openSUSE maintains RPM packages for several RPM-based distributions, including CentOS!
[root@wood yum.repos.d]# wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
# yum install shibboleth
Dependencies Resolved

=================================================================================================
 Package                Arch      Version           Repository            Size
=================================================================================================
Installing:
 shibboleth             x86_64    2.5.4-3.2         security_shibboleth   1.1 M
Installing for dependencies:
 libcurl-openssl        x86_64    7.42.1-1.1        security_shibboleth   210 k
 libevent               x86_64    2.0.21-4.el7      base                  214 k
 liblog4shib1           x86_64    1.0.9-3.1         security_shibboleth    68 k
 libmemcached           x86_64    1.0.16-3.el7      base                  236 k
 libsaml8               x86_64    2.5.4-3.3         security_shibboleth   923 k
 libtool-ltdl           x86_64    2.4.2-20.el7      base                   49 k
 libxml-security-c17    x86_64    1.7.3-3.1         security_shibboleth   286 k
 libxmltooling6         x86_64    1.5.4-4.2         security_shibboleth   702 k
 opensaml-schemas       x86_64    2.5.4-3.3         security_shibboleth    29 k
 unixODBC               x86_64    2.3.1-10.el7      base                  413 k
 xerces-c               x86_64    3.1.1-6.el7       base                  878 k
 xmltooling-schemas     x86_64    1.5.4-4.2         security_shibboleth    12 k

Transaction Summary
=============================================================
Install  1 Package (+12 Dependent packages)

Total download size: 5.1 M
Installed size: 28 M
Is this ok [y/d/N]: y
Installed: shibboleth.x86_64 0:2.5.4-3.2
[root@wood yum.repos.d]# systemctl list-units --all | grep -i shib
shibd.service    loaded inactive dead    LSB: Shibboleth 2 Service Provider Daemon
[root@wood yum.repos.d]# systemctl enable shibd.service
shibd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig shibd on
The unit files have no [Install] section. They are not meant to be enabled
using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
   .wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
   a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
   D-Bus, udev, scripted systemctl call, ...).
[root@wood yum.repos.d]# chkconfig --list | grep shibd

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

shibd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
and, manually, the first time:
# /etc/init.d/shibd start ; tail -f /var/log/shibboleth/shibd.log
Then restart / reload httpd to load mod_shib, which is configured in /etc/httpd/conf.d/shib.conf:
[root@wood ~]# systemctl restart httpd.service
[root@blog3 /var/log/httpd] $ touch native.log
[root@blog3 /var/log/httpd] $ chown apache native.log

$ diff httpd.conf httpd.conf.orig
275c275
< UseCanonicalName On
---
> UseCanonicalName Off
Configure the ACL in /etc/shibboleth/shibboleth2.xml that allows access to this URL:

<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 157.159.50.97"/>

Access:

The metadata directly:

The file /etc/shibboleth/shibboleth2.xml contains most of the configuration of the Shibboleth Service Provider. Only the parts modified relative to the original file are shown here, namely the SSO service, the error messages, and the Metadata.

Warning: since version 2.4, the SessionInitiator element has been replaced by the SSO element! https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO
<ApplicationDefaults entityID="https://wp.it-sudparis.eu/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
    ...
    <!-- <SSO entityID="https://idp.example.org/shibboleth" -->
    <SSO discoveryProtocol="SAMLDS" discoveryURL="https://shibidp1.it-sudparis.eu/WAYFIT/WAYF.php">
        SAML2 SAML1
    </SSO>

    <Errors supportContact="jehan.procaccia@it-sudparis.eu"
            metadata="metadataError_fr.html"
            access="accessError_fr.html"
            ssl="sslError_fr.html"
            localLogout="localLogout_fr.html"
            globalLogout="globalLogout_fr.html"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
    ...

    <!-- Chains together all your metadata sources. -->
    <MetadataProvider type="Chaining">
        <!-- IT federation -->
        <MetadataProvider type="XML" uri="http://shibidp.it-sudparis.eu/metadata/metadata.itsp.xml"
                          backingFilePath="/etc/shibboleth/metadata.itsp.xml" reloadInterval="7200">
        </MetadataProvider>
        <!-- Metadata of the Éducation-Recherche test federation -->
        <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
                          backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
        </MetadataProvider>
    </MetadataProvider>
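As an added example (not code from this page or from the Shibboleth project), a small Python audit of the MetadataProvider chain above: it parses a constructed excerpt of shibboleth2.xml that mirrors the two providers shown, and reports which remote providers fetch metadata over plain HTTP or lack the Signature and RequireValidUntil filters that the Renater provider carries. Only the standard library is used.

```python
import xml.etree.ElementTree as ET

# Default namespace of shibboleth2.xml for SP 2.x.
NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed excerpt mirroring the MetadataProvider chain on this page;
# it is not the real /etc/shibboleth/shibboleth2.xml.
SAMPLE_CONFIG = f"""<SPConfig xmlns="{NS}">
  <ApplicationDefaults entityID="https://wp.it-sudparis.eu/shibboleth">
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML"
          uri="http://shibidp.it-sudparis.eu/metadata/metadata.itsp.xml"
          backingFilePath="/etc/shibboleth/metadata.itsp.xml" reloadInterval="7200"/>
      <MetadataProvider type="XML"
          uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
          backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="metadata-federation-renater.crt"/>
      </MetadataProvider>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""


def audit_metadata_providers(config_xml):
    """Return one finding dict per remote (type="XML" with a uri) MetadataProvider."""
    root = ET.fromstring(config_xml)
    findings = []
    for mp in root.iter(f"{{{NS}}}MetadataProvider"):
        uri = mp.get("uri")
        if mp.get("type") != "XML" or not uri:
            continue  # Chaining wrappers and purely local providers are skipped
        # Filters are direct children of the provider they apply to.
        filters = {f.get("type") for f in mp.findall(f"{{{NS}}}MetadataFilter")}
        problems = []
        if uri.startswith("http://"):
            problems.append("fetched over plain HTTP")
        if "Signature" not in filters:
            problems.append("no Signature filter: metadata is not verified")
        if "RequireValidUntil" not in filters:
            problems.append("no RequireValidUntil filter: stale metadata is accepted")
        findings.append({"uri": uri, "filters": sorted(filters), "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_metadata_providers(SAMPLE_CONFIG):
        print(finding["uri"], "->", finding["problems"] or "ok")
```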
Grant write access on the configuration / metadata download directory (by default /etc/shibboleth) to the shibd user (the user the shibd daemon runs as):

[root@wood shibboleth]# chgrp shibd .
[root@wood shibboleth]# chmod 775 .

Generate the key pair for the application/vhost:
[root@colmut shibboleth]# ./keygen.sh -h moodev.tem-tsp.eu -f
Generating a 2048 bit RSA private key
......+++
.....................................................................................+++
writing new private key to './sp-key.pem'
-----
[root@colmut shibboleth]# mv sp-key.pem moodev.tem-tsp.eu-sp-key.pem
[root@colmut shibboleth]# mv sp-cert.pem moodev.tem-tsp.eu-sp-cert.pem
[root@colmut shibboleth]# chown shibd moodev.tem-tsp.eu-sp-key.pem moodev.tem-tsp.eu-sp-cert.pem

Declaration of the application override, loading the self-signed certificates generated above:

    ...
    <ApplicationOverride id="moodev" entityID="https://moodev.tem-tsp.eu/sp"
                         REMOTE_USER="eppn persistent-id targeted-id">
        <CredentialResolver type="File" key="moodev.tem-tsp.eu-sp-key.pem"
                            certificate="moodev.tem-tsp.eu-sp-cert.pem"/>
    </ApplicationOverride>
</ApplicationDefaults>