- Shibboleth 2.0 SP for Debian
+ Shibboleth 2 SP for Debian
Introduction
either one that the Shibboleth SP points to directly or one that is part
of a federation that is trusted by the Shibboleth SP.
- This is the Shibboleth 2.0 version of the SP. For the 1.x version of
+ This is the Shibboleth 2 version of the SP. For the 1.x version of
the Shibboleth SP (if it is still available), see libapache-mod-shib.
Installation and Configuration
for more details. If you want the other parts of Shibboleth to also log
to syslog, change the other /etc/shibboleth/*.logger files similarly.
+ The WS-Trust.xsd schema, which is needed if you use the ADFS support
+ and turn on schema validation, was removed from the Debian package for
+ license reasons. To enable it again, do the following:
+
+ 1. Download the original source from
+ http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/
+
+ 2. Extract schemas/WS-Trust.xsd to some convenient location, for
+ example to /etc/shibboleth/WS-Trust.xsd.
+
+ 3. Copy /usr/share/xml/shibboleth/catalog.xml into /etc/shibboleth.
+
+ 4. Uncomment the WS-Trust line and set its uri attribute:
+ <system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust"
+ uri="/etc/shibboleth/WS-Trust.xsd"/>
+
+ 5. Edit /etc/default/shibd to contain
+ DAEMON_OPTS="$DAEMON_OPTS -x /etc/shibboleth/catalog.xml:/usr/share/xml/opensaml/saml20-catalog.xml:/usr/share/xml/xmltooling/catalog.xml"
+
+ 6. Restart the Shibboleth daemon: /etc/init.d/shibd restart.
+
Testing with TestShib
If you don't have a local Shibboleth Federation you can easily join but
the following instructions (but test them against the details on the
testshib.org web pages in case anything has changed):
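Review bot: step 4 of the WS-Trust instructions does not say which file is being edited; since step 3 has the reader copy the catalog into /etc/shibboleth, state explicitly that the WS-Trust line to uncomment is in /etc/shibboleth/catalog.xml (the copy, not the packaged file under /usr/share/xml/shibboleth), because the -x option in step 5 lists that copy first and the packaged copy would otherwise keep being edited by mistake. Step 1 also points at a "latest" download over plain http, while the schema being installed is exactly what shibd will enforce once schema validation is on: suggest directing the reader to the source tarball that matches the installed package version and telling them to verify the tarball's integrity before extracting schemas/WS-Trust.xsd from it.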
- 1. If you do not have an OpenIDP identity, go to <http://openidp.org/>
- and create one.
-
- 2. Go to <http://testshib.org/>, click on Join, and then Create and
- manage metadata entries. Log in with your OpenIDP identity.
-
- 3. Click on New Service Provider (unless you've already created an entry
- for this host, in which case reuse it). Enter your hostname, your
- public certificate, and your first and last name, and then click on
- Continue. Verify the information and click on Submit.
+ 1. Go to <http://testshib.org/>, click on Register, and log in with
+ either OpenIDP or ProtectNetwork. If you do not have an identity
+ with either, create one following the links on that page.
- 4. Note the URL in quotes at the top of the page for which the
- credentials were "successfully stored." This URL is your server's
- providerID; save it for later.
+ 2. Click on New Service Provider (unless you've already created an entry
+ for this host, in which case select Edit and reuse it). Enter your
+ hostname, your public certificate, and your first and last name, and
+ then click on Continue. Verify the information and click on Submit.
- 5. Now select Configure, scroll down to Service Provider Configuration,
- choose Other for the platform, and click on Create Me. Save the
- resulting configuration file as /etc/shibboleth/shibboleth2.xml.
+ 3. Now select Configure, scroll down to Service Provider Configuration,
+ choose Other for the platform, enter your hostname, and click on
+ Create Me. Save the resulting configuration file as
+ /etc/shibboleth/shibboleth2.xml.
- 6. Create some part of your web site that's protected with Shibboleth as
+ 4. Create some part of your web site that's protected with Shibboleth as
described above, restart Apache with apache2ctl restart, restart
shibd with /etc/init.d/shibd restart, and then go to that URL. You
should be redirected to the testshib.org IdP, and then get a basic
and in particular the "Configuration" link.
- -- Russ Allbery <rra@debian.org>, Wed, 25 Jun 2008 19:46:06 -0700
+ -- Russ Allbery <rra@debian.org>, Fri, 24 Jul 2009 15:21:41 -0700
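Review bot: step 3 of the revised TestShib instructions has the reader save the generated file directly as /etc/shibboleth/shibboleth2.xml, which replaces whatever configuration is already in that file without warning; suggest adding a sentence to back up the existing shibboleth2.xml first and to treat the TestShib file as a test-only configuration to be restored afterwards. The old step 4 (record the providerID URL "for later") was dropped without a replacement, so if a later step still needs that value the new text should say where it now comes from. Separately, the unchanged context sentence above the list, "you can easily join but the following instructions", reads as if a word is missing (for example "you can easily join, use the following instructions"); worth fixing while this section is being touched.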