Prepare Shibboleth SP for Production deployment
This document assumes you have installed, configured and run Shibboleth SP successfully in a test environment. If not, please work through the Setup guide first.
Attributes
Plan ahead for the attributes your application needs. You must obtain permission from the respective data stewards for each attribute before the IdP will release it.
If you already obtained that approval during test, you are probably fine; however, confirm with AIS before going live, since release policy is tied to the providerId you register (see below) and a new production providerId may need the approval re-applied.
shibboleth.xml
providerId
You may have chosen a providerId in test that is not appropriate for production. Choose a new providerId and provide it to the IdP (AIS).
providerId is simply the identifier of your SP instance. Choose something meaningful that relates to your application and that you will not need to change later: the IdP keys its attribute release policy on this exact string, so it must match what you registered with AIS character for character.
Read the article about choosing a providerId at https://spaces.internet2.edu/display/SHIB/EntityNaming
<Applications id="yourappname" providerId="https://prod.yourhost.ucla.edu/yourappname" homeURL="https://yourhost.ucla.edu/index.html" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
WAYF url
Change wayfURL to the production IdP's Single Sign-On endpoint. Despite the attribute name, when no WAYF is in use this value points directly at the IdP's SSO service, and it must be an https URL.
<SessionInitiator isDefault="true" id="yourappname" Location="/index.html" Binding="urn:mace:shibboleth:sp:1.3:SessionInit" wayfURL="https://shb.ais.ucla.edu/shibboleth-idp/SSO">
SSL
If your application is served over https you will need to turn the SSL settings back on in shibboleth.xml. Add handlerSSL="true" (so the /Shibboleth.sso handlers only accept https) and redirectToSSL="443" (so plain-http requests are redirected) back into the Sessions element. Whenever handlerSSL="true" is set, also set cookieProps="; path=/; secure" so the browser marks the session cookie Secure and never sends it over plain http; without that flag the SAML session can be hijacked from unencrypted traffic. The result looks like the following:
<Sessions lifetime="28800" timeout="3600" checkAddress="false" consistentAddress="true" handlerURL="/Shibboleth.sso" handlerSSL="true" redirectToSSL="443" cookieProps="; path=/; secure" idpHistory="true" idpHistoryDays="7">
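The providerId, wayfURL and SSL steps above can be checked mechanically before go-live. The following is an added example, not code from this page or from the Shibboleth project: it parses a shibboleth.xml (SP 1.3 element and attribute names) and lists the settings that still look like a test deployment. Both configuration documents in the block are constructed for the example; the hostnames in them are placeholders.

```python
"""Production-readiness check for a Shibboleth SP 1.3 shibboleth.xml.

Added example, not code from the UCLA page: it parses the SPConfig document
and reports settings that this page says must change before go-live.
Element and attribute names follow SP 1.3; both configs below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: the kind of settings left over from a test deployment.
TEST_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0">
  <Applications id="yourappname" providerId="https://test.yourhost.ucla.edu/yourappname">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
              handlerSSL="false" cookieProps="; path=/">
      <SessionInitiator isDefault="true" id="yourappname" Location="/index.html"
          wayfURL="http://test-idp.example.edu/shibboleth-idp/SSO"/>
    </Sessions>
  </Applications>
</SPConfig>"""

# Constructed: the same file with the production settings from this page.
PROD_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0">
  <Applications id="yourappname" providerId="https://prod.yourhost.ucla.edu/yourappname">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
              handlerSSL="true" redirectToSSL="443" cookieProps="; path=/; secure">
      <SessionInitiator isDefault="true" id="yourappname" Location="/index.html"
          wayfURL="https://shb.ais.ucla.edu/shibboleth-idp/SSO"/>
    </Sessions>
  </Applications>
</SPConfig>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Sessions' -> 'Sessions'."""
    return tag.rsplit("}", 1)[-1]


def _first(root, name):
    """First element in document order with the given local name, or None."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def production_issues(xml_text):
    """Return a list of problems found; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    issues = []

    apps = _first(root, "Applications")
    provider_id = apps.get("providerId", "") if apps is not None else ""
    if not provider_id.startswith("https://"):
        issues.append("providerId is not an https URL: %r" % provider_id)

    init = _first(root, "SessionInitiator")
    wayf = init.get("wayfURL", "") if init is not None else ""
    if not wayf.startswith("https://"):
        issues.append("wayfURL is not the IdP's https SSO endpoint: %r" % wayf)

    sessions = _first(root, "Sessions")
    if sessions is None:
        issues.append("no <Sessions> element found")
        return issues
    if sessions.get("handlerSSL", "false").lower() != "true":
        issues.append("handlerSSL is not true: handler traffic may go over plain http")
    if "secure" not in sessions.get("cookieProps", "").lower():
        issues.append("cookieProps lacks 'secure': the session cookie can leak over http")
    if sessions.get("redirectToSSL") is None:
        issues.append('redirectToSSL is unset: add redirectToSSL="443"')
    return issues


if __name__ == "__main__":
    for label, cfg in (("test", TEST_CONFIG), ("prod", PROD_CONFIG)):
        print(label, production_issues(cfg) or "ready for production")
```

Run it against your real file with production_issues(open("/etc/shibboleth/shibboleth.xml").read()); the checks are deliberately strict (an https wayfURL that points at a test IdP still passes), so treat an empty list as necessary, not sufficient.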
Metadata
Our production metadata is maintained by InCommon. Download the production metadata file from http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml and save it on the server. Note that this URL is plain http, so the download itself is not authenticated: before installing the file, verify its XML signature against the InCommon metadata signing certificate (check the certificate's fingerprint against the value InCommon publishes). The AIS IdP is registered under entityId urn:mace:incommon:ucla.edu; confirm that entity is present in the file you downloaded.
Change uri to the correct location of this metadata file.
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata" uri="/etc/shibboleth/InCommon-metadata.xml"/>
- The metadata carries an expiration date (the validUntil attribute on the root element) and expires monthly, so at minimum you must refresh it every month; once validUntil has passed the SP will reject the file and logins will fail. We strongly recommend refreshing daily so that you always have the most up-to-date keys and registration information. Visit the instructions on How to refresh InCommon metadata.
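A refresh job should also tell you when the file on disk is about to expire and whether the IdP you depend on is actually in it. The following is an added example, not code from this page or from InCommon: it reads validUntil from a metadata aggregate, looks up the entity by entityID and returns its SingleSignOnService locations. The metadata document embedded in it is constructed for the example and is not real InCommon metadata. Signature verification is a separate step that this block does not perform.

```python
"""Freshness check for a downloaded InCommon-style metadata aggregate.

Added example, not code from the UCLA page. It reads validUntil, confirms
the AIS IdP entity is present, and lists its SSO endpoints. It does NOT
verify the XML signature; do that against the InCommon signing certificate
before installing the file. The metadata below is constructed, not real
InCommon metadata.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: two IdPs, aggregate valid until 2009-04-15.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:incommon" validUntil="2009-04-15T19:00:00Z">
  <EntityDescriptor entityID="urn:mace:incommon:ucla.edu">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol">
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://shb.ais.ucla.edu/shibboleth-idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://other.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://other.example.edu/idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC, e.g. 2009-04-15T19:00:00Z (fraction optional)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def check_metadata(xml_text, entity_id, now_utc=None, warn_days=7):
    """Report on validUntil and on the requested IdP entity.

    now_utc is an ISO timestamp string (for deterministic runs) or None for
    the current time. Returns status, days_left, idp_found and sso_locations.
    """
    root = ET.fromstring(xml_text)
    raw = root.get("validUntil")
    if raw is None:
        raise ValueError("metadata has no validUntil attribute on the root element")
    valid_until = parse_saml_time(raw)
    now = parse_saml_time(now_utc) if now_utc else datetime.now(timezone.utc).replace(tzinfo=None)
    days_left = (valid_until - now).total_seconds() / 86400.0
    if days_left <= 0:
        status = "EXPIRED"
    elif days_left <= warn_days:
        status = "EXPIRING"
    else:
        status = "OK"

    # Collect SSO endpoints only from the entity we actually rely on.
    sso = []
    for ed in root.iter(MD + "EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            sso.extend(s.get("Location") for s in ed.iter(MD + "SingleSignOnService"))
    return {"status": status, "days_left": round(days_left, 2),
            "idp_found": bool(sso), "sso_locations": sso}


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "urn:mace:incommon:ucla.edu", "2009-04-10T12:00:00Z"))
```

In a cron job, call check_metadata on the freshly downloaded file with now_utc=None and refuse to copy it into /etc/shibboleth if status is EXPIRED or idp_found is false; an EXPIRING result on the file already installed is your signal that the refresh job has been failing.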
Certificate
You will be using a production-strength certificate, issued either by a federation such as InCommon or by a commercial provider. We expect most SPs at UCLA to use the bilateral approach. Visit this site for more info on Bilateral vs Federated approach.
Purchase an SSL server certificate from a commercial provider such as Verisign, Thawte or GoDaddy. Share your certificate (the public .crt file) with the IdP; do not send the private key. On the server, make the key file readable only by the account shibd runs as, since anyone who can read it can impersonate your SP to the IdP.
Configure the credentials paths to point at the production key and certificate. The CredentialUse element lives inside Applications, while CredentialsProvider is a top-level child of SPConfig; the Id on FileResolver must match the names given in CredentialUse. Note that every FileResolver needs a closing tag:
<CredentialUse TLS="prod_credentials" Signing="prod_credentials" />

<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="prod_credentials">
      <Key>
        <Path>/etc/shibboleth/my.prod.key</Path>
      </Key>
      <Certificate>
        <Path>/etc/shibboleth/my.prod.crt</Path>
      </Certificate>
    </FileResolver>
  </Credentials>
</CredentialsProvider>