Skip to content

SLC6: CERN Single Sign-On

Windows Single Sign On (SSO) / CERN Authentication integration on Scientific Linux CERN / Apache and Shibboleth.

About CERN Single Sign On and Shibboleth


Installation

As root on your system run:

# yum install shibboleth log4shib xmltooling-schemas opensaml-schemas

(above command will pull in all dependencies for above packages,
including: curl-openssl, xerces-c, xml-security-c, opensaml and log4cpp
coming from extras repository for SLC6

Note: The SELinux policy has not been implemented for Shibboleth 2 therefore SELinux must be changed to run in permissive mode on your system for Single Sign On to work. For this please edit /etc/sysconfig/selinux file, and replace the line:

SELINUX=enforcing
by
SELINUX=permissive
Next reboot your system or run:
/usr/sbin/setenforce Permissive
for the change to take effect.

SLC6 libcurl is precompiled against NSS, while shibboleth requires a libcurl compiled agains OpenSSL: the curl-openssl packages provide such modified version of libcurl library which is installed in parallel to the standard curl libraries.

In order to make shibboleth daemon use this library, edit /etc/sysconfig/shibd file and insert there following two lines:

LD_PRELOAD=/opt/shibboleth/lib64/libcurl.so.4
export LD_PRELOAD
(change lib64 to lib for installation on a 32bit system) this is not needed , updated shibboleth packages will use a special libcurl-openssl version solving the problem.

Configuration for CERN Single Sign On

  • We assume that at this point your apache web service (httpd) is already configured and running.
  • Enable automatic startup of shibboleth daemon:
    # /sbin/chkconfig --levels 345 shibd on
    
  • Copy following configuration files to /etc/shibboleth/ directory:


  • Edit /etc/shibboleth/shibboleth2.xml
    • set up the listener host (default setting of localhost should be used in most cases):
      <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/>
    • replace ALL 5 occurences of somehost.cern.ch, by your system hostname:
      • <Site id="1" name="somehost.cern.ch"/>
      • <Host name="somehost.cern.ch"/>
      • <ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch" ....
      • <saml:Audience>https://somehost.cern.ch/Shibboleth.sso/ADFS</saml:Audience>

    • Review /etc/httpd/conf.d/shib.conf shibboleth apache configuration.

    • Configure per-directory (in .htaccess file) or global (in /etc/httpd/conf.d/shib.conf) authentication rules:
      ##########################################################
      SSLRequireSSL   # The modules only work using HTTPS
      AuthType shibboleth
      ShibRequireSession On
      ShibRequireAll On
      ShibExportAssertion Off

      ### ShibUseHeaders On ### Uncomment above line if you want shibboleth to ### use also old-style request headers ### may be required for use with Tomcat, or to ### allow easy migration of older applications. ### It is strongly recommended not to use above ### option in order to improve security. <RequireAll> Require valid-user Require ADFS_GROUP "Some Users Group" "Some Other Users Group" </RequireAll> ##########################################################


    • Script configuration:
      Please note that contrary to the previous "NICE password" authentication on central WEB/AFS services, the REMOTE_USER field now holds the user mail address (and not the login name). To get back at the login name, you have to use HTTP_ADFS_LOGIN instead.

    • ADFS Application configuration:
      Once your Apache Web application is configured, you simply need to have your application added to the allowed application list in CERN Single Sign On.
      To do so, simply go to this form and specify these 3 items:
      • Your Application Name, please provide a telling name for your application (it must be unique).
      • Your application URL, as declared in saml:Audience property above.
      • Your name and email for further contact.

    • Once you get a confirmation that your application has been configured for CERN SSO, (re)start services on your system as root:
      # /sbin/service shibd restart
      # /sbin/service httpd restart
      

    Support

    For problems related to packaging of shibboleth / log4shib, contact: linux.support@cern.ch
    For information and help about shibboleth configuration for CERN Single Sign On, see: CERN Authentication web pages