This tutorial provides an easy way to deploy a Shibboleth Authentication Application (a Java application) and a Shibboleth Service Provider (an Apache server with Shibboleth support). The infrastructure required for this deployment is one machine where the Shibboleth Service Provider and the Shibboleth Authentication Application will be installed. This machine must have a public IP address.
IMPORTANT NOTE: Throughout this guide we will provide several example values for the different properties that are used in configuration files. It is important that, as you advance in the installation procedure, the real values of your installation are noted down. You will need these values to replace, where appropriate, the example values given in this guide.
The understanding of a Fogbow site deployment is essential for understanding this guide. All documentation regarding such deployment is available in the Fogbow Site Deploy guide.
The installation machine is a machine running any Unix-like operating system, on which Git and Ansible can be installed. Additionally, it needs to have ssh access to the deployment machines.
Log in the installation machine and perform the following steps:
If not already installed, install Git.
If not already installed, install Ansible.
If not already, installed, install pwgen:
# DEBIAN/UBUNTU
$ apt-get install -y pwgen
# FEDORA
$ dnf install -y pwgen
# CENTOS
$ yum install -y pwgen
# MacOS
$ brew install pwgen- Download the Shibboleth Authentication Application project:
$ git clone https://github.com/fogbow/shibboleth-authentication-application.gitGo to the directory conf-files inside the deploy directory.
$ cd shibboleth-authentication-application/deploy/conf-filesThen, edit the configuration files present in this directory, as instructed below. The templates already available indicate which fields need to be filled in (Required), and which have default values (Not Required), and, therefore, are not mandatory. However, some of the required fields may be left empty, since the deployment tool is able to fill them with the correct values.
$ cat hosts.conf
# Required
internal_host_private_ip=
# Required
remote_hosts_user=
# Not Required (if not specified, ansible will use the host ssh keys)
ansible_ssh_private_key_file=The internal_host_private_ip configuration constant is the internal-host private IP address of the Fogbow site.
The remote_hosts_user is the user name that should be used to access the the internal-host via ssh. Let us assume that this user name is ubuntu.
Considering the example values assumed in this guide (and in the Fogbow Site Deploy guide), the content of the hosts.conf would be:
$ cat hosts.conf
# Required
internal_host_private_ip=10.11.4.3
# Required
remote_hosts_user=ubuntu
# Not Required (if not specified, ansible will use the host ssh keys)
ansible_ssh_private_key_file=Generate the RSA keys that will be used by the Shibboleth Authentication Application. The public key generated needs to be installed in the machine running the Fogbow Authentication Service (AS).
openssl genrsa -out rsa_key.pem 2048
openssl pkcs8 -topk8 -in rsa_key.pem -out private.key -nocrypt
openssl rsa -in private.key -outform PEM -pubout -out public.keyCreate Service Provider certificates and become a registered Service Provider at your Shibboleth Authentication Provider. This step varies depending on your Shibboleth Authentication provider. Below you can find the instructions for some providers:
After you receive the required information from the Shibboleth Authentication provider you can fill in the general.conf file.
$ cat general.conf
# ------------------------- Shibboleth Authetication Application (Java App) ------------------------
# Required
shib_http_port=
# Required
fogbow_gui_url=
# Required
ship_private_key_path=
# Required
ras_public_key_path=
# Required
service_provider_machine_ip=
# --------------------------- Service Provider (Apache + Shibboleth) ------------------------------
# Required
service_provider_rnp_certificate=
# Required
service_provider_rnp_key=
# Required
service_provider_domain=
# Required
descovery_service_url=
# Required
descovery_service_metadata_url=- Shibboleth Authetication Application configuration
-
The shib_http_port is the port http where the Shibboleth Authentication Application.
-
The fogbow_gui_url is the Fogbow Gui url that was deployed by Fogbow Deploy.
-
The ship_private_key_path is the private key path generated in the pre requirements of this configuration.
-
The as_public_key_path is the AS public key path.
-
The service_provider_machine_ip is the private ip of the internal host.
- Service Provider (Apache + Shibboleth)
-
The service_provider_rnp_certificate is the certificate generated in the pre requirements of this configuration.
-
The service_provider_rnp_key is the certificate key generated in the pre requirements of this configuration.
-
The service_provider_domain is the domain(DNS address) used to configure your Service Provider. Look the pre requirements configuration.
-
The descovery_service_url is the Descovery Service url provided by your Shibboleth Authentication Provider. Look the pre requirements configuration.
-
The descovery_service_metadata_url is the Descovery Service Metadata url provided by your Shibboleth Authentication Provider. Look the pre requirements configuration.
Considering the example values assumed in this guide (and in the Fogbow Site Deploy guide), the content of the general.conf would be:
$ cat general.conf
# ------------------------- Shibboleth Authetication Application (Java App) ------------------------
# Required
shib_http_port=8000
# Required
fogbow_gui_url=http://fogbow-gui.lsd.ufcg.edu.br
# Required
ship_private_key_path=/tmp/shibboleth-authentication_application_private_key.pem
# Required
as_public_key_path=/tmp/authentication_servive_public_key.pem
# Required
service_provider_machine_ip=10.11.4.3
# --------------------------- Service Provider (Apache + Shibboleth) ------------------------------
# Required
service_provider_rnp_certificate=/tmp/domain-fogbow.lsd.ufcg.edu.br.crt
# Required
service_provider_rnp_key=/tmp/domain-fogbow.lsd.ufcg.edu.br.key
# Required
service_provider_domain=domain-fogbow.lsd.ufcg.edu.br
# Required
## Using CAFE CHIMARRAO with example
descovery_service_url=https://ds.chimarrao.cafe.rnp.br/WAYF
# Required
descovery_service_metadata_url=https://ds.chimarrao.cafe.rnp.br/metadata/chimarrao-metadata.xmlNow, you only need to go back to the Shibboleth Authentication Application directory, and run the installation script.
$ cd ..
$ bash install.sh