Environment
Ubuntu 16
Apache 2
Shibboleth 2
Get Apache ready for Shibboleth
Make sure Apache is installed; if it is not, run:
sudo apt-get install apache2
Enable SSL:
sudo a2enmod ssl
Activate the default SSL virtual host:
sudo a2ensite default-ssl.conf
Create a self-signed SSL certificate (a certificate issued by a real CA is of course better if you have one):
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Add a Shibboleth-protected application/service for testing
sudo mkdir /var/www/myservice
Create the index page:
sudo nano /var/www/myservice/index.html
Add content to index.html, e.g.
<html><body>Shibboleth protected service</body></html>
Install the Shibboleth module
sudo apt-get install libapache2-mod-shib2
sudo a2enmod auth_basic
sudo a2enmod shib2
Set up the Shibboleth SP certificate:
sudo shib-keygen -h localhost
Check the certificate:
openssl x509 -text -noout -in /etc/shibboleth/sp-cert.pem
Edit /etc/shibboleth/shibboleth2.xml. Back up the original file before editing it!
This configuration file can also be generated for you: given the hostname, testshib.org produces a sample shibboleth2.xml at https://www.testshib.org/configure.html.
Sample content:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
    <ApplicationDefaults entityID="https://localhost/shibboleth" REMOTE_USER="eppn">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true">
            <SSO entityID="https://idp.testshib.org/idp/shibboleth"> SAML2 SAML1 </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
        <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
        <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml" backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000"/>
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
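Before exposing the SP it is worth checking the settings in shibboleth2.xml that decide who can reach the handlers and whether the IdP metadata is trustworthy. The following is an added example, not part of the original page or of the Shibboleth project: a small linter that parses an SP configuration with the Python standard library and reports on the entityID host, handlerSSL, the Status handler acl, and metadata fetched over plain HTTP without a Signature MetadataFilter. The embedded configuration is a constructed, trimmed copy of the sample above.

```python
"""Lint a Shibboleth SP shibboleth2.xml for security-relevant settings.

Added example (not part of the original page or the Shibboleth project).
The checks are the ones a reviewer makes before the SP goes live; the
sample configuration is a constructed, trimmed copy of the page's example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of the SP configuration root element.
NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample, trimmed from the page's shibboleth2.xml.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
  <ApplicationDefaults entityID="https://localhost/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              relayState="ss:mem" handlerSSL="true">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth"> SAML2 SAML1 </SSO>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    </Sessions>
    <MetadataProvider type="XML"
        uri="http://www.testshib.org/metadata/testshib-providers.xml"
        backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000"/>
  </ApplicationDefaults>
</SPConfig>
"""


def lint_sp_config(xml_text, expected_host):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("sp:ApplicationDefaults", NS)
    if app is None:
        return ["no ApplicationDefaults element"]

    # The entityID should name the host the SP actually runs on; a mismatch
    # usually means a config copied from another machine.
    entity_host = urlparse(app.get("entityID", "")).hostname
    if entity_host != expected_host:
        findings.append(f"entityID host {entity_host!r} != expected {expected_host!r}")

    sessions = app.find("sp:Sessions", NS)
    if sessions is None:
        findings.append("no Sessions element")
    else:
        # The default for handlerSSL differs between SP versions, so an
        # explicit "true" is expected here.
        if sessions.get("handlerSSL", "").lower() != "true":
            findings.append("handlerSSL is not explicitly true: handlers may be served over plain HTTP")
        # The Status handler exposes internals; it should carry an acl.
        for handler in sessions.findall("sp:Handler", NS):
            if handler.get("type") == "Status" and not handler.get("acl"):
                findings.append("Status handler has no acl: status page is world-readable")

    # Metadata over plain HTTP is only acceptable when its signature is
    # verified by a Signature MetadataFilter on the provider.
    for provider in app.findall("sp:MetadataProvider", NS):
        uri = provider.get("uri", "")
        if uri.startswith("http://"):
            filters = provider.findall("sp:MetadataFilter", NS)
            if not any(f.get("type") == "Signature" for f in filters):
                findings.append(f"metadata {uri} fetched over HTTP without a Signature MetadataFilter")
    return findings


if __name__ == "__main__":
    for finding in lint_sp_config(SAMPLE_CONFIG, "localhost"):
        print("finding:", finding)
```

Run against the page's sample the linter reports only the HTTP metadata URL; running it against a copy whose entityID still says localhost after the SP has moved to a real FQDN also flags the host mismatch.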
Add the protected service to the Apache configuration
Edit /etc/apache2/sites-available/default-ssl.conf:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        ServerName localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        Alias /myservice/ /var/www/myservice/
        <Location /myservice/>
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            Require valid-user
        </Location>
    </VirtualHost>
</IfModule>
Start the Shibboleth service
sudo service shibd start
To have Shibboleth start at boot as well:
sudo systemctl enable shibd
Test the Shibboleth SP:
https://localhost/Shibboleth.sso/DiscoFeed
Download the SP metadata:
https://FQDN/Shibboleth.sso/Metadata
NB: the Status page may not work; e.g. https://localhost/Shibboleth.sso/Status may return a 403 error. The acl attribute on the Status handler in shibboleth2.xml restricts it to the listed client addresses (127.0.0.1 and ::1 in the sample), so a request that does not arrive from one of them is refused.
Accessing https://localhost/myservice/ now redirects you to the TestShib site (to an error page, since the SP is not registered there yet).
Upload the SP metadata at https://www.testshib.org/register.html
Accessing your protected page now redirects you to the TestShib login page.
Enter the default username/password (listed on the TestShib site) and you will be redirected back to your protected page, e.g. /myservice/index.html (/var/www/myservice/index.html).
Further configuration
Allow access only to users from www.XYZ.com (Apache 2.4):
<Location /myservice/>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr affiliation ~ ^.+@www\.XYZ\.com$
</Location>
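The `~` form of `Require shib-attr` grants access when any value of the named attribute matches the regular expression, so the anchors and the escaped dots in the rule above are what keep it from matching look-alike scopes. The following added example (not from the original page or from mod_shib) reproduces that match with Python's re module, used here as a stand-in for mod_shib's regex engine, and compares the page's rule with a sloppy, unanchored variant over constructed sample values.

```python
"""Compare the page's affiliation rule with an unanchored variant.

Added example, not part of the original page or of mod_shib. Python's
re.search stands in for mod_shib's regex engine (an assumption); the page's
rule is anchored with ^ and $, so it behaves the same under search or
full-match semantics, which is one reason to always anchor such rules.
"""
import re

# The rule from the page's Require line, and a sloppy variant to reject in review.
PAGE_RULE = r"^.+@www\.XYZ\.com$"
SLOPPY_RULE = r"@www.XYZ.com"

# Constructed sample attribute values; only the first belongs to www.XYZ.com.
SAMPLE_VALUES = [
    "member@www.XYZ.com",
    "member@www.XYZ.com.attacker.example",  # extra suffix: the $ anchor must reject it
    "member@wwwxXYZ.com",                   # an unescaped '.' would accept the 'x'
    "member@www.XYZ.com.",                  # trailing dot: rejected only when anchored
]


def matching_values(rule, values):
    """Return the attribute values that satisfy a `~ rule` Require line."""
    pattern = re.compile(rule)
    return [value for value in values if pattern.search(value)]


def authorize(rule, values):
    """True if the user is granted access: any one matching value suffices."""
    return bool(matching_values(rule, values))


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("sloppy rule", SLOPPY_RULE)):
        print(f"{name}: accepts {matching_values(rule, SAMPLE_VALUES)}")
```

The page's rule accepts only the genuine www.XYZ.com value; the unanchored variant accepts all four, including the value whose scope merely ends with or contains something resembling the domain. The attribute must also be released by the IdP and mapped under the name `affiliation` in attribute-map.xml, otherwise there is no value to match and access is denied.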
Allow access only to a specific user:
<Location /myservice/>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require user [email protected]
</Location>