
Shibboleth Integration with CERN SSO

Warning

Shibboleth is not supported by upstream on RHEL/ALMA 9 and thus not supported at CERN. The following documentation is kept as-is for information only: we provide no support for Shibboleth integration.

Migration from old CERN SSO

If you have an existing shibboleth installation using the old SSO, you can migrate to the new SSO by following these instructions.

Puppet users

We strongly recommend using the OpenID Connect Puppet module instead of Shibboleth: https://gitlab.cern.ch/ai/it-puppet-module-cernsso_apache. This module will be actively maintained for future releases.

Shibboleth installation from scratch (CC7)

As root on your system run:

# yum install shibboleth

(This command pulls in all dependencies of the package, including log4shibm, xmltooling-schemas, opensaml-schemas, curl-openssl, xerces-c, xml-security-c, opensaml and log4cpp, from the 'cern' repository for CC7.)

Install the Shibboleth SELinux Policy to enable Shibboleth to run whilst enforcing SELinux.

# yum install shibboleth-selinux

Install signing certificates (optional)

You can generate a self-signed certificate and key pair using the following script:

# /etc/shibboleth/keygen.sh -f -u shibd -h somehost.cern.ch -y 3 -e https://somehost.cern.ch/Shibboleth.sso -o /etc/shibboleth/

This will create sp-cert.pem and sp-key.pem that will be used for signing.

Configuration for CERN Single Sign On

We assume that at this point your Apache web service (httpd) is already configured and running. Enable automatic startup of the Shibboleth daemon:

# /bin/systemctl enable shibd

Copy the following configuration files to the /etc/shibboleth/ directory:

  • IdP metadata:
    curl https://auth.cern.ch/auth/realms/cern/protocol/saml/descriptor > /etc/shibboleth/idp.xml
  • Shibboleth configuration:
    curl https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/-/raw/master/shibboleth2.xml > /etc/shibboleth/shibboleth2.xml
  • Attribute map:
    curl https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/-/raw/master/attribute-mapper.xml > /etc/shibboleth/attribute-map.xml

Edit shibboleth2.xml and replace somehost.cern.ch with your own hostname everywhere it is used.

Review the Shibboleth Apache configuration in /etc/httpd/conf.d/shib.conf.

Configure authentication rules either per directory (in a .htaccess file) or globally (in /etc/httpd/conf.d/shib.conf):

##########################################################
# The Shibboleth module only works over HTTPS
# (Apache does not accept comments after a directive on the same line)
SSLRequireSSL
AuthType shibboleth
ShibRequireSession On
### ShibRequireAll On - not supported on Apache 2.4
ShibExportAssertion Off

### ShibUseHeaders On
### Uncomment the line above if you also want Shibboleth to
### pass attributes as old-style request headers. This may
### be required for use with Tomcat, or to ease migration
### of older applications. It is strongly recommended not
### to enable this option, in order to improve security.

<RequireAll>
    Require valid-user
    Require shib-attr CERN_ROLES "myrole"
</RequireAll>
##########################################################

Registration for CERN SSO

Generate your Metadata

You can find your Metadata at https://somehost.cern.ch/Shibboleth.sso/Metadata.

Alternatively, you can generate it with the script:

# /etc/shibboleth/metagen.sh -c sp-cert.pem -h somehost.cern.ch -e https://somehost.cern.ch/Shibboleth.sso

IMPORTANT! If you are using signing certificates, you need to add use="signing" to the KeyDescriptor element. See the example at https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/blob/master/metadata-example.xml for inspiration.
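As an added example (not part of this CERN documentation or of the Shibboleth project), a small Python check to run over the metadata before registering it: it verifies that the entityID matches your host, flags a KeyDescriptor without use="signing", rejects endpoints that are not HTTPS on your host, and catches a somehost.cern.ch placeholder left over from editing shibboleth2.xml. The sample metadata and the hostname myapp.cern.ch are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PLACEHOLDER_HOST = "somehost.cern.ch"  # placeholder hostname used throughout these instructions


def check_sp_metadata(xml_text: str, host: str) -> list[str]:
    """Return problems in SP metadata meant for `host`: wrong entityID, no KeyDescriptor
    with use="signing", endpoints that are not HTTPS on the host, leftover placeholder."""
    findings = []
    root = ET.fromstring(xml_text)
    expected_id = f"https://{host}/Shibboleth.sso"
    if root.get("entityID") != expected_id:
        findings.append(f"entityID is {root.get('entityID')!r}, expected {expected_id!r}")
    key_descriptors = root.findall(f".//{{{MD_NS}}}KeyDescriptor")
    if key_descriptors and not any(kd.get("use") == "signing" for kd in key_descriptors):
        findings.append('no KeyDescriptor carries use="signing"')
    for elem in root.iter():
        location = elem.get("Location")
        if location is None:
            continue
        url = urlparse(location)
        if url.scheme != "https" or url.hostname != host:
            local_name = elem.tag.rsplit("}", 1)[-1]
            findings.append(f"{local_name} endpoint {location} is not on https://{host}")
    if host != PLACEHOLDER_HOST and PLACEHOLDER_HOST in xml_text:
        findings.append(f"placeholder {PLACEHOLDER_HOST} is still present")
    return findings


def sample_metadata(entity_host: str, acs_host: str, use_attr: str) -> str:
    # Constructed sample, not real Shibboleth.sso/Metadata output; the certificate is a placeholder.
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://{entity_host}/Shibboleth.sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{acs_host}/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


GOOD_METADATA = sample_metadata("myapp.cern.ch", "myapp.cern.ch", ' use="signing"')
# Half-edited metadata: the endpoint still carries the placeholder and use="signing" is missing.
BAD_METADATA = sample_metadata("myapp.cern.ch", PLACEHOLDER_HOST, "")
```

Run it against the output of https://yourhost/Shibboleth.sso/Metadata; an empty list means the four checks passed.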

Register your Application

Go to the Application Portal, following the instructions as needed.

Once you get a confirmation that your application has been configured for CERN SSO, (re)start services on your system as root:

# /bin/systemctl restart shibd
# /bin/systemctl restart httpd

Define the permissions scheme

You will not receive all e-groups in the SAML token. For each authorisation your application requires, create a Role in the Application Portal and link it to a group. These roles appear in the CERN_ROLES environment variable, which you can use for access control (for example in a Require shib-attr rule).

Support

Please ask for help via one of our contact channels.