Installing PAPI as an SSO for a Shibboleth IdP
==============================================

Luis Meléndez - Universidad de Córdoba (SPAIN)
----------------------------------------------

Following these instructions, you can configure the SSO service of a
Shibboleth IdP as a PAPI PoA. With them, the principal's identity will be
available to the IdP as long as the PAPI assertion contains its value in
an attribute labeled 'uid'. Any other attribute in the assertion is
ignored by the IdP.

These instructions assume the following:

- You have installed at least a PAPI AS and a GPoA following the
  instructions of http://papi.rediris.es/rep/PerlQuickInstall.txt

- You have downloaded the PAPIFilter jar file from:
    ftp://ftp.rediris.es/rediris/papi/java/papifilter.jar
  and the PAPI-Shib wrapper filter from:
    ftp://ftp.rediris.es/rediris/papi/java/PAPIShibWrapperFilter.jar

- You have installed a Shibboleth IdP in this host under
  http://.../shibboleth-idp

  $ mkdir /usr/local/PAPI/PAPIFilter
  $ ps -ef | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/lkey
  $ cat /var/log/messages | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/hkey
  $ touch /usr/local/PAPI/PAPIFilter/cookies.txt
  $ chown -R tomcat5 /usr/local/PAPI/PAPIFilter
  $ cp papifilter.jar $CATALINA_HOME/shared/lib
  $ cp PAPIShibWrapperFilter.jar $CATALINA_HOME/shared/lib
  $ cd $CATALINA_HOME/common/lib
  $ wget http://www.bouncycastle.org/download/bcprov-jdk15-132.jar

* Copy the AS public key to /usr/local/PAPI/PAPIFilter/MyAS_pubkey.pem

* Copy the GPoA public key to /usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem

In that directory, create the file PoAconf.xml, copying the following
lines and changing poahost, ashost, etc. according to your local
installation:

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
/usr/local/PAPI/PAPIFilter/lkey /usr/local/PAPI/PAPIFilter/hkey
id_papifilter /shibboleth-idp/SSO /usr/local/PAPI/PAPIFilter/ cookies.txt
604800 any => accept 300000 $CATALINA_HOME/conf/PAPI/blueball.gif
$CATALINA_HOME/conf/PAPI/redball.gif You don't have the right cookies
manual 50000 any => accept , - =
http://poahost/gpoa/PAPI/cookie_handler.cgi
/usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem
<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>

* Add the following lines to
  $CATALINA_HOME/webapps/shibboleth-idp/WEB-INF/web.xml
  just before the last '</web-app>'

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
<filter>
  <filter-name>PAPI Filter</filter-name>
  <filter-class>es.rediris.papi.filter.PAPIFilter</filter-class>
  <init-param>
    <param-name>PAPI.configFile</param-name>
    <param-value>/usr/local/PAPI/PAPIFilter/PoAconf.xml</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>PAPI Filter</filter-name>
  <url-pattern>/SSO</url-pattern>
</filter-mapping>
<filter>
  <filter-name>PAPI Shib Wrapper Filter</filter-name>
  <filter-class>es.rediris.papi.filter.PAPIShibWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>PAPI Shib Wrapper Filter</filter-name>
  <url-pattern>/SSO</url-pattern>
</filter-mapping>
<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
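
The lkey and hkey commands in these instructions hash the process list and the syslog file, input that other local users can largely observe. As an added example (not part of the original instructions or of the PAPI distribution), the following shell functions draw keys of the same 32-hex-character shape from /dev/urandom and check their format and permissions. The function names are hypothetical, and the example assumes the filter accepts any 32 hex characters.

```shell
#!/bin/sh
# Added example (not from the PAPI distribution).
# Assumption: the filter accepts any 32 lowercase hex characters, the
# shape the md5sum | cut -c1-32 pipelines produce.

# gen_papi_key FILE: write a fresh 32-hex-character key to FILE with
# mode 0600. Refuses to replace an existing file.
gen_papi_key() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 1
    fi
    # 16 bytes from the kernel CSPRNG, hex-encoded.
    key=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
    # Fail closed on a short read instead of storing a weak key.
    [ "${#key}" -eq 32 ] || return 1
    ( umask 077 && printf '%s\n' "$key" > "$keyfile" )
}

# check_papi_key FILE: succeed only if FILE holds exactly 32 lowercase
# hex characters and grants no permissions to group or others.
check_papi_key() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    key=$(cat "$keyfile")
    [ "${#key}" -eq 32 ] || return 1
    case $key in
        *[!0-9a-f]*) return 1 ;;
    esac
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage, before the chown step (paths as on this page):
#   gen_papi_key /usr/local/PAPI/PAPIFilter/lkey
#   gen_papi_key /usr/local/PAPI/PAPIFilter/hkey
#   check_papi_key /usr/local/PAPI/PAPIFilter/lkey
```

Because the files are created with mode 0600, the chown -R tomcat5 step leaves them readable only by the Tomcat user.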