If you're new to Shibboleth and need to implement it for web application authentication on Ubuntu Server 10.04 LTS, this guide will walk you through practical steps with concrete examples. Shibboleth is a powerful SAML-based SSO solution, but its learning curve can be steep without proper resources.
Before diving into implementation, here are key resources:
- Official Shibboleth 2 Documentation: https://spaces.internet2.edu/display/SHIB2/Installation
- Shibboleth Consortium Wiki: https://wiki.shibboleth.net
- Internet2 Middleware Initiative: https://www.internet2.edu/products-services/trust-identity-middleware/
Here's a step-by-step installation guide with commands:
# Add the Shibboleth repository
echo "deb http://pkg.shibboleth.net/ubuntu lucid main" | sudo tee /etc/apt/sources.list.d/shibboleth.list
# Import the GPG key
# The release name in the key URL must match the one used in the sources list above (lucid for 10.04)
wget -qO - http://pkg.shibboleth.net/ubuntu/lucid/Release.key | sudo apt-key add -
# Update package lists
sudo apt-get update
# Install Shibboleth SP package
sudo apt-get install libapache2-mod-shib2
# Enable the module
sudo a2enmod shib2
After installation, configure your SP by editing /etc/shibboleth/shibboleth2.xml:
<ApplicationDefaults entityID="https://your-sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">
        <SSO entityID="https://your-idp.example.org/idp/shibboleth">
            SAML2 SAML1
        </SSO>
        <Logout>SAML2 Local</Logout>
    </Sessions>
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
</ApplicationDefaults>
To protect a specific location in Apache:
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require valid-user
</Location>
Check these log files when debugging:
- /var/log/shibboleth/shibd.log - SP daemon logs
- /var/log/shibboleth/transaction.log - Detailed transaction logs
- /var/log/apache2/error.log - Apache error logs
For production environments, consider these security enhancements in shibboleth2.xml:
<!-- Harden the session cookie -->
<Sessions ... handlerSSL="true" cookieProps="; SameSite=Strict; Secure">
<!-- Enable strict metadata checking -->
<MetadataProvider ... validate="true">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="metadata-cert.pem"/>
</MetadataProvider>
Use these tools to verify your setup:
- Shibboleth SP status page: https://your-server/Shibboleth.sso/Status
- SAML tracer browser extension for debugging assertions
- curl commands to test protected endpoints
Shibboleth operates as a SAML-based SSO solution with two primary components: Identity Providers (IdP) and Service Providers (SP). For web application authentication, we'll focus on the SP implementation.
First, ensure your system meets requirements:
sudo apt-get update
sudo apt-get install apache2 libapache2-mod-shib2 opensaml2-tools
Edit the main configuration file:
sudo nano /etc/shibboleth/shibboleth2.xml
Key elements to configure:
<ApplicationDefaults entityID="https://yourdomain.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">
Generate your SP metadata:
sudo shib-keygen -f
sudo shibd -t
Exchange metadata with your IdP. A typical metadata file looks like:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://yourdomain.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://yourdomain.example.org/Shibboleth.sso/SAML2/POST"
            index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
Configure your virtual host:
<VirtualHost *:443>
    ServerName yourdomain.example.org
    SSLEngine on
    # Your SSL certificate configuration here
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
Create a simple test page to verify attributes. The SP exposes released attributes to the application as server variables (the names configured in attribute-map.xml, plus REMOTE_USER), so no extra library is needed:
<?php
// Place this under the protected /secure location so a session is required.
$attrs = array();
foreach (array('REMOTE_USER', 'eppn', 'persistent-id', 'targeted-id',
               'Shib-Session-ID', 'Shib-Identity-Provider') as $name) {
    if (isset($_SERVER[$name])) {
        $attrs[$name] = $_SERVER[$name];
    }
}
echo "<pre>";
print_r(array_map('htmlspecialchars', $attrs));
echo "</pre>";
?>
Check logs for errors:
tail -f /var/log/shibboleth/shibd.log
tail -f /var/log/apache2/error.log
Common problems include:
- Clock skew between SP and IdP
- Incorrect entityIDs in metadata
- Missing attribute mappings
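Two of these problems (an entityID in the metadata that does not match shibboleth2.xml, and metadata whose validUntil the RequireValidUntil filter from the hardening section would reject) can be caught before the metadata is ever sent to the IdP. The following checker is an added example, not part of the Shibboleth distribution; the shibboleth2.xml excerpt and both metadata documents are constructed to match the fragments shown above, and FIXED_NOW stands in for the current time so the result is reproducible.

```python
# Added example (not Shibboleth's own tooling): sanity-check SP metadata before exchange.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def configured_entity_id(shibboleth2_xml):
    """entityID from <ApplicationDefaults> in shibboleth2.xml (namespace-agnostic)."""
    for el in ET.fromstring(shibboleth2_xml).iter():
        if el.tag.split("}")[-1] == "ApplicationDefaults":
            return el.get("entityID", "")
    return ""

def check_sp_metadata(metadata_xml, expected_entity_id, now, max_validity=2419200):
    """Return a list of problems (empty = passed); max_validity mirrors maxValidityInterval."""
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != expected_entity_id:
        problems.append("entityID mismatch: metadata=%r config=%r" % (root.get("entityID"), expected_entity_id))
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("missing validUntil (RequireValidUntil would reject it)")
    else:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("metadata already expired")
        elif expiry - now > timedelta(seconds=max_validity):
            problems.append("validUntil exceeds maxValidityInterval")
    host = expected_entity_id.split("/")[2]  # entityID is a URL on this page
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not any(a.get("Binding") == HTTP_POST for a in acs):
        problems.append("no HTTP-POST AssertionConsumerService endpoint")
    for a in acs:
        if not a.get("Location", "").startswith("https://%s/" % host):
            problems.append("ACS Location %r is not under https://%s/" % (a.get("Location"), host))
    return problems

# Constructed samples matching the fragments above; FIXED_NOW keeps the check reproducible.
FIXED_NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
SHIB2_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://yourdomain.example.org/shibboleth"/></SPConfig>"""
ACS = ('<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
       '<md:AssertionConsumerService Binding="%s" index="1" '
       'Location="https://yourdomain.example.org/Shibboleth.sso/SAML2/POST"/></md:SPSSODescriptor>' % HTTP_POST)
GOOD_METADATA = ('<md:EntityDescriptor xmlns:md="%s" validUntil="2010-06-15T00:00:00Z" '
                 'entityID="https://yourdomain.example.org/shibboleth">%s</md:EntityDescriptor>' % (NS["md"], ACS))
BAD_METADATA = ('<md:EntityDescriptor xmlns:md="%s" '  # wrong entityID and no validUntil
                'entityID="https://other.example.org/shibboleth">%s</md:EntityDescriptor>' % (NS["md"], ACS))
```

Run it against /etc/shibboleth/shibboleth2.xml and the output of `shib-keygen`/the generated metadata (substituting datetime.now(timezone.utc) for FIXED_NOW) before handing the file to the IdP operator.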
For more complex scenarios, such as mapping a virtual host to its own application configuration, use a RequestMapper:
<RequestMapper type="XML">
    <RequestMap applicationId="default">
        <Host name="yourdomain.example.org" applicationId="yourApp"/>
    </RequestMap>
</RequestMapper>