Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: typo

...

Note
iconfalse
titleThis Guide assumes
  • A fresh, minimal (e.g. netinst.iso) install of Debian 10 ("Buster") with no "tasks" except openssh-server
    • Ubuntu 18.04 LTS ("xenial") Server works the same as Debian 10 for the purpose of this guide
  • Accessed via SSH or the console (no X11 required nor recommended),
  • Correct server time configuration using NTP (e.g. using systemd-timesyncd or ntpd)
  • Packet filters or firewall rules in place, e.g.:
    • With outgoing (ports TCP/80 and TCP/443) network access:
      • Port 80 for Debian APT updates, i.e., for downloading signed software packages
      • Port 80 and 443 for downloading signed eduID.at Metadata
      • Port 443 is also needed for downloads of the Shibboleth IDP software (though you can move copy that to the server yourself, of course)
      • The IDP will also need to connect to your LDAP Directory Servers for authentication and attribute lookup,
        • either on the standard port TCP/389 for LDAP(+STARTTLS),
        • or on port TCP/636 for LDAPS (which which no formal specification exists),
        • or maybe on the "global catalog" port of your Microsoft Active Directory (only if you need to access that).
      • For NTP you also need outgoing connectivity to the configured NTP servers (e.g. ACOnet's)
    • And incoming HTTPS access (port TCP/443 only, no port 80 necessary nor recommended),
      • also incoming port 22 for access only from a management network, if the server is managed via SSH,
  • All commands in this guide are to be issued by user root (uid=0), and will make of setuidgid as needed to change to other accounts.
  • The shell to use is /bin/bash (you can get fancy with fish/zsh/etc. after finishing the install/configuration)
  • Use of systemd for service management using the amended service unit as described in this documentation

...

Redirect requests to Tomcat's web root ("/") to a URL of your choice, e.g. your institutions institution's home page, replacing "www.example.edu" belowThe Shibboleth IDP application by default will run at /idp, allowing you to easily add and update other content outside of /idp, e.g. logos or CSS stylesheets without having them to integrate them with the "idp" context/application. The document root for that is in /var/lib/tomcat9/webapps/ROOT/ and nothing in the Shibboleth IDP software (or during use of SAML) by default links to / of the server, so you can use that for locally hosted content without interfering with the IDP application itself. For example you will want to add a robots.txt file to prevent unnecessary scanning by well-behaving search bots.

...