===== SP v2 =====

===== Réference =====

  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall
  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted
  * https://federation.renater.fr/docs/installation#installer_un_sp_shibboleth
  * https://shib.kuleuven.be/docs/sp/2.x/install-sp-2.x-rhel.html
  * https://wiki.umn.edu/ShibAuth/Shibboleth2Xml
  * https://wiki.cac.washington.edu/display/infra/Configure+a+Service+Provider+for+Step-up+Two-Factor+Authentication
  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride

===== Repo opensuse =====

opensuse maintient des packages RPM pour plusieurs distribution RPM dont centos !

  * centos5
<code>
# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_5/security:shibboleth.repo
</code>

   * Centos6
<code>
# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_CentOS-6/security:shibboleth.repo
</code>

<code>
[root@idp-imt1-bc ~]# cd /etc/yum.repos.d/
[root@idp-imt1-bc yum.repos.d]# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_CentOS-6/security:shibboleth.repo
</code>
===== yum install =====

<code>
# yum install shibboleth

=================================================================================================
 Package                    Arch        Version                 Repository                  Size
=================================================================================================
Installing:
 shibboleth                 i686        2.4.3-3.1               security_shibboleth        1.0 M
Installing for dependencies:
 libcurl-openssl            i686        7.21.7-72.1             security_shibboleth        185 k
 liblog4shib1               i686        1.0.4-2.1               security_shibboleth         68 k
 libsaml7                   i686        2.4.3-3.1               security_shibboleth        894 k
 libxerces-c-3_1            i686        3.1.1-2.1               security_shibboleth        903 k
 libxml-security-c16        i686        1.6.1-3.1               security_shibboleth        272 k
 libxmltooling5             i686        1.4.2-3.1               security_shibboleth        616 k
 opensaml-schemas           i686        2.4.3-3.1               security_shibboleth         29 k
 unixODBC                   i686        2.2.14-11.el6           core-0                     382 k
 xmltooling-schemas         i686        1.4.2-3.1               security_shibboleth         11 k

Transaction Summary
=================================================================================================
Install      10 Package(s)

Total download size: 4.3 M
Installed size: 19 M

</code>

<code>
Installed:
  shibboleth.i686 0:2.5.3-1.1  
</code>

===== Post install =====

==== demarrage automatique ====

<code>
# chkconfig shibd on
# chkconfig --list | grep shibd
shibd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
</code>

et manuel la premiere fois:

<code>
# /etc/init.d/shibd start ; tail -f /var/log/shibboleth/shibd.log
</code>

Ainsi que httpd restart / reload pour charger le mod_shib contenu dans /etc/httpd/conf.d/shib.conf

<code>
# /etc/init.d/httpd reload
</code>


==== native.log ====
<code>
[root@blog3 /var/log/httpd]
$ touch native.log
[root@blog3 /var/log/httpd]
$ chown apache native.log
</code>

==== httpd.conf ====

<code>
$ diff httpd.conf httpd.conf.orig
275c275
< UseCanonicalName On
---
> UseCanonicalName Off
</code>


==== test Status ====

Parametrer l'ACL dans /etc/shibboleth/shibboleth2.xml qui permet d'acceder a cet URL

<code>
<!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 157.159.50.97"/>
</code>

Acces:

  * http://www-pub.it-sudparis.eu/Shibboleth.sso/Status

les metadata directement:

  * http://www-pub.it-sudparis.eu/Shibboleth.sso/Metadata



===== Parametrage shibboleth2.xml =====

le fichier /etc/shibboleth/shibboleth2.xml contient l'essentiel du paramétrage du service Prodider shibboleth. Sont représentés ici uniquement les parties modifiéed par rapport au fichier original, à savoir le service SSO, les messages d'erreur, et les Metadata.

==== SSO ====

Attention,  depuis le version 2.4 l'élément SessionInitiator a été remplacé par l'élément SSO !
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO

<code>
 <ApplicationDefaults entityID="https://wp.it-sudparis.eu/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">
...
 <!-- <SSO entityID="https://idp.example.org/shibboleth" -->
            <SSO
                 discoveryProtocol="SAMLDS" discoveryURL="https://shibidp1.it-sudparis.eu/WAYFIT/WAYF.php">
              SAML2 SAML1
            </SSO>
</code>

==== error messages ====

<code>

 <Errors supportContact="jehan.procaccia@it-sudparis.eu"
            metadata="metadataError_fr.html"
                access="accessError_fr.html"
                ssl="sslError_fr.html"
                localLogout="localLogout_fr.html"
                globalLogout="globalLogout_fr.html"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
...
</code>

==== Metadata ====

<code>
<!-- Chains together all your metadata sources. -->
        <MetadataProvider type="Chaining">


         <!--
            Federation IT />
            -->

                <MetadataProvider type="XML" uri="http://shibidp.it-sudparis.eu/metadata/metadata.itsp.xml"
                  backingFilePath="/etc/shibboleth/metadata.itsp.xml" reloadInterval="7200">
                </MetadataProvider>


                <!-- Meta-donné de la fération de test Ãucation-Recherche -->
                <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
                        backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
                        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
                        <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
                </MetadataProvider>

        </MetadataProvider>
</code>

===== Multiples vhost sur un meme SP =====

==== references ====

  * https://wiki.cam.ac.uk/raven/Virtual_hosting_issues_with_Shibboleth
  * https://wiki.cam.ac.uk/raven/SP_Metadata
  * https://services.renater.fr/federation/docs/fiches/virtualhosting-sp


générer la paire de clé pour l'application/vhost

<code>
[root@colmut shibboleth]# ./keygen.sh -h moodev.tem-tsp.eu -f 
Generating a 2048 bit RSA private key
......+++
.....................................................................................+++
writing new private key to './sp-key.pem'
-----

[root@colmut shibboleth]# mv sp-key.pem moodev.tem-tsp.eu-sp-key.pem
[root@colmut shibboleth]# mv sp-cert.pem moodev.tem-tsp.eu-sp-cert.pem

[root@colmut shibboleth]# chown shibd moodev.tem-tsp.eu-sp-key.pem moodev.tem-tsp.eu-sp-cert.pem
</code>

déclaration de l'application override avec chargement des certificats auto-signés ci-dessus 

<code>
... 
       <ApplicationOverride id="moodev" entityID="https://moodev.tem-tsp.eu/sp"
                  REMOTE_USER="eppn persistent-id targeted-id">
         <CredentialResolver type="File" key="moodev.tem-tsp.eu-sp-key.pem" certificate="moodev.tem-tsp.eu-sp-cert.pem"/>
        </ApplicationOverride>


    </ApplicationDefaults>
</code>