Configuring a web service for Shibboleth login
If your web service already has built-in SAML2/Shibboleth support, please configure it according to the service manufacturer's specifications.
If your web service does not have Shibboleth support, you can still set it up in most cases. In this case, a module is installed on your web server that creates an environment variable (REMOTE_USER) visible to your web application. This contains the username of the person who logged in. Many services support the use of REMOTE_USER. If other user properties are required, these can also be transmitted.
Configuring the service
The following assumes that your application is delivered by an Apache server.
You need mod_shib for Apache. On Debian, SLES 12 and SLES 15 it is available from the distribution's own package repositories. For Ubuntu, the packages in the distribution are often outdated, but there are other sources for updated packages. You can also compile the module yourself.
The configuration files for mod_shib are located at /etc/shibboleth.
- If necessary, generate a key pair for your service.
cat <<EOT >> sp-cert.cnf
[req]
default_bits=3072
default_md=sha256
encrypt_key=no
distinguished_name=dn
string_mask=MASK:0002
prompt=no
x509_extensions=ext
[dn]
CN=$(hostname)
[ext]
certificatePolicies = 2.23.140.1.2.2
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier=hash
subjectAltName=DNS:$(hostname)
EOT
openssl req -new -x509 -config sp-cert.cnf -out /etc/ssl/certs/sp-signing-cert.pem -keyout /etc/ssl/private/sp-signing-key.pem -days 1095
- Edit shibboleth2.xml and enter your service's entityID in the entityID attribute of the ApplicationDefaults node.
- In the SSO node, enter https://login.uni-hamburg.de/idp/shibboleth as the entityID.
- Create a MetadataProvider node as follows:
<MetadataProvider type="XML" validate="true" url="https://shibboleth.rrz.uni-hamburg.de/entities/idp.xml?slot=1" backingFilePath="idp.xml" maxRefreshDelay="1800">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="/etc/ssl/certs/shibboleth.pem" verifyBackup="false"/>
</MetadataProvider>
- Create the file /etc/ssl/certs/shibboleth.pem and fill it with the content from the “Technical details” section.
- Configure the CredentialResolver as follows:
<CredentialResolver type="File" use="signing" key="/etc/ssl/private/sp-signing-key.pem" certificate="/etc/ssl/certs/sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption" key="/etc/ssl/private/sp-signing-key.pem" certificate="/etc/ssl/certs/sp-signing-cert.pem"/>
- Restart the shibd daemon and Apache.
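Before restarting, it is worth checking that shibboleth2.xml actually carries the settings from the steps above (your own entityID, the RRZ IdP as SSO target, signed metadata with a validity limit, and both credential resolvers). The following linter is an added example and not part of the RRZ instructions; the SP 3.x config namespace, the stock placeholder entityID and the embedded sample config are assumptions.

```python
# Added check (not part of the RRZ instructions): lint a shibboleth2.xml for the
# settings the configuration steps require. Namespace, placeholder entityID and
# the sample config below are assumptions, not values taken from the page.
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:3.0:native:sp:config"}   # assumed SP 3.x namespace
IDP_ENTITY_ID = "https://login.uni-hamburg.de/idp/shibboleth"
PLACEHOLDER_ENTITY_ID = "https://sp.example.org/shibboleth"  # assumed stock default

# Constructed sample, trimmed to the nodes the steps above touch.
SAMPLE_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://myservice.example.org/shibboleth">
    <Sessions lifetime="28800">
      <SSO entityID="https://login.uni-hamburg.de/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true"
        url="https://shibboleth.rrz.uni-hamburg.de/entities/idp.xml?slot=1"
        backingFilePath="idp.xml" maxRefreshDelay="1800">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="/etc/ssl/certs/shibboleth.pem"
          verifyBackup="false"/>
    </MetadataProvider>
    <CredentialResolver type="File" use="signing"
        key="/etc/ssl/private/sp-signing-key.pem" certificate="/etc/ssl/certs/sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
        key="/etc/ssl/private/sp-signing-key.pem" certificate="/etc/ssl/certs/sp-signing-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>"""


def lint_sp_config(xml_text):
    """Return a list of findings; an empty list means every checked setting is present."""
    app = ET.fromstring(xml_text).find("c:ApplicationDefaults", NS)
    if app is None:
        return ["no ApplicationDefaults node"]
    findings = []
    entity = app.get("entityID", "")
    if not entity or entity == PLACEHOLDER_ENTITY_ID:
        findings.append("ApplicationDefaults entityID is unset or still the stock placeholder")
    sso = app.find(".//c:SSO", NS)
    if sso is None or sso.get("entityID") != IDP_ENTITY_ID:
        findings.append("SSO entityID does not name the RRZ IdP")
    providers = app.findall(".//c:MetadataProvider", NS)
    if not providers:
        findings.append("no MetadataProvider: the SP has no IdP metadata to verify against")
    for mp in providers:
        filters = {f.get("type"): f for f in mp.findall("c:MetadataFilter", NS)}
        sig = filters.get("Signature")
        if sig is None or not sig.get("certificate"):
            findings.append("MetadataProvider has no Signature filter with a certificate")
        if "RequireValidUntil" not in filters:
            findings.append("MetadataProvider has no RequireValidUntil filter")
    for use in ("signing", "encryption"):   # both resolvers from the steps above
        if app.find(f"c:CredentialResolver[@use='{use}']", NS) is None:
            findings.append(f"no CredentialResolver with use={use}")
    return findings
```

Run it against your real file with `lint_sp_config(open("/etc/shibboleth/shibboleth2.xml").read())`; an empty list means the checked settings are in place.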
Customize metadata
- Log in at https://shibboleth.rrz.uni-hamburg.de/ with your user ID.
- Click on “edit” next to the entityID of your service.
- Enter the URL of your service provider metadata under “Load metadata from url” and click on “fetch metadata”.
- Fill in the “Contacts” section (all contact types must be specified).
- Under AttributeConsumingServices, select all the attributes you need with the setting required=true.
- In the “Common data” section, check the “Active” checkbox.
- Click on “Update entity”.