RedHat Shibboleth Service Provider (SP) Setup

Before You Begin

In order to use these pre-built packages, you must meet a few requirements:

Using RedHat Enterprise Linux or CentOS
Using the Apache that comes with the OS

If you do not meet these requirements, please see the generic Linux/UNIX Shibboleth Service Provider (SP) Setup instructions instead.

Disabling SELinux

1. RedHat Enterprise Linux ships with Security Enhanced Linux (SELinux) enabled by default. However, SELinux interferes with communication between the Apache web server and the Shibboleth process (shibd). For things to work correctly, you must disable SELinux. To do so, copy and paste the contents of the following box into a terminal window. Be sure you are logged in as an administrator or otherwise have the ability to use sudo.

# Switch the running system to permissive mode (takes effect immediately)
sudo /usr/sbin/setenforce 0
# Make the change persist across reboots. Edit /etc/selinux/config directly:
# /etc/sysconfig/selinux is a symlink to it, and "perl -i" would replace the
# symlink with a plain file, leaving the real config unchanged.
sudo perl -i -pe 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config

Installing Shibboleth SP

1. Copy the below compound command into a terminal window for the host on which Shibboleth SP is to be installed. Your account on that host must have the ability to execute the "sudo" command for this to work.

# Major release number (6, 7, ...) read from /etc/redhat-release
VER=$(perl -ne '/release ([0-9])/ && print "$1\n"' /etc/redhat-release)
# Pick the matching repository name on the openSUSE Build Service
if [ "$VER" -gt 6 ]; then ARCH="CentOS_"; else ARCH="RHEL_"; fi
# Fetch the repo definition into yum's repo directory and install the packages
sudo sh -c "wget http://download.opensuse.org/repositories/security:/shibboleth/$ARCH$VER/security:shibboleth.repo -O /etc/yum.repos.d/shibboleth.repo && yum -y install shibboleth"
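The repository selection above, as an added example that is not part of the original guide: the release number is parsed from a redhat-release line and mapped to the repo URL with the guide's own rule (major release above 6 gives "CentOS_", otherwise "RHEL_"), plus a check that the fetched repo file keeps package signature checking on, since the repo definition itself is downloaded over plain http. Function names are hypothetical; the sample release strings and repo file in the test are constructed.

```shell
# Added example, not from the original guide. Reproduces the repository
# selection of the install command as testable functions, using the guide's
# own rule (major release above 6 -> "CentOS_", otherwise "RHEL_").
# Function names are hypothetical; the yum repo directory is the standard one.

SHIB_REPO_FILE=/etc/yum.repos.d/shibboleth.repo

# Print the major release number from a redhat-release line, e.g.
# "CentOS Linux release 7.9.2009 (Core)" -> 7. Fails if none is found.
redhat_major() {
    _major=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p')
    [ -n "$_major" ] || return 1
    printf '%s\n' "$_major"
}

# Print the URL of the OBS repo file for a given major release.
shib_repo_url() {
    if [ "$1" -gt 6 ]; then _dist="CentOS_"; else _dist="RHEL_"; fi
    printf 'http://download.opensuse.org/repositories/security:/shibboleth/%s%s/security:shibboleth.repo\n' "$_dist" "$1"
}

# Defender's check: the repo file arrives over plain http, so confirm that the
# packages it pulls in will still be signature-checked by yum.
repo_has_gpgcheck() {
    grep -q '^gpgcheck=1' "$1"
}

# Stand-alone usage: show what would be fetched on this host, without
# installing anything (the install itself is the sudo command above).
if [ -r /etc/redhat-release ]; then
    ver=$(redhat_major "$(cat /etc/redhat-release)") &&
        echo "would fetch $(shib_repo_url "$ver") to $SHIB_REPO_FILE"
fi
```

After the real download, run `repo_has_gpgcheck /etc/yum.repos.d/shibboleth.repo` before the `yum -y install` step; if it fails, do not install from that file until you have verified its origin.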

Configuring Shibboleth SP

1. Customize the Shibboleth SP installation to work with the InCommon federation as well as UCSF Identity Providers by copying each of the below commands and pasting them into a terminal window on the same host as above.

sudo wget https://myaccess.ucsf.edu/yum/src/attribute-map.xml -O /etc/shibboleth/attribute-map.xml
sudo wget https://myaccess.ucsf.edu/yum/src/idp-metadata.xml -O /etc/shibboleth/idp-metadata.xml
sudo wget https://myaccess.ucsf.edu/yum/src/incommon.pem -O /etc/shibboleth/incommon.pem
sudo wget https://myaccess.ucsf.edu/yum/src/shibboleth2.xml -O /etc/shibboleth/shibboleth2.xml

2. Use the following command to edit the /etc/shibboleth/shibboleth2.xml configuration file, giving your SP an entityID that matches the host name of the server.

sudo perl -i -pe 's/%HOSTNAME%/'$HOSTNAME'/' /etc/shibboleth/shibboleth2.xml

Alternatively, you can manually edit the /etc/shibboleth/shibboleth2.xml file and replace each occurrence of "%HOSTNAME%" in that file with the publicly accessible DNS name for the host.

3. Determine which SSO environment to use (dev, staging or production). In /etc/shibboleth/shibboleth2.xml, under ApplicationDefaults > Sessions, there are three SSO elements, one for each environment, each containing SAML2. Uncomment the SSO element for the environment you chose and leave the other two commented out.
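The entityID substitution from step 2 and a check for the result of step 3, as an added example that is not part of the original guide. The page's one-liner substitutes $HOSTNAME, which on many hosts is the short name; the entityID should be the publicly accessible DNS name, so pass the output of `hostname -f` or the known public name. The function names are hypothetical and the sample shibboleth2.xml is constructed, with placeholder entityID values; the shape (one SSO element per environment, each on its own line) mirrors the UCSF template as described above.

```shell
# Added example, not from the original guide. Applies the %HOSTNAME%
# substitution from step 2 to a copy of shibboleth2.xml and checks the result
# of step 3 (exactly one SSO element left active). Function names are
# hypothetical; the sample file is constructed, with placeholder entityIDs.

# Constructed stand-in for /etc/shibboleth/shibboleth2.xml: one SSO element
# per environment, two of them commented out.
make_sample_config() {
    cat > "$1" <<'EOF'
<SPConfig>
  <ApplicationDefaults entityID="https://%HOSTNAME%/shibboleth">
    <Sessions>
      <!-- <SSO entityID="[dev IdP entityID placeholder]">SAML2</SSO> -->
      <!-- <SSO entityID="[staging IdP entityID placeholder]">SAML2</SSO> -->
      <SSO entityID="[production IdP entityID placeholder]">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
EOF
}

# Replace every %HOSTNAME% with the given DNS name. The name is escaped so sed
# treats it literally, and the function fails if any placeholder survives.
set_sp_hostname() {
    _file=$1; _name=$2
    _esc=$(printf '%s\n' "$_name" | sed 's/[\/&]/\\&/g')
    sed "s/%HOSTNAME%/$_esc/g" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
    ! grep -q '%HOSTNAME%' "$_file"
}

# Succeed only if exactly one SSO element is active, i.e. starts a line
# without being wrapped in an XML comment.
check_single_sso() {
    _n=$(grep -c '^[[:space:]]*<SSO ' "$1")
    [ "$_n" -eq 1 ]
}

# Stand-alone usage ("sh thisfile.sh demo"): works on a scratch copy, never on
# the live file, and uses the fully qualified host name.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); make_sample_config "$f"
    set_sp_hostname "$f" "$(hostname -f 2>/dev/null || hostname)" && check_single_sso "$f" \
        && echo "ok: $(grep 'ApplicationDefaults entityID' "$f")"
    rm -f "$f"
fi
```

Run `check_single_sso /etc/shibboleth/shibboleth2.xml` after editing the real file: zero active SSO elements means the SP cannot start a login, and more than one means the file was edited inconsistently.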

4. Enable the Shibboleth SP service.

sudo chkconfig shibd on

5. Start the Shibboleth SP daemon. On versions of RHEL and CentOS earlier than version 7, use the below command.

sudo service shibd start

On RHEL and CentOS 7 or newer, use the below command.

sudo systemctl start shibd

Configuring Apache

1. Edit the /etc/httpd/conf.d/shib.conf file. Change the block that refers to "/secure" to match the location you wish to protect with Shibboleth. For example, if your application is accessed by going to "https://myserver.ucsf.edu/myapp", then you'd change "/secure" to "/myapp" in the shib.conf file. When you are finished, restart Apache for the changes to take effect. Use the below command on RHEL and CentOS prior to version 7.

sudo service httpd restart

On RHEL and CentOS 7 or newer, use the below command instead.

sudo systemctl restart httpd
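The shib.conf edit described above, as an added example that is not part of the original guide: the "/secure" Location block is renamed to the application path on a scratch copy, and the resulting block is checked for the two directives that actually enforce a Shibboleth session before Apache is restarted. The function names are hypothetical; the sample shib.conf is constructed to follow the shape of the stock file shipped with the package (a Shibboleth.sso handler block followed by the protected block).

```shell
# Added example, not from the original guide. Changes the protected location
# in a copy of /etc/httpd/conf.d/shib.conf and verifies the resulting block.
# Function names are hypothetical; the sample file below is constructed.

# Constructed sample in the shape of the stock shib.conf
make_sample_shib_conf() {
    cat > "$1" <<'EOF'
<Location /Shibboleth.sso>
  Satisfy Any
  Allow from all
</Location>

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require shib-session
</Location>
EOF
}

# Rename the "/secure" Location to the application path. Refuses paths that do
# not start with "/" and fails if there was no "/secure" block to change.
set_protected_location() {
    _file=$1; _path=$2
    case "$_path" in /*) ;; *) echo "path must start with /" >&2; return 1;; esac
    grep -q '^<Location /secure>' "$_file" || return 1
    _esc=$(printf '%s\n' "$_path" | sed 's/[&#\\]/\\&/g')
    sed "s#^<Location /secure>#<Location $_esc>#" "$_file" > "$_file.tmp" \
        && mv "$_file.tmp" "$_file"
}

# Succeed only if the <Location PATH> block exists and contains both directives
# that make the path require a Shibboleth session.
check_location_protected() {
    _block=$(awk -v p="$2" '
        $0 == ("<Location " p ">") { inblk = 1; next }
        inblk && $0 == "</Location>" { inblk = 0 }
        inblk { print }' "$1")
    printf '%s\n' "$_block" | grep -q 'AuthType shibboleth' &&
        printf '%s\n' "$_block" | grep -q 'require shib-session'
}
```

Typical use on a real host: copy /etc/httpd/conf.d/shib.conf to a scratch file, run `set_protected_location scratch /myapp` and `check_location_protected scratch /myapp`, then copy it back and restart Apache with the command for your release.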