NetID Login Service - Apache Installation (Red Hat / CentOS)

Details for installing Shibboleth on Red Hat Enterprise Linux / CentOS with Apache

Apache Linux RedHat/CentOS Shibboleth Service Provider Installation

This document goes step-by-step through the installation of the Shibboleth Service Provider (SP) on RedHat/CentOS Linux Server platform.

System Requirements:

This documentation assumes you have the Apache 2 HTTP Web Server that comes with RedHat/CentOS installed and configured with SSL. SELinux must be disabled.
You will also need sudo rights, Internet connectivity and familiarity with Open Source software.
If you do not have all of these things, you cannot proceed and you should contact your system administrator for assistance.

Installing the Shibboleth SP

If your host is managed by DoIT Systems Engineering, ask your System Administrator to install the Shibboleth Service Provider.

Installing via yum:

The strongly recommended approach is to take advantage of the Build Service's ability to act as a yum repository alongside your existing OS-supplied repository. This allows you to manage the Shibboleth packages in a standard way and pick up updates using a single command.

The root of the repository tree for Shibboleth can be found at http://download.opensuse.org/repositories/security://shibboleth/ with each supported OS in its own subdirectory. Each subdirectory is the root of a yum repository and contains a definition file named security:shibboleth.repo.

Installation varies by OS, but usually you just drop the definition file into a directory such as /etc/yum.repos.d. You can turn the repository on and off by adjusting the "enabled" property in the file, such as to prevent automated updates and maintain manual control.

While enabled, the yum command will "see" the Shibboleth packages when you perform standard operations, and installing the SP should require only a single command.

Step 1: Select your OS and determine the repository configuration file location from the table below:

Operating System Repository Download Link
CentOS 5 http://download.opensuse.org/repositories/security://shibboleth/CentOS_5/security:shibboleth.repo
CentOS 6 http://download.opensuse.org/repositories/security://shibboleth/CentOS_CentOS-6/security:shibboleth.repo
CentOS 7 http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
RHEL 4 http://download.opensuse.org/repositories/security://shibboleth/RHEL_4/security:shibboleth.repo
RHEL 5 http://download.opensuse.org/repositories/security://shibboleth/RHEL_5/security:shibboleth.repo
RHEL 6 http://download.opensuse.org/repositories/security://shibboleth/RHEL_6/security:shibboleth.repo
RHEL 7 http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo


Step 2: Download and install the Shibboleth repository configuration file:
sudo wget <repo file from link above> -O /etc/yum.repos.d/shibboleth.repo


Step 3: Install Shibboleth:

Be careful of accidentally installing both the 64-bit and 32-bit version on a 64-bit server. The yum repository contains both versions and the OS may think it can install both.

32-bit OS:
sudo yum -y install shibboleth

64-bit OS:
sudo yum -y install shibboleth.x86_64

After Installation

Make sure the following logging directories and files were created, create them if they weren't, set permissions and configure Shibboleth to start on boot:
sudo mkdir -p /var/log/shibboleth
sudo chown -R shibd:shibd /var/log/shibboleth
sudo touch /var/log/httpd/native.log
sudo /sbin/chkconfig --add shibd
sudo /sbin/chkconfig --levels 345 shibd on

Start the Shibboleth daemon, Restart Apache and examine the logs for any errors:
sudo /sbin/service shibd start
sudo /sbin/service httpd restart
sudo grep CRIT /var/log/shibboleth/shibd.log

You should see the following item in the shibd log. You can safely ignore it for now. There may be problems with your installation if you see any other CRIT log entries.

2012-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
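
The following is an added example, not part of the original page: a small shell check that scans a shibd.log for CRIT entries, ignores the one known-benign "no MetadataProvider available" notice described above, and reports anything else so a bad install is caught before moving on. The log lines embedded in it are constructed samples, not output from a real server; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original KB page): report CRIT entries in
# shibd.log other than the expected "no MetadataProvider" notice.

# Constructed sample log for the stand-alone demo (not real server output).
SAMPLE_LOG=$(cat <<'EOF'
2012-01-20 09:31:20 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
2012-01-20 09:31:20 INFO Shibboleth.Listener : listener service starting
2012-01-20 09:31:21 CRIT Shibboleth.Config : error loading shibboleth2.xml: mismatched tag
EOF
)

# Print CRIT lines that are NOT the expected pre-metadata notice.
# Usage: unexpected_crit_lines <logfile>
unexpected_crit_lines() {
    grep ' CRIT ' "$1" | grep -v 'no MetadataProvider available' || true
}

# Return 0 when the only CRIT entry is the benign one, 1 otherwise.
# Usage: shibd_log_ok <logfile>
shibd_log_ok() {
    if [ -n "$(unexpected_crit_lines "$1")" ]; then
        return 1
    fi
    return 0
}

# Stand-alone demo: write the constructed sample to a temp file and check it.
# On a real host, point the functions at /var/log/shibboleth/shibd.log instead.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
if shibd_log_ok "$tmp"; then
    echo "shibd.log: only the expected CRIT entry found"
else
    echo "shibd.log: unexpected CRIT entries, check your installation:"
    unexpected_crit_lines "$tmp"
fi
rm -f "$tmp"
```

Run it against /var/log/shibboleth/shibd.log after starting shibd; a clean install prints only the first message.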

Open up a web browser and point to your site with the following Shibboleth path:
https://www.yoursite.wisc.edu/Shibboleth.sso/Session

Verify that you see this message:
A valid session was not found.

Integrating Shibboleth SP with RedHat/Centos Apache

Edit /etc/httpd/conf/httpd.conf: The UseCanonicalName directive should be set to On or resource mapping errors will result.
Ensure that the ServerName directive is properly set, and that Apache is being started with SSL enabled.

Edit /etc/httpd/conf.d/shibd.conf to enable Shibboleth for specific Locations:
<Location /path/to/secured/content>
  AuthType shibboleth
  ShibRequestSetting applicationId "www.yoursite.wisc.edu"
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

Restart Apache after changing httpd.conf and shibd.conf:
sudo /sbin/service httpd restart
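
The following is an added example, not part of the original page: a pre-flight check to run before restarting Apache. It confirms the two httpd.conf settings this section requires (UseCanonicalName On and a ServerName) and that a Shibboleth Location block also sets requireSession 1 and require valid-user, so protected content is not left reachable without a session. File paths are parameters; the config snippets embedded in it are constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original KB page): sanity-check httpd.conf
# and shibd.conf before "service httpd restart".

# Lines that are not comments, so commented-out directives do not count.
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# Usage: check_httpd_conf <httpd.conf>
# Prints one line per problem and returns 1 if any were found.
check_httpd_conf() {
    problems=0
    if ! active_lines "$1" | grep -Eiq '^[[:space:]]*UseCanonicalName[[:space:]]+On[[:space:]]*$'; then
        echo "UseCanonicalName is not On: resource mapping errors will result"
        problems=$((problems + 1))
    fi
    if ! active_lines "$1" | grep -Eiq '^[[:space:]]*ServerName[[:space:]]+[^[:space:]]+'; then
        echo "ServerName is not set"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: check_shib_location <shibd.conf>
# Confirms the Location block enables Shibboleth AND requires a session.
check_shib_location() {
    problems=0
    for directive in 'AuthType[[:space:]]+shibboleth' \
                     'ShibRequestSetting[[:space:]]+requireSession[[:space:]]+1' \
                     'require[[:space:]]+valid-user'; do
        if ! active_lines "$1" | grep -Eiq "^[[:space:]]*$directive"; then
            echo "shibd.conf is missing: $directive"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample configs for the demo (not real server files).
GOOD_HTTPD='ServerName www.yoursite.wisc.edu
UseCanonicalName On
Include conf.d/*.conf'

BAD_HTTPD='#ServerName www.yoursite.wisc.edu
UseCanonicalName Off'

GOOD_SHIBD='<Location /secure>
  AuthType shibboleth
  ShibRequestSetting applicationId "www.yoursite.wisc.edu"
  ShibRequestSetting requireSession 1
  require valid-user
</Location>'

# Stand-alone demo: write the samples to temp files and check them.
# On a real host, pass /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/shibd.conf.
demo_dir=$(mktemp -d)
printf '%s\n' "$GOOD_HTTPD" > "$demo_dir/httpd.conf"
printf '%s\n' "$BAD_HTTPD"  > "$demo_dir/httpd-bad.conf"
printf '%s\n' "$GOOD_SHIBD" > "$demo_dir/shibd.conf"
for f in httpd.conf httpd-bad.conf; do
    if check_httpd_conf "$demo_dir/$f"; then echo "$f: OK"; else echo "$f: FAILED"; fi
done
if check_shib_location "$demo_dir/shibd.conf"; then echo "shibd.conf: OK"; fi
rm -rf "$demo_dir"
```

The check only reads the files named on the command line; directives pulled in through Include are not followed, so run it against the file where you actually set ServerName.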

Download Metadata Signing Certificate

Save this file in the Shibboleth installation directory (Default: /etc/shibboleth)
  • UW-Madison and UW-Madison Federation (e.g. PubCookie Replacement)
    • Download the Signing Certificate
    • Or Copy&Paste this address into your address bar: https://login.wisc.edu/metadata/login.wisc.edu-signing.pem
  • Wisconsin Federation (e.g. Approved IDI Request)
    • Download the Signing Certificate
    • Or Copy&Paste this address into your address bar: https://wayf.wisconsin.edu/metadata/wayf.wisconsin.edu-signing.pem

Generate Shibboleth2.xml File

After installing the SP software for Shibboleth you'll need to configure the shibboleth2.xml file correctly to work with the NetID Login Service. We recommend you use the automatic shibboleth2.xml generator.

Manual

Place shibboleth2.xml and metadata signing certificate (login.wisc.edu-signing.pem) in /etc/shibboleth:
sudo cp ~/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
sudo wget http://login.wisc.edu/metadata/login.wisc.edu-signing.pem -O /etc/shibboleth/login.wisc.edu-signing.pem

Verify the MD5 checksum of the metadata signing certificate:
md5sum /etc/shibboleth/login.wisc.edu-signing.pem


If you do not see the following checksum, stop and contact help@login.wisc.edu:
478044ae7b137c1182ce7cdb9511f329 /etc/shibboleth/login.wisc.edu-signing.pem
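
The following is an added example, not part of the original page: a shell function that compares a downloaded file's MD5 against the checksum published out of band and refuses to continue on mismatch, which is the check the step above asks you to do by eye. The expected checksum is passed in as a parameter; the demo file it creates is constructed, so its checksum is not the one this page publishes. A second function prints the certificate's SHA-256 fingerprint for comparison against an independent source; function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original KB page): verify a downloaded
# signing certificate against a published checksum before trusting it.

# Usage: verify_md5 <file> <expected-md5>
# Returns 0 on match, 1 (with a message on stderr) on mismatch.
verify_md5() {
    file="$1"
    expected="$2"
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# Usage: cert_sha256_fingerprint <pem-file>
# Prints the SHA-256 fingerprint of the certificate so it can be compared
# with a second, independent source (not exercised in the demo below).
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone demo with a constructed file (NOT the real certificate).
# On a real host:
#   verify_md5 /etc/shibboleth/login.wisc.edu-signing.pem <published checksum> || exit 1
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
if verify_md5 "$tmp" b1946ac92492d2347c6235b4d2611184; then
    echo "checksum OK, safe to restart shibd"
else
    echo "stop here and contact help@login.wisc.edu"
fi
rm -f "$tmp"
```

Chain it with the restart so a mismatch stops the procedure instead of being overlooked: verify_md5 ... && sudo /sbin/service shibd restart.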

If the checksum matches, restart the Shibboleth daemon and Apache, examine the logs to verify that federation metadata was successfully downloaded:
sudo /sbin/service shibd restart
sudo /sbin/service httpd restart
sudo grep login.wisc.edu-metadata.xml /var/log/shibboleth/shibd.log


You should see the following in the shibd.log:
2012-01-20 10:15:26 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/opt/shibboleth-sp/var/run/shibboleth/login.wisc.edu-metadata.xml)

Open up a web browser and point to your site with the following Shibboleth path:
https://www.yoursite.wisc.edu/Shibboleth.sso/Metadata

Verify that there is XML metadata content at this path; your browser may offer to download it rather than display it.

Service Provider Activation

Once you have your SP application installed, configured, and integrated correctly, you need to activate it with the NetID Login Service. To do so, email either the Metadata file itself (https://localhost/Shibboleth.sso/Metadata) or a link to your Metadata location (https://domain.wisc.edu/Shibboleth.sso/Metadata) for your application to the NetID Login Service, along with your preferred contact for the SP.


Until your site is authorized, the following NetID Login Service error message will be presented to your users if they try to access protected content:
Sorry, there was a problem. Unsupported Request: The application you have accessed is not registered for use with this service.

Troubleshooting

If you are having trouble, try these resources:

Errata

RedHat 6

Red Hat Enterprise 6 was recently released. The SP is compatible with it, but not if the OS-supplied version of libcurl is used. Red Hat has rebuilt many packages on top of the Netscape Security Services stack (NSS) instead of OpenSSL, including curl.

This is a breaking change because curl does not have the same feature set when used with NSS, and one of the features it loses is required by the SP for basic operation in most, though not all, deployments. Specifically, if your SP requires the use of back-channel SOAP communication with IdP (this describes most scenarios involving legacy IdPs and attribute queries), it won't function without the workaround noted below.

Until recently, the Shibboleth Project provided a substitute libcurl package (called libcurl-openssl) that was intended to "upgrade" and replace the OS-supplied package. This was rightly noted as a bad solution, since it potentially affects other OS-supplied software.

As of version 2.4.3, the Service Provider package set now includes an improved curl-openssl package set that installs to /opt/shibboleth and does not overwrite or interfere with the OS-supplied version. It is also based on the most recent version of libcurl available and will be kept updated if curl security updates are released.

On affected platforms (RH6, CentOS 6, etc.), the shibboleth packages now depend on this look-aside package and ensure its installation in the normal fashion. The /etc/init.d/shibd script installed for you will also include a LD_LIBRARY_PATH variable that directs the shibd process to load the alternative version of libcurl.so instead of the normal one.

The new package set should not require any special adjustments to your OS upgrade stream, and the lookaside package will not impact any other software unless you manually set the same LD_LIBRARY_PATH variable in your shell.

Note also that some of the utilities accompanying the SP, such as the resolvertest program, may not function properly without the same variable being set, but there is no shell script provided for you to set this; you'll have to do this by hand.


Document Sourced from official Shibboleth documentation. Adapted September 27th, 2011 from: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall



Keywords: netid login service webiso iso sso saml2 shib shibboleth install apache red hat rhel centos linux redhat centos
Doc ID: 20454
Owner: Ryan L.
Group: Access Management Services
Created: 2011-09-27 15:19 CDT
Updated: 2016-09-13 13:38 CDT
Sites: Access Management Services, DoIT Help Desk, Middleware