You MUST NOT continue to installation until you’ve worked through the checklists below. Environmental preparation is critical to a successful outcome.
These requirements apply to both new installations and upgrades from version 3 of Shibboleth.
TABLE OF CONTENTS
- Required Checklist
- Upgrading
- Ansible Package
- Server connectivity
- Environmental data for your IdP
- Next steps
Required Checklist
A dedicated CentOS Stream, Rocky or Red Hat version 8 or 9, or Ubuntu 20.04 or 22.04, server (virtual or physical) with the following minimum specifications:
- 2 CPU
- 4GB RAM
- 10GB+ partition for OS
The AAF recommends CentOS Stream only be used in the AAF Test environment, NOT as a production IdP.
Upgrading
If you are using the installer to upgrade from version 4 it is highly recommended that you perform the installation on a new, clean server and migrate the required configuration as described in this documentation. This is necessary if your v4 server is running CentOS 7, Red Hat 7 or similar, which are no longer supported by the installer or the Shibboleth IdP software.
NOTE: If you choose to run the installer on the same server as your v4 IdP, the v4 IdP will not function after the install of v5. This may result in an outage for your users.
Upgrading to a new server allows you to run both new and old simultaneously allowing you to fully test the functionality of your new IdP with minimal disruption to your users.
Ansible Package
Access to additional software repositories is required to provide software such as Ansible. For CentOS the Extra Packages for Enterprise Linux (EPEL) repository is required. Please refer to the Fedora Wiki - EPEL for additional information.
Server connectivity
- You MUST have SSH access to the server
- You MUST be able to execute commands as root on the system without limitation
- The server MUST be routable from the public internet with a static IP. Often this means configuring the IP on a local network interface directly, but advanced environments may handle this differently.
- The static IP MUST have a publicly resolvable DNS entry, typically of the form idp.example.edu
The server MUST be able to communicate with the wider internet without blockage due to firewall rules. All publicly routable servers MUST be accessible for:
Port | Purpose |
---|---|
80 | Outbound HTTP connections. Optional: most if not all content required by the IdP is available over HTTPS (port 443), but some bilateral services may provide their metadata over port 80. |
443 | Outbound HTTPS connections |
Each of the following commands MUST succeed when run on your server:
- curl http://example.edu
- curl https://example.edu
If direct access is not available, a web proxy will be required! This will allow the installer to access required content on the Internet.
If direct access is not available, then prior to running the installer and deploy scripts you MUST set the following environment variable. Additional configuration within the IdP will also be required to use the web proxy.
export https_proxy=wwwcache.example.edu:80
The server MUST be accessible from the wider internet without blockage due to firewall rules for:
Port | Purpose |
---|---|
443 | Inbound HTTPS connections used within SAML flows |
8443 (Optional, not recommended) | Backchannel, client-verified TLS connections used within SAML flows. Only required if the Back-Channel is enabled. The AAF recommends that the back channel NOT be enabled, as there are no federation services that require it. Only if you have local services attached to your IdP that require access to the IdP back channel should you enable it. See Shibboleth Wiki - Security and Networking - Back-Channel Support for more details. |
Please refer to the Advanced IdPv4 configuration section if you have a load balancer or similar between your IdP and the Internet.
Environmental data for your IdP
The following information is required by the AAF IdP Installer and must be populated into the bootstrap-v5.ini file prior to running the installer. This applies to both new installations and migrations from V4.
Mandatory
Values required by the IdP to function.
Item | Purpose |
---|---|
Entity ID | The unique technical name of the IdP. If migrating from an older IdP then its entity id MUST be used on the new IdP. |
Host Name | The public domain name of the IdP. May be used in determining the entityID of the IdP. |
Environment | The AAF federation you wish to register your IdP within, being test or production. AAF Support can assist you in determining this. |
Organisation Name | The human readable display name of your organisation |
Organisation base domain | e.g. example.edu, used for the scope of user's scoped attributes |
Organisation Type | The type of organisation |
Source Attribute ID | The user's attribute used in the generation of the auEduPersonSharedToken and eduPersonTargetedID. Usually the user's uid. |
Persistent Attribute ID | The user's attribute used in the generation of the samlSubjectId and samlPairwiseId. This attribute MUST have the following properties: Persistent (NEVER changes once assigned to a user) and Non-reassignable (is NEVER reassigned to another user). |
Install base | Where in the file system you want the IdP to be installed. The default is /opt |
Patch System Software | If enabled, the operating system software will be updated every time the IdP is deployed, that is the command "yum update -y" will be executed. If you have your own system patching regime in place you can disable this feature. Default is enabled. |
Logging configuration
To enable your IdP to send anonymized logs to the AAF you will need to obtain the keys from the AAF Federation Manager tool under Identity Providers / F-Ticks Credentials.
Item | Purpose |
---|---|
FTicks Key ID | Key ID provided by the AAF Federation Manager to allow the collection of anonymous IdP logs. |
FTicks Secret Key | The secret key provided by the AAF Federation Manager to allow the collection of anonymous IdP logs. |
LDAP connection information
If your IdP connects to an LDAP directory or Active Directory server for authentication and attribute resolution you will need to gather the following information. This information is provided using the bootstrap-v5.ini file in the [ldap] section.
The AAF IdP installer only supports connection to one LDAP server. Shibboleth can support multiple LDAP servers as well as other sources of authentication and attributes, including another SAML or OIDC IdP. You’ll need to undertake further customisation during the installation process when prompted. Each of these scenarios is currently outside of the installer's scope.
Item | Purpose |
---|---|
LDAP_URL | LDAP URL the Shibboleth IdP will connect to. The URL can only contain the scheme, address, and port. If a secure (recommended) connection is being made to the LDAP server additional configuration will be required. |
LDAP_BASE_DN | Point from where LDAP will search for users |
LDAP_BIND_DN | The administrator's bind dn |
LDAP_BIND_DN_PASSWORD | The administrator's password |
LDAP_USER_FILTER_ATTRIBUTE | Generally use uid for most LDAP servers and sAMAccountName for MS Active Directory. In some situations the directory will use cn (commonName) to hold the user's unique login name. |
If your LDAP connection is over LDAPS or StartTLS you will need the root and intermediate certificates that make up the certificate chain to the LDAP certificate that protects the LDAP endpoint.
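As an added pre-flight check for the [ldap] values listed above (example code written for this page, not part of the AAF IdP Installer), the following parses a bootstrap-v5.ini fragment and reports anything the installer would reject or the AAF advises against: missing keys, an LDAP_URL carrying more than scheme, address and port, a cleartext ldap:// URL, and an unusual filter attribute. The section name and key names are the ones the table gives; the sample ini content is constructed.

```python
import configparser
from urllib.parse import urlsplit

REQUIRED_KEYS = ("LDAP_URL", "LDAP_BASE_DN", "LDAP_BIND_DN",
                 "LDAP_BIND_DN_PASSWORD", "LDAP_USER_FILTER_ATTRIBUTE")
USUAL_FILTER_ATTRS = {"uid", "sAMAccountName", "cn"}  # the values the table above names

def check_ldap_url(url):
    """Return problems with LDAP_URL; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append(f"LDAP_URL: scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append("LDAP_URL: no host given")
    # The installer accepts scheme, address and port only: no path, query,
    # fragment or embedded credentials (the bind DN belongs in LDAP_BIND_DN).
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        problems.append("LDAP_URL: must contain only scheme, address and port")
    if parts.scheme == "ldap":
        problems.append("LDAP_URL: ldap:// is cleartext unless StartTLS is configured; ldaps:// is recommended")
    return problems

def validate_ldap_section(ini_text):
    """Parse bootstrap-v5.ini text and return a list of problems (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the LDAP_* key names case-sensitive, as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("ldap"):
        return ["missing [ldap] section"]
    ldap = cp["ldap"]
    problems = [f"{k}: missing or empty" for k in REQUIRED_KEYS if not ldap.get(k, "").strip()]
    if ldap.get("LDAP_URL", "").strip():
        problems += check_ldap_url(ldap["LDAP_URL"].strip())
    attr = ldap.get("LDAP_USER_FILTER_ATTRIBUTE", "").strip()
    if attr and attr not in USUAL_FILTER_ATTRS:
        problems.append(f"LDAP_USER_FILTER_ATTRIBUTE: {attr!r} is unusual; expected uid, sAMAccountName or cn")
    return problems

# Constructed sample (not a real deployment): LDAPS, full base DN, AD-style login attribute.
SAMPLE_INI = """[ldap]
LDAP_URL = ldaps://dir.example.edu:636
LDAP_BASE_DN = ou=People,dc=example,dc=edu
LDAP_BIND_DN = cn=idp-reader,ou=Service,dc=example,dc=edu
LDAP_BIND_DN_PASSWORD = placeholder-change-me
LDAP_USER_FILTER_ATTRIBUTE = sAMAccountName
"""
```

Run `validate_ldap_section(open("bootstrap-v5.ini").read())` against your own file before starting the installer; an empty list means the [ldap] section is complete.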
Policy settings
The following settings are used to configure the IdP based on conformance to each of the policies. Additional changes to your IdP's metadata will be required in the AAF Federation Manager to signal compliance to services in the federation and eduGAIN.
Item | Purpose |
---|---|
REFEDS Baseline for IdPs version 1. | This IdP conforms to the REFEDS Baseline Expectations v1 for Identity Providers: Ref: https://refeds.org/baseline-expectations. |
REFEDS Assurance version 2 (RAF). | This IdP conforms to the REFEDS Assurance Frame V2. To conform to this framework, the IdP must also conform to the REFEDS Baseline Expectations v1 (see above). |
REFEDS RAF UNIQUE | Users' identifiers meet the criteria listed in RAFv2. |
REFEDS RAF EPPN UNIQUE | The user's eduPersonPrincipalName either meets the same criteria as the other identifiers above (no-reassign), can be reassigned after 1 year (reassign-1y) or does not meet the requirements (no value). AAF IdPs should aim to provide eduPersonPrincipalName values that are never reassigned. |
REFEDS RAF EPA | The freshness of the user's affiliation values is indicated with this value: whether the affiliation accurately reflects the user's status within 1 working day (1d) or within 31 calendar days (1m). If 1d is asserted, then 1m will automatically also be asserted. |
REFEDS R AND S V1.3 | This IdP conforms to and supports the REFEDS Research and Scholarship (R&S) v1.3. |
REFEDS ANONYMOUS V2 | This IdP conforms to the REFEDS Anonymous Access v.2 Ref: https://refeds.org/category/anonymous |
REFEDS PSEUDONYMOUS V2 | This IdP conforms to the REFEDS Pseudonymous Access v.2 |
REFEDS PERSONALIZED V2 | This IdP conforms to the REFEDS Personalized Access v.2 Ref: https://refeds.org/category/personalized |
REFEDS CODE OF CONDUCT V2 | This IdP conforms to the REFEDS Code of Conduct v.2 Ref: https://refeds.org/category/code-of-conduct/v2 |
Advanced settings
The following settings support either advanced features or features that are no longer supported by the AAF but are supported by the software.
Item | Purpose |
---|---|
Install base | The base path for Shibboleth and the IdP Installer configuration. Changing the base path MUST only occur here; do not attempt to change the base after the initial install. |
FIREWALL | The type of local firewall to deploy. The default is firewalld. Other options include iptables and none. |
ENABLE BACKCHANNEL | The Shibboleth IdP can provide a back channel for Service Providers to communicate directly with the Identity Provider. This has been used for attribute release, transmission of messages via SAML Artifact and more recently for backchannel SLO. The AAF has identified that none of the use cases for the backchannel are relevant to operation within the AAF, and therefore recommends it no longer be enabled by default. If it is required, for example for a standalone Attribute Authority service, then setting this value to true will enable configuration for the backchannel. |
ENABLE EDUGAIN | Enable your IdP to participate in eduGAIN (https://aaf.edu.au/edugain/). Your organisation must be enabled at the federation before being enabled to use eduGAIN services. Setting this value to true will only technically enable your IdP. You MUST complete the steps described on the AAF eduGAIN web site in addition to making the technical changes. |
IDP BEHIND PROXY | If your IdP is behind a load balancer that is SSL offloading, set this value to true. This will enable the IdP to receive requests on port 80 from the load balancer. Note: The IdP MUST be within your DMZ or a similarly protected area that does not allow general access to port 80 on the IdP. |
DEFAULT ENCRYPTION | This option allows you to downgrade encryption from GCM to CBC for all services. Some older services will fail as they are unable to process newer encryption. The recommended approach is to leave the default set at GCM, and carve out exceptions for each SP that doesn't support GCM. Use the Algorithm Metadata Filter (https://wiki.shibboleth.net/confluence/display/IDP5/AlgorithmFilter) to achieve this. Changing the global setting to CBC is NOT recommended for production deployments! Please see https://wiki.shibboleth.net/confluence/display/IDP5/GCMEncryption for more details. |
WEB PROXYHOST | The name of the WEB Proxy server, for example proxy.example.edu.au |
WEB PROXYPORT | The port the proxy listens on. |
Next steps
For all new installs and migrations from version 4, once you’ve finalised these checklists and completed editing the bootstrap-v5.ini file, please continue to the installation stage.