Shibboleth Service Provider Installation and Configuration

This site provides localized instructions to install and configure the Shibboleth service provider.

1. Install the SP software

First step is to get the Shibboleth Service Provider (SP) software running. Installation instructions can be found at:

https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

The above site contains complete installation instructions for Linux and Windows platform servers. Get the SP software installed up to the point where the following URL works from your SP server:

https://localhost/Shibboleth.sso/Status

Notes:

  • SELinux should be disabled or in permissive mode unless you know what you are doing.
  • NTP or some other time synchronization mechanism must be operating.
  • To add using yum, create a file in /etc/yum.repos.d such as shib-sp.repo. Copy the repo file from the desired repository (see the above site for a selection). Then, ‘yum install shibboleth’ .

2. Configuration of shibboleth2.xml

Note that the following instructions will guide you to configure your SP for the production shib environment at U of T. If you have non-standard configuration, send email to shib.admin@utoronto.ca.

shibboleth.xml is the primary configuration file for the Shibboleth SP.

All filesystem path references below are in UNIX form, for Windows OS, please alter as appropriate.

a) entityID
located in: <ApplicationDefaults>
format: https://sp.department_domain.utoronto.ca/unique_identifier
example: https://sp.math.utoronto.ca/calculus_tutorial

The entityID uniquely identifies the SP. It is in URL form and should be chosen with the expectation that it may eventually be used as a resolvable DNS name but does not need to be resolvable now. The domain name portion of the entityID is not required be the same as the DNS hostname of the SP. It is very important that the entityID not change over the lifetime of the service since it’s value is used in the derivation of long-term persistent user identifiers.

b) Session Initiation (pointing to an IdP)

This configuration is used by the SP to determine what to do when there is no established session for the user eg. user authentication is required. It contains the name of the U of T Identity Provider (IdP) that will be used to establish a session with the user.

Add the following configuration under the <Sessions> object:

<!– Default SessionInititator directs to

idpz.utorauth.utoronto.ca (the production IdP) –>

<SSO entityID=”https://idpz.utorauth.utoronto.ca/shibboleth”>

SAML2

</SSO>

c) Metadata Configuration

This configuration is used by the SP to locate the SAML metadata which is the collection of shared configuration and security information used by all participants to create and process authentication and authorization information. Add the following configuration under the <MetadataProvider> object, comment out all other nested <MetadataProvider> blocks:

<!– UofT Federation Metadata – served from sites.utoronto.ca –> <MetadataProvider type=”XML” url=”https://sites.utoronto.ca/security/UToronto_SAML_Metadata.xml” backingFilePath=”/etc/shibboleth/UToronto_SAML_Metadata.xml” reloadInterval=”3600″>

<MetadataFilter type=”RequireValidUntil” maxValidityInterval=”5184000″/>

<MetadataFilter type=”Signature” verifyName=”false” certificate=”/etc/shibboleth/utorauth_metadata_verify.crt”/>

</MetadataProvider>

d) Metadata Verification Certificate

Download the following certificate from here:

http://sites.utoronto.ca/security/projects/utorauth_metadata_verify.crt

and store it at the path:

/etc/shibboleth/utorauth_metadata_verify.crt

e) New features in shibboleth version 3

Please refer to this documentation about how to implement multi-factor authentication login flow and define the customized session length:

https://isea.utoronto.ca/shibboleth-migration-new-features-and-potential-impact/

f) Completion

Metadata for the SP site needs to be created and installed in the internal federation file (specified in the MetadataProvider element above). You must submit the following information to the shibboleth operations team for this purpose:

    1. entityID
    2. Fully-qualified domain name of this service provider.
    3. The self-signed X.509 certificate automatically generated during the shibboleth software install (usually /etc/shibboleth/sp-cert.pem) .

You can submit this using the webform on the following site:

https://auth-admin.utoronto.ca/shib/app/sp-request

g) Troubleshooting

See the following site for tips to solve problems:

http://sites.utoronto.ca/security/projects/sp-troubleshoot.htm