Skip to content

Installing CASshib and configuring ASI to use it

Pekka Ekman edited this page Apr 18, 2012 · 5 revisions

These instructions are for setting up a Shibboleth test environment using openidp.feide.no as the identity provider.

  1. Install the following packages (in Ubuntu)
  • apache2-mpm-worker (or -prefork or -event)
  • libapache2-mod-gnutls
  • libapache2-mod-shib2
  • tomcat6
  1. Create certificates. You can do this in the server or in another computer.

    These instructions are partially based on the instructions and scripts in http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500

    mkdir cert_tmp_dir && cd crt_tmp_dir
    cp /etc/ssl/openssl.cnf .
    export OPENSSL_CONF=./openssl.cnf

    Edit openssl.cnf:

    • under [ CA_default ]:
      • dir = .
      • new_certs_dir = $dir
      • copy_extensions = copy (optional, needed for DNS aliases)
    • under [ policy_match ]:
      • stateOrProvinceName = optional
    • under [ req ]:
      • req_extensions = v3_req (optional, needed for DNS aliases)
    • under [ v3_req ]:
      • subjectAltName = "DNS:1st.dns.alias, DNS:2nd.dns.alias, ..." (optional, add the server's alternate domain names here)

    Create a CA:

    (umask 077; openssl genrsa -out ca.key)
    openssl req -new -key ca.key -out ca.csr
    openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
    touch index.txt
    echo FACE > serial

    Create a server key and sign it with the CA's key. Enter the server's fully qualified domain name in the Common Name field.

    (umask 077; openssl genrsa -out server1.key)
    openssl req -new -key server1.key -out server1.csr
    openssl ca -in server1.csr -cert ca.crt -keyfile ca.key -out server1.crt

    Convert the keys and certificates to Java keystore format. You can add several key/certificate pairs to the keystore by giving multiple -in and -inkey arguments to the first command.

    (umask 077; openssl pkcs12 -export \
                        -in server1.crt -inkey server1.key \
                        -out keystore.pkcs12 )
    (umask 077; openssl pkcs12 -export \
                        -in ca.crt -inkey ca.key -name test_CA \
                        -out keystore_ca.pkcs12 )
    (umask 077; keytool -importkeystore \
                        -srckeystore keystore.pkcs12 -srcstoretype PKCS12 \
                        -destkeystore keystore.jks -deststoretype JKS )
    keytool -importkeystore \
            -srckeystore keystore.pkcs12 -srcstoretype PKCS12 \
            -destkeystore keystore.jks

    Copy ca.crt, server1.crt, server1.key and keystore.jks to the server. Make sure that server1.key and keystore.jks have proper permissions (not world-readable). Import the keystore into default Java keystore in the server. The default keystore password is changeit.

    sudo keytool -importkeystore \
                 -srckeystore some/path/keystore.jks -srcstoretype JKS \
                 -destkeystore /etc/ssl/certs/java/cacerts
  2. Edit /etc/tomcat6/server.xml

  3. Configure Apache to use Shibboleth and act as a reverse proxy forwarding requests to Tomcat. These instructions are for Ubuntu, which uses a heavily customized layout for Apache configuration files.

    • disable all sites (sudo a2dissite <site-name>) and enable the site default-ssl (sudo a2ensite default-ssl)

    • enable required modules: sudo a2enmod gnutls proxy proxy_ajp shib2

    • edit /etc/apache2/ports.conf and comment out the following lines:

      NameVirtualHost *:80
      Listen 80
    • replace the contents of the file /etc/apache2/sites-enabled/default-ssl with the following:

      <VirtualHost _default_:443>
          ServerName https://your.hostname:443
      
          GnuTLSEnable on
          GnuTLSPriorities NORMAL
      
          GnuTLSCertificateFile /some/path/server1.crt
          GnuTLSKeyFile /some/path/server1.key
          GnuTLSClientCAFile /some/path/ca.crt
      
          # Serve these files directly
          ProxyPass /shibboleth-sp !
          Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
          Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
      
          # This is a kludge needed to make openidp.feide.no IdP
          # work. Openidp.feide.no wants to download the Shibboleth SP
          # metadata from the URL in SAML entityID. However, CASshib uses
          # the login page's URL as entityID. To solve this we'll use
          # mod_rewrite to detect requests from openidp.feide.no's IP
          # address block and redirect these requests to the metadata URL.
          RewriteEngine On
          RewriteCond %{REMOTE_ADDR} ^158\.38\.130\.
          RewriteRule    ^/(?!casshib/)([^/]+)/?$ https://your.hostname/casshib/shib/$1/Shibboleth.sso/Metadata [R,L]
          RewriteCond %{REMOTE_ADDR} ^158\.38\.130\.
          RewriteRule    ^/casshib/(?!shib)([^/]+)/?$ https://your.hostname/casshib/shib/$1/Shibboleth.sso/Metadata [R,L]
      
