Code Details for Hosting a Shibboleth SP Web Site in Azure

Continuing my series on hosting a Shibboleth SP web site in Azure, here is the entire install-shib.cmd startup file I used.

rem batch file to install the Shibboleth SP
echo running install-shib batch file >> %temp%\install-shib.txt 2>&1
date /t >> %temp%\install-shib.txt 2>&1

echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1
msiexec.exe /i Shibboleth-SP\shibboleth-sp-2.5.1-win64.msi /quiet /L*v %temp%\shib-msi.txt INSTALLDIR=c:\opt\shibboleth-sp\ /norestart
if errorlevel 1 goto err1

echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth
if errorlevel 1 goto err2
echo calling xcopy to copy the key files >> %temp%\install-shib.txt 2>&1
xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth
if errorlevel 1 goto err2
echo calling xcopy to copy Shib DLLs that the ISAPI filter loader can't find >> %temp%\install-shib.txt 2>&1
xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth
if errorlevel 1 goto err2

echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0']
rem appcmd returns 183 if the setting already exists; ignore and continue
if %errorlevel% EQU 183 goto appcmd2
if errorlevel 1 goto err3

:appcmd2
echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',preCondition='bitness64']
if %errorlevel% EQU 183 goto appcmd3
if errorlevel 1 goto err4

:appcmd3
echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1
%windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True']
if %errorlevel% EQU 183 goto icaclscmd
if errorlevel 1 goto err5

:icaclscmd
echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1
icacls c:\opt /grant "Users":(OI)(CI)(RX)
rem if errorlevel 1 goto err6

echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1
icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M)
rem if errorlevel 1 goto err6

:restart
echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1
net stop shibd_Default
net start shibd_Default
if errorlevel 1 goto err7

rem return a zero exit code for success
:success
exit /b 0

:err1
echo msiexec exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err2
echo xcopy exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err3
echo appcmd configuring handler exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err4
echo appcmd configuring filter exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err5
echo appcmd enabling filter exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err6
echo icacls setting Shib folder perms exited with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

:err7
echo restarting Shib service failed with errorlevel of %errorlevel% >> %temp%\install-shib.txt 2>&1
exit /b %errorlevel%

Here are some of the important edits that must be made to the shibboleth2.xml file. First, update the Site line inside the ISAPI element to read like this.

<Site id="1273337584" name="myshibbolethsp.cloudapp.net"/>

Next, update the RequestMap section to name your host. Note that no Path element is used: the entire web site is protected.

<Host name="myshibbolethsp.cloudapp.net" authType="shibboleth" requireSession="true"/>

Now set the entityID. This is the host name with the protocol prefix.

<ApplicationDefaults entityID="https://myshibbolethsp.cloudapp.net/"
 REMOTE_USER="eppn persistent-id targeted-id">

Remember to substitute your site’s DNS name and URL in the above edits.

Ensure that SSL is required.

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
 checkAddress="false" handlerSSL="true" cookieProps="https">

You need to specify your IdP’s entityID. I am using the University of Washington’s IdP in this example.

<SSO entityID="urn:mace:incommon:washington.edu">

Last, you must specify the metadata source and its signature certificate. The UW is part of InCommon, so its metadata is listed there.

<MetadataProvider type="XML" uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
 backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="Signature" certificate="incommon.pem"/>

Note the reference to the incommon.pem file. This metadata signature public key (certificate) file is one of the files you must add to the Shibboleth-SP folder in your VS project. Because the metadata is fetched over plain HTTP, the Signature filter is what guarantees that the metadata has not been altered in transit.
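As an added example that is not part of the original post, here is a small Python check that reads a shibboleth2.xml and verifies that the edits above agree with each other: the ISAPI Site name, the RequestMap Host and the entityID host are the same DNS name, the entityID uses https, sessions require SSL, an IdP entityID is set, and the metadata provider carries a Signature filter with a certificate. The sample document is constructed for this example by assembling the post's snippets; the element layout and namespace are those of Shibboleth SP 2.x.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{urn:mace:shibboleth:2.0:native:sp:config}"  # default namespace of shibboleth2.xml

def check_sp_config(xml_text):
    """Return a list of problems; an empty list means the edits agree with each other."""
    root = ET.fromstring(xml_text)
    find = lambda tag: root.find(f".//{NS}{tag}")  # first element with that tag, any depth
    site, host, app = find("Site"), find("Host"), find("ApplicationDefaults")
    sessions, sso, mdp = find("Sessions"), find("SSO"), find("MetadataProvider")
    if site is None or host is None or app is None:
        return ["missing Site, Host or ApplicationDefaults element"]
    problems = []
    # ISAPI Site, RequestMap Host and the entityID must all name the same DNS name
    entity = urlparse(app.get("entityID", ""))
    if not (site.get("name") == host.get("name") == entity.hostname):
        problems.append("Site name, Host name and entityID host do not match")
    if entity.scheme != "https":
        problems.append("entityID should carry the https:// prefix")
    if host.get("authType") != "shibboleth" or host.get("requireSession") != "true":
        problems.append("Host must set authType=shibboleth and requireSession=true")
    if sessions is None or (sessions.get("handlerSSL"), sessions.get("cookieProps")) != ("true", "https"):
        problems.append("Sessions must set handlerSSL=true and cookieProps=https")
    if sso is None or not sso.get("entityID"):
        problems.append("SSO element names no IdP entityID")
    sig = None if mdp is None else mdp.find(f"{NS}MetadataFilter[@type='Signature']")
    if sig is None or not sig.get("certificate"):
        problems.append("MetadataProvider has no Signature filter with a certificate")
    return problems

# Constructed sample assembling the snippets from the post into a minimal SPConfig
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess><ISAPI normalizeRequest="true"><Site id="1273337584" name="myshibbolethsp.cloudapp.net"/></ISAPI></InProcess>
  <RequestMapper type="Native"><RequestMap>
    <Host name="myshibbolethsp.cloudapp.net" authType="shibboleth" requireSession="true"/>
  </RequestMap></RequestMapper>
  <ApplicationDefaults entityID="https://myshibbolethsp.cloudapp.net/"
      REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="urn:mace:incommon:washington.edu">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
        backingFilePath="federation-metadata.xml" reloadInterval="7200">
      <MetadataFilter type="Signature" certificate="incommon.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""
```

Calling check_sp_config(SAMPLE) returns an empty list; point it at the text of your own shibboleth2.xml to see which of the edits still disagree.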

Many more customizations of the Shibboleth SP are possible. These posts just scratch the surface of using SAML as an authentication protocol and of using the Shibboleth implementation as a Service Provider. There is a wealth of information on the Shibboleth.net site and on blogs and posts around the web.

In the next post I’ll discuss some issues I’ve yet to resolve.
