Shibboleth Single Sign-on
The following guide/documentation can be used as a reference to install and configure Shibboleth SP v3 on Red Hat Enterprise Linux or CentOS 7.
Shibboleth Installation
This documentation will walk system administrators through setting up a basic Shibboleth SP SSO implementation within Elentra. For further information related to Shibboleth SP, please consult the Shibboleth documentation wiki.
This basic implementation supports both SSO and local user account authentication within Elentra. If your institution only wants to support SSO with no local user account access, then please ensure that you add /api/v2 as an exception, otherwise Elentra's own calls to its API are intercepted by Shibboleth.
Add /api as an exception as well if calendar subscriptions are not working.
See the Troubleshooting section below for details on how to set these up.
Create a yum repository reference by generating a yum repo file using the generation tool available on the Shibboleth website. The following is an example for RHEL/CentOS 7, saved as /etc/yum.repos.d/shibboleth.repo (keep gpgcheck=1 so that the packages are verified against the two listed signing keys):

```ini
[shibboleth]
name=Shibboleth (CentOS_7)
mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
gpgcheck=1
gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
       https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1
```

Install the Shibboleth Service Provider (SP) component:

```sh
yum install shibboleth.x86_64
```

Start the Shibboleth daemon (shibd) and enable it for system startup:

```sh
systemctl enable shibd
systemctl start shibd
```
Shibboleth Configuration
Please Note: different institutions will have wildly different Shibboleth configuration requirements. The following should be taken as an example.
In the Shibboleth configuration directory /etc/shibboleth, edit the file shibboleth2.xml:

1. Change the ApplicationDefaults entry and add the entityID.
2. Configure the SSO section with the IDP URL.
3. Edit the Errors section to update the supportContact.
4. Find the example MetadataProvider entries and add a new one after the examples.
5. Set up the attribute mapping, which identifies which IDP-provided attributes are presented to the application in the $_SERVER variable. Add the mapping block to the configuration file just after the AttributeResolver section.
6. Create a directory AttributeRelease and add a file called elentra.med.university.edu-attribute-map.xml. This file should contain the appropriate IDP attributes; please consult your local IDP expert.

Then update the Apache configuration:

7. Update the 000-elentra.conf Apache configuration file: modify the existing <Directory> directive and add a <Location> directive within the <VirtualHost *:443> definition. This tells Shibboleth to operate in passive mode for the site (Shibboleth calls this a lazy session: an existing session is used, but none is required, so local accounts keep working).
8. Update the shib.conf Apache configuration file and comment out the following lines within the file.
9. Check the configuration with shibd -t, then restart Shibboleth and Apache.
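The shibboleth2.xml changes from the steps above, as an added illustration that is not Elentra's or Shibboleth's shipped file. The SP entityID, the IDP entityID and metadata URL, the support address and the IDP signing certificate file name are assumed placeholders; the element names, attributes and layout are those of the stock SP 3 configuration. The attribute-map file it references is a separate document of the form `<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">` containing `<Attribute name="urn:oid:..." id="mail"/>` entries, where each id becomes the $_SERVER key that Elentra reads.

```xml
<!-- Added example: a trimmed /etc/shibboleth/shibboleth2.xml showing only the
     elements the steps above touch. Hostnames, entityIDs, the contact address
     and certificate file names are assumed placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

  <!-- Step 1: the SP's own entityID. By convention a URL under the SP's host;
       it must match what the IDP team registers for this SP. -->
  <ApplicationDefaults entityID="https://elentra.med.university.edu/shibboleth"
                       REMOTE_USER="eppn subject-id pairwise-id persistent-id">

    <!-- handlerSSL and cookieProps keep the session cookie and the
         /Shibboleth.sso handler URLs on https only. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">

      <!-- Step 2: point SSO at the IDP. The entityID is the IDP's entityID as
           published in its metadata, not necessarily its login page URL. -->
      <SSO entityID="https://idp.university.edu/idp/shibboleth">
        SAML2
      </SSO>

      <Logout>SAML2 Local</Logout>

      <!-- /Shibboleth.sso/Metadata is what the Shibboleth Metadata section
           below retrieves for the IDP team. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- Status and Session help when troubleshooting; keep them loopback only. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- Step 3: the contact shown on SP error pages. -->
    <Errors supportContact="elentra-support@med.university.edu"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Step 4: fetch and cache the IDP's metadata. The Signature filter,
         checked against a locally stored copy of the IDP's signing
         certificate, is what prevents a spoofed IDP from being accepted;
         fetching over https alone does not replace it. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://idp.university.edu/idp/shibboleth"
                      backingFilePath="idp-metadata.xml" maxRefreshDelay="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="idp-signer.pem" verifyBackup="false"/>
    </MetadataProvider>

    <!-- Steps 5 and 6: attribute mapping. The extractor names the map file
         whose id values become $_SERVER keys; in the stock file this sits
         after the commented AttributeResolver section. Paths are relative
         to /etc/shibboleth. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="AttributeRelease/elentra.med.university.edu-attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Keys the SP signs requests and decrypts assertions with; the
         certificates appear in the generated metadata. -->
    <CredentialResolver type="File" use="signing"
                        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

If your IDP's metadata carries no validUntil attribute, the RequireValidUntil filter will reject it; remove that filter only after confirming this with the IDP team, and keep the Signature filter in place.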
Shibboleth Metadata
You can manually retrieve the application server's Shibboleth metadata for your local IDP team by accessing /Shibboleth.sso/Metadata and saving the output as an XML file. The file contains the SP's entityID, assertion consumer URLs and signing/encryption certificates, so regenerate and resend it whenever any of these change.
PHP Configuration
There is one PHP setting that can cause issues with Single Sign-on. Within /etc/php.d/elentra.ini, ensure that session.cookie_samesite is set to Lax, and then restart Apache. With Strict, the browser withholds Elentra's session cookie on the cross-site navigation that returns the user from the IDP after login, so the user lands on a fresh, unauthenticated session; Lax still sends the cookie on top-level GET navigations.
Elentra ME Configuration
Elentra ME requires a few configuration changes as well in order to utilize SSO.
Ensure that your Elentra ME .htaccess file contains the Shibboleth rule. This rule should appear just before the Default Elentra ME Rules.
Ensure that the AUTH_METHOD in your settings.inc.php file is (or contains) sso. Review the other SSO-related settings available in settings.inc.php.
Troubleshooting
Every single sign-on installation is a snowflake. We have built up some decent experience installing and configuring Shibboleth over the years, and share some facts, tips, and tricks in this section.
Authentication Methods
Our institution only wants to allow SSO authentication with no local user accounts. When we configure the Shibboleth SP this way, we can no longer log into Elentra.
Perhaps you have not added /api/v2 as an exception, so Shibboleth is also protecting the API and Elentra's server-side calls to its own API are redirected to the IDP instead of being answered. Add the following snippet to /etc/httpd/conf.d/000-elentra.conf and be sure to restart Apache afterwards.
Calendar subscriptions are not working when we set up Shibboleth.
Add /api as an exception like above. The calendar subscription API (e.g. the json and ics feeds) still lives in www-root/api and not in elentra-1x-api yet, so the /api/v2 exception above alone is not sufficient. Everything under an exempted path is no longer gated by Shibboleth, so those endpoints must enforce their own access control.
Load Balancer
This scenario: the browser speaks HTTPS to the load balancer, which terminates TLS and then speaks plain HTTP to the application servers in the cluster.
Note lines 3 and 4 in the following 000-elentra.conf excerpt. They do not read as if they make sense, but they are required for Shibboleth to function via port 80.
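The Apache side of all of the above in one place, as an added example that is not Elentra's shipped 000-elentra.conf or .htaccess: the passive-mode <Directory>/<Location> setup from the configuration steps, the /api/v2 and /api exceptions from the two troubleshooting answers, the .htaccess rule that keeps the SP handler out of the Elentra rewrite rules, and the port-80 virtual host for the load-balancer case. Paths, hostnames and the exact rewrite rule are assumptions; the directives themselves are standard Shibboleth SP 3 on httpd 2.4 configuration. Whether the ServerName/UseCanonicalName pair is exactly what lines 3 and 4 of the original excerpt contained is likewise an assumption. Note also that shibd keeps sessions per node by default, so a cluster needs either sticky sessions at the load balancer or a shared session store.

```apache
# Added example, not Elentra's shipped configuration. Hostnames, paths and
# the .htaccess rule text are assumptions.

# ---- /etc/httpd/conf.d/000-elentra.conf: TLS terminated on this host ----
<VirtualHost *:443>
    ServerName elentra.med.university.edu
    DocumentRoot /var/www/elentra/www-root
    SSLEngine on
    # SSLCertificateFile and friends as in your existing vhost

    # Passive ("lazy session") mode: mod_shib runs on every request and
    # exposes an existing session's attributes in $_SERVER, but does not
    # force one. Elentra sends the browser to /Shibboleth.sso/Login when
    # the user chooses SSO, so local accounts keep working.
    <Directory /var/www/elentra/www-root>
        AllowOverride All
        AuthType shibboleth
        ShibRequestSetting requireSession false
        Require shibboleth
    </Directory>

    # SSO-only variant: require a Shibboleth session for the whole site.
    # Enable it only together with the exceptions below, because Elentra
    # calls its own API over HTTP and would otherwise receive a redirect
    # to the IDP instead of a response.
    #<Location />
    #    AuthType shibboleth
    #    ShibRequestSetting requireSession true
    #    Require shib-session
    #</Location>

    # Exceptions. Anything under an exempted path is no longer gated by
    # Shibboleth, so those endpoints must enforce their own access control.
    <Location /api/v2>
        AuthType None
        Require all granted
    </Location>
    # Calendar feeds (json/ics) still live in www-root/api, so the
    # /api/v2 exception alone is not enough.
    <Location /api>
        AuthType None
        Require all granted
    </Location>
</VirtualHost>

# ---- Same file on a cluster node behind a load balancer that terminates
# TLS and speaks plain HTTP (port 80) to the node ----
<VirtualHost *:80>
    # Although this vhost listens on port 80, ServerName carries the
    # external scheme and port, and UseCanonicalName On makes Apache build
    # self-referential URLs from it. The SP therefore advertises and checks
    # https://elentra.med.university.edu/Shibboleth.sso/... handler URLs,
    # matching its metadata, rather than http://...:80 ones the IDP would
    # not accept.
    ServerName https://elentra.med.university.edu:443
    UseCanonicalName On
    DocumentRoot /var/www/elentra/www-root
    # Directory and Location blocks as in the *:443 vhost above
</VirtualHost>

# ---- www-root/.htaccess: place just before the default Elentra ME rules so
# requests for the SP handler are never rewritten to the PHP front
# controller (assumed rule text) ----
RewriteEngine On
RewriteRule ^Shibboleth\.sso/ - [L]
```

After editing, run apachectl configtest before restarting httpd, then confirm from the host itself that /Shibboleth.sso/Status answers and that a request to an exempted path such as /api/v2 returns the application's response rather than a redirect to the IDP.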