wg-pic - Shibboleth Service Provider (SP) setup info
Subject: Presence and IntComm WG
List archive
- From: Rodney McDuff <>
- To:
- Subject: Shibboleth Service Provider (SP) setup info
- Date: Fri, 01 Feb 2008 14:37:06 +1000
Hi All
Here is some links to get a shibboleth SP up and running
1) The Shibboleth Internet2 wiki is a fount of shibboleth knowledge and
I recommend that people browse through it at their leisure. I will
referring to it alot. Here are some links to get your head around the
whole shibboleth thing.
* https://spaces.internet2.edu/display/SHIB/UnderstandingShibboleth
* http://shibboleth.internet2.edu/about.html
* https://spaces.internet2.edu/display/SHIB/DeploymentBackground
* https://wiki.esecurity.edu.au/display/draft/Shibboleth+Architecture
The last URL has an insightful (atleast to the technical) step-by-step
interactions between a user, SP, wayf and Identity Provider (IdP).
2) Installing the Shibboleth SP. The "Service Provider Installation"
section of
<https://spaces.internet2.edu/display/SHIB/InstallingShibboleth> is
pertinent for the shibbolized XMPP account registration service. There
are detailed information for installing the SP on several platforms. I
would imagine that linux and OSX are likely choices.
3) Test installation. In shibboleth developers have put up a "test SP"
called TestShib at <http://www.testshib.org/testshib-reg/index.jsp> so
that people can verify their installation. Just follow the bouncing dot.
4) Have a look at the SP configuration options at
<https://spaces.internet2.edu/display/SHIB/SPConfigurationByTopic>. By
comparing the testshib xml config and the stuff on this page you'll get
an idea of what has to change once you join a real federation. Its
pretty minimal;
* the hostname in the RequestMapProvider stanza
* the providerId in the Applications stanza
* the homeURL in the the Applications stanza
* the certs in the CredentialsProvider stanza
* the wafyURL in the SessionInitiator stanza
When you join Incommon most of these will be constructed from the
information you provide at the Incommon registration process.
Also have a good understanding of
<https://spaces.internet2.edu/display/SHIB/SPProtectionConfig> for fancy
access/authorization control and
<https://spaces.internet2.edu/display/SHIB/SPAttributeConfig> for
understanding Attribute Acceptance Policies (AAPs) work. (Its the
AAP.xml file that controls how attributes embedded in a SAML assertion
are manifested to the webapp.
5) Join Incommon as an SP. Most of the technical info is at:
* <http://www.incommonfederation.org/metadata.html> and
* <http://www.incommonfederation.org/technical.html>
There is an Incommon federation manager at
<https://service1.internet2.edu/siteadmin/manage/> which maintains the
Incommon metadata
<https://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml>. It
requires a username and password to get access to it. Members of
Incommon get a username and password.
Once registered with Incommon modify the shibboleth.xml to reflect you
ProviderID and new cert/key pair (used to secure the shibboleth
back-channel between which SP and IdP and should be provided by
Incommon as part of the registration process.)
6) Become familiar with this page
<https://spaces.internet2.edu/display/SHIB/CPPSPCommonErrors>
--
Dr. Rodney G. McDuff |Ex ignorantia ad sapientiam
Manager, Strategic Technologies Group| Ex luce ad tenebras
Information Technology Services |
The University of Queensland |
EMAIL:
|
TELEPHONE: +61 7 3365 8220 |
- Shibboleth Service Provider (SP) setup info, Rodney McDuff, 01/31/2008
Archive powered by MHonArc 2.6.16.