Shibboleth Service Provider (SP) Configuration
Configure HTTPS for SP Site
To configure HTTPS for a given hostname on Apache, follow these steps:
- Create Self-signed Certificate
- Configure SSL Params
- Create Hostname Configuration File
- Enable Apache Module
Create Self-signed Certificate
To serve the Shibboleth SP website over HTTPS, first create a self-signed certificate and private key with the following commands (browsers will warn about it until it is replaced by a CA-issued certificate):
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/sp.key -out /etc/apache2/ssl/sp.crt
Configure SSL Params
Create the SSL parameters configuration for the hostname (e.g. sp.shibboleth.com):
sudo nano /etc/apache2/conf-available/sp-ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
Create Hostname Configuration
Create the virtual host configuration file with:
- the hostname in ServerName
- the hostname alias in ServerAlias
- the path of the self-signed certificate generated above in SSLCertificateFile
- the path of its private key in SSLCertificateKeyFile
sudo nano /etc/apache2/sites-available/sp.shibboleth.com.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName sp.shibboleth.com
        ServerAlias www.sp.shibboleth.com
        ServerAdmin winma@wso2.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        #ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        SSLEngine on
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/ssl/sp.crt
        SSLCertificateKeyFile /etc/apache2/ssl/sp.key
        ProxyRequests Off
        ProxyPreserveHost On
        <Location />
            Order allow,deny
            Allow from all
        </Location>
    </VirtualHost>
</IfModule>
Enable Apache Module
To make the changes live, enable the required modules, the site and the SSL configuration, then test the configuration and restart Apache:
sudo a2enmod proxy_http proxy ssl headers
sudo a2ensite sp.shibboleth.com
sudo a2enconf sp-ssl-params
sudo apache2ctl configtest
sudo systemctl restart apache2
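As an added check (not part of the original post), the following bash script audits an sp-ssl-params.conf like the one above for the settings this procedure depends on: legacy protocol versions disabled, compression and session tickets off, server cipher order honoured, and HSTS flagged while it is still commented out. The function names and the FAIL/WARN output format are my own.

```shell
#!/usr/bin/env bash
# Added example: audit an Apache SSL params file (e.g.
# /etc/apache2/conf-available/sp-ssl-params.conf) for the settings the
# procedure above relies on. Prints one FAIL/WARN line per finding and
# returns 0 only when no FAIL was raised.

# Effective value of a directive: case-insensitive, comments ignored, and the
# last occurrence wins, mirroring how Apache resolves repeated directives.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) {
        v = $2; for (i = 3; i <= NF; i++) v = v " " $i
    } END { print v }' "$1"
}

audit_ssl_params() {
    local conf="$1" rc=0 proto old pair val
    proto=$(directive_value "$conf" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "FAIL: SSLProtocol not set; the Apache default still allows TLSv1/TLSv1.1"; rc=1
    else
        # With "All" every legacy version must be removed by name; an explicit
        # allow-list such as "TLSv1.2 TLSv1.3" must simply not mention them.
        for old in SSLv3 TLSv1 TLSv1.1; do
            case " $proto " in
                *" -$old "*) ;;
                *" $old "*|*" All "*|*" all "*)
                    echo "FAIL: $old still enabled by 'SSLProtocol $proto'"; rc=1 ;;
            esac
        done
    fi
    # Directives the post sets against CRIME (compression), client-chosen weak
    # ciphers and long-lived session ticket keys.
    for pair in SSLCompression=off SSLHonorCipherOrder=on SSLSessionTickets=off; do
        val=$(directive_value "$conf" "${pair%%=*}" | tr 'A-Z' 'a-z')
        if [ "$val" != "${pair##*=}" ]; then
            echo "FAIL: ${pair%%=*} should be ${pair##*=} (found '${val:-unset}')"; rc=1
        fi
    done
    # The post leaves HSTS commented out; warn so it is not forgotten once a
    # CA-issued certificate is in place.
    if ! grep -qiE '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' "$conf"; then
        echo "WARN: Strict-Transport-Security header not set"
    fi
    return "$rc"
}

# Usage: audit_ssl_params.sh /etc/apache2/conf-available/sp-ssl-params.conf
[ "$#" -eq 0 ] || audit_ssl_params "$1"
```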
Install SP
Run the following commands to install the Shibboleth SP and enable its Apache module:
sudo apt-get install libapache2-mod-shib2
sudo a2enmod auth_basic
sudo a2enmod shib2
Configure SP Certificate
Generate the SP key and certificate with the shib-keygen utility, then inspect the generated certificate with the openssl command:
sudo shib-keygen -h sp.shibboleth.com
openssl x509 -text -noout -in /etc/shibboleth/sp-cert.pem
Configure Shibboleth2.xml
To make the SP work, configure the IdP and SP hostnames in shibboleth2.xml, along with the other settings shown in the video:
- Set the IdP hostname to idp.shibboleth.com
- Set the SP hostname to sp.shibboleth.com
- Under <Sessions>, set handlerSSL="true" and cookieProps="https"
- Include the <MetadataProvider> as follows, and copy the IdP metadata into /etc/shibboleth/:
<MetadataProvider type="XML" file="idp-metadata.xml"/>
sudo cp /opt/shibboleth-idp/metadata/idp-metadata.xml /etc/shibboleth/
Access Status Page
After configuring shibboleth2.xml, add an entry to /etc/hosts so that the hostname resolves in the browser, then open the status page:
127.0.0.1 sp.shibboleth.com
https://sp.shibboleth.com/Shibboleth.sso/Status
SP Login Page Error
In some cases the application responds with the error “Unknown or Unusable Identity Provider”, as shown below:

Reason of SP Login Page Error
The “Unknown or Unusable Identity Provider” error on the SP login page occurs because idp-metadata.xml contains an outdated timestamp in its validUntil attribute, as shown below:

How to Resolve SP Login Page Error
To resolve the “Unknown or Unusable Identity Provider” error, set a future date in the validUntil attribute of /opt/shibboleth-idp/metadata/idp-metadata.xml and copy the modified file to /etc/shibboleth/.
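To make the cause and the fix described in the two sections above checkable from the command line, here is an added bash script (not from the original post) that reads the validUntil attribute of a metadata file, reports whether it has already passed, and can rewrite it to a new timestamp. The function names, the sample metadata in the comments and the file paths used for testing are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: report whether the validUntil attribute of a SAML metadata
# file such as /etc/shibboleth/idp-metadata.xml has already passed, which is
# what makes the SP answer "Unknown or Unusable Identity Provider".
# Timestamps are compared as ISO 8601 UTC strings of fixed width, so string
# order equals time order and no date(1) parsing is needed.

# Print the first validUntil value in the file (empty when the file has none).
metadata_valid_until() {
    # Fractional seconds are dropped so "2019-01-01T00:00:00.000Z" compares
    # like "2019-01-01T00:00:00Z".
    sed -n 's/.*[vV]alidUntil="\([^"]*\)".*/\1/p' "$1" | head -n 1 | sed 's/\.[0-9]*Z$/Z/'
}

# Return 0 when the metadata is still usable at time $2 (default: now, UTC),
# 1 when it has expired, 2 when the timestamp is not in the expected form.
check_metadata_validity() {
    local file="$1" now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}" expiry
    expiry=$(metadata_valid_until "$file")
    if [ -z "$expiry" ]; then
        echo "OK: $file carries no validUntil and never expires on its own"
        return 0
    fi
    case "$expiry" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) echo "ERROR: validUntil '$expiry' is not a UTC ISO 8601 timestamp"; return 2 ;;
    esac
    if [ "$expiry" \> "$now" ]; then
        echo "OK: $file is valid until $expiry"
        return 0
    fi
    echo "EXPIRED: $file validUntil=$expiry is not after $now; refresh the IdP metadata and copy it to /etc/shibboleth/"
    return 1
}

# The post's fix: rewrite validUntil to a new UTC timestamp ($2) in place.
set_metadata_valid_until() {
    local file="$1" new="$2" tmp
    tmp=$(mktemp) || return 1
    sed "s/[vV]alidUntil=\"[^\"]*\"/validUntil=\"$new\"/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage: check_metadata.sh /etc/shibboleth/idp-metadata.xml
[ "$#" -eq 0 ] || check_metadata_validity "$1"
```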
Unsupported Request Resolved
Sometimes the SP login page responds with the error “Web Login Service - Unsupported Request”. This usually happens when the SP metadata is unknown to the IdP. To resolve it, follow these steps:
Download: https://sp.shibboleth.com/Shibboleth.sso/Metadata
Copy to the IdP: sudo cp Metadata /opt/shibboleth-idp/metadata/sp-metadata.xml
Register the file in the IdP metadata providers:
sudo gedit /opt/shibboleth-idp/conf/metadata-providers.xml
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml"/>
Restart the services:
sudo service tomcat restart
sudo service apache2 restart
sudo service shibd restart
Message Security Error
Sometimes the SP login page responds with “Web Login Service - Message Security Error”. This usually happens because of a protocol mismatch (http vs. https) between what Tomcat sees behind the proxy and what the SP expects, as shown:

Message Security Error Resolved
To resolve the “Web Login Service - Message Security Error”, add a connector to the Tomcat configuration file $TOMCAT_HOME/conf/server.xml that tells Tomcat it is reached over HTTPS on port 443, as shown:
<Connector address="idp.shibboleth.com"
           port="8080"
           protocol="HTTP/1.1"
           proxyPort="443"
           scheme="https"
           secure="true" />
LDAP Errors
Once all the errors related to the SP configuration are resolved, the SP application responds with “FlowExecutionException”, as shown in the figure. This means that, to make the SP work, an LDAP server must be configured.
To configure LDAP, see my blog post on LDAP Configuration for Shibboleth SSO.
