Shibboleth

Introduction

Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain user names and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and get access to secure content.

Notes

  1. FreeBSD ships the Shibboleth Service Provider version 2 component, which can be used with the Apache web server, as a port:

    /usr/ports/security/shibboleth2-sp


Configuration Notes for Apache2

  1. Install the Shibboleth SP packages on the service provider (package names vary by OS and package manager) and make sure the Apache module is enabled. Ex:
    apt install libapache2-mod-shib2
    a2enmod shib2
    
  2. Generate a self-signed certificate and private key with openssl for the new shibboleth service provider. UBIT recommends a self-signed certificate valid for 10 years. Ex:
    $ openssl req \
        -subj "/C=US/ST=NY/L=Buffalo/OU=University at Buffalo/CN=jeeves.cse.shibboleth.buffalo.edu" \
        -new -newkey rsa:2048 \
        -x509 -sha256 \
        -days 3650 \
        -nodes \
        -out jeeves_cse_shibboleth_buffalo_edu.crt \
        -keyout jeeves_cse_shibboleth_buffalo_edu.key

  3. UBIT will request the self-signed certificate and generate a certificate file XXX.cer that will need to be transferred to the service provider.

    Note: UBIT is no longer signing certificates for shibboleth. They will request the self-signed certificate generated above to add to their metadata. Use this self-signed certificate in the shibboleth configuration files.

    Note: check the certificate's expiration date and contents with: openssl x509 -in XXX.cer -text -noout

  4. Modify /etc/shibboleth/shibboleth2.xml using the entityID provided by UBIT:
      <ApplicationDefaults entityID="https://XXX.cse.buffalo.edu/shibboleth-sp"
                           REMOTE_USER="uid eppn persistent-id targeted-id">

      <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                checkAddress="false" consistentAddress="true" handlerSSL="true" cookieProps="https">

      <SSO entityID="urn:mace:buffalo.edu:shibboleth">
          SAML2 SAML1
      </SSO>

      <Errors supportContact="cse-consult@buffalo.edu"
              helpLocation="/about.html"
              styleSheet="/shibboleth-sp/main.css"/>

      <CredentialResolver type="File" key="/path/to/XXX.key" certificate="/path/to/XXX.cer"/>

    Note: The XXX.key file was generated on the service provider along with the CSR file; the XXX.cer was provided by EIS after the CSR file was sent to them.

    Note: UBIT is no longer signing certificates for shibboleth. They will request the self-signed certificate generated above to add to their metadata. Use this self-signed certificate in the shibboleth configuration files.

  5. Add to /etc/shibboleth/shibboleth2.xml:
      <!-- remotely supplied metadata provided by UBIT -->
      <MetadataProvider type="Chaining">
          <MetadataProvider type="XML" uri="https://shibboleth.buffalo.edu/shibboleth/metadata.xml"
                            backingFilePath="metadata.xml" maxRefreshDelay="86400">
          </MetadataProvider>

          <MetadataFilter type="EntityRoleWhiteList">
              <RetainedRole>md:IDPSSODescriptor</RetainedRole>
          </MetadataFilter>
      </MetadataProvider>

    Note: There is a discrepancy between Shibboleth SP v2 and v3 in the name of this attribute: 'uri' vs. 'url'. 'uri' is recognized in v3, 'url' in v2. New installs of shibboleth running v3 should use 'uri'.

  6. Add to /etc/shibboleth/attribute-map.xml (if it doesn't already exist):
      <!-- attribute mapping provided by UBIT -->
      <Attribute name="urn:mace:dir:attribute-def:uid" id="uid">
          <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
      </Attribute>
      <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid">
          <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
      </Attribute>

  7. Restart shibd and Apache. Ex:
    service shibd restart
    service apache2 restart
    
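As an added example (not from the original page or the Shibboleth project), a small Python script that checks a shibboleth2.xml fragment for the mistakes steps 4 and 5 invite, before shibd is restarted: an unquoted attribute value such as consistentAddress=true (which makes the file malformed, so the SP will not load it), handlerSSL or cookieProps not set to https, placeholder XXX paths left in CredentialResolver, and an XML MetadataProvider with no uri/url or no backingFilePath. The three sample configs are constructed inline; the /etc/shibboleth/sp-key.pem and sp-cert.pem paths and the sp.example.edu entityID in the "good" sample are assumptions, as is the absence of the real file's XML namespace (the checks strip namespaces so they also work on a real file).

```python
"""Pre-restart sanity checks for a Shibboleth SP shibboleth2.xml.

Added example for this page; not the page's or the Shibboleth project's code.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's <Sessions> element with the unquoted
# consistentAddress value, wrapped in a minimal root so it can be parsed.
BROKEN_CONFIG = """<SPConfig>
  <ApplicationDefaults entityID="https://XXX.cse.buffalo.edu/shibboleth-sp"
                       REMOTE_USER="uid eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" consistentAddress=true handlerSSL="true" cookieProps="https"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample: well-formed, but with weak session settings,
# placeholder credential paths and a metadata provider with no source.
WEAK_CONFIG = """<SPConfig>
  <ApplicationDefaults entityID="https://XXX.cse.buffalo.edu/shibboleth-sp">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" consistentAddress="true" handlerSSL="false" cookieProps="http"/>
    <CredentialResolver type="File" key="/path/to/XXX.key" certificate="/path/to/XXX.cer"/>
    <MetadataProvider type="XML" backingFilePath="metadata.xml" maxRefreshDelay="86400"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample: the settings from the page with quoted values and
# assumed (hypothetical) key/certificate paths and entityID filled in.
GOOD_CONFIG = """<SPConfig>
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth-sp">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" consistentAddress="true" handlerSSL="true" cookieProps="https"/>
    <CredentialResolver type="File" key="/etc/shibboleth/sp-key.pem" certificate="/etc/shibboleth/sp-cert.pem"/>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" uri="https://shibboleth.buffalo.edu/shibboleth/metadata.xml"
                        backingFilePath="metadata.xml" maxRefreshDelay="86400"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    """Strip any XML namespace so the checks also work on a real shibboleth2.xml."""
    return tag.rsplit("}", 1)[-1]


def check_config(text):
    """Return a list of findings; an empty list means the fragment passed every check."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # An unquoted attribute value is enough to make the whole file unloadable.
        return ["not well-formed XML: %s" % exc]

    for el in root.iter():
        name = _local(el.tag)
        a = el.attrib
        if name == "Sessions":
            if a.get("handlerSSL", "").lower() != "true":
                findings.append('Sessions: handlerSSL should be "true" so handler traffic stays on TLS')
            props = a.get("cookieProps", "")
            # "https" is the shorthand for a Secure cookie; an explicit string must say secure.
            if props != "https" and "secure" not in props.lower():
                findings.append('Sessions: cookieProps should be "https" so the session cookie is Secure-only')
        elif name == "CredentialResolver":
            for attr in ("key", "certificate"):
                if "XXX" in a.get(attr, ""):
                    findings.append("CredentialResolver: %s still has the XXX placeholder path" % attr)
        elif name == "MetadataProvider" and a.get("type") == "XML":
            if not (a.get("uri") or a.get("url")):
                findings.append("MetadataProvider[XML]: no uri/url, so no IdP metadata will be loaded")
            if not a.get("backingFilePath"):
                findings.append("MetadataProvider[XML]: no backingFilePath, so there is no cached copy if the metadata host is down")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(label + ":")
        for line in check_config(cfg) or ["ok"]:
            print("  " + line)
```

Run the script as-is to see the three samples scored; to check a live install, call check_config(open("/etc/shibboleth/shibboleth2.xml").read()) and fix every finding before the shibd restart in step 7.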

Implementation Notes

  1. Require authentication inside a section directive (e.g. VirtualHost, Directory, Location) in .htaccess or the Apache2 config files, as described at http://www.buffalo.edu/ubit/service-guides/web-hosting/webapps/instructi...
       <Directory "/usr/local/httpd/htdocs">
           AuthType shibboleth
           ShibRequestSetting requireSession 1
           Require valid-user
       </Directory>
    
  2. After a successful login, the UBITname attribute (uid) is available in PHP as $_SERVER['uid'] and is also loaded into $_SERVER['REMOTE_USER']. Ex:
       <?php
          // escape the value before placing it in HTML output
          echo htmlspecialchars($_SERVER['uid']);
       ?>

  3. After a successful login, check the session information on the service provider:
    https://XXX.cse.buffalo.edu/Shibboleth.sso/Session
  4. Logs are in /var/log/shibboleth

References

  1. http://en.wikipedia.org/wiki/Shibboleth
  2. http://en.wikipedia.org/wiki/Shibboleth_%28Internet2%29
  3. http://wings.buffalo.edu/help/UBITname_authentication.php