
SLC6: CERN Single Sign-On

Windows Single Sign On (SSO) / CERN Authentication integration on Scientific Linux CERN / Apache and Shibboleth.

About CERN Single Sign On and Shibboleth


Installation

As root on your system run:

# yum install shibboleth log4shib xmltooling-schemas opensaml-schemas

(The above command pulls in all dependencies of the listed packages, including curl-openssl, xerces-c, xml-security-c, opensaml and log4cpp, which come from the extras repository for SLC6.)

Note: No SELinux policy has been implemented for Shibboleth 2, so SELinux must be switched to permissive mode on your system for Single Sign On to work. To do this, edit the /etc/sysconfig/selinux file and replace the line:

SELINUX=enforcing

by

SELINUX=permissive

Next reboot your system or run:

/usr/sbin/setenforce Permissive

for the change to take effect.

SLC6 libcurl is precompiled against NSS, while shibboleth requires a libcurl compiled against OpenSSL: the curl-openssl packages provide such a modified version of the libcurl library, installed in parallel to the standard curl libraries.

In order to make the shibboleth daemon use this library, edit the /etc/sysconfig/shibd file and insert the following two lines:

LD_PRELOAD=/opt/shibboleth/lib64/libcurl.so.4
export LD_PRELOAD
(change lib64 to lib for installation on a 32bit system)
Note: this is no longer needed; updated shibboleth packages use a dedicated libcurl-openssl build that solves the problem.

Configuration for CERN Single Sign On

  • We assume that at this point your apache web service (httpd) is already configured and running.
  • Enable automatic startup of shibboleth daemon:
    # /sbin/chkconfig --levels 345 shibd on
    
  • Copy the following configuration files to the /etc/shibboleth/ directory:

  • Edit /etc/shibboleth/shibboleth2.xml
    • set up the listener host (the default localhost setting should be used in most cases):
      <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>
    • replace ALL 5 occurrences of somehost.cern.ch with your system hostname:
      • <Site id="1" name="somehost.cern.ch"/>
      • <Host name="somehost.cern.ch"/>
      • <ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch" ....
      • <saml:Audience>https://somehost.cern.ch/Shibboleth.sso/ADFS</saml:Audience>

    • Review the shibboleth apache configuration in /etc/httpd/conf.d/shib.conf.

    • Configure per-directory (in a .htaccess file) or global (in /etc/httpd/conf.d/shib.conf) authentication rules:
      ##########################################################
      SSLRequireSSL   # The modules only work using HTTPS
      AuthType shibboleth
      ShibRequireSession On
      ShibRequireAll On
      ShibExportAssertion Off
      
      ### ShibUseHeaders On
      ### Uncomment above line if you want shibboleth to
      ### use also old-style request headers
      ### may be required for use with Tomcat, or to
      ### allow easy migration of older applications.
      ### It is strongly recommended not to use above
      ### option in order to improve security.
      <RequireAll>
          Require valid-user
          Require ADFS_GROUP "Some Users Group" "Some Other Users Group"
      </RequireAll>
      ##########################################################
      

    • Script configuration:
      Please note that, contrary to the previous "NICE password" authentication on the central WEB/AFS services, the REMOTE_USER field now holds the user's mail address and not the login name. To get the login name, use HTTP_ADFS_LOGIN instead.

    • ADFS Application configuration:
      Once your Apache web application is configured, you need to have it added to the allowed application list in CERN Single Sign On.
      To do so, go to this form and specify these 3 items:
      • Your application name: provide a telling name for your application (it must be unique).
      • Your application URL, as declared in the saml:Audience property above.
      • Your name and email for further contact.

    • Once you get a confirmation that your application has been configured for CERN SSO, (re)start services on your system as root:
      # /sbin/service shibd restart
      # /sbin/service httpd restart
      
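Two of the steps above are easy to get subtly wrong: leaving one of the five somehost.cern.ch placeholders in shibboleth2.xml, and enabling ShibUseHeaders in a live rule set. The following shell helpers are an added example, not part of the CERN page or of the Shibboleth packages; the placeholder hostname and option names come from the page, while the sample files and the hostname myhost.cern.ch used in the demo are constructed here. Run them against a copy of your configuration first.

```shell
#!/bin/sh
# Added example (not from the CERN page): configuration checks for the
# shibboleth2.xml hostname substitution and the Apache auth rules.

# Number of times the placeholder hostname appears in a file.
# grep -o prints one line per match, so a line with two hits counts twice.
count_placeholder() {
    grep -o 'somehost\.cern\.ch' "$1" | wc -l | tr -d ' '
}

# Replace every placeholder with the real hostname and verify none is left.
# An empty hostname is refused: it would silently produce an entityID of
# "https:///Shibboleth.sso/ADFS" and a useless saml:Audience.
set_hostname() {
    file=$1
    host=$2
    [ -n "$host" ] || { echo "set_hostname: empty hostname" >&2; return 1; }
    sed -i "s/somehost\.cern\.ch/$host/g" "$file" || return 1
    [ "$(count_placeholder "$file")" -eq 0 ]
}

# Return 0 when no active (uncommented) line enables ShibUseHeaders,
# 1 when the legacy request-header export is switched on.
# Commented lines such as "### ShibUseHeaders On" are ignored.
headers_disabled() {
    if grep -Eiq '^[[:space:]]*ShibUseHeaders[[:space:]]+On' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample with the five placeholder occurrences the page lists
# (entityID and homeURL sit on the same line, hence two hits there).
make_shib_sample() {
    cat > "$1" <<'EOF'
<Site id="1" name="somehost.cern.ch"/>
<Host name="somehost.cern.ch"/>
<ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch">
<saml:Audience>https://somehost.cern.ch/Shibboleth.sso/ADFS</saml:Audience>
EOF
}

# Constructed .htaccess sample; pass "on" as $2 to add an active
# ShibUseHeaders line after the commented template line.
make_htaccess_sample() {
    cat > "$1" <<'EOF'
SSLRequireSSL
AuthType shibboleth
ShibRequireSession On
### ShibUseHeaders On
EOF
    [ "$2" = "on" ] && echo "ShibUseHeaders On" >> "$1"
    return 0
}

# Stand-alone demo: "sh this_script.sh demo" exercises both helpers on
# temporary copies; with no argument the functions are only defined.
if [ "${1:-}" = "demo" ]; then
    xml=$(mktemp); ht=$(mktemp)
    make_shib_sample "$xml"
    echo "placeholders before: $(count_placeholder "$xml")"   # 5
    set_hostname "$xml" "myhost.cern.ch" && echo "hostname set, none left"
    make_htaccess_sample "$ht" on
    headers_disabled "$ht" || echo "warning: ShibUseHeaders is active in $ht"
    rm -f "$xml" "$ht"
fi
```

The sed substitution treats the dots in the placeholder literally, so a hostname such as somehost.cern.ch.example would also be rewritten; that is intended, since the page asks for every occurrence to be replaced. headers_disabled is deliberately case-insensitive because Apache directives are.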

Support

For problems related to packaging of shibboleth / log4shib, contact: linux.support@cern.ch
For information and help about shibboleth configuration for CERN Single Sign On, see: CERN Authentication web pages