Difference: CASShibInstallation (1 vs. 11)

Revision 112012-07-13 - DiegoMichelotto

Line: 1 to 1

META TOPICPARENT	name="AdministrationGuide"

Line: 235 to 235

Now we use login link for authentication with INFN AAI.

Added:

>
>

1 Stop Start Restart service

1.1 Stop service

For stop the service launch these commands:

   # service shibd stop
   # service httpd stop
   # service tomcat stop

1.2 Start service

For start the service launch these commands:

   # service shibd start
   # service httpd start
   # service tomcat start

1.3 Restart service

For restart the service launch these commands:

   # service shibd restart
   # service httpd restart
   # service tomcat stop
   # service tomcat start

1.4 Logs

The log that can help you are:

/var/log/shibboleth/shibd.log
/opt/tomcat/logs/catalina.out

References

CASShib: http://code.google.com/p/casshib/

Revision 102012-05-11 - TWikiAdminUser

Line: 1 to 1

META TOPICPARENT	name="AdministrationGuide"

Line: 6 to 6

Added:

>
>

Overall architecture:

1 Service Provider

1.1 Install SP

Line: 238 to 242

-- Diego Michelotto - 11 Nov 2011

META FILEATTACHMENT	attachment="CAS_configuration.png" attr="" comment="CAS configuration" date="1321366658" name="CAS_configuration.png" path="CAS_configuration.png" size="37746" user="DiegoMichelotto" version="1"

Added:

>
>

META FILEATTACHMENT	attachment="auth-casshib.jpg" attr="" comment="" date="1336720847" name="auth-casshib.jpg" path="auth-casshib.jpg" size="82459" user="BaseUserMapping_333" version="1"

Revision 92012-05-08 - TWikiAdminUser

Line: 1 to 1

Changed:

<
<

META TOPICPARENT	name="InstallationGuide"

>
>

META TOPICPARENT	name="AdministrationGuide"

Installation and configuration of CASShib

Revision 82011-12-13 - DiegoMichelotto

Line: 1 to 1

META TOPICPARENT	name="InstallationGuide"

Revision 72011-11-28 - DiegoMichelotto

Line: 1 to 1

META TOPICPARENT	name="InstallationGuide"

Changed:

<
<

Installtion and configuration of CASShib

>
>

Installation and configuration of CASShib

Revision 62011-11-16 - DiegoMichelotto

Line: 1 to 1

META TOPICPARENT	name="InstallationGuide"

Line: 8 to 8

1 Service Provider

Changed:

<
<

0.1 Installa SP

>
>

0.1 Install SP

For the shibboleth installation we use the package manager YUM and we install the software and we start the server.

Revision 52011-11-15 - DiegoMichelotto

Line: 1 to 1

META TOPICPARENT	name="InstallationGuide"

Line: 10 to 10

0.1 Installa SP

Changed:

<
< For the shibboleth installation you can use the package manager YUM and install the software.

>
> For the shibboleth installation we use the package manager YUM and we install the software and we start the server.

 $ yum install shibboleth

Deleted:

<
<

After installation you have to start the server

$ service shibd start

0.1 Configure SP

Changed:

<
< For configuration you have to move in /etc/shibboleth directory.

>
> For configuration we change directory to /etc/shibboleth.

Changed:

<
< If you want that SP support CASShib you must configure the shibboleth2.xml file. Each service needs to have its own protected Shibboleth address for CAS validation. For mapping URLs with services you must add this rows in the shibboleth configuration file.

>
> We edit shibboleth2.xml file for configure the SP to support CASShib. Each service needs to have its own protected Shibboleth address for CAS validation. For mapping URLs with services we add these rows in the shibboleth configuration file.

<RequestMapper type="Native">

Line: 41 to 36

Changed:

<
< After this, you have to configure the section with fake service. This means that if the request doesn't correspond to the regular expressions return an error page. For configuring the registrated services you have to add these lines at the end of shibboleth2.xml file.

