Linux @ CERN

Windows Single Sign On (SSO) / CERN Authentication integration on CentOS CERN / Apache and Shibboleth.

About CERN Single Sign On and Shibboleth

• CERN Single Sign On documentation.
• Shibboleth information and documentation.

Installation

# yum install shibboleth

SELINUX=enforcing

SELINUX=permissive

/usr/sbin/setenforce Permissive

LD_PRELOAD=/opt/shibboleth/lib64/libcurl.so.4
export LD_PRELOAD

Configuration for CERN Single Sign On

• We assume that at this point your apache web service (httpd) is already configured and running.
  
• Enable automatic startup of shibboleth daemon:

  # /bin/systemctl enable shibd
  

• Copy following configuration files to /etc/shibboleth/ directory:
  
  • shibboleth2.xml (main shibboleth configuration file customized for CERN SSO).
  • ADFS-metadata.xml (ADFS configuration customized for CERN SSO)
  • attribute-map.xml (ADFS attribute mapping)
  • wsignout.gif
  
  
• Edit /etc/shibboleth/shibboleth2.xml
  
  • set up the listener host (default setting of localhost should be used in most cases):

    <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>

  • replace ALL 5 occurences of somehost.cern.ch, by your system hostname:
    • <Site id="1" name="somehost.cern.ch"/>
    • <Host name="somehost.cern.ch"/>
    • <ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch" ....
    • <saml:Audience>https://somehost.cern.ch/Shibboleth.sso/ADFS</saml:Audience>
    
    
  • Review /etc/httpd/conf.d/shib.conf shibboleth apache configuration.
    
    
  • Configure per-directory (in .htaccess file) or global (in /etc/httpd/conf.d/shib.conf) authentication rules:

    ##########################################################
    SSLRequireSSL   # The modules only work using HTTPS 
    AuthType shibboleth
    ShibRequireSession On
    ### ShibRequireAll On - not supported on Apache 2.4
    ShibExportAssertion Off
    
    ### ShibUseHeaders On 
    ### Uncomment above line if you want shibboleth to 
    ### use also old-style request headers 
    ### may be required for use with Tomcat, or to
    ### allow easy migration of older applications.
    ### It is strongly recommended not to use above
    ### option in order to improve security.
    
    <RequireAll>
        Require valid-user
        Require shib-attr ADFS_GROUP "Some Users Group" "Some Other Users Group"
    </RequireAll>
    ##########################################################
    

    
    
  • Script configuration:
    Please note that contrary to the previous "NICE password" authentication on central WEB/AFS services, the REMOTE_USER field now holds the user mail address (and not the login name). To get back at the login name, you have to use HTTP_ADFS_LOGIN instead.
  
  
  • ADFS Application configuration:
    Once your Apache Web application is configured, you simply need to have your application added to the allowed application list in CERN Single Sign On.
    To do so, simply go to this form and specify these 3 items:
    • Your Application Name, please provide a telling name for your application (it must be unique).
    • Your application URL, as declared in saml:Audience property above.
    • Your name and email for further contact.
    
    
  • Once you get a confirmation that your application has been configured for CERN SSO, (re)start services on your system as root:

    # /bin/systemctl restart shibd
    # /bin/systemctl restart httpd 
    

  Support

  For problems related to packaging of shibboleth / log4shib, contact: linux.support@cern.ch
  For information and help about shibboleth configuration for CERN Single Sign On, see: CERN Authentication web pages
  
  Jaroslaw.Polok@cern.ch