The Shibboleth Service Provider (SP) allows an Apache web server to interact with a SAML Identity Provider (IdP) via the SAML2 protocol. The SP is comprised of an Apache HTTPD module (mod_shib
) and a system daemon (shibd
) that handles state management and most of the actual SAML processing (the module communicates with the daemon; the daemon communicates with the IdP). Red Hat does not offer this software, but the Shibboleth Consortium uses the OpenSUSE Build Service to distribute its packages, so we can still install it with yum
.
Add the Shibboleth repository to yum
Before we can use yum
to install the Shibboleth SP, we have to teach it about the Shibboleth repository from the OpenSUSE Build Service. Run the command
casdev-samlsp# curl http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/security:shibboleth.repo -o /etc/yum.repos.d/security\:shibboleth.repo
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 266 100 266 0 0 1225 0 --:--:-- --:--:-- --:--:-- 1231
casdev-samlsp#
to download the repo configuration file.
Install the Shibboleth SP
Install the Shibboleth SP and its dependencies by running the commands
casdev-samlsp# yum -y install shibboleth
Create a TLS/SSL certificate for the SP
The SP uses its own TLS/SSL certificate for signing and encrypting communications with the IdP. Run the commands
casdev-samlsp# cd /etc/shibboleth
casdev-samlsp# ./keygen.sh -h casdev-samlsp.newschool.edu -e https://casdev.newschool.edu/shibboleth -f -u shibd -y 10
Generating a 3072 bit RSA private key
.........++
...................................................++
writing new private key to './sp-key.pem'
-----
casdev-samlsp#
Any error messages about being unable to remove ./sp-key.pem
or ./sp-cert.pem
may be safely ignored.
Configure systemd
to start shibd
RHEL 7 uses systemd
to manage system resources. Run the command
casdev-samlsp# systemctl enable shibd
to enable the shibd
service in systemd
. This will cause systemd
to start shibd
at system boot time. Additionally, the following commands may now be used to manually start, stop, restart, and check the status of the shibd
service:
# systemctl start shibd
# systemctl stop shibd
# systemctl restart shibd
# systemctl status shibd
Test that HTTPD and shibd
can communicate
Before configuring the SP further, check that Apache HTTP and shibd
are able to communicate. Run the commands
casdev-samlsp# systemctl start shibd
casdev-samlsp# systemctl restart HTTPD
to start the shibd
daemon and restart HTTPD to load the mod_shib
module. Then use curl
to retrieve the SP’s status page:
casdev-samlsp# curl -k https://127.0.0.1/Shibboleth.sso/Status
<StatusHandler time='2017-10-25T19:12:42Z'><Version Xerces-C='3.1.1' XML-Tooling-C='1.6.0' XML-Security-C='1.7.3' OpenSAML-C='2.6.0' Shibboleth='2.6.0'/><NonWindows sysname='Linux' nodename='casdev-samlsp.newschool.edu' release='3.10.0-693.2.2.el7.x86_64' version='#1 SMP Sat Sep 9 03:55:24 EDT 2017' machine='x86_64'/><SessionCache><OK/></SessionCache><Application id='default' entityID='https://sp.example.org/shibboleth'/><Handlers><Handler type='ArtifactResolutionService' Location='/Artifact/SOAP' Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'/><Handler type='AssertionConsumerService' Location='/SAML2/POST' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/><Handler type='AssertionConsumerService' Location='/SAML2/POST-SimpleSign' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'/><Handler type='AssertionConsumerService' Location='/SAML2/Artifact' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'/><Handler type='AssertionConsumerService' Location='/SAML2/ECP' Binding='urn:oasis:names:tc:SAML:2.0:bindings:PAOS'/><Handler type='AssertionConsumerService' Location='/SAML/POST' Binding='urn:oasis:names:tc:SAML:1.0:profiles:browser-post'/><Handler type='AssertionConsumerService' Location='/SAML/Artifact' Binding='urn:oasis:names:tc:SAML:1.0:profiles:artifact-01'/><Handler type='SessionInitiator' Location='/Login'/><Handler type='SingleLogoutService' Location='/SLO/SOAP' Binding='urn:oasis:names:tc:SAML:2.0:bindings:SOAP'/><Handler type='SingleLogoutService' Location='/SLO/Redirect' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'/><Handler type='SingleLogoutService' Location='/SLO/POST' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/><Handler type='SingleLogoutService' Location='/SLO/Artifact' Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'/><Handler type='LogoutInitiator' Location='/Logout'/><Handler type='MetadataGenerator' Location='/Metadata'/><Handler type='Status' Location='/Status'/><Handler type='Session' Location='/Session'/><Handler type='DiscoveryFeed' Location='/DiscoFeed'/></Handlers><md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyName>casdev-samlsp.newschool.edu</ds:KeyName><ds:KeyName>https://casdev.newschool.edu/shibboleth</ds:KeyName><ds:X509Data><ds:X509SubjectName>CN=casdev-samlsp.newschool.edu</ds:X509SubjectName><ds:X509Certificate>MIIEQTCCAqmgAwIBAgIJAJgyfve+2p4MMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
BAMTG2Nhc2Rldi1zYW1sc3AubmV3c2Nob29sLmVkdTAeFw0xNzEwMjUxOTA5NTNa
Fw0yNzEwMjMxOTA5NTNaMCYxJDAiBgNVBAMTG2Nhc2Rldi1zYW1sc3AubmV3c2No
b29sLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKnAVWGK7S1f
nmL41kvXlU9l2BDQNKEpoEnu428Bg8Az/5e1wxs2eMk9XymPobEJ5LlT0Fyr4nSl
NqRSHkCOFdoll+W8qfqn3AxgYaGDccU+JREp2uz8FYDpAwFsC/3bGWVrKW6aUW6T
sAoQwdcL2XlokQ3NkdwimYv6gB2sP8kNje7G8gl1kEodu6QucDwChvHHTF5MQuPz
5L2iWBif2ZFBE7+AokIYL3rZCUSVviq6e77hJ2p0l4Rtx2I20AaHKaOFGITwtELx
mIVzJ9747lEq6xV9VeFFG7wmJqFioy39hPoKL9rtMhkGg78LsX6famSjYqUW12qs
QjyazOUd0ve3C8WBX/PVIA3I3WpQTpgT/xIZSbuHUa7fYE5+BRvcZOaRVk6WfHja
ABCx43D5f6FPHj3pfcsGZzKrT26QJYeIIcNgsgH+KQAszjfIYF1iJNCkJQGGkbQX
DL+Fvr7PaLOWjf31A85KSHWXe9F7cFovwk+l6Q8RuT4al8sL9ibYcwIDAQABo3Iw
cDBPBgNVHREESDBGghtjYXNkZXYtc2FtbHNwLm5ld3NjaG9vbC5lZHWGJ2h0dHBz
Oi8vY2FzZGV2Lm5ld3NjaG9vbC5lZHUvc2hpYmJvbGV0aDAdBgNVHQ4EFgQUlo8B
+EW+irsywPjzuc8cBeLvXU8wDQYJKoZIhvcNAQELBQADggGBAKh7J3VZAYNs5Lr3
ox7rvz9Vhx5ZzvZ28j6TlTFvtbh4OSNYlP3G3o627MtORY/bPzm63bQrfq53OTOf
JiqMENEOGXrqBbFqRfR32P75BWfXsh2ZSxdGXU6O9czFpjrycAKZgWv9U2OYFpyb
m14RzSqQq34pyL8nScJ2dO5cK/Ei5SeL76U8Jf68fVVhL6eEZ3eV93jtUafLW4r6
ouiO9v26d+W6hnzk5R0ntitNgkCudcpFH/heDXawbxhXOkEHbAQ1ggqdE/vnWVfx
PKxvhKw6UW1PsaYoy+yiXwzX3rIxLGTfnqJ8cdb4gjDE8tXOxMjVdbWeFTY5aDWG
Nv9KkJ9W5dEz1s91enceM9XzINvca2d/qa7hflEEHnWNhXKIQ8BEXKjEPFFkcclo
r5hpkVNVVGEC2ZA1nSQlrDBMpf/3uDgPxVh474vuDTJHvcEXpfNqEITBdxO2t7dV
HGiljHQvACTaqHAL0sYUpZPVk3CE2RV+B0m3jugIlnT3VB7tFQ==
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyName>casdev-samlsp.newschool.edu</ds:KeyName><ds:KeyName>https://casdev.newschool.edu/shibboleth</ds:KeyName><ds:X509Data><ds:X509SubjectName>CN=casdev-samlsp.newschool.edu</ds:X509SubjectName><ds:X509Certificate>MIIEQTCCAqmgAwIBAgIJAJgyfve+2p4MMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
BAMTG2Nhc2Rldi1zYW1sc3AubmV3c2Nob29sLmVkdTAeFw0xNzEwMjUxOTA5NTNa
Fw0yNzEwMjMxOTA5NTNaMCYxJDAiBgNVBAMTG2Nhc2Rldi1zYW1sc3AubmV3c2No
b29sLmVkdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKnAVWGK7S1f
nmL41kvXlU9l2BDQNKEpoEnu428Bg8Az/5e1wxs2eMk9XymPobEJ5LlT0Fyr4nSl
NqRSHkCOFdoll+W8qfqn3AxgYaGDccU+JREp2uz8FYDpAwFsC/3bGWVrKW6aUW6T
sAoQwdcL2XlokQ3NkdwimYv6gB2sP8kNje7G8gl1kEodu6QucDwChvHHTF5MQuPz
5L2iWBif2ZFBE7+AokIYL3rZCUSVviq6e77hJ2p0l4Rtx2I20AaHKaOFGITwtELx
mIVzJ9747lEq6xV9VeFFG7wmJqFioy39hPoKL9rtMhkGg78LsX6famSjYqUW12qs
QjyazOUd0ve3C8WBX/PVIA3I3WpQTpgT/xIZSbuHUa7fYE5+BRvcZOaRVk6WfHja
ABCx43D5f6FPHj3pfcsGZzKrT26QJYeIIcNgsgH+KQAszjfIYF1iJNCkJQGGkbQX
DL+Fvr7PaLOWjf31A85KSHWXe9F7cFovwk+l6Q8RuT4al8sL9ibYcwIDAQABo3Iw
cDBPBgNVHREESDBGghtjYXNkZXYtc2FtbHNwLm5ld3NjaG9vbC5lZHWGJ2h0dHBz
Oi8vY2FzZGV2Lm5ld3NjaG9vbC5lZHUvc2hpYmJvbGV0aDAdBgNVHQ4EFgQUlo8B
+EW+irsywPjzuc8cBeLvXU8wDQYJKoZIhvcNAQELBQADggGBAKh7J3VZAYNs5Lr3
ox7rvz9Vhx5ZzvZ28j6TlTFvtbh4OSNYlP3G3o627MtORY/bPzm63bQrfq53OTOf
JiqMENEOGXrqBbFqRfR32P75BWfXsh2ZSxdGXU6O9czFpjrycAKZgWv9U2OYFpyb
m14RzSqQq34pyL8nScJ2dO5cK/Ei5SeL76U8Jf68fVVhL6eEZ3eV93jtUafLW4r6
ouiO9v26d+W6hnzk5R0ntitNgkCudcpFH/heDXawbxhXOkEHbAQ1ggqdE/vnWVfx
PKxvhKw6UW1PsaYoy+yiXwzX3rIxLGTfnqJ8cdb4gjDE8tXOxMjVdbWeFTY5aDWG
Nv9KkJ9W5dEz1s91enceM9XzINvca2d/qa7hflEEHnWNhXKIQ8BEXKjEPFFkcclo
r5hpkVNVVGEC2ZA1nSQlrDBMpf/3uDgPxVh474vuDTJHvcEXpfNqEITBdxO2t7dV
HGiljHQvACTaqHAL0sYUpZPVk3CE2RV+B0m3jugIlnT3VB7tFQ==
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><Status><OK/></Status></StatusHandler>
casdev-samlsp#
The details of the XML document returned by this command aren’t terribly important since the SP hasn’t been configured yet.
curl
command must be run from the server against the localhost
IP address (127.0.0.1
). The -k
option to curl
is also needed, since the server’s SSL certificate is advertising a different host name.