<head>
<meta http-equiv="Content-Language" content="en-us">
-<meta name="generator" content="Microsoft FrontPage 5.0">
-<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shibboleth Origin Deployment Guide</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
</center>
<p>Shibboleth Origin Deployment Guide<br>
Shibboleth Version 1.1<br>
-July 28, 2003<br>
+December 3, 2003<br>
</p>
<h3>This version of the deploy guide is for Shibboleth v1.1. For documentation
related to prior versions of Shibboleth, please consult the appropriate branch
ensure robustness. Failover and redundant configurations are now supported.</li>
<li>The SHAR may now optionally store its session and attribute cache in a
back-end database in addition to the previously available in-memory option.
- </li>
- <span class="feature">[1.1]</span> </li>
+ <span class="feature">[1.1]</span> </li>
<li>Federation supplied files (sites.xml and trust.xml) are now refreshed in
a much more robust manner. </li>
- </li>
<li>The SHAR can be configured to request specific attributes from the
Origin. </li>
<li>The SHAR can use TCP sockets when responding to the Apache module, for
</ol>
</li>
<li><a href="#5.e."><font color="black">Local Error Page</font></a></li>
+
+ <li><a href="#5.f."><font color="black">Using a New Attribute</font></a></li>
+
</ol>
</li>
<li>
to the <span class="fixedwidth"><Ajp13Connector></span>
configuration element to ensure that the user's identity is passed
from Apache to the servlet environment.</li>
+ <li>The AJP13Connector for tomcat is not compatible with the new JMX support. To remove some warnings that will appear in the tomcat log every time tomcat is restarted, comment out all of the JMX stuff (anything that says "mbeans") from server.xml.</li>
</ol>
</li>
<li>It is <b>strongly</b> recommended that the AA be SSL-protected to
protect attributes in transit. To do so, add an appropriate location
block to <span class="fixedwidth">httpd.conf</span>:<blockquote>
<p><span class="fixedwidth"><Location /shibboleth/AA>
- SSLVerifyClient optional SSLOptions +StdEnvVars +ExportCertData
- </Location> </span></p>
+ <br> SSLVerifyClient optional
+ <br> SSLOptions +StdEnvVars +ExportCertData
+ <br></Location> </span></p>
</blockquote>
</li>
</ol>
<li><span class="fixedwidth">
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName = <URI></span>
<blockquote>
- <p>The value of this must entered as assigned by the federation used
- for testing or initial operation.</p>
+ <p>Enter the value assigned to the site by the federation.</p>
</blockquote>
</li>
<li><span class="fixedwidth">
the containing element. Otherwise evaluates to
<span class="fixedwidth">FALSE</span>. Regular expressions are
evaluated in accordance with the the
- <a href="http://java.sun.com/j2se/1.4/docs/api/java/util/%20%20%20%20%20%20%20%20%20%20%20%20%20%20regex/Pattern.html#sum">
+ <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/package-summary.html">
Java 1.4 Pattern API</a>.</p>
</blockquote>
</li>
<dd class="valueopt">An element of the element <span class="fixedwidth">
JNDIDirectoryDataConnector</span>. Specifies an optional duration in
<span class="fixedwidth">seconds</span> for which the attribute resolver
- may cache information retrieved from this connector.</dd>
+ may cache information retrieved from this connector. The default is zero seconds (no caching)</dd>
</dl>
<p>A representation of a properly constructed <span class="fixedwidth">
JNDIDirectoryDataConnector</span> element would look like:</p>
<cacheTime="2400"/><br>
</JNDIDirectoryDataConnector> </span></p>
</blockquote>
+ <p>If the ldap server must be accessed over SSL, and JDK 1.4.1 is being used, two changes must be made to the <span class="fixedwidth">JNDIDirectoryDataConnector</span> element:</p>
+ <p>1. On the java.naming.provider.url Property, add <port number> after the hostname in the ldap url (the default port for ldap over SSL is 636),</p>
+ <p>2. Add this Property element:</p>
+ <blockquote>
+ <p><span class="fixedwidth"><Property name="java.naming.security.protocol" value="ssl" "></span></p>
+ </blockquote>
+ <p>If the ldap server must be accessed over SSL, and JDK 1.4.2 is being used, then change ldap:// to ldaps:// in the value of the <span class="fixedwidth">java.naming.provider.url</span> Property.</p>
