installing a shibboleth sp from source

Thu, Jul 2, 2015

I’ve been working on an interesting project recently, along the lines of public access to university library resources (walk-in access). I’ve developed an Android app, set up an iBeacon for the app to detect and a backend which interfaces to Active Directory, but between the app and the backend is some gubbins. That gubbins is a Shibboleth Service Provider (SP), and although I wrote my own one many years ago, I decided to go with the ‘official’ one and build it from source.

As usual, it’s in a non-standard place, as I tend not to use /opt and much prefer /usr/local. Call me old fashioned. Anyway, this is how to build the Shibboleth SP from source and run it from a ‘non-standard’ (i.e. not /opt) location on Linux.

These are the various bits ‘n pieces we’ll need:

Download all of the above and extract each into its own directory. Each of the configure commands below is followed by:

make
make install
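Before unpacking anything, check each tarball against the SHA-256 published by its project (or, better, its detached signature), so that a tampered mirror cannot hand you a backdoored OpenSSL or SP that you then run with Apache’s privileges. The script below is an added example, not code from the original post or from any of the projects being built: it verifies a digest before extracting and refuses a mismatch without touching the destination directory. The tarball and its “published” digest are constructed in a scratch directory so the script runs offline; for real releases take the digest from the project’s download page.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Shibboleth/OpenSSL
# projects: verify a source tarball's SHA-256 before extracting and building it.
# The tarball and "published" digest used by demo() are constructed locally so
# the script runs offline; for real releases take the digest (or better, the
# detached signature) from the project's download page.

# Print the SHA-256 hex digest of a file, with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE EXPECTED_SHA256
# Exit status 0 when the digest matches, 1 otherwise (case-insensitive compare).
# An empty digest (hash tool missing) fails closed.
verify_tarball() {
    vt_file=$1
    vt_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    vt_actual=$(sha256_of "$vt_file")
    if [ -n "$vt_actual" ] && [ "$vt_actual" = "$vt_expected" ]; then
        return 0
    fi
    printf 'REFUSING %s: expected %s, got %s\n' "$vt_file" "$vt_expected" "$vt_actual" >&2
    return 1
}

# verify_and_extract FILE EXPECTED_SHA256 DESTDIR
# Unpacks only after the digest has been checked; a mismatch leaves DESTDIR untouched.
verify_and_extract() {
    verify_tarball "$1" "$2" || return 1
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Build a constructed "release" tarball in a scratch directory and print its path.
make_demo_tarball() {
    work=$(mktemp -d)
    mkdir -p "$work/src/example-1.0"
    echo 'int main(void) { return 0; }' > "$work/src/example-1.0/main.c"
    tar -czf "$work/example-1.0.tar.gz" -C "$work/src" example-1.0
    printf '%s\n' "$work/example-1.0.tar.gz"
}

# Walk through the good and the tampered case; prints "ok" when both behave.
demo() {
    tarball=$(make_demo_tarball)
    published=$(sha256_of "$tarball")   # stands in for the digest on the download page
    verify_and_extract "$tarball" "$published" "${tarball%/*}/build" || return 1
    [ -f "${tarball%/*}/build/example-1.0/main.c" ] || return 1
    # A tampered download (one extra byte) must be refused and nothing extracted.
    cp "$tarball" "$tarball.bad" && printf 'x' >> "$tarball.bad"
    if verify_and_extract "$tarball.bad" "$published" "${tarball%/*}/build-bad"; then
        echo "tampered tarball accepted" >&2
        return 1
    fi
    [ ! -d "${tarball%/*}/build-bad" ] || return 1
    rm -rf "${tarball%/*}"
    echo ok
}

demo
```

The digest only proves the file matches what the download page says; if the page and the file come from the same mirror, an attacker who controls that mirror controls both, which is why the projects also publish detached PGP signatures and why the expected digests belong in your own build script rather than being fetched at build time.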

Let’s start with OpenSSL:

./config --prefix=/usr/local/openssl-1.0.2a \
    --openssldir=/usr/local/openssl-1.0.2a \
    shared

then we need to install Apache:

./configure --enable-layout=shibbolethsp \
    --enable-rewrite \
    --enable-so \
    --enable-ssl \
    --with-ssl=/usr/local/openssl-1.0.2a

and this is my config.layout section:

<Layout shibbolethsp>
    prefix: /usr/local/httpd-2.2.29
    exec_prefix: ${prefix}
    bindir: ${exec_prefix}/bin
    sbindir: ${exec_prefix}/bin
    libdir: ${exec_prefix}/lib
    libexecdir: ${exec_prefix}/modules
    mandir: ${prefix}/man
    sysconfdir: ${prefix}/conf
    datadir: ${prefix}
    installbuilddir: ${datadir}/build
    errordir: ${datadir}/error
    iconsdir: ${datadir}/icons
    htdocsdir: ${datadir}/htdocs
    manualdir: ${datadir}/manual
    cgidir: ${datadir}/cgi-bin
    includedir: ${prefix}/include
    localstatedir: /var/log/apache
    runtimedir: ${localstatedir}/logs
    logfiledir: ${localstatedir}/logs
    proxycachedir: ${localstatedir}/proxy
</Layout>

and add this to the top of /usr/local/httpd-2.2.29/bin/apachectl. We need this because we are not using the version of OpenSSL that comes with Linux, so the loader has to be told where the private copy lives. Bear in mind that everything apachectl starts inherits the variable, CGI children included; if you would rather not rely on the environment, the same effect can be had by linking with an rpath pointing at the OpenSSL lib directory, or by adding that directory to the loader’s configuration.

export LD_LIBRARY_PATH=/usr/local/openssl-1.0.2a/lib:/usr/local/shibboleth-sp/lib

Then install apr:

./configure --prefix=/usr/local/apr-1.5.1

and apr-util:

./configure --prefix=/usr/local/apr-1.5.1 \
    --with-apr=/usr/local/apr-1.5.1

Then we need curl:

export PKG_CONFIG_PATH=/usr/local/openssl-1.0.2a/lib/pkgconfig
./configure --prefix=/usr/local/curl-7.40.0 \
    --with-ssl

Now to install Boost:

cp -r boost_1_57_0 /usr/local

Then Xerces-C:

./configure --prefix=/usr/local/shibboleth-sp \
    --disable-netaccessor-libcurl

Then XML-Security-C:

./configure --prefix=/usr/local/shibboleth-sp \
    --without-xalan \
    --disable-static \
    --with-xerces=/usr/local/shibboleth-sp \
    --with-openssl=/usr/local/openssl-1.0.2a

log4shib:

./configure --prefix=/usr/local/shibboleth-sp \
    --disable-static \
    --disable-doxygen

Then XMLTooling:

./configure --prefix=/usr/local/shibboleth-sp \
    --with-log4shib=/usr/local/shibboleth-sp \
    --with-xerces=/usr/local/shibboleth-sp \
    --with-xmlsec=/usr/local/shibboleth-sp \
    --with-openssl=/usr/local/openssl-1.0.2a \
    --with-boost=/usr/local/boost_1_57_0 \
    --with-curl=/usr/local/curl-7.40.0 \
    -C

then OpenSAML:

./configure --prefix=/usr/local/shibboleth-sp \
    --with-log4shib=/usr/local/shibboleth-sp \
    --with-xerces=/usr/local/shibboleth-sp \
    --with-xmlsec=/usr/local/shibboleth-sp \
    --with-xmltooling=/usr/local/shibboleth-sp \
    --with-openssl=/usr/local/openssl-1.0.2a \
    --with-boost=/usr/local/boost_1_57_0 \
    -C

Now for the SP itself:

./configure --prefix=/usr/local/shibboleth-sp \
    --with-log4shib=/usr/local/shibboleth-sp \
    --with-xerces=/usr/local/shibboleth-sp \
    --with-xmlsec=/usr/local/shibboleth-sp \
    --with-xmltooling=/usr/local/shibboleth-sp \
    --with-openssl=/usr/local/openssl-1.0.2a \
    --with-boost=/usr/local/boost_1_57_0 \
    --with-apr=/usr/local/apr-1.5.1/bin/apr-1-config \
    --with-apu=/usr/local/apr-1.5.1/bin/apu-1-config \
    --enable-apache-22 \
    --with-apxs22=/usr/local/httpd-2.2.29/bin/apxs

Now that the SP is installed, let’s configure some attributes for it to process. Open the file:

/usr/local/shibboleth-sp/etc/shibboleth/attribute-map.xml

and add an attribute:

<Attribute name="urn:oid:0.0.7" id="CB_InterestingAttribute">
  <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>

The above tells the SP to accept the SAML attribute named ‘urn:oid:0.0.7’ (substitute the OID your IdP actually releases) and expose it to protected applications as ‘CB_InterestingAttribute’. It’s ‘CB_InterestingAttribute’ that any SP-protected app will use. mod_shib places it in the request environment, so a Sinatra app running inside Apache (under Passenger, for example) reads it from the Rack request environment rather than the process environment (ENV would only see it if the app ran as a CGI):

request.env['CB_InterestingAttribute']

If the app instead sits behind Apache as a reverse proxy, the SP has to pass attributes as HTTP headers (ShibUseHeaders On), in which case the backend must accept those headers only from the proxy and never directly from clients, otherwise anyone can assert their own attributes. A multi-valued attribute arrives as a single string with the values separated by ‘;’.

I’ll leave the more complex configuration for trusting Identity Providers to the official documentation and instead finish with showing how to start the SP. Remember we’re using a separate version of OpenSSL, so shibd needs the same library path as apachectl, not just the SP’s own lib directory:

export LD_LIBRARY_PATH=/usr/local/openssl-1.0.2a/lib:/usr/local/shibboleth-sp/lib
/usr/local/shibboleth-sp/sbin/shibd -f
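The whole point of building against a private OpenSSL is lost if the loader quietly picks up the distribution’s libssl instead, which is exactly what happens when the library path is wrong and the system happens to ship a library with the same soname. The script below is an added example, not part of the original post: it runs ldd under the same LD_LIBRARY_PATH that apachectl exports and flags any libssl/libcrypto resolved from outside the OpenSSL prefix. The prefixes are the ones used in this post and the module path under lib/shibboleth is assumed from the SP’s default install layout; the ldd output in the demo is constructed so the check can be exercised on a machine that does not have the build.

```shell
#!/bin/sh
# Added example, not from the original post: check that the binaries built
# above really resolve libssl/libcrypto from the OpenSSL prefix they were
# configured against, not from the distribution's copy. Prefixes are the
# ones used in the post; the mod_shib_22.so location is assumed from the
# SP's default install layout. The ldd output in the demo is constructed.

OPENSSL_PREFIX=/usr/local/openssl-1.0.2a
SP_PREFIX=/usr/local/shibboleth-sp
HTTPD_PREFIX=/usr/local/httpd-2.2.29

# crypto_libs_outside PREFIX   (ldd output on stdin)
# Prints each libssl/libcrypto dependency whose resolved path is not under
# PREFIX, or that is "not found". Prints nothing when everything is as expected.
crypto_libs_outside() {
    awk -v p="$1/" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            path = ($2 == "=>") ? $3 : $2
            if (path == "not") path = "not found"
            if (index(path, p) != 1) print $1 " -> " path
        }'
}

# check_binary PREFIX FILE
# Runs ldd on FILE under the same LD_LIBRARY_PATH apachectl exports, since that
# is what the loader honours at run time. Returns 1 on any stray library.
check_binary() {
    cb_out=$(LD_LIBRARY_PATH="$OPENSSL_PREFIX/lib:$SP_PREFIX/lib" ldd "$2" 2>/dev/null \
             | crypto_libs_outside "$1")
    if [ -n "$cb_out" ]; then
        printf '%s loads OpenSSL from outside %s:\n%s\n' "$2" "$1" "$cb_out" >&2
        return 1
    fi
    return 0
}

# Constructed ldd output for a correctly linked shibd ...
GOOD_LDD='    linux-vdso.so.1 =>  (0x00007ffd8c1fe000)
    libssl.so.1.0.0 => /usr/local/openssl-1.0.2a/lib/libssl.so.1.0.0 (0x00007f0a3b5e0000)
    libcrypto.so.1.0.0 => /usr/local/openssl-1.0.2a/lib/libcrypto.so.1.0.0 (0x00007f0a3b1e0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a3ae00000)'
# ... and for one that silently picked up the distribution's libssl.
BAD_LDD='    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0a3b5e0000)
    libcrypto.so.1.0.0 => /usr/local/openssl-1.0.2a/lib/libcrypto.so.1.0.0 (0x00007f0a3b1e0000)'

# Apply the rule to the constructed text: demo_good prints nothing, demo_bad
# prints the offending libssl line.
demo_good() { printf '%s\n' "$GOOD_LDD" | crypto_libs_outside "$OPENSSL_PREFIX"; }
demo_bad()  { printf '%s\n' "$BAD_LDD"  | crypto_libs_outside "$OPENSSL_PREFIX"; }

# On the real host, run these after `make install` and before starting anything:
#   check_binary "$OPENSSL_PREFIX" "$SP_PREFIX/sbin/shibd"
#   check_binary "$OPENSSL_PREFIX" "$SP_PREFIX/lib/shibboleth/mod_shib_22.so"
#   check_binary "$OPENSSL_PREFIX" "$HTTPD_PREFIX/modules/mod_ssl.so"
demo_good
demo_bad
```

Run the three check_binary calls again after every OpenSSL rebuild; if a stray library shows up, either fix the exported path or, more robustly, relink with an rpath so the result no longer depends on the environment at all.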

One Shibboleth SP, built from source and running from a non standard location. Done!
