[LON-CAPA-cvs] cvs: modules /MIT LC_Shibboleth_MIT_instructions.txt

raeburn raeburn at source.lon-capa.org
Mon Mar 5 20:22:34 EST 2012


raeburn		Tue Mar  6 01:22:34 2012 EDT

  Added files:                 
    /modules/MIT	LC_Shibboleth_MIT_instructions.txt 
  Log:
  - Document process for installing Shibboleth SSO for LON-CAPA at MIT.  
  
  

Index: modules/MIT/LC_Shibboleth_MIT_instructions.txt
+++ modules/MIT/LC_Shibboleth_MIT_instructions.txt
Instructions for enabling Shibboleth SSO on LON-CAPA at MIT (for CentOS 6).
Stuart Raeburn, March 5th, 2012.

1. Add shibboleth.repo to /etc/yum.repos.d

[security_shibboleth]
name=Shibboleth (CentOS_CentOS-6)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_CentOS-6/repodata/r
epomd.xml.key
enabled=1


2. Install RPMs 
yum install shibboleth mod_ssl perl-LDAP


3. Run shibboleth installtion script (see:
https://wikis.mit.edu/confluence/display/TOUCHSTONE/Provisioning+Steps)

cd /etc/shibboleth
wget -N http://web.mit.edu/touchstone/config/shibboleth2-sp/gen-shib2.sh
sh gen-shib2.sh


4. Test log-in via:
https://myhost/Shibboleth.sso/Login


5. Test session attribute retrieval
Edit /etc/shibboleth/shibboleth2.xml to include:
<Handler type="Session" Location="/Session" showAttributeValues="true"/>

then point a web browser at: https://myhost/Shibboleth.sso/Session


6. Set shibd to start on boot

/sbin/chkconfig shibd on


7. Install SSL certs and update /etc/httpd/conf.d/ssl.conf
mkdir /etc/httpd/conf/sslcert
mkdir /etc/httpd/conf/sslkey

cp /root/certificates/relate2.cer /etc/httpd/conf/sslcert
cp /root/certificates/relate2-key.pem /etc/httpd/conf/sslkey

Edit /etc/httpd/conf/ssl.conf

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/sslcert/relate2.cer

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/sslkey/relate2-key.pem


8. Enable rewrites http -> https
cp /etc/httpd/conf/rewrites/loncapa_rewrite_on.conf /etc/httpd/conf/loncapa_rewrite.conf 


9. Add loncapa_apache_localMIT.conf from modules/MIT in CVS to /etc/httpd/conf


10. To /etc/httpd/conf/httpd.conf add following:
# Load the Shibboleth module.
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so

immediately before:
Include conf/loncapa_apache.conf


11. Copy the changes from:
http://source.loncapa.org/cgi-bin/cvsweb.cgi/loncom/loncapa_apache.conf.diff?r1=1.211;r2=1.213
to the current version of /etc/httpd/conf/loncapa_apache.conf


12. Add lonshibauth.pm and lonshibacc.pm to /home/httpd/lib/perl/Apache
wget -O /home/httpd/lib/perl/Apache/lonshibauth.pm 'http://source.loncapa.org/cgi-bin/cvsweb.cgi/~checkout~/loncom/auth/lonshibauth.pm?rev=1.1;content-type=text/plain'
wget -O /home/httpd/lib/perl/Apache/lonshibacc.pm 'http://source.loncapa.org/cgi-bin/cvsweb.cgi/~checkout~/loncom/auth/lonshibacc.pm?rev=1.1;content-type=text/plain'

chown www:www /home/httpd/lib/perl/Apache/lonshibauth.pm  /home/httpd/lib/perl/Apache/lonshibacc.pm 
chmod 600  /home/httpd/lib/perl/Apache/lonshibauth.pm  /home/httpd/lib/perl/Apache/lonshibacc.pm


13. Add /home/httpd/html/adm/sso

wget -O /home/httpd/html/adm/sso 'http://source.loncapa.org/cgi-bin/cvsweb.cgi/~checkout~/loncom/html/adm/sso?rev=1.1;content-type=text%2Fplain'
chown www:www /home/httpd/html/sso
chmod 644 /home/httpd/html/sso
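
Review bot: In step 13 the wget writes to /home/httpd/html/adm/sso, but the chown and chmod that follow name /home/httpd/html/sso, so the downloaded file is left with its default ownership and mode; both commands should name /home/httpd/html/adm/sso. Steps 3, 12 and 13 fetch a shell script, two Perl handlers and the sso page over plain http and then run or install them, so the instructions should add an integrity check (a published checksum compared before "sh gen-shib2.sh" and before the files are put in place) or fetch over an authenticated channel. The same applies to the gpgkey URL in step 1, which is http. Step 5 adds the Session handler with showAttributeValues="true" for testing and no later step turns it off; add a line saying to remove it or set it to false once the attribute check is done. Step 7 copies relate2-key.pem into /etc/httpd/conf/sslkey without setting its mode, and its heading names /etc/httpd/conf.d/ssl.conf while the body says to edit /etc/httpd/conf/ssl.conf; settle on one path and add a chmod restricting the key to root.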




