Differences

This shows you the differences between two versions of the page.

--- en:services:it_security:aai:serviceowner [2024/01/31 16:19] – [Setting up your Service Provider (SP)] sdabbag
+++ en:services:it_security:aai:serviceowner [2024/01/31 17:28] (current) – [Setting up your Service Provider (SP)] sdabbag
@@ Line 89: / Line 89: @@
 ----
-** Example: Installation Guidline**
+** Example: Installation Guideline**
@@ Line 98: / Line 97: @@
 . Configure ''/etc/sbhibboleth/shibboleth2.xml''. You can use the default and configure the following values:
-  * entityID: Use your identifier for this SP e.g. ''entityID="https://oc.test.up2university.eu/shibboleth"''
+  * entityID: Use your identifier for this SP e.g. ''entityID="https://sp.example.org/shibboleth"''
-  * SSO: The url of the metadata for the up2u SSO instance which will be used to start an authentication workflow:  ''<SSO entityID="https://sso.up2university.eu/simplesaml/saml2/idp/metadata.php">SAML2</SSO>''
+  * SSO: The url of the metadata for the GWDG SSO instance which will be used to start an authentication workflow:  ''<SSO entityID="https://sso.example.org/simplesaml/saml2/idp/metadata.php">SAML2</SSO>''
   * MetadataProvider: Where to fetch metadata for the SSO instance and where to cache it on disk: ''<MetadataProvider
                 type="XML"
-                uri="https://sso.up2university.eu/simplesaml/saml2/idp/metadata.php"
+                uri="https://sso.example.org/simplesaml/saml2/idp/metadata.php"
-                backingFilePath="/etc/shibboleth/metadata/sso.up2university.eu.xml"
+                backingFilePath="/etc/shibboleth/metadata/sso.example.org.xml"
                 reloadInterval="7200">
       </MetadataProvider>''
@@ Line 115: / Line 114: @@
 . Restart apache and shibd: ''systemctl restart shibd.service; systemctl restart apache2.service;'' or ''/etc/init.d/shibd restart; /etc/init.d/apache2 restart'' (depending on your distribution and version)
-. Check if your metadata is available. It should be found at ''https://your service url/Shibboleth.sso/Metadata''. If it looks valid, proceed to step 7. Please keep in mind that the official documentation says not to use the autogenerated Metadata. If you decide to follow this hint, make the metadata publicy available at another place and proceed to step 7.
+. Check if your metadata is available. It should be found at ''https://sp.example.org/Shibboleth.sso/Metadata''. If it looks valid, proceed to step 7. Please keep in mind that the official documentation says not to use the autogenerated Metadata. If you decide to follow this hint, make the metadata publicy available at another place and proceed to step 7.
-. Open an issue in this github project to have your metadata configured in the up2u-sso. Provide either the autoconfigured or hosted metadata link in there.
+. Open an issue in this github project to have your metadata configured in the sso. Provide either the autoconfigured or hosted metadata link in there.
 ----
 ** Example: Configuration**
-In this section are the config files of one prototype SP inside up2u with ownCloud
 ''/etc/shibboleth/shibboleth2.xml''
@@ Line 149: / Line 147: @@
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
-    <ApplicationDefaults entityID="https://oc.test.up2university.eu/shibboleth"
+    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                          REMOTE_USER="eppn persistent-id targeted-id">
@@ Line 170: / Line 168: @@
             You can also override entityID on /Login query string, or in RequestMap/htaccess.
             -->
-            <SSO entityID="https://sso.up2university.eu/simplesaml/saml2/idp/metadata.php">
+            <SSO entityID="https://sso.example.org/simplesaml/saml2/idp/metadata.php">
               SAML2 SAML1
             </SSO>
@@ Line 200: / Line 198: @@
 	   <MetadataProvider
                 type="XML"
-                uri="https://sso.up2university.eu/simplesaml/saml2/idp/metadata.php"
+                uri="https://sso.example.org/simplesaml/saml2/idp/metadata.php"
-                backingFilePath="/etc/shibboleth/metadata/sso.up2university.eu.xml"
+                backingFilePath="/etc/shibboleth/metadata/sso.example.org.xml"
                 reloadInterval="7200">
               </MetadataProvider>
@@ Line 257: / Line 255: @@
+''/etc/shibboleth/attribute-map.xml''
+<code>
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    <!-- Some more eduPerson attributes, uncomment these to use them... -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    -->
+    <!-- Examples of LDAP-based attributes, uncomment to use these... -->
+    <!--
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.5.4.43" id="initials"/>
+    <Attribute name="urn:oid:2.5.4.13" id="description"/>
+    <Attribute name="urn:oid:2.5.4.7" id="l"/>
+    <Attribute name="urn:oid:2.5.4.10" id="o"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+    -->
+</Attributes>
+</code>
+**/etc/apache2/site-enabled/ssl.conf**
+<code>
+<VirtualHost *:443>
+  DocumentRoot /var/www/html
+  <Directory />
+    Options FollowSymLinks
+    AllowOverride None
+  </Directory>
+  <Directory /var/www/>
+    Options Indexes FollowSymLinks
+		AllowOverride All
+		Order allow,deny
+		allow from all
+  </Directory>
+    # always fill env with shib variable
+    <Location />
+        AuthType shibboleth
+        ShibRequestSetting requireSession false
+        Require shibboleth
+    </Location>
+  <Location /index.php/login>
+    AuthType shibboleth
+    ShibRequireSession On
+    ShibUseHeaders Off
+    ShibExportAssertion On
+    require valid-user
+  </Location>
+  ServerName sp.example.org
+  UseCanonicalName On
+SSLCertificateFile /etc/letsencrypt/live/sp.example.org/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/sp.example.org/privkey.pem
+Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</code>