Setting up LabTrove as a Shibboleth Service Provider
These instructions are intended for Ubuntu/Debian Linux servers. Generally the instructions will be the same for other Linux operating systems but some of the commands may need to be changed. These instructions are based on those given by the UK Access Management Federation for setting up a Shibboleth Service Provider (SP), so if you want to use a different Discovery Service you will need to adapt as appropriate.
- Install Shibboleth libraries, Service Provider (SP) schemas and Apache module for Shibboleth:
sudo apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas
- Enable the following Apache modules:
sudo a2enmod proxy proxy_http shib2
- Make a copy of the current /etc/shibboleth/shibboleth2.xml and then write over the original with this shibboleth2.xml file.
- Open /etc/shibboleth/shibboleth2.xml and do the following:
- Replace sp.example.org with the host and domain of your Trove. Wherever this is preceded by a protocol, the protocol must be https to comply with the UK Access Management Federation's (and most Discovery Services') requirements. If you are not using https, you can follow these instructions to set up your Trove to use https. Make sure you also update the Trove's configuration file to set $ct_config['blog_protocol'] to https.
- Replace email@example.com with an appropriate support email address for your Trove.
- From the /etc/shibboleth directory run the following command:
sudo shib-keygen -h your-labtrove-hostname.your.domain
- Edit the Apache configuration file for your Trove site in /etc/apache2/sites-enabled/, adding the following lines just before the end of the Trove's VirtualHost description:
<Location /shibboleth-sp>
  Allow from all
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
<Location /shibboleth>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
- Edit the Trove's .htaccess file (in the docs/ directory) and add the following line after the RewriteEngine on line:
RewriteRule ^Shibboleth.sso - [L,NC]
- Ensure that in the Trove's configuration file (config.php) you have updated $ct_config['plugins'] to use login_shib rather than the default login_openid.
- Restart the Shibboleth daemon and then Apache:
sudo service shibd restart
sudo service apache2 restart
- Go to your Trove site and click on the Login link. If all the configuration you have done up to now is correct, you should see a Shibboleth-titled page with the following message:
Inter-institutional Access System Failure
The inter-institutional access system experienced a technical failure.
Please email administrator's name and include the following error message:
Discovery Service failure at (/DS002/uk.ds)
Couldn't find endpoint https://your-labtrove-hostname.your.domain/Shibboleth.sso/DS in metadata
This means that you can successfully connect to the UK Access Management Federation's Discovery Service (DS), but your Trove is not yet registered as a Service Provider (SP) with this Discovery Service.
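Before restarting shibd and Apache it is worth checking that the edits above actually landed: a leftover sp.example.org or email@example.com, a plain-http entityID or handler URL for your own host, or a protected Location that lost one of its directives will each produce a confusing failure later. The checker below is an added example written for this guide; it is not part of LabTrove or the Shibboleth SP distribution. It reads a shibboleth2.xml document and an Apache VirtualHost snippet and reports those mistakes. The XML and Apache samples it runs against are constructed here (hostnames, e-mail addresses and URLs are made up), and the shibboleth2.xml fragment is reduced to the elements the checks need; the real file carries many more.

```python
"""Sanity checks for a LabTrove Shibboleth SP configuration (added example).

Hypothetical pre-restart checker, not part of LabTrove or the Shibboleth SP.
It reports the mistakes this guide warns about: leftover placeholders,
plain-http URLs for the Trove's own host, and protected <Location> blocks
that are missing the Shibboleth directives.
"""
import re
import xml.etree.ElementTree as ET

# Placeholders the guide tells you to replace in shibboleth2.xml.
PLACEHOLDERS = ("sp.example.org", "email@example.com")
# Directives the guide puts inside <Location /secure> and <Location /shibboleth>.
REQUIRED_DIRECTIVES = (
    "AuthType shibboleth",
    "ShibRequestSetting requireSession 1",
    "require valid-user",
)


def check_shibboleth2_xml(xml_text, trove_host):
    """Return a list of problems found in a shibboleth2.xml document."""
    problems = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the XML namespace prefix
        for name, value in elem.attrib.items():
            for placeholder in PLACEHOLDERS:
                if placeholder in value:
                    problems.append(f"<{tag} {name}> still contains placeholder {placeholder}")
            # The SP's own URLs (entityID, handlerURL, ...) must be https.
            # Federation metadata URIs may legitimately stay http (the metadata
            # is signed), so only URLs pointing at the Trove's host are flagged.
            if value.lower().startswith("http://") and trove_host in value:
                problems.append(f"<{tag} {name}> uses plain http for {trove_host}")
        # Sessions handlerSSL="true" forces the /Shibboleth.sso handlers onto https.
        if tag == "Sessions" and elem.get("handlerSSL", "false").lower() != "true":
            problems.append('<Sessions> should set handlerSSL="true"')
    return problems


def check_apache_locations(conf_text, paths=("/secure", "/shibboleth")):
    """Return problems for the protected <Location> blocks in an Apache snippet."""
    problems = []
    blocks = dict(re.findall(r"<Location\s+(\S+)>(.*?)</Location>", conf_text, re.S))
    for path in paths:
        body = blocks.get(path)
        if body is None:
            problems.append(f"no <Location {path}> block")
            continue
        # Normalise whitespace and case: Apache directives are case-insensitive.
        lines = {" ".join(line.split()).lower() for line in body.splitlines()}
        for directive in REQUIRED_DIRECTIVES:
            if directive.lower() not in lines:
                problems.append(f"<Location {path}> is missing '{directive}'")
    return problems


# Constructed shibboleth2.xml fragment with the guide's edits applied.
SAMPLE_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://trove.example.ac.uk/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
              handlerSSL="true" cookieProps="https">
      <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.example.org/DS">SAML2</SSO>
    </Sessions>
    <Errors supportContact="trove-admin@example.ac.uk"/>
    <MetadataProvider type="XML" uri="http://metadata.example.org/federation-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""

# The same fragment as if the file had been copied in but never edited.
SAMPLE_XML_UNEDITED = (
    SAMPLE_XML.replace("https://trove.example.ac.uk", "http://sp.example.org")
    .replace("trove-admin@example.ac.uk", "email@example.com")
    .replace('handlerSSL="true"', 'handlerSSL="false"')
)

# Constructed Apache snippet matching the guide's VirtualHost additions.
SAMPLE_APACHE = """<Location /shibboleth-sp>
  Allow from all
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
<Location /shibboleth>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
"""
# Same snippet with requireSession dropped from /secure only.
SAMPLE_APACHE_BROKEN = SAMPLE_APACHE.replace("  ShibRequestSetting requireSession 1\n", "", 1)

if __name__ == "__main__":
    for label, found in (("shibboleth2.xml", check_shibboleth2_xml(SAMPLE_XML_UNEDITED, "sp.example.org")),
                         ("apache", check_apache_locations(SAMPLE_APACHE_BROKEN))):
        for problem in found:
            print(f"{label}: {problem}")
```

Run it against your real files by reading /etc/shibboleth/shibboleth2.xml and the VirtualHost file into the two functions, passing your Trove's hostname as trove_host; an empty list from both means the edits described above are in place.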
Registering with a Discovery Service (DS)
To register as a Service Provider (SP) with the UK Access Management Federation you need to do the following:
- If your organisation is not already a member of the UK Access Management Federation, you will need to follow these instructions to join.
- Follow these instructions to register your Trove with the UK Access Management Federation.
- There is a wiki for installing and configuring Shibboleth 2.
- /var/log/shibboleth/shibd.log is the log file for the Shibboleth Daemon. This will show any errors it has encountered.
- Typing your error message (minus site-specific information) into a search engine is also a good way to find wikis, forums and blog posts to help you debug your problem.
When logging out of your Trove, you will be prompted that, to log out completely (so that someone cannot simply click the Login link and log in as you without a password), you need to close your browser. This is because Shibboleth Identity Providers (IdPs) by default have a session time of 30 minutes, which is supported by a cookie. The only straightforward and guaranteed way to remove this cookie, so that the next user has to type in a username and password to log in to your Trove, is to restart the browser.
Newer Identity Providers (IdPs) support something called Single Log Out (SLO), which would let a user log out of both your Trove and the IdP at the same time. LabTrove does not currently support this, as there are many issues associated with it.