A common way to run Shibboleth Identity Provider is with Apache httpd as the frontend and Tomcat as the backend, proxying Tomcat over the Apache JServ Protocol (AJP). This lets you terminate TLS for the IdP with Apache's mod_ssl and serve it on port 443 (Tomcat can do this itself, but I presume most people are more comfortable with Apache httpd). It also means Tomcat never has to be exposed to the network: the AJP connector listens only on loopback, and the only route to the IdP is through Apache. The accompanying video is here: https://www.youtube.com/watch?v=pd7msl9-T9E
This guide assumes that you followed the previous blog post on installing Tomcat and Shibboleth Identity Provider: https://www.fukr.org.uk/blog/shibboleth-identity-provider-installation-on-ubuntu-16-04/
Install Apache httpd
sudo apt-get install apache2
Check which sites are enabled. 000-default is enabled by default.
a2query -s
which returns:
000-default (enabled by the site administrator)
Disable the 000-default site
sudo a2dissite 000-default
Enable mod_proxy_ajp (this also enables mod_proxy), mod_ssl and mod_headers. The virtual host below wraps its Header directives in <IfModule headers_module>, so if mod_headers is not loaded the X-Frame-Options and HSTS headers are silently omitted rather than causing an error.
sudo a2enmod proxy_ajp ssl headers
Create the site configuration:
sudo nano /etc/apache2/sites-available/shib-idp.conf
Paste the following into the file, edit the paths to your certificate, private key, certificate authority chain and log files, then save. Note that SSLProtocol all -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1; tighten it (for example to TLSv1.2 only) if your clients allow it.
<VirtualHost *:443>
    ServerName shib-idp.lan
    ServerAdmin my@email.org
    CustomLog /var/log/apache2/shib-idp.lan.access.log combined
    ErrorLog /var/log/apache2/shib-idp.lan.error.log
    SSLEngine On
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!kRSA:!MD5:!RC4
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateKeyFile /etc/ssl/private/shib-idp.lan.key
    SSLCertificateFile /etc/ssl/certs/shib-idp.lan.crt
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt
    <IfModule headers_module>
        Header set X-Frame-Options DENY
        Header set Strict-Transport-Security "max-age=31536000;includeSubDomains"
    </IfModule>
    ProxyPass /idp ajp://localhost:8009/idp retry=5
    <Proxy ajp://localhost:8009>
        Require all granted
    </Proxy>
</VirtualHost>
To use a self-signed certificate instead, do the following:
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/ssl/private/shib-idp.lan.key -out /etc/ssl/certs/shib-idp.lan.crt
Accept the defaults for everything except 'Common Name', which should be your host's name, in my case shib-idp.lan
Remove the SSLCertificateChainFile line from /etc/apache2/sites-available/shib-idp.conf, since a self-signed certificate has no chain:
sudo sed -i '/SSLCertificateChainFile/d' /etc/apache2/sites-available/shib-idp.conf
Enable the new site
sudo a2ensite shib-idp && sudo service apache2 reload
Modify $CATALINA_HOME/conf/server.xml by commenting out the enabled HTTP connector (the one on port 8080), so that Tomcat no longer answers plain HTTP directly and the IdP is reachable only through Apache, then paste in the following AJP connector. The address attribute binds it to loopback only, so nothing but the local httpd can speak AJP to Tomcat. (On later Tomcat releases, 8.5.51/9.0.31 and newer, the AJP connector refuses to start unless you either configure a shared secret on both the Connector and the Apache ProxyPass, or set secretRequired="false"; the Tomcat 8.0 that ships with Ubuntu 16.04 does not require this.)
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" />
Restart Tomcat
sudo service tomcat8 restart
Test by opening the IdP status page in a web browser at: https://shib-idp.lan/idp/status (if you opted for a self-signed certificate you will get an insecure connection warning). It is also worth confirming that http://shib-idp.lan:8080/idp/status no longer answers, which shows that the HTTP connector really is disabled.
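The browser test only proves the happy path. As an added example (not part of the original post or of the Shibboleth or Tomcat projects), the POSIX shell script below checks the two files the post edits for the properties the setup depends on: no live HTTP connector left in server.xml, the AJP connector bound to 127.0.0.1, TLS switched on with SSLv3 actually removed, and ProxyPass pointing only at a loopback backend. It strips XML comments across lines first, so a connector that is merely commented out is not mistaken for a live one. The sample server.xml and vhost at the bottom are constructed here to exercise the checks; file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for server.xml and
# the Apache vhost. Uses only POSIX sh, awk, grep and sed. Sample inputs below
# are constructed for the demo; paths are assumptions.

# Strip XML comments, including ones spanning several lines.
strip_xml_comments() {
  awk '{
    line = $0; out = ""
    while (length(line) > 0) {
      if (in_comment) {
        i = index(line, "-->")
        if (i == 0) { line = "" } else { line = substr(line, i + 3); in_comment = 0 }
      } else {
        i = index(line, "<!--")
        if (i == 0) { out = out line; line = "" }
        else { out = out substr(line, 1, i - 1); line = substr(line, i + 4); in_comment = 1 }
      }
    }
    print out
  }' "$1"
}

# Print each live <Connector .../> on one line, even when its attributes are
# spread over several lines as in the stock Tomcat server.xml.
live_connectors() {
  strip_xml_comments "$1" | tr '\n' ' ' | grep -o '<Connector[^>]*>'
}

# No live HTTP connector (Tomcat would still answer on 8080, bypassing Apache
# and TLS) and every live AJP connector bound to 127.0.0.1.
check_tomcat_connectors() {
  conns=$(live_connectors "$1") || { echo "$1: no live connector" >&2; return 1; }
  http=$(printf '%s\n' "$conns" | grep -iv 'protocol="[^"]*ajp' || true)
  [ -z "$http" ] || { echo "$1: live HTTP connector: $http" >&2; return 1; }
  ajp=$(printf '%s\n' "$conns" | grep -i 'protocol="[^"]*ajp' || true)
  [ -n "$ajp" ] || { echo "$1: no live AJP connector" >&2; return 1; }
  bad=$(printf '%s\n' "$ajp" | grep -v 'address="127\.0\.0\.1"' || true)
  [ -z "$bad" ] || { echo "$1: AJP connector not bound to loopback: $bad" >&2; return 1; }
}

# TLS on, SSLv3 really removed (httpd applies SSLProtocol tokens left to right:
# "all" enables everything, "-SSLv3" then removes it, a bare version name
# replaces the whole set), and ProxyPass only to an AJP backend on loopback.
check_apache_vhost() {
  f=$1
  grep -qi '^[[:space:]]*SSLEngine[[:space:]]*On' "$f" || { echo "$f: SSLEngine not On" >&2; return 1; }
  sslv3=1   # httpd's historical default ("all") includes SSLv3
  for tok in $(grep -i '^[[:space:]]*SSLProtocol' "$f" | head -n 1 | awk '{ $1 = ""; print }'); do
    case "$tok" in
      all|+all|SSLv3|+SSLv3) sslv3=1 ;;
      -SSLv3) sslv3=0 ;;
      [+-]*) ;;            # adding/removing another version leaves SSLv3 as it was
      *) sslv3=0 ;;        # bare token such as TLSv1.2 replaces the set
    esac
  done
  [ "$sslv3" -eq 0 ] || { echo "$f: SSLv3 still enabled" >&2; return 1; }
  bad=$(grep -i '^[[:space:]]*ProxyPass[[:space:]]' "$f" \
        | grep -Eiv 'ajp://(localhost|127\.0\.0\.1)(:[0-9]+)?(/|[[:space:]]|$)' || true)
  [ -z "$bad" ] || { echo "$f: ProxyPass target is not loopback: $bad" >&2; return 1; }
}

# Constructed samples: the stock layout (HTTP live, AJP commented out) and the
# layout the post ends up with.
sample_stock_server_xml() {
  cat <<'EOF'
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <!--
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  -->
</Service>
EOF
}
sample_fixed_server_xml() {
  cat <<'EOF'
<Service name="Catalina">
  <!--
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  -->
  <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" />
</Service>
EOF
}
sample_vhost() {
  printf '%s\n' '<VirtualHost *:443>' '  SSLEngine On' '  SSLProtocol all -SSLv2 -SSLv3' \
    '  ProxyPass /idp ajp://localhost:8009/idp retry=5' '</VirtualHost>'
}

# Demo on the constructed samples: the stock server.xml should fail, the rest pass.
tmp=$(mktemp -d)
sample_stock_server_xml > "$tmp/stock.xml"; sample_fixed_server_xml > "$tmp/fixed.xml"
sample_vhost > "$tmp/shib-idp.conf"
for f in "$tmp/stock.xml" "$tmp/fixed.xml"; do check_tomcat_connectors "$f" && echo "$f: OK"; done
check_apache_vhost "$tmp/shib-idp.conf" && echo "$tmp/shib-idp.conf: OK"
```

Run it against the real files with check_tomcat_connectors /path/to/server.xml and check_apache_vhost /etc/apache2/sites-available/shib-idp.conf after sourcing the script. It only inspects the files; on the live host also confirm with a listening-socket listing (for example ss -ltnp) that 8009 is bound to 127.0.0.1 and nothing listens on 8080.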