SettingUPEmbeddedDiscoveryService.md

File metadata and controls

171 lines (126 loc) · 5.04 KB

Setting up the Embedded Discovery Service (EDS) on the same node as the Jagger installation (Federation Registry).

  1. Install the dependencies needed to work around the libcurl library conflict (credits: Josh L.'s blog). Run:

        apt install liblog4shib1v5 libxerces-c3.2 libxml-security-c17v5 libcurl3
        # Keep a copy of the libcurl3 build under a new name so it survives the switch to libcurl4
        cp /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0 /usr/lib/x86_64-linux-gnu/libcurl3.so.4.5.0
        apt-get install libcurl4
        mkdir ~/temp
        cd ~/temp
        apt-get download libxmltooling7 # Ignore the warnings
        # Repack libxmltooling7 so that its dependency on libcurl3 becomes libcurl4
        ar x libxmltooling7_1.6.4-1ubuntu2.1_amd64.deb
        tar xf control.tar.xz
        sed -i -e 's/libcurl3 (>= 7.16.2)/libcurl4/g' control
        tar -cJvf control.tar.xz control md5sums shlibs triggers
        ar rcs libxmltooling-local.deb debian-binary control.tar.xz data.tar.xz
        dpkg -i libxmltooling-local.deb
        mkdir /etc/systemd/system/shibd.service.d

     Create the following systemd drop-in file so that shibd preloads the retained libcurl3 build:

        vim /etc/systemd/system/shibd.service.d/override.conf

        [Service]
        Environment="LD_PRELOAD=libcurl3.so.4.5.0"
  2. Install Shibboleth SP:

    • apt install libapache2-mod-shib2 libapache2-mod-php

    From this point on, the SP configuration directory is /etc/shibboleth.

  3. Enable the Shibboleth SP for the Embedded Discovery Service over SSL (Let's Encrypt)

    Create a separate virtual host /etc/apache2/sites-available/eds.conf with:

<VirtualHost *:80>
  
        ServerName fds.YOUR-DOMAIN
        ServerAdmin admin[AT]YOUR-DOMAIN
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =fds.YOUR-DOMAIN
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Run:

a2ensite eds
certbot --apache -d fds.YOUR-DOMAIN

and answer certbot's questions as you did for the previous installations.

Edit the certbot-generated /etc/apache2/sites-available/eds-le-ssl.conf so that it reads:

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerName fds.YOUR-DOMAIN
        ServerAdmin admin[AT]YOUR-DOMAIN
        #DocumentRoot /var/www/html
        DocumentRoot /etc/shibboleth-ds

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        #RewriteEngine on
        # Some rewrite rules in this file were disabled on your HTTPS site,
        # because they have the potential to create redirection loops.
        #RewriteCond %{SERVER_NAME} =fds.YOUR-DOMAIN
        #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

        <IfModule mod_alias.c>
          <Location />
            Require all granted
            <IfModule mod_shib.c>
              AuthType shibboleth
              ShibRequestSetting requireSession false
              require shibboleth
            </IfModule>
          </Location>
        </IfModule>

        SSLCertificateFile /etc/letsencrypt/live/fds.YOUR-DOMAIN/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/fds.YOUR-DOMAIN/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
  4. Edit /etc/shibboleth/shibboleth2.xml as follows (only the relevant parts are shown):

...
<ApplicationDefaults entityID="https://fds.YOUR-DOMAIN/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id">
...
<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerSSL="true" cookieProps="https">
...
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://fds.YOUR-DOMAIN/index.html" isDefault="true">
    SAML2
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
...
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
...
<MetadataProvider type="XML" validate="true"
    uri="https://fr.YOUR-DOMAIN/metadata/federation/Your-Federation/metadata.xml"
    backingFilePath="federation-metadata.xml" legacyOrgNames="true" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>
  5. Enable the Shibboleth Apache2 module and restart the services:

a2enmod shib2
systemctl reload apache2.service
systemctl restart shibd
  6. Install the Shibboleth EDS:

cd /usr/local/src
wget https://shibboleth.net/downloads/embedded-discovery-service/1.2.1/shibboleth-embedded-ds-1.2.1.tar.gz -O shibboleth-eds.tar.gz
tar xzf shibboleth-eds.tar.gz
cd shibboleth-embedded-ds-1.2.1
sudo apt install make ; make install
systemctl reload apache2.service
systemctl restart shibd
  7. You can now reach your Shibboleth SP metadata at:

    https://fds.YOUR-DOMAIN/Shibboleth.sso/Metadata (replace fds.YOUR-DOMAIN with your SP's fully qualified domain name)

Registering the EDS with the NREN Federation

Log in to the federation web portal to register the EDS as a service provider, then wait until the federation admin accepts your submission.

Temporarily enabling the EDS test GUI

Edit /etc/shibboleth-ds/idpselect_config.js and set:

this.testGUI = true;

You may disable this again once testing is done.