...
Up-to-date information on the Shibboleth MDA can be found at https://shibboleth.atlassian.net/wiki/spaces/MA1/overview
Prerequisites and assumptions
- This guide assumes that the administrator is familiar with Linux, editing text based configuration files and running shell commands.
- The guide assumes that the administrator has access to a Linux system where a Java Runtime (OpenJDK 8 or newer is recommended) is installed.
- You have installed openssl and Java 17 (or later). JAVA_HOME is set and exported.
- You have created the /opt/mda directory for installation. It is assumed that the installation directory will be ‘/opt/eduGAIN-Metadata-Processing’. Root access might be needed to install this software.
- In order to run cronjobs more securely, it is recommended to create and use an unprivileged user mda-user.
...
In the following, we assume that the latest version of the metadata aggregator is 1.0.9.2. Please perform a search-and-replace on this document in case a newer version is available. If the version number differs from 0.9.2, the configuration in mda.xml may have to be adapted. Please inform support@edugain.org if you find inconsistencies in newer versions.
...
Unarchive the distribution:
...
- Download eduGAIN-metadata-example.tar.gz into /opt/mda and unpack the tarfile
- Download the Shibboleth MDA to /opt/mda, as per the MDA instructions: https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/1476984838/Installation+Guide
- Unpack the MDA distribution
- Download the eduGAIN signing certificate from https://technical.edugain.org/metadata
- Check its integrity and authenticity by comparing its SHA-256 fingerprint with the fingerprint published by eduGAIN, using
openssl x509 -fingerprint -sha256 -in /opt/mda/mds-v2.cer -noout
- Run eduGAIN-setup.sh to generate the signing key and certificate
- Run eduGAIN-run.sh to download and process the eduGAIN metadata aggregate. There should now be three new metadata files in /opt/mda.
You can check
Create run script
Open the file ‘bin/run-mda.sh’ in a text editor and edit the parameters. In particular edit BASE_PATH and JAVA_HOME.
Make the run file and the cron job file executable:
chmod a+x bin/run-mda.sh
chmod a+x cron-jobs/run-mda
Test deployment
Run the Metadata Aggregator:
./bin/run-mda.sh
The output should be three new metadata files in the ‘output’ directory.
Then check if the signature on these files can be verified using the certificate whose private key was used to sign the file. Using XMLSecTool this can be verified with:
xmlsectool.sh --verifySignature --inFile output/metadata.interfederation-all.xml --certificate pki/example-signer-cert.pem
Install a cronjob to run the job regularly
...
federation.crt
Post-installation
- Set up a cron job to run the metadata aggregator regularly
- Publish the metadata regularly
pyFF Federation Feeder
Prerequisites
- This guide assumes that the administrator is familiar with Linux, editing text based configuration files and running shell commands.
- The guide assumes that the administrator has access to a Linux system where Python >=3.9 is installed.
- It is assumed that the installation directory will be ‘/opt/pyff’. Root access might be needed to install this software.
- It is assumed that the output metadata directory will be ‘/opt/pyff/output’. Root access might be needed to create this directory.
- In order to run cronjobs more securely, it is recommended to create and use an unprivileged user pyff-user.
...
```yaml
### Load eduGAIN Metadata ###
- load:
  # Load from the eduGAIN Metadata URL; the certificate after the URL is used to verify the aggregate's signature
  - https://mds.edugain.org/edugain-v2.xml as edugain-md certs/eduGAIN-signer-ca.pem
  # If your federation feed has entities that are not published on eduGAIN
  # load your federation feed as well - uncomment the line below
  #- ###YOUR-FEDERATION-FEED-URL### as myfederation-md ###PATH-TO-YOUR-FEDERATION-SIGNING-CERT###
- select:
  - edugain-md
  # If your federation feed has entities that are not published on eduGAIN
  # uncomment the line below
  #- myfederation-md
### Produce the Interfederation Metadata ###
### Replace the values '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- xslt:
    stylesheet: tidy.xsl
- finalize:
    Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
    ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
    cacheDuration: PT5H
    validUntil: P5D
- sign:
    key: certs/sign.key
    cert: certs/sign.crt
- publish:
  - output/my-interfederation-metadata.xml
# The rest of the pipeline can be removed if you do not plan to publish interfederation feeds which contain
# only SPs (for consumption by IdPs) and only IdPs (for consumption by SPs).
# Feeds dedicated to IdPs and SPs are a good way to avoid the large-feed problem which e.g. requires
# increasing memory_limit for PHP when simpleSAMLphp is used.
### Fork to produce the Interfederation Identity Providers Metadata ###
### Replace the values '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- fork:
  - select:
    - "edugain-md!//md:EntityDescriptor[md:IDPSSODescriptor]"
  - xslt:
      stylesheet: tidy.xsl
  - finalize:
      Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
      ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
      cacheDuration: PT5H
      validUntil: P5D
  - sign:
      key: certs/sign.key
      cert: certs/sign.crt
  - publish:
    - output/my-interfederation-idp-metadata.xml
### Fork to produce the Interfederation Service Providers Metadata ###
### Replace the values '###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###' and '###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###' with the values of the XML attributes "Name" and "ID" chosen for your interfederation metadata stream ###
- fork:
  - select:
    - "edugain-md!//md:EntityDescriptor[md:SPSSODescriptor]"
  - xslt:
      stylesheet: tidy.xsl
  - finalize:
      Name: ###YOUR-ENTITIESDESCRIPTOR-NAME-FOR-INTERFEDERATION###
      ID: ###YOUR-ENTITIESDESCRIPTOR-ID-FOR-INTERFEDERATION###
      cacheDuration: PT5H
      validUntil: P5D
  - sign:
      key: certs/sign.key
      cert: certs/sign.crt
  - publish:
    - output/my-interfederation-sp-metadata.xml
```
Create run script
1) vim /opt/pyff/scripts/run-pyff.sh:
...
```crontab
MAILTO="your.monitoring.address@your.organisation.org"
55 * * * * root su -c /opt/pyff/scripts/run-pyff.sh - pyff-user
```
Test deployment
Run the pyFF Federation Feeder:
/opt/pyff/scripts/run-pyff.sh
The output should be three new metadata files in the ‘output’ directory.
Then check if the signature on these files can be verified using the certificate whose private key was used to sign the file. Using XMLSecTool this can be verified with:
xmlsectool.sh --verifySignature --inFile output/metadata.interfederation.xml --certificate certs/sign.crt
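As an added check for the feeds produced by the pipeline above (or by the MDA run earlier), the script below complements the xmlsectool signature check with structural checks: the EntitiesDescriptor Name and ID are no longer placeholders, validUntil lies in the future, a ds:Signature is present, and the IdP-only and SP-only forks contain only entities carrying the matching role. This is example code written for this guide, not part of pyFF or the Shibboleth MDA; the feed names follow the pipeline above and the embedded metadata is constructed sample input.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Feed kinds as produced by the pipeline: "all" (full feed), "idp" fork, "sp" fork.
ROLE_FOR_KIND = {"idp": "md:IDPSSODescriptor", "sp": "md:SPSSODescriptor"}

def check_feed(xml_text, kind="all", now=None):
    """Return a list of problems found in one feed; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        return ["root element is not md:EntitiesDescriptor"]
    for attr in ("Name", "ID"):  # the finalize step must have real values here
        if not root.get(attr) or root.get(attr).startswith("###"):
            problems.append("%s attribute missing or still a placeholder" % attr)
    if root.find("ds:Signature", NS) is None:  # the sign step adds an enveloped signature
        problems.append("no ds:Signature present")
    valid_until = root.get("validUntil")
    if not valid_until:
        problems.append("validUntil missing")
    elif datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        problems.append("validUntil %s is in the past" % valid_until)
    role = ROLE_FOR_KIND.get(kind)
    for ed in root.iterfind("md:EntityDescriptor", NS):
        # The forks select EntityDescriptors carrying the role, so every entity must have it.
        if role and ed.find(role, NS) is None:
            problems.append("%s lacks %s but is in the %s feed" % (ed.get("entityID"), role, kind))
    return problems

# Constructed sample: one IdP and one SP, shaped like a pipeline run's output (signature abbreviated).
SAMPLE_FEED = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:interfederation"
    ID="_interfederation" cacheDuration="PT5H" validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    # Against a real run: check_feed(open("output/my-interfederation-idp-metadata.xml").read(), "idp")
    print(check_feed(SAMPLE_FEED, "all"), check_feed(SAMPLE_FEED, "idp"))
```

The sample passes as a full feed but fails as the IdP fork, because the SP entity would not have been selected by the fork's XPath.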
Publish metadata regularly
Install a cron job that moves the eduGAIN metadata from the ‘output’ directory to a web server where the eduGAIN-enabled entities of your federation can download it. Because the metadata is signed, it can also be served on an http site.
...