Installing LionShare Plugin for Shibboleth



The easiest way to install this is to place the jar file into the $TOMCAT/webapps/shibboleth/WEB-INF/lib directory. You can also build it (similar to the eAuth plugin) by untarring the source in the custom/ directory of your source tree.

(Note: if you build it, you will have to modify the custom/extension-build.xml file to support Java 1.5 by changing the two instances of source="1.4" to read source="1.5".)

Once installed, there are a few changes that need to be made to the Shib config files. You will also need the SASL-CA signing cert keystore, and the SASL-CA and Shib need to share a cryptoshibhandle keystore. In your case, since you already have a cryptoshibhandle keystore for the IdP, that one should be copied over to the SASL-CA and used by it.

===

web.xml (located in $TOMCAT/webapps/shibboleth/WEB-INF)
(or, if you are building Shib from source, this file is generated from webAppConfig/dist.idp.xml, so you can change it there)

In this file you need to add the following element:

    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/LS</url-pattern>
    </servlet-mapping>


===

idp.xml (located in /usr/local/shibboleth-idp/etc)

The cryptoshibhandle must share the same seed (keystore) as the SASL-CA.

You will have to add a protocol handler for the LS endpoint (again, similar to what the eAuth plugin needs):

        <ProtocolHandler implementation="edu.psu.middleware.shibboleth.idp.provider.Lionsharev1_AttributeQueryHandler">
                <Location>.+:8443/shibboleth/LS</Location>
        </ProtocolHandler>

An entry needs to be added to the metadata (ideally just create a new file such as lionshare-metadata.xml and reference it from idp.xml the same way IQ-metadata.xml is referenced).

To create this, just take the text below and paste the SASL-CA signing cert where indicated (remember to remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines):

<EntitiesDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
    Name="urn:mace:inqueue"
    validUntil="2010-01-01T00:00:00Z">
    <EntityDescriptor entityID="urn:mace:psu.edu:lionshare">
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
INSERT PEM ENCODED SASL-CA SIGNING CERT HERE
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
            <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://rygar.et-test.psu.edu/shibboleth"/>
        </SPSSODescriptor>
    </EntityDescriptor>
</EntitiesDescriptor>
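To avoid hand-editing the metadata, here is an added Python helper (not part of the LionShare plugin or these notes) that strips the BEGIN/END lines from the PEM cert, fills in the EntitiesDescriptor above, and checks that the result is well-formed XML and that its validUntil date has not already passed. The SAMPLE_PEM value is a constructed stand-in, not a real certificate.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed stand-in for the SASL-CA signing cert; not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\naGVsbG8g\nd29ybGQ=\n-----END CERTIFICATE-----\n"

# EntitiesDescriptor from the notes above; {cert_body} marks where the PEM body goes.
METADATA_TEMPLATE = """<EntitiesDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
    Name="urn:mace:inqueue" validUntil="2010-01-01T00:00:00Z">
  <EntityDescriptor entityID="urn:mace:psu.edu:lionshare">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{cert_body}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
      <AssertionConsumerService index="1" isDefault="true"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://rygar.et-test.psu.edu/shibboleth"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def pem_body(pem_text):
    """Base64 body of the first CERTIFICATE block, BEGIN/END lines removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    body = "".join(m.group(1).split())      # drop line breaks inside the body
    base64.b64decode(body, validate=True)   # reject a corrupted paste early
    return body

def build_metadata(pem_text):
    """Fill the template and prove the result is well-formed before deploying it."""
    xml_text = METADATA_TEMPLATE.format(cert_body=pem_body(pem_text))
    root = ET.fromstring(xml_text)          # raises ParseError on malformed XML
    cert = root.find(f".//{{{DS_NS}}}X509Certificate").text.strip()
    valid_until = datetime.strptime(root.get("validUntil"), "%Y-%m-%dT%H:%M:%SZ")
    expired = valid_until.replace(tzinfo=timezone.utc) < datetime.now(timezone.utc)
    return {"xml": xml_text, "cert": cert, "expired": expired}
```

Write result["xml"] to lionshare-metadata.xml; if result["expired"] is True, bump validUntil before referencing the file from idp.xml.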

====

/etc/lsaa.properties

This is the last thing you need to do: create this file and make it reference the SASL-CA signing cert keystore. Mine looks like this:

lsaa.KeyStoreType = JCEKS
lsaa.KeyStoreFileName = /usr/local/shibboleth-idp/etc/sasl-ca.keystore
lsaa.KeyStorePassword = foobar

====