Shibboleth Identity Provider (IDP) Configuration

In this blog post I have written down the steps I followed to install and configure Shibboleth IDP on Ubuntu. Shibboleth IDP ships as a “war” file, so a servlet container is needed first; Tomcat is used here.

Install Tomcat

I followed this blog to install Tomcat 9 on Ubuntu; it covers the following steps:

  • Install OpenJDK
  • Create Tomcat User
  • Install Tomcat
  • Create a systemd Unit File
  • Adjust the Firewall
  • Configure Tomcat Web Management Interface

The latest Tomcat release can be found here.

Install IDP

Download Shibboleth IDP

Extract Source

Extract the archive, run “install.sh” from its bin directory, and give the installed tree to the tomcat user. The installer prompts for the installation directory (accept the default “/opt/shibboleth-idp”) and for the IDP hostname; answer with the name the IDP will be served under (idp.shibboleth.com here), because it is written into the default entityID and into the generated signing and encryption certificates.

tar -xvzf shibboleth-identity-provider-4.0.1.tar.gz
cd shibboleth-identity-provider-4.0.1/bin
sudo ./install.sh
sudo chown -R tomcat /opt/shibboleth-idp

Handing the whole tree to the tomcat user is the simple route. Strictly, the IDP only needs to write to logs/ (and to metadata/ if remote metadata is cached to disk); conf/ and credentials/, which holds the private keys, can stay owned by root and merely readable by tomcat.

Deploy WAR File

Deploy the war file “/opt/shibboleth-idp/war/idp.war” into Tomcat using the Tomcat manager.

Nested Servlet Exception

Once the war file is deployed, the application throws a “Nested Servlet Exception” when the status page is opened in the browser: the status page is a JSP that uses JSTL, which Tomcat does not ship. To fix it, download jstl-1.2.jar, place it in “$TOMCAT_INSTALL_DIR/lib”, and restart Tomcat so the jar is picked up.

Install Apache

To serve the Shibboleth IDP under a hostname (for example idp.shibboleth.com) and terminate HTTPS in front of Tomcat, I used Apache as a reverse proxy. Install it on Ubuntu with:

sudo apt-get update
sudo apt-get install apache2

Configure HTTPS for IDP Site

To configure HTTPS for the hostname on Apache, follow these steps:

  • Create Self-signed Certificate
  • Configure SSL Params
  • Create Hostname Configuration File
  • Enable Apache Module

Create Self-signed Certificate

To configure HTTPS for the Shibboleth IDP site, create a self-signed certificate with the following commands. A self-signed certificate is fine for a lab; anything a real SP federates with should get a CA-issued one. Put the hostname in the Common Name and also in a subjectAltName, because browsers and TLS libraries match the name against the SAN, not the CN (the -addext option needs OpenSSL 1.1.1 or later; without it, answer the interactive prompts and accept a CN-only certificate). Afterwards make sure idp.key is readable only by root (mode 600), since -keyout creates it with the default umask.

sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=idp.shibboleth.com" -addext "subjectAltName=DNS:idp.shibboleth.com" -keyout /etc/apache2/ssl/idp.key -out /etc/apache2/ssl/idp.crt

Configure SSL Params

Configure the TLS parameters. This file lives in conf-available, so it applies server-wide to every TLS-enabled vhost on this Apache, including the one for the hostname (e.g. idp.shibboleth.com).

sudo nano /etc/apache2/conf-available/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# HSTS is left off until the site is HTTPS-only; then enable the line below, and keep
# "preload" only if you understand the implications of the browser preload list.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
# Stapling has nothing to staple for a self-signed certificate (no OCSP responder) and only
# takes effect once a CA-issued certificate is installed; harmless to leave enabled.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

Create Hostname Configuration File

Create the site configuration file, providing:

  • Hostname in “ServerName”
  • Hostname alias in “ServerAlias”
  • Self-signed certificate path in “SSLCertificateFile”, generated above
  • Self-signed certificate key path in “SSLCertificateKeyFile”, generated above

sudo nano /etc/apache2/sites-available/idp.shibboleth.com.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName idp.shibboleth.com
        ServerAlias www.idp.shibboleth.com
        ServerAdmin winma@wso2.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/idp.crt
        SSLCertificateKeyFile /etc/apache2/ssl/idp.key

        # Reverse proxy only; never act as a forward proxy
        ProxyRequests Off
        # Pass the original Host header so the IDP builds its URLs for idp.shibboleth.com
        ProxyPreserveHost On
        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/

        <Location />
            Require all granted
        </Location>
    </VirtualHost>
</IfModule>

Compared with a first draft of this file, the Apache 2.2 “Order/Allow” access-control lines are replaced by “Require all granted” (on Apache 2.4 the old syntax only works with mod_access_compat), the duplicated ProxyRequests line is reduced to one, and SSLProxyEngine is dropped because the hop to Tomcat is plain HTTP. Two things to check once this is live. First, ProxyPass / forwards every path, including Tomcat's /manager and /host-manager applications, under the public hostname; add “ProxyPass /manager !” and “ProxyPass /host-manager !” above the catch-all (exclusions must come before it, since ProxyPass rules match in order) if the manager should stay reachable only on localhost:8080. Second, Tomcat still sees a plain-HTTP connection on port 8080, so the IDP would otherwise generate http:// URLs and redirects; set proxyPort="443" scheme="https" secure="true" on the 8080 connector in Tomcat's server.xml (or configure RemoteIpValve) so the IDP knows the client connection is HTTPS.
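The ssl-params fragment above and this vhost are the two places where a weak setting slips in unnoticed: a protocol left enabled, a header that was never uncommented, or the Tomcat manager forwarded along with everything else. The following Python script is an added example, not part of the original post and not Shibboleth or Apache code. It reads both fragments with a minimal directive parser (constructed copies of the two configurations are embedded) and flags legacy protocols, client-chosen cipher order, TLS compression, session tickets, missing security headers, an exposed /manager path, an exclusion placed after the catch-all, open-proxy mode and Apache 2.2 access-control syntax. The hardened vhost variant is an assumption for the demonstration, not something the post configures.

```python
"""Audit Apache TLS parameters and the IDP reverse-proxy vhost for weak or mistaken settings."""

# Constructed copy of the security-relevant lines of ssl-params.conf from this walkthrough.
SSL_PARAMS_CONF = """
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLSessionTickets Off
"""

# Constructed copy of the proxy lines of the idp.shibboleth.com vhost.
VHOST_CONF = """
<VirtualHost *:443>
    ServerName idp.shibboleth.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
"""

# Assumed hardened variant: Tomcat's manager apps are excluded before the catch-all ProxyPass.
HARDENED_VHOST_CONF = VHOST_CONF.replace(
    "    ProxyPass / ", "    ProxyPass /manager !\n    ProxyPass /host-manager !\n    ProxyPass / ")

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(conf):
    """(name, args) per directive with names lower-cased; comments and <Section> tags are skipped."""
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            parts = line.split(None, 1)
            out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out


def allowed_protocols(args):
    """Resolve an SSLProtocol argument list as Apache does: 'all' plus +/- modifiers."""
    allowed = set()
    for tok in args.split():
        if tok.lower() == "all":
            allowed.update(ALL_PROTOCOLS)
        elif tok.startswith("-"):
            allowed.discard(tok[1:])
        else:
            allowed.add(tok.lstrip("+"))
    return allowed


def tls_findings(conf):
    """Weak TLS settings in an ssl-params style fragment; an empty list means nothing flagged."""
    directives = parse_directives(conf)
    values = dict(directives)  # last occurrence wins, as in Apache
    headers = {args.split()[args.split().index("set") + 1].lower()
               for name, args in directives if name == "header" and "set" in args.split()}
    findings = []
    # Apache 2.4 default when SSLProtocol is absent is "all -SSLv3", which still allows TLS 1.0/1.1
    legacy = [p for p in LEGACY_PROTOCOLS if p in allowed_protocols(values.get("sslprotocol", "all -SSLv3"))]
    if legacy:
        findings.append("SSLProtocol allows " + ", ".join(legacy))
    # (directive, Apache default when absent, required value, finding)
    for key, default, want, msg in (("sslhonorcipherorder", "off", "on", "SSLHonorCipherOrder is not On"),
                                    ("sslcompression", "off", "off", "SSLCompression is not off"),
                                    ("sslsessiontickets", "on", "off", "SSLSessionTickets is not Off")):
        if values.get(key, default).lower() != want:
            findings.append(msg)
    for h in ("x-frame-options", "x-content-type-options", "strict-transport-security"):
        if h not in headers:
            findings.append(f"{h} header not set")
    return findings


def proxy_findings(conf):
    """Reverse-proxy mistakes in a vhost: exposed Tomcat manager, open proxy, lost Host header, 2.2 syntax."""
    directives = parse_directives(conf)
    values = dict(directives)
    findings, excluded, seen_root = [], set(), False
    for name, args in directives:
        toks = args.split()
        if name != "proxypass" or not toks:
            continue
        if len(toks) >= 2 and toks[1] == "!":
            if seen_root:  # ProxyPass rules match in order, so an exclusion after "/" is dead
                findings.append(f"ProxyPass {toks[0]} ! comes after ProxyPass / and never matches")
            excluded.add(toks[0])
        elif toks[0] == "/":
            seen_root = True
    for path in ("/manager", "/host-manager"):
        if seen_root and path not in excluded:
            findings.append(f"ProxyPass / forwards {path} to Tomcat; add 'ProxyPass {path} !' before it")
    if values.get("proxyrequests", "off").lower() == "on":
        findings.append("ProxyRequests On makes the vhost an open forward proxy")
    if values.get("proxypreservehost", "off").lower() != "on":
        findings.append("ProxyPreserveHost is not On; the IDP would see 127.0.0.1 as its hostname")
    if any(name in ("order", "allow", "deny") for name, _ in directives):
        findings.append("Apache 2.2 Order/Allow/Deny directives; use Require on 2.4")
    return findings
```

Run against the post's own ssl-params fragment the only finding is the commented-out HSTS header; against the vhost as written the two findings are the forwarded /manager and /host-manager paths, and the hardened variant is clean. Feeding it a fragment such as “SSLProtocol All -SSLv2 -SSLv3” shows why the -TLSv1 -TLSv1.1 modifiers matter: Apache's “All” still includes both.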

Enable Apache Module

To make the changes live, enable the required modules, the site and the SSL parameters configuration, check the syntax and restart Apache:

sudo a2enmod proxy_http proxy ssl headers
sudo a2ensite idp.shibboleth.com
sudo a2enconf ssl-params
sudo apache2ctl configtest
sudo systemctl restart apache2

Check IDP HTTPS access

Edit “/etc/hosts” on the machine you browse from so the hostname resolves to the IDP, then open https://idp.shibboleth.com/idp/status in the browser. The browser will warn about the self-signed certificate until idp.crt is imported into its trust store.

127.0.0.1 idp.shibboleth.com
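Rather than clicking through the browser warning (or passing -k to curl, which turns certificate verification off entirely), the check can trust exactly the self-signed certificate Apache serves and nothing else. This Python script is an added example, not from the original post and not Shibboleth code: it connects to 127.0.0.1:443 while presenting idp.shibboleth.com in SNI and the Host header, which is the same effect the /etc/hosts entry has for a browser, refuses anything below TLS 1.2, and reports the negotiated protocol, the HTTP status and the security headers of /idp/status. The certificate path is the one created earlier; the expected headers are the ones ssl-params.conf sets.

```python
"""Probe the IDP vhost over HTTPS with the self-signed certificate pinned as the only trust anchor."""
import http.client
import socket
import ssl
import sys

# Headers the ssl-params configuration is expected to add to every response.
REQUIRED_HEADERS = ("x-frame-options", "x-content-type-options", "strict-transport-security")


def pinned_context(cert_file):
    """A normal verifying, hostname-checking context whose only trusted CA is Apache's own idp.crt."""
    ctx = ssl.create_default_context(cafile=cert_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 even if the server offered them
    return ctx


def fetch(hostname, cert_file, ip="127.0.0.1", port=443, path="/idp/status"):
    """GET `path` from the proxy at ip:port while presenting `hostname` in SNI and the Host header."""
    ctx = pinned_context(cert_file)
    raw = socket.create_connection((ip, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)  # chain and subjectAltName are verified here
    conn = http.client.HTTPSConnection(hostname, port, context=ctx)
    conn.sock = tls  # reuse the connected socket, so no DNS lookup of the hostname is needed
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        resp.read()
        return tls.version(), resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def check(tls_version, status, headers):
    """Findings for one response; an empty list means the status page is served as intended."""
    findings = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {tls_version}")
    if status != 200:
        findings.append(f"/idp/status returned HTTP {status}")
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"{name} header missing")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: idp_probe.py <hostname> <path to idp.crt>")
    result = fetch(sys.argv[1], sys.argv[2])
    print(f"TLS {result[0]}, HTTP {result[1]}")
    problems = check(*result)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it as python3 idp_probe.py idp.shibboleth.com /etc/apache2/ssl/idp.crt. Verification succeeds only if the certificate's subjectAltName contains the hostname, which is why the SAN was added when the certificate was generated; a certificate with the name only in the CN fails here just as it does in a current browser. With the HSTS line still commented out in ssl-params.conf the probe reports exactly that one finding. The IDP restricts /idp/status by client address (localhost by default in its access-control configuration), which the proxy satisfies because Tomcat sees the request arriving from 127.0.0.1.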
Sanjay Gondaliya
Technical Director

My research interests include automation in penetration testing.