
There will be two federations available:

  • Tuakiri Test/Development Environment (operational and available now)
  • Tuakiri Federation Service (available from the 7th June 11)
...

  • Register an Organisation for your institution (if not already registered)
  • Wait for the Organisation to be approved
  • Register your IdP under that Organisation
    • Provide the Contact Details for the IdP admin
    • Select the organisation and provide a name and description for your IdP
    • Enter the base URL for your IdP (https://idp.example.org)
    • Enter the PEM encoded certificate used by your IdP for signing Shibboleth assertions (the default is $IDP_HOME/credentials/idp.pem).
    • Select the attributes the IdP will be able to release to the federation
    • Select supported NameID formats. By default, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is already selected. If supporting SAML1, select also urn:mace:shibboleth:1.0:nameIdentifier.
    • Submit the details and wait for your IdP to be approved.
    • After having your IdP registration approved, click on the link sent to you to become an Administrator of the IdP's registration.
    • If supporting SAML1, define the SAML1 endpoints for your IdP.

Configuring your IdP to load the federation metadata:

The code snippets in this section have values for the Tuakiri (Pilot) federation. Please update them accordingly if configuring your IdP to join the Tuakiri TEST/DEV federation. (For convenience, the key code snippets for that case are given in Appendix A - Tuakiri-TEST Federation below.)

NOTE: Check what your IdP home directory is. The directory is typically called shibboleth-idp; on Debian and Ubuntu systems it is commonly /usr/local/shibboleth-idp, while on RedHat and CentOS it is /opt/shibboleth-idp. The snippets below refer to the IdP home directory as $IDP_HOME.

  • Download the metadata signing certificate into $IDP_HOME/credentials (this is the certificate the trust engine will use to verify the signature on the federation metadata, so it must be obtained from the federation and kept current):
    No Format
    wget http://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem -O $IDP_HOME/credentials/tuakiri-metadata-cert.pem
  • In $IDP_HOME/conf/relying-party.xml
    • Add the following snippet into the ChainingMetadataProvider:
      Code Block
      xml
              <!-- Tuakiri -->
              <metadata:MetadataProvider id="Tuakiri" xsi:type="metadata:ResourceBackedMetadataProvider">
                <metadata:MetadataFilter xsi:type="metadata:ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                  <metadata:MetadataFilter xsi:type="metadata:SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                  trustEngineRef="shibboleth.MetadataTrustEngine"
                                  requireSignedMetadata="true" />
                </metadata:MetadataFilter>
                <metadata:MetadataResource xsi:type="resource:FileBackedHttpResource"
                                url="http://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml"
                                file="/opt/shibboleth-idp/metadata/tuakiri-metadata.xml" />
              </metadata:MetadataProvider>

    • And add the following snippet into the <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature"> element:
      Code Block
      xml
              <security:Credential id="Tuakiri-FederationCredentials" xsi:type="security:X509Filesystem">
                  <security:Certificate>/opt/shibboleth-idp/credentials/tuakiri-metadata-cert.pem</security:Certificate>
              </security:Credential>

      Note

      Remember to uncomment the <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature"> element if it is still commented out (it is commented out in the default configuration).

  • Configure attribute release/filtering through the federation:
    • Contact the federation administrators and request a URL for the Attribute Filter for your IdP. The attribute filter may have to be manually added to the list of attribute filters published. The URL would look like:
      No Format
      http://directory.tuakiri.ac.nz/attribute-filter/<institution-domain>.xml
    • Add the following entry into the <srv:Service id="shibboleth.AttributeFilterEngine" element in $IDP_HOME/conf/service.xml (note that the URL varies for each IdP and has to be obtained from the federation administrators):
      Code Block
      xml
              <srv:ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                                    url="http://directory.tuakiri.ac.nz/attribute-filter/<institution-domain>.xml"
                                    file="/opt/shibboleth-idp/conf/tuakiri-attribute-filter.xml" />

      Note

      If your $IDP_HOME is different from /opt/shibboleth-idp, change the file path in the above snippet accordingly.

      Note

      If configuring this in Shibboleth IdP 2.1.x, do not use the srv: namespace prefix - i.e., use just:

      Code Block
      xml
              <ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                            url="http://directory.tuakiri.ac.nz/attribute-filter/<institution-domain>.xml"
                            file="/opt/shibboleth-idp/conf/tuakiri-attribute-filter.xml" />

  • We also strongly recommend you configure your IdP to periodically reload this file; we recommend a 2 hour interval. This is documented in detail in the IdP Install Manual, in the Reloading configuration and Load AAF Attribute Filter sections. The simple step is to add the configurationResourcePollingFrequency="PT2H0M0.000S" and configurationResourcePollingRetryAttempts="10" attributes to the <srv:Service id="shibboleth.AttributeFilterEngine" element:
    No Format
        <srv:Service id="shibboleth.AttributeFilterEngine"
    +             configurationResourcePollingFrequency="PT2H0M0.000S" configurationResourcePollingRetryAttempts="10"
                 xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
    

Now your IdP should be able to access service providers within the Tuakiri federation (or the Tuakiri Test/Dev federation, if you used the Appendix A values).
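The two settings above that carry the security weight are the SignatureValidation filter (with requireSignedMetadata="true" and a trustEngineRef pointing at an uncommented shibboleth.MetadataTrustEngine that actually lists a certificate) and the polling attributes on the attribute filter engine. The following script is an added example written for this page, not code from the Tuakiri wiki or the Shibboleth project; it parses a relying-party.xml and a service.xml and reports any metadata provider that would accept unsigned or unverified federation metadata. The two XML documents embedded in it are constructed samples: the "Unsigned-Example" provider and the institution domain "example.ac.nz" are hypothetical, and the namespace URIs are only needed so the sample parses.

```python
"""Audit Shibboleth IdP 2.x federation settings (added example, not project code).

Checks: every non-chaining MetadataProvider has a SignatureValidation filter with
requireSignedMetadata="true" that references a TrustEngine holding at least one
certificate; the AttributeFilterEngine service polls its filter configuration.
"""
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample relying-party.xml: one correctly configured provider and one
# hypothetical provider that loads metadata over HTTP with no signature check.
SAMPLE_RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata" xmlns:resource="urn:mace:shibboleth:2.0:resource"
    xmlns:security="urn:mace:shibboleth:2.0:security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="Tuakiri" xsi:type="metadata:ResourceBackedMetadataProvider">
      <metadata:MetadataFilter xsi:type="metadata:ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
            trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
      </metadata:MetadataFilter>
      <metadata:MetadataResource xsi:type="resource:FileBackedHttpResource"
          url="http://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml"
          file="/opt/shibboleth-idp/metadata/tuakiri-metadata.xml" />
    </metadata:MetadataProvider>
    <metadata:MetadataProvider id="Unsigned-Example" xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://metadata.example.org/unsigned.xml" backingFile="/opt/shibboleth-idp/metadata/unsigned.xml" />
  </metadata:MetadataProvider>
  <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="Tuakiri-FederationCredentials" xsi:type="security:X509Filesystem">
      <security:Certificate>/opt/shibboleth-idp/credentials/tuakiri-metadata-cert.pem</security:Certificate>
    </security:Credential>
  </security:TrustEngine>
</rp:RelyingPartyGroup>"""

# Constructed sample service.xml with the recommended 2 hour polling settings.
SAMPLE_SERVICE = """<srv:Services xmlns:srv="urn:mace:shibboleth:2.0:services"
    xmlns:resource="urn:mace:shibboleth:2.0:resource" xmlns:attribute-afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <srv:Service id="shibboleth.AttributeFilterEngine"
      configurationResourcePollingFrequency="PT2H0M0.000S" configurationResourcePollingRetryAttempts="10"
      xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
    <srv:ConfigurationResource xsi:type="resource:FileBackedHttpResource"
        url="http://directory.tuakiri.ac.nz/attribute-filter/example.ac.nz.xml"
        file="/opt/shibboleth-idp/conf/tuakiri-attribute-filter.xml" />
  </srv:Service>
</srv:Services>"""


def local(tag):
    """Element name without its namespace: '{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def xsi_type(el):
    """xsi:type without prefix, so 'metadata:SignatureValidation' and the older
    default-namespace spelling 'SignatureValidation' both match."""
    return (el.get(XSI_TYPE) or "").split(":")[-1]


def audit_metadata_providers(relying_party_xml):
    """Return {provider id: [findings]}; an empty list means the provider is sound."""
    root = ET.fromstring(relying_party_xml)
    engines = {}  # TrustEngine id -> certificate paths it is configured with
    for el in root.iter():
        if local(el.tag) == "TrustEngine":
            engines[el.get("id")] = [c.text.strip() for c in el.iter()
                                     if local(c.tag) == "Certificate" and c.text]
    findings = {}
    for mp in root.iter():
        if local(mp.tag) != "MetadataProvider" or xsi_type(mp) == "ChainingMetadataProvider":
            continue
        problems = []
        filters = [f for f in mp.iter()
                   if local(f.tag) == "MetadataFilter" and xsi_type(f) == "SignatureValidation"]
        if not filters:
            problems.append("no SignatureValidation filter")
        for f in filters:
            if f.get("requireSignedMetadata") != "true":
                problems.append("requireSignedMetadata is not true")
            ref = f.get("trustEngineRef")
            if ref not in engines:  # typical cause: the TrustEngine is still commented out
                problems.append("trustEngineRef %r names no TrustEngine" % ref)
            elif not engines[ref]:
                problems.append("TrustEngine %r has no Certificate" % ref)
        findings[mp.get("id")] = problems
    return findings


def iso_duration_seconds(value):
    """Seconds for the PTnHnMn.nS durations Shibboleth uses, e.g. PT2H0M0.000S."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?", value)
    if not m:
        raise ValueError("not a PT duration: %r" % value)
    h, mi, s = (float(x) if x else 0.0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def attribute_filter_polling(service_xml):
    """(polling frequency, retry attempts) for the AttributeFilterEngine, or None if unset."""
    for svc in ET.fromstring(service_xml).iter():
        if local(svc.tag) == "Service" and svc.get("id") == "shibboleth.AttributeFilterEngine":
            freq = svc.get("configurationResourcePollingFrequency")
            return (freq, int(svc.get("configurationResourcePollingRetryAttempts", "0"))) if freq else None
    return None


if __name__ == "__main__":
    for pid, problems in audit_metadata_providers(SAMPLE_RELYING_PARTY).items():
        print(pid, "OK" if not problems else "; ".join(problems))
    polling = attribute_filter_polling(SAMPLE_SERVICE)
    print("attribute filter polling:", polling, "=", iso_duration_seconds(polling[0]), "s")
```

To run it against a real deployment, replace the two sample strings with the contents of $IDP_HOME/conf/relying-party.xml and $IDP_HOME/conf/service.xml. A provider reported with "no SignatureValidation filter" or an unresolved trustEngineRef is one that would load whatever the metadata URL serves, which is exactly the failure the uncommented trust engine and requireSignedMetadata="true" are there to prevent.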

Appendix A - Tuakiri-TEST Federation

This section gives the variants of the commands to be used when configuring the IdP to join the Tuakiri-TEST Federation (instead of Tuakiri Pilot).

  • To download the Tuakiri-TEST metadata signing certificate, run the following command:
    No Format
    wget http://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem -O $IDP_HOME/credentials/tuakiri-test-metadata-cert.pem
  • For loading the Tuakiri-TEST metadata, put the following into relying-party.xml:
    Code Block
    xml
            <!-- Tuakiri-TEST -->
            <metadata:MetadataProvider id="Tuakiri-TEST" xsi:type="metadata:ResourceBackedMetadataProvider">
              <metadata:MetadataFilter xsi:type="metadata:ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <metadata:MetadataFilter xsi:type="metadata:SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                                trustEngineRef="shibboleth.MetadataTrustEngine"
                                requireSignedMetadata="true" />
              </metadata:MetadataFilter>
              <metadata:MetadataResource xsi:type="resource:FileBackedHttpResource"
                              url="http://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml"
                              file="/opt/shibboleth-idp/metadata/tuakiri-test-metadata.xml" />
            </metadata:MetadataProvider>
    
  • And the code to load the Tuakiri-TEST metadata signing certificate would be - also in relying-party.xml in the <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature"> element:
    Code Block
    xml
            <security:Credential id="Tuakiri-Test-FederationCredentials" xsi:type="security:X509Filesystem">
                <security:Certificate>/opt/shibboleth-idp/credentials/tuakiri-test-metadata-cert.pem</security:Certificate>
            </security:Credential>
    
  • The snippet to load attribute filter configuration would be (again, drop the srv namespace prefix with Shibboleth IdP 2.1.x):
    Code Block
    xml
            <srv:ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                                  url="http://directory.test.tuakiri.ac.nz/attribute-filter/<institution-domain>.xml"
                                  file="/opt/shibboleth-idp/conf/tuakiri-test-attribute-filter.xml" />