[Koha-bugs] [Bug 8446] Shibboleth authentication patch

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Sun Oct 20 22:03:23 CEST 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8446

--- Comment #10 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
So.... the most complicated bit of all this (as you may have guessed) is
actually in steps 2. and 3. above!

Step 2 - Configuring Shibboleth party of trust.

Shibboleth config files should be located at: /etc/shibboleth

The important files are:
   shibboleth2.xml - The main config file
   attribute-map.xml - The attribute mapping file

You will also want to create a directory to keep IdP metadata backups within:
   mkdir /var/cache/shibboleth/metadata/
   chown -R _shibd:_shibd /var/cache/shibboleth/metadata

Let's configure some things:

1. First up, we need to set up the SP (Service Provider) identity.

In the shibboleth2.xml file you should find a line similar to:

  <ApplicationDefaults entityID="https://kohaopac.mytestserver.com"

Modify this so that the 'entityID' matches your OPAC URL.

2. Next, we need to tell the shibboleth daemon where the IdP (identity
provider) is.

In the shibboleth2.xml file you should find a block similar to:

    <SSO entityID="http://sso.testidentityprovider.com/auth/metadata">
        SAML2 SAML1
    </SSO>

Modify this so that the entityID matches the IdP's sign in URL.

3. Finally, you'll need to tell the daemon where to fetch the IdP's metadata
from and set a backup path:

In the shibboleth2.xml file you should find a block similar to:

     <MetadataProvider type="XML"
                       uri="https://sso.testidentityprovider.com/auth/metadata"
                       backingFilePath="/var/cache/shibboleth/metadata/testidp-metadata.xml"
                       reloadInterval="7200">
     </MetadataProvider>

Modify this so that the uri matches the IdP's public metadata page, and point
the backingFilePath to the directory we created.

4. The config is now done... but you should create some keys to work with your
shibboleth SP:

    sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
        -keyout server.key -out server.crt

Your key and certificate names will obviously need to match those in the
shibboleth2.xml config file.

5. Restart the shibd daemon:

   sudo /etc/init.d/shibd restart

6. We're about ready to swap Metadata:  Tell your IdP provider that your
Metadata is available at:

    https://youropacurl.com/Shibboleth.sso/Metadata

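As an added example (not code from the bug thread or from Koha), the following Python script checks that the four shibboleth2.xml edits described in the comment above are consistent with each other: the SP entityID equals the OPAC URL, the SSO entityID appears in the IdP's metadata, the metadata is fetched over https into the backup directory, and the key/certificate names match the files openssl produced. Both XML documents are constructed samples using the hostnames from the comment; the IdP entityID and file names are assumptions.

```python
# Added example, not from the bug thread: consistency checks for the
# shibboleth2.xml edits above. Both XML documents are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://kohaopac.mytestserver.com">
    <Sessions><SSO entityID="https://sso.testidentityprovider.com/idp">SAML2 SAML1</SSO></Sessions>
    <MetadataProvider type="XML" uri="https://sso.testidentityprovider.com/auth/metadata"
        backingFilePath="/var/cache/shibboleth/metadata/testidp-metadata.xml" reloadInterval="7200"/>
    <CredentialResolver type="File" key="server.key" certificate="server.crt"/>
  </ApplicationDefaults>
</SPConfig>"""

# What the IdP publishes at its metadata URL (constructed; only entityID matters here).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.testidentityprovider.com/idp"/>"""

def _named(root, name):
    """All elements whose local name is `name`, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit('}', 1)[-1] == name]

def check_sp_config(sp_xml, idp_xml, opac_url, backup_dir, files_present):
    """Return a list of findings; an empty list means the config matches the steps."""
    sp, idp = ET.fromstring(sp_xml), ET.fromstring(idp_xml)
    findings = []
    app = _named(sp, 'ApplicationDefaults')
    if not app or app[0].get('entityID') != opac_url:          # step 1
        findings.append('SP entityID does not match the OPAC URL')
    idp_ids = {e.get('entityID') for e in _named(idp, 'EntityDescriptor')}
    for sso in _named(sp, 'SSO'):                                # step 2
        if sso.get('entityID') not in idp_ids:
            findings.append('SSO entityID is not an entityID in the IdP metadata')
    for mp in _named(sp, 'MetadataProvider'):                    # step 3
        if urlparse(mp.get('uri', '')).scheme != 'https':
            findings.append('metadata uri is not https (plain http can be altered in transit)')
        if not mp.get('backingFilePath', '').startswith(backup_dir.rstrip('/') + '/'):
            findings.append('backingFilePath is outside the backup directory')
        if not mp.get('reloadInterval', '').isdigit():
            findings.append('reloadInterval is not a number of seconds')
    for cr in _named(sp, 'CredentialResolver'):                  # step 4
        for attr in ('key', 'certificate'):
            if cr.get(attr) not in files_present:
                findings.append(f'{attr} {cr.get(attr)!r} does not match a generated file')
    return findings

if __name__ == '__main__':
    print(check_sp_config(SP_CONFIG, IDP_METADATA, 'https://kohaopac.mytestserver.com',
                          '/var/cache/shibboleth/metadata', {'server.key', 'server.crt'}))
```

Run it against your real shibboleth2.xml and the metadata saved under backingFilePath after step 6; each finding names the step whose edit needs another look.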