SP-IIS

 
 
TODO:
  • Host name comes before site id
  • clarify subdirs for test servers

Overview


Shibboleth provides Single Sign-On for the web. It consists of two parts: an Identity Provider and a Service Provider. OIT maintains the Identity Provider (or IdP). We install and configure the Service Provider (or SP) on our web servers.

Steps

  1. Install the win32 software
  2. Certify the server with OIT
  3. Configure shibboleth

Details


Install the software

Navigate to >>http://shibboleth.internet2.edu/downloads/win32/ and download the SP package. The name will be something like shibboleth-sp-1.3-win32.msi. Install the package and accept the defaults, rebooting when prompted.

Generate a Certificate

The communications between the IdP and the SP are encrypted via SSL. To talk SSL you need a certificate. Use the commands below to generate one and OIT will sign it. Adapt for your drive letters!

Note: Be sure to change SERVER to the real domain name, such as oak.cats.ohiou.edu.

rem Change to the drive and directory where the key and CSR will be kept
E:
cd E:\opt\shibboleth-sp\etc
rem openssl.exe needs the SP's DLLs on the path
path=%path%;E:\opt\shibboleth-sp\lib
rem Generate the 2048-bit RSA private key (ssl.key is the secret; keep it with the SP, not in the web root)
E:\opt\shibboleth-sp\bin\openssl genrsa -out ssl.key 2048
rem Subject for the request; CN must be the server's real DNS name
set SUBJ="/C=US/ST=Ohio/L=Athens/O=Ohio University/OU=IT/CN=SERVER.DOMAIN.EDU"
E:\opt\shibboleth-sp\bin\openssl req -new -config E:\opt\shibboleth-sp\etc\shibboleth\openssl.cnf -key ssl.key -out ssl.csr -subj %SUBJ%

Email the ssl.csr to David Alexander along with the Service Provider Registration Form (link?). OIT will send back the signed certificate and let you know what your new providerId (a text string) will be. You'll need this later when configuring shibboleth.

It is best to store the .key and .crt files in the E:\opt\shibboleth-sp\etc directory. If you need attributes other than what OIT provides by default (the developers will know), communicate that to OIT.

Configure Shibboleth's XML

Make a backup of the e:\opt\shibboleth-1.3\etc\shibboleth.xml file, then open it for editing. Search for each of the following entries and make the replacement noted next to it.

<Host name="sp.example.org">   - change to your host name
 …
 …
<Site id="1" name="sp.example.org">   - same as above
   <Alias>sp.example.org</Alias>      - same as above
</Site>
 …
 …
<Applications id="default" providerId="https://boss3.cats.ohiou.edu/shibboleth"   - change to the providerId specified by OIT (usually as above)

 …
 …
<!-- This default example directs users to a specific IdP's SSO service. -->
 …
wayfURL="https://shibboleth.ohio.edu/shibboleth-idp/SSO"   - Set as shown here
 …
 …
 …
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
                  uri="E:/opt/shibboleth-sp/etc/shibboleth/OHIO-metadata.xml"/>   - Set to OHIO-metadata.xml as shown here

<saml:Audience>urn:mace:incommon:ohio.edu</saml:Audience>   - Change from inqueue to incommon as shown here
 …
 …
<Key>
    <Path>E:\opt\shibboleth-sp\etc\sp-example.key</Path>   - Set to your location and name
</Key>
<Certificate>
    <Path>E:\opt\shibboleth-sp\etc\sp-example.crt</Path>   - As above
</Certificate>

Copy Additional Files

Copy the OIT-provided AAP.xml and OHIO-metadata.xml files into \shibboleth-sp\etc, overwriting the original files.

These files will be available in the future from the OHIO Technology web site >>http://technology.ohio.edu/shibboleth

Restart the Shibboleth Web Publishing services.

Configure IIS

You must allow scripts to execute. Right click to bring up the properties of the site or folder (or the master properties), select the 'Home Directory' tab, and toward the bottom change Execute Permissions from 'None' to 'Scripts only'.

Test

Under the default web site root, create a folder named secure and create a text file in it. Surf to that text file in any browser. If you created the file test.txt on the host boss1.admsrv.ohio.edu, surf to >>http://boss1.admsrv.ohio.edu/secure/test.txt and you should be redirected to the OIT web login page, then back to the test.txt page.

Additional configuration steps:

Note: if you have multiple host names for the web server, you must include them in the ISAPI section like this:

<Site id="1" name="boss2.admsrv.ohio.edu">
    <Alias>test.admsrv.ohio.edu</Alias>
</Site>

If you don't, you won't get sent back to the proper URL after login.



Notes:


To cover multiple web sites (virtual hosts), add additional 'Site id' and Host entries like the example below:

<Site id="1102119354" name="appalachia.citl.ohiou.edu">
    <Alias>appalachia.citl.ohiou.edu</Alias>
</Site>
<Site id="1" name="www.myserver.ohiou.edu">
    <Alias>www.myserver.ohiou.edu</Alias>
</Site>
 …
 …
<Host name="scope.citl.ohiou.edu">
    <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true"> </Path>
</Host>
<Host name="www.myserver.ohiou.edu">
    <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true"> </Path>
</Host>

To protect an entire site rather than a subdirectory, put the attributes on the Host element itself:

<Host name="housingnsc.admsrv.ohio.edu" scheme="https" authType="shibboleth" requireSession="true" exportAssertion="true"> 
</Host>

If you are virtual hosting, you must inform the IdP so they can list multiple assertion consumer URLs in their config file.



Troubleshooting

If the Shib service starts and then stops

There is most likely a problem with your shibboleth.xml file. A simple typo will cause this, such as leaving off an end bracket. Your best bet is to review your changes and if nothing sticks out, start over from a clean xml file.

If you see a flying pig instead of the page you asked for

Some possible causes are a misconfigured (or typo'd) providerId, or you are using a virtual host that OIT doesn't know about. OIT doesn't support virtual hosts without being forewarned.

Institutional access failure

As above, but most likely your cert is on file and the host name you're coming from isn't.

If you are redirected to a blank page

If your browser is trying to send you to "example.org", the cause can be as above, but more likely it is a misconfigured xml file; treat it as in the first troubleshooting entry.

You get sent back to a different host than you were trying to access

You didn't add the alias entry for the host. See the Notes section above.

You see a 404 for a page you know is there

This usually means that you are forwarding to the wrong place on the OIT SSO server. Check your wayfURL.

Unauthorized Identity Provider

You're not using the proper metadata file, or it's not configured in your shibboleth.xml. Look for "MetadataProvider" and check the "uri= " is set as above.
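Most of the entries in this troubleshooting list (and the replacements in "Configure Shibboleth's XML" above) come down to a value left at its shipped default or a Host that IIS doesn't know by that name. The script below is an added example, not part of this page or of the Shibboleth distribution: it parses shibboleth.xml and reports each of those mistakes with the symptom the list above gives for it, so you can run it before restarting the service instead of after seeing the flying pig. The expected wayfURL, audience and metadata file name are the ones this page specifies; `sample_config()` is a constructed skeleton containing only the elements the checks look at, and the "stock" values fed to it in `main` are placeholders modelled on the shipped example, not a copy of the real file.

```python
"""Sanity-check a Shibboleth SP 1.3 shibboleth.xml before restarting the service.
Added example, not from the page or the Shibboleth project. Expected values are
the page's own; sample_config() is a constructed skeleton, not the real file."""
import sys
import xml.etree.ElementTree as ET

EXPECTED_WAYF = "https://shibboleth.ohio.edu/shibboleth-idp/SSO"
EXPECTED_AUDIENCE = "urn:mace:incommon:ohio.edu"
EXPECTED_METADATA = "OHIO-metadata.xml"


def named(root, name):
    """Every element under root (root included) whose local name matches, namespace ignored."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def check_config(xml_text):
    """Return findings, each prefixed with the symptom the page lists; [] means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Not well-formed (e.g. a missing end bracket): the service starts and then stops.
        return ["service starts then stops: shibboleth.xml is not well-formed (%s)" % exc]
    findings = []

    # The ISAPI Site names and Aliases must cover every Host in the request map,
    # otherwise the user is sent back to a different host after login.
    hosts = [h.get("name", "") for h in named(root, "Host")]
    site_names = set()
    for site in named(root, "Site"):
        site_names.add(site.get("name", ""))
        site_names.update((a.text or "").strip() for a in named(site, "Alias"))
    for name in hosts + sorted(site_names):
        if "example.org" in name:
            findings.append("blank page / example.org redirect: placeholder host %r" % name)
    for name in hosts:
        if name not in site_names:
            findings.append("sent back to a different host: Host %r has no Site name or Alias" % name)

    for app in named(root, "Applications"):
        pid = app.get("providerId", "")
        if not pid or "example.org" in pid:
            findings.append("flying pig: providerId %r is not the one OIT issued" % pid)
    for init in named(root, "SessionInitiator"):
        if init.get("wayfURL") != EXPECTED_WAYF:
            findings.append("404 on an existing page: wayfURL %r, expected %r" % (init.get("wayfURL"), EXPECTED_WAYF))
    for aud in named(root, "Audience"):
        if (aud.text or "").strip() != EXPECTED_AUDIENCE:
            findings.append("audience is %r, expected %r" % (aud.text, EXPECTED_AUDIENCE))
    for mp in named(root, "MetadataProvider"):
        if not mp.get("uri", "").endswith(EXPECTED_METADATA):
            findings.append("Unauthorized Identity Provider: MetadataProvider uri %r is not %s" % (mp.get("uri"), EXPECTED_METADATA))
    # Leading/trailing slashes are stripped, so <Path name="/"> becomes empty and is ignored.
    for path in named(root, "Path"):
        name = path.get("name")  # <Key><Path> file paths have no name attribute and are skipped
        if name is not None and name.strip("/") == "":
            findings.append("Path name=%r is ignored; put the attributes on <Host> instead" % name)
    return findings


def sample_config(host, provider_id, wayf, audience, metadata, alias=None, path_name="secure"):
    """Constructed skeleton of shibboleth.xml holding only the elements the checks use."""
    alias_xml = "<Alias>%s</Alias>" % alias if alias else ""
    return """<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <Local>
    <Implementation><ISAPI><Site id="1" name="%s">%s</Site></ISAPI></Implementation>
    <RequestMapProvider><RequestMap applicationId="default">
      <Host name="%s"><Path name="%s" authType="shibboleth" requireSession="true" exportAssertion="true"/></Host>
    </RequestMap></RequestMapProvider>
  </Local>
  <Applications id="default" providerId="%s">
    <Sessions><SessionInitiator isDefault="true" wayfURL="%s"/></Sessions>
    <saml:Audience>%s</saml:Audience>
    <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata" uri="%s"/>
  </Applications>
</SPConfig>""" % (host, alias_xml, host, path_name, provider_id, wayf, audience, metadata)


if __name__ == "__main__":
    # Pass the real file as the first argument; with no argument, check placeholder values.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], "rb").read()
    else:
        text = sample_config("sp.example.org", "https://sp.example.org/shibboleth",
                             "https://placeholder.example.org/WAYF", "urn:mace:inqueue",
                             "E:/opt/shibboleth-sp/etc/shibboleth/example-metadata.xml")
    for line in check_config(text) or ["no problems found"]:
        print(line)
```

Run it as `python check_shib.py E:\opt\shibboleth-sp\etc\shibboleth\shibboleth.xml` (a hypothetical file name) before each restart; a clean run does not prove the IdP knows your host or providerId, which only OIT can confirm, but it removes every cause on this list that is local to the file.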

Troubleshooting tools

You may want to use a Perl or ASP script to print out HTTP headers. You may also turn on Shibboleth debugging in the file shibd.logger to see that the attributes were passed correctly. EXAMPLE???
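One way to do the header dump described above, written here as an added example in Python rather than the Perl or ASP the page mentions (this is not code from the page or from the Shibboleth project). Placed as a CGI script inside the protected folder, it lists the HTTP_* variables IIS passes, with the Shib-* ones first; the header names in the constructed sample (Shib-Application-ID, Shib-EP-Affiliation) are assumed to match the Header= values in OIT's AAP.xml, and it is also an assumption that Shib-Attributes carries the base64-encoded assertion when exportAssertion="true". Check both against your own AAP.xml.

```python
"""List the HTTP headers the Shibboleth SP 1.3 ISAPI filter handed to the page,
so you can see that attributes were passed. Added example (not from the page or
the Shibboleth project); run as a CGI script under the protected folder, where
IIS exposes request headers as HTTP_* environment variables, or call the
functions with a dict. Shib-* header names and the base64 Shib-Attributes
header are assumptions to verify against your AAP.xml."""
import base64
import os
import sys


def exported_headers(environ):
    """All HTTP_* variables as {Header-Name: value}; 'HTTP_SHIB_EP_AFFILIATION'
    comes back as 'Shib-Ep-Affiliation' because CGI loses the original capitalisation."""
    out = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            out["-".join(p.capitalize() for p in key[5:].split("_"))] = value
    return out


def shib_headers(environ):
    """Only the Shib-* headers, with the exported assertion decoded from base64."""
    shib = {k: v for k, v in exported_headers(environ).items() if k.startswith("Shib-")}
    if "Shib-Attributes" in shib:
        try:
            shib["Shib-Attributes"] = base64.b64decode(shib["Shib-Attributes"], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Left as received so a truncated or mangled header is visible in the dump.
            shib["Shib-Attributes"] += "  (not valid base64)"
    return shib


def render(environ):
    """Plain-text CGI response: Shib-* headers first, then everything else."""
    shib = shib_headers(environ)
    others = {k: v for k, v in exported_headers(environ).items() if k not in shib}
    lines = ["Content-Type: text/plain", "", "Shibboleth headers (%d):" % len(shib)]
    lines += ["  %s: %s" % kv for kv in sorted(shib.items())]
    lines += ["", "Other headers (%d):" % len(others)]
    lines += ["  %s: %s" % kv for kv in sorted(others.items())]
    return "\n".join(lines) + "\n"


# Constructed environment standing in for what IIS passes after a successful login.
SAMPLE_ENVIRON = {
    "HTTP_HOST": "boss1.admsrv.ohio.edu",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "HTTP_SHIB_APPLICATION_ID": "default",
    "HTTP_SHIB_EP_AFFILIATION": "staff@ohio.edu",  # constructed attribute value
    "HTTP_SHIB_ATTRIBUTES": base64.b64encode(b"<saml:Assertion>constructed</saml:Assertion>").decode("ascii"),
    "REMOTE_ADDR": "10.0.0.1",  # not an HTTP_* header, so not listed
}

if __name__ == "__main__":
    # Under IIS the real headers are in os.environ; with none present, show the sample.
    env = os.environ if any(k.startswith("HTTP_") for k in os.environ) else SAMPLE_ENVIRON
    sys.stdout.write(render(env))
```

Because the page echoes attribute values and the whole assertion to whoever has a session, keep it inside the secure folder while you test and delete it afterwards.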



Additional notes

(To be added where needed later)

'''From David about securing entire sites in IIS'''

Allen,

Here is the solution:

<Host name="housingnsc.admsrv.ohio.edu" scheme="https" authType="shibboleth" requireSession="true" exportAssertion="true"> </Host>

Dave


Forwarded Message
Date: Friday, February 10, 2006 11:55 AM -0500
From: Scott Cantor <cantor.2@osu.edu>
To: shibboleth-users@internet2.edu
Subject: RE: protecting iis site

> <Host name="host.ohio.edu">
> <Path name="/" authType="shibboleth"
> requireSession="true"
> exportAssertion="true"></Path>
> </Host>

I think you'll find a warning in native.log noting that it's ignoring this "empty" path designation. Part of supporting embedded slashes was stripping leading/trailing slashes, which leaves nothing.

To protect the host, just move the attributes into the Host element and get rid of the Path element.

-- Scott
In talking to Dave about the section labeled "InQueue pilot federation, delete for production deployments", he suggested deleting it.


End Forwarded Message

Requirements:

The complete list of prerequisites can be found here:

>>http://shibboleth.internet2.edu/guides/sp/windowsinstall.html

Shibboleth 1.3 Service Provider Installation Notes for IIS 9/27/05

General instructions are available here: >>http://shibboleth.internet2.edu/guides/sp/

You need IIS 5 or 6. IIS 6 is preferred.

If the Service Provider is behind a firewall, the firewall should be configured to allow outgoing http requests on port 8443 to shibboleth.ohio.edu.

Configure IIS

The installer will configure the ISAPI filter for IIS.

The steps to configure the ISAPI filter manually can be found here: >>http://shibboleth.internet2.edu/guides/sp/initialiis.html
