These instructions are for the Shibboleth 1.2 target install on Suse Linux 8.2
You can get Shibboleth 1.2 and openSAML by clicking here
The first thing you have to do is get a load of support libraries that are needed by openSAML. At the time of writing, these are documented in the doc/README.txt of the openSAML distribution and are:
- gcc/g++ GNU compiler 3.x. I got this from ftp.suse.com. It also required libstdc++-devel-3.3-23.i586.rpm
- OpenSSL 0.9.6/0.9.7 – this was already installed but comes as an rpm from Suse
- libcurl 7.10.3
- Xerces-C 2.2
- log4cpp 0.3.4b
- Xalan – you don’t really need this but xml-security would quite like to use it
- xml-security 0.2.0
the rpms are easy : rpm -Uhv
Nice and easy:
this doesn’t seem to install anything so do:
cp src/.libs/liblog* /usr/lib
./runConfigure -plinux -cgcc -xg++ -minmem -nsocket -tnative -rpthread
the libs are $XERCESROOT/lib
copy libxerces-c.so.25.0 to /usr/lib and recreate the symlinks
the headers have to be installed for xml-security to find them:
cp -r $XERCESROOT/include/xerces /usr/include
Xalan-C (for xml-security)
$XALANCROOT/runConfigure -plinux -cgcc -xg++ -minmem -rpthread
cp $XALANCROOT/lib/* /usr/lib
cp libxml* /usr/lib
cp -r $XSECCROOT/include/xsec /usr/include
before you go build it you’ll have to do:
ln -s libcurl.so.2.0.2 libcurl.so
or the openSAML build will fail. When you’ve done that, do:
./configure --prefix=/usr/local/shibboleth --with-xmlsec=/usr -C
to test it, you can do:
/usr/local/shibboleth/bin/shibtest -h test-handle
If you get an openSAML error about versions, then you’ve got an old version of openSAML. Those nice people at Internet2 have put a version check into the Shibboleth build, which will save you a lot of hassle.
Once you’ve built everything, you can configure Apache 2 by copying and pasting the contents of /usr/local/shibboleth/etc/shibboleth/apache2.config into httpd.conf
The target and origin configurations are more complex so I’ll detail them in another blog entry
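A pre-flight check for the hand-copied libraries, as an added example that is not part of the original post: it verifies the Xerces headers, the libraries copied into /usr/lib and the libcurl.so link before the openSAML build is attempted. The check_prereqs name, the --check switch and the optional ROOT argument are assumptions made for this example; the paths and file patterns are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): check the manually installed
# openSAML prerequisites. ROOT is a hypothetical argument so the check can be
# pointed at a scratch tree; leave it empty to inspect the real system.

check_prereqs() {
    root="${1:-}"
    libdir="$root/usr/lib"
    problems=0

    report() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Xerces headers must be where xml-security looks for them.
    [ -d "$root/usr/include/xerces" ] || report "headers missing: /usr/include/xerces"

    # Each hand-copied library must be present as a regular file.
    for pat in 'liblog*' 'libxerces-c.so.25.0' 'libxml*' 'libcurl.so.2.0.2'; do
        found=0
        for f in "$libdir"/$pat; do
            if [ -f "$f" ] && [ ! -L "$f" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || report "no library matching $pat in /usr/lib"
    done

    # The unversioned libcurl.so link is what the openSAML build needs.
    if [ ! -e "$libdir/libcurl.so" ] && [ ! -L "$libdir/libcurl.so" ]; then
        report "libcurl.so missing (openSAML build will fail)"
    fi

    # Symlinks recreated by hand must not dangle.
    for f in "$libdir"/liblog* "$libdir"/libxerces-c* "$libdir"/libxml* "$libdir"/libcurl*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            report "dangling symlink: ${f#"$root"}"
        fi
    done

    [ "$problems" -eq 0 ]
}

# Inspect the real system only when asked: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then check_prereqs; fi
```

The function returns non-zero when anything is missing, so it can gate the ./configure step in a build script.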
Trying to code while under attack from low flying jets. What are they looking for? I heard Osama Bin Laden was spotted in Aberystwyth! One minute you’re contemplating the implementation of a particularly interesting interface and the next there’s a herd of cattle outside the window doing a Cecil B. DeMille, trampling all in their haste to get away from a screaming jet that is scraping the chimney pots.
OK, so tourists need to get somewhere fast, especially in those huge coaches that force you off the road when you’re cycling home and all they want to see is a smoked glass tinted view from the air conditioned throne that their bahookies are parked on. Presumably the new road through Sleat is to cater for these people as the locals seem to manage with the single track. Now, I’m not against progress but when you call somewhere “The Garden of Skye” and then cut down the trees, you have to wonder why the advertising standards lot haven’t caught wind of this! There’s a vast new swathe of tarmac being laid to replace the trees that were there and to create another motorway for maniacs to speed on. Why don’t they plant a new tree for every one that they’ve cut down?
They’ve even cut down trees that are beyond the end of the new road
A couple of years ago, the loop road through Ord and Tarskavaig got so bad that it was pothole central and during the winter the snow plough wouldn’t come near it. So what did the council do when faced with treacherous 1:7 gradients encased in snow and ice and the real threat of sliding off into a ravine? They waited until the spring and came round the loop road cutting down trees!
Where are all the trees in the garden of Skye going?
There will be stuff here after I’ve said something!
Welcome to the Siva weblog
Just started the Siva weblog.
Over the past month I’ve been converting the first iteration to a Java toolkit. The first version was exploratory, involving much running about and coding while my backside was in flames!
Took a load of research to find out what was supported in the way of remote programmatic account maintenance on Novell systems such as NDS and Groupwise.
Most CNA/CNE folk you speak to only know about the API gateway on Groupwise and Console1 on NDS so it’s a hoot trying to shoehorn LDAP and NDAP into the system, not to mention COM. A veritable soup of interesting technologies and in the case of COM, completely undocumented! Loads of strong coffee, a copy of dumpbin.exe and a Novell header file. Luvvly Jubbly!
Anyway, there’s now a sourceforge site, ready and waiting for the code and javadocs.
Almost finished the docs and I’m just turfing out some remnants of v1.0 which are going to be replaced by configurable XML/XSLT for the account definitions.
Next job is to think long and hard about the extension interfaces – how best to allow folk to contribute and add their own handler classes to interface with exotic systems we’ve never heard of.
The Guanxi project will make use of Siva to interface with Attribute Stores in the Shibboleth protocol and in fact, Guanxi will be adding shibboleth extensions to Siva.
Been debating whether to bolt Siva onto the existing origin implementation, which, conveniently, is a java web application.
After managing to load it into IntelliJ IDEA and compile however, it seems very generalised and may prove difficult to extend for our case.
However, the hook came when reading the spec – the protocol allows for multiple attribute stores but only one can be active in any one user session and it’s up to the HS to decide which AA to contact for handle generation, that’s if it delegates handle creation to the AA.
Whatever AA is decided upon is then used for the duration of the shibb session.
We’ve got tons of attribute stores and each one contains different info on a user so we need the ability to aggregate attributes from multiple stores, rather than plump for one store and restrict attribute assertions to that one alone.
Also, aggregation will involve conflict resolution, where semantically similar attributes in different stores report different information.
One example is the need for Gaelic names. One store may only have English names but the target is demanding that people be called Dòmhnall Dòmhnallach to get access to www.domhnalldomhnallach.com/bagpipesinanenclosedspace.mp3
So it looks like I’ll wander down the Siva route and start building a HS.
Welcome to the blog for the Guanxi project
Guanxi will extend Siva to provide Shibboleth protocol capabilities for the UHI Siva project. The Guanxi project’s main website is at www.guanxi.uhi.ac.uk
Over the coming months this blog will provide a personal perspective on developing the shibboleth extensions for Siva and may contain some strong language!
So I’ll be back, as Arnie says, after I’ve digested the draft v0.5 Shibboleth spec (here) – when will it be updated?
The first question is, should we support existing Shibboleth v1.1 implementations? Probably not in my humble opinion as the original Shibboleth implementors have decided to stop supporting it themselves!
Hopefully I’ll bung a “Shibboleth for dummies” article up here soon, once I get up to the dummies level.