Versions Compared

Old Version 2

changes.mady.by.user Chad Redman

Saved on

compared with

New Version 3

changes.mady.by.user Chad Redman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
indent15px

Requirements

  • Docker or other OCI server OR Java 11 or higher (Tested with Amazon Corretto 11)
  • %TODO% G memory
  • RDBMS for persistent configuration storage:
    • PostgreSQL (version 14 is the presumed default)
    • Tested with latest docker images of MariaDB, MySQL and SQL Server.  
    • docker-compose and application.yml examples for each DB can be found in the testbed directory in the Git repository.
  • A method for providing generated metadata to the associated IDP:
    • Shared filesystem
    • Git push/pull
    • file transfer
    • MDQ

Downloads

Pre-built docker images are on Docker Hub.

Releases for the Java war file can be found in the Internet2 GitHub project repository.

Quick Start Demo

Using Docker:

Code Block
languagebash
titlequickstart - Using Docker
docker run \
    -p 8080:8080 \
    -p 9090:9090 \
  i2incommon/shib-idp-ui:latest

...

API documentation from Swagger is available on port 9090. This port is exposed in this demo, but is not for user access in production.

Deployment Considerations

The principal output from the Shib IDP UI application are XML files. Metadata provider records in the UI correspond to MetadataConfiguration resources, which contain pointers to the actual entity metadata to consume. Metadata source records in the UI define individual entities, and each entity corresponds to a single XML file defining its metadata. The entity files are generally to be used with a LocalDynamicMetadataProvider, and the entity file names follow its convention of lower case hex-encoded SHA-1 digest of the entityID, suffixed with ".xml" The locations in the filesystem to save the output are defined by UI application properties, and have no defaults. See {Configuration} for details on how to define these.

...

  • UI running as a web application on the same server as the IDP, and saved to local filesystem
  • Shared filesystem between the UI and the IDP
  • Git push/pull jobs
  • file transfer jobs

Running

The Shibboleth IdP UI is built as a Java Spring Boot (https://spring.io/projects/spring-boot) application. It can be run as a standalone Java application (using an embedded Tomcat server), or as a Java web application running under an installed Tomcat or Jetty web application server. Both the standalone and web application methods can be used either directly on a web server, or packaged inside a Docker image. Internet2 supplies pre-built Docker images for released versions. The deployment method is largely dependent on your own infrastructure and knowledge base.

Configuration

Regardless of which method is used to run the Shibboleth IdP UI, configuration is required. Much of the behavior of the UI can be set and controlled through property files which can be in one or both of the following formats:

...

Spring properties also utilize profile designations, which target the reading of an environment-specific configuration file. For example, when passing Java system property -Dspring.profiles.active=prod, setting environment variable SPRING_PROFILES_ACTIVE=prod, or setting property spring.profiles.active=prod in application.properties, application startup will additionally load file application-prod.properties, using the same search order as for application.properties.

Database properties

The Shib IDP UI can be integrated with a variety of back end databases to store registry information. The distribution includes JDBC drivers for PostgreSQL, MySQL, MariaDB, and SQL Server. With no custom database configuration, the application will default to an embedded in-memory H2 database, which will be cleared out on application exit. Database-specific properties to set are:

...

Code Block
languageyml
titleSQL Server
spring:
  datasource:
    platform: sqlserver
    driver-class-name: com.microsoft.sqlserver.jdbc.SQLServerDriver
    url: jdbc:sqlserver://db-hostname:1433
    username: sa
    password: Password1
  jpa:
    properties:
      hibernate:
        dialect: org.hibernate.dialect.SQLServerDialect

Authentication

There are three methods for authenticating users. The first two involve choosing an encryption scheme for the password from one of the following:

...

Code Block
languageyml
titlepac4j properties example
shibui:
  default-password: "{noop}password"
  user-bootstrap-resource: file:/opt/shibui/conf/users.csv
  roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
  pac4j-enabled: true
  pac4j:
    keystorePath: "/opt/shibui/conf/samlKeystore.jks"
    keystorePassword: "password"
    privateKeyPassword: "password"
    serviceProviderEntityId: "https://shibui.local/shibui"
    serviceProviderMetadataPath: "/opt/shibui/conf/sp-metadata.xml"
    identityProviderMetadataPath: "/opt/shibboleth-idp/metadata/idp-metadata.xml"
    forceServiceProviderMetadataGeneration: false
    callbackUrl: "https://shibui.local/shibui/callback"
    maximumAuthenticationLifetime: 3600000
    simpleProfileMapping:
      username: urn:oid:0.9.2342.19200300.100.1.1
      firstName: urn:oid:2.5.4.42
      lastName: urn:oid:2.5.4.4
      email: urn:oid:0.9.2342.19200300.100.1.3
      groups: urn:oid:2.5.4.15 # businessCategory
      roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement

Entity Metadata Files

Entity metadata is not written to XML files by default. To periodically write the generated metadata files to a target directory, define:

...

Info

Each entity corresponds to a single XML file defining its metadata. To calculate the SHA-1 base name from an entityID, the following can be run on the command line:


$ echo -n "urn:test:foobar" | openssl sha1
d278c9975472a6b4827b1a8723192b4e99aa969c

Metadata Provider File

The metadata providers defined in the UI are not written to an external XML file by default. To periodically write the generated configuration to a filesystem resource, define:

...

Similar to the entity task run rate, the shibui.metadataProviders.taskRunRate property defaults to 30000 or every 30 seconds and can accept a number which represents milliseconds, or a Java Duration.

Metadata External Provider File

TODO

Other properties

The full set of properties used in the UI, with their defaults, are embedded in the war file application.yml and application.properties.

Spring properties can also be utilized to define server behavior. Logging levels, JDBC tuning, or HTTPS are common ones to use.

Enabling HTTPS Listener

Add these Spring properties to your configuration file:

...

Code Block
languagebash
titlegenerating a keystore
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650

Deployments Examples

Internet2 Docker image - base image with mounted configuration

In this example, properties include shibui.user-bootstrap-resource=file:/opt/shibui/users.csv, along with connections to an existing database.

...

There are many ways to deploy an application with Docker and the following example is only meant to show a simplistic approach for demonstration purposes.  A docker compose example of a fully functioning Shibboleth IdP UI with full integration with the Shibboleth IdP can be found in the smoke-test testbed in the Git repository.

Standalone war file

This example assumes all the files are placed in the same directory that the war will be run from and that the PostgreSQL database is running locally.

  1. Download the war from https://github.internet2.edu/TIER/shib-idp-ui/releases/
  2. Create a users.csv with:
    root,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org
  3. Start the database
    docker run --rm --name postgres-db -p 5432:5432 -e POSTGRES_PASSWORD=shibui -e POSTGRES_USER=shibui -d postgres

  4. Create a basic Shibboleth IdP UI configuration with database settings

    Code Block
    languageyml
    titlestartup - standalone war file
    spring:
  profiles:
    include:
  datasource:
    platform: postgres
    driver-class-name: org.postgresql.Driver
    url: jdbc:postgresql://localhost:5432/shibui
    username: shibui
    password: shibui
  jpa:
    show-sql: false
    properties:
      hibernate:
        dialect: org.hibernate.dialect.PostgreSQL95Dialect
        format_sql: true
shibui:
  user-bootstrap-resource: file:users.csv
  roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_PONY


  5. Run the war and tell it where to find your configuration files
    java -Xmx1g -jar shibui-1.16.0.war --spring.config.additional-location=file:application.yml

  6. You can access the application at http://localhost:8080 and login with root/password

  7. Running under https is accomplished by adding the following to your configuration file

    Code Block
      server:
    ssl:
      key-store: keystore.p12
      key-store-password: password
      key-store-type: pkcs12
      key-alias: tomcat
      key-password: password
    port: 8443

Tomcat web application

This example assume Tomcat but the procedure for Jetty or others will be similar.  Also assumes configuration files will be placed in /opt/shibui/ and that the Postgres database is already running.

...