Installing PAPI as an SSO for a Shibboleth IdP
==============================================

Following these instructions, you can configure the SSO service of the Shibboleth
IdP as a PoA of PAPI. This makes the identity of the principal available to the
IdP, as long as the PAPI assertion carries its value in the 'uid' field. No other
field of the assertion is passed on.

These instructions assume the following:

- You have installed at least a PAPI AS and a GPoA following the instructions at
  http://papi.rediris.es/rep/PerlQuickInstall.txt
- You have downloaded the PAPIFilter jar file from:
  ftp://ftp.rediris.es/rediris/papi/java/papifilter.jar
  and the PAPI-Shib wrapper filter from:
  ftp://ftp.rediris.es/rediris/papi/java/PAPIShibWrapperFilter.jar
- You have installed a Shibboleth IdP on this host under http://.../shibboleth-idp

* Create the PoA working directory, the two AES cookie key files (lkey and hkey)
  and the cookie file, and hand them over to the user Tomcat runs as (tomcat5
  here; use the account of your own installation):

$ mkdir /usr/local/PAPI/PAPIFilter
$ ps -ef | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/lkey
$ cat /var/log/messages | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/hkey
$ touch /usr/local/PAPI/PAPIFilter/cookies.txt
$ chown -R tomcat5 /usr/local/PAPI/PAPIFilter

  lkey and hkey are the keys with which the PoA encrypts and decrypts its cookies,
  so anyone who can read them can decrypt or forge cookies for this PoA: make sure
  they are readable only by the Tomcat user, and that the paths used here are the
  same ones given below in PoAconf.xml. Hashing a process listing and a log file
  is a quick way to obtain 32 hexadecimal characters, not a strong source of key
  material; on a production IdP generate both files from a cryptographic random
  source instead.

* Install the filter jars and the Bouncy Castle provider they depend on:

$ cp papifilter.jar $CATALINA_HOME/shared/lib
$ cp PAPIShibWrapperFilter.jar $CATALINA_HOME/shared/lib
$ cd $CATALINA_HOME/common/lib
$ wget http://www.bouncycastle.org/download/bcprov-jdk15-132.jar

* Copy the AS public key to /usr/local/PAPI/PAPIFilter/MyAS_pubkey.pem
* Copy the GPoA public key to /usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem

* In that directory, create the file PoAconf.xml by copying the following and
  changing poahost, ashost, etc.:

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  Configuration file for PAPI filter in Tomcat
  Version: 0.2 06/07/2006
  Author: Ajay Daryanani Arjandas
-->
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>

<!-- Recognized AS's. For each AS, define: description, file path,
     public & private key files and URL, with the format: ASname.parameter -->
<!--
<entry key="MyAS.desc">Test AuthServer</entry>
<entry key="MyAS.pubkeyName">/usr/local/PAPI/PAPIFilter/MyAS_pubkey.pem</entry>
<entry key="MyAS.URL">http://ashost/cgi-bin/AuthServer</entry>
-->

<!-- Cookie encrypting/decrypting AES key files -->
<entry key="PoAkeys.lkeyName">/usr/local/PAPI/PAPIFilter/lkey</entry>
<entry key="PoAkeys.hkeyName">/usr/local/PAPI/PAPIFilter/hkey</entry>

<!-- PoA configuration values -->
<entry key="PoAconf.serviceID">id_papifilter</entry>
<entry key="PoAconf.location">/shibboleth-idp/SSO</entry>
<entry key="PoAconf.path">/usr/local/PAPI/PAPIFilter/</entry>
<entry key="PoAconf.cookieFile">cookies.txt</entry>
<entry key="PoAconf.cookieMaxAge">604800</entry>
<entry key="PoAconf.Cookie_Reject">any => accept</entry>
<entry key="PoAconf.Lcook_Timeout">300000</entry>
<entry key="PoAconf.acceptURL">$CATALINA_HOME/conf/PAPI/blueball.gif</entry>
<entry key="PoAconf.rejectURL">$CATALINA_HOME/conf/PAPI/redball.gif</entry>
<entry key="PoAconf.rejectMessage">You don't have the right cookies</entry>
<entry key="PoAconf.POST_Method">manual</entry>
<entry key="PoAconf.URL_Timeout">50000</entry>
<entry key="PoAconf.PAPI_Filter">any => accept</entry>
<entry key="PoAconf.attSeparator">,</entry>
<entry key="PoAconf.valSeparator">-</entry>
<entry key="PoAconf.attValSeparator">=</entry>

<!-- Parent GPoA values -->
<entry key="ParentGPoA.URL">http://poahost/gpoa/PAPI/cookie_handler.cgi</entry>
<entry key="ParentGPoA.pubkeyName">/usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem</entry>

</properties>
<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>

* Add the following lines to $CATALINA_HOME/webapps/shibboleth-idp/WEB-INF/web.xml,
  just before the closing '</web-app>'. The url-pattern /SSO, prefixed with the
  /shibboleth-idp context path, is the /shibboleth-idp/SSO given as
  PoAconf.location above. Keep the two filter-mapping elements in this order: the
  servlet container applies filters in the order their mappings appear in
  web.xml, and the wrapper filter has to run after the PAPI Filter has processed
  the request.

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
<filter>
  <filter-name>PAPI Filter</filter-name>
  <filter-class>es.rediris.papi.filter.PAPIFilter</filter-class>
  <init-param>
    <param-name>PAPI.configFile</param-name>
    <param-value>/usr/local/PAPI/PAPIFilter/PoAconf.xml</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>PAPI Filter</filter-name>
  <url-pattern>/SSO</url-pattern>
</filter-mapping>

<filter>
  <filter-name>PAPI Shib Wrapper Filter</filter-name>
  <filter-class>es.rediris.papi.filter.PAPIShibWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>PAPI Shib Wrapper Filter</filter-name>
  <url-pattern>/SSO</url-pattern>
</filter-mapping>
<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
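As an added example (my own code, not part of PAPI or of the Shibboleth distribution), the following Python script cross-checks a deployment like the one above: it parses PoAconf.xml (a java.util.Properties XML file) and the IdP's web.xml, and verifies that every key file named in the configuration exists, that the AES cookie keys are not readable by group or others, that PAPI.configFile in web.xml points at the PoAconf.xml being checked, that each filter's url-pattern prefixed with the /shibboleth-idp context path equals PoAconf.location, and that the PAPI Filter mapping precedes the wrapper's. The embedded PoAconf.xml and web.xml samples are constructed copies of the fragments on this page, and FAKE_DISK is a constructed picture of a botched install (hkey written to a directory other than the one PoAconf.xml names, lkey created with mode 0644); check() takes a mode_of callable so it can run against that fake disk as well as the real filesystem.

```python
import os
import stat
import xml.etree.ElementTree as ET

PAPI_FILTER = "es.rediris.papi.filter.PAPIFilter"
WRAPPER_FILTER = "es.rediris.papi.filter.PAPIShibWrapperFilter"
REQUIRED_KEYS = ("PoAkeys.lkeyName", "PoAkeys.hkeyName", "PoAconf.location",
                 "ParentGPoA.URL", "ParentGPoA.pubkeyName")
# Constructed samples: a trimmed PoAconf.xml and the web.xml fragment as on the page.
SAMPLE_POACONF = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<entry key="PoAkeys.lkeyName">/usr/local/PAPI/PAPIFilter/lkey</entry>
<entry key="PoAkeys.hkeyName">/usr/local/PAPI/PAPIFilter/hkey</entry>
<entry key="PoAconf.location">/shibboleth-idp/SSO</entry>
<entry key="ParentGPoA.URL">http://poahost/gpoa/PAPI/cookie_handler.cgi</entry>
<entry key="ParentGPoA.pubkeyName">/usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem</entry>
</properties>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
<filter><filter-name>PAPI Filter</filter-name><filter-class>es.rediris.papi.filter.PAPIFilter</filter-class>
<init-param><param-name>PAPI.configFile</param-name>
<param-value>/usr/local/PAPI/PAPIFilter/PoAconf.xml</param-value></init-param></filter>
<filter-mapping><filter-name>PAPI Filter</filter-name><url-pattern>/SSO</url-pattern></filter-mapping>
<filter><filter-name>PAPI Shib Wrapper Filter</filter-name>
<filter-class>es.rediris.papi.filter.PAPIShibWrapperFilter</filter-class></filter>
<filter-mapping><filter-name>PAPI Shib Wrapper Filter</filter-name><url-pattern>/SSO</url-pattern></filter-mapping>
</web-app>"""
# Constructed disk state of a botched install: hkey written to the wrong directory and
# lkey created under a default umask, so group and others can read it.
FAKE_DISK = {"/usr/local/PAPI/PAPIFilter/lkey": 0o644, "/usr/local/PAPIFilter/hkey": 0o644,
             "/usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem": 0o644}


def _local(tag):  # drop the namespace prefix ({uri}tag) that web.xml usually carries
    return tag.rsplit("}", 1)[-1]


def parse_properties(xml_data):
    """PoAconf.xml is a java.util.Properties XML file: <entry key="k">v</entry>."""
    return {e.get("key"): (e.text or "").strip()
            for e in ET.fromstring(xml_data).iter("entry")}


def parse_web_xml(xml_data):
    """Return ({name: (class, {param: value})}, [(name, url-pattern), ...] in file order)."""
    filters, mappings = {}, []
    for el in ET.fromstring(xml_data):
        kind = _local(el.tag)
        f = {_local(c.tag): (c.text or "").strip() for c in el}
        if kind == "filter":
            params = {}
            for p in el:
                if _local(p.tag) == "init-param":
                    kv = {_local(c.tag): (c.text or "").strip() for c in p}
                    params[kv.get("param-name")] = kv.get("param-value")
            filters[f["filter-name"]] = (f["filter-class"], params)
        elif kind == "filter-mapping":
            mappings.append((f["filter-name"], f["url-pattern"]))
    return filters, mappings


def check(poaconf_xml, web_xml, poaconf_path, context="/shibboleth-idp",
          mode_of=lambda p: stat.S_IMODE(os.stat(p).st_mode) if os.path.exists(p) else None):
    """Return a list of findings; an empty list means the deployment is consistent."""
    props = parse_properties(poaconf_xml)
    findings = [f"PoAconf.xml: missing {k}" for k in REQUIRED_KEYS if not props.get(k)]
    # Every *keyName file must exist; the AES cookie keys (PoAkeys.*) must also be private.
    for k, path in ((k, v) for k, v in props.items() if k.endswith("keyName")):
        mode = mode_of(path)
        if mode is None:
            findings.append(f"{k}: file not found: {path}")
        elif k.startswith("PoAkeys.") and mode & 0o077:
            findings.append(f"{k}: {path} is readable by group/others (mode {mode:04o})")
    filters, mappings = parse_web_xml(web_xml)
    by_class = {cls: name for name, (cls, _) in filters.items()}
    papi, wrapper = by_class.get(PAPI_FILTER), by_class.get(WRAPPER_FILTER)
    for cls, name in ((PAPI_FILTER, papi), (WRAPPER_FILTER, wrapper)):
        if name is None:
            findings.append(f"web.xml: no <filter> with class {cls}")
    if papi and filters[papi][1].get("PAPI.configFile") != poaconf_path:
        findings.append(f"web.xml: PAPI.configFile does not point at {poaconf_path}")
    # Container applies filters in filter-mapping order; PAPIFilter must precede the wrapper.
    order = {name: (i, p) for i, (name, p) in reversed(list(enumerate(mappings)))}
    location = props.get("PoAconf.location", "")
    for name in filter(None, (papi, wrapper)):
        if name not in order:
            findings.append(f"web.xml: filter {name!r} has no <filter-mapping>")
        elif context + order[name][1] != location:
            findings.append(f"web.xml: {name!r} maps {order[name][1]}, PoAconf.location is {location}")
    if papi in order and wrapper in order and order[papi][0] > order[wrapper][0]:
        findings.append("web.xml: PAPIShibWrapperFilter is mapped before PAPIFilter")
    return findings


def demo():
    return check(SAMPLE_POACONF, SAMPLE_WEB_XML,
                 "/usr/local/PAPI/PAPIFilter/PoAconf.xml", mode_of=FAKE_DISK.get)
```

To run it against a real IdP, read PoAconf.xml and web.xml as bytes (open(path, "rb").read()) so the encoding declared in PoAconf.xml is honoured, and pass the PoAconf.xml path as poaconf_path; demo() reproduces the two findings the botched fake install yields (lkey readable by group/others, hkey missing from the directory PoAconf.xml names). The ordering rule the check relies on is the Servlet specification's: filters matched by url-pattern are applied in the order of their filter-mapping elements.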