Shibboleth

Introduction

Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and get access to secure content.

Notes

  1. FreeBSD ships the Shibboleth Service Provider version 2 component, usable with Apache web servers, as a port in:

    /usr/ports/security/shibboleth2-sp


Configuration Notes for Apache2

  1. Install the Shibboleth SP libraries on the service provider (package names vary by OS and package manager) and make sure the Apache module is enabled. Ex:
    apt install libapache2-mod-shib2
    a2enmod shib2
    
  2. Generate a private key and CSR with openssl for the new Shibboleth service provider (one command; the trailing backslashes continue the line). Ex:
    openssl req -new -newkey rsa:2048 -nodes \
         -out XXX_cse_buffalo_edu.csr \
         -keyout XXX_cse_buffalo_edu.key \
         -subj "/C=US/ST=New York/L=Buffalo/O=State University of New York at Buffalo/CN=XXX.cse.buffalo.edu"
    
  3. Send the CSR to EIS; they will issue a certificate file XXX.cer, which then needs to be transferred to the service provider.
  4. Modify /etc/shibboleth/shibboleth2.xml (only the elements and attributes to change are shown; leave the rest of the file as is):
      <ApplicationDefaults entityID="https://XXX.cse.shibboleth.buffalo.edu/shibboleth-sp"
                             REMOTE_USER="uid eppn persistent-id targeted-id">
    
      <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                      checkAddress="true" handlerSSL="true" cookieProps="https">
    
      <Errors supportContact="cse-consult@buffalo.edu"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>
            
      <CredentialResolver type="File" key="/path/to/XXX.key" certificate="/path/to/XXX.cer"/>
    
    Note: The XXX.key file was generated on the service provider along with the CSR file. The XXX.cer was provided by EIS after sending them the CSR file.
  5. Add to /etc/shibboleth/shibboleth2.xml (the EntityRoleWhiteList filter keeps only the IdP role from the remote metadata and belongs inside the XML provider it filters):
      <!-- remotely supplied metadata provided by EIS -->
      <MetadataProvider type="Chaining">
                <MetadataProvider type="XML" uri="https://ubidm.buffalo.edu/shibboleth/metadata.xml"
                             backingFilePath="metadata.xml" maxRefreshDelay="86400">
                    <MetadataFilter type="EntityRoleWhiteList">
                        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
                    </MetadataFilter>
                </MetadataProvider>
      </MetadataProvider>
    
  6. Add to /etc/shibboleth/attribute-map.xml (if these entries are not already present):
        <Attribute name="urn:mace:dir:attribute-def:uid" id="uid">
            <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
        </Attribute>
        <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid">
            <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
        </Attribute>
    
  7. Restart shibd and Apache. Ex:
    service shibd restart
    service apache2 restart
    
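As an added example (not from the original page or the Shibboleth project), the following Python script checks a shibboleth2.xml for the settings that steps 4 and 5 above configure: the handlerSSL, checkAddress and cookieProps attributes on Sessions, a key and certificate on CredentialResolver, and an EntityRoleWhiteList filter retaining md:IDPSSODescriptor. The embedded sample configuration is constructed; its entityID, contact address, metadata URL and file paths are placeholders.

```python
"""Audit the hardening settings in a Shibboleth SP shibboleth2.xml.

Added example, not from the original page or the Shibboleth project.  It parses
shibboleth2.xml with the standard library and checks the settings the steps
above set.  SAMPLE_OK is a constructed config; the entityID, contact, URL and
file paths in it are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_OK = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth-sp"
                       REMOTE_USER="uid eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="true" handlerSSL="true" cookieProps="https"/>
    <Errors supportContact="admin@example.edu" helpLocation="/about.html"/>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" uri="https://idp.example.edu/metadata.xml"
                        backingFilePath="metadata.xml" maxRefreshDelay="86400">
        <MetadataFilter type="EntityRoleWhiteList">
          <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        </MetadataFilter>
      </MetadataProvider>
    </MetadataProvider>
    <CredentialResolver type="File" key="/etc/shibboleth/sp.key"
                        certificate="/etc/shibboleth/sp.cer"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Same constructed config with the TLS-related settings weakened and the role filter emptied.
SAMPLE_WEAK = (SAMPLE_OK
               .replace('handlerSSL="true"', 'handlerSSL="false"')
               .replace('cookieProps="https"', 'cookieProps="http"')
               .replace("<RetainedRole>md:IDPSSODescriptor</RetainedRole>", ""))


def _qualify(root):
    """Return a function mapping a bare tag name to its namespaced form for this document."""
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    return (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)


def audit_shibboleth2(xml_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    q = _qualify(root)
    findings = []

    app = root.find(q("ApplicationDefaults"))
    if app is None:
        return ["ApplicationDefaults: missing"]

    sessions = app.find(q("Sessions"))
    if sessions is None:
        findings.append("Sessions: missing")
    else:
        # handlerSSL keeps the /Shibboleth.sso handlers on TLS; checkAddress binds the
        # session to the client address (may have to be off behind NAT or proxies).
        for attr in ("handlerSSL", "checkAddress"):
            if sessions.get(attr, "").lower() != "true":
                findings.append(f"Sessions.{attr} != true")
        # cookieProps="https" is the shorthand for a Secure session cookie.
        props = sessions.get("cookieProps", "")
        if props != "https" and "secure" not in props.lower():
            findings.append("Sessions.cookieProps is not https")

    cred = app.find(q("CredentialResolver"))
    if cred is None or not (cred.get("key") and cred.get("certificate")):
        findings.append("CredentialResolver: key and certificate must both be set")

    # Remote metadata should be restricted to IdP roles via EntityRoleWhiteList.
    role_ok = any(
        f.get("type") == "EntityRoleWhiteList"
        and any((r.text or "").strip() == "md:IDPSSODescriptor"
                for r in f.iter(q("RetainedRole")))
        for f in root.iter(q("MetadataFilter")))
    if not role_ok:
        findings.append("MetadataFilter: no EntityRoleWhiteList retaining md:IDPSSODescriptor")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("sample-ok", SAMPLE_OK), ("sample-weak", SAMPLE_WEAK)):
        print(name, audit_shibboleth2(cfg) or "all checks passed")
```

Run it against the real file with `audit_shibboleth2(open("/etc/shibboleth/shibboleth2.xml").read())`; the namespace is taken from the root element, so a 3.x file with the newer namespace URI is handled the same way. The checkAddress finding is a prompt to decide deliberately, not a hard rule: the page enables it, but clients behind NAT or proxies can lose sessions with it on.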

Implementation Notes

  1. Require authentication inside an Apache section directive (VirtualHost, Directory, Location, etc.) in .htaccess or the Apache2 configuration files:
       <Directory "/usr/local/httpd/htdocs">
          AuthType shibboleth
          ShibRequireSession on
          Require valid-user
       </Directory>
    
  2. After a successful login, the UBITname attribute (uid) is available in PHP as $_SERVER['uid'] and is also loaded into $_SERVER['REMOTE_USER'] (uid is listed first in the REMOTE_USER setting above, so it is used whenever present). Ex:
       <?php
          echo $_SERVER['uid'];
       ?>
    
  3. After a successful login, session information can be inspected on the service provider at:
    https://XXX.cse.buffalo.edu/Shibboleth.sso/Session
  4. Logs are written under /var/log/shibboleth
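As an added example (not from the original page or the Shibboleth project), this Python lint reads an Apache configuration or .htaccess text and reports sections that start protecting a path with Shibboleth but omit one of the three directives used in item 1 above. The sample configuration is constructed (the /public and /protected paths are placeholders), and only non-nested Directory, Location and VirtualHost sections are handled.

```python
"""Lint Apache section directives for Shibboleth-protected areas.

Added example, not from the original page or the Shibboleth project.  A section
that carries any of the three directives below is treated as intended to be
protected and is reported if it lacks the others.  The sample text is constructed.
"""
import re

# Constructed sample: one complete block, one public block, one incomplete block.
SAMPLE_APACHE = """
<Directory "/usr/local/httpd/htdocs">
   AuthType shibboleth
   ShibRequireSession on
   Require valid-user
</Directory>
<Location "/public">
   Require all granted
</Location>
<Location "/protected">
   AuthType shibboleth     # ShibRequireSession on is missing here
   Require valid-user
</Location>
"""

# Directives expected together in a Shibboleth-protected section.
REQUIRED = ("AuthType shibboleth", "ShibRequireSession on", "Require valid-user")

# Matches a non-nested <Directory ...>...</Directory> (or Location/VirtualHost) section.
SECTION_RE = re.compile(
    r"<(Directory|Location|VirtualHost)\s+([^>]*)>(.*?)</\1>", re.S | re.I)


def _directives(body):
    """Normalise a section body to a set of case-folded, whitespace-collapsed directive lines."""
    found = set()
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            found.add(" ".join(line.split()).lower())
    return found


def audit_apache(conf_text):
    """Return {section argument: [missing directives]} for incomplete Shibboleth sections."""
    wanted = {d.lower(): d for d in REQUIRED}
    problems = {}
    for _kind, arg, body in SECTION_RE.findall(conf_text):
        present = _directives(body)
        if present.isdisjoint(wanted):
            continue  # no Shibboleth directive at all: not a protected section
        missing = [orig for low, orig in wanted.items() if low not in present]
        if missing:
            problems[arg.strip().strip('"')] = missing
    return problems


if __name__ == "__main__":
    for section, missing in audit_apache(SAMPLE_APACHE).items():
        print(f"{section}: missing {', '.join(missing)}")
```

Point it at a real file with `audit_apache(open("/etc/apache2/sites-enabled/000-default.conf").read())`. It reports which directive is absent; the effect of a missing ShibRequireSession on is then something to confirm against the SP's session handling rather than assume.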

References

  1. http://en.wikipedia.org/wiki/Shibboleth
  2. http://en.wikipedia.org/wiki/Shibboleth_%28Internet2%29
  3. http://wings.buffalo.edu/help/UBITname_authentication.php