Shibboleth is a project conceived by a consortium of American educational institutes (Internet2/MACE) to solve the problem of authenticating users to resources provided by many external companies and institutes. For more details see http://shibboleth.internet2.edu/
The purpose of this document is to lower the skill set required to install Shibboleth. This document follows the previous guide, 'Installing Pubcookie on Redhat AS 3.0 and authenticating against Windows Active Directory', available from http://iamsect.ncl.ac.uk/.
It is not the intention of this guide to give a full overview of how to install Redhat AS3.0. The Redhat installation documentation is good and should be used. This guide will focus on administration from the command line as most web servers run "headless" (i.e. no monitor, no windows, no graphical interface) so are only administrable by command line. Command line is available in all graphical environments.
Shibboleth is a single sign-on project that has come out of a federation of higher education establishments in the United States called Internet2. It is now being viewed as the replacement for Athens login in the U.K.
In order to install and manage a pubcookie server you will need the following skills:
A reasonable working knowledge of the Linux (or Unix) Command Line Interface (CLI);
Knowledge of how to use the Apache web server, either the 2.0.* or 1.3.* versions;
Familiarity with the concepts of https communication (certificates, keys and the like);
Familiarity with firewalls, or access to someone who is familiar with them, in particular Linux iptables-style firewalls;
Most importantly, a willingness to read around subject areas: man pages, Google, and mailing lists.
In order to be able to install a Shibboleth origin (identity provider) you will require the following:
A subscription to the Redhat network for at least one slot for Redhat AS3.0;
A standard "x86" server (i.e. a standard server with a standard Intel or AMD chipset, as sold by Dell etc.);
The ability to synchronise system time against a network time protocol (NTP) server;
An SSL server certificate for the web server; the certificate must be valid and be signed by a Certificate Authority (CA), e.g. Thawte or Verisign;
Root user access to the server;
A preexisting pubcookie login server installation as detailed in a previous document.
While this install guide is based on an install on Redhat AS3.0, much of it is still applicable to other Linux distributions.
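Before starting the install it is worth confirming that the SSL key and the signed certificate returned by your CA actually belong together, chain to a CA you trust, and name the host you intend to serve; a mismatch here is the commonest reason an otherwise correct Shibboleth/Apache configuration refuses to start or is rejected by browsers. The following pre-flight script is an added example for this guide, not part of the original document or of the Shibboleth project; it uses only the standard openssl command-line tool, and the file names shib.example.edu.key and shib.example.edu.crt.signed follow the naming convention assumed in this guide, while the CA bundle path is an assumption you must replace with the bundle your CA supplied.

```shell
#!/bin/sh
# Added pre-flight check (example code, not from the original guide).
# Each function returns 0 on success and non-zero on failure so the
# results can be used directly in shell conditionals.

# Returns 0 when the public key inside the certificate is identical to the
# public key derived from the private key, i.e. the two files belong together.
cert_matches_key() {
    key="$1"; crt="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Returns 0 when the certificate verifies against the given CA bundle:
# it is signed by a CA in that bundle and is within its validity period.
cert_chains_to_ca() {
    crt="$1"; ca_bundle="$2"
    openssl verify -CAfile "$ca_bundle" "$crt" >/dev/null 2>&1
}

# Returns 0 when the certificate's subject CN (or SAN, if present) covers
# the host name that clients will connect to.
cert_covers_host() {
    crt="$1"; host="$2"
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match'
}

# Usage (paths are the guide's naming convention; the CA bundle is assumed):
#   sh preflight.sh shib.example.edu.key shib.example.edu.crt.signed ca-bundle.crt
if [ "$#" -eq 3 ]; then
    host=$(basename "$1" .key)
    cert_matches_key "$1" "$2"   && echo "OK: key and certificate match" \
                                 || echo "FAIL: key does not match certificate"
    cert_chains_to_ca "$2" "$3"  && echo "OK: certificate chains to CA bundle" \
                                 || echo "FAIL: certificate does not verify against $3"
    cert_covers_host "$2" "$host" && echo "OK: certificate covers $host" \
                                  || echo "FAIL: certificate does not name $host"
fi
```

Run it as the normal user once the signed certificate has arrived; if the key and certificate do not match, the usual cause is that a fresh key was generated after the certificate signing request was submitted, and the request must be re-issued from the key you actually intend to deploy.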
For the purpose of this guide we will assume that your institution has a web presence called "example.edu" and that your Shibboleth server will be called "shib.example.edu". We will also assume that you call your secure serving SSL key shib.example.edu.key and that you call the signed certificate file you get back from your certificate authority shib.example.edu.crt.signed.
Code listings are provided within boxes like this:
$ echo hello world
File contents are provided within boxes like this:
The contents of a file
Some commands can be executed as a normal user, others are required to be executed with super-user privileges. You can follow this guide entirely as the super-user, or you could be a normal user for a number of steps. For the latter case, switching between users and managing resulting permission issues is an exercise left to the reader.
To indicate which category a given command falls into, the standard Bourne shell prompt delimiters are used: '$' for a normal user, '#' for the superuser:
$ echo normal user command
# echo super user command