>
> After this, we configure the section with fake service. This means that if the request doesn't correspond to the regular expressions return an error page. For configuring the registrated services we add these lines at the end of shibboleth2.xml file.

<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1" homeURL="https://halfback . cnaf . infn . it/app1/" REMOTE_USER="shibattr-mail">

Line: 67 to 62

These rows configure the SP for query the IGI IDP with app1 service and INFN AAI with app2 service. The attribute REMOTE_USER is used to specify which IDP's attributes will be used for the authentication process in the portal.

Changed:

<
< Now we have to configure the attribute-map.xml file for defining the attribute used by shibboleth adding the following rows:

>
> Now we configure the attribute-map.xml file for defining the attribute used by shibboleth adding the following rows:

<afp:AttributeRule attributeID="shibattr&#8722;eppn">

Line: 95 to 90

1 Apache server

Changed:

<
< For a secure communication you need to install the apache server which acts as a front-end.

>
> For a secure communication we need to install the apache server which acts as a front-end.

0.1 Install Apache

Changed:

<
< Use the package manager for install software.

>
> We use the package manager for install software.

 $ yum install httpd

Line: 117 to 112

Include /etc/shibboleth/apache22.config

Changed:

<
< Then we have to comment all the rows of apache22.config. Now configure Apache to use SSL. Edit the ssl.conf file in the Apache directory and in the default:443> section add this rows.

>
> Then we have to comment all the rows of apache22.config. Now we configure Apache to use SSL module. We edit the ssl.conf file in the Apache directory and in the default:443> section we add these rows.

UseCanonicalName On

Line: 147 to 142

ProxyPassReverse /app1/ http://halfback.cnaf.infn.it:8585/app1/

Changed:

<
< Create the httpd-jk-mount.conf file in the same folder and add this rows.

>
> We create the httpd-jk-mount.conf file in the same folder and add these rows.

<IfModule jk_module>

Line: 157 to 152

</IfModule >

Changed:

<
< Create the httpd-jk- init.conf file in the same folder which have this rows.

>
> We create the httpd-jk- init.conf file in the same folder which have these rows.

LoadModule jk_module modules/mod_jk.so

Line: 170 to 165

</IfModule >

Changed:

<
< Create the worker.properties file in the same directory and add this rows.

>
> We create the worker.properties file in the same directory and we add these rows.

worker.list=worker1

Line: 179 to 174

worker.worker1.port=8017

Changed:

<
< Now restart the Apache server.

>
> Now we restart the Apache server for apply the changes.

 $ service httpd restart

Line: 187 to 182

1 Tomcat server

Changed:

<
< CASShib is a webapp and need a tomcat server. For server installation use package manager to install Tomcat server.

>
> CASShib is a webapp and need a tomcat server. We install the server using the package manager.

 $ yum install tomcat6

Changed:

<
< Modify this rows in the server.xml file for configure Tomcat server.

>
> We modify these rows in the server.xml file for configure Tomcat server.

<Connector port ="8585" protocol ="HTTP/1.1" connectionTimeout ="20000" />

Line: 209 to 204

1 CASShib

Changed:

<
< For install CASShib deploy in Tomcat the war file downloaded from http://code.google.com/p/casshib/downloads/list . For configuration of CASShib modify the file $tomcat_dir/webapps/casshib/WEB- INF/classes/casshib-service-registrations.xml in this way.

>
> For install CASShib we deploy in Tomcat the war file downloaded from http://code.google.com/p/casshib/downloads/list . For configuration of CASShib we modify the file $tomcat_dir/webapps/casshib/WEB- INF/classes/casshib-service-registrations.xml in this way.