          ProxyRequests Off
          <Proxy *>
              Order deny,allow
              Allow from all
          </Proxy>
      
          # always keep the host header
          ProxyPreserveHost On
      
          ProxyPass / ajp://localhost:8765/
      
          UseCanonicalName On
      
          # Protect the login and Shibboleth.sso URLs.
          <LocationMatch "/casshib/shib/[^/]*/(login|Shibboleth.sso(/[^/]*)?)">
              AuthType shibboleth
              ShibRequireSession On
              ShibUseHeaders On
              require valid-user
          </LocationMatch>
      
      </VirtualHost>
  4. Restart Tomcat and Apache

  5. Get IdP metadata by some means and put the metadata file in a suitable place on the server.

    wget -O /some/path/openidp.feide.no-metadata.xml https://openidp.feide.no/simplesaml/saml2/idp/metadata.php
  6. Edit the file /etc/shibboleth/shibboleth2.xml

    • if <RequestMapper type="Native"> exists, delete or comment out it and its contents

    • add the following under the root element (<SPConfig>):

          <RequestMapper type="Native">
              <RequestMap applicationId="default">
                  <!-- the attribute 'name' must match the hostname in Apache's ServerName directive: -->
                  <Host name="your.hostname" port="443" scheme="https">
                      <!-- add a PathRegex element for each service: -->
                      <PathRegex regex="casshib/shib/app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
                      ...
                  </Host>
              </RequestMap>
          </RequestMapper>
    • edit the element <ApplicationDefaults>:

          <ApplicationDefaults id="default" policyId="default"
                               entityID="https://your.hostname/BOGUS_SERVICE"
                               homeURL="https://your.hostname/BOGUS_SERVICE"
                               REMOTE_USER="shibattr-uid"
                               signing="false" encryption="false">
      • Under the element, add ApplicationOverride for each service:

            <ApplicationDefaults id="default" ...>
                ...existing elements...
        
                <ApplicationOverride id="app1"
                                     entityID="https://your.hostname/casshib/app1"
                                     homeURL="https://app1.url/"
                                     REMOTE_USER="shibattr-uid">
                    <!-- NOTE the cookieProps path is different for each service.
                         The handlerURL needs to fall within the path of the cookie. -->
                    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                              handlerURL="/casshib/shib/app1/Shibboleth.sso" handlerSSL="true"
                              exportLocation="/casshib/shib/app1/Shibboleth.sso/GetAssertion" 
                              idpHistory="false" idpHistoryDays="7"
                              cookieProps="; path=/casshib/shib/app1">
                    </Sessions>
                </ApplicationOverride>
                ...
            </ApplicationDefaults>
      • Under <ApplicationDefaults> / <Sessions>, comment out existing <SSO> elements and add an SSO element for your IdP:

        <SSO entityID="https://openidp.feide.no">
          SAML2 SAML1
        </SSO>
      • Add a MetadataProvider element for your IdP (also under <ApplicationDefaults>):

        <MetadataProvider type="XML" file="/some/path/openidp.feide.no-metadata.xml"/>
  7. Run the following commands:

    sudo sed -i -e 's/\bid="/id="shibattr-/' /etc/shibboleth/attribute-map.xml
    sudo sed -i -e 's/\b\(attributeID="\)\([^\*]\)/\1shibattr-\2/' /etc/shibboleth/attribute-policy.xml
  8. Edit /etc/shibboleth/attribute-map.xml:

    • Add the following under the top level element (<Attributes>):

          <!-- for openidp.feide.no: -->
          <Attribute name="uid" id="shibattr-uid"/>
  9. Restart shibd

  10. Download CASshib

  11. Extract the package and copy the file casshib-server-x.x.xx/modules/casshib-server-webapp-x.x.xx.war to /var/lib/tomcat6/webapps/casshib.war (as root). Tomcat should automatically extract the package to the subdirectory casshib.

  12. Edit the file /var/lib/tomcat6/webapps/casshib/WEB-INF/classes/casshib-service-registrations.xml:

    • add a <service> element under <casShibServiceRegistrations>:

      <service id="https://idp03.aalto.fi/idp/shibboleth"
               appname="name"
               passcode="96306" />

      TODO: explain where the id attribute comes from

TODO: callback and ASI configuration