Installation and configuration of CASShib
Overall architecture:
1 Service Provider
1.1 Install SP
For the Shibboleth installation we use the YUM package manager: we install the software and then start the daemon.
$ yum install shibboleth
$ service shibd start
1.2 Configure SP
For configuration we change directory to /etc/shibboleth. We edit the shibboleth2.xml file to configure the SP to support CASShib. Each service needs its own protected Shibboleth address for CAS validation. To map URLs to services we add these rows in the Shibboleth configuration file.
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="halfback.cnaf.infn.it" port="443" scheme="https">
      <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
      <PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapper>
After this, we configure the section with a fake service, so that a request that does not match any of the regular expressions returns an error page. To configure the registered services we add these lines at the end of the shibboleth2.xml file.
<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1" homeURL="https://halfback.cnaf.infn.it/app1/" REMOTE_USER="shibattr-mail">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL="true" exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps="; path=/casshib/shib/app1">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth">
      <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    </SessionInitiator>
  </Sessions>
  <MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationOverride>
<ApplicationOverride id="app2" entityID="https://halfback.cnaf.infn.it/casshib/app2" homeURL="https://halfback.cnaf.infn.it/app2/" REMOTE_USER="shibattr-mail">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL="true" exportLocation="/casshib/shib/app2/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps="; path=/casshib/shib/app2">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://idp.infn.it/saml2/idp/metadata.php">
      <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    </SessionInitiator>
  </Sessions>
  <MetadataProvider type="XML" file="idp.infn.it-metadata.xml"/>
</ApplicationOverride>
These rows configure the SP to query the IGI IdP for the app1 service and INFN AAI for the app2 service. The REMOTE_USER attribute specifies which of the IdP's attributes is used for the authentication process in the portal.
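The RequestMapper and the ApplicationOverride entries must agree with each other for the per-service isolation described above to hold. The following check is an added example (not part of the original document) that parses a constructed fragment mirroring the page's shibboleth2.xml and verifies, for each mapped service, that an override exists, that its handlerURL lies under the protected path, that handlerSSL is on, and that the session cookie is scoped to that path only:

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the page's RequestMapper and ApplicationOverride
# entries; only the attributes the check needs are kept.
SHIB_XML = """<SPConfig>
<RequestMapper type="Native"><RequestMap applicationId="default">
 <Host name="halfback.cnaf.infn.it" port="443" scheme="https">
  <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
  <PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession="true"/>
 </Host>
</RequestMap></RequestMapper>
<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1">
 <Sessions handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/casshib/shib/app1"/>
</ApplicationOverride>
<ApplicationOverride id="app2" entityID="https://halfback.cnaf.infn.it/casshib/app2">
 <Sessions handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/casshib/shib/app2"/>
</ApplicationOverride>
</SPConfig>"""

def local(tag): return tag.rsplit("}", 1)[-1]  # drop the namespace the real file declares
def find_all(root, name): return [e for e in root.iter() if local(e.tag) == name]

def lint_shib(xml_text):
    """Return a list of problems; an empty list means the per-app mapping is consistent."""
    root = ET.fromstring(xml_text)
    overrides = {e.get("id"): e for e in find_all(root, "ApplicationOverride")}
    problems, mapped = [], set()
    for pr in find_all(root, "PathRegex"):
        app = pr.get("applicationId")
        mapped.add(app)
        if app not in overrides:
            problems.append(f"PathRegex {pr.get('regex')} maps to unknown applicationId {app}")
            continue
        if pr.get("requireSession") != "true":
            problems.append(f"{app}: requireSession is not true, unauthenticated requests would reach the app")
        sessions = find_all(overrides[app], "Sessions")[0]  # assumes one Sessions element per override, as on the page
        prefix = "/" + pr.get("regex")  # the page's regexes are plain path prefixes
        handler = sessions.get("handlerURL", "")
        if not handler.startswith(prefix):
            problems.append(f"{app}: handlerURL {handler} lies outside the protected path {prefix}")
        if sessions.get("handlerSSL") != "true":
            problems.append(f"{app}: handlerSSL is not true, the handler would be reachable over plain HTTP")
        if f"path={prefix}" not in sessions.get("cookieProps", ""):
            problems.append(f"{app}: session cookie is not scoped to {prefix}, it would be sent to the other apps")
    for app in overrides:
        if app not in mapped:
            problems.append(f"ApplicationOverride {app} has no PathRegex and is unreachable")
    return problems
```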
Now we configure the attribute-map.xml file to define the attributes used by Shibboleth, adding the following rows:
<afp:AttributeRule attributeID="shibattr-eppn">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-uid">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-mail">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-cn">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-sn">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-givenName">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-l">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
2 Apache server
For a secure communication we need to install the Apache server, which acts as a front-end.
2.1 Install Apache
We use the package manager to install the software.
$ yum install httpd
$ service httpd start
2.2 Apache Configuration
We have to add the following rows to the httpd.conf file to enable Shibboleth authentication.
## CASSHIB ##
Include /etc/shibboleth/apache22.config
Then we have to comment out all the rows of apache22.config. Now we configure Apache to use the SSL module. We edit the ssl.conf file in the Apache directory and in the <VirtualHost _default_:443> section we add these rows.
UseCanonicalName On
<Location /casshib/shib/*/login>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>
<Location /casshib/shib/*/Shibboleth.sso>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>
<Location /casshib/shib/*/Shibboleth.sso/*>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>
ProxyRequests On
ProxyPass /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPassReverse /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPass /app1/ http://halfback.cnaf.infn.it:8585/app1/
ProxyPassReverse /app1/ http://halfback.cnaf.infn.it:8585/app1/
We create the httpd-jk-mount.conf file in the same folder and add these rows.
<IfModule jk_module>
  JkMount /casshib/* worker1
  JkUnMount /casshib/shib/*/Shibboleth.sso worker1
  JkUnMount /casshib/shib/*/Shibboleth.sso/* worker1
</IfModule>
We create the httpd-jk-init.conf file in the same folder with these rows.
LoadModule jk_module modules/mod_jk.so
<IfModule jk_module>
JkWorkersFile conf.d/workers.properties
JkShmFile logs/mod_jk.shm
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</IfModule>
We create the workers.properties file (the name must match the JkWorkersFile directive above) in the same directory and add these rows.
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=halfback.cnaf.infn.it
worker.worker1.port=8017
Now we restart the Apache server to apply the changes.
$ service httpd restart
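Two properties of the front-end above are worth verifying mechanically: the Shibboleth handler paths must be excluded from the mod_jk mount so that Apache (mod_shib) answers them rather than Tomcat, and a reverse proxy built from ProxyPass should not also have ProxyRequests On, because that directive enables forward proxying of arbitrary destinations. The following check is an added example (not the page's own code); APACHE_CONF is a constructed copy of the directives the page adds to ssl.conf and httpd-jk-mount.conf, and the parser assumes the simple one-directive-per-line layout used on the page:

```python
import re

# Constructed copy of the page's ssl.conf additions and httpd-jk-mount.conf
# (the app2 Location and the ProxyPassReverse lines are omitted for brevity).
APACHE_CONF = """<Location /casshib/shib/*/login>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
<Location /casshib/shib/*/Shibboleth.sso>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
ProxyRequests On
ProxyPass /app1/ http://halfback.cnaf.infn.it:8585/app1/
JkMount /casshib/* worker1
JkUnMount /casshib/shib/*/Shibboleth.sso worker1
JkUnMount /casshib/shib/*/Shibboleth.sso/* worker1
"""

def parse(conf):
    """Return (directive, arguments, enclosing Location or None) for each directive line."""
    out, loc = [], None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r"<Location\s+(\S+)\s*>$", line)
        if m:
            loc = m.group(1)
        elif line.lower().startswith("</location"):
            loc = None
        elif line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            out.append((name, args.strip(), loc))
    return out

def lint_apache(conf):
    """Return a list of problems found in the front-end configuration."""
    d, problems = parse(conf), []
    if any(n == "ProxyPass" for n, _, _ in d) and any(n == "ProxyRequests" and a.lower() == "on" for n, a, _ in d):
        problems.append("ProxyRequests On next to ProxyPass: the reverse proxy is also an open forward proxy, set it Off")
    unmounted = {a.split()[0] for n, a, _ in d if n == "JkUnMount"}
    for loc in {l for _, _, l in d if l}:
        inside = {(n.lower(), a.lower()) for n, a, l in d if l == loc}
        if ("shibrequiresession", "on") not in inside or ("require", "valid-user") not in inside:
            problems.append(f"{loc}: not every request is forced through a Shibboleth session")
        if "Shibboleth.sso" in loc and loc not in unmounted:
            problems.append(f"{loc}: handler path is not excluded from JkMount, Tomcat would receive it")
    return problems
```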
3 Tomcat server
CASShib is a webapp and needs a Tomcat server. We install the server using the package manager.
$ yum install tomcat6
We modify these rows in the server.xml file to configure the Tomcat server.
<Connector port="8585" protocol="HTTP/1.1" connectionTimeout="20000" />
[...]
<Connector port="8017" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />
Start the server.
$ service tomcat start
4 CASShib
To install CASShib we deploy in Tomcat the war file downloaded from http://code.google.com/p/casshib/downloads/list. To configure CASShib we modify the file $tomcat_dir/webapps/casshib/WEB-INF/classes/casshib-service-registrations.xml in this way.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<casShibServiceRegistrations>
  <service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345" />
  <service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345" />
</casShibServiceRegistrations>
Where fullyqualified.service.address.# are the service addresses (Liferay Portlet Login URL) that use CASShib. To install app1 and app2 we download casshib-demo-app-1.0.0.war; before deploying it we rename the package app1.war, copy it and rename the copy app2.war, then we deploy both packages. To configure these services we edit the $tomcat_dir/webapps/app1/WEB-INF/web.xml file, modifying the URL of the service and the passcode. We make the same changes for app2.
Finally we restart Tomcat to apply the changes.
$ service tomcat stop
$ service tomcat start
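The service registration file above binds each service URL to an appname and a shared passcode, so the values written there deserve a sanity check before the setup goes live. The following check is an added example (not CASShib's own code): it parses a constructed copy of the page's registration file and flags service ids that are not absolute https URLs, appnames without an ApplicationOverride in shibboleth2.xml, and passcodes that are the demo value, too short, or shared between services. KNOWN_APPS, DEMO_PASSCODES and MIN_PASSCODE_LEN are assumptions of this example, not CASShib settings:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed copy of the page's casshib-service-registrations.xml (declaration
# omitted); the ids are the page's placeholders, the passcodes the demo values.
REGISTRATIONS = """<casShibServiceRegistrations>
<service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345" />
<service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345" />
</casShibServiceRegistrations>"""

KNOWN_APPS = {"app1", "app2"}   # the ApplicationOverride ids from shibboleth2.xml
DEMO_PASSCODES = {"12345"}      # value shipped in the page's example file
MIN_PASSCODE_LEN = 16           # assumption: a local policy, not a CASShib requirement

def lint_registrations(xml_text, known_apps=KNOWN_APPS):
    """Return a list of problems; an empty list means every registration passes the checks."""
    problems, seen_codes = [], {}
    for svc in ET.fromstring(xml_text).findall("service"):
        sid, app, code = svc.get("id", ""), svc.get("appname"), svc.get("passcode", "")
        u = urlparse(sid)
        if u.scheme != "https" or not u.netloc:
            problems.append(f"{sid}: service id must be an absolute https URL")
        if app not in known_apps:
            problems.append(f"{sid}: appname {app} has no ApplicationOverride in shibboleth2.xml")
        if code in DEMO_PASSCODES or len(code) < MIN_PASSCODE_LEN:
            problems.append(f"{sid}: passcode is the demo value or shorter than {MIN_PASSCODE_LEN} characters")
        if code in seen_codes:
            problems.append(f"{sid}: passcode reused from {seen_codes[code]}, it no longer distinguishes the two services")
        seen_codes.setdefault(code, sid)
    return problems
```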
5 Configure Liferay
From the portal web page we navigate to Manage/Control Panel/Settings/Authentication/CAS and configure Liferay to use CASShib in this way:
Now we use the login link to authenticate with INFN AAI.
6 Stop Start Restart service
6.1 Stop service
To stop the service launch these commands:
# service shibd stop
# service httpd stop
# service tomcat stop
6.2 Start service
To start the service launch these commands:
# service shibd start
# service httpd start
# service tomcat start
6.3 Restart service
To restart the service launch these commands:
# service shibd restart
# service httpd restart
# service tomcat stop
# service tomcat start
6.4 Logs
The logs that can help you are:
- /var/log/shibboleth/shibd.log
- /opt/tomcat/logs/catalina.out
Diego Michelotto - 11 Nov 2011