Installing PAPI as an SSO for a Shibboleth IdP
==============================================
Luis Meléndez - Universidad de Córdoba (SPAIN)
----------------------------------------------

Following these instructions, you can configure the SSO service of a
Shibboleth IdP as a PAPI PoA. The principal's identity will then be
available to the IdP as long as the PAPI assertion contains its
value in an attribute labeled 'uid'.
Any other attribute in the assertion is ignored by the IdP.

These instructions assume the following:

- You have installed at least a PAPI AS and a GPoA following the
  instructions at
  http://papi.rediris.es/rep/PerlQuickInstall.txt
- You have downloaded the PAPIFilter jar file from:
  ftp://ftp.rediris.es/rediris/papi/java/papifilter.jar
  and the PAPI-Shib wrapper filter from:
  ftp://ftp.rediris.es/rediris/papi/java/PAPIShibWrapperFilter.jar
- You have installed a Shibboleth IdP in this host under
  http://.../shibboleth-idp

$ mkdir /usr/local/PAPI/PAPIFilter
$ ps -ef | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/lkey
$ cat /var/log/messages | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/hkey
$ touch /usr/local/PAPI/PAPIFilter/cookies.txt
$ chown -R tomcat5 /usr/local/PAPI/PAPIFilter
$ cp papifilter.jar $CATALINA_HOME/shared/lib
$ cp PAPIShibWrapperFilter.jar $CATALINA_HOME/shared/lib
$ cd $CATALINA_HOME/common/lib
$ wget http://www.bouncycastle.org/download/bcprov-jdk15-132.jar
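
The lkey and hkey commands above hash a process listing and the system log, which are not secret random values. As an added example that is not part of the original instructions, the same two files can be filled from the kernel CSPRNG instead; it assumes PAPIFilter needs only 32 hex characters per file (the format the md5sum commands produce), and `gen_papi_key` and `check_papi_key` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original guide): CSPRNG-backed lkey/hkey files.
# Assumption: PAPIFilter accepts any 32 hex characters per key file, which is
# exactly what "md5sum | cut -c1-32" writes in the steps above.

# gen_papi_key FILE: write 32 hex chars (128 random bits) to FILE, mode 0600.
gen_papi_key() {
    (
        umask 077                        # new file is never group/world readable
        key=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
        [ "${#key}" -eq 32 ] || exit 1   # short read: refuse to write a weak key
        rm -f -- "$1"                    # drop any old file with looser modes
        printf '%s\n' "$key" > "$1"
        chmod 600 "$1"
    )
}

# check_papi_key FILE: succeed only if FILE holds exactly 32 lowercase hex
# chars and has no group/other permission bits. This validates format and
# exposure only; it cannot tell how the key material was generated.
check_papi_key() {
    key=$(cat "$1") || return 1
    case "$key" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#key}" -eq 32 ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ]
}

# Stand-alone use: pass the key file paths as arguments, e.g.
#   sh genkeys.sh /usr/local/PAPI/PAPIFilter/lkey /usr/local/PAPI/PAPIFilter/hkey
for f in "$@"; do
    gen_papi_key "$f" && check_papi_key "$f" || exit 1
done
```

Run it before the `chown -R tomcat5` step so the files end up owned by the Tomcat user and readable by no one else.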
* Copy the AS public key to /usr/local/PAPI/PAPIFilter/MyAS_pubkey.pem
* Copy the GPoA public key to /usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem

In that directory, create the file PoAconf.xml by copying the
following lines and changing poahost, ashost, etc. according to your local
installation:

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
/usr/local/PAPI/PAPIFilter/lkey
/usr/local/PAPI/PAPIFilter/hkey
id_papifilter
/shibboleth-idp/SSO
/usr/local/PAPI/PAPIFilter/
cookies.txt
604800
any => accept
300000
$CATALINA_HOME/conf/PAPI/blueball.gif
$CATALINA_HOME/conf/PAPI/redball.gif
You don't have the right cookies
manual
50000
any => accept
,
-
=
http://poahost/gpoa/PAPI/cookie_handler.cgi
/usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem
<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>

* Add the following lines to
  $CATALINA_HOME/webapps/shibboleth-idp/WEB-INF/web.xml
  just before the last '</web-app>'

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
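<filter>
  <filter-name>PAPI Filter</filter-name>
  <filter-class>es.rediris.papi.filter.PAPIFilter</filter-class>
  <init-param>
    <param-name>PAPI.configFile</param-name>
    <param-value>/usr/local/PAPI/PAPIFilter/PoAconf.xml</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>PAPI Filter</filter-name>
  <url-pattern>/SSO</url-pattern>
</filter-mapping>
<filter>
  <filter-name>PAPI Shib Wrapper Filter</filter-name>
  <filter-class>es.rediris.papi.filter.PAPIShibWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>PAPI Shib Wrapper Filter</filter-name>
  <url-pattern>/SSO</url-pattern>
</filter-mapping>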
<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>