...

  • Create a database. The data is stored in a single table called StorageRecords; we recommend creating the database idp_db (which, as per another section of this document, can also host the shibpid table storing the values of the PersistentNameID / eduPersonTargetedID attribute and the tb_st table storing the auEduPersonSharedToken values).

    Code Block (sql)
     CREATE DATABASE idp_db CHARACTER SET utf8 COLLATE utf8_bin;
     CREATE USER 'idp_admin'@'localhost' IDENTIFIED BY 'IDP_ADMIN_PASSWORD';
     GRANT ALL PRIVILEGES ON idp_db.* TO 'idp_admin'@'localhost';


    Note

    It is strongly encouraged to create the databases with utf8 character encoding and utf8_bin collation (sorting).

    Earlier versions of this document did not specify these settings and the database (and all tables) would be created with the default system encoding and collation.

    To convert these to utf8 / utf8_bin, please run:

    Code Block (sql)
    ALTER DATABASE idp_db DEFAULT CHARACTER SET = utf8 COLLATE = utf8_bin;
    ALTER TABLE tb_st CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
    ALTER TABLE StorageRecords CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
    ALTER TABLE shibpid CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;



  • Create the StorageRecords table.  This part can be tricky, as different versions of the IdP ship with different versions of Hibernate, which use different database mappings / field names.  IdP 3.0.0 used the column names key (and expiration) instead of id (and expires).  The problem with that was that key is a reserved word in MySQL, so the column name then has to be quoted in all SQL statements.  IdP 3.1.1 reverts back to id (and expires), avoiding the clash with MySQL reserved words.  For IdP 3.1.1+, create the table with:

    Code Block (sql)
    CREATE TABLE `StorageRecords` (
     `context` varchar(255) NOT NULL,
     `id` varchar(255) NOT NULL,
     `expires` bigint(20) DEFAULT NULL,
     `value` longtext NOT NULL,
     `version` bigint(20) NOT NULL,
     PRIMARY KEY (`context`,`id`));


  • Add the following beans to $IDP_HOME/conf/global.xml - instead of duplicating them here, please use the MySQL versions from the IdPv3 Storage documentation (section Installation, unfold the snippets under DB-independent Configuration and MySQL Configuration).
    The beans to add are:

    shibboleth.JPAStorageService
    shibboleth.JPAStorageService.EntityManagerFactory
    shibboleth.JPAStorageService.JPAVendorAdapter
    shibboleth.JPAStorageService.DataSource


    • Customize the shibboleth.JPAStorageService.DataSource bean with database connection parameters:
      • Set the class to match the Tomcat JDBC pool (already comes preinstalled with Tomcat as tomcat-jdbc.jar), org.apache.tomcat.jdbc.pool.DataSource
      • Set the connection URL, username, password and driverClassName to match your database connection.
      • For MySQL, also set the autoReconnect and wait_timeout parameters (to avoid database connections timing out and to reconnect if they get dropped anyway).
      • Note that with the Tomcat JDBC pool, the JDBC URL property name is just url, not jdbcUrl.
      • Set the validationQuery property to a simple query that would probe (validate) the database connection before it is handed out from the pool.  Note that the special syntax, starting with /* ping */ is crucial - this triggers a ping in the database driver; see the MySQL JDBC Driver documentation.
      • Set the testOnBorrow property to actually turn on connection validation on checkout.
      • With all these modifications, the bean could look like: 

        Code Block (xml)
        <bean id="shibboleth.JPAStorageService.DataSource"
            class="org.apache.tomcat.jdbc.pool.DataSource" destroy-method="close" lazy-init="true"
            p:driverClassName="com.mysql.jdbc.Driver"
            p:url="jdbc:mysql://localhost:3306/idp_db?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"
            p:validationQuery="/* ping */ SELECT 1;"
            p:testOnBorrow="true"
            p:username="idp_admin"
            p:password="IDP_ADMIN_PASSWORD" />


    • And remember to install the database driver.  Note that as the driver will be used by classes outside the web application (the Tomcat JDBC pool), the driver also needs to be installed outside the web application.  The following will work on RHEL/CentOS 7 systems:

      Code Block (bash)
      yum install mysql-connector-java
      ln -s /usr/share/java/mysql-connector-java.jar /usr/share/tomcat/lib/
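The DataSource bean above is easy to get subtly wrong (jdbcUrl instead of url, a validationQuery without the /* ping */ prefix, testOnBorrow left off so validation never runs). The following script is an added example, not part of the Shibboleth IdP project: it parses a global.xml fragment and reports which of the recommendations above the bean misses. The two XML fragments are constructed samples; the Spring beans and p: namespace URIs are the standard Spring ones assumed for parsing.

```python
# Added example (not Shibboleth project code): check that the
# shibboleth.JPAStorageService.DataSource bean carries the properties recommended above.
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"   # standard Spring namespace (assumed)
P_NS = "http://www.springframework.org/schema/p"            # Spring p: attribute namespace (assumed)
BEAN_ID = "shibboleth.JPAStorageService.DataSource"
POOL_CLASS = "org.apache.tomcat.jdbc.pool.DataSource"


def check_datasource(xml_text):
    """Return a list of findings; an empty list means the bean follows the recommendations."""
    root = ET.fromstring(xml_text)
    bean = next((b for b in root.iter(f"{{{BEANS_NS}}}bean") if b.get("id") == BEAN_ID), None)
    if bean is None:
        return [f"bean {BEAN_ID} not found"]
    prop = lambda name: bean.get(f"{{{P_NS}}}{name}")  # reads p:name="..." attributes
    findings = []
    if bean.get("class") != POOL_CLASS:
        findings.append(f"class is {bean.get('class')!r}, expected {POOL_CLASS}")
    url = prop("url")
    if url is None:
        findings.append("no 'url' property (the Tomcat pool property is url, not jdbcUrl)")
    else:
        if "autoReconnect=true" not in url:
            findings.append("url lacks autoReconnect=true")
        if "wait_timeout=" not in url:
            findings.append("url lacks sessionVariables=wait_timeout=...")
    if not (prop("validationQuery") or "").lstrip().startswith("/* ping */"):
        findings.append("validationQuery does not start with /* ping */")
    if (prop("testOnBorrow") or "").lower() != "true":
        findings.append("testOnBorrow is not true, so validationQuery never runs on checkout")
    if prop("password") in (None, "", "IDP_ADMIN_PASSWORD"):
        findings.append("password is empty or still the IDP_ADMIN_PASSWORD placeholder")
    return findings


# Constructed sample fragments (not a real global.xml); namespaces are declared so the p: attributes parse.
HEAD = ('<beans xmlns="http://www.springframework.org/schema/beans" '
        'xmlns:p="http://www.springframework.org/schema/p">')
GOOD_XML = HEAD + f'''<bean id="{BEAN_ID}" class="{POOL_CLASS}" destroy-method="close"
    p:driverClassName="com.mysql.jdbc.Driver"
    p:url="jdbc:mysql://localhost:3306/idp_db?autoReconnect=true&amp;sessionVariables=wait_timeout=31536000"
    p:validationQuery="/* ping */ SELECT 1;" p:testOnBorrow="true"
    p:username="idp_admin" p:password="example-only-secret" /></beans>'''
WEAK_XML = HEAD + f'''<bean id="{BEAN_ID}" class="{POOL_CLASS}"
    p:driverClassName="com.mysql.jdbc.Driver" p:jdbcUrl="jdbc:mysql://localhost:3306/idp_db"
    p:validationQuery="SELECT 1" p:username="idp_admin" p:password="IDP_ADMIN_PASSWORD" /></beans>'''

if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("weak", WEAK_XML)):
        print(label, check_datasource(doc) or "OK")
```

Run it against the real $IDP_HOME/conf/global.xml by reading the file into check_datasource(); the weak sample reproduces the four mistakes the bullet list above warns about.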


...

...


Earlier versions of this documentation included a workaround needed for IdP 3.1.x only.

Historical IdP 3.1.x compatibility workaround (no action required on IdP 3.2.0+)

Login breaks on IdP 3.1.x with SPs misconfigured to request AuthenticationType urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.

The version 2 IdP simply ignores that misconfiguration and login works. Version 3.2.0 includes a proper workaround: a configurable list of contexts to be ignored, with this value included by default.

On IdP 3.1.x, as an interim workaround, modify $IDP_HOME/system/conf/general-authn-system.xml and add this value to the list of supportedPrincipals in the shibboleth.AuthenticationFlow bean:

Code Block
--- /opt/shibboleth-idp/system/conf/general-authn-system.xml.dist 2015-11-18 10:55:36.713111653 +1300
+++ /opt/shibboleth-idp/system/conf/general-authn-system.xml    2015-11-18 10:55:39.520094266 +1300
@@ -40,6 +40,8 @@
                     c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                 <bean parent="shibboleth.SAML2AuthnContextClassRef"
                     c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+                <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" />
                 <bean parent="shibboleth.SAML1AuthenticationMethod"
                     c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
             </list>
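Review bot: the two added lines carry no marker that they are a temporary IDP-780 workaround placed in a file under $IDP_HOME/system/conf, which the text below says an upgrade overwrites; suggest preceding the added bean with an XML comment such as `<!-- interim IDP-780 workaround for IdP 3.1.x; not needed on 3.2.0+ -->` so that anyone diffing the file against its .dist copy can see why the unspecified class is listed as a supported principal and when it can be dropped.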

For further details, please see https://issues.shibboleth.net/jira/browse/IDP-780

Note that as this interim workaround is applied to a file under $IDP_HOME/system/, it would get overwritten by an upgrade; however, the version that such an upgrade introduces should already include the proper permanent workaround.

No action is required on IdP 3.2.0+

Starting the IdP

  • Make all files under /opt/shibboleth-idp owned by Tomcat:

    chown -R tomcat.tomcat /opt/shibboleth-idp


...