shibboleth IdP installation
01-12-2018, 05:42 PM (This post was last modified: 01-22-2018 10:08 PM by qiracle.)
Post: #1
shibboleth IdP installation
IdP means Identity Provider. It is a part of Shibboleth. There is an official article about how to install the Shibboleth IdP: installation

Note: Within this documentation, idp.home will be used to refer to the IdP installation directory (as specified during the installation process; default is /opt/shibboleth-idp). CATALINA_BASE will be used to refer to the location of the Tomcat installation.

1. Preparation
Before installation, please install the JDK and Tomcat. Then we should configure the environment variable JAVA_HOME. This is a necessary step, because when we run Tomcat and install the IdP, JAVA_HOME must be set.

2. Download the Shibboleth IdP Package
We can download the latest Identity Provider software package from here (the zip file has Windows line endings, the tarball Unix line endings). After downloading, we get shibboleth-identity-provider-3.3.2.tar.gz (this should be done on Linux, and the shibboleth-identity-provider version should be the latest).

3. Install IdP

3.1 Unpack shibboleth-identity-provider-3.3.2.tar.gz.
Code:
tar -xf shibboleth-identity-provider-3.3.2.tar.gz

3.2 Run install.sh (please run as root, otherwise an unknown error will occur)
Code:
# install.sh lives in the bin/ directory of the unpacked archive
cd shibboleth-identity-provider-3.3.2
./bin/install.sh
During this process, we should press the Enter key or set a password. After the installation is complete, we can find the shibboleth-idp folder at /opt/shibboleth-idp.

4. Required Configuration Changes to Tomcat

4.1 The idp.war file is in idp.home/war. In order to run the IdP, Tomcat must be informed of the location of the IdP warfile. This should be done with a context descriptor by creating the file CATALINA_BASE/conf/Catalina/localhost/idp.xml and placing the following content in it (replacing idp.home with your IdP's home directory).
Code:
<Context docBase="idp.home/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true">

    <!-- Work around lack of Max-Age support in IE/Edge -->
    <CookieProcessor alwaysAddExpires="true" />
</Context>

4.2 Tomcat listens on ports 8080 and 8443 for user-facing web traffic by default. You will most likely need to modify these ports to 80 and 443 in CATALINA_BASE/conf/server.xml, and make arrangements for Tomcat to run as root, use a port-forwarding approach, or rely on some other solution; cf. IdPLinuxNonRoot and IdPLinuxNonRootDebianUbuntu.
4.3 Download jstl from the Maven repository, place it in idp.home/edit-webapp/WEB-INF/lib/, then change to idp.home and run ./bin/build.sh (or build.bat, depending on your platform).
4.4 In ~/.bashrc, add the following parameters to the CATALINA_OPTS environment variable.
Code:
# -XX:MaxPermSize is ignored by Java 8 (PermGen was removed); it only produces a JVM warning
export CATALINA_OPTS="-Xmx1500m -XX:MaxPermSize=128m -XX:+UseG1GC"

5. Recommended Configuration Changes to Tomcat
  • Limit the allowed size of POST submissions to any HTTP or AJP connectors (including the SOAP connector below) by adding the maxPostSize attribute. A size of about 100K (100000) is a reasonable choice.
  • Disable session persistence by uncommenting the <Manager pathname="" /> line in CATALINA_BASE/conf/context.xml (as noted in the file). This prevents errors from being logged regarding the lack of persistence of the session objects created by the IdP when you stop the container. It is not possible to cluster the IdP using the Tomcat session manager.
6. Supporting SOAP Endpoints
You should review that to understand whether or not you need to support this feature.
The plugin component that supports the requirements on the back-channel is available from here and needs to be copied to CATALINA_BASE/lib.
Code:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="want"
    keystoreFile="idp.home/credentials/idp-backchannel.p12"
    keystorePass="PASSWORD"
    keystoreType="PKCS12"
    trustManagerClassName="net.shibboleth.utilities.ssl.TrustAnyCertificate" />
Note: replace idp.home with the IdP home directory entered during installation, and replace PASSWORD with the keystore password entered during installation.

7. Quick Test
Code:
/opt/shibboleth-idp/bin/status.sh
If it outputs some information like the following:
Code:
### Operating Environment Information
operating_system: Linux
operating_system_version: 3.10.0-693.11.6.el7.x86_64
operating_system_architecture: amd64
jdk_version: 1.8.0_25
available_cores: 4
used_memory: 190 MB
maximum_memory: 1500 MB
it means the installation was successful.

Note: if your Tomcat port was not changed to 80, you should modify idp.home/bin/runclass.sh as follows (around line 35):
Code:
if [ -z "$IDP_BASE_URL" ] ; then
    IDP_BASE_URL="http://localhost:8080/idp"
fi
Another way to test whether the installation succeeded is to open http://localhost:8080/idp/status in a browser. You will see some information like the above.
Here 8080 is my Tomcat port; you should change it to your port.

8. Install OpenLDAP
After installing the IdP, we should install OpenLDAP according to here

--------
20180115/jqq: sections 5-7 updated
20180122/jqq: added Install OpenLDAP
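The post above recommends a maxPostSize on every connector (section 5) and a TLS back-channel connector with clientAuth="want" and the keystore password filled in (section 6). The following script audits a Tomcat server.xml for exactly those points. It is an added example, not code from the post or from the Shibboleth project; the server.xml it reads is a constructed sample that reuses the post's port numbers and its PASSWORD placeholder, and the function name audit_connectors is mine.

```python
"""Audit a Tomcat server.xml against the Tomcat advice in the post above:
every HTTP/AJP Connector should cap POST bodies with maxPostSize, and the
back-channel (SOAP) connector should be TLS with client certificates requested
and a real keystore password. Added example; not the post's or Shibboleth's code."""
import xml.etree.ElementTree as ET

MAX_POST_SIZE = 100000  # the post's "about 100K" recommendation, in bytes

# Constructed sample server.xml: a stock user-facing HTTP connector without a
# POST cap, an AJP connector with one, and the post's back-channel connector
# with the PASSWORD placeholder left in place. Values are illustrative only.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
        connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3"
        redirectPort="8443" maxPostSize="100000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="want"
        keystoreFile="/opt/shibboleth-idp/credentials/idp-backchannel.p12"
        keystorePass="PASSWORD" keystoreType="PKCS12"
        trustManagerClassName="net.shibboleth.utilities.ssl.TrustAnyCertificate" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_connectors(server_xml, backchannel_port="8443"):
    """Return [(port, finding), ...] in document order; [] means nothing to fix."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Tomcat applies maxPostSize to HTTP and AJP connectors; its default
        # is 2 MiB, and a zero or negative value removes the limit entirely.
        size = conn.get("maxPostSize")
        if size is None:
            findings.append((port, "maxPostSize not set (Tomcat default is 2 MiB)"))
        elif int(size) <= 0 or int(size) > MAX_POST_SIZE:
            findings.append((port, "maxPostSize=%s is unlimited or above the recommended %d"
                             % (size, MAX_POST_SIZE)))
        if port != backchannel_port:
            continue
        # Back-channel checks: TLS on, client certs at least requested, real password.
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "back-channel connector is not SSLEnabled"))
        if conn.get("clientAuth", "false").lower() not in ("want", "true"):
            findings.append((port, "back-channel connector does not request client certificates"))
        if conn.get("keystorePass") in (None, "PASSWORD"):
            findings.append((port, "keystorePass is missing or still the PASSWORD placeholder"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
```

Run it against CATALINA_BASE/conf/server.xml by passing the file contents to audit_connectors; on the sample it reports the uncapped 8080 connector, the uncapped back-channel connector, and the placeholder password. The back-channel connector is matched by port, so pass backchannel_port if you moved it.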
01-16-2018, 10:48 AM
Post: #2
RE: shibboleth IdP installation
update about Test:
01-18-2018, 11:46 AM
Post: #3
RE: shibboleth IdP installation
You can get more information by turning the logging level to DEBUG while you're configuring the IdP. To get details for many of the important processes in the IdP, set the following 3 parameters in %{idp.home}/conf/logback.xml to DEBUG:
Code:
<!-- Logging level shortcuts. -->
<variable name="idp.loglevel.idp" value="DEBUG" /> <!-- Default INFO -->
<variable name="idp.loglevel.ldap" value="WARN" />
<variable name="idp.loglevel.messages" value="DEBUG" /> <!-- Default INFO -->
<variable name="idp.loglevel.encryption" value="DEBUG" /> <!-- Default INFO -->
<variable name="idp.loglevel.opensaml" value="INFO" />
<variable name="idp.loglevel.props" value="INFO" />
01-18-2018, 02:47 PM
Post: #4
RE: shibboleth IdP installation
It is best to use root privileges when we start Tomcat; otherwise you may not see the status of the IdP when you run ./status.sh.
01-22-2018, 10:05 PM
Post: #5
RE: shibboleth IdP installation
(01-18-2018 02:47 PM)jiangqiangqiang Wrote:  It is best to use root privileges when we start Tomcat; otherwise you may not see the status of the IdP when you run ./status.sh.
Also, we should run ./status.sh with root privileges.
01-22-2018, 10:15 PM
Post: #6
RE: shibboleth IdP installation
We must remember the entityID URL. It is very useful in configuration. You entered the entityID during the installation. The default entityID is localhost.localdomain, but this may not be a good choice.
01-22-2018, 10:30 PM
Post: #7
RE: shibboleth IdP installation
The IdP's metadata is in idp.home/metadata/idp-metadata.xml. We can also see it at http://your_domain/idp/shibboleth. The metadata configuration file is idp.home/conf/metadata-provider.xml. There are two examples in metadata-provider.xml of how to configure remote metadata and local metadata. We can modify them for our use.
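Posts #6 and #7 together point at two things worth checking in idp-metadata.xml before it is sent to any partner: that the entityID is not the installer default, and that the endpoints it advertises are https (an IdP left on Tomcat's 8080 port will otherwise publish plain-http URLs). The script below does both. It is an added example, not code from the posts or from the Shibboleth project; the metadata it parses is a constructed sample, idp.example.org is a hypothetical hostname, the PLACEHOLDER_HOSTS set is my assumption based on post #6, and the function name check_idp_metadata is mine.

```python
"""Sanity-check an IdP's own metadata (idp.home/metadata/idp-metadata.xml, also
served at /idp/shibboleth) before handing it to federation partners: the entityID
must not be the installer default, and every published endpoint must be https.
Added example; not the posts' or Shibboleth's code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Post #6 says the installer defaults the entityID to localhost.localdomain; this
# check treats either localhost name as "never configured" (assumption).
PLACEHOLDER_HOSTS = {"localhost", "localhost.localdomain"}
ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService", "ArtifactResolutionService")

# Constructed sample with the default entityID and one plain-http endpoint, as you
# would get from an IdP left on Tomcat's 8080 port. idp.example.org is hypothetical.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://localhost.localdomain/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.org:8080/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <ArtifactResolutionService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(metadata_xml):
    """Return a list of human-readable findings; [] means the metadata passed."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    findings = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        findings.append("entityID is missing")
    elif (urlparse(entity_id).hostname or "") in PLACEHOLDER_HOSTS:
        findings.append("entityID %s still uses the installer default host" % entity_id)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        findings.append("no IDPSSODescriptor: this is not IdP metadata")
        return findings
    # Every endpoint a partner may be redirected or POSTed to must be TLS-protected.
    for tag in ENDPOINT_TAGS:
        for endpoint in idp.findall(MD + tag):
            location = endpoint.get("Location", "")
            if urlparse(location).scheme != "https":
                findings.append("%s %s is not https: %s"
                                % (tag, endpoint.get("Binding", "?"), location))
    return findings


if __name__ == "__main__":
    for finding in check_idp_metadata(SAMPLE_IDP_METADATA):
        print(finding)
```

On the sample this reports the localhost.localdomain entityID and the plain-http Redirect endpoint; once the hostname is fixed at install time (or the metadata regenerated) and Tomcat fronts the IdP over 443, the same check returns nothing. Because the entityID is only a URI, the check flags the hostname rather than requiring it to match the endpoint hosts.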