Windows Single Sign On (SSO) / CERN Authentication integration on Scientific Linux CERN / Apache and Shibboleth.
About CERN Single Sign On and Shibboleth
Installation
As root on your system run:

# yum install shibboleth log4shib

The above command will pull in all dependencies for the above packages, including xerces-c, xml-security-c, opensaml and log4cpp, coming from the extras repository for SLC5.
Note: As of April 2009 the SELinux policy has not been implemented for Shibboleth 2, therefore SELinux must be switched to permissive mode on your system for Single Sign On to work. Be aware that permissive mode disables SELinux enforcement for the whole host, not only for shibd (denials are still logged in the audit log), so return to enforcing mode as soon as a policy for Shibboleth becomes available. To switch, edit the /etc/sysconfig/selinux file and replace the line:

SELINUX=enforcing

by

SELINUX=permissive

Next reboot your system or run:

/usr/sbin/setenforce Permissive

for the change to take effect.
Optionally, if not yet installed on your system you may also want to install:
# yum install system-config-httpd
Configuration for CERN Single Sign On
- We assume that at this point your apache web service (httpd) is already configured and running.
- Enable automatic startup of shibboleth daemon:
# /sbin/chkconfig --levels 345 shibd on
- Copy following configuration files to /etc/shibboleth/ directory:
- shibboleth2.xml (main shibboleth configuration file customized for CERN SSO).
- ADFS-metadata.xml (ADFS configuration customized for CERN SSO)
- attribute-map.xml (ADFS attribute mapping)
- wsignout.gif
- Edit /etc/shibboleth/shibboleth2.xml
- set up the listener host (default setting of localhost should be used in most cases):
<TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>
- replace ALL 5 occurrences of somehost.cern.ch with the fully qualified hostname of your system (entityID and homeURL share one line, which is why the 4 lines below contain 5 occurrences):
- <Site id="1" name="somehost.cern.ch"/>
- <Host name="somehost.cern.ch"/>
- <ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch" ....
- <saml:Audience>https://somehost.cern.ch/Shibboleth.sso/ADFS</saml:Audience>
- Review /etc/httpd/conf.d/shib.conf shibboleth apache configuration.
- Configure per-directory (in .htaccess file) or global (in /etc/httpd/conf.d/shib.conf) authentication rules:
##########################################################
# The modules only work using HTTPS
SSLRequireSSL
AuthType shibboleth
ShibRequireSession On
ShibRequireAll On
ShibExportAssertion Off
### ShibUseHeaders On
### Uncomment the line above if you want Shibboleth to
### also set old-style request headers; this may be
### required for use with Tomcat, or to allow easy
### migration of older applications.
### It is strongly recommended not to use this option,
### so that applications cannot be fed attribute values
### through client-supplied headers.
<RequireAll>
  Require valid-user
  Require ADFS_GROUP "Some Users Group" "Some Other Users Group"
</RequireAll>
##########################################################

Caveat: the <RequireAll> container exists only from Apache 2.4 onwards. On the Apache 2.2 shipped with SLC5, leave the two Require lines outside any container; ShibRequireAll On already makes both of them mandatory.
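Apache enforces the group rule above, but the application behind it sees the same attributes and can check them again (and it needs ADFS_LOGIN rather than REMOTE_USER when it wants the login name). The CGI script below is an added example, not code from the CERN page: with ShibUseHeaders Off, mod_shib exports attributes to scripts as environment variables named after the attribute-map id (ADFS_LOGIN, ADFS_GROUP), with multiple values joined by ';'; with ShibUseHeaders On they also arrive as request headers, which CGI sees as HTTP_ADFS_LOGIN. The group names and user values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CERN page): reading CERN SSO attributes in a CGI
# script behind mod_shib. Attribute names follow attribute-map.xml; sample
# values used for testing are constructed.

# Print the login name of the current request: the ADFS_LOGIN environment
# variable (ShibUseHeaders Off) first, the HTTP_ADFS_LOGIN header form second.
# Returns 1 when neither is set, i.e. no Shibboleth session reached us.
sso_login() {
    if [ -n "$ADFS_LOGIN" ]; then
        echo "$ADFS_LOGIN"
    elif [ -n "$HTTP_ADFS_LOGIN" ]; then
        echo "$HTTP_ADFS_LOGIN"
    else
        return 1
    fi
}

# in_group GROUPS NAME: return 0 if NAME is one of the ';'-separated GROUPS.
# Elements are compared exactly, so "Some Users Group" does not match
# "Some Users Group 2" and substring tricks in group names do not work.
in_group() {
    wanted=$2
    found=1
    old_ifs=$IFS
    IFS=';'          # split on ';' only, keeping spaces inside group names
    set -f           # no pathname expansion of the split elements
    for g in $1; do
        if [ "$g" = "$wanted" ]; then
            found=0
            break
        fi
    done
    set +f
    IFS=$old_ifs
    return $found
}

# render REQUIRED_GROUP: emit a CGI response for the current request.
# Re-checks group membership even though Apache already did (defence in
# depth against a misconfigured Require rule) and shows why REMOTE_USER
# is not the login name.
render() {
    login=$(sso_login) || { echo "Status: 401"; echo; return 1; }
    if ! in_group "$ADFS_GROUP" "$1"; then
        echo "Status: 403"; echo
        return 1
    fi
    echo "Content-Type: text/plain"
    echo
    echo "mail:  $REMOTE_USER"     # e-mail address under CERN SSO
    echo "login: $login"           # login name from ADFS_LOGIN
    echo "groups: $ADFS_GROUP"
    return 0
}
```

Installed as a CGI (for instance under a directory carrying the rules above), the script is invoked by Apache with these variables already set; the functions are separated out so they can be sourced and exercised without a web server.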
- Script configuration:
Please note that, contrary to the previous "NICE password" authentication on the central WEB/AFS services, the REMOTE_USER variable now holds the user's e-mail address (and not the login name). To get the login name, use the ADFS_LOGIN attribute instead: it reaches scripts as the ADFS_LOGIN environment variable, or as the HTTP_ADFS_LOGIN request header when ShibUseHeaders is On.
- ADFS Application configuration:
Once your Apache Web application is configured, you simply need to have your application added to the allowed application list in CERN Single Sign On.
To do so, go to this form and specify these 3 items:
- Your application name: please provide a telling name for your application (it must be unique).
- Your application URL, as declared in the saml:Audience property above.
- Your name and e-mail address for further contact.
- Once you get a confirmation that your application has been configured for CERN SSO, (re)start services on your system as root:
# /sbin/service shibd restart
# /sbin/service httpd restart
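A forgotten somehost.cern.ch, or an entityID that does not match the Audience registered with CERN SSO, only shows up as a failed login after the restart. The script below is an added example, not part of the CERN page or of the Shibboleth packages: it replaces the placeholder host name and checks, before shibd and httpd are restarted, that no placeholder is left and that entityID and saml:Audience both equal https://HOST/Shibboleth.sso/ADFS. The file path and host name are parameters; write_sample_config produces a constructed excerpt of shibboleth2.xml that is only used to exercise the functions offline.

```shell
#!/bin/sh
# Added example (not from the CERN page): verify that shibboleth2.xml has been
# fully customised for this host before shibd and httpd are restarted.

PLACEHOLDER='somehost\.cern\.ch'

# Print how many times the placeholder host name still occurs in FILE
# (occurrences, not lines: entityID and homeURL share one line).
count_placeholder() {
    n=$(grep -o "$PLACEHOLDER" "$1" | wc -l)
    echo $((n))
}

# substitute_host FILE HOST: replace every placeholder with HOST. '|' is the
# sed delimiter, so HOST must not contain '|'; the file is rewritten through a
# temporary copy so the script works with any sed implementation.
substitute_host() {
    sed "s|$PLACEHOLDER|$2|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_config FILE HOST: return 0 when FILE is consistent for HOST, i.e. no
# placeholder is left and both entityID and <saml:Audience> equal
# https://HOST/Shibboleth.sso/ADFS, the URL that must be registered with
# CERN SSO. Each failure is reported on stderr.
check_config() {
    expected="https://$2/Shibboleth.sso/ADFS"
    if [ "$(count_placeholder "$1")" -ne 0 ]; then
        echo "placeholder host name still present in $1" >&2
        return 1
    fi
    grep -q "entityID=\"$expected\"" "$1" \
        || { echo "entityID is not $expected" >&2; return 1; }
    grep -q "<saml:Audience>$expected</saml:Audience>" "$1" \
        || { echo "saml:Audience is not $expected" >&2; return 1; }
    return 0
}

# write_sample_config FILE: constructed excerpt of shibboleth2.xml carrying
# exactly the five placeholders listed in the configuration steps; used only
# to exercise the functions above without touching /etc/shibboleth.
write_sample_config() {
    cat > "$1" <<'EOF'
<SPConfig>
  <InProcess>
    <ISAPI>
      <Site id="1" name="somehost.cern.ch"/>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="somehost.cern.ch"/>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch">
    <saml:Audience>https://somehost.cern.ch/Shibboleth.sso/ADFS</saml:Audience>
  </ApplicationDefaults>
</SPConfig>
EOF
}
```

On a real system, source the script and run `check_config /etc/shibboleth/shibboleth2.xml "$(hostname -f)"` before the two restart commands; a non-zero exit with the message on stderr tells you which of the three conditions is not met.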
Support
For problems related to packaging of shibboleth / log4shib, contact: linux.support@cern.ch
For information and help about shibboleth configuration for CERN Single Sign On, see: CERN Authentication web pages