Shibboleth Integration with CERN SSO
Migration from old CERN SSO
If you have an existing shibboleth installation using the old SSO, you can migrate to the new SSO by following these instructions.
Puppet users
We strongly recommend using the OpenID Connect Puppet Module instead of Shibboleth: https://gitlab.cern.ch/ai/it-puppet-module-cernsso_apache. This Module will be actively maintained for future releases.
Shibboleth installation from scratch (CC7)
As root on your system run:
# yum install shibboleth
Install the Shibboleth SELinux Policy to enable Shibboleth to run whilst enforcing SELinux.
# yum install shibboleth-selinux
Install signing certificates (optional)
You can generate a self-signed certificate and key pair using the following script:
/etc/shibboleth/keygen.sh -f -u shibd -h somehost.cern.ch -y 3 -e https://somehost.cern.ch/Shibboleth.sso -o /etc/shibboleth/
This will create sp-cert.pem and sp-key.pem that will be used for signing.
Configuration for CERN Single Sign On
We assume that at this point your apache web service (httpd) is already configured and running. Enable automatic startup of shibboleth daemon:
# /bin/systemctl enable shibd
- IdP Metadata
curl https://auth.cern.ch/auth/realms/cern/protocol/saml/descriptor > /etc/shibboleth/idp.xml - Shibboleth configuration
curl https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/-/raw/master/shibboleth2.xml > /etc/shibboleth/shibboleth2.xml - Attribute maps
curl https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/-/raw/master/attribute-mapper.xml > /etc/shibboleth/attribute-map.xml
Edit shibboleth2.xml and replace somehost.cern.ch with your domain everywhere it is used.
Review /etc/httpd/conf.d/shib.conf shibboleth apache configuration.
Configure per-directory (in .htaccess file) or global (in /etc/httpd/conf.d/shib.conf) authentication rules:
##########################################################
SSLRequireSSL # The modules only work using HTTPS
AuthType shibboleth
ShibRequireSession On
### ShibRequireAll On - not supported on Apache 2.4
ShibExportAssertion Off
### ShibUseHeaders On
### Uncomment above line if you want shibboleth to
### use also old-style request headers
### may be required for use with Tomcat, or to
### allow easy migration of older applications.
### It is strongly recommended not to use above
### option in order to improve security.
<RequireAll>
Require valid-user
Require shib-attr CERN_ROLES "myrole"
</RequireAll>
##########################################################
Registration for CERN SSO
Generate your Metadata
You can find your Metadata at https://somehost.cern.ch/Shibboleth.sso/Metadata.
Alternatively you can generate some using the script /etc/shibboleth/metagen.sh -c sp-cert.pem -h somehost.cern.ch -e https://somehost.cern.ch/Shibboleth.sso
IMPORTANT! If you are using signing certificates, you need to add use="signing" inside the KeyDescriptor attribute. See the example at https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/blob/master/metadata-example.xml for for inspiration.
Register your Application
Go to the Application Portal, following the instructions as needed.
Once you get a confirmation that your application has been configured for CERN SSO, (re)start services on your system as root:
# /bin/systemctl restart shibd
# /bin/systemctl restart httpd
Define the permissions scheme
You will not receive all e-groups in the SAML token. For each authorisation required for your application you should create a Role in the Application Portal and link it to a group. These will appear in the environment variable CERN_ROLES which you can use for access control purposes.
Support
Please ask for help via one of our contact channels.