ShibbolethSP

From Guild TV

Shibboleth is a Single Sign On (SSO) system used by the university to authenticate users on multiple systems without exposing their personal data unnecessarily. As part of the motion that was passed by Guild Council, Guild TV must use Shibboleth to ensure that only students of the University of Birmingham have access to the live streams of Guild Council.

Distro and optional programs used

These instructions were written for Ubuntu Server 12.04.1 running on Amazon EC2, but should easily be translatable to other Linux distributions. Amazon Linux on EC2 required manual compilation of the code, which takes a long time (and didn't work when I tried it). Apache 2.2 was used as the web server with PHP, although nginx or others should be possible without much difficulty. You will need root access to the server.

Webserver Setup

Start off by installing the webserver of your choice. For Apache on Ubuntu, this can be done by running

sudo tasksel install lamp-server

Then install shibboleth-sp

sudo apt-get install shibboleth-sp2-schemas opensaml2-tools

If Apache is being used, install

sudo apt-get install libapache2-mod-shib2

otherwise there should be a package relevant to your webserver.

We need to enable the required modules in Apache (the rewrite module is used later for the http to https redirect).

sudo a2enmod shib2
sudo a2enmod ssl
sudo a2enmod rewrite

Make sure that both port 80 and 443 (http and https) are allowed through any firewalls to the server.

Setup Shibboleth

Setup new domain

I shall be demonstrating with the name shib.example.com, and I shall be assuming that https is desired.

We start off by generating a new certificate for communication with the Identity Provider (IdP).

cd /etc/shibboleth
sudo shib-keygen -h shib.example.com

Now we need to configure Shibboleth before we get the IdP to import our metadata. We start by copying the example shibboleth2.xml to /etc/shibboleth/. Then we need to edit the entityID attribute of the ApplicationDefaults element to match our new domain name. You may also want to update the supportContact email address further down the file.

You also need to copy the metadata file for the IdP. It can be found here and should be saved as /etc/shibboleth/idp-meta.xml.

This is the step that will probably take the longest: we need the IdP to import our metadata, which can be found at https://shib.example.com/Shibboleth.sso/Metadata

Once our metadata has been imported, we need to test the setup. We can test it with some sample website code: import it to the root of the website, then go to https://shib.example.com/secure/

You should get sent to a login page. Once logged in, it should send you back to your domain. If this works, then we have almost finished.

You may now need to stop access to the website over plain http. A simple redirect to the https site will suffice.

You should now have a fully functioning Shibboleth setup; next we shall secure your website.

Setup existing domain

To configure Shibboleth for an existing domain on a new server is fairly simple, assuming we have all the configuration files and keys from before. For https://live.guildtv.co.uk the files should be available in the Guild TV Dropbox.

The simplest method is to extract the archive to the root of the filesystem. This will put all the config files in the original locations that they were in at the time of writing. This will only work if using Ubuntu, other distros will require the files to be placed in the appropriate locations.

WARNING: this will destroy any existing websites being hosted on this server.

We need to run the following commands to enable the https site:

sudo a2ensite default-ssl
sudo service apache2 restart

The SSL certificate will probably have expired, so that may need renewing. It is stored in /etc/ssl/apache, and referenced in /etc/apache2/sites-available/default-ssl.

You should now have a fully functioning Shibboleth setup; next we shall secure your website.

Securing a website with Shibboleth

If we are using Apache, securing a folder with Shibboleth is very easy: simply copy this .htaccess file to the folder you want to secure (you may need to merge it with your existing file).

If you are using another webserver, you will have to look up how to enable authentication yourself.
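As an added example (not the wiki's own .htaccess file nor a Shibboleth project file), here is an Apache 2.2 configuration covering both the http to https redirect mentioned under "Setup new domain" and the protected folder described above. It assumes the demo name shib.example.com and the /secure path used on this page; ATTRIBUTE and VALUE in the last part are placeholders, not real attribute names.

```apache
# Added example, not the wiki's file. Two parts for two places in the
# Apache 2.2 config; the comments say where each part goes.

# Part 1: replaces the plain-http VirtualHost in sites-available/default.
# Redirecting here (server context) runs before any auth check, so a
# Shibboleth session is never started, and its cookie never sent, over
# plain http. The target host is hard-coded rather than taken from the
# client's Host header so the redirect cannot be pointed elsewhere.
<VirtualHost *:80>
    ServerName shib.example.com
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://shib.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Part 2: goes inside the *:443 VirtualHost in sites-available/default-ssl.
# The same three directives can live in /var/www/secure/.htaccess instead,
# but then the enclosing <Directory> needs "AllowOverride AuthConfig" or
# Apache silently ignores the file and the folder stays open.
<Location /secure>
    # Hand authentication to mod_shib and insist on an SSO session before
    # anything under /secure is served.
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Any account the IdP will authenticate is accepted.
    Require valid-user
    # Tighter alternative: accept only users carrying a released attribute
    # value. ATTRIBUTE/VALUE are placeholders; the attribute must be mapped
    # in /etc/shibboleth/attribute-map.xml and actually released by the
    # IdP, otherwise everyone is denied.
    # Require shib-attr ATTRIBUTE VALUE
</Location>
```

After editing, run `sudo apache2ctl configtest` before restarting, and confirm that http://shib.example.com/secure/ answers with a 301 to https rather than with a redirect to the IdP.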