Shibboleth Developers

[Digant C Kasundra <>]

I don't see why such a thing would be hard to adapt to the latest Red
Hat Enterprise Linux release.  As a matter of fact, self-building
tarball+script is the model we use at UTA for our OpenLDAP and Kerberos
deployments.  I'd be happy to help make whatever you create RHEL-ready
(and wouldn't be surprised if it was as-is anyway).

-- DK


On Mon, 2004-11-29 at 12:34, 

 wrote:
> Over the last several months, we've tried to improve the ability of 
> sites to install and operate the Shib software by introducing Install 
> Fests; additionally, we've recently published on the shib web site 
> the "checklist" that was developed to help Fest attendees. Both of 
> these steps have generated some success stories; people do seem to be 
> finding it easier to install and configure shib and the required 
> dependencies. However, there seems to be a set of people that are 
> still having trouble.... discussion of these situations led to the 
> development of the "Quick Start Package" proposal. This note is a 
> description of the current thinking about Quick Start, what its 
> targeted at, and what it would contain....
> 
> -- initially, it would be targeted at Fedora systems..... later, this 
> might be extended.
> 
> -- one goal here is to provide people with direct access to several 
> different "working  installations".
> 
> -- the package would install shib + ALL  the dependencies (eg java, 
> tomcat, etc). It would also contain supporting files and scripts to 
> allow the new install to be easily moved among three possible 
> configurations: operation in localhost mode, operational in bilateral 
> mode, and operational in InQueue.
> 
> -- after the shell archive script runs, the machine should be 
> operational in localhost mode. A user should be able to start X on 
> the Fedora system, start a browser, enter the appropriate url (which 
> we'll supply), and have the freshly installed IdP and SP components 
> interact successfully.
> 
> -- the bilateral mode script would allow *any* browser user to enter 
> the appropriate url and have the freshly installed IdP and SP 
> components interact successfully. (The difference with localhost mode 
> is that url's would no longer contain a hostname of localhost.) This 
> script would generate and use self-signed cert's to have the two 
> components trust each other.
> 
> -- InQueue mode would have the IdP and SP components  join the IQ 
> federation. this would require configuring them to use cert's signed 
> by a trusted CA.....
> 
> -- POTENTIAL CONCERN -- Scott has suggested that the Quick Start 
> package contain a signing key for a CA trusted by IQ. Two reasons: 1) 
> even a moron would now recognize the IQ cannot be trusted for 
> realwork, and 2) this would greatly simplify the steps needed to 
> reconfigure for membership in IQ.
> 
> -- the package would be a shell archive (tarball + script)
> 
> -- the tarball would contain:
>       - java 1.4
>       - tomcat
>       - a directory containing scripts and config files, to be used 
> in normal operation (eg a basic auth user.db file with Test Users in 
> it), and by the three modes
> 
> - the shell archive script would:
>       - install java
>       - install tomcat
>       - download and explode the shib IdP software
>       - use rpm to install the shib SP dependencies and the Shib SP package
>       -### configure the IdP software
>       - copy shib files into the tomcat tree
>       - make required edit's to  tomcat files (see checklist)
>       - start tomcat, wait, stop tomcat
> 
>       -### configure the SP software
>       - edit httpd.conf, to Include files containing items relevant 
> to running both the IdP and SP
> 
>       (I may have missed a couple of items.... but in this note I'm 
> more worried about the concept than the detail)
> 
> -- At this point, the system should be fully operational in localhost mode.
> 
> -- Supplied scripts would edit config files appropriately, and would 
> use files included in the Quick Start package, to reconfigure the 
> machine to bilateral or IQ mode.....