Shibboleth: Installation and Deployment. Scott Cantor, July 29, 2002. Presentation transcript.

1 Shibboleth: Installation and Deployment
Scott Cantor (cantor.2@osu.edu)
July 29, 2002

2 Installation: Packaging
- Alpha 1 and 2 are binary distributions.
- Source was made public in late July: http://middleware.internet2.edu/opensaml/cvs.html
- Alpha 2.5 will probably be binary with source.
- Beta 1 should support “./configure; make; make install” for autoconf platforms and Visual Studio on Windows.
- Even with better packaging, manual installation of servlets and Apache modules will be needed.

3 Installation: General
- Solaris 2.x and Linux
- Current basic requirements: Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.6, Sun JDK 1.3.1, Jakarta Tomcat 3.3.1
- Binaries distributed as a tarball:
    $ cd /usr/local
    $ tar xvfz shib_alpha2_linux_rh72.tar.gz
- Deploy Guide: http://middleware.internet2.edu/shibboleth/docs/DeployGuide-alpha2.txt

4 Installation: General
- Both origins and targets need:
  - SSL-enabled Apache server, equipped with a certificate signed by a club-approved CA
  - Jakarta Tomcat servlet engine with AJP 1.3 connector (mod_jk)
- All the servlets are packaged together in a single deployment archive (shibboleth.war) that can be copied into tomcat/webapps, auto-expanded, and configured

5 Installation: Origin Site
- Install additional supporting components:
  - User handles can be stored in-memory or in MySQL
  - User attributes can be accessed in LDAP, or a restricted set (EPPN and affiliation=member) can be “echoed” by the AA
- Back-end interfaces will be refined over time to simplify pluggable implementations, and use standard Java APIs like JNDI when possible

6 Deployment: Origin Site
- Choose a name for your site, probably your best-known top-level domain.
- This name will be part of your club application and is configured into the HS and AA servlets (web.xml).
- Special Note: Alpha-2 targets will reject attributes like EPPN if the “scope” doesn’t match the site name. This will be more flexible later.

7 Deployment: Origin Site (PKI Requirements)
- The web server’s SSL certificate will protect both the HS and AA servlets.
- The AA servlet path is configured to support client certificate authentication:
    SSLVerifyClient optional
    SSLOptions +ExportCertData
- The allowable client CAs are specified:
    SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt

8 Deployment: Origin Site (PKI Requirements)
- The HS servlet must digitally sign its messages using a key and certificate valid for digital signature creation, signed by a club-approved CA.
- Alpha-2 uses a Java keystore, which allows self-generation of a key and certificate request with the keytool command (see deploy guide).
- The hostname of your HS is the first field in the certificate request.
- Using the SSL server key is possible, but requires some custom Java code to import/export a private key.

9 Deployment: Origin Site (Club Application)
- Target sites are given a “registry” of trusted origin sites to protect them from rogue users.
- Once names are chosen, provide the following in an e-mail (address in deploy guide):
  - Site Name
  - Complete Handle Service servlet URL
  - The HS hostname (went into the certificate CN)
  - Aliases/shorthand for your institution (used by WAYF)
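The two target-side rules stated on slides 6 and 9 (a response is trusted only if it comes from an origin in the club registry, and a scoped attribute such as EPPN is accepted only when its scope equals that origin's site name) can be modelled together. The following is an added illustration, not code from the presentation or from the Shibboleth project: the registry contents, the `ORIGIN_REGISTRY`, `accept_response` and `filter_attributes` names, and the example site name and Handle Service URL are all constructed for this example.

```python
"""Target-side acceptance checks modelled on slides 6 and 9.

Added example only (not code from the presentation or the Shibboleth
project). ORIGIN_REGISTRY, accept_response, filter_attributes and the
example site/URL values are constructed for illustration.
"""


class UntrustedOrigin(ValueError):
    """Raised when a response does not come from a registered origin site."""


# Constructed stand-in for the club's "registry" of trusted origin sites
# (slide 9): keyed by site name, holding the registered Handle Service
# URL and the HS hostname that went into the certificate CN.
ORIGIN_REGISTRY = {
    "example.edu": {
        "hs_url": "https://hs.example.edu/shibboleth/HS",  # constructed value
        "hs_cn": "hs.example.edu",
    },
}

# Attributes whose values carry a "scope" after the '@' (EPPN is one).
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


def origin_is_trusted(site_name, hs_url, hs_cn):
    """True only if the origin is registered and every registered detail matches."""
    entry = ORIGIN_REGISTRY.get(site_name)
    if entry is None:
        return False
    return entry["hs_url"] == hs_url and entry["hs_cn"].lower() == hs_cn.lower()


def filter_attributes(site_name, attributes):
    """Apply the alpha-2 rule from slide 6: a scoped attribute value is
    accepted only when its scope equals the asserting origin's site name.

    Returns (accepted, rejected); rejected holds (attribute, value, reason)
    tuples so a target can log exactly what it refused. Dropping mismatched
    scopes stops one origin from asserting identities that belong to another.
    """
    site = site_name.lower()
    accepted, rejected = {}, []
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        kept = []
        for value in values:
            parts = value.split("@")
            if len(parts) != 2 or not parts[0] or not parts[1]:
                rejected.append((name, value, "malformed scoped value"))
            elif parts[1].lower() != site:
                rejected.append((name, value, "scope does not match site name"))
            else:
                kept.append(value)
        if kept:
            accepted[name] = kept
    return accepted, rejected


def accept_response(site_name, hs_url, hs_cn, attributes):
    """Gate a response: registry check first, then scope filtering."""
    if not origin_is_trusted(site_name, hs_url, hs_cn):
        raise UntrustedOrigin(
            f"{site_name!r} is not a registered origin or its HS details differ")
    return filter_attributes(site_name, attributes)


if __name__ == "__main__":
    # Constructed sample: one EPPN in scope, one out of scope, one malformed,
    # plus the unscoped affiliation=member that the Echo AA returns.
    sample = {
        "eduPersonPrincipalName": ["alice@example.edu", "mallory@other.edu", "bogus"],
        "affiliation": ["member"],
    }
    ok, dropped = accept_response(
        "example.edu", ORIGIN_REGISTRY["example.edu"]["hs_url"], "hs.example.edu", sample)
    print("accepted:", ok)
    print("rejected:", dropped)
```

The registry comparison covers all three values the club application asks for (site name, HS URL, HS hostname), so a response whose HS details differ from what was registered is refused even when the site name is known; scope comparison is case-insensitive because DNS names are.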

10 Shibbolization Cookbook for Origin Sites
- Apply to the club as an origin site
  - currently an e-mail message with basic site information
- Choose any web server that can host Java Servlet and JSP applications via Tomcat
- Deploy a HS behind web initial sign-on
  - requires a club-trusted certificate usable for signing
  - web server must also use SSL if handling passwords
  - can store handles in-memory or in MySQL
  - beta version should use a “handle in cookie” design

11 Shibbolization Cookbook for Origin Sites
- Deploy an AA in conjunction with the HS
  - supports two attribute “contexts”, LDAP and Echo
- Install AA plugins for attributes (Java API)
  - preconfigured with classes for eduPerson attributes
- Establish default ARPs for community
  - alpha-2 comes preconfigured to release everything, hides ARP tools
  - alpha-2.5 expected to begin exposing ARP interface
  - early GUI development beginning

12 Shibbolization Cookbook for Destination Sites
- Choose any web server (as long as it’s Apache 1.3.x, but others to follow)
- Equip it with the SHIRE and SHAR modules
  - SHIRE is a Java servlet for the time being, so Tomcat is required
  - SHAR/RM are combined into mod_shib
- Install SHAR plugins for attributes (C++ API)
  - mod_eduPerson provided

13 RM and Application Integration
- mod_shib currently provides flexible .htaccess processing.
- Attributes can be mapped to Require rules and to HTTP headers, including REMOTE_USER.
- Existing basic-auth sites can be “hijacked” to use Shibboleth.
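Mapping attributes to Require rules and to HTTP headers is what lets a basic-auth application be taken over by Shibboleth without code changes, and it is also where a resource manager has to be careful: if the application trusts a header such as REMOTE_USER, the module must discard any copy of that header the client itself supplied before writing its own. The following is an added illustration of both halves, not code from the presentation or from mod_shib; the `HEADER_MAP` contents (including the `Shib-EP-Affiliation` header name), the `export_headers` and `authorize` names, and the assumed `Require <attribute> <value>...` rule syntax are constructed for this example.

```python
"""Attribute-to-header export and Require evaluation for a resource
manager, modelled on slide 13.

Added example only (not the presentation's or mod_shib's code).
HEADER_MAP, export_headers, authorize and the rule syntax are
constructed for illustration.
"""

# Constructed mapping from attribute names to the request headers an
# application sees. The slides abbreviate eduPersonPrincipalName as EPPN.
HEADER_MAP = {
    "eduPersonPrincipalName": "REMOTE_USER",
    "affiliation": "Shib-EP-Affiliation",  # header name is an assumption
}

# Lower-cased so comparisons are case-insensitive (HTTP header names are).
_PROTECTED = {h.lower() for h in HEADER_MAP.values()}


def export_headers(client_headers, attributes):
    """Return the header set handed to the application.

    Any header the client sent under a name the module exports is dropped
    before the module's own values are written, so a request cannot arrive
    pre-loaded with REMOTE_USER and be believed by a basic-auth style
    application that reads only that header.
    """
    headers = {name: value for name, value in client_headers.items()
               if name.lower() not in _PROTECTED}
    for attr, header in HEADER_MAP.items():
        values = attributes.get(attr)
        if values:
            headers[header] = ";".join(values)
    return headers


def parse_require(line):
    """Parse 'Require <attribute> <value>...' or 'Require valid-user'.

    Returns (attribute, set_of_acceptable_values); 'valid-user' gets an
    empty set and is handled specially by authorize().
    """
    parts = line.split()
    if len(parts) >= 2 and parts[0].lower() == "require":
        if parts[1] == "valid-user" and len(parts) == 2:
            return ("valid-user", set())
        if len(parts) >= 3:
            return (parts[1], set(parts[2:]))
    raise ValueError(f"unparseable rule: {line!r}")


def authorize(rule_lines, attributes):
    """True if any one rule is satisfied; with no rules, nothing is authorized.

    Treating several 'require' lines as alternatives is how Apache's own
    mod_auth evaluates them; that mod_shib did the same is an assumption.
    """
    for line in rule_lines:
        attr, wanted = parse_require(line)
        if attr == "valid-user":
            if attributes.get("eduPersonPrincipalName"):
                return True
        elif wanted & set(attributes.get(attr, ())):
            return True
    return False


if __name__ == "__main__":
    # Constructed request: the client tried to send its own REMOTE_USER.
    incoming = {"Host": "app.example.edu", "REMOTE_USER": "spoofed"}
    attrs = {"eduPersonPrincipalName": ["alice@example.edu"], "affiliation": ["member"]}
    print(export_headers(incoming, attrs))
    print(authorize(["Require affiliation member"], attrs))
```

The strip-then-set order in `export_headers` is the important part: filtering on the lower-cased header name closes the obvious bypass of sending the same name in a different case, and a header that is exported but has no attribute value is left absent rather than inherited from the client.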

14 Existing Applications (from most to least integrated)
- Shibbolize the application and unify intra-campus and inter-campus users
- Add a second URL tree for inter-campus users
- Use a Shibbolized proxy server
(The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)

