The following installtion is based on : https://www.cybera.ca/news-and-events/tech-radar/getting-started-on-shibboleth/


Definitions :

	- SP : Service Provider
	- IDP : Identity Provider
	- LDAP : Lightweight Directory Access Protocol


Requirements :

	- Ubuntu 16.04
	- Apache 2.4
	- Java Openjdk 1.8 (set JAVA_HOME env variable accordingly)
	- Tomcat 8
	- Nuxeo 8.4 SNAPSHOT


Preparation : 

	- Modify /etc/hosts by adding the following line :

		127.0.0.1	localhost sp.shibboleth.com ldap.shibboleth.com idp.shibboleth.com


LDAP Setup :

	sudo apt-get install slapd
	sudo apt-get install ldap-utils
	sudo dpkg-reconfigure slapd

	- Question while configuration :

		1. Omit OpenLDAP server configuration?: No
		2. DNS domain name: ldap.shibboleth.com
		3. Organization name: Nuxeo
		4. Administrator password: Nuxeo
		5. Confirm password: Nuxeo
		6. Database backend to use: HDB
		7. Do you want the database to be removed when slapd is purged?: No
		8. Move old database?: Yes
		9. Allow LDAPv2 protocol? No

	- Add a new user :

		ldapadd -x -D "cn=admin,dc=ldap,dc=shibboleth,dc=com" -w Nuxeo <<EOF
		dn: cn=nuxeo,dc=ldap,dc=shibboleth,dc=com
		objectClass: inetOrgPerson
		cn: nuxeo
		uid: nuxeo
		UserPassword: nuxeo
		mail: test@nuxeo.com
		sn: nuxeo
		EOF


IdP Setup :

	cd /tmp
	wget http://shibboleth.net/downloads/identity-provider/2.4.5/shibboleth-identityprovider-2.4.5-bin.tar.gz
	tar -zxvf shibboleth-identityprovider-2.4.5-bin.tar.gz
	cd shibboleth-identityprovider-2.4.5
	sudo ./install.sh

	- Question while installation :

		1. Where should the Shibboleth Identity Provider software be installed?: /opt/shibboleth-idp
		2. What is the fully qualified hostname of the Shibboleth Identity Provider server?: idp.shibboleth.com
		3. A keystore is about to be generated for you. Please enter a password that will be used to protect it: password

	- Configuration :

		* Modify /opt/shibboleth-idp/conf/logging.xml :
			
			<!-- Logs IdP, but not OpenSAML, messages -->
			<logger name="edu.internet2.middleware.shibboleth" level="ALL"/>
			<!-- Logs OpenSAML, but not IdP, messages -->
			<logger name="org.opensaml" level="ALL"/>
			<!-- Logs LDAP related messages -->
			<logger name="edu.vt.middleware.ldap" level="ALL"/>

		* Change shutdown port for tomcat 8 :

			<Server port="8006" shutdown="SHUTDOWN">

		* Create /etc/tomcat8/Catalina/localhost/idp.xml with the following content :

			<Context docBase="/opt/shibboleth-idp/war/idp.war"
			         privileged="true"
			         antiResourceLocking="false"
			         antiJARLocking="false"
			         unpackWAR="false"
			         swallowOutput="true" />

		* Modify /opt/shibboleth-idp/conf/handler.xml to disable the RemoteUser handler and enable the UsernamePassword one :

			<!-- Login Handlers -->
			...
			  <!--
			  <ph:LoginHandler xsi:type="ph:RemoteUser">
			    <ph:AuthenticationMethod>
			      urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
			    </ph:AuthenticationMethod>
			  </ph:LoginHandler>
			  -->

			  <ph:LoginHandler xsi:type="ph:UsernamePassword"
			                   jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
			    <ph:AuthenticationMethod>
			      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
			    </ph:AuthenticationMethod>
			  </ph:LoginHandler>
			...

		* Configure Shibboleth's LDAP connection for login in /opt/shibboleth-idp/conf/login.config :

			...
			ShibUserPassAuth {
			  edu.vt.middleware.ldap.jaas.LdapLoginModule required
			  ldapUrl="ldap://ldap.shibboