Installtion and configuration of CASShib

1 Service Provider

1.1 Installa SP

For the shibboleth installation you can use the package manager YUM and install the software.

 $ yum install shibboleth

After installation you have to start the server

 $ service shibd start

1.2 Configure SP

For configuration you have to move in /etc/shibboleth directory.

If you want that SP support CASShib you must configure the shibboleth2.xml file. Each service needs to have its own protected Shibboleth address for CAS validation. For mapping URLs with services you must add this rows in the shibboleth configuration file.

<RequestMapper type="Native"> 
      <RequestMap applicationId="default">
         <Host name="halfback.cnaf.infn.it" port="443" scheme=" https">

            <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession =" true"/>

            <PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession =" true"/> 
         </Host> 
      </RequestMap>
</RequestMapper>

After this, you have to configure the section with fake service. This means that if the request doesn't correspond to the regular expressions return an error page. For configuring the registrated services you have to add these lines at the end of shibboleth2.xml file.

<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1" homeURL="https://halfback . cnaf . infn . it/app1/" REMOTE_USER="shibattr-mail">
   <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app1"> 
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth"> 
         <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex ="false" template="bindingTemplat .html"/>
         <SessionInitiator type="Shib1" defaultACSIndex="5"/>
      </SessionInitiator > 
   </Sessions >
   <MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationOverride >

<ApplicationOverride id="app2" entityID="https://halfback.cnaf.infn.it/ casshib/app2" homeURL="https://halfback.cnaf.infn.it/app 2/" REMOTE_USER="shibattr&#8722;mail">
   <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app2/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app2"> 
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://idp.infn.it/saml2/idp/metadata.php">
         <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html "/>
         <SessionInitiator type="Shib1" defaultACSIndex="5"/> 
      </SessionInitiator >
   </Sessions >
   <MetadataProvider type="XML" file="idp.infn.it-metadata.xml"/> 
</ApplicationOverride >

These rows configure the SP for query the IGI IDP with app1 service and INFN AAI with app2 service. The attribute REMOTE_USER is used to specify which IDP's attributes will be used for the authentication process in the portal.

Now we have to configure the attribute-map.xml file for defining the attribute used by shibboleth adding the following rows:

<afp:AttributeRule attributeID="shibattr&#8722;eppn"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;uid"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;mail"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;cn"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;sn"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;givenName"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr&#8722;l"> 
   <afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >

2 Apache server

For a secure communication you need to install the apache server which acts as a front-end.

2.1 Install Apache

Use the package manager for install software.

 $ yum install httpd
 $ service httpd start

2.2 Apache Configuration

We have to add to httpd.conf file the following rows for enabling shibboleth authentication.

##
# CASSHIB ##

Include /etc/shibboleth/apache22.config

Then we have to comment all the rows of apache22.config. Now configure Apache to use SSL. Edit the ssl.conf file in the Apache directory and in the default:443> section add this rows.

UseCanonicalName On

<Location /casshib/shib/&#8727;/login >
   AuthType shibboleth 
   ShibRequireSession On 
   ShibUseHeaders On 
   require valid&#8722;user
</Location >
<Location /casshib/shib/&#8727;/Shibboleth . sso>
   AuthType shibboleth 
   ShibRequireSession On 
   ShibUseHeaders On 
   require valid&#8722;user
</Location >
<Location /casshib/shib/&#8727;/Shibboleth . sso/&#8727;>
   AuthType shibboleth 
   ShibRequireSession On 
   ShibUseHeaders On 
   require valid&#8722;user
</Location >
ProxyRequests On 
ProxyPass /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPassReverse /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPass /app1/ http://halfback.cnaf.infn.it:8585/app1/
ProxyPassReverse /app1/ http://halfback.cnaf.infn.it:8585/app1/

Create the httpd-jk-mount.conf file in the same folder and add this rows.

<IfModule jk_module>
   JkMount /casshib/* worker1
   JkUnMount /casshib/shib/*/Shibboleth.sso worker1 
   JkUnMount /casshib/shib/*/Shibboleth.sso/* worker1
</IfModule >

Create the httpd-jk- init.conf file in the same folder which have this rows.

LoadModule jk_module modules/mod_jk.so 
<IfModule jk_module>
   JkWorkersFile conf.d/workers.properties
   JkShmFile  logs/mod_jk.shm
   JkLogFile  logs/mod_jk.log
   JkLogLevel info
   JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</IfModule >

Create the worker.properties file in the same directory and add this rows.

worker.list=worker1
worker.worker1.type=ajp13 
worker.worker1.host=halfback.cnaf.infn.it 
worker.worker1.port=8017

Now restart the Apache server.

 $ service httpd restart

3 Tomcat server

CASShib is a webapp and need a tomcat server. For server installation use package manager to install Tomcat server.

 $ yum install tomcat6

Modify this rows in the server.xml file for configure Tomcat server.

<Connector port ="8585" protocol ="HTTP/1.1" connectionTimeout ="20000" />
[...]
<Connector port="8017" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />

Start server.

 $ service tomcat start

4 CASShib

For install CASShib deploy in Tomcat the war file downloaded from http://code.google.com/p/casshib/downloads/list . For configuration of CASShib modify the file $tomcat_dir/webapps/casshib/WEB- INF/classes/casshib-service-registrations.xml in this way.

<?xml version ="1.0" encoding="UTF&#8722;8" standalone="no"?> 
<casShibServiceRegistrations >
   <service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345" />
   <service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345" />
</casShibServiceRegistrations >

Where fullyqualified.service.address.# are the services address (Liferay Portlet Login URL) which use CASShib . For install app1 and app2 you download the casshib-demo-app-1.0.0.war before deploy the war rename the package in app1 and copy the package and rename in app2, after this deploy the packages. For configure this service edit the $tomcat_dir/webapps/app1/WEB-INF/web.xml, and similar for app2, modifying the url of the service and the passcode.

Finally restart Tomcat.

 $ service tomcat stop 
 $ service tomcat start

5 Configure Liferay

From web page of portal navigate to Manage/Control Panel/Settings/Authentication/CAS and set this parameter.

Key Value
Login URL https://fullyqualified.CASShib.server/casshib/shib/app2/login
Server Name fullyqualified.Liferay.hostname
Server URL https://fullyqualified.CASShib.server/casshib/shib/12345

The other impostation leave empty and save settings. Now use login link for authetnication with INFN AAI.

References

-- Diego Michelotto - 11 Nov 2011

Edit | Attach | Print version | History: r11 | r6 < r5 < r4 < r3 | Backlinks | Raw View | More topic actions...
Topic revision: r4 - 2011-11-14 - TWikiAdminUser
 
Edit Attach

TWIKI.NET
This site is powered by the TWiki collaboration platformCopyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback