<<O>> Difference Topic ManualInstallIdP (r1.26 - 21 Jul 2008 - BrucLiong)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 35 to 35

Install the IdP

Download the latest IdP package, shibboleth-idp-1.3c.tar.gz

Changed:

<
<

- Shibboleth IdP: shibboleth-idp-1.3.2.tar.gz

>
>

- Shibboleth IdP: shibboleth-idp-1.3.3.tar.gz

Untar it into a temporary working directory. We will refer to this directory as the environment SHIB_INSTALL.
Shibboleth IdP requires that a specific version of the Xerces library be used. For that reason, we need to copy the following files, resolver.jar, xalan.jar, xercesImpl.jar and xml-apis.jar into the $TOMCAT_HOME/common/endorsed folder;

<<O>> Difference Topic ManualInstallIdP (r1.25 - 17 Jul 2008 - BrucLiong)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 415 to 415

Under the new organization, add an IdP with the following details:
- Certificate CN: the hostname of your IdP machine, ie. MY_DNS
- SSO URL: https://MY_DNS/shibboleth-idp/SSO

Deleted:

<
<

- Artifact Resolution Service URL: https://MY_DNS:8443/shibboleth-idp/Artifact

- Attribute Authority Service URL: https://MY_DNS:8443/shibboleth-idp/AA

Added:

>
>

- Artifact Resolution Service URL: https://MY_DNS:8443/shibboleth-idp/Artifact

- Federation Level: 1
Configure your system to regularly download the latest Federation metadata by following this guide here
Note it can be many hours before other SPs in the Testbed Federation

<<O>> Difference Topic ManualInstallIdP (r1.24 - 20 Jun 2008 - BrucLiong)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 290 to 290

xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 shibboleth-idpconfig-1.0.xsd" AAUrl="https://MY_DNS:8443/shibboleth-idp/AA" resolverConfig="file:/usr/local/shibboleth-idp/etc/resolver.ldap.xml"

Changed:

<
<

defaultRelyingParty="urn:mace:federation.org.au:testfed"

>
>

defaultRelyingParty="urn:mace:federation.org.au:testfed:level-1"

providerId="urn:mace:federation.org.au:testfed:MY_DNS">

Changed:

<
<

<RelyingParty name="urn:mace:federation.org.au:testfed"

>
>

<RelyingParty name="urn:mace:federation.org.au:testfed:level-1"

signingCredential="testfed_level_1_cred">

<<O>> Difference Topic ManualInstallIdP (r1.23 - 05 Mar 2008 - BrucLiong)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 65 to 65

- ```
cat newreq.pem
```
- Make sure that when you answer the question above when it comes to setting the Common Name, you enter the machine's Fully Qualified Domain Name such as "myhost.edu.au"

Added:

>
>

- Make sure that your tomcat user (or whatever user that you use for IdP) has access to these certificate files

On the IdP machine, open up a browser and go to this URL http://www.federation.org.au/CA/CA-sign.html
Open the file newreq.pem with a text editor and copy the section between:

<<O>> Difference Topic ManualInstallIdP (r1.22 - 10 Dec 2007 - PeterHS)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 171 to 171

<VirtualHost MY_IP:8443>
    SSLEngine on

Changed:

<
<

ServerName^? MY_DNS

>
>

ServerName^? MY_DNS:8443 UseCanonicalName^? on SSLVerifyDepth^? 10

SSLCipherSuite^? ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLVerifyClient^? optional_no_ca SSLOptions +StdEnvVars +ExportCertData

<<O>> Difference Topic ManualInstallIdP (r1.21 - 27 Aug 2007 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 133 to 133

- ```
Listen 443 
```
```
Listen 8443
```
Create the first SSL virtual host file, 003-ssl-vhost.conf, in the directory /etc/apache2/sites-available,

Changed:

<
<

with the following content, making sure to substitute MY_DNS with your actual hostname:

>
>

with the following content, making sure to substitute MY_DNS with your actual fully qualified hostname:

<VirtualHost MY_IP:443>
    SSLEngine on

Changed:

<
<

ServerName^? MY_DNS

>
>

ServerName^? MY_DNS:443 UseCanonicalName^? on

SSLCipherSuite^? ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLOptions +StdEnvVars +ExportCertData SSLCertificateFile^? /etc/certs/mycert.pem

<<O>> Difference Topic ManualInstallIdP (r1.20 - 25 Aug 2007 - BrucLiong)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 207 to 207

"https://MY_DNS:8443"

Configuring Tomcat mod_jk Connector

Added:

>
>

This section below uses Apache to protect IdP. Alternatively, you can use [Federation.ProtectIdPTomcatAuthentication][using Tomcat Authentication]] to protect IdP.
Also, this section assume you're using mod_jk on apache. Newer apache/httpd can use mod_proxy.

Install the mod_jk connector for Apache 2
- ```
$apt-get install libapache2-mod-jk
```

Line: 423 to 425

Deleted:

<
<

-- ChiNguyen - 15 Feb 2006

META FILEATTACHMENT	resolver.ldap.xml	attr="" comment="Basic ldap resolver file" date="1140150673" path="resolver.ldap.xml" size="7022" user="ChiNguyen" version="1.2"
META FILEATTACHMENT	arp.site.xml	attr="" comment="Default arp.site.xml that does not release any attribute" date="1140357452" path="arp.site.xml" size="336" user="ChiNguyen" version="1.1"

<<O>> Difference Topic ManualInstallIdP (r1.19 - 22 Aug 2007 - BrucLiong)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 35 to 35

Install the IdP

Download the latest IdP package, shibboleth-idp-1.3c.tar.gz

Changed:

<
<

- Shibboleth IdP: shibboleth-idp-1.3c.tar.gz

>
>

- Shibboleth IdP: shibboleth-idp-1.3.2.tar.gz

Untar it into a temporary working directory. We will refer to this directory as the environment SHIB_INSTALL.
Shibboleth IdP requires that a specific version of the Xerces library be used. For that reason, we need to copy the following files, resolver.jar, xalan.jar, xercesImpl.jar and xml-apis.jar into the $TOMCAT_HOME/common/endorsed folder;

<<O>> Difference Topic ManualInstallIdP (r1.18 - 04 Jan 2007 - PeterHS)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 12 to 12

Make sure a browser exists in the system, if not, install Mozilla Firefox
Java 1.5.x with JAVA_HOME environment set up to point to this location
Web browser such as Mozilla Firefox

Changed:

<
<

Apache 2 with SSL.

>
>

Apache 2 with SSL

Bind, search, authenticate as a user and retrieve their attributes from your institution's LDAP.
Ntp tools to synchronize time with a remote time server (eg. ntpdate)
wget (or something similar to download files from a webserver on a command line).

Line: 376 to 376

when configuring the LDAP resolver for Shibboleth IdP Attribute Authority. You need to change the details below to match your particular LDAP. For now we assume the following:

- Bind DN: uid=binduser,ou=demo,dc=mams,dc=org,dc=au

Changed:

<
<

- Password for binding to the LDAP: test

>
>

- Bind password: test

- LDAP host: idp-ldap.mams.org.au
- Base DN to search for users: ou=demo,dc=mams,dc=org,dc=au

<<O>> Difference Topic ManualInstallIdP (r1.17 - 25 Sep 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 284 to 284

xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 shibboleth-idpconfig-1.0.xsd" AAUrl="https://MY_DNS:8443/shibboleth-idp/AA" resolverConfig="file:/usr/local/shibboleth-idp/etc/resolver.ldap.xml"

Changed:

<
<

defaultRelyingParty="urn:mace:federation.org.au:testfed:level-1" providerId="urn:mace:federation.org.au:testfed:level-1:MY_DNS">

>
>

defaultRelyingParty="urn:mace:federation.org.au:testfed" providerId="urn:mace:federation.org.au:testfed:MY_DNS">

Changed:

<
<

<RelyingParty name="urn:mace:federation.org.au:testfed:level-1"

>
>

<RelyingParty name="urn:mace:federation.org.au:testfed"

signingCredential="testfed_level_1_cred">

Line: 405 to 405

Log in to your Federation Management page, http://www.federation.org.au/FedManager/jsp/admin-main.jsp. You should change the password emailed to you by updating your details.

Changed:

<
<

Add a new Organization. It is important that your Domain details is the hostname of your IdP machine.

>
>

Add a new Organization. It is important that your Organization Entity Id detail is of the form urn:mace:federation.org.au:testfed:MY DNS

Under the new organization, add an IdP with the following details:
- Certificate CN: the hostname of your IdP machine, ie. MY_DNS
- SSO URL: https://MY_DNS/shibboleth-idp/SSO

Changed:

<
<

- AA URL: https://MY_DNS:8443/shibboleth-idp/AA

>
>

- Artifact Resolution Service URL: https://MY_DNS:8443/shibboleth-idp/Artifact
- Attribute Authority Service URL: https://MY_DNS:8443/shibboleth-idp/AA

- Federation Level: 1
Configure your system to regularly download the latest Federation metadata by following this guide here
Note it can be many hours before other SPs in the Testbed Federation

<<O>> Difference Topic ManualInstallIdP (r1.16 - 31 Jul 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 25 to 25

Install Tomcat 5

Download Tomcat 5

Changed:

<
<

- Tomcat 5.0.28: apache-tomcat-5.5.17.tar.gz

>
>

- Tomcat 5.5.17: apache-tomcat-5.5.17.tar.gz

Unpack the above package into /usr/local and setup the variable TOMCAT_HOME to point to the top level of tomcat.
- ```
$tar xzvf apache-tomcat-5.5.17.tar.gz
```
- ```
$mv apache-tomcat-5.5.17 /usr/local/.
```

Line: 227 to 227

There should already be a jk.load file in /etc/apache2/mods-available.

Make the symbolic links to enable the mod_jk module in Apache 2:

$ln -s /etc/apache2/mods-available/jk.load /etc/apache2/mods-enabled/.

Changed:

<
<

$ln -s /etc/apache2/mods-enabled/jk.conf /etc/apache2/mods-enabled/.

>
>

$ln -s /etc/apache2/mods-available/jk.conf /etc/apache2/mods-enabled/.

Create a new workers.properties file in /etc/apache2 directory with the following:

Line: 362 to 362

Configure Shibboleth IdP with Apache 2 LDAP Authentication:

Install the Apache 2 mod_auth_ldap package:

Changed:

<
<

- ```
$apt-get install libapache-mod-ldap
```

>
>

*

$apt-get install libapache-mod-ldap libapache-auth-ldap

Creating the file in /etc/apache2/mods-available directory called auth_ldap.load with the two lines below:
- ```
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
```

<<O>> Difference Topic ManualInstallIdP (r1.15 - 27 Jul 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 244 to 244

Changed:

<
<

Add the following directives to the above vhost files (for both port 443 and 8443) just before the enclosing

>
>

Add the following directives to the above vhost files (for both port 443 and 8443) just before the enclosing VirtualHost^? directive

- ```
JkMount /shibboleth-idp/* shibboleth
```

Start up Tomcat 5:

<<O>> Difference Topic ManualInstallIdP (r1.14 - 25 Jul 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 76 to 76

Paste the information into the form on the browser and hit Submit. Copy the resultant certificate into a file and call it mycert.pem.
Note that if you do not run the browser from the same machine as your IdP, you will not be able to obtain a certificate

Changed:

<
<

Download the level-1 CA certificate from this URL: http://www.federation.org.au/CA/level-1-ca.crt into /etc/certs directory

>
>

Download the level-1 CA certificate from this URL: http://www.federation.org.au/level-1-ca.crt into /etc/certs directory

Check that at this point you have the three files:
- Your IdP x509 certificate: mycert.pem
- Your IdP key: mykey.pem

<<O>> Difference Topic ManualInstallIdP (r1.13 - 24 Jul 2006 - ChiNguyen)

  META TOPICPARENT  WebHome 

  Manual Installation of Shibboleth Identity Provider 
Below are step-by-step instructions on setting up an IdP on a Debian Linux system,
   Install Tomcat 5 


 Download Tomcat 5
-<
<
+ Tomcat 5.0.28: jakarta-tomcat-5.0.28.tar.gz
->
>
+ Tomcat 5.0.28: apache-tomcat-5.5.17.tar.gz
  Unpack the above package into /usr/local and setup the variable TOMCAT_HOME to point to the top level of tomcat.
-<
<
+ $tar xzvf jakarta-tomcat-5.0.28.tar.gz

 $mv jakarta-tomcat-5.0.28 /usr/local/.

 ln -s /usr/local/jakarta-tomcat-5.0.28 /usr/local/tomcat
->
>
+ $tar xzvf apache-tomcat-5.5.17.tar.gz

 $mv apache-tomcat-5.5.17 /usr/local/.

 ln -s /usr/local/apache-tomcat-5.5.17 /usr/local/tomcat
  $export TOMCAT_HOME=/usr/local/tomcat
  Create the first SSL virtual host file, 003-ssl-vhost.conf, in the directory /etc/apache2/sites-available,
     with the following content, making sure to substitute MY_DNS with your actual hostname:
-<
<
->
>
     SSLEngine on
->
>
+    ServerName^? MY_DNS
     SSLCipherSuite^? ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLOptions +StdEnvVars +ExportCertData
    SSLCertificateFile^? /etc/certs/mycert.pem
      with the following contents, making sure to substitute MY_DNS with your actual hostname:
-<
<
->
>
     SSLEngine on
->
>
+    ServerName^? MY_DNS
     SSLCipherSuite^? ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLVerifyClient^? optional_no_ca
    SSLOptions +StdEnvVars +ExportCertData
      IdP machine via https protocol on port 443 and 8443, ie. use the followingg URL "https://MY_DNS" and 
     "https://MY_DNS:8443"
-<
<
+  Configuring Tomcat JK2 Connector 

 Install the JK2 connector for Apache 2

 $apt-get install libapache2-mod-jk2
->
>
+  Configuring Tomcat mod_jk Connector 

 Install the mod_jk connector for Apache 2

 $apt-get install libapache2-mod-jk
-<
<
+ Create a file called, jk2.load, in the directory /etc/apache2/mods-available, with the following content:

 LoadModule jk2_module /usr/lib/apache2/modules/mod_jk2.so
->
>
+ Create a file called, jk.conf, in the directory /etc/apache2/mods-available, with the following content:
-<
<
+ Create the configuration file for jk2 called jk2.conf also in the same directory, /etc/apache2/mods-available,
     with the following content:

 JkSet config.file /etc/apache2/workers2.properties
->
>
+  LoadModule^? jk_module mod_jk.so
-<
<
+ Make the symbolic links to enable the jk2 module in Apache 2:

 $ln -s /etc/apache2/mods-available/jk2.load /etc/apache2/mods-enabled/.

 $ln -s /etc/apache2/mods-enabled/jk2.conf /etc/apache2/mods-enabled/.
->
>
+JkWorkersFile^? "/etc/apache2/workers.properties"
JkLogFile^? "/var/log/apache2/mod_jk.log"
-<
<
+ Create a new workers2.properties file in /etc/apache2 directory with the following:


      [logger]
      info=Native logger
      level=ERROR

      [config:]
      file=/etc/apache2/workers2.properties
      debug=0
      debugEnv=0

      [uriMap:]
      info=Maps the requests.
      debug=0

      [shm:]
      info=Scoreboard. Required for reconfiguration and status with multiprocess servers
      file=anonymous
      debug=0

      [workerEnv:]
      info=Global server options
      timing=0
      debug=0

      [lb:lb]
      info=Default load balancer.
      debug=0

      [channel.socket:localhost:8009]
      info=Ajp13 forwarding over socket
      debug=0
      tomcatId=localhost:8009

      #define the worker
      [ajp13:localhost:8009]
      channel=channel.socket:localhost:8009


      [uri:/jsp-examples/*]
      info=JSP 2.0 Examples.
      debug=0

      [uri:/servlets-examples/*]
      info=Servlet 2.4 Examples.
      debug=0
->
>
+JkLogLevel^? debug
-<
<
+      [uri:/shibboleth-idp/*]
      info=IDP
->
>
+      workers.tomcat_home=/usr/local/tomcat
      workers.java_home=/usr/lib/jvm/java-1.5.0-sun-1.5.0.07
      ps=/
      worker.list=shibboleth

      # Definition for local worker using AJP 1.3
      #
      worker.shibboleth.type=ajp13
      worker.shibboleth.host=localhost
      worker.shibboleth.port=8009
<nop>
-<
<
+ Note that the above configuration specifies that all requests to contents 
     under the URL "http://MY_DNS/shibboleth-idp/*" will be forwarded to 
     the Shibboleth Idp webapp residing in Tomcat 5
->
>
+ Add the following directives to the above vhost files (for both port 443 and 8443) just before the enclosing 

 JkMount /shibboleth-idp/* shibboleth
  Start up Tomcat 5:

 $$TOMCAT_HOME/bin/startup.sh

<<O>> Difference Topic ManualInstallIdP (r1.12 - 13 Apr 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 360 to 360

Install ntpdate time synchronization tool:
- ```
$apt-get install ntpdate
```
Under the /etc/cron.hourly directory, create a new script,

Changed:

<
<

called shibboleth-metadata.sh, with the following content:

>
>

called ntpdate.sh, with the following content:

      #!/bin/sh

Line: 364 to 364

      #!/bin/sh

Deleted:

<
<

/usr/sbin/ntpdate 128.250.37.2 129.127.28.4

Deleted:

<
<

METAURL="http://www.federation.org.au/level-1/level-1-metadata.xml" METAFILE="/usr/local/shibboleth-idp/etc/level-1-metadata.xml" TEMPXML="/tmp/metadata-temp.xml" TEMPLOG="/tmp/metadata-log.txt"

wget --cache=off -O $TEMPXML -o $TEMPLOG "$METAURL" if -n ` grep "200 OK" $TEMPLOG ` ^? then cp $TEMPXML $METAFILE fi

rm $TEMPXML $TEMPLOG

Note the above script uses the ntpdate command to update your system clock every hour so that your machine's clock is kept up to date.

Changed:

<
<

The other thing the script does is to regularly download the latest Federation metadata file from the Federation server.

Make sure the script is executable, and then manually execute it for the first time. This will download the federation metadata.
- ```
$chmod u+x shibboleth-metadata.sh
```
- ```
$./shibboleth-metadata.sh
```

>
>

Make sure the script is executable, and then manually execute it for the first time.

Manually download the federation metadata for the first time:

$wget https://www.federation.org.au/level-1/level-1-metadata.xml -O /usr/local/shibboleth-idp/etc/level-1-metadata.xml

Configuring the Shibboleth IdP LDAP resolver:

Line: 456 to 438

- SSO URL: https://MY_DNS/shibboleth-idp/SSO
- AA URL: https://MY_DNS:8443/shibboleth-idp/AA
- Federation Level: 1

Changed:

<
<

Once you have added a new IdP, manually run the shibboleth-metadata.sh script in the /etc/cron.hourly directory, to download the latest Level 1 Testbed Federation metadata.
- ```
$/etc/cron.hourly/shibboleth-metadata.sh$
```

>
>

Configure your system to regularly download the latest Federation metadata by following this guide here

Note it can be many hours before other SPs in the Testbed Federation retrieve the latest metadata that contains your IdP information.

Deleted:

<
<

Open up a browser from any machine and point it to a test Service Provider, https://demo.federation.org.au/shibboleth/target

Deleted:

<
<

At the WAYF, select your new IdP in the drop down list. Authenticate as a user in your system LDAP and you should successfully see a MAMS Test Service Provider Page.

<<O>> Difference Topic ManualInstallIdP (r1.11 - 22 Mar 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 62 to 62

```
mkdir /etc/certs && cd /etc/certs
```

openssl req -newkey rsa:1024 -nodes -keyout newkey.pem -out newreq.pem

```
mv newkey.pem mykey.pem
```

Changed:

<
<

- ```
cat mykey.pem
```

>
>

- ```
cat newreq.pem
```

- Make sure that when you answer the question above when it comes to setting the Common Name, you enter the machine's Fully Qualified Domain Name such as "myhost.edu.au"
On the IdP machine, open up a browser and go to this URL http://www.federation.org.au/CA/CA-sign.html

<<O>> Difference Topic ManualInstallIdP (r1.10 - 13 Mar 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 312 to 312

xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 shibboleth-idpconfig-1.0.xsd" AAUrl="https://MY_DNS:8443/shibboleth-idp/AA" resolverConfig="file:/usr/local/shibboleth-idp/etc/resolver.ldap.xml"

Changed:

<
<

defaultRelyingParty="urn:au:testfed:level-1" providerId="urn:au:testfed:level-1:MY_DNS">

>
>

defaultRelyingParty="urn:mace:federation.org.au:testfed:level-1" providerId="urn:mace:federation.org.au:testfed:level-1:MY_DNS">

Changed:

<
<

<RelyingParty name="urn:au:testfed:level-1"

>
>

<RelyingParty name="urn:mace:federation.org.au:testfed:level-1"

signingCredential="testfed_level_1_cred">

<<O>> Difference Topic ManualInstallIdP (r1.9 - 19 Feb 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 397 to 397

Edit the directory connector part down the bottom of the file to put in your correct LDAP host, binduser and password

Added:

>
>

Configuring the Attribute Release Policy:

Download the attached arp.site.xml and replace the existing one in /usr/local/shibboleth-idp/etc/arps. This is a default site-wide Attribute Release Policy configuration file that prevents the release of any attribute. For examples of how to edit this file and release attribute see this guide ARP.

