Installtion and configuration of CASShib
1 Service Provider
1.1 Installa SP
For the shibboleth installation you can use the package manager
YUM and install the software.
$ yum install shibboleth
After installation you have to start the server
$ service shibd start
1.2 Configure SP
For configuration you have to move in
/etc/shibboleth
directory.
If you want that SP support CASShib you must configure the
shibboleth2.xml
file. Each service needs to have its own protected
Shibboleth address for CAS validation. For mapping URLs with services you must add this rows in the shibboleth configuration file.
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="halfback.cnaf.infn.it" port="443" scheme=" https">
<PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession =" true"/>
<PathRegex regex="casshib/shib/app2" applicationId="app2" authType="shibboleth" requireSession =" true"/>
</Host>
</RequestMap>
</RequestMapper>
After this, you have to configure the
section with fake service. This means that if the request doesn't correspond to the regular expressions return an error page. For configuring the registrated services you have to add these lines at the end of
shibboleth2.xml
file.
<ApplicationOverride id="app1" entityID="https://halfback.cnaf.infn.it/casshib/app1" homeURL="https://halfback . cnaf . infn . it/app1/" REMOTE_USER="shibattr-mail">
<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app1">
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://gridlab01.cnaf.infn.it/idp/shibboleth">
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex ="false" template="bindingTemplat .html"/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator >
</Sessions >
<MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationOverride >
<ApplicationOverride id="app2" entityID="https://halfback.cnaf.infn.it/ casshib/app2" homeURL="https://halfback.cnaf.infn.it/app 2/" REMOTE_USER="shibattr−mail">
<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/casshib/shib/app2/Shibboleth.sso" handlerSSL ="true" exportLocation="/casshib/shib/app2/Shibboleth.sso/GetAssertion" idpHistory="false" idpHistoryDays="7" cookieProps ="; path=/casshib/shib/app2">
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://idp.infn.it/saml2/idp/metadata.php">
<SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html "/>
<SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator >
</Sessions >
<MetadataProvider type="XML" file="idp.infn.it-metadata.xml"/>
</ApplicationOverride >
These rows configure the SP for query the IGI IDP with app1 service and INFN AAI with app2 service. The attribute REMOTE_USER is used to specify which IDP's attributes will be used for the authentication process in the portal.
Now we have to configure the
attribute-map.xml
file for defining the attribute used by shibboleth adding the following rows:
<afp:AttributeRule attributeID="shibattr−eppn">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−uid">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−mail">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−cn">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−sn">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−givenName">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
<afp:AttributeRule attributeID="shibattr−l">
<afp:PermitValueRule xsi:type="ANY"/>
</afp : AttributeRule >
2 Apache server
For a secure communication you need to install the apache server which acts as a front-end.
2.1 Install Apache
Use the package manager for install software.
$ yum install httpd
$ service httpd start
2.2 Apache Configuration
We have to add to
httpd.conf
file the following rows for enabling shibboleth authentication.
##
# CASSHIB ##
Include /etc/shibboleth/apache22.config
Then we have to comment all the rows of
apache22.config
. Now configure Apache to use SSL. Edit the
ssl.conf
file in the Apache directory and in the
default:443>
section add this rows.
UseCanonicalName On
<Location /casshib/shib/∗/login >
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid−user
</Location >
<Location /casshib/shib/∗/Shibboleth . sso>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid−user
</Location >
<Location /casshib/shib/∗/Shibboleth . sso/∗>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid−user
</Location >
ProxyRequests On
ProxyPass /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPassReverse /app2/ http://halfback.cnaf.infn.it:8585/app2/
ProxyPass /app1/ http://halfback.cnaf.infn.it:8585/app1/
ProxyPassReverse /app1/ http://halfback.cnaf.infn.it:8585/app1/
Create the
httpd-jk-mount.conf
file in the same folder and add this rows.
<IfModule jk_module>
JkMount /casshib/* worker1
JkUnMount /casshib/shib/*/Shibboleth.sso worker1
JkUnMount /casshib/shib/*/Shibboleth.sso/* worker1
</IfModule >
Create the
httpd-jk- init.conf
file in the same folder which have this rows.
LoadModule jk_module modules/mod_jk.so
<IfModule jk_module>
JkWorkersFile conf.d/workers.properties
JkShmFile logs/mod_jk.shm
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</IfModule >
Create the
worker.properties
file in the same directory and add this rows.
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=halfback.cnaf.infn.it
worker.worker1.port=8017
Now restart the Apache server.
$ service httpd restart
3 Tomcat server
CASShib is a webapp and need a tomcat server. For server installation use package manager to install Tomcat server.
$ yum install tomcat6
Modify this rows in the
server.xml
file for configure Tomcat server.
<Connector port ="8585" protocol ="HTTP/1.1" connectionTimeout ="20000" />
[...]
<Connector port="8017" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />
Start server.
$ service tomcat start
4 CASShib
For install CASShib deploy in Tomcat the
war file downloaded from
http://code.google.com/p/casshib/downloads/list . For configuration of CASShib modify the file
$tomcat_dir/webapps/casshib/WEB- INF/classes/casshib-service-registrations.xml
in this way.
<?xml version ="1.0" encoding="UTF−8" standalone="no"?>
<casShibServiceRegistrations >
<service id="https://fullyqualified.service.address.1" appname="app1" passcode="12345" />
<service id="https://fullyqualified.service.address.2" appname="app2" passcode="12345" />
</casShibServiceRegistrations >
Where fullyqualified.service.address.# are the services address (Liferay Portlet Login URL) which use CASShib . For install app1 and app2 you download the casshib-demo-app-1.0.0.war before deploy the
war rename the package in app1 and copy the package and rename in app2, after this deploy the packages. For configure this service edit the
$tomcat_dir/webapps/app1/WEB-INF/web.xml
, and similar for app2, modifying the url of the service and the passcode.
Finally restart Tomcat.
$ service tomcat stop
$ service tomcat start
5 Configure Liferay
From web page of portal navigate to
Manage/Control Panel/Settings/Authentication/CAS and set this parameter.
The other impostation leave empty and save settings. Now use login link for authetnication with INFN AAI.
References
--
Diego Michelotto - 11 Nov 2011