pulibrary / princeton_ansible

Ansible Roles and Playbooks for Princeton University Library

Install shibboleth via ansible #2585

Closed bess closed 2 years ago

bess commented 2 years ago

The shibboleth role should:

Dec 8 update: Our shibboleth installation is working and we've asked OIT to authorize it. Awaiting a response from them right now.

Dec 10 update: Jay at OIT says this last batch of attributes was the list he was looking for. He is working on this today.

bess commented 2 years ago

My response to OIT (copied here for reference):

Hi, Jay.

1) These are the shibboleth attributes we need: "SHIB_netid" "SHIB_mail" "SHIB_uin" "SHIB_givenname" "SHIB_initials" "SHIB_sn" "SHIB_dateOfBirth" "SHIB_eduPersonAffilation" "SHIB_phone" "SHIB_postal" "SHIB_mail" "SHIB_permanentPhone" "SHIB_permanentPostal" "SHIB_permanentMail" "SHIB_degree" "SHIB_department" "SHIB_college" "SHIB_major" "SHIB_gradYear" "SHIB_gradMonth" "SHIB_orcid"

2) We are already using SSL for connection, so I don't think we need to further encrypt the traffic, but I am happy to follow OIT's guidance here.

3) The Login can be tested at https://vireo-staging.princeton.edu/Shibboleth.sso/Login

Thank you! Bess Sadler

bess commented 2 years ago

Try 2 on the shibboleth attributes:

Hi, Jay. The truth is, I am not very familiar with this application. This is an application that was being run by OIT for many years, and my group in the library has been asked to take it over. I tried to identify the list of attributes required from the code, and it sounds like I got the wrong list.

Let's try this one:

These are the entries in /etc/shibboleth/attribute-map.xml on the legacy system:

<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="shib_mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="shib_netid"/>
<Attribute name="urn:oid:2.5.4.4" id="shib_sn"/>
<Attribute name="urn:oid:2.5.4.42" id="shib_givenname"/>

These attributes are used for Princeton students who need to submit a thesis to fulfill their graduation requirement, and for faculty and staff who need to oversee that process. Apparently Mark Ratliff and Keith Martin have previously been points of contact on this application within OIT, in case that is helpful. I need to set this up twice (for staging and production). Instead of duplicating this information in both tickets, I'm going to keep the conversation here, and once we figure out what is needed for staging we can do that for production too. Does that sound okay?

Also, if it would be easier to talk this over on zoom please let me know.

Thank you! Bess Sadler Research Data Support Services Princeton University Library

bess commented 2 years ago

As of 14 Dec, we are able to do a partial authentication to shibboleth. However, it is returning the user to the wrong url. After troubleshooting with @kayiwa and Jay at OIT, here is the diagnosis:

using this URL https://vireo-staging.princeton.edu/Shibboleth.sso/Login
I was able to see the application hit our IDP

Within the SAML request: the ACS URL is: https://vireo-staging/Shibboleth.sso/SAML2/POST

To fix this, you need to update your application to use the correct ACS URL of https://vireo-staging.princeton.edu/Shibboleth.sso/SAML2/POST which is within your metadata file.

Thanks, Jay

That metadata file is being generated by mod_shib, our shibboleth plugin for apache2. I have been trying to figure out how to get it to alter what it creates. I may need to create it the first time manually, and then hand-edit the file and put it into ansible. I'm going to try that next.

bess commented 2 years ago

As of December 17 we are still unable to get this working. Next, Francis and I are going to set up a totally clean ubuntu system on google cloud, which is not behind a load balancer. Then we'll attempt to ONLY install our shibboleth ansible role on it and try to get that working. That should tell us whether the problem is with our base shibboleth installation or whether some issue is being introduced by the load balancer or our proxy setup.

acozine commented 2 years ago

The last piece of the puzzle turned out to be in the Apache config. In the VirtualHost definition, Shibboleth requires UseCanonicalName On to be set. This is reflected in the template in the vireo role.
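As an added illustration (not code from this issue or from princeton_ansible) of the mismatch Jay diagnosed above: the script decodes the SAMLRequest value a Shibboleth SP sends in the HTTP-Redirect binding and checks that its AssertionConsumerServiceURL is one of the Locations the SP publishes in its metadata. The metadata, the request and the `make_request` helper are constructed sample data for this example.

```python
"""Check an SP's SAML AuthnRequest against its own metadata: a bare
hostname in the ACS URL (as produced before UseCanonicalName was set)
will not match any published AssertionConsumerService Location."""
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata: the ACS endpoint the IdP has been told to trust.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://vireo-staging.princeton.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://vireo-staging.princeton.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the ?SAMLRequest= value)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(raw).decode()


def decode_redirect(saml_request):
    """Reverse of encode_redirect, for inspecting a captured SAMLRequest value."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def acs_locations(metadata_xml):
    """All AssertionConsumerService Locations the SP metadata publishes."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)}


def check_acs(saml_request, metadata_xml):
    """Return (ok, acs_url): ok is False when the request's ACS URL is not in the metadata."""
    req = ET.fromstring(decode_redirect(saml_request))
    acs = req.get("AssertionConsumerServiceURL", "")
    return acs in acs_locations(metadata_xml), acs


def make_request(acs_url):
    """Constructed minimal AuthnRequest carrying the given ACS URL (hypothetical helper)."""
    xml_text = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_example1" Version="2.0" '
                f'IssueInstant="2021-12-14T00:00:00Z" AssertionConsumerServiceURL="{acs_url}"/>')
    return encode_redirect(xml_text)
```

Paste the SAMLRequest parameter from a captured redirect into `check_acs` to see which ACS URL the SP is actually advertising to the IdP.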