META TOPICPARENT |
name="AdministrationGuide" |
Installation and configuration of CASShib
Overall architecture:
1 Service Provider
1.1 Install SP
For the shibboleth installation we use the package manager YUM and we install the software and we start the server.
$ yum install shibboleth
$ service shibd start
1.2 Configure SP
For configuration we change directory to /etc/shibboleth .
We edit shibboleth2.xml file for configure the SP to support CASShib. Each service needs to have its own protected Shibboleth address for CAS validation. For mapping URLs with services we add these rows in the shibboleth configuration file.
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="halfback.cnaf.infn.it" port="443" scheme=" https">
<PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession =" true"/>
<PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession =" true"/>
</Host>
</RequestMap>
</RequestMapper>
After this, we configure the section with fake service. This means that if the request doesn't correspond to the regular expressions return an error page. For configuring the registrated services we add these lines at the end of shibboleth2.xml file.
<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1" homeURL="https://halfback . cnaf . infn . it/app1/" REMOTE_USER="shibattr-mail">
<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app1">
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth">
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex ="false" template="bindingTemplat .html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator >
</Sessions >
<MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationOverride >
<ApplicationOverride id="app2" entityID="https://halfback.cnaf.infn.it/ casshib/app2" homeURL="https://halfback.cnaf.infn.it/app 2/" REMOTE_USER="shibattr−mail">
<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app2/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app2">
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://idp.infn.it/saml2/idp/metadata.php">
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html "/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator >
</Sessions >
<MetadataProvider type="XML" file="idp.infn.it-metadata.xml"/>
</ApplicationOverride >
These rows configure the SP for query the IGI IDP with app1 service and INFN AAI with app2 service. The attribute REMOTE_USER is used to specify which IDP's attributes will be used for the authentication process in the portal.
Now we configure the attribute-map.xml file for defining the attribute used by shibboleth adding the following rows:
<afp:AttributeRule attributeID="shibattr−eppn">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−uid">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−mail">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−cn">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−sn">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−givenName">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−l">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
2 Apache server
For a secure communication we need to install the apache server which acts as a front-end.
2.1 Install Apache
We use the package manager for install software.
$ yum install httpd
$ service httpd start
2.2 Apache Configuration
We have to add to httpd.conf file the following rows for enabling shibboleth authentication.
##
# CASSHIB ##
Include /etc/shibboleth/apache22.config
Then we have to comment all the rows of apache22.config . Now we configure Apache to use SSL module. We edit the ssl.conf file in the Apache directory and in the default:443> section we add these rows.
UseCanonicalName On
<Location /casshib/shib/∗/login >
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid−user
</Location >
<Location /casshib/shib/∗/Shibboleth . sso>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid−user
</Location >
<Location /casshib/shib/∗/Shibboleth . sso/∗>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid−user
</Location >
ProxyRequests On
ProxyPass /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPassReverse /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPass /app1/ http://halfback.cnaf.infn.it:8585/app1/
ProxyPassReverse /app1/ http://halfback.cnaf.infn.it:8585/app1/
We create the httpd-jk-mount.conf file in the same folder and add these rows.
<IfModule jk_module>
JkMount /casshib/* worker1
JkUnMount /casshib/shib/*/Shibboleth.sso worker1
JkUnMount /casshib/shib/*/Shibboleth.sso/* worker1
</IfModule >
We create the httpd-jk- init.conf file in the same folder which have these rows.
LoadModule jk_module modules/mod_jk.so
<IfModule jk_module>
JkWorkersFile conf.d/workers.properties
JkShmFile logs/mod_jk.shm
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</IfModule >
We create the worker.properties file in the same directory and we add these rows.
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=halfback.cnaf.infn.it
worker.worker1.port=8017
Now we restart the Apache server for apply the changes.
$ service httpd restart
3 Tomcat server
CASShib is a webapp and need a tomcat server. We install the server using the package manager.
$ yum install tomcat6
We modify these rows in the server.xml file for configure Tomcat server.
<Connector port ="8585" protocol ="HTTP/1.1" connectionTimeout ="20000" />
[...]
<Connector port="8017" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />
Start server.
$ service tomcat start
4 CASShib
For install CASShib we deploy in Tomcat the war file downloaded from http://code.google.com/p/casshib/downloads/list . For configuration of CASShib we modify the file $tomcat_dir/webapps/casshib/WEB- INF/classes/casshib-service-registrations.xml in this way.
<?xml version ="1.0" encoding="UTF−8" standalone="no"?>
<casShibServiceRegistrations >
<service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345" />
<service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345" />
</casShibServiceRegistrations >
Where fullyqualified.service.address.# are the services address (Liferay Portlet Login URL) which use CASShib . For install app1 and app2 we download the casshib-demo-app-1.0.0.war before deploy the war we rename the package in app1.war and we copy the package and rename it in app2.war, after this we deploy the packages. For configure these service we edit the $tomcat_dir/webapps/app1/WEB-INF/web.xml file modifying the url of the service and the passcode. We make the same changes for app2.
Finally we restart Tomcat for apply changes.
$ service tomcat stop
$ service tomcat start
5 Configure Liferay
From web page of portal we navigate to Manage/Control Panel/Settings/Authentication/CAS and we configure Liferay to use CASShib in this way:
Now we use login link for authentication with INFN AAI.
|