NetID Login Service - Apache Installation (Ubuntu / Debian) from Packages
This document goes step by step through installing and configuring the Shibboleth Service Provider (SP) from packages on Ubuntu and Debian Linux server platforms.
System Requirements:
This documentation assumes you have the Apache 2 HTTP Web Server that comes with Debian installed and configured with SSL.
You will also need sudo rights, Internet connectivity and familiarity with Open Source software.
If you do not have all of these things, you cannot proceed and you should contact your system administrator for assistance.
Installing the Shibboleth SP via Debian Packages:
Install the Shibboleth SP:
sudo apt-get install libapache2-mod-shib2
Execute these commands to activate shibd on startup:
sudo chmod +x /etc/init.d/shibd
sudo update-rc.d shibd defaults
At this point the Shibboleth daemon has been installed and configured to run at startup.
Start the Shibboleth daemon and examine the logs for any errors:
sudo service shibd start
grep -E 'CRIT|ERROR' /var/log/shibboleth/shibd.log
You may see the following item in the shibd log. You can safely ignore it for now, since no shibboleth2.xml with a metadata provider has been installed yet.
2016-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
You may also see one or both of the following errors indicating that your Shibboleth key pair is missing.
ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')
CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem)
If the above error is in the log, run the following commands to install the key/cert files, and restart the Shibboleth service.
sudo openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=$HOSTNAME" -keyout /etc/shibboleth/sp-key.pem -out /etc/shibboleth/sp-cert.pem
sudo service shibd restart
Enable the shib2 module in Apache and restart Apache:
sudo a2enmod shib2
sudo service apache2 restart
Open up a web browser and point to your site with the following Shibboleth path:
https://www.yoursite.wisc.edu/Shibboleth.sso/Session
Verify that you see this message:
A valid session was not found.
Generate Shibboleth2.xml File
After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.
Automatic Shibboleth2.xml Generator
- Production: https://login.wisc.edu/spgen
- QA: https://loginqa.wisc.edu/spgen
- Test ("ITE"): https://logintest.wisc.edu/spgen
- Wisconsin Federation: https://wayf.wisconsin.edu/spgen/
Manual Configuration
- [Link for document 22321 is unavailable at this time]
- [Link for document 22322 is unavailable at this time]
The NetID Login Service only accepts SSL/TLS connections since we are dealing with user credentials. Thus, the SP login portion of your application must be encrypted. More information can be found at NetID Login Service - Importance of Secure Cookies
Download Metadata Signing Certificate
Save this file in the Shibboleth installation directory. By default this is the same location as your shibboleth2.xml configuration file (/etc/shibboleth).
UW-Madison and UW-Madison Federation (e.g. PubCookie replacement):
- Production: https://login.wisc.edu/metadata/login.wisc.edu-signing.pem
- QA: https://loginqa.wisc.edu/metadata/loginqa.wisc.edu-signing.pem
- Test ("ITE"): https://logintest.wisc.edu/metadata/logintest.wisc.edu-signing.pem
Wisconsin Federation (e.g. approved IDI request):
- Download the Signing Certificate
- Or copy and paste this address into your address bar: https://wayf.wisconsin.edu/metadata/wayf.wisconsin.edu-signing.pem
Place shibboleth2.xml and metadata signing certificate (login.wisc.edu-signing.pem) in /etc/shibboleth:
sudo cp ~/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
sudo wget https://login.wisc.edu/metadata/login.wisc.edu-signing.pem -O /etc/shibboleth/login.wisc.edu-signing.pem
Edit /etc/apache2/mods-available/shib2.conf to enable Shibboleth for specific Locations and applicationId:
<Location /path/to/secured/content>
    AuthType shibboleth
    ShibRequestSetting applicationId https://www.yoursite.wisc.edu/shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>
Verify the MD5 checksum of the metadata signing certificate:
md5sum /etc/shibboleth/login.wisc.edu-signing.pem
If you do not see the following checksum, stop and contact help@login.wisc.edu:
478044ae7b137c1182ce7cdb9511f329 /etc/shibboleth/login.wisc.edu-signing.pem
If the checksum matches, restart the Shibboleth daemon and Apache, then examine the logs to verify that the federation metadata was downloaded successfully:
sudo service shibd restart
sudo service apache2 restart
sudo grep login.wisc.edu-metadata.xml /var/log/shibboleth/shibd.log
You should see the following in the shibd.log:
2012-01-20 10:15:26 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/opt/shibboleth-sp/var/run/shibboleth/login.wisc.edu-metadata.xml)
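The three checks in this procedure (scanning shibd.log for CRIT/ERROR lines while ignoring the expected "no MetadataProvider available" message, comparing the signing certificate's MD5 against the value given above, and confirming that the metadata resource was loaded) can be scripted so they are repeatable after every restart. The following POSIX shell script is an added example, not part of the original article or of the Shibboleth project; the expected checksum is the one stated on this page, the log and certificate paths are passed in as arguments, and the sample log lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Post-install checks for a Shibboleth SP on Debian/Ubuntu (added example).
# Usage: . ./shib-checks.sh; then call the functions with your own paths,
# e.g. shib_log_problems /var/log/shibboleth/shibd.log

# Expected MD5 of login.wisc.edu-signing.pem, as stated in the procedure.
EXPECTED_MD5="478044ae7b137c1182ce7cdb9511f329"

# shib_log_problems LOGFILE
# Prints every CRIT/ERROR line except the "no MetadataProvider available"
# message that is expected before shibboleth2.xml is installed.
# Returns 0 when nothing remains, 1 when real problems were found.
shib_log_problems() {
    problems=$(grep -E 'CRIT|ERROR' "$1" | grep -v 'no MetadataProvider available' || true)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# file_md5 FILE
# Prints the MD5 hex digest of FILE (first field of md5sum output).
file_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# verify_signing_cert FILE
# Returns 0 only if FILE has the expected checksum; otherwise the
# procedure says to stop and contact help@login.wisc.edu.
verify_signing_cert() {
    actual=$(file_md5 "$1")
    if [ "$actual" = "$EXPECTED_MD5" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s: got %s, expected %s\n' "$1" "$actual" "$EXPECTED_MD5" >&2
    return 1
}

# metadata_loaded LOGFILE
# Returns 0 if shibd logged that the login.wisc.edu metadata was loaded,
# i.e. a line such as (constructed sample):
#   ... INFO OpenSAML.MetadataProvider.XML : loaded XML resource (.../login.wisc.edu-metadata.xml)
metadata_loaded() {
    grep -q 'loaded XML resource.*login.wisc.edu-metadata.xml' "$1"
}
```

Run the functions in the order of the procedure: shib_log_problems after the first start of shibd, verify_signing_cert before restarting with the new shibboleth2.xml, and metadata_loaded after the restart. Each returns a non-zero status on failure, so the script can be chained with && or used from a configuration-management check.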
Open up a web browser and point to your site with the following Shibboleth path:
https://www.yoursite.wisc.edu/Shibboleth.sso/Metadata
Verify that there is XML metadata content at this path; your browser may offer to download it instead of displaying it.
You're almost done!
The very last step is to have your site authorized by NetID Login Services as a valid Service Provider. Contact help@login.wisc.edu to have your site authorized.
Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Error Message: SAML 2 SSO profile is not configured for relying party https://www.yoursite.wisc.edu/shibboleth