I am not an expert in this, so I might not be able to be of much help. But conveniently, I did just complete this process last week and it seems to work fine. Here are the notes I took along the way, using CAS 4.0.1 and shib 2.4.4:
Configuring Tomcat: https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare

Download the IDP source zip file from: http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/
Extract it to /opt/shibboleth-src/
Download the tomcat6-dta-ssl-1.0.0.jar file from http://shibboleth.internet2.edu/downloads/maven2/edu/internet2/middleware/security/tomcat6/tomcat6-dta-ssl/1.0.0/tomcat6-dta-ssl-1.0.0.jar into the /usr/share/tomcat6/lib folder
Edit /usr/share/tomcat6/conf/server.xml, add the following connector:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
               scheme="https" SSLEnabled="true" clientAuth="true"
               keystoreFile="/opt/shibboleth-idp/credentials/idp.jks"
               keystorePass="changemeplease" />

Install the IDP: https://spaces.internet2.edu/display/SHIB2/IdPInstall

Run ./install.sh from where you extracted the IDP source from above.
--This will install to /opt/shibboleth-idp by default
--Enter the FQDN of the server
--Enter the password you want to use for the keystore (make sure it's the same one as you used in the tomcat config file change above.)
--Restart tomcat after this is done, but before deploying the war file, so that the new connector will come online
--Move the idp.war file from /opt/shibboleth-idp/war/ into /usr/share/tomcat6/webapps/

To verify that the IDP was installed correctly, browse to this page: http://servername.domain.edu/idp/profile/Status - it should say "ok"

Connect Shibboleth to CAS: http://www.ja-sig.org/wiki/display/CASUM/Shibboleth-CAS+Integration

Download the latest cas-client-x.x.x.zip from http://www.ja-sig.org/downloads/cas-clients/
Copy cas-client-x.x.x/modules/cas-client-core-x.x.x.jar to /opt/shibboleth-src/lib/
Edit /opt/shibboleth-idp/conf/handler.xml, add the following to the LoginHandler section:

    <LoginHandler xsi:type="RemoteUser">
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
        <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
    </LoginHandler>

Edit /opt/shibboleth-src/src/main/webapp/WEB-INF/web.xml, add the following to the "context-param" section:

    <context-param>
        <param-name>serverName</param-name>
        <param-value>shib_server.domain.edu</param-value>
    </context-param>

Add the following to the "filter" section:

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://cas_server.domain.edu/cas/login</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas_server.domain.edu/cas/</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </filter-mapping>

To re-deploy Shibboleth after making these changes:
Run /opt/shibboleth-src/install.sh
Hit <return> when prompted for the IDP software install location (the answer is for /opt/shibboleth-idp)
Hit <return> when asked if you want to overwrite the Shibboleth config (the answer is for "no")
Move the idp.war file from /opt/shibboleth-idp/war/ to /usr/share/tomcat6/webapps/

When you're testing with testshib.org, if you get random errors trying to deploy the war after changing the relying-party.xml file while following the instructions at https://www.testshib.org/testshib-two/configure.jsp - make sure the file used in "something like testshib.xml" is owned by tomcat:tomcat

ALSO COMMENT: Make sure to copy relying-party.xml.prod back to relying-party.xml when done testing!!

If you're pointing to a CAS with a self-signed cert, you can run this:

    /usr/lib/jvm/java-1_6_0-ibm-1.6.0/jre/bin/keytool -import -alias myalias -keystore /usr/java/latest/jre/lib/security/cacerts -file /home/installers/my_root.cer

(where my_root.cer is a b64 version of the self-signed root CA cert) if you get errors like:

    SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
    Throwable occurred: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by OU=Organizational CA, O=MY_ROOT is not trusted
    ...

If you get errors like:

    Unable to establish security of incoming assertion.

Look at your /opt/shibboleth-idp/conf/relying-party.xml file and make sure your AnonymousRelyingParty and DefaultRelyingParty providers match the actual hostname, etc.
http://groups.google.com/group/shibboleth-users/browse_thread/thread/e3665fb0f9b23265?pli=1
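The web.xml wiring above is easy to get subtly wrong, and the RemoteUser login handler then fails without a helpful error: if the HttpServletRequestWrapperFilter is not mapped to /Authn/RemoteUser the IdP never sees REMOTE_USER, if the three filters are mapped in the wrong order the validation filter runs before the ticket exists, and if a CAS URL is plain http the ticket travels in the clear. The following script is an added example, not code from the post or from the Shibboleth or CAS projects: it parses a web.xml offline and reports those misconfigurations. The embedded web.xml is a constructed sample that wraps the post's fragments in a minimal web-app element, using the post's placeholder hostnames; the check for HTTPS, matching CAS hosts, and casServerLoginUrl sitting under casServerUrlPrefix reflects how the Jasig client builds its URLs, and the filter order (authentication, validation, wrapper) is the order the CAS client documentation requires.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REMOTE_USER_PATH = "/Authn/RemoteUser"

# Expected filter classes, in the order the CAS client requires them to run.
AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_PKG = "org.jasig.cas.client.validation."
WRAPPER_FILTER = "org.jasig.cas.client.util.HttpServletRequestWrapperFilter"

# Constructed sample: the post's web.xml fragments inside a minimal web-app
# element so the document parses. Hostnames are the post's placeholders.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param><param-name>serverName</param-name>
    <param-value>shib_server.domain.edu</param-value></context-param>
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://cas_server.domain.edu/cas/login</param-value></init-param></filter>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/Authn/RemoteUser</url-pattern></filter-mapping>
  <filter><filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name>
      <param-value>https://cas_server.domain.edu/cas/</param-value></init-param>
    <init-param><param-name>redirectAfterValidation</param-name>
      <param-value>true</param-value></init-param></filter>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/Authn/RemoteUser</url-pattern></filter-mapping>
  <filter><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class></filter>
  <filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/Authn/RemoteUser</url-pattern></filter-mapping>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_web_xml(xml_text):
    """Return (context params, filters by name, filter-mappings in file order)."""
    root = ET.fromstring(xml_text)
    ctx, filters, mappings = {}, {}, []
    for el in root:
        kind = _local(el.tag)
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if kind == "context-param":
            ctx[kids.get("param-name")] = kids.get("param-value")
        elif kind == "filter":
            init = {}
            for ip in el:
                if _local(ip.tag) == "init-param":
                    ik = {_local(c.tag): (c.text or "").strip() for c in ip}
                    init[ik.get("param-name")] = ik.get("param-value")
            filters[kids.get("filter-name")] = {"class": kids.get("filter-class"), "init": init}
        elif kind == "filter-mapping":
            mappings.append((kids.get("filter-name"), kids.get("url-pattern")))
    return ctx, filters, mappings


def check_cas_wiring(xml_text, path=REMOTE_USER_PATH):
    """Return findings for the CAS filter chain guarding `path`; [] means OK."""
    ctx, filters, mappings = parse_web_xml(xml_text)
    findings = []
    if not ctx.get("serverName"):
        findings.append("serverName context-param missing; the CAS service URL cannot be built")

    def role(cls):
        if cls == AUTH_FILTER:
            return "auth"
        if cls and cls.startswith(VALIDATION_PKG):
            return "validate"
        if cls == WRAPPER_FILTER:
            return "wrap"

    # Roles of the filters mapped to the path, in web.xml (= execution) order.
    roles = [role(filters[n]["class"]) for n, p in mappings if p == path and n in filters]
    missing = [r for r in ("auth", "validate", "wrap") if r not in roles]
    for r in missing:
        findings.append(f"no CAS {r} filter mapped to {path}")
    if not missing and not roles.index("auth") < roles.index("validate") < roles.index("wrap"):
        findings.append("filter-mapping order must be authentication, validation, wrapper")

    # CAS URLs: both HTTPS, same CAS host, and the login URL under the prefix.
    init = {}
    for f in filters.values():
        init.update(f["init"])
    login, prefix = init.get("casServerLoginUrl"), init.get("casServerUrlPrefix")
    for name, url in (("casServerLoginUrl", login), ("casServerUrlPrefix", prefix)):
        if not url:
            findings.append(f"{name} not set")
        elif urlparse(url).scheme != "https":
            findings.append(f"{name} is not https: {url}")
    if login and prefix:
        if urlparse(login).hostname != urlparse(prefix).hostname:
            findings.append("casServerLoginUrl and casServerUrlPrefix name different CAS hosts")
        if not login.startswith(prefix.rstrip("/") + "/"):
            findings.append("casServerLoginUrl is not under casServerUrlPrefix")
    return findings


if __name__ == "__main__":
    plain_http = SAMPLE_WEB_XML.replace("https://cas_server.domain.edu/cas/login",
                                        "http://cas_server.domain.edu/cas/login")
    for label, doc in (("post's web.xml", SAMPLE_WEB_XML), ("http login URL", plain_http)):
        print(f"{label}: {check_cas_wiring(doc) or 'OK'}")
```

Run it against the real /opt/shibboleth-src/src/main/webapp/WEB-INF/web.xml by passing the file contents to check_cas_wiring before re-running install.sh; an empty list means the chain is complete, ordered, and points at a single HTTPS CAS server, so a remaining "Unable to establish security of incoming assertion" is a relying-party.xml or trust-store problem rather than a web.xml one.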