Configure Shibboleth IdP with Apache 2 LDAP Authentication:

Install the Apache 2 mod_auth_ldap package:

Line: 467 to 475

-- ChiNguyen - 15 Feb 2006

META FILEATTACHMENT	resolver.ldap.xml	attr="" comment="Basic ldap resolver file" date="1140150673" path="resolver.ldap.xml" size="7022" user="ChiNguyen" version="1.2"

Added:

>
>

META FILEATTACHMENT	arp.site.xml	attr="" comment="Default arp.site.xml that does not release any attribute" date="1140357452" path="arp.site.xml" size="336" user="ChiNguyen" version="1.1"

<<O>> Difference Topic ManualInstallIdP (r1.8 - 19 Feb 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 279 to 279

- ```
$$TOMCAT_HOME/bin/startup.sh
```
Go to $TOMCAT_HOME/conf and edit the server.xml file. Make sure that the following block is added or uncommented:

Changed:

<
<

- <Connector port="8009" address="127.0.0.1" request.tomcatAuthentication="false" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

>
>

        <Connector port="8009" address="127.0.0.1" request.tomcatAuthentication="false"
            enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Make sure that any Coyote Connector defined for port 8009 is commented out
Stop and restart Tomcat 5 and Apache 2 by executing the scripts:

Line: 301 to 303

of blocks which are commented out and closing xml brackets*.

Deleted:

<
<

AAUrl="https://MY_DNS:8443/shibboleth-idp/AA"

Added:

>
>

<IdPConfig xmlns="urn:mace:shibboleth:idp:config:1.0" xmlns:cred="urn:mace:shibboleth:credentials:1.0" xmlns:name="urn:mace:shibboleth:namemapper:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 shibboleth-idpconfig-1.0.xsd" AAUrl="https://MY_DNS:8443/shibboleth-idp/AA"

resolverConfig="file:/usr/local/shibboleth-idp/etc/resolver.ldap.xml"

Deleted:

<
<

defaultRelyingParty="urn:au:testfed:level-1"

Added:

>
>

providerId="urn:au:testfed:level-1:MY_DNS">

Deleted:

<
<

providerId="urn:au:testfed:level-1:MY_DNS"

<RelyingParty name="urn:au:testfed:level-1"

Line: 458 to 465

-- ChiNguyen - 15 Feb 2006

Deleted:

<
<

resolver.ldap.xml: Basic ldap resolver file

Changed:

<
<

META FILEATTACHMENT	resolver.ldap.xml	attr="h" comment="Basic ldap resolver file" date="1140150673" path="resolver.ldap.xml" size="7022" user="ChiNguyen" version="1.2"

>
>

META FILEATTACHMENT	resolver.ldap.xml	attr="" comment="Basic ldap resolver file" date="1140150673" path="resolver.ldap.xml" size="7022" user="ChiNguyen" version="1.2"

<<O>> Difference Topic ManualInstallIdP (r1.7 - 18 Feb 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 11 to 11

administrators to modify it slightly for use on other Linux distributions such as SUSE or RedHat^?.

Make sure a browser exists in the system, if not, install Mozilla Firefox
Java 1.5.x with JAVA_HOME environment set up to point to this location

Changed:

<
<

Apache 2 with SSL and mod_authldap.
Bind, search, authenticate as a user and retrieve their attributes to your institution LDAP.

>
>

Web browser such as Mozilla Firefox
Apache 2 with SSL.
Bind, search, authenticate as a user and retrieve their attributes from your institution's LDAP.

Ntp tools to synchronize time with a remote time server (eg. ntpdate)
wget (or something similar to download files from a webserver on a command line).
Machine with a public IP address and a public DNS name associated with that IP. For the rest of this guide,

Line: 21 to 22

- TCP destination ports (ie. ports on the IdP machine) 80, 443, 8443.
- UDP source port (ie. port on the remote host) 123.

Deleted:

<
<

Updating the System (Debian)

This has to be done to update the system to its latest stage.

   1. cat >/etc/apt/sources.list <<TEXT
      deb ftp://ftp.au.debian.org/debian unstable main contrib non-free
      TEXT
   2. apt-get update
   3. apt-get install less mozilla-firefox apache2 ntpdate

Install Tomcat 5

Download Tomcat 5

Line: 78 to 69

Open the file newreq.pem with a text editor and copy the section between:

   -----BEGIN CERTIFICATE REQUEST-----

Changed:

<
<

   ......

---++++ Configuring the Shibboleth IdP Attribute Release Policies

>
>

   ......

   -----END CERTIFICATE REQUEST-----

Make sure you also include the above lines when copying.

Line: 225 to 215

with the following content:

JkSet config.file /etc/apache2/workers2.properties

Added:

>
>

Make the symbolic links to enable the jk2 module in Apache 2:

$ln -s /etc/apache2/mods-available/jk2.load /etc/apache2/mods-enabled/.

$ln -s /etc/apache2/mods-enabled/jk2.conf /etc/apache2/mods-enabled/.

Create a new workers2.properties file in /etc/apache2 directory with the following:

      [logger]

Line: 356 to 350

Ensure that cron service is enabled on your system.

Added:

>
>

Install ntpdate time synchronization tool:
- ```
$apt-get install ntpdate
```

Under the /etc/cron.hourly directory, create a new script, called shibboleth-metadata.sh, with the following content:

Line: 378 to 374

Changed:

<
<

Note the above script assumes that you have the ntpdate command to update your

>
>

Note the above script uses the ntpdate command to update your

system clock every hour so that your machine's clock is kept up to date.

Changed:

<
<

Make sure you change the location of where ntpdate command resides and change the above script accordingly. The other thing the script does is to regularly

>
>

The other thing the script does is to regularly

download the latest Federation metadata file from the Federation server.

Make sure the script is executable, and then manually execute it for the first time. This will download the federation metadata.

Line: 440 to 435

Log in to your Federation Management page, http://www.federation.org.au/FedManager/jsp/admin-main.jsp. You should change the password emailed to you by updating your details.

Changed:

<
<

Add a new Organization. *It is important that your Domain details is the hostname of your IdP machine.*

>
>

Add a new Organization. It is important that your Domain details is the hostname of your IdP machine.

Under the new organization, add an IdP with the following details:
- Certificate CN: the hostname of your IdP machine, ie. MY_DNS
- SSO URL: https://MY_DNS/shibboleth-idp/SSO

<<O>> Difference Topic ManualInstallIdP (r1.6 - 17 Feb 2006 - ChiNguyen)

META TOPICPARENT	WebHome

Manual Installation of Shibboleth Identity Provider

Below are step-by-step instructions on setting up an IdP on a Debian Linux system,

Line: 71 to 71

```
mkdir /etc/certs && cd /etc/certs
```

openssl req -newkey rsa:1024 -nodes -keyout newkey.pem -out newreq.pem

```
mv newkey.pem mykey.pem
```

Changed:

<
<

- ```
cat newreq.pem
```

>
>

- ```
cat mykey.pem
```

- Make sure that when you answer the question above when it comes to setting the Common Name,

Changed:

<
<

you enter the machine's Fully Qualified Domain Name such as "_myhost.edu.au_"

>
>

you enter the machine's Fully Qualified Domain Name such as "myhost.edu.au"

On the IdP machine, open up a browser and go to this URL http://www.federation.org.au/CA/CA-sign.html
Open the file newreq.pem with a text editor and copy the section between:

   -----BEGIN CERTIFICATE REQUEST-----

Changed:

<
<

   ......

>
>

   ......

---++++ Configuring the Shibboleth IdP Attribute Release Policies

   -----END CERTIFICATE REQUEST-----

Make sure you also include the above lines when copying.
Paste the information into the form on the browser and hit Submit. Copy the resultant certificate into a file and call it mycert.pem.
Note that if you do not run the browser from the same machine as your IdP, you will not be able to obtain a certificate

Changed:

<
<

Download the level-1 CA certificate from this URL: http://www.federation.org.au/CA/level-1-ca.crt.

>
>

Download the level-1 CA certificate from this URL: http://www.federation.org.au/CA/level-1-ca.crt into /etc/certs directory
Check that at this point you have the three files:
- Your IdP x509 certificate: mycert.pem
- Your IdP key: mykey.pem
- Level-1 CA x509 certificate: level-1-ca.crt

Configure Apache 2 with SSL

Line: 138 to 143

- ```
Listen 443 
```
```
Listen 8443
```
Create the first SSL virtual host file, 003-ssl-vhost.conf, in the directory /etc/apache2/sites-available,

Changed:

<
<

with the following content:

>
>

with the following content, making sure to substitute MY_DNS with your actual hostname:

Changed:

<
<

>
>

SSLEngine on SSLCipherSuite^? ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLOptions +StdEnvVars +ExportCertData

Line: 148 to 153

SSLCertificateKeyFile^? /etc/certs/mykey.pem CustomLog^? /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Added:

>
>

DocumentRoot^? /var/www/ Options FollowSymLinks^? AllowOverride^? None Options Indexes FollowSymLinks^? MultiViews^? AllowOverride^? None Order allow,deny allow from all # This directive allows us to have apache2's default start page # in /apache2-default/, but still have / go to the right place RedirectMatch^? ^/$ /apache2-default/

Create the second ssl vhost file, 004-ssl-vhost.conf, also in the same directory /etc/apache2/sites-available,

Changed:

<
<

with the following content:

>
>

with the following contents, making sure to substitute MY_DNS with your actual hostname:

Changed:

<
<

>
>

SSLEngine on SSLCipherSuite^? ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLVerifyClient^? optional_no_ca SSLOptions +StdEnvVars +ExportCertData

Changed:

<
<

SSLCertificateFile^? /etc/certs/mycert.crt

>
>

SSLCertificateFile^? /etc/certs/mycert.pem

SSLCertificateKeyFile^? /etc/certs/mykey.pem CustomLog^? /var/log/apache2/ssl_request_log_aa "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Added:

>
>

DocumentRoot^? /var/www/ Options FollowSymLinks^? AllowOverride^? None Options Indexes FollowSymLinks^? MultiViews^? AllowOverride^? None Order allow,deny allow from all # This directive allows us to have apache2's default start page # in /apache2-default/, but still have / go to the right place RedirectMatch^? ^/$ /apache2-default/

Line: 253 to 289

enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

Make sure that any Coyote Connector defined for port 8009 is commented out

Changed:

<
<

Stop and restart Tomcat 5 by executing the scripts:

>
>

Stop and restart Tomcat 5 and Apache 2 by executing the scripts:

```
$$TOMCAT_HOME/bin/shutdown.sh
```
```
$$TOMCAT_HOME/bin/startup.sh
```

Added:

>
>

- ```
$/etc/init.d/apache 2 restart
```

Test that the Tomcat connector is working by pointing your browser to "https://MY_DNS/servlets-examples/index.html". You should see a page where you can try out all the example servlets that came with Tomcat 5.

Line: 265 to 302

/usr/local/shibboleth-idp, ie your SHIB_HOME. If not, you will need to make the changes to point to your correct location. You will also need to replace MY_DNS with the actual value of your IdP DNS name.

Changed:

<
<

Search and edit /usr/local/shibboleth-idp/etc/idp.xml with the following changes:

>
>

Make a backup of your /usr/local/shibboleth-idp/etc/idp.xml to /usr/local/shibboleth-idp/etc/idp.xml.orig
Search and edit /usr/local/shibboleth-idp/etc/idp.xml with the following changes. *Be very careful of blocks which are commented out and closing xml brackets*.

      AAUrl="https://MY_DNS:8443/shibboleth-idp/AA"

Line: 352 to 391

Configuring the Shibboleth IdP LDAP resolver:

Added:

>
>

Download the attached resolver.ldap.xml and replace the existing one in /usr/local/shibboleth-idp/etc/resolver.ldap.xml

Changed:

<
<

Configuring the Shibboleth IdP Attribute Release Policies

>
>

Edit the directory connector part down the bottom of the file to put in your correct LDAP host, binduser and password

Configure Shibboleth IdP with Apache 2 LDAP Authentication:

Line: 370 to 408

We make the same assumptions about the LDAP as before,

Changed:

<
<

when configuring the LDAP resolver for Shibboleth IdP Attribute Authority. You need to change the details below to match your particular LDAP. For now we assume the following:

- Bind DN: uid=binduser,ou=people,dc=example,dc=org

>
>

when configuring the LDAP resolver for Shibboleth IdP Attribute Authority. You need to change the details below to match your particular LDAP. For now we assume the following:

- Bind DN: uid=binduser,ou=demo,dc=mams,dc=org,dc=au

- Password for binding to the LDAP: test

Changed:

<
<

- LDAP host: localhost
- Base DN to search for users: ou=people, dc=example,dc=org

>
>

- LDAP host: idp-ldap.mams.org.au
- Base DN to search for users: ou=demo,dc=mams,dc=org,dc=au

In the first SSL virtual host file, /etc/apache2/sites-available/003-ssl-vhost.conf, just before the enclosing , add the following:

Line: 383 to 421

AuthType^? Basic