibboleth-ds.conf
  4. Restart Apache to load the new web site:

    • systemctl restart apache2.service

CentOS

  1. sudo su -
  2. yum install shibboleth-embedded-ds

The package comes from the Shibboleth yum repository you already configured to install the Service Provider; the EDS files and the Apache configuration are installed by the package, so no make install step is needed.

Enable EDS on Shibboleth SP

  1. Update "shibboleth2.xml" so the SP's SessionInitiator sends users to the new Discovery Service page, and enable the DiscoveryFeed handler (the JSON list of IdPs that the EDS reads):

    • vim /etc/shibboleth/shibboleth2.xml

      <SSO discoveryProtocol="SAMLDS" 
           discoveryURL="https://###YOUR.SP.FQDN###/shibboleth-ds/index.html">
         SAML2
      </SSO>
      
      <!-- SAML and local-only logout. -->
      <Logout>SAML2 Local</Logout>
      
      <!-- ...other things ... -->
      
      <!-- JSON feed of discovery information. -->
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
  2. Check that shibd accepts the edited configuration, then restart the "shibd" service:

    • shibd -t
    • systemctl restart shibd.service
  3. Confirm that the feed the EDS will load is served; it lists only the IdPs present in the SP's (filtered) metadata:

    • curl -s https://###YOUR.SP.FQDN###/Shibboleth.sso/DiscoFeed

Configuration

The behaviour of the Shibboleth Embedded Discovery Service is controlled by the IdPSelectUIParms class in idpselect_config.js. In most cases this is the only file you need to modify to change the behaviour of the Discovery Service. this.dataSource must point at the DiscoveryFeed handler enabled above (by default /Shibboleth.sso/DiscoFeed), which is where the EDS gets its list of IdPs.

Make sure to amend this.returnWhiteList to reflect your server name. The EDS redirects the browser only to a return URL that matches one of the regular expressions in that list, and the return URL arrives in the query string of the discovery request, i.e. from whoever built the link. A permissive entry (an unanchored pattern, or one with unescaped dots) therefore turns the discovery page into an open redirector that can send a user who trusts your site to an attacker-chosen page.

Find here the EDS Configuration Options: https://wiki.shibboleth.net/confluence/display/EDS10/3.+Configuration
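As an added example (not code from the EDS or the Shibboleth SP), the following Python reproduces the SAML Discovery Service exchange that the SSO element above sets up, together with the return-URL check that this.returnWhiteList exists for: the SP sends the browser to the discoveryURL with entityID, return and returnIDParam parameters, the EDS validates return against the allow-list and sends the browser back to it with the chosen IdP appended. The pattern test uses Python's re.search, which for patterns of this shape behaves like a JavaScript RegExp test, so it can be used to try out a returnWhiteList entry before pasting it into idpselect_config.js. The hostnames, entityIDs and the deliberately lax pattern are assumptions made for the example.

```python
"""Added example, not part of the EDS or the Shibboleth SP: the SAML Discovery
Service exchange between the SP and the EDS, with the return-URL allow-list
check that this.returnWhiteList in idpselect_config.js exists for.

Assumed (hypothetical) values: SP host sp.example.org and entityID
https://sp.example.org/shibboleth, IdP entityID https://idp.example.edu/idp/shibboleth.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SP_ENTITY_ID = "https://sp.example.org/shibboleth"                  # assumed
DISCOVERY_URL = "https://sp.example.org/shibboleth-ds/index.html"   # discoveryURL in shibboleth2.xml
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"            # assumed

# Same shape as this.returnWhiteList: regular-expression strings. The first is
# anchored and escaped; the second is deliberately lax to show the failure mode.
RETURN_WHITELIST_STRICT = [r"^https:\/\/sp\.example\.org\/Shibboleth\.sso\/Login.*$"]
RETURN_WHITELIST_LAX = [r"sp.example.org/Shibboleth.sso/Login"]


def sp_discovery_request(return_url, is_passive=False):
    """URL the SP's SessionInitiator redirects the browser to (discoveryProtocol="SAMLDS").

    entityID identifies the SP, return is where the DS must send the user back,
    returnIDParam names the query parameter that will carry the chosen IdP.
    """
    params = {"entityID": SP_ENTITY_ID, "return": return_url, "returnIDParam": "entityID"}
    if is_passive:
        params["isPassive"] = "true"
    return DISCOVERY_URL + "?" + urlencode(params)


def return_allowed(return_url, whitelist):
    """True if return_url matches any pattern; search semantics, like JavaScript RegExp.test."""
    return any(re.search(pattern, return_url) for pattern in whitelist)


def ds_response(request_url, chosen_idp, whitelist):
    """Redirect the DS issues after the user picks an IdP.

    The return URL is taken from the request query string, so it is validated
    against the allow-list before being used as a redirect target. Raises
    ValueError where the EDS would display an error instead of redirecting.
    """
    query = parse_qs(urlsplit(request_url).query)
    return_url = query["return"][0]
    if not return_allowed(return_url, whitelist):
        raise ValueError("return URL not in returnWhiteList: " + return_url)
    id_param = query.get("returnIDParam", ["entityID"])[0]
    parts = urlsplit(return_url)
    extra = urlencode({id_param: chosen_idp})
    new_query = parts.query + "&" + extra if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


def open_redirect_demo():
    """Crafted link: the return parameter points off-site but contains the SP's login path.

    Returns (redirect issued under the lax list, error raised under the strict list).
    """
    evil_return = "https://evil.example/phish?next=sp.example.org/Shibboleth.sso/Login"
    request = sp_discovery_request(evil_return)
    lax = ds_response(request, IDP_ENTITY_ID, RETURN_WHITELIST_LAX)   # lands on evil.example
    try:
        ds_response(request, IDP_ENTITY_ID, RETURN_WHITELIST_STRICT)
        strict = None
    except ValueError as err:
        strict = str(err)
    return lax, strict


if __name__ == "__main__":
    legit = sp_discovery_request(
        "https://sp.example.org/Shibboleth.sso/Login?target=https://sp.example.org/secure")
    print(ds_response(legit, IDP_ENTITY_ID, RETURN_WHITELIST_STRICT))
    print(open_redirect_demo())
```

With the anchored pattern the crafted request is refused; with the lax pattern the discovery page redirects the user to evil.example with the IdP entityID appended, exactly the open redirect that a correct returnWhiteList prevents.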

Whitelist - How to allow IdPs to access the federated resource

The filters below are applied by shibd when it loads the federation metadata. An IdP removed by a filter is absent from the SP's metadata, so it disappears from the DiscoFeed (and therefore from the EDS list), and any assertion it issues is rejected because the SP has no trusted key to validate it against. Keep the Signature filter first: the metadata URI is plain http, and the signature check against the federation signing certificate is what gives the document its integrity. RequireValidUntil with maxValidityInterval="864000" (10 days) refuses metadata that carries no validUntil or one more than 10 days in the future, which bounds how long a stale signed copy could be replayed.

How to allow the access to IdPs by specifying their entityID

  1. Modify "shibboleth2.xml":
  • vim /etc/shibboleth/shibboleth2.xml

    <MetadataProvider type="XML"
                      uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                      backingFilePath="idem-metadata-sha256.xml">
       <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
       <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
       <MetadataFilter type="Whitelist">
           <Include>https://entityid.idp1.allowed.it/shibboleth</Include>
           <Include>https://entityid.idp2.allowed.it/shibboleth</Include>
           <Include>https://entityid.idp3.allowed.it/shibboleth</Include>
       </MetadataFilter>
    </MetadataProvider>
  2. Restart "shibd" service:
  • systemctl restart shibd.service

How to allow the access to IdPs that support a specific Entity Category

  1. Modify "shibboleth2.xml". The saml: prefix used by the EntityAttributes matcher must be declared (xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion") on the SPConfig root element or on the filter element itself, otherwise shibd fails to parse the file:
  • vim /etc/shibboleth/shibboleth2.xml

    <MetadataProvider type="XML"
                      uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                      backingFilePath="idem-metadata-sha256.xml">
       <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
       <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
       <MetadataFilter type="Whitelist" matcher="EntityAttributes">
           <saml:Attribute Name="http://macedir.org/entity-category"
                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
           </saml:Attribute>
       </MetadataFilter>
    </MetadataProvider>
  2. Restart "shibd" service:
  • systemctl restart shibd.service

How to allow the access to IdPs that support SIRTFI

  1. Modify "shibboleth2.xml":
  • vim /etc/shibboleth/shibboleth2.xml

    <MetadataProvider type="XML"
                      uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                      backingFilePath="idem-metadata-sha256.xml">
       <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
       <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
       <MetadataFilter type="Whitelist" matcher="EntityAttributes">
           <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurancecertification"
                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
           </saml:Attribute>
       </MetadataFilter>
    </MetadataProvider>
  2. Restart "shibd" service:
  • systemctl restart shibd.service

Blacklist - How to disallow IdPs to access the federated resource

A blacklist removes only the IdPs it names (or those carrying the named entity attribute); every other IdP in the federation metadata, including ones added after you wrote the filter, is admitted by default. Use it when the resource should be open to the federation except for specific exclusions; use a whitelist when the set of permitted IdPs must be closed.

How to disallow the access to IdPs by specifying their entityID

  1. Modify "shibboleth2.xml":
  • vim /etc/shibboleth/shibboleth2.xml

    <MetadataProvider type="XML"
                      uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                      backingFilePath="idem-metadata-sha256.xml">
       <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
       <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
       <MetadataFilter type="Blacklist">
           <Include>https://entityid.idp1.denied.it/shibboleth</Include>
           <Include>https://entityid.idp2.denied.it/shibboleth</Include>
           <Include>https://entityid.idp3.denied.it/shibboleth</Include>
       </MetadataFilter>
    </MetadataProvider>
  2. Restart "shibd" service:
  • systemctl restart shibd.service

How to disallow the access to IdPs that support a specific Entity Category

  1. Modify "shibboleth2.xml":
  • vim /etc/shibboleth/shibboleth2.xml

    <MetadataProvider type="XML"
                      uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                      backingFilePath="idem-metadata-sha256.xml">
       <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
       <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
       <MetadataFilter type="Blacklist" matcher="EntityAttributes">
           <saml:Attribute Name="http://macedir.org/entity-category"
                           NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
               <saml:AttributeValue>https://federation.renater.fr/scope/commercial</saml:AttributeValue>
           </saml:Attribute>
       </MetadataFilter>
    </MetadataProvider>
  2. Restart "shibd" service:
  • systemctl restart shibd.service
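As an added example (not code from the Shibboleth SP), the following Python applies the logic of the Whitelist and Blacklist filters shown in the sections above, both the entityID <Include> lists and the EntityAttributes matcher used for the research-and-scholarship, SIRTFI and commercial-scope cases, plus the RequireValidUntil check, to a metadata document. It lets you see which IdPs would survive a filter (and so appear in the DiscoFeed and the EDS list) before shibd loads it. The metadata document and its entityIDs are constructed for this example; the simplified matcher compares only the attribute Name and value, and the validity check is a model of the filter's rule, not shibd's own code.

```python
"""Added example, not part of the Shibboleth SP: applies the Whitelist/Blacklist
metadata filter logic (by entityID and by EntityAttributes) and the
RequireValidUntil rule to a SAML metadata document, to preview what survives.

The metadata below is constructed for this example; the entityIDs are hypothetical.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurancecertification"
RS = "http://refeds.org/category/research-and-scholarship"
SIRTFI = "https://refeds.org/sirtfi"

# Constructed sample: idp1 has R&S + SIRTFI, idp2 has SIRTFI only, idp3 has no
# entity attributes, and one SP is present to show that filters act on all roles.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp1.example.it/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurancecertification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.it/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurancecertification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp3.example.it/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.it/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_attributes(entity):
    """Map attribute Name -> set of values from md:Extensions/mdattr:EntityAttributes."""
    attrs = {}
    for attribute in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attribute.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attribute.get("Name"), set()).update(values)
    return attrs


def apply_filter(metadata_xml, mode, entity_ids=(), attribute=None, idps_only=False):
    """entityIDs left after a Whitelist ("whitelist") or Blacklist ("blacklist") filter.

    entity_ids mirrors the <Include> list; attribute=(Name, value) mirrors
    matcher="EntityAttributes" (Name and value only in this simplified matcher).
    idps_only keeps entities with an IDPSSODescriptor, i.e. what the DiscoFeed lists.
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    kept = []
    for entity in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", NS):
        entity_id = entity.get("entityID")
        if attribute is not None:
            name, value = attribute
            matches = value in entity_attributes(entity).get(name, set())
        else:
            matches = entity_id in set(entity_ids)
        keep = matches if mode == "whitelist" else not matches
        if keep and (not idps_only or entity.find("md:IDPSSODescriptor", NS) is not None):
            kept.append(entity_id)
    return kept


def _parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def valid_until_ok(metadata_xml, max_validity_interval=864000, now=None):
    """Model of RequireValidUntil: validUntil must be present, not yet passed, and at
    most max_validity_interval seconds (864000 = 10 days in the snippets) ahead.
    now is an ISO timestamp like "2029-12-25T00:00:00Z" or None for the real clock."""
    raw = ET.fromstring(metadata_xml).get("validUntil")
    if raw is None:
        return False
    current = _parse_utc(now) if now else datetime.now(timezone.utc)
    return current <= _parse_utc(raw) <= current + timedelta(seconds=max_validity_interval)


if __name__ == "__main__":
    print("R&S whitelist:", apply_filter(SAMPLE_METADATA, "whitelist", attribute=(ENTITY_CATEGORY, RS)))
    print("SIRTFI blacklist, IdPs:", apply_filter(SAMPLE_METADATA, "blacklist", attribute=(ASSURANCE, SIRTFI), idps_only=True))
    print("validUntil ok:", valid_until_ok(SAMPLE_METADATA, now="2029-12-25T00:00:00Z"))
```

To preview a real federation feed, replace SAMPLE_METADATA with the contents of the backingFilePath file shibd has already verified and saved, and compare the output of apply_filter with idps_only=True against what the DiscoFeed returns after the restart.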

Best Practices to follow to maximize the access to the resource

Authors

Original Author

Credits