<noautolink>
---+!! Installation and configuration of CASShib

%TOC%

---# Service Provider

---## Install SP

For the Shibboleth SP installation we use the package manager _YUM_: we install the software and start the =shibd= daemon.

<verbatim>
$ yum install shibboleth
$ service shibd start
</verbatim>

---## Configure SP

For configuration we change directory to =/etc/shibboleth=. We edit the =shibboleth2.xml= file to configure the SP to support CASShib. Each service needs to have its own protected _Shibboleth_ address for CAS validation. To map URLs to services we add these rows to the Shibboleth configuration file.

<verbatim>
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="halfback.cnaf.infn.it" port="443" scheme="https">
      <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
      <PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapper>
</verbatim>

After this, we configure the =<ApplicationDefaults id="default" ...>= section with a fake (placeholder) service. This means that a request that does not match one of the regular expressions returns an error page. To configure the registered services we add these lines at the end of the =shibboleth2.xml= file.

<verbatim>
<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1"
                     homeURL="https://halfback.cnaf.infn.it/app1/" REMOTE_USER="shibattr-mail">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL="true"
            exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion"
            idpHistory="false" idpHistoryDays="7" cookieProps="; path=/casshib/shib/app1">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                      relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth">
      <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    </SessionInitiator>
  </Sessions>
  <MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationOverride>

<ApplicationOverride id="app2" entityID="https://halfback.cnaf.infn.it/casshib/app2"
                     homeURL="https://halfback.cnaf.infn.it/app2/" REMOTE_USER="shibattr-mail">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL="true"
            exportLocation="/casshib/shib/app2/Shibboleth.sso/GetAssertion"
            idpHistory="false" idpHistoryDays="7" cookieProps="; path=/casshib/shib/app2">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                      relayState="cookie" entityID="https://idp.infn.it/saml2/idp/metadata.php">
      <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    </SessionInitiator>
  </Sessions>
  <MetadataProvider type="XML" file="idp.infn.it-metadata.xml"/>
</ApplicationOverride>
</verbatim>

These rows configure the SP to query the IGI IDP for the app1 service and INFN AAI for the app2 service. The =REMOTE_USER= attribute specifies which of the IDP's attributes is used as the user identity in the authentication process of the portal. Note that each override is reachable only through the =PathRegex= that names it, so the =handlerURL= and the cookie =path= of every override must sit under the path of the corresponding regular expression.
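The pairing between =PathRegex= entries and =ApplicationOverride= blocks above is easy to break with a copy-and-paste mistake (a handler or cookie path left pointing at the other application, or an application id with no override at all), and the SP does not complain loudly when that happens. The following Python script is an added example, not part of CASShib or the Shibboleth SP, that parses a =shibboleth2.xml= and checks that every mapped application has an override whose =handlerURL= and cookie path live under its own path, that =handlerSSL= and =requireSession= are on, and that the host uses =https=. The sample configurations are constructed for the example and mirror the fragments on this page; the ids =app3= and the mismatched values in the second sample are deliberate errors.

```python
"""Consistency check for the Shibboleth SP RequestMapper / ApplicationOverride
pairing described above (added example; not part of CASShib or the SP)."""
import xml.etree.ElementTree as ET


def _local(tag):
    # A real shibboleth2.xml carries a default namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]


def _iter(node, name):
    # Yield every descendant (including node itself) whose local tag name is `name`.
    for el in node.iter():
        if _local(el.tag) == name:
            yield el


def check_sp_config(xml_text):
    """Return a list of findings; an empty list means the mapping is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    overrides = {o.get("id"): o for o in _iter(root, "ApplicationOverride")}
    mapped = set()
    for host in _iter(root, "Host"):
        if host.get("scheme") != "https":
            findings.append(f"Host {host.get('name')}: scheme is not https")
        for pr in _iter(host, "PathRegex"):
            app, regex = pr.get("applicationId"), pr.get("regex")
            mapped.add(app)
            if pr.get("requireSession") != "true":
                findings.append(f"{app}: requireSession is not true")
            if app not in overrides:
                findings.append(f"{app}: no ApplicationOverride for this applicationId")
                continue
            sessions = next(_iter(overrides[app], "Sessions"), None)
            if sessions is None:
                findings.append(f"{app}: ApplicationOverride has no Sessions element")
                continue
            prefix = "/" + regex
            handler = sessions.get("handlerURL", "")
            if not handler.startswith(prefix + "/"):
                findings.append(f"{app}: handlerURL {handler} is outside {prefix}")
            if sessions.get("handlerSSL") != "true":
                findings.append(f"{app}: handlerSSL is not true")
            # cookieProps is a "; key=value" list; require an exact path= entry
            cookie_parts = [p.strip() for p in sessions.get("cookieProps", "").split(";")]
            if f"path={prefix}" not in cookie_parts:
                findings.append(f"{app}: cookie path does not match {prefix}")
    for app in overrides:
        if app not in mapped:
            findings.append(f"{app}: ApplicationOverride is not reachable from any PathRegex")
    return findings


# Constructed sample, trimmed to the attributes the check looks at.
SAMPLE_GOOD = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="halfback.cnaf.infn.it" port="443" scheme="https">
        <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
        <PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default">
    <Sessions handlerURL="/casshib/shib/default/Shibboleth.sso" handlerSSL="true"/>
    <ApplicationOverride id="app1">
      <Sessions handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/casshib/shib/app1"/>
    </ApplicationOverride>
    <ApplicationOverride id="app2">
      <Sessions handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/casshib/shib/app2"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed broken variant: app2 lost TLS on its handler and inherited app1's
# cookie path, and a third PathRegex maps to an application that has no override.
SAMPLE_BAD = SAMPLE_GOOD.replace(
    'handlerSSL="true" cookieProps="; path=/casshib/shib/app2"',
    'handlerSSL="false" cookieProps="; path=/casshib/shib/app1"',
).replace(
    "</Host>",
    '<PathRegex regex="casshib/shib/app3" applicationId="app3" authType="shibboleth" requireSession="true"/>\n      </Host>',
)

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_sp_config(sample) or "OK")
```

Run it against the real file with =check_sp_config(open("/etc/shibboleth/shibboleth2.xml").read())= after editing; it reports nothing for the good sample and three findings for the broken one. The path comparison is exact rather than a substring match so that =app1= does not silently satisfy a check for =app10=.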
Now we configure the =attribute-map.xml= file to define the attributes used by Shibboleth, adding the following rows (in a standard Shibboleth SP 2.x installation the =afp:AttributeRule= elements shown here belong to the attribute filter policy, =attribute-policy.xml=, while =attribute-map.xml= holds the matching =<Attribute name="..." id="...">= definitions that give the =shibattr-*= ids their meaning):

<verbatim>
<afp:AttributeRule attributeID="shibattr-eppn">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-uid">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-mail">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-cn">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-sn">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-givenName">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="shibattr-l">
  <afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
</verbatim>

---# Apache server

For secure communication we need to install the Apache server, which acts as the front-end.

---## Install Apache

We use the package manager to install the software.

<verbatim>
$ yum install httpd
$ service httpd start
</verbatim>

---## Apache Configuration

We have to add the following rows to the =httpd.conf= file to enable Shibboleth authentication.

<verbatim>
##
# CASSHIB
##
Include /etc/shibboleth/apache22.config
</verbatim>

Then we have to comment out all the rows of =apache22.config=.

Now we configure Apache to use the SSL module. We edit the =ssl.conf= file in the Apache directory and in the =<VirtualHost _default_:443>= section we add these rows.

<verbatim>
UseCanonicalName On

<Location /casshib/shib/*/login>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>

<Location /casshib/shib/*/Shibboleth.sso>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>

<Location /casshib/shib/*/Shibboleth.sso/*>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>

ProxyRequests On
ProxyPass        /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPassReverse /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPass        /app1/ http://halfback.cnaf.infn.it:8585/app1/
ProxyPassReverse /app1/ http://halfback.cnaf.infn.it:8585/app1/
</verbatim>

Note that =ProxyPass= and =ProxyPassReverse= work with =ProxyRequests Off=; =ProxyRequests On= additionally turns Apache into a forward proxy, which a reverse-proxy front-end such as this one does not need.

We create the =httpd-jk-mount.conf= file in the same folder and add these rows.

<verbatim>
<IfModule jk_module>
  JkMount   /casshib/* worker1
  JkUnMount /casshib/shib/*/Shibboleth.sso worker1
  JkUnMount /casshib/shib/*/Shibboleth.sso/* worker1
</IfModule>
</verbatim>

We create the =httpd-jk-init.conf= file in the same folder with these rows.

<verbatim>
LoadModule jk_module modules/mod_jk.so
<IfModule jk_module>
  JkWorkersFile     conf.d/workers.properties
  JkShmFile         logs/mod_jk.shm
  JkLogFile         logs/mod_jk.log
  JkLogLevel        info
  JkLogStampFormat  "[%a %b %d %H:%M:%S %Y] "
</IfModule>
</verbatim>

We create the =workers.properties= file in the same directory and add these rows.

<verbatim>
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=halfback.cnaf.infn.it
worker.worker1.port=8017
</verbatim>

Now we restart the Apache server to apply the changes.

<verbatim>
$ service httpd restart
</verbatim>

---# Tomcat server

CASShib is a webapp and needs a Tomcat server. We install the server using the package manager.

<verbatim>
$ yum install tomcat6
</verbatim>

We modify these rows in the =server.xml= file to configure the Tomcat server.

<verbatim>
<Connector port="8585" protocol="HTTP/1.1" connectionTimeout="20000" />
[...]
<Connector port="8017" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />
</verbatim>

Start the server.

<verbatim>
$ service tomcat start
</verbatim>

---# CASShib

To install CASShib we deploy in Tomcat the _war_ file downloaded from http://code.google.com/p/casshib/downloads/list .
To configure CASShib we modify the file =$tomcat_dir/webapps/casshib/WEB-INF/classes/casshib-service-registrations.xml= in this way.

<verbatim>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<casShibServiceRegistrations>
  <service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345" />
  <service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345" />
</casShibServiceRegistrations>
</verbatim>

Here =fullyqualified.service.address.#= is the address of the service (the Liferay portlet login URL) that uses CASShib. The =passcode= is the shared secret each application presents to CASShib, so the demo value =12345= should be replaced with a distinct, random value per service before the portal goes into production.

To install app1 and app2 we download =casshib-demo-app-1.0.0.war=; before deploying the _war_ we rename the package to _app1.war_, copy it and rename the copy to _app2.war_, and then we deploy both packages. To configure these services we edit the =$tomcat_dir/webapps/app1/WEB-INF/web.xml= file, modifying the URL of the service and the passcode. We make the same changes for app2. Finally we restart Tomcat to apply the changes.

<verbatim>
$ service tomcat stop
$ service tomcat start
</verbatim>

---# Configure Liferay

From the web page of the portal we navigate to *Manage/Control Panel/Settings/Authentication/CAS* and we configure Liferay to use CASShib in this way:

<img src="%ATTACHURLPATH%/CAS_configuration.png" alt="CAS_configuration.png" width="470" height="389" />

Now we use the login link to authenticate with INFN AAI.

---+ References

   * CASShib: http://code.google.com/p/casshib/

-- [[Main.DiegoMichelotto][Diego Michelotto]] - 11 Nov 2011
</noautolink>
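Two settings in the Tomcat and CASShib sections above decide who can impersonate a user: the AJP connector with =tomcatAuthentication="false"= makes Tomcat accept the =REMOTE_USER= that mod_jk forwards, so the AJP port must be reachable only from the local Apache front-end, and the =passcode= in =casshib-service-registrations.xml= is the only thing that ties an application to its registration. The Python script below is an added example, not part of CASShib or Tomcat, that reads a =server.xml= and a registrations file and flags an AJP connector not bound to loopback, non-HTTPS service ids, duplicate application names, and passcodes that are placeholders, too short, or shared between services. The sample documents and the placeholder list are constructed for the example; the passcodes in the "fixed" sample are made-up strings, not real secrets.

```python
"""Deployment checks for the Tomcat AJP connector and the CASShib service
registrations described above (added example; not part of CASShib or Tomcat)."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Constructed list of values that are clearly placeholders rather than secrets.
PLACEHOLDER_PASSCODES = {"", "12345", "changeme", "password", "secret"}
MIN_PASSCODE_LEN = 16


def check_ajp_connectors(server_xml):
    """Flag AJP connectors that are reachable from beyond the local host.
    With tomcatAuthentication="false" Tomcat trusts the principal supplied over
    AJP, so only the co-located Apache front-end may be able to connect."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port")
        # A Connector without an address attribute listens on every interface.
        if conn.get("address") not in LOOPBACK:
            findings.append(f"AJP connector {port}: not bound to loopback")
    return findings


def check_service_registrations(registrations_xml):
    """Validate casshib-service-registrations.xml: https service ids, unique
    appnames, and a real, per-service shared secret."""
    findings, seen_apps, seen_codes = [], set(), set()
    for svc in ET.fromstring(registrations_xml).iter("service"):
        app = svc.get("appname", "?")
        sid = svc.get("id", "")
        code = svc.get("passcode", "")
        if not sid.startswith("https://"):
            findings.append(f"{app}: service id {sid!r} is not an https URL")
        if app in seen_apps:
            findings.append(f"{app}: duplicate appname")
        seen_apps.add(app)
        if code in PLACEHOLDER_PASSCODES or len(code) < MIN_PASSCODE_LEN:
            findings.append(f"{app}: passcode is a placeholder or shorter than {MIN_PASSCODE_LEN} characters")
        elif code in seen_codes:
            findings.append(f"{app}: passcode is shared with another service")
        seen_codes.add(code)
    return findings


def check_deployment(server_xml, registrations_xml):
    """Run both checks and return the combined list of findings."""
    return check_ajp_connectors(server_xml) + check_service_registrations(registrations_xml)


# Constructed samples mirroring the fragments on this page.
SERVER_XML_AS_ON_PAGE = """<Server><Service name="Catalina">
  <Connector port="8585" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8017" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false"/>
</Service></Server>"""

# Same file with the address attribute dropped: the AJP port is now on all interfaces.
SERVER_XML_EXPOSED = SERVER_XML_AS_ON_PAGE.replace(' address="127.0.0.1"', "")

REGISTRATIONS_AS_ON_PAGE = """<casShibServiceRegistrations>
  <service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345"/>
  <service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345"/>
</casShibServiceRegistrations>"""

# Constructed "fixed" registrations with made-up, distinct passcodes (not real secrets).
REGISTRATIONS_FIXED = """<casShibServiceRegistrations>
  <service id="https://fullyqualified.service.address.1" appname="app1" passcode="example-app1-0123456789abcdef"/>
  <service id="https://fullyqualified.service.address.2" appname="app2" passcode="example-app2-fedcba9876543210"/>
</casShibServiceRegistrations>"""

if __name__ == "__main__":
    print(check_deployment(SERVER_XML_AS_ON_PAGE, REGISTRATIONS_AS_ON_PAGE))
    print(check_ajp_connectors(SERVER_XML_EXPOSED))
    print(check_deployment(SERVER_XML_AS_ON_PAGE, REGISTRATIONS_FIXED))
```

On the page's own values the connector passes (it is bound to =127.0.0.1=) while both registrations are reported for the =12345= passcode; removing the =address= attribute is enough to trigger the loopback finding. The length threshold and placeholder list are assumptions chosen for the example, not CASShib requirements.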
Topic attachments: CAS_configuration.png (36.9 K, 2011-11-15 14:17, DiegoMichelotto) - CAS configuration
Topic revision: r8 - 2011-12-13 - DiegoMichelotto