Shibboleth setup.. So close but can use some help..

Garry Boyce gboyce at cambridgesemantics.com
Fri Sep 23 19:36:24 BST 2011


Oh.. I should also mention that from an SP perspective:
shibboleth.i386      2.4.3-2.2    installed
shibboleth.x86_64    2.4.3-2.2    installed

and
https://spaces.internet2.edu/display/InCCollaborate/Shibboleth+Discovery+Config
says in 2.4 I use SSO instead of SessionInitiator, which I have done.
It looks like:

    <SSO entityID="https://csisupport.cambridgesemantics.com/idp/shibboleth"
         discoveryProtocol="SAMLDS"
         discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
      SAML2 SAML1
    </SSO>

That document also says:
You MUST also ensure that you have added SAML V2.0 endpoints and support to
your metadata if your SP is configured to utilize SAML V2.0 (which it is by
default). Failure to do so will result in errors when SAML V2.0 requests are
issued by the SP to IdPs in the InCommon Federation that support SAML V2.0,
because your metadata will indicate a lack of support for that protocol.
Simply add an <AssertionConsumerService> endpoint for at least the SAML
V2.0 HTTP-POST Binding using the site admin web application.

But it is not clear what to do about that other than what I've already
done..
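As an added example (not from the thread or from the Shibboleth project), the two things the quoted wiki text and the <SSO> element depend on can be checked mechanically before going further: that the SP's metadata actually advertises a SAML 2.0 HTTP-POST AssertionConsumerService, and that the entityID in the <SSO> element names an entity present in the IdP metadata the SP loads. The metadata, the <SSO> fragment and the example.org entity IDs below are constructed placeholders, not the poster's files.

```python
# Added example (not from the thread): checks the two things the quoted wiki
# text asks for, on constructed sample files with placeholder example.org names.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata advertising only a SAML 1 endpoint: the SP speaks
# SAML2 by default, so SAML2-capable IdPs will see a protocol mismatch.
SP_METADATA_SAML1_ONLY = """<EntityDescriptor xmlns="%s" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>""" % MD

# Same SP with the SAML 2.0 HTTP-POST AssertionConsumerService added.
SP_METADATA_WITH_SAML2 = """<EntityDescriptor xmlns="%s" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <AssertionConsumerService index="1" Binding="%s"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>""" % (MD, SAML2_POST)

# Constructed <SSO> element (as in shibboleth2.xml) and the IdP metadata the SP loads.
SHIBBOLETH2_SSO = """<SSO entityID="https://idp.example.org/idp/shibboleth"
    discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
  SAML2 SAML1
</SSO>"""
IDP_METADATA = """<EntityDescriptor xmlns="%s" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>""" % MD

def acs_bindings(sp_metadata_xml):
    """Set of AssertionConsumerService bindings the SP metadata advertises."""
    root = ET.fromstring(sp_metadata_xml)
    path = ".//{%s}SPSSODescriptor/{%s}AssertionConsumerService" % (MD, MD)
    return {acs.get("Binding") for acs in root.iterfind(path)}

def supports_saml2_post(sp_metadata_xml):
    """True only if a SAML 2.0 HTTP-POST endpoint is present in the metadata."""
    return SAML2_POST in acs_bindings(sp_metadata_xml)

def sso_entity_in_idp_metadata(sso_xml, idp_metadata_xml):
    """True if the <SSO entityID> names an EntityDescriptor in the IdP metadata."""
    wanted = ET.fromstring(sso_xml).get("entityID")
    idp = ET.fromstring(idp_metadata_xml)
    return wanted in {e.get("entityID") for e in idp.iter("{%s}EntityDescriptor" % MD)}
```

Point the two functions at the real sp-metadata.xml, idp-metadata.xml and the <SSO> element from shibboleth2.xml to see which of the two conditions is failing.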


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On
Behalf Of Garry Boyce
Sent: Friday, September 23, 2011 2:22 PM
To: 'Shib Users'
Subject: RE: Shibboleth setup.. So close but can use some help..

Peter, I agree in concept; however, what I needed was a step-by-step for a
simple installation of an IdP and SP on the same box. I could not find that
in the official documentation. Did I miss something?

I used version shibboleth-identityprovider-2.3.3

Looking at official documentation

1) Install went ok and I get an ok from
https://csisupport.cambridgesemantics.com/idp/profile/Status

2) In relying-party.xml, where the metadata is configured, I have a Filesystem
Metadata Provider as referenced here
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider

    <metadata:MetadataProvider xsi:type="FilesystemMetadataProvider"
        xmlns="urn:mace:shibboleth:2.0:metadata" id="SPMETADATA"
        metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml" />

3) As referenced here
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass, I have
ShibUserPassAuth configured correctly and it is authenticating to LDAP.

4) For the SP, as referenced at
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddIdP, I added

    <MetadataProvider type="XML" file="idp-metadata.xml"/>

and the entity ID is the same as the IdP's.

For the SP I get XML output from /Shibboleth.sso/Status.

5) https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddIdP also
references a SessionInitiator, which I don't see in shibboleth2.xml, and it's
not clear for my simple case what I need here.

I tried copying the SessionInitiator (changing the entity ID) from
example-shibboleth2.xml, but that also made no difference.

The prior instructions I was following also refer to a RequestMap, which I
don't see how or whether I should configure.

Just in case (but it made no difference) I put in:

    <RequestMapper type="Native">
        <RequestMap>
            <!--
            The example requires a session for documents in /secure on the
            containing host with http and https on the default ports. Note that
            the name and port in the <Host> elements MUST match Apache's
            ServerName and Port directives or the IIS Site name in the <ISAPI>
            element above.
            -->
            <Host name="csisupport.cambridgesemantics.com">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
            <!-- Example of a second vhost mapped to a different applicationId. -->
            <!--
            oleth" requireSession="true"/>
            -->
        </RequestMap>
    </RequestMapper>


I'm really stuck. Please help..

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On
Behalf Of Peter Schober
Sent: Friday, September 23, 2011 12:47 PM
To: users at shibboleth.net
Subject: Re: Shibboleth setup.. So close but can use some help..

Jfyi:

* Garry Boyce <gboyce at cambridgesemantics.com> [2011-09-23 18:07]:
> I was following:
> 
> http://csrdu.org/blog/2011/07/04/shibboleth-idp-sp-installation-configuration

Then you installed a version of the IdP with a known security issue, cf.
http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

Also, some of the installation choices made in that blog post are rather
erratic, IMHO (installing the JVM and Tomcat to /usr/local/src, creating a
symlink for the IdP's log files and later overwriting it by installing the SP,
which owns that same directory, incorrect filesystem paths, etc.), and some
statements are flat-out wrong, but that's for the author to correct and keep up
to date, of course.

So generally it's advisable to use the official documentation maintained by
the project and community, and to ask questions about anything that's
unclear, so that the documentation can be improved.
-peter
--
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net