Configuration for protecting the root directory

 Detailed information

  • Save the certificate and the generated private key (see Requesting a Server Certificate) on the server and note their location.
  • Edit /etc/shibboleth/shibboleth2.xml:
    • Replace the opening SPConfig tag with the following code to declare the mdui namespace (it is needed for the UIInfo elements further down):

      <SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
          clockSkew="180">

    • Set the entityID in ApplicationDefaults to define the ID of the Service Provider (the URL of the protected application):

      <ApplicationDefaults id="default" policyId="default" entityID="https://sp.example.com"

    • In the Sessions node set handlerSSL="true" and cookieProps="https", so that the handlers are only reachable over TLS and the session cookie is only sent over HTTPS. checkAddress can optionally be set to true; it then requires the client IP address to stay the same as at login (this can cause problems behind proxies).

      <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact">

    • Replace the SSO element with the following code to set the entityID of the Identity Provider and to allow only SAML2:

      <SSO entityID="https://login.rz.rwth-aachen.de/shibboleth"> SAML2 </SSO>

    • Replace the line <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> with the following code to add information about your Service Provider to the generated metadata:

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
          <mdui:UIInfo>
              <mdui:DisplayName xml:lang="de">Beispiel SP</mdui:DisplayName>
              <mdui:DisplayName xml:lang="en">Example SP</mdui:DisplayName>
              <mdui:Description xml:lang="de">Eine Beschreibung für den SP</mdui:Description>
              <mdui:Description xml:lang="en">A description for the SP</mdui:Description>
          </mdui:UIInfo>
          <md:Organization>
              <md:OrganizationName xml:lang="de">RWTH Aachen University</md:OrganizationName>
              <md:OrganizationName xml:lang="en">RWTH Aachen University</md:OrganizationName>
              <md:OrganizationDisplayName xml:lang="de">RWTH Aachen University</md:OrganizationDisplayName>
              <md:OrganizationDisplayName xml:lang="en">RWTH Aachen University</md:OrganizationDisplayName>
              <md:OrganizationURL xml:lang="de">http://www.rwth-aachen.de</md:OrganizationURL>
              <md:OrganizationURL xml:lang="en">http://www.rwth-aachen.de</md:OrganizationURL>
          </md:Organization>
          <md:ContactPerson contactType="support">
              <md:GivenName>Support</md:GivenName>
              <md:SurName>Adresse</md:SurName>
              <md:EmailAddress>support@sp.example.com</md:EmailAddress>
          </md:ContactPerson>
          <md:ContactPerson contactType="technical">
              <md:GivenName>Technischer</md:GivenName>
              <md:SurName>Ansprechpartner</md:SurName>
              <md:EmailAddress>technik@sp.example.com</md:EmailAddress>
          </md:ContactPerson>
          <md:ContactPerson contactType="administrative">
              <md:GivenName>Administrativer</md:GivenName>
              <md:SurName>Ansprechpartner</md:SurName>
              <md:EmailAddress>admin@sp.example.com</md:EmailAddress>
          </md:ContactPerson>
      </Handler>

    • Register the MetadataProvider that fetches the metadata of the RWTH Aachen University Identity Provider. The Signature filter verifies the signature of the downloaded metadata against the certificate of sso.rwth-aachen.de, which must be saved as /path/to/sso.pem; without this filter a tampered metadata file would be accepted:

      <!-- RWTH Aachen metadata -->
      <MetadataProvider type="XML" url="https://sso.rwth-aachen.de/metadata/rwth.metadata.xml" backingFilePath="rwth.metadata.xml" maxRefreshDelay="7200">
          <MetadataFilter type="Signature" certificate="/path/to/sso.pem"/>
      </MetadataProvider>

    • Register the certificate and the private key in the CredentialResolver to enable encryption and decryption of SAML data (the certificate is published in the SP metadata, the private key must stay readable only by the shibd user):

      <CredentialResolver type="File" key="/Pfad/zum/Private/Key.pem" certificate="/path/to/certificate.pem"/>

    • Check that the configuration can be loaded:

      shibd -t

      On RHEL-based systems (CentOS etc.) LD_LIBRARY_PATH must be extended first:

      export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/shibboleth/lib64/

    • Restart the Shibboleth Service Provider:

      systemctl restart shibd
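      As an added example (not part of this page or of the Shibboleth project), the following Python script parses a shibboleth2.xml and reports the settings that deviate from the hardened values of the steps above: https entityID, handlerSSL and cookieProps, SAML2 only, a Signature MetadataFilter on every remote MetadataProvider and a CredentialResolver. The embedded configuration is constructed for the demonstration; the element names are those of the SP 3 configuration namespace.

```python
import xml.etree.ElementTree as ET

# Namespace of the Shibboleth SP 3 configuration (the default namespace of SPConfig).
SP = "{urn:mace:shibboleth:3.0:native:sp:config}"

# Constructed sample (not the RWTH file): several settings were left at values
# the steps above tell you to change.
WEAK_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults id="default" policyId="default" entityID="http://sp.example.com">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false"
              handlerSSL="false" cookieProps="http" redirectLimit="exact">
      <SSO entityID="https://login.rz.rwth-aachen.de/shibboleth"> SAML2 SAML1 </SSO>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    </Sessions>
    <MetadataProvider type="XML" url="https://sso.rwth-aachen.de/metadata/rwth.metadata.xml"
                      backingFilePath="rwth.metadata.xml" maxRefreshDelay="7200"/>
  </ApplicationDefaults>
</SPConfig>
"""

def check_sp_config(xml_text):
    """Return the settings that deviate from the hardened values; [] means all checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find(SP + "ApplicationDefaults")
    if app is None or not app.get("entityID", "").startswith("https://"):
        findings.append("ApplicationDefaults: entityID must be the https URL of the application")
    for sessions in root.iter(SP + "Sessions"):
        if sessions.get("handlerSSL") != "true":
            findings.append("Sessions: handlerSSL must be true (handlers reachable only over TLS)")
        # cookieProps may carry further flags after a semicolon, e.g. "https; SameSite=None"
        if sessions.get("cookieProps", "").split(";")[0].strip() != "https":
            findings.append("Sessions: cookieProps must be https (session cookie marked Secure)")
    for sso in root.iter(SP + "SSO"):
        protocols = set((sso.text or "").split())
        if protocols != {"SAML2"}:
            findings.append("SSO: only SAML2 may be listed, found %s" % sorted(protocols))
        if not sso.get("entityID"):
            findings.append("SSO: entityID of the Identity Provider is missing")
    for mp in root.iter(SP + "MetadataProvider"):
        filters = mp.findall(SP + "MetadataFilter")
        if mp.get("url") and not any(f.get("type") == "Signature" for f in filters):
            findings.append("MetadataProvider %s: no Signature MetadataFilter" % mp.get("url"))
    if root.find(".//" + SP + "CredentialResolver") is None:
        findings.append("CredentialResolver with key and certificate is missing")
    return findings

if __name__ == "__main__":
    for line in check_sp_config(WEAK_CONFIG) or ["OK: all hardened values present"]:
        print(line)
```

      Run it against the real file with check_sp_config(open("/etc/shibboleth/shibboleth2.xml").read()) after shibd -t has confirmed that the file parses.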


 Additional information

  • An example of a setup for protecting the root directory can be found here.

last changed on 29.01.2021
