Shibboleth



Shibboleth2 Linux@Duke Packages

Changes from old packages

  • Because the shibboleth 2 rpm conflicts with shibboleth 1.x rpms and libraries, the shibboleth 2 rpm has been broken out into a separate repository.
  • These rpms are a direct mirror of the upstream shibboleth 2.x rpms. Duke-specific configuration now has its own rpm called dukeshib-tools.
  • At one point, we were testing shibboleth 2.x rpms with a name of ‘shibboleth2’. This is no longer the case. The rpm name is now just ‘shibboleth’. If you were an early adopter who used the ‘shibboleth2’ rpms, you will need to uninstall them before updating to the current version.

How to Upgrade from Shibboleth1.x

  1. Add /etc/yum.repos.d/shibboleth2.repo to your host
  2. Uninstall the previous version of shibboleth. Note the --nopostun option: in certain environments the post-uninstall script fails, which prevents the rpm from being fully removed.
    $ sudo rpm -e shibboleth --nopostun
  3. Install the new version of shibboleth:
    $ sudo yum install shibboleth dukeshib-tools
  4. Configure your shibboleth2.xml file
  5. Configure attribute mappings in the attribute-map.xml file.
  6. Customize the error pages and the logo displayed during errors.
  7. Notify the Duke IDMS team (websso-info@duke.edu) that you are changing to a shibboleth2 provider for your specific host.

Testing Enhancements

  1. dukeshib-tools contains a script to generate shibboleth2.xml files. This should only be used as a guide for your application testing. Some changes may need to be made for each specific environment.
    drews@drews-test-01:~$ /opt/dukeshib-tools/bin/generate_shibboleth2_xml.py
    Usage:  /opt/dukeshib-tools/bin/generate_shibboleth2_xml.py
    DEFAULT_HOSTNAME [ADDITIONAL_HOSTNAME [ADDITIONAL_HOSTNAME]...]
    drews@drews-test-01:~$
  2. dukeshib-tools contains a small shell script to check the shibboleth2.xml syntax:
    drews@drews-test-01:~$ /opt/dukeshib-tools/bin/check_configuration.sh
    overall configuration is loadable, check console for non-fatal problems
    Good news, things will at least load
    drews@drews-test-01:~$
  3. Content of shibboleth2.repo

    Note that only the production repository is enabled. To use the testing repository, change enabled=0 to enabled=1 in the [shibboleth2-test] section.

    [shibboleth2]
    name=Packages needed for Shibboleth 2.x
    baseurl=http://install.linux.duke.edu//pub/linux/shibboleth2/centos-$releasever/$basearch
    gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_5/repodata/repomd.xml.key
    gpgcheck=1
    enabled=1
    
    [shibboleth2-test]
    name=Packages needed for Shibboleth 2.x
    baseurl=http://testing.linux.duke.edu//pub/linux/shibboleth2/centos-$releasever/$basearch
    gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_5/repodata/repomd.xml.key
    gpgcheck=1
    enabled=0
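
An added example, not part of dukeshib-tools or the original page: a shell function that summarises each section of a .repo file like the one above and flags enabled repositories where gpgcheck is not 1 or where the gpgkey is fetched over plain http, so the key that verifies the packages arrives without transport integrity. The function name, output format and sample hosts are assumptions made for this example.

```shell
#!/bin/sh
# audit_repo [FILE...]: one summary line per .repo section (reads stdin if no FILE).
# A missing enabled= is treated as enabled and a missing gpgcheck= as not
# verified; both are deliberately conservative assumptions of this example.
audit_repo() {
    awk '
    function scheme(u) { return (u == "") ? "unset" : substr(u, 1, index(u, ":") - 1) }
    function emit(   note) {
        if (sec == "") return
        note = "ok"
        if (en != "0" && gc != "1") note = "WARN:gpgcheck-not-1"
        else if (en != "0" && scheme(key) == "http") note = "WARN:gpgkey-over-http"
        printf "%s enabled=%s gpgcheck=%s gpgkey=%s %s\n", sec, en, gc, scheme(key), note
    }
    /^[ \t]*\[.*\]/ { emit(); sec = $0
                      sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                      en = "unset"; gc = "unset"; key = ""; next }
    /^[ \t]*[#;]/   { next }                      # comment lines
    { i = index($0, "="); if (i == 0) next        # split on the first "=" only
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == "enabled") en = v
      else if (k == "gpgcheck") gc = v
      else if (k == "gpgkey") key = v }
    END { emit() }
    ' "$@"
}

# Constructed sample modelled on the repo file above; hosts are placeholders.
sample_repo() {
    cat <<'EOF'
[shibboleth2]
name=Packages needed for Shibboleth 2.x
baseurl=http://repo.example.org/shibboleth2/centos-$releasever/$basearch
gpgkey=http://keys.example.org/repomd.xml.key
gpgcheck=1
enabled=1

[shibboleth2-test]
name=Packages needed for Shibboleth 2.x
baseurl=http://testing.example.org/shibboleth2/centos-$releasever/$basearch
gpgkey=http://keys.example.org/repomd.xml.key
gpgcheck=1
enabled=0
EOF
}

sample_repo | audit_repo
```

On a host, run it as `audit_repo /etc/yum.repos.d/shibboleth2.repo` before and after toggling the testing repository.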

 