<?xml version ="1.0" encoding="UTF&#8722;8" standalone="no"?>

Line: 219 to 214

</casShibServiceRegistrations >

Changed:

<
< Where fullyqualified.service.address.# are the services address (Liferay Portlet Login URL) which use CASShib . For install app1 and app2 you download the casshib-demo-app-1.0.0.war before deploy the war rename the package in app1 and copy the package and rename in app2, after this deploy the packages. For configure this service edit the $tomcat_dir/webapps/app1/WEB-INF/web.xml, and similar for app2, modifying the url of the service and the passcode.

>
> Where fullyqualified.service.address.# are the services address (Liferay Portlet Login URL) which use CASShib . For install app1 and app2 we download the casshib-demo-app-1.0.0.war before deploy the war we rename the package in app1.war and we copy the package and rename it in app2.war, after this we deploy the packages. For configure these service we edit the $tomcat_dir/webapps/app1/WEB-INF/web.xml file modifying the url of the service and the passcode. We make the same changes for app2.

Changed:

<
< Finally restart Tomcat.

>
> Finally we restart Tomcat for apply changes.

 $ service tomcat stop

Line: 230 to 225

1 Configure Liferay

Changed:

<
<

From web page of portal navigate to Manage/Control Panel/Settings/Authentication/CAS and set this parameter.

Key	Value <-- -->
Server Name	fullyqualified.Liferay.hostname
Server URL	https://fullyqualified.CASShib.server/casshib/shib/12345
Login URL	https://fullyqualified.CASShib.server/casshib/shib/app2/login

>
>

From web page of portal we navigate to Manage/Control Panel/Settings/Authentication/CAS and we configure Liferay to use CASShib in this way:

Changed:

<
< The other impostation leave empty and save settings. Now use login link for authetnication with INFN AAI.

>
> Now we use login link for authentication with INFN AAI.

References

CASShib: http://code.google.com/p/casshib/

-- Diego Michelotto - 11 Nov 2011 \ No newline at end of file

Added:

>
>

META FILEATTACHMENT	attachment="CAS_configuration.png" attr="" comment="CAS configuration" date="1321366658" name="CAS_configuration.png" path="CAS_configuration.png" size="37746" user="DiegoMichelotto" version="1"

Revision 42011-11-14 - TWikiAdminUser

Line: 1 to 1

META TOPICPARENT	name="InstallationGuide"

Line: 10 to 10

0.1 Installa SP

Changed:

<
< For the shibboleth installation use the package manager YUM and install the software.

>
> For the shibboleth installation you can use the package manager YUM and install the software.

 $ yum install shibboleth

Changed:

<
< After installation start server

>
> After installation you have to start the server

 $ service shibd start

Line: 24 to 24

0.1 Configure SP

Changed:

<
< For configuration go to /etc/shibboleth directory.

>
> For configuration you have to move in /etc/shibboleth directory.

If you want that SP support CASShib you must configure the shibboleth2.xml file. Each service needs to have its own protected Shibboleth address for CAS validation. For mapping URLs with services you must add this rows in the shibboleth configuration file.

Line: 41 to 41

Changed:

<
< After this, you configure the section with fake service. This means that if the request don't match the regular expressions return an error page. For configure the registrated services add this lines at the end of shibboleth2.xml file.

>
> After this, you have to configure the section with fake service. This means that if the request doesn't correspond to the regular expressions return an error page. For configuring the registrated services you have to add these lines at the end of shibboleth2.xml file.

<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1" homeURL="https://halfback . cnaf . infn . it/app1/" REMOTE_USER="shibattr-mail">

Line: 65 to 65

</ApplicationOverride >

Changed:

<
< This rows configure the SP for query the IGI IDP with app1 service and INFN AAI with app2 service. The attribute REMOTE_USER specify which IDP's attributes will use for the authentication process in the portal.

>
> These rows configure the SP for query the IGI IDP with app1 service and INFN AAI with app2 service. The attribute REMOTE_USER is used to specify which IDP's attributes will be used for the authentication process in the portal.

Changed:

<
< Now configure the attribute-map.xml file for define the attribute used by shibboleth. Add this rows at the file.

>
> Now we have to configure the attribute-map.xml file for defining the attribute used by shibboleth adding the following rows:

<afp:AttributeRule attributeID="shibattr&#8722;eppn">

Line: 95 to 95

1 Apache server

Changed:

<
< For install a secure comunication for CASShib you neet to install the apache server which acts as a front-end.

>
> For a secure communication you need to install the apache server which acts as a front-end.

0.1 Install Apache

Line: 103 to 103

 $ yum install httpd

Deleted:

<
<

After installation start server

$ service httpd start

Changed:

<
<

0.1 Configure Apache

>
>

0.1 Apache Configuration

Changed:

<
< Add to httpd.conf file this row for enable shibboleth authentication.

>
> We have to add to httpd.conf file the following rows for enabling shibboleth authentication.

##

Line: 122 to 117

Include /etc/shibboleth/apache22.config

Changed:

<
< Now comment all the row of apache22.config. Now configure Apache to use SSL. Edit the ssl.conf file in the Apache directory and in the default:443> section add this rows.

>
> Then we have to comment all the rows of apache22.config. Now configure Apache to use SSL. Edit the ssl.conf file in the Apache directory and in the default:443> section add this rows.

UseCanonicalName On

Revision 32011-11-11 - DiegoMichelotto

Line: 1 to 1

META TOPICPARENT	name="InstallationGuide"

Changed:

<
<

Installazione e configurazione di CASShib

>
>

Installtion and configuration of CASShib

1 Service Provider

Added:

>
>

0.1 Installa SP

For the shibboleth installation use the package manager YUM and install the software.

 $ yum install shibboleth

After installation start server

 $ service shibd start

0.2 Configure SP

For configuration go to /etc/shibboleth directory.

<RequestMapper type="Native"> 
      <RequestMap applicationId="default">
         <Host name="halfback.cnaf.infn.it" port="443" scheme=" https">

            <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession =" true"/>

            <PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession =" true"/> 
         </Host> 
      </RequestMap>
</RequestMapper>

After this, you configure the section with fake service. This means that if the request don't match the regular expressions return an error page. For configure the registrated services add this lines at the end of shibboleth2.xml file.

<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1" homeURL="https://halfback . cnaf . infn . it/app1/" REMOTE_USER="shibattr-mail">
   <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app1"> 
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth"> 
         <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex ="false" template="bindingTemplat .html"/>
         <SessionInitiator type="Shib1" defaultACSIndex="5"/>
      </SessionInitiator > 
   </Sessions >
   <MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationOverride >

<ApplicationOverride id="app2" entityID="https://halfback.cnaf.infn.it/ casshib/app2" homeURL="https://halfback.cnaf.infn.it/app 2/" REMOTE_USER="shibattr&#8722;mail">
   <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app2/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app2"> 
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://idp.infn.it/saml2/idp/metadata.php">
         <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html "/>
         <SessionInitiator type="Shib1" defaultACSIndex="5"/> 
      </SessionInitiator >
   </Sessions >
   <MetadataProvider type="XML" file="idp.infn.it-metadata.xml"/> 
</ApplicationOverride >

This rows configure the SP for query the IGI IDP with app1 service and INFN AAI with app2 service. The attribute REMOTE_USER specify which IDP's attributes will use for the authentication process in the portal.

Now configure the attribute-map.xml file for define the attribute used by shibboleth. Add this rows at the file.

<afp:AttributeRule attributeID="shibattr&#8722;eppn"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;uid"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;mail"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;cn"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;sn"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;givenName"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;l"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >

1 Apache server

Added:

>
>

For install a secure comunication for CASShib you neet to install the apache server which acts as a front-end.

0.1 Install Apache

Use the package manager for install software.

 $ yum install httpd

After installation start server

 $ service httpd start

0.2 Configure Apache

Add to httpd.conf file this row for enable shibboleth authentication.

##
# CASSHIB ##

Include /etc/shibboleth/apache22.config

Now comment all the row of apache22.config. Now configure Apache to use SSL. Edit the ssl.conf file in the Apache directory and in the default:443> section add this rows.

UseCanonicalName On

<Location /casshib/shib/&#8727;/login >
   AuthType shibboleth 
   ShibRequireSession On 
   ShibUseHeaders On 
   require valid&#8722;user
</Location >
<Location /casshib/shib/&#8727;/Shibboleth . sso>
   AuthType shibboleth 
   ShibRequireSession On 
   ShibUseHeaders On 
   require valid&#8722;user
</Location >
<Location /casshib/shib/&#8727;/Shibboleth . sso/&#8727;>
   AuthType shibboleth 
   ShibRequireSession On 
   ShibUseHeaders On 
   require valid&#8722;user
</Location >
ProxyRequests On 
ProxyPass /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPassReverse /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPass /app1/ http://halfback.cnaf.infn.it:8585/app1/
ProxyPassReverse /app1/ http://halfback.cnaf.infn.it:8585/app1/

Create the httpd-jk-mount.conf file in the same folder and add this rows.

<IfModule jk_module>
   JkMount /casshib/* worker1
   JkUnMount /casshib/shib/*/Shibboleth.sso worker1 
   JkUnMount /casshib/shib/*/Shibboleth.sso/* worker1
</IfModule >

Create the httpd-jk- init.conf file in the same folder which have this rows.

LoadModule jk_module modules/mod_jk.so 
<IfModule jk_module>
   JkWorkersFile conf.d/workers.properties
   JkShmFile  logs/mod_jk.shm
   JkLogFile  logs/mod_jk.log
   JkLogLevel info
   JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</IfModule >

Create the worker.properties file in the same directory and add this rows.

worker.list=worker1
worker.worker1.type=ajp13 
worker.worker1.host=halfback.cnaf.infn.it 
worker.worker1.port=8017

Now restart the Apache server.

 $ service httpd restart

1 Tomcat server

Added:

>
>

CASShib is a webapp and need a tomcat server. For server installation use package manager to install Tomcat server.

 $ yum install tomcat6

Modify this rows in the server.xml file for configure Tomcat server.

<Connector port ="8585" protocol ="HTTP/1.1" connectionTimeout ="20000" />
[...]
<Connector port="8017" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />

Start server.

 $ service tomcat start

1 CASShib

Changed:

<
< -- TWikiAdminUser - 2011-11-10

>
>

For install CASShib deploy in Tomcat the war file downloaded from http://code.google.com/p/casshib/downloads/list

. For configuration of CASShib modify the file $tomcat_dir/webapps/casshib/WEB- INF/classes/casshib-service-registrations.xml in this way.

<?xml version ="1.0" encoding="UTF&#8722;8" standalone="no"?> 
<casShibServiceRegistrations >
   <service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345" />
   <service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345" />
</casShibServiceRegistrations >

Where fullyqualified.service.address.# are the services address (Liferay Portlet Login URL) which use CASShib . For install app1 and app2 you download the casshib-demo-app-1.0.0.war before deploy the war rename the package in app1 and copy the package and rename in app2, after this deploy the packages. For configure this service edit the $tomcat_dir/webapps/app1/WEB-INF/web.xml, and similar for app2, modifying the url of the service and the passcode.

Finally restart Tomcat.

 $ service tomcat stop 
 $ service tomcat start

1 Configure Liferay

From web page of portal navigate to Manage/Control Panel/Settings/Authentication/CAS and set this parameter.

Key	Value
Login URL	https://fullyqualified.CASShib.server/casshib/shib/app2/login
Server Name	fullyqualified.Liferay.hostname
Server URL	https://fullyqualified.CASShib.server/casshib/shib/12345