HOWTO Install and Configure a Shibboleth Embedded Discovery Service.md

HOWTO Install and Configure a Shibboleth Embedded Discovery Service

The Embedded Discovery Service (EDS) allows a Service Provider to run a discovery service within their own site. As such the discovery service can look like any other page on the site and thus not be as jarring to a user as being redirected to a totally different, third-party, discovery service site. The EDS is a set of Javascript and CSS files, so installing it and using it is straight forward and does not require any additional software. Note: you must already have an installed and configured Shibboleth Service Provider, V2.4+, in order to use the EDS.

Index

1. Requirements
2. Installation
   1. Debian
   2. CentOS
3. Enable EDS on Shibboleth SP
4. Configuration
5. Whitelist - How to allow IdPs to access the federated resource
6. How to allow the access to IdPs by specifying their entityID
7. How to allow the access to IdPs that support a specific Entity Category
8. How to allow the access to IdPs that support SIRTFI
9. Blacklist - How to disallow IdPs to access the federated resource
10. How to disallow the access to IdPs by specifying their entityID
11. How to disallow the access to IdPs that support a specific Entity Category
12. Best Practices to follow to maximize the access to the resource
13. Authors
14. Credits

Requirements

• Apache Server (>= 2.4)
• A working Shibboleth Service Provider (>= 2.4)
• Tested on: Debian, CentOS

Installation

Debian

1. sudo su -

2. cd /usr/local/src

3. wget https://shibboleth.net/downloads/embedded-discovery-service/latest/shibboleth-embedded-ds-1.2.2.tar.gz -O shibboleth-eds.tar.gz

4. tar xzf shibboleth-eds.tar.gz

5. cd shibboleth-embedded-ds-1.2.2

6. sudo apt install make ; make install

7. Enable Discovery Service Web Page

   • mv /etc/shibboleth-ds/shibboleth-ds.conf /etc/apache2/conf-available/shibboleth-ds.conf

8. Enable the Discovery Service Page:

   • a2enconf shibboleth-ds.conf

9. Restart Apache to load the new web site:

   • systemctl restart apache2.service

CentOS

1. sudo su -
2. yum install shibboleth-embedded-ds

Enable EDS on Shibboleth SP

1. Update "shibboleth2.xml" file to the new Discovery Service page:

   • vim /etc/shibboleth/shibboleth2.xml

     <SSO discoveryProtocol="SAMLDS" 
          discoveryURL="https://###YOUR.SP.FQDN###/shibboleth-ds/index.html">
        SAML2
     </SSO>
     
     <!-- SAML and local-only logout. -->
     <Logout>SAML2 Local</Logout>
     
     <!-- ...other things ... -->
     
     <!-- JSON feed of discovery information. -->
     <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

2. Restart "shibd" service:

• systemctl restart shibd.service

Configuration

The behaviour of Shibboleth Embedded Discovery Service is controlled by IdPSelectUIParms class contained. idpselect_config.js. In the most of cases you have to modify only this file to change the behaviour of Discovery Service.

Make sure to amend this.returnWhiteList to reflect your server name.

Find here the EDS Configuration Options: https://wiki.shibboleth.net/confluence/display/EDS10/3.+Configuration

Whitelist - How to allow IdPs to access the federated resource

How to allow the access to IdPs by specifying their entityID

1. Modify "shibboleth2.xml":

• vim /etc/shibboleth/shibboleth2.xml

  <MetadataProvider type="XML"
                    uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                    backingFilePath="idem-metadata-sha256.xml">
     <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
     <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
     <MetadataFilter type="Whitelist">
         <Include>https://entityid.idp1.allowed.it/shibboleth</Include>
         <Include>https://entityid.idp2.allowed.it/shibboleth</Include>
         <Include>https://entityid.idp3.allowed.it/shibboleth</Include>
     </MetadataFilter>
  </MetadataProvider>

2. Restart "shibd" service:

• systemctl restart shibd.service

How to allow the access to IdPs that support a specific Entity Category

1. Modify "shibboleth2.xml":

• vim /etc/shibboleth/shibboleth2.xml

  <MetadataProvider type="XML"
                    uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                    backingFilePath="idem-metadata-sha256.xml">
     <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
     <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
     <MetadataFilter type="Whitelist" matcher="EntityAttributes">
         <saml:Attribute Name="http://macedir.org/entity-category"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
         </saml:Attribute>
     </MetadataFilter>
  </MetadataProvider>

2. Restart "shibd" service:

• systemctl restart shibd.service

How to allow the access to IdPs that support SIRTFI

1. Modify "shibboleth2.xml":

• vim /etc/shibboleth/shibboleth2.xml

  <MetadataProvider type="XML"
                    uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                    backingFilePath="idem-metadata-sha256.xml">
     <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
     <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
     <MetadataFilter type="Whitelist" matcher="EntityAttributes">
         <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurancecertification"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
         </saml:Attribute>
     </MetadataFilter>
  </MetadataProvider>

2. Restart "shibd" service:

• systemctl restart shibd.service

Blacklist - How to disallow IdPs to access the federated resource

How to disallow the access to IdPs by specifying their entityID

1. Modify "shibboleth2.xml":

• vim /etc/shibboleth/shibboleth2.xml

  <MetadataProvider type="XML"
                    uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                    backingFilePath="idem-metadata-sha256.xml">
     <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
     <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
     <MetadataFilter type="Blacklist">
         <Include>https://entityid.idp1.denied.it/shibboleth</Include>
         <Include>https://entityid.idp2.denied.it/shibboleth</Include>
         <Include>https://entityid.idp3.denied.it/shibboleth</Include>
     </MetadataFilter>
  </MetadataProvider>

2. Restart "shibd" service:

• systemctl restart shibd.service

How to disallow the access to IdPs that support a specific Entity Category

1. Modify "shibboleth2.xml":

• vim /etc/shibboleth/shibboleth2.xml

  <MetadataProvider type="XML"
                    uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                    backingFilePath="idem-metadata-sha256.xml">
     <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
     <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" />
     <MetadataFilter type="Blacklist" matcher="EntityAttributes">
         <saml:Attribute Name="http://macedir.org/entity-category"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
             <saml:AttributeValue>https://federation.renater.fr/scope/commercial</saml:AttributeValue>
         </saml:Attribute>
     </MetadataFilter>
  </MetadataProvider>

2. Restart "shibd" service:

• systemctl restart shibd.service

Best Practices to follow to maximize the access to the resource

• REFEDS Discovery Guide

Authors

Original Author

• Marco Malavolti ([email protected])

Credits

• Consortium Shibboleth
• REFEDS Discovery Guide