Enabling SSO with CQ5 – Part III

In the previous part, we discussed protecting CQ5 author instances when CQ5 acts as a service provider (SP). In this blog post, we’ll cover how to protect any published resource/website. We’ll be using Shibboleth SP for the same.

Necessary Steps:

1. Installing LDAP Server.
2. Installing Shibboleth IdP.
3. Installing Apache Tomcat on Ubuntu.
4. Configuring Shibboleth IdP.
5. Installation of SP.
6. Make Apache aware of shibboleth
7. The configuration of Shibboleth SP and providing it to IdP.
8. Protecting and accessing the CQ published resource.

Steps 1-4 have already been covered in Part I. Subsequent steps are explained below :

5. Installation of SP

Installing SP and its configuration was a bit difficult task for me as the existing documentation was not very clear. I would like to mention a few important points and brief the installation steps below.

Installing Apache2
sudo apt-get install apache2

Installing Shibboleth SP
The easiest way to install SP is via the command line.

sudo apt-get install libapache2-mod-shib2 shibboleth-sp2-schemas

When the installation is completed, various components of Shibboleth will be placed in appropriate directories based on the OS file system layout. You may check:

• Shibboleth configuration files will be placed at /etc/shibboleth/ and the necessary Apache configuration in /etc/httpd/conf.d/shib.conf
• shibd will be installed to /usr/sbin and maybe managed using /sbin/service and /sbin/chkconfig
• An appropriate version of mod_shib and other pluggable modules will be installed to /usr/lib/shibboleth/
• Logs will be located in /var/log/shibboleth/shibd.log

The installation directory structure may vary depending upon the OS version/type you are using. It might happen that some of the folders/files mentioned above might not be present in your file system. In my case, I was not able to see /etc/httpd/conf.d/shib.conf file. If the same thing happens with you, then make all apache related configurations in apache2.conf file as per the apache installation directory structure in your system.

Initial testing can be done by hitting the URL http://localhost/Shibboleth.sso/Status.

6. Make Apache aware of Shibboleth
Tell apache where to find the mod_shib you just installed (assuming you are using Apache 2.2). Add the below line in apache2.conf file.

LoadModule mod_shib /usr/lib/apache2/modules/mod_shib_22.so

Note : (For CQ only ) If you have enabled dispatcher, make sure you specify the above line before dispatcher loading i.e. shibd should load before dispatcher gets load.

7. Configuration of Shibboleth SP and providing it to IdP.
The way shibboleth works are by running a daemon called shibd at the same time apache runs, and then mod_shib.so knows how to talk to shibd.

Configure /etc/shibboleth/shibboleth2.xml
This file tells mod_shib and shibd all about your setup. It is probably already full of data, but be careful – you need to configure it to know which IdP you’re connecting to. Take a backup of the original file before directly editing this one.

Make sure the ‘entityID’ points at your machine. Update the entityID in <ApplicationDefaults> tag as follows. (You can provide your own ID as well)

&amp;lt;ApplicationDefaults REMOTE_USER=&amp;quot;eppn persistent-id targeted-id&amp;quot; entityID=&amp;quot;http://&amp;lt;your domain&amp;gt;/shibboleth&amp;quot;&amp;gt;

I’ll be using as the Entity Id.
Configure the IdP you want to use. Provide the entity ID of the IdP configured in part I or you can simply copy the entity ID present in <SAML_IDP_HOME>/metadata/idp-metadata.xml file

&amp;lt;SSO entityID=&amp;quot;https://idp.intelligrape.com/idp/shibboleth&amp;quot;&amp;gt;SAML2 SAML1&amp;lt;/SSO&amp;gt;

Also, specify where the IdP’s metadata will come from. At the IdP server, copy its metadata file idp-metadata.xml located at <SAML_IDP_HOME>/metadata directory and place it at your SP server at location /etc/shibboleth/ directory. Add the below tag in /etc/shibboleth/shibboleth2.xml if not already present.

&amp;lt;MetadataProvider type=&amp;quot;XML&amp;quot; file=&amp;quot;idp-metadata.xml&amp;quot;/&amp;gt;

Configure SP’s Metadata file

• If you read the instructions at the shibboleth site they seem to VERY STRONGLY IMPLY that you need to construct your own Metadata file for an SP. It is PARTLY true. To start off with, let provide a Metadata file for you. shibd will create one on-the-fly and serve it to you automatically.
• Copy and paste the contents in a file say sp-metadata.xml. Save this file to the location <SAML_IDP_HOME>/metadata. Once you create or acquire metadata for SP, you must supply it to the IdP. Similarly, the IdP MUST supply its metadata to the SP which was already done in the previous step.
• At IdP server add the following to the relying-party.xml file (at <SAML_IDP_HOME>/conf/) just after the IdP’s own metadata is defined:

&amp;lt;metadata:MetadataProvider xsi:type=&amp;quot;FilesystemMetadataProvider&amp;quot; xmlns=&amp;quot;urn:mace:shibboleth:2.0:metadata&amp;quot;
id=&amp;quot;SPMETADATA&amp;quot; metadataFile=&amp;quot;&amp;lt;SAML_IDP_HOME&amp;gt;/metadata/sp-metadata.xml&amp;quot;/&amp;gt;

In relyingParty.xml, we need to specify the details of IdP’s metadata and any other service provider’s metadata file that relies on our IdP. IdP’s metadata file is already provided in Part I. While specifying the relying party and metadata of SP, the value of Provider attribute in <rp:RelyingParty> tag should be the same as that of EntityId specified in the above metadata file. Also, change encryptAssertions attribute to “never”.

&amp;lt;rp:RelyingParty id=&amp;quot;my.domain.com&amp;quot; provider=&amp;quot;http://my.domain.com/shibboleth&amp;quot; defaultSigningCredentialRef=&amp;quot;IdPCredential&amp;quot;
defaultAuthenticationMethod=&amp;quot;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&amp;quot;&amp;gt;
&amp;lt;rp:ProfileConfiguration xsi:type=&amp;quot;saml:SAML2SSOProfile&amp;quot; inclu deAttributeStatement=&amp;quot;true&amp;quot;
assertionLifetime=&amp;quot;PT5M&amp;quot; assertionProxyCount=&amp;quot;0&amp;quot;
signResponses=&amp;quot;never&amp;quot; signAssertions=&amp;quot;always&amp;quot;
encryptAssertions=&amp;quot;never&amp;quot; encryptNameIds=&amp;quot;never&amp;quot;
includeConditionsNotBefore=&amp;quot;true&amp;quot;/&amp;gt;
&amp;lt;rp:ProfileConfiguration xsi:type=&amp;quot;saml:SAML2ArtifactResolutio nProfile&amp;quot; signResponses=&amp;quot;never&amp;quot; signAssertions=&amp;quot;always&amp;quot;
encryptAssertions=&amp;quot;never&amp;quot; encryptNameIds=&amp;quot;never&amp;quot;/&amp;gt;
&amp;lt;/rp:RelyingParty&amp;gt;

Modify the /etc/shibboleth/attribute-map.xml file to have a list of all the attributes being released from IdP. There are already a lot of attributes mentioned in the file but are commented out. You can find out your own attribute and uncomment it or you can use the below.

&amp;lt;Attribute name=&amp;quot;urn:mace:dir:attribute-def:uid&amp;quot; id=&amp;quot;uid&amp;quot;/&amp;gt;

8. Protecting and accessing the CQ published resource.
In apache2.conf, enable the dispatcher if not already enabled. You can refer to the existing documentation or this excellent blog can be followed.

We can use shibboleth to secure the published content. Only authenticated users can access a resource, otherwise, the request should not be processed. Below is the block diagram for how the request is processed.

In order to check that SP is working, protect a directory by acquiring a shibboleth session. Add the below in shib.conf (if present in your system) , otherwise, you can specify the same in httpd.conf file. For ubuntu, you can specify it in the file where virtual host entries are present. In my case it was /etc/apache2/sites-available/default . It may vary depending upon the installation structure.

&amp;lt;Location /path/to/secure/content&amp;gt;
# this Location directive is what redirects apache over to the IdP.
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
&amp;lt;/Location&amp;gt;

• Note that the path mentioned in the Location element is relative to the Directory root. A sample configuration can be found at the end of the document.
• Try to access the published page, you should be presented with an IDP login page. Pass the valid credentials to access the page.
• Note that this configuration can be used to protect any cached website/directory. This implementation is not just limited to CQ.

Troubleshooting :

• Please make sure to restart tomcat to reflect the changes you do in IdP’s configuration files. For starting/shutting tomcat , go to <TOMCAT_HOME>/bin and run the startup.sh/shutdown.sh respectively.
• Restart the apache server after every change in the apache.conf files.
• If you have enabled the dispatcher module for CQ, make sure you enable it for CQ cached directory only to avoid unwanted errors.

&amp;lt;Directory /path/to/CQ/cached/content&amp;gt;
&amp;lt;IfModule disp_apache2.c&amp;gt;
SetHandler dispatcher-handler
&amp;lt;/IfModule&amp;gt;
Options FollowSymLinks
AllowOverride None
&amp;lt;/Directory&amp;gt;

When you access the published page, make sure not to specify the port no <4503>.
Sample Virtual Host Entry in the apache configuration.

&amp;lt;VirtualHost *:80&amp;gt;
ServerAdmin webmaster@localhost
ServerName publish.intelligrape.com

DocumentRoot /var/cache/apache2/cq-cache
&amp;lt;Directory /&amp;gt;
Allow from all
Options FollowSymLinks MultiViews
AllowOverride None
&amp;lt;/Directory&amp;gt;

&amp;lt;Location /content&amp;gt;
AuthType shibboleth
ShibRequireSession On
require valid-user
&amp;lt;/Location&amp;gt;

ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
&amp;lt;/VirtualHost&amp;gt;

Reference Links
http://csrdu.org/blog/2011/07/04/shibboleth-idp-sp-installation-configuration/
http://www.jeesty.com/shibboleth
https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
http://www.switch.ch/aai/support/serviceproviders/sp-access-rules.html