Shibboleth Authentication

Shibboleth is standards-based, open source middleware software which provides web single sign-on across or within organisational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

The Shibboleth software implements widely used federated identity standards, principally OASIS' SAML, to provide a federated single sign-on and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application. Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License.

Attached is a technical overview for the Shibboleth 2 specification. You can probably find the latest version of that document, as well as a lot of other Shibboleth 2 documentation at their wiki, https://wiki.shibboleth.net/confluence/display/SHIB2/Home.

Shibboleth at UF

The Shibboleth project is a part of UF's Identity and Access Management. Please visit the project site for more information including an overview, infrastructure information, making an access request, available attributes, and more technical details. Shibboleth SP setup is tracked using the CNS Remedy system.

Attached files for configuring your SP at UF

The SP software can be found under the installation & configuration section of the Shibboleth2 Project Wiki.

Attached to this document are two versions of the shibboleth2.xml file, one per platform. Select the one named for your platform and rename it shibboleth2.xml. This file is used by both the Shibboleth service/daemon and the webserver module. You will need to replace a few placeholders in the file. They are:

  • _HOSTNAME_ with the fully-qualified domain name of your site
  • _URN_ with your entity id from your SP approval notification
  • For IIS users: _SITEID_ with the IIS site ID of this site

Generating a key & certificate for your SP at UF

After you replace these entries, place the file in c:\opt\shibboleth-sp\etc\shibboleth (Windows) or /etc/shibboleth (Linux). Next, generate a new key and certificate for your SP to exchange with the IdP:

  • Remove the existing sp-key.pem and sp-cert.pem files from c:\opt\shibboleth-sp\etc\shibboleth (Windows) or /etc/shibboleth (Linux). This is the same directory that holds your shibboleth2.xml file.
  • Open a command prompt in that directory and run keygen.bat -h _HOSTNAME_ -e _URN_ (Windows) or keygen.sh -h _HOSTNAME_ -e _URN_ (Linux). This creates a new sp-key.pem and sp-cert.pem.
  • Rename sp-key.pem to _HOSTNAME_.key and sp-cert.pem to _HOSTNAME_.cert.

Please note that this page is not intended to be full documentation on how to use the SP software. Documentation of that nature is already available at the Shibboleth2 wiki and the UF Shibboleth site.

If you are using Apache, ensure your httpd.conf has UseCanonicalName turned on for the virtual host you are working on. Now restart your webserver software and the Shibboleth service/daemon. You should then be able to access http://_HOSTNAME_/Shibboleth.sso/Metadata. When this works (by that, we mean the Metadata shows your full URN as the entity ID, matching URLs on your hostname, and the new SSL public certificate), you are ready to submit your metadata (see the next section).
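The configuration steps above (placeholder substitution, key generation, and the "when this works" check on the Metadata handler), as an added shell example that is not code from this page or from the Shibboleth project. It fills _HOSTNAME_, _URN_ and _SITEID_ in a template, refuses to continue while any placeholder survives, runs the SP's own keygen.sh with the page's -h/-e options when it is present, and checks a metadata document for your entity ID, endpoints on your hostname, and a certificate. The hostname sp.example.edu, the entity ID https://sp.example.edu/shibboleth and both XML snippets are constructed for the demo; the template is a cut-down stand-in, not the contents of the attached file.

```bash
#!/usr/bin/env bash
# Added example, not code from the UF page or the Shibboleth project.
# Hostname, entity ID and both XML snippets below are constructed values.
set -eu

# fill_placeholders TEMPLATE OUT HOSTNAME ENTITYID [SITEID]
# Writes OUT from TEMPLATE with the page's three placeholders substituted.
# SITEID is only meaningful for IIS; on Apache it is replaced with nothing.
fill_placeholders() {
  template=$1; out=$2; host=$3; urn=$4; siteid=${5:-}
  # '|' as the sed delimiter: entity IDs contain '/' and ':'.
  sed -e "s|_HOSTNAME_|$host|g" \
      -e "s|_URN_|$urn|g" \
      -e "s|_SITEID_|$siteid|g" "$template" > "$out"
}

# leftover_placeholders FILE
# Exit 0 when no placeholder remains, 1 (listing them on stderr) otherwise.
leftover_placeholders() {
  if grep -qE '_(HOSTNAME|URN|SITEID)_' "$1"; then
    echo "unreplaced placeholders in $1:" >&2
    grep -oE '_(HOSTNAME|URN|SITEID)_' "$1" | sort -u >&2
    return 1
  fi
}

# make_sp_keypair DIR HOSTNAME ENTITYID
# Removes the stock sp-key.pem/sp-cert.pem, runs the SP's own keygen.sh
# (-h hostname, -e entityID, as on the page) in DIR, then renames the new
# pair to HOSTNAME.key / HOSTNAME.cert. Returns 2 when keygen.sh is absent.
make_sp_keypair() {
  dir=$1; host=$2; urn=$3
  [ -x "$dir/keygen.sh" ] || { echo "no keygen.sh in $dir; skipping" >&2; return 2; }
  rm -f "$dir/sp-key.pem" "$dir/sp-cert.pem"
  (cd "$dir" && ./keygen.sh -h "$host" -e "$urn")
  mv "$dir/sp-key.pem" "$dir/$host.key"
  mv "$dir/sp-cert.pem" "$dir/$host.cert"
}

# check_metadata METADATA_XML HOSTNAME ENTITYID
# The page's acceptance test for /Shibboleth.sso/Metadata: entityID equals
# your entity ID, endpoints live on your hostname, a certificate is present.
check_metadata() {
  md=$1; host=$2; urn=$3
  grep -q "entityID=\"$urn\"" "$md" ||
    { echo "entityID in $md is not $urn" >&2; return 1; }
  grep -qE "Location=\"https?://$host/Shibboleth\.sso/" "$md" ||
    { echo "no Shibboleth.sso endpoint on $host in $md" >&2; return 1; }
  grep -q 'X509Certificate>' "$md" ||
    { echo "no X509Certificate in $md" >&2; return 1; }
}

# --- demo on constructed input ---------------------------------------------
HOST=sp.example.edu                         # constructed hostname
URN=https://sp.example.edu/shibboleth       # constructed entity ID
WORK=$(mktemp -d)

# Cut-down stand-in for the attached shibboleth2.xml (constructed).
cat > "$WORK/shibboleth2.xml.in" <<'EOF'
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="_URN_" REMOTE_USER="eppn">
    <Sessions handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https"/>
    <CredentialResolver type="File" key="_HOSTNAME_.key" certificate="_HOSTNAME_.cert"/>
  </ApplicationDefaults>
</SPConfig>
EOF
fill_placeholders "$WORK/shibboleth2.xml.in" "$WORK/shibboleth2.xml" "$HOST" "$URN"
leftover_placeholders "$WORK/shibboleth2.xml"
make_sp_keypair "$WORK" "$HOST" "$URN" || echo "(key generation only runs inside a real SP install)"

# What a healthy Metadata response looks like (constructed, certificate elided).
cat > "$WORK/metadata.xml" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="$URN">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Certificate>MIIC...CONSTRUCTED...</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://$HOST/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
check_metadata "$WORK/metadata.xml" "$HOST" "$URN" && echo "metadata looks ready to submit"
```

On a real install, point check_metadata at the output of fetching http://_HOSTNAME_/Shibboleth.sso/Metadata after the restart; a mismatch in entityID or hostname usually means a placeholder was left in shibboleth2.xml or UseCanonicalName is off, and a missing certificate means the renamed key/cert pair is not the one the CredentialResolver names.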

Uploading the Metadata

Metadata files can be uploaded here:

 https://open-systems.ufl.edu/shibmeta

Only the ISM and/or Technical Contact listed above may submit metadata for the URN.

Once the metadata is submitted, it will be processed and installed into the IdP, and you will then be able to protect content. Processing metadata occurs once a week on Sunday morning. Metadata should be submitted no later than noon Thursday in order to be included in the Sunday restart. Metadata submitted after that will not be processed until the following Sunday.

Notifications will be sent to all technical contacts and the ISM when metadata is uploaded, when it is processed, and once it is placed into production. Protecting content is the final step that you must perform in order to complete your work. Please see the UF IT Shibboleth site or the shibboleth.net wiki for more information.

If you have any questions concerning this, or if the ISM, ISA, or Technical Contact information listed below is incorrect or needs to be updated, please submit a ticket at:

 


Attachments

  • draft-mace-shibboleth-tech-overview-latest.pdf (243.32 KB)
  • linux.shibboleth2.xml (12.36 KB)
  • windows.shibboleth2.xml (12.39 KB)