Advanced Topics
Configuration help for the following advanced topics is included below:
Delete/Recreate Certificates
It is desirable to delete and recreate service provider certificates in the following situations:
- the default installation creates a certificate that does not contain a ten year lifetime
- the default installation creates a certificate for the hostname rather than the service name you are using
- you want to refresh an old certificate (Note: Be sure to save the old certificate and private key.)
Based on your system type, follow the appropriate steps below to delete and recreate service provider certificates:
- RPM-based system OR Compile from Source, enter the following:
cd /etc/shibboleth
rm sp-cert.pem sp-key.pem
sh keygen.sh -u shibd -g shibd -h servicename -y 10
- Windows systems, enter the following:
cd c:/opt/shibboleth-sp/etc/shibboleth
del sp-cert.pem sp-key.pem
keygen.bat -h servicename -y 10
Note: In both examples, sp-cert.pem and sp-key.pem are the existing certificate and private key that you want to replace, and servicename is the name embedded in the new certificate; it should match the service name your users see. The -y 10 specifies the lifetime, in years, of the certificate to be created.
Restrict Access to andrew.cmu.edu
Follow these steps to restrict access to only andrew.cmu.edu users:
Apache Servers
- In your .htaccess file or shib.conf configuration file, do the following:
replace require valid-user with require eppn ~ .*@andrew.cmu.edu$
Microsoft IIS Servers
- Edit shibboleth2.xml, under <RequestMap> <Host.../> or under <RequestMap> <Path .../> include: <AccessControlProvider path="C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2_ACL.xml" type="XML"/>
- Contents of shibboleth2_ACL.xml:
<?xml version="1.0" encoding="UTF-8"?>
<AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
<RuleRegex require="eppn">@andrew.cmu.edu$</RuleRegex>
</AccessControl>
Present "REMOTE_USER" Environment Variable Without Domain Component
Follow these steps to present the "REMOTE_USER" environment variable without the domain component:
- Add the following line to /etc/shibboleth/attribute-map.xml:
<Attribute name="urn:oid:1.3.6.1.4.1.3.5.1.1210" id="cmuAndrewCommonNamespaceId"/>
Note: This adds the CMU-specific attribute to the list of known mapped attributes.
- In /etc/shibboleth/shibboleth2.xml, where HOSTNAME is the name of your service as known to users, change the following line
FROM:
<ApplicationDefaults entityID="https://HOSTNAME/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
TO:
<ApplicationDefaults entityID="https://HOSTNAME/shibboleth" REMOTE_USER="cmuAndrewCommonNamespaceId">
Note: This configuration should be used to support legacy applications only. New web services should be designed to use an identifier in the form of "user@domain" to represent the authenticated identity. To release "cmuAndrewCommonNamespaceId" for your service provider, email a request to shibboleth-team@andrew.cmu.edu.
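The two preceding sections both rest on the eduPersonPrincipalName (eppn) value: the access rule above restricts it to the andrew.cmu.edu domain with a regular expression, and the REMOTE_USER change hands a legacy application only the part before the "@". The following Python is an added example written for this page, not code from CMU or the Shibboleth project. It applies the page's rule to a few constructed principal names, sets it beside a stricter variant (an assumption of this example) that escapes the dots and pins the start of the value, and shows how an application that needs the bare local identifier can derive it while still confirming which domain it came from. Whether the SP anchors a pattern to the whole attribute value or searches within it varies by component and version, so the example uses a full match and writes its rules so the outcome is the same under either interpretation.

```python
import re
from typing import Dict, Iterable, Optional

# The rule from the page, as used in Apache:
#   require eppn ~ .*@andrew.cmu.edu$
# (the IIS ACL file on the page carries the same suffix pattern).
PAGE_RULE = r".*@andrew.cmu.edu$"

# Stricter form (an assumption of this example, not from the page): the dots
# are escaped so they match only a literal ".", and "^[^@]+" insists on a
# non-empty local part and exactly one "@" in the principal name.
STRICT_RULE = r"^[^@]+@andrew\.cmu\.edu$"


def eppn_allowed(eppn: str, rule: str = STRICT_RULE) -> bool:
    """Return True when the eduPersonPrincipalName satisfies the regex rule.

    A full match is used here; rules written with explicit anchors (and a
    leading ".*" where a prefix is intended) give the same answer whether the
    SP anchors the pattern or searches the value.
    """
    return re.fullmatch(rule, eppn) is not None


def local_user_from_eppn(eppn: str, domain: str = "andrew.cmu.edu") -> Optional[str]:
    """Application-side counterpart of the REMOTE_USER change for legacy code.

    Returns the bare local part (what cmuAndrewCommonNamespaceId would carry)
    only when the eppn's domain is exactly `domain`; any other domain, or a
    value without "@", yields None so a foreign "alice" is never confused with
    the local "alice". The domain comparison is case-insensitive because DNS
    names are.
    """
    local, at, dom = eppn.rpartition("@")
    if not at or not local or dom.lower() != domain.lower():
        return None
    return local


def evaluate(eppns: Iterable[str], rule: str) -> Dict[str, bool]:
    """Apply one rule to several principal names; handy for comparing rules."""
    return {e: eppn_allowed(e, rule) for e in eppns}


# Constructed sample values (not real users) covering the interesting cases.
SAMPLE_EPPNS = [
    "alice@andrew.cmu.edu",                # local user: allow
    "bob@cs.cmu.edu",                      # other campus domain: deny
    "eve@andrewXcmuXedu",                  # lookalike accepted by an unescaped "."
    "mallory@andrew.cmu.edu.example.org",  # trailing text caught by the "$" anchor
]

if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("strict rule", STRICT_RULE)):
        print(name)
        for eppn, ok in evaluate(SAMPLE_EPPNS, rule).items():
            print(f"  {eppn:40} {'allow' if ok else 'deny'}")
    for eppn in SAMPLE_EPPNS:
        print(f"{eppn:40} -> local id {local_user_from_eppn(eppn)!r}")
```

Running the script shows the one difference between the two rules: the page's pattern accepts "eve@andrewXcmuXedu" because an unescaped "." matches any character, while the escaped form rejects it; both reject the other-domain and trailing-text cases. The same escaping applies to the RuleRegex value in shibboleth2_ACL.xml.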
Declare Specific IDP for Specific Web Pages
In addition to accepting identities from InCommon, some applications have an additional administrative area that will only accept identities from a specific identity provider. Administrative users may find it annoying to work through a discovery service when they know that certain web pages will only accept identities from a specific identity provider. The shibboleth2.xml configuration file normally defines where a user is directed when Shibboleth authentication is required.
In the shibboleth2.xml configuration file, the user may be directed to a discovery service:
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
SAML2 SAML1 </SSO>
or to one specific identity provider:
<SSO entityID="https://some-idp.domain.edu/idp/shibboleth">
SAML2 SAML1 </SSO>
In the Apache configuration file the following directives are normally used to protect pages with Shibboleth and will redirect an authenticating user to the discovery service or identity provider specified in shibboleth2.xml:
<Location /somewebpath/*.cgi>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders on
require valid-user
</Location>
The following directives within an Apache configuration file will override the specification within the shibboleth2.xml file for specific pages and direct the authenticating user to a specific identity provider:
<Location /anotherwebpath/*.cgi>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting entityId https://login.cmu.edu/idp/shibboleth
ShibUseHeaders on
require valid-user
</Location>
Note that this configuration only affects where users are directed when authentication is required. Those who already have Shibboleth sessions will not be redirected, even if they did not authenticate via https://login.cmu.edu/idp/shibboleth. The restrictions on acceptance of user identities by the application must still be enforced by the application itself.
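The note above is the part that is easy to get wrong: the entityId request setting changes only where an unauthenticated user is sent, so an existing session from any InCommon identity provider still satisfies "require valid-user". The Python below is an added example for this page (not CMU's or the Shibboleth project's code) of the application-side check it calls for. It reads the Shib-Session-ID and Shib-Identity-Provider values that the SP exports for every session, which with "ShibUseHeaders on" (as in the page's Apache blocks) reach a CGI or WSGI application as HTTP_SHIB_SESSION_ID and HTTP_SHIB_IDENTITY_PROVIDER, and admits the administrative area only when the session came from the identity provider named in the page's <Location> block. The request environments are constructed for the example; the other identity provider is the placeholder from the page's own SSO element.

```python
from typing import Mapping, Optional

# entityID of the identity provider named in the page's second <Location> block.
ADMIN_IDP = "https://login.cmu.edu/idp/shibboleth"

# Session variables the Shibboleth SP exports; with "ShibUseHeaders on" they
# arrive as request headers, which CGI/WSGI exposes under HTTP_* names.
SESSION_VAR = "HTTP_SHIB_SESSION_ID"
IDP_VAR = "HTTP_SHIB_IDENTITY_PROVIDER"


def session_idp(environ: Mapping[str, str]) -> Optional[str]:
    """Return the entityID of the IdP that authenticated this session, or
    None when the request carries no SP session at all."""
    if not environ.get(SESSION_VAR):
        return None
    return environ.get(IDP_VAR) or None


def admin_access_allowed(environ: Mapping[str, str], expected_idp: str = ADMIN_IDP) -> bool:
    """Decide whether a request may enter the administrative area.

    The SP's entityId setting only chooses where an unauthenticated user is
    sent; a user already holding a session from any InCommon IdP passes
    "require valid-user" unchanged, so the application compares the session's
    IdP against the one it trusts here. entityIDs are opaque URIs: compare
    them exactly, never by prefix, substring or case-folding.
    """
    return session_idp(environ) == expected_idp


def admin_decision(environ: Mapping[str, str]) -> str:
    """Human-readable outcome, suitable for an application access log."""
    idp = session_idp(environ)
    if idp is None:
        return "deny: no Shibboleth session"
    if idp != ADMIN_IDP:
        return f"deny: session from {idp}"
    return "allow"


# Constructed request environments (not captured traffic).
ADMIN_LOGIN = {
    "HTTP_SHIB_SESSION_ID": "_constructed-session-1",
    "HTTP_SHIB_IDENTITY_PROVIDER": "https://login.cmu.edu/idp/shibboleth",
    "REMOTE_USER": "alice@andrew.cmu.edu",
}
# A session obtained earlier through the discovery service from another
# InCommon member; the SP will not redirect it, so only the app can stop it.
FOREIGN_LOGIN = {
    "HTTP_SHIB_SESSION_ID": "_constructed-session-2",
    "HTTP_SHIB_IDENTITY_PROVIDER": "https://some-idp.domain.edu/idp/shibboleth",
    "REMOTE_USER": "bob@some-idp.domain.edu",
}
NO_SESSION = {"REMOTE_ADDR": "192.0.2.10"}

if __name__ == "__main__":
    cases = (("admin IdP", ADMIN_LOGIN), ("foreign IdP", FOREIGN_LOGIN), ("no session", NO_SESSION))
    for label, env in cases:
        print(f"{label:12} -> {admin_decision(env)}")
```

These values are only meaningful on locations the SP actually protects, because it is the SP that supplies them there; where headers rather than environment variables carry them, keep the check on SP-protected paths so a client-supplied header cannot stand in for the real value.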
Last Updated: 1/29/13