Difference between revisions of "Spider"
Latest revision as of 05:54, 14 October 2021
Shibboleth Installation & Configuration
Download the latest version of Shibboleth from: https://shibboleth.net/downloads/service-provider/latest/ and install it using the default options. All files will be found under [C:\opt\shibboleth-sp\etc\shibboleth]
Open shibboleth2.xml with a text editor
IIS Configuration (Shibboleth)
If you have not already done so, install IIS onto either the Spider Application Server or a different server.
You will need to make sure that ISAPI Extensions and ISAPI Filters are installed on IIS; both can be found under Add Server Roles > Web Server (IIS) > Web Server > App Development.
Cloudwork Configuration
Download the SP metadata by entering the FQDN of your IIS server followed by /Shibboleth.sso/Metadata (for iis.domain.vm the URL would be iis.domain.vm/Shibboleth.sso/Metadata), then upload the resulting XML file.
Edit InProcess so we use the correct IIS site
We need to change the site name. This will be the Fully Qualified Domain Name (FQDN) that your users connect to.
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="1" name="iis.domain.vm" scheme="https" port="443"/>
</ISAPI>
</InProcess>
NOTE: If you are running Shibboleth V3 then an additional attribute needs to be added to the Site element above. V3 requires useHeaders="true". Therefore, if you are implementing a Shibboleth V3 configuration, use the block below instead, which has the useHeaders="true" attribute added.
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="1" name="iis.domain.vm" scheme="https" port="443" useHeaders="true" />
</ISAPI>
</InProcess>
Update RequestMapper
The RequestMapper tells Shibboleth which paths on a given host need to be authenticated. We are going to use "user" for ours, so any user going to host/user will need to be logged in; if they are not, they will be taken to the login page. If you wanted to add /admin as well, you can copy and paste the user line and replace user with admin.
<RequestMapper type="Native">
  <RequestMap>
    <Host name="spider.saintaug.nsw.edu.au" authType="shibboleth" requireSession="true">
      <Path name="CustomStAug" authType="none" requireSession="false" />
      <Path name="Images" authType="none" requireSession="false" />
      <Path name="images" authType="none" requireSession="false" />
      <Path name="fonts" authType="none" requireSession="false" />
      <Path name="ScriptResource.axd" authType="none" requireSession="false" />
      <Path name="WebResource.axd" authType="none" requireSession="false" />
    </Host>
  </RequestMap>
</RequestMapper>
Update ApplicationDefaults
The ApplicationDefaults element sets the REMOTE_USER variable, which lists the attributes we want exposed as headers. Make sure ppcuser is included here, as that is the name the Spider configuration for Web Auth will use.
<ApplicationDefaults entityID="https://iis.domain.vm/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id ppcuser"
cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
Update SSO
The SSO section contains the location of our Identity Provider which will be your Federation Service Name followed by /adfs/services/trust.
<SSO entityID="http://schoollogin.cloudworkengine.net/saml2/idp/metadata"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
Add automatic metadata fetching
There are 2 ways you can load the metadata for your identity provider. The first is from a local file, which you would need to update manually whenever it changes; the other is from a URL, which fetches the metadata automatically as needed and makes life easier later. This URL is going to be your Federation Service Name followed by /federationmetadata/2007-06/federationmetadata.xml
<MetadataProvider type="XML" url="partnermetadata.xml"/>
Open attribute-map.xml
Now we need to tell Shibboleth where it can find the value we want to map to ppcuser. We used the Windows Account Name option in the claims issuance rule, so that is what we set here.
<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" id="ppcuser"/>
Restart Shibboleth
You have 2 ways to do this: either load up Services Manager (services.msc), find Shibboleth 2 Daemon and click Restart, or open a command prompt window and run:
net stop shibd_default
net start shibd_default
IIS Configuration (Proxy)
The only thing left to do now is to set up IIS to act as a proxy. To do this we will use the IIS ARR (Application Request Routing) module, which can be found here: https://www.iis.net/downloads/microsoft/application-request-routing
Once installed, we will need to enable the Proxy option. Open IIS Manager, select the local server from the tree on the left, then find Application Request Routing Cache.
- On the right select Server Proxy Settings
- Check the Enable Proxy checkbox and click Apply on the right
- Select your site on the left and click on URL Rewrite.
- Click Add Rules on the right and pick Blank Rule from under Inbound rules.
- The first rule to create is one to ignore any requests that come in to [FQDN]/Shibboleth.sso/ as we don't want to block any of the Shibboleth functions.
  - Give your rule a name and set the Requested URL to Matches the Pattern and set Using to Regular Expression.
  - Set the Pattern to Shibboleth.sso/.*
  - Check the Ignore case checkbox
  - Set the Action type at the bottom to None
  - Check Stop Processing of subsequent rules.
- Our next rule will be to pass anything else off to Spider Application Server. Create a new blank rule and this time set the pattern to (.*)
- Now for the action set the type to Rewrite and for the Rewrite URL use http://[spider_ip_or_fqdn]:9191/{R:1} and check Append Query String. With a bit more work you can configure this internal route to use HTTPS if needed.
- Now restart IIS by clicking restart on the right or by opening a command prompt window and running iisreset.
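To check what the RequestMapper above and these two URL Rewrite rules do together for a given request, here is an added model (not part of this wiki page, nor Shibboleth or IIS code) that evaluates sample URLs against both. The backend placeholder is taken from the page; the sample URLs, and the assumption that a Path element matches the first path segment case-sensitively (which is why the page lists both Images and images), are mine.

```python
import re
from urllib.parse import urlsplit

# Model of the page's RequestMapper: the whole host requires a session,
# except these path prefixes, which stay public.
PUBLIC_PATHS = {"CustomStAug", "Images", "images", "fonts",
                "ScriptResource.axd", "WebResource.axd"}
HANDLER = "Shibboleth.sso"   # default SP handler path, served by the filter itself

# Model of the two inbound URL Rewrite rules, in order. IIS tests the pattern
# as an unanchored regex against the URL path without its leading slash.
BACKEND = "http://[spider_ip_or_fqdn]:9191"   # placeholder as written on the page
REWRITE_RULES = [
    {"pattern": "Shibboleth.sso/.*", "ignore_case": True,
     "action": "None", "stop": True},
    {"pattern": "(.*)", "ignore_case": False, "action": "Rewrite",
     "url": BACKEND + "/{R:1}", "append_query": True, "stop": True},
]

def requires_session(path: str) -> bool:
    """Assumption: Path names match the first path segment, case-sensitively."""
    first = path.lstrip("/").split("/", 1)[0]
    if first == HANDLER or first in PUBLIC_PATHS:
        return False
    return True   # Host requireSession="true" covers everything else

def rewrite(url: str):
    """Upstream URL the ARR proxy forwards to, or None if the request stays on IIS."""
    parts = urlsplit(url)
    subject = parts.path.lstrip("/")
    for rule in REWRITE_RULES:
        flags = re.IGNORECASE if rule["ignore_case"] else 0
        m = re.search(rule["pattern"], subject, flags)
        if not m:
            continue
        if rule["action"] == "Rewrite":
            target = rule["url"].replace("{R:1}", m.group(1))
            if rule["append_query"] and parts.query:
                target += "?" + parts.query
            return target
        if rule["stop"]:          # "None" + Stop Processing: request is not proxied
            return None
        # "None" without Stop Processing would fall through to the proxy rule
    return None

def classify(url: str) -> dict:
    """Combine both layers: does the request need a Shibboleth session, and where does it go?"""
    return {"needs_session": requires_session(urlsplit(url).path), "upstream": rewrite(url)}

if __name__ == "__main__":
    for u in ["https://spider.saintaug.nsw.edu.au/user/home?tab=1",
              "https://spider.saintaug.nsw.edu.au/Images/logo.png",
              "https://spider.saintaug.nsw.edu.au/Shibboleth.sso/Metadata",
              "https://spider.saintaug.nsw.edu.au/IMAGES/logo.png"]:
        print(u, classify(u))
```

The fourth sample shows the case-sensitivity assumption in practice: IMAGES is not in the public list, so it is proxied but only after a session is established.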