This document aims to set out what an institution needs to do, from scratch, to install a Shibboleth Target. Generally, this requires the release of attributes about users.
This document was compiled by Caroline Ingram, with contributions from Malcolm Murray and Michael Young, at Durham University, and Cal Racey, Jon Dowland and Janet Wheeler, at Newcastle University.
The purpose of this document is to lower the level of skill required to understand what is needed to install a Shibboleth Target.
This document follows from previous documentation available from http://iamsect.ncl.ac.uk/.
Shibboleth is a single sign-on project developed by Internet2, a consortium of higher-education institutions in the United States. Shibboleth is not itself an authentication or authorisation scheme: it is an open, standards-based protocol for securely transferring attributes between an identity provider (the user's home institution) and a service provider (the resource), together with an open-source reference implementation of that protocol. The current reference release is Shibboleth 1.2; this document will be reviewed for Shibboleth 1.3 during 2006.
Academic libraries licence and offer access to a range of online resources that are regarded as necessary to support research and teaching in any subject. One of the big issues to be solved is maintaining a balance between adhering to the legal and contractual responsibilities to publishers (to limit access to only those users covered by licence terms) and to the library's users (to keep personal information secure), and, finally, to ensure the fundamental function of a library operates - that users are shown the simplest path to the information they want[1].
In order to install and manage a Shibboleth software implementation you will need access to the following skills:
A reasonable working knowledge of the Linux (or Unix) Command Line Interface (CLI);
Knowledge of how to use the apache web server, either the 2.0.* or 1.3.* versions;
Familiarity with the concepts of https communication (certificates, keys and the like);
Familiarity with firewalls or access to someone who is familiar, in particular with Linux iptables style firewalls;
Familiarity with the setup of Windows Active directory, or access to someone who has those skills.
Finally, you will need a willingness to read around subject areas, management pages and mailing lists, since this is an emerging and swiftly developing area.
There are several essential elements that must be present in the environment for Shibboleth to function well (see the section called “Installing a Shibboleth Target”). On the identity provider side Shibboleth is written entirely in Java. The basic installation of the Shibboleth Identity Provider should be carried out before joining the federation, as the federation will test that the installation works and will require information that is not available until the installation is complete.
IAMSECT deliverables include a Shibboleth Identity Provider set-up guide.
Check previous installation documents on the IAMSECT website for more details. The following need to be considered:
unless otherwise stated, do not build and install the components in this guide under a remotely mounted branch of the file system;
configure your environment so that tools such as wget can reach the web through your proxy, for example:
$ export http_proxy=http://webproxy.example.edu:8080/
where webproxy.example.edu is the host and 8080 the port of your web proxy (wget expects the full URL form, including the scheme);
install a firewall on each server, but note which ports must be left open for Shibboleth and the web server;
note that Pubcookie requires accurate network time, so keep the server clock synchronised (for example with NTP).
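The environment points above, gathered into a pre-flight script that a target administrator can run before starting the installation. This is an added example and not part of the IAMSECT guide; the proxy host and port, the no_proxy domain, the 500 ms clock-skew limit and the `httpd -v` probe are assumed values, not requirements stated by the guide.

```shell
#!/bin/sh
# Pre-flight checks for a Shibboleth Target host (added example, not from the
# IAMSECT guide): outbound proxy for wget, supported Apache version (1.3.x or
# 2.0.x per the guide), and the clock accuracy Pubcookie needs.

# Build the proxy URL that wget expects in http_proxy. The scheme and trailing
# slash are required; a bare host:port is misread by some tools. Returns 1 on
# an invalid port so callers can refuse to continue.
proxy_url() {
    host=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "bad proxy port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad proxy port: '$port'" >&2; return 1
    fi
    printf 'http://%s:%s/\n' "$host" "$port"
}

# Export proxy variables for the current shell. no_proxy keeps traffic to the
# local IdP/SP hosts off the proxy; the .example.edu domain is an assumption.
configure_proxy() {
    url=$(proxy_url "$1" "$2") || return 1
    http_proxy=$url; https_proxy=$url; ftp_proxy=$url
    no_proxy='localhost,127.0.0.1,.example.edu'
    export http_proxy https_proxy ftp_proxy no_proxy
}

# The guide covers Apache 1.3.* and 2.0.* only; anything else needs checking
# against newer documentation before proceeding.
apache_version_ok() {
    case $1 in
        1.3.*|2.0.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Clock skew check. offset_ms is the signed offset from the time source in
# milliseconds (e.g. derived from `ntpdate -q` output); limit_ms defaults to
# 500. Pubcookie and SAML assertions carry validity windows, so a drifting
# clock makes logins fail in hard-to-diagnose ways.
clock_skew_ok() {
    offset=$1; limit=${2:-500}
    case $offset in
        -*) offset=${offset#-} ;;
    esac
    offset=${offset%.*}            # drop any fractional part
    [ "${offset:-0}" -le "$limit" ]
}

# Worked run with constructed values.
configure_proxy webproxy.example.edu 8080 && echo "http_proxy=$http_proxy"
apache_version_ok "$(httpd -v 2>/dev/null | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p')" \
    || echo "warning: Apache version is not 1.3.x or 2.0.x (or httpd not found)"
clock_skew_ok 120 500 && echo "clock offset within 500 ms"
```

Run it with `sh preflight.sh` on the target host; feed `clock_skew_ok` the offset reported by your NTP client rather than the constructed value, and adjust `no_proxy` to your own domain.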
[1] For additional information see Paschoud, J. (2005). Shibboleth and SAML: at last, a viable global standard for resource access management. New Review of Information Networking, 10(2), November 2004, pp. 147-160.