===== SP v2 =====

===== Réference =====

  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall
  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted
  * https://services.renater.fr/federation/docs/installation#installer_un_sp_shibboleth
  * https://shib.kuleuven.be/docs/sp/2.x/install-sp-2.x-rhel.html
  * https://wiki.umn.edu/ShibAuth/Shibboleth2Xml
  * https://wiki.cac.washington.edu/display/infra/Configure+a+Service+Provider+for+Step-up+Two-Factor+Authentication
  * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride

===== Repo opensuse =====

opensuse maintient des packages RPM pour plusieurs distribution RPM dont centos !

  * centos7
<code>
[root@wood yum.repos.d]# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
</code>

===== yum install =====

<code>
# yum install shibboleth


Dependencies Resolved

============================================================================================================================================
 Package                                             Arch                                   Version                                          Repository                                           Size
============================================================================================================================================
Installing:
 shibboleth                                          x86_64                                 2.5.5-3.1                                        security_shibboleth                                 1.1 M
Installing for dependencies:
 libcurl-openssl                                     x86_64                                 7.43.0-1.1                                       security_shibboleth                                 211 k
 libevent                                            x86_64                                 2.0.21-4.el7                                     base                                                214 k
 liblog4shib1                                        x86_64                                 1.0.9-3.1                                        security_shibboleth                                  68 k
 libmemcached                                        x86_64                                 1.0.16-3.el7                                     base                                                236 k
 libsaml8                                            x86_64                                 2.5.5-1.1                                        security_shibboleth                                 923 k
 libtool-ltdl                                        x86_64                                 2.4.2-20.el7                                     base                                                 49 k
 libxml-security-c17                                 x86_64                                 1.7.3-3.1                                        security_shibboleth                                 286 k
 libxmltooling6                                      x86_64                                 1.5.6-1.1                                        security_shibboleth                                 702 k
 opensaml-schemas                                    x86_64                                 2.5.5-1.1                                        security_shibboleth                                  29 k
 unixODBC                                            x86_64                                 2.3.1-10.el7                                     base                                                413 k
 xerces-c                                            x86_64                                 3.1.1-7.el7_1                                    updates                                             878 k
 xmltooling-schemas                                  x86_64                                 1.5.6-1.1                                        security_shibboleth                                  12 k

Transaction Summary
======================================================================================================================================
Install  1 Package (+12 Dependent packages)

Total download size: 5.1 M
Installed size: 28 M


</code>

<code>
 Installed:
  shibboleth.x86_64 0:2.5.5-3.1       
</code>

===== Post install =====

==== demarrage automatique ====

je conseil d'installer le package bash-completion.noarch pour profiter de la completion des commandes systemctl 

<code>

[root@wikis yum.repos.d]# systemctl enable shibd.service           
ln -s '/usr/lib/systemd/system/shibd.service' '/etc/systemd/system/multi-user.target.wants/shibd.service'

[root@wikis shibboleth]# systemctl start shibd.service
[root@wikis shibboleth]# systemctl status shibd.service
shibd.service - Shibboleth Service Provider Daemon
   Loaded: loaded (/usr/lib/systemd/system/shibd.service; enabled)
   Active: active (running) since Fri 2015-08-07 17:31:14 CEST; 4s ago
 Main PID: 668 (shibd)
   CGroup: /system.slice/shibd.service
           `-668 /usr/sbin/shibd -f -F

Aug 07 17:31:14 wikis systemd[1]: Started Shibboleth Service Provider Daemon.

</code>


Ainsi que httpd restart / reload pour charger le mod_shib contenu dans /etc/httpd/conf.d/shib.conf

<code>
[root@wood ~]# systemctl restart httpd.service 
</code>


==== emplacement des fichiers de log ====

definis dans les fichier .logger :

<code>
[root@wood shibboleth]# grep fileName *.logger
native.logger:log4j.appender.native_log.fileName=/var/log/shibboleth-www/native.log
native.logger:log4j.appender.warn_log.fileName=/var/log/shibboleth-www/native_warn.log
shibd.logger:log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
shibd.logger:log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
shibd.logger:log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
shibd.logger:log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log

</code>

==== httpd.conf ====

<code>
$ diff httpd.conf httpd.conf.orig
275c275
< UseCanonicalName On
---
> UseCanonicalName Off
</code>


==== test Status ====

Parametrer l'ACL dans /etc/shibboleth/shibboleth2.xml qui permet d'acceder a cet URL

<code>
<!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 157.159.50.97"/>
</code>

Acces:

  * http://wood.tem-tsp.eu/Shibboleth.sso/Status

les metadata directement:

  * http://wood.tem-tsp.eu/Shibboleth.sso/Metadata


==== test config ====

attention à la libCurl et openssl :

from https://wiki.infn.it/progetti/cloud-areapd/aai_integration_with_keystone/aai_integrations_with_openstack_keystone_icehouse#aai_integrations_in_openstack_keystone_icehouse

<code>
even if the message is marked as critical, those errors can be ignored. On many RedHat/Fedora installation a different version of libcurl is required, the library is located in /opt/shibboleth/lib64. The shibboleth daemon calls the configuration script /etc/sysconfig/shibd in order to overwrite the system library. In case it is possible to remove the error running the command

LD_LIBRARY_PATH=/opt/shibboleth/lib64 shibd -t
</code>
===== Parametrage shibboleth2.xml =====

le fichier /etc/shibboleth/shibboleth2.xml contient l'essentiel du paramétrage du service Prodider shibboleth. Sont représentés ici uniquement les parties modifiéed par rapport au fichier original, à savoir le service SSO, les messages d'erreur, et les Metadata.

==== SSO ====

Attention,  depuis le version 2.4 l'élément SessionInitiator a été remplacé par l'élément SSO !
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO

<code>
 <ApplicationDefaults entityID="https://wood.tem-tsp.eu/shibboleth"
                         REMOTE_USER="eppn persistent-id targeted-id">

..
 <!-- <SSO entityID="https://idp.example.org/shibboleth" -->
            <SSO
                 discoveryProtocol="SAMLDS" discoveryURL="https://shibidp1.it-sudparis.eu/WAYFIT/WAYF.php">
              SAML2 SAML1
            </SSO>
</code>

==== error messages ====

<code>

 <Errors supportContact="jehan.procaccia@it-sudparis.eu"
            metadata="metadataError_fr.html"
                access="accessError_fr.html"
                ssl="sslError_fr.html"
                localLogout="localLogout_fr.html"
                globalLogout="globalLogout_fr.html"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
...
</code>

==== Metadata ====

<code>
<!-- Chains together all your metadata sources. -->
        <MetadataProvider type="Chaining">
         <!--
            Federation IT />
            -->
                <MetadataProvider type="XML" uri="http://shibidp.it-sudparis.eu/metadata/metadata.itsp.xml"
                  backingFilePath="/etc/shibboleth/metadata.itsp.xml" reloadInterval="7200">
                </MetadataProvider>


                <!-- Meta-donné de la fération de test Ãucation-Recherche -->
                <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
                        backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
                        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
                        <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
                </MetadataProvider>

        </MetadataProvider>
</code>

autoriser l'ecriture au user shibd (user sous lequel tourne le daemon shibd) au repertoire de config / telecharement des metadata par defaut /etc/shibboeth 

<code>
[root@wood shibboleth]# chgrp shibd .
[root@wood shibboleth]# chmod 775 .
</code>


==== Certificats de signature des metadata ====

cf https://services.renater.fr/federation/technique/metadata 

certificat Renater 
 
<code>
[root@wood shibboleth]# wget  https://federation.renater.fr/renater/metadata-federation-renater.crt

</code>

===== Multiples vhost sur un meme SP =====

==== references ====

  * https://wiki.cam.ac.uk/raven/Virtual_hosting_issues_with_Shibboleth
  * https://wiki.cam.ac.uk/raven/SP_Metadata
  * https://services.renater.fr/federation/docs/fiches/virtualhosting-sp


avant de generer une nouvelle paire de clée, il est preferable de sauvegarder la paire initiale (car le -f / force les ecrasera )

<code>
[root@wood shibboleth]# cp sp-key.pem sp-key-wood.pem
[root@wood shibboleth]# cp sp-cert.pem sp-cert-wood.pem 
</code>

générer la paire de clé pour l'application/vhost

<code>
[root@wood shibboleth]# ./keygen.sh -h mood.paris-saclay.fr -f 
Generating a 2048 bit RSA private key
............................................................................................+++
....................+++
writing new private key to './sp-key.pem'
-----


[root@wood shibboleth]# mv sp-key.pem sp-key-mood.paris-saclay.fr.pem
[root@wood shibboleth]# mv sp-cert.pem sp-cert-mood.paris-saclay.fr.pem

[root@wood shibboleth]# chown shibd sp-cert-mood.paris-saclay.fr.pem sp-key-mood.paris-saclay.fr.pem

</code>

déclaration de l'application override avec chargement des certificats auto-signés ci-dessus 

<code>
... 
       <ApplicationOverride id="mood" entityID="https://mood.paris-saclay.fr/sp"
                  REMOTE_USER="eppn persistent-id targeted-id">
         <CredentialResolver type="File" key="sp-key-mood.paris-saclay.fr.pem" certificate="sp-cert-mood.paris-saclay.fr.pem"/>
        </ApplicationOverride>

    </ApplicationDefaults>
</code>