+ <p>NOTE: This assumes that the ldap server's cert is rooted with a CA that is in the JVM's default keystore (ie: a commercial CA). If not, the CA cert must be added.</p>
<p><span class="fixedwidth">SimpleAttributeDefinition</span>:</p>
<dl>
<dd class="attribute"><span class="fixedwidth">id = <string></span> </dd>
connector includes a pre-existing scope (<span class="fixedwidth">bob@foo.edu</span>),
that scope is used instead. Contained within the
<span class="fixedwidth">SimpleAttributeDefinition</span> element.</dd>
+ <dd class="attributeopt"><span class="fixedwidth"><lifeTime
+ "<seconds>"/></span> </dd>
+ <dd class="valueopt">Specifies in the attribute assertion
+ how long the attribute should be cached and retained by the target upon
+ receipt. Federations and trust agreements may have some bearing on the
+ population and use of this field. Contained within the
+ <span class="fixedwidth">SimpleAttributeDefinition</span> element.</dd>
<dd class="attributeopt"><span class="fixedwidth">sourceName =
"<string>"</span> </dd>
<dd class="valueopt">Specifies a different source attribute name to be
SimpleAttributeDefinition</span> element.</dd>
<dd class="attributeopt"><span class="fixedwidth"><cacheTime
"<seconds>"/></span> </dd>
- <dd class="valueopt">An element of the element <span class="fixedwidth">
- SimpleAttributeDefinition</span>. Specifies an optional duration in
+ <dd class="valueopt">Specifies an optional duration in
<span class="fixedwidth">seconds</span> for which the attribute resolver
- may cache this attribute for use in additional assertions.</dd>
- <dd class="attributeopt"><span class="fixedwidth"><lifeTime
- "<seconds>"/></span> </dd>
- <dd class="valueopt">An element of the element <span class="fixedwidth">
- SimpleAttributeDefinition</span>. Specifies in the attribute assertion
- how long the attribute should be cached and retained by the target upon
- receipt. Federations and trust agreements may have some bearing on the
- population and use of this field.</dd>
+ may cache this attribute for use in additional assertions. Contained within
+ the <span class="fixedwidth">SimpleAttributeDefinition</span> element.</dd>
</dl>
<p>A representation of a properly constructed <span class="fixedwidth">
SimpleAttributeDefinition</span> element would look like:</p>
<blockquote>
- <p><span class="fixedwidth"><SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
- smartScope="shibdev.edu" sourceName="universityPerson"><br>
+ <p><span class="fixedwidth"><SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"<br>
+ smartScope="shibdev.edu" cacheTime="600" lifeTime="3600" sourceName="universityPerson"><br>
<DataConnectorDependency requires="dataConnector"/><br>
<AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/><br>
- <cacheTime="600"/><br><br>
- <lifeTime="3600"/><br><br>
</SimpleAttributeDefinition> </span></p>
</blockquote>
<p>A properly formed <span class="fixedwidth">resolver.xml</span> file to
requesting SHAR. It outputs the resulting SAML <Attribute /> elements. This
allows administrators to view the results of tweaking the resolver
configuration without having to continually reload the origin web
- application. Initially, the following two steps must be performed:</p>
+ application. <span class="fixedwidth">resolvertest</span> is also useful for testing when the AA is first configured to use an attribute repository (ldap or sql). Initially, the following two steps must be performed:</p>
<ol>
<li>Set the shell variable <span class="fixedwidth">SHIB_HOME</span> to
the directory path where the Shibboleth tarball was exploded (typically
<p><br>
<br>
</p>
+<h4><a name="5.f."></a>5.f. Using a New Attribute</h4>
+<p>In order for an attribute to be sent to a target, two steps are required:</p>
+<p>1. The attribute has to be defined in resolver.xml. See section <a href="#5.d.">5.d</a>.</p>
+<p>2. The effective ARP for that target has to release this attribute value. See section <a href="#5.b.">5.b.</a>.</p>
+<p>Note: resolvertest is a useful tool for verifying the correctness of the definitions.</p>
+<p>Note: the AAP at the target must also define this attribute. See the Shibboleth Target Deploy Guide.</p>
+
+<p><br>
+<br>
+</p>
<hr>
<p><br>
</p>
projects / shibboleth / sp.git / blobdiff