
Shibboleth migration to the new CERN SSO

Warning

Shibboleth is not supported by upstream on RHEL/ALMA 9 and thus not supported at CERN. The following documentation is kept as-is for information only: we provide no support for Shibboleth integration.

If you have configured Shibboleth for the old SSO in a standard way, you can migrate to the new SSO by following these instructions. This guide tries to implement as few changes as possible to your existing configuration.

These instructions are valid for CentOS 7 and the latest CERN build of Shibboleth. We are not distributing any Shibboleth package for newer operating systems. Other operating systems and Shibboleth packages may have subtle differences.

In each step below, replace somehost with your domain.

Install signing certificates (optional)

If you want to sign your authentication requests (for added security), you can generate a self-signed certificate and key pair using the following script:

/etc/shibboleth/keygen.sh -f -u shibd -h somehost.cern.ch -y 3 -e https://somehost.cern.ch/Shibboleth.sso -o /etc/shibboleth/

This will create sp-cert.pem and sp-key.pem that will be used for signing.

Install new configuration files

Remember to backup your current configuration before installing!

  • IdP Metadata:
    curl https://auth.cern.ch/auth/realms/cern/protocol/saml/descriptor > /etc/shibboleth/idp.xml
  • New Shibboleth configuration:
    curl https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/-/raw/master/shibboleth2.xml > /etc/shibboleth/shibboleth2.xml
  • New attribute map:
    curl https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/-/raw/master/attribute-mapper.xml > /etc/shibboleth/attribute-map.xml

Edit shibboleth2.xml and replace somehost.cern.ch with your domain.

Restart Shibboleth

systemctl restart shibd

Generate your Metadata

You can find your Metadata at https://somehost.cern.ch/Shibboleth.sso/Metadata.

Alternatively, you can generate it using the script:

/etc/shibboleth/metagen.sh -c sp-cert.pem -h somehost.cern.ch -e https://somehost.cern.ch/Shibboleth.sso

IMPORTANT! If using a signing certificate, you need to add use="signing" to the KeyDescriptor element. See this example for inspiration.
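To verify that the generated SP metadata carries the use="signing" marker required above, here is an added Python example (not part of the original page or of the Shibboleth distribution) that lists the use attribute of every KeyDescriptor and adds use="signing" where it is missing; the sample metadata below is constructed for illustration, with a placeholder in place of the real certificate.

```python
import sys
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces (standard values).
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample SP metadata: one KeyDescriptor without a 'use' attribute,
# which is what metagen.sh-style output looks like before the manual edit.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://somehost.cern.ch/Shibboleth.sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://somehost.cern.ch/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptor_uses(metadata_xml: str) -> list:
    """Return the 'use' attribute of each KeyDescriptor, in document order.
    None means the attribute is absent, i.e. the key is offered for both
    signing and encryption rather than being marked as a signing key."""
    root = ET.fromstring(metadata_xml)
    return [kd.get("use") for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")]


def mark_keys_for_signing(metadata_xml: str) -> str:
    """Add use="signing" to every KeyDescriptor lacking a 'use' attribute
    and return the updated metadata as a string (existing values are kept)."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") is None:
            kd.set("use", "signing")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_sp_metadata.py [metadata.xml]; defaults to the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    print("KeyDescriptor use values before:", key_descriptor_uses(src))
    print(mark_keys_for_signing(src))
```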

Register your Application

Go to the Application Portal, following the instructions as needed.

Reproduce the permissions scheme

You will no longer receive all e-groups in the SAML token. For each authorisation required for your application you should create a Role in the Application Portal and link it to a group.

If you define access control based on environment variable ADFS_GROUP in /etc/httpd/conf.d/shib.conf or an .htaccess file, modify this to look at the environment variable CERN_ROLES instead. For example:

##########################################################
# The modules only work using HTTPS (Apache does not allow trailing comments on a directive line)
SSLRequireSSL
AuthType shibboleth
ShibRequireSession On
### ShibRequireAll On - not supported on Apache 2.4
ShibExportAssertion Off

### ShibUseHeaders On
### Uncomment above line if you want shibboleth to
### use also old-style request headers
### may be required for use with Tomcat, or to
### allow easy migration of older applications.
### It is strongly recommended not to use above
### option in order to improve security.

<RequireAll>
    Require valid-user
    Require shib-attr CERN_ROLES "myrole"
</RequireAll>
##########################################################

Test it out

Restart Shibboleth once more:

systemctl restart shibd

Then test authenticating to your service.

Troubleshooting

Please ask for help using our contact channels.