Shibboleth AAI

Links

Switch AAI
Switch AAI Resource Administration

Deployment

Shibboleth install

  • follow the installation manual on the SWITCHaai site; on Debian the SP comes from the SWITCHaai package repository:
    # curl -O http://pkg.switch.ch/switchaai/SWITCHaai-swdistrib.asc
    # gpg --with-fingerprint SWITCHaai-swdistrib.asc   # compare with the fingerprint published by SWITCH
    # apt-key add SWITCHaai-swdistrib.asc
    # echo "deb http://pkg.switch.ch/switchaai/debian squeeze main" > /etc/apt/sources.list.d/switchaai.list
    # apt-get update
    # apt-get install shibboleth
    The signing key is fetched over plain HTTP, so verify its fingerprint against the one SWITCH publishes before adding it; otherwise every later package install trusts whatever was served. (`curl -k` only affects HTTPS and adds nothing here.)
  • next put the config files in "/etc/shibboleth" according to the SWITCHaai manual: SWITCH Shibboleth Service Provider (SP) 2.5 Configuration Guide
    • attribute-map.xml, attribute-policy.xml, shibboleth2.xml, SWITCHaaiRootCA.crt.pem, sp-cert.pem, sp-key.pem
    • sp-key.pem is the SP's private key: keep it readable by the shibd user only.
  • this step also includes registering the SP with your SWITCHaai Federation Partner (e.g. UZH); the SP is not usable in the federation before that registration is done

Secure B-Fabric

  • see NativeSPApacheConfig
  • make sure Shibboleth knows about the reverse proxy, so that the SP sees the real client address instead of the Pound host
    <Location />
        ShibRequestSetting REMOTE_ADDR X-Forwarded-For
    </Location>
    This makes the SP believe X-Forwarded-For. It is only safe while Apache on the B-Fabric host is reachable exclusively through Pound; a client that can reach Apache directly could set the header itself.
  • "/ShibbolethServlet" enforces the login (ShibRequireSession On) and then redirects into B-Fabric
    <Location /ShibbolethServlet>
        AuthType shibboleth
        ShibRequireSession On
        ShibUseHeaders On
        require valid-user
        #require homeOrgType university
        RedirectMatch .* http://fgcz-bfabric.uzh.ch/bfabric/common/shibboleth-login.html
    </Location>
    The commented-out `require homeOrgType university` line shows how to restrict access to an attribute value (the attribute must be mapped in attribute-map.xml for it to work).
  • Apache proxies "/bfabric" to the B-Fabric application server and passes the Shibboleth attributes to it as HTTP headers. `require shibboleth` is a lazy session: no login is enforced here, attributes are passed only if a session exists, so the login is forced on "/ShibbolethServlet" above.
    <Location /bfabric>
        Order allow,deny
        allow from all
        AuthType shibboleth
        ShibUseHeaders On
        require shibboleth
        SetEnv proxy-nokeepalive 1
    </Location>
    ProxyStatus On
    ProxyPreserveHost On
    ProxyPass /bfabric http://localhost:8080/bfabric
    ProxyPassReverse /bfabric http://localhost:8080/bfabric
    Because the application trusts the Shib-* and attribute headers, port 8080 must not be reachable by anything other than this Apache; a client that can connect to it directly could forge a logged-in user.
  • redirect requests to "/shibboleth" to the SP's metadata handler
    Redirect seeother /shibboleth http://fgcz-bfabric.uzh.ch/Shibboleth.sso/Metadata

Reverse Proxy in front of B-Fabric

  • SWITCHaai (the IdPs and the federation) must be able to reach the "entityID" and all registered "service locations" via HTTPS, so the Shibboleth handler URLs have to be served over HTTPS through the proxy.
  • Pound needs to accept HTTPS connections and return the certificate that matches the requested host name (SNI); this needs Pound version 2.6 or newer.
    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/etc/pound/cert/bfabric.pem"
        RewriteLocation 2
    End
  • proxy the Shibboleth traffic (login servlet, SP handlers, metadata) to the B-Fabric host over HTTPS
    Service
        URL "^/(ShibbolethServlet|shibboleth|favicon.*|Shibboleth.sso/.*|secure.*)"
        HeadRequire "Host:.*fgcz-bfabric.*"
        Backend
            Address 130.60.81.30
            Port 443
            HTTPS
        End
        Session
            Type IP
            TTL 3600
        End
    End
  • all other application requests are proxied to the Apache on the B-Fabric host
    Service
        URL "/bfabric/.*"
        HeadRequire "Host:.*fgcz-bfabric.*"
        Backend
            Address 130.60.81.30
            Port 80
            TimeOut 3600
        End
        Session
            Type IP
            TTL 3600
        End
    End
    Note that this hop is plain HTTP: the Shibboleth session cookie travels unencrypted between Pound and the B-Fabric host on every "/bfabric" request, so this network segment must be trusted (or the backend switched to port 443 like the Shibboleth service above).
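The two trust decisions the chain Pound -> Apache/mod_shib -> B-Fabric depends on are which peer may set X-Forwarded-For (the `ShibRequestSetting REMOTE_ADDR X-Forwarded-For` bullet) and which peer may deliver Shib-* and attribute headers (the `ShibUseHeaders On` bullets). The following is an added example written for this page, not code from SWITCHaai, the Shibboleth SP or B-Fabric; the proxy address 192.0.2.10, the local peer list and the attribute header set are assumptions (the real attribute header names come from attribute-map.xml):

```python
"""Trust decisions for the reverse-proxy chain Pound -> Apache/mod_shib -> B-Fabric.

Added example for this page, not code from SWITCHaai, Shibboleth SP or B-Fabric.

  1. client_address(): with `ShibRequestSetting REMOTE_ADDR X-Forwarded-For`
     the SP believes the header, so only honour it when the direct peer is a
     proxy we run, and walk the chain right-to-left past our own hops.
  2. sanitize_attribute_headers(): with `ShibUseHeaders On` the application
     trusts Shib-* and attribute headers; drop them unless the request came
     through mod_shib on this host, otherwise anyone who can reach port 8080
     directly could forge a login.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

# Assumed: the Pound host is the only proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("192.0.2.10/32")]  # hypothetical address

# Assumed: homeOrgType is the attribute used on this page; the full list of
# header names comes from attribute-map.xml.
ATTRIBUTE_HEADERS = {"homeorgtype"}


def _is_trusted_proxy(addr_text: str, trusted: Iterable) -> bool:
    try:
        addr = ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_address(remote_addr: str, forwarded_for: Optional[str],
                   trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address to treat as the client.

    If the TCP peer is not one of our proxies the header may be forged and is
    ignored. Otherwise walk X-Forwarded-For from the right, skipping our own
    proxies; the first other address is the client. Malformed entries, or a
    chain consisting only of our proxies, fall back to the peer address.
    """
    if not _is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the header: do not guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return remote_addr


def sanitize_attribute_headers(headers: Dict[str, str], remote_addr: str,
                               mod_shib_peers: Iterable[str] = ("127.0.0.1", "::1")) -> Dict[str, str]:
    """Drop Shib-* and mapped attribute headers unless the request came from the local mod_shib."""
    if remote_addr in mod_shib_peers:
        return dict(headers)
    return {name: value for name, value in headers.items()
            if not name.lower().startswith("shib-")
            and name.lower() not in ATTRIBUTE_HEADERS}


if __name__ == "__main__":
    # Constructed requests: one that came through Pound, one that hit the
    # application directly with forged attribute headers.
    print(client_address("192.0.2.10", "203.0.113.7, 192.0.2.10"))  # 203.0.113.7
    print(client_address("198.51.100.5", "203.0.113.7"))             # 198.51.100.5
    forged = {"Host": "fgcz-bfabric.uzh.ch",
              "Shib-Identity-Provider": "https://idp.example.org/idp",
              "homeOrgType": "university"}
    print(sanitize_attribute_headers(forged, "203.0.113.7"))  # {'Host': 'fgcz-bfabric.uzh.ch'}
```

The header is walked from the right because the rightmost entries were appended by proxies we control, while everything to their left was supplied by whoever connected to them; the first address that is not ours is the client as our own edge saw it.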

Shibboleth Troubleshooting

Documentation of errors and problems, hopefully with a solution.

shibsp::ListenerException

Solution: shibd, the Shibboleth daemon, is not running, so mod_shib in Apache cannot reach its listener socket. Get root access on the B-Fabric host and start the daemon:
    $ sudo service shibd start
If it exits again right away, the cause is usually a configuration error in /etc/shibboleth; check /var/log/shibboleth/shibd.log for the message.