
Introduction

No matter whether you're running on Windows, Linux, macOS, FreeBSD, or somewhere else, the Shibboleth configuration process is more similar than different. Open the shibboleth2.xml file (saved in /etc/shibboleth on POSIX-type systems such as Linux, FreeBSD and macOS, and saved in C:\opt\shibboleth-sp\etc\shibboleth\ on Windows systems), and make the following changes.

Download a pre-configured shibboleth2.xml file here and follow the directions below to customize it for your application.

Set entityID

Find the line that begins <ApplicationDefaults entityID="...". Set entityID to be the domain name of your app followed by "/shibboleth". For example:

shibboleth2.xml ApplicationDefaults element
<ApplicationDefaults entityID="https://hostname.ucsf.edu/shibboleth"

Session Timeout

Find the line that starts with "<Sessions". "Lifetime" is the maximum time someone can be logged into your service provider, which defaults to 8 hours. "Timeout" is how long someone can be idle without being logged out, which defaults to 1 hour. Both values are set in seconds. Adjust them as appropriate for your application, but don't worry about the other options.

shibboleth2.xml Sessions element
<Sessions lifetime="28800"
          timeout="3600"
          checkAddress="false"
          relayState="ss:mem"
          handlerSSL="true">

Specify an IdP

Still in shibboleth2.xml, find the line that starts with "<SSO". Change the entityID to match the MyAccess IdP you want to use. Unless you've been told otherwise, start with the "Staging" IdP listed below, and switch to the "Production" IdP listed below once testing against "Staging" is complete.

  • Production (non-InCommon Federation members): https://dp.ucsf.edu/idp/shibboleth
  • Production (InCommon Federation members): urn:mace:incommon:ucsf.edu
  • Staging: https://idp-stage.ucsf.edu/idp/shibboleth
  • Development: https://idp-dev.ucsf.edu/idp/shibboleth

If your SP will be an InCommon Federation member, use the "InCommon Federation member" version of the entityID. If not, use the "non-InCommon Federation member" version.

For example:

<SSO entityID="https://idp-stage.ucsf.edu/idp/shibboleth" >
  SAML2 SAML1
</SSO>

Load Metadata

Download our IdP metadata. For Development, go to: https://idp-dev.ucsf.edu/idp/shibboleth. For Staging, go to: https://idp-stage.ucsf.edu/idp/shibboleth. For both InCommon and non-InCommon Production, go to https://dp.ucsf.edu/idp/shibboleth. Save it in the same directory as shibboleth2.xml, naming it "idp-metadata.xml".

In shibboleth2.xml, find the locally maintained metadata line that begins with "<MetadataProvider type="XML" file=..." and set the value for the file to "idp-metadata.xml".
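The edits in the "Set entityID", "Session Timeout", "Specify an IdP" and "Load Metadata" steps are easy to get subtly wrong (a missing "/shibboleth" suffix, a timeout longer than the lifetime, a metadata file name that does not match). The following checklist lint is an added example, not UCSF's or the Shibboleth project's code; it reads a shibboleth2.xml and reports which of those items deviate from this page, using two constructed sample configs for input.

```python
"""Checklist lint for shibboleth2.xml (added example; not UCSF's or Shibboleth's code)."""
import xml.etree.ElementTree as ET

# IdP entityIDs listed on this page.
MYACCESS_IDPS = {
    "https://dp.ucsf.edu/idp/shibboleth",         # Production, non-InCommon
    "urn:mace:incommon:ucsf.edu",                 # Production, InCommon
    "https://idp-stage.ucsf.edu/idp/shibboleth",  # Staging
    "https://idp-dev.ucsf.edu/idp/shibboleth",    # Development
}

def _elements(root, name):
    """Match on local name so the checks work whichever config namespace is declared."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def lint_shibboleth2(xml_text, hostname):
    """Return a list of findings; an empty list means every checklist item passes."""
    root, findings = ET.fromstring(xml_text), []
    expected = f"https://{hostname}/shibboleth"
    app = _elements(root, "ApplicationDefaults")
    if not app or app[0].get("entityID") != expected:
        findings.append(f"ApplicationDefaults entityID should be {expected}")
    for s in _elements(root, "Sessions"):
        lifetime, timeout = int(s.get("lifetime", 28800)), int(s.get("timeout", 3600))
        if timeout > lifetime:
            findings.append("Sessions timeout exceeds lifetime, so the idle limit never applies")
        if s.get("handlerSSL", "").lower() != "true":
            findings.append('Sessions handlerSSL should be "true" as in the template')
    sso = _elements(root, "SSO")
    if not sso or sso[0].get("entityID") not in MYACCESS_IDPS:
        findings.append("SSO entityID is not one of the MyAccess IdP entityIDs")
    xml_mds = [m for m in _elements(root, "MetadataProvider") if m.get("type") == "XML"]
    if not any(m.get("file") == "idp-metadata.xml" for m in xml_mds):
        findings.append('no MetadataProvider type="XML" loading idp-metadata.xml')
    return findings

# Constructed samples. SAMPLE_BAD gets five of the page's items wrong; SAMPLE_GOOD follows them.
SAMPLE_BAD = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://hostname.ucsf.edu">
    <Sessions lifetime="3600" timeout="28800" handlerSSL="false">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" file="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""
SAMPLE_GOOD = """<SPConfig><ApplicationDefaults entityID="https://hostname.ucsf.edu/shibboleth">
  <Sessions lifetime="28800" timeout="3600" handlerSSL="true">
    <SSO entityID="https://idp-stage.ucsf.edu/idp/shibboleth">SAML2 SAML1</SSO></Sessions>
  <MetadataProvider type="XML" file="idp-metadata.xml"/></ApplicationDefaults></SPConfig>"""
```

Run it as `lint_shibboleth2(open("/etc/shibboleth/shibboleth2.xml").read(), "hostname.ucsf.edu")` against your own file; each returned string names one checklist item to fix.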

Attributes

MyAccess sends your application attributes about the currently logged in user. For the SP to process the attributes correctly, it needs to know which ones it will be getting.

Download the attribute-map.xml file and save it in the same location as shibboleth2.xml, overwriting the existing file. You can review the Attribute Definitions for SPs to see what attributes are available.

Save SP Metadata

To integrate with MyAccess, you will need to provide a copy of your SP's metadata to the Identity and Access Management team. You can get that metadata by visiting the following URL, replacing "hostname.ucsf.edu" with your site's domain name:

https://hostname.ucsf.edu/Shibboleth.sso/Metadata

Apache Configuration

This section isn't truly generic - it's for users of the Apache web server only. Windows IIS users, please refer to your specific documentation instead.

You can specify which paths you would like to be protected by Shibboleth anywhere in your Apache configuration. The Shibboleth software you installed also includes a file that loads the Shibboleth Apache module and protects an example directory. You may wish to modify that file, or configure protected paths elsewhere.

To protect a path, use a configuration block like the following. This configuration would require a Shibboleth login to visit any content starting with "/secure".

<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

If you are setting this configuration in a .htaccess file, omit the <Location> and </Location> lines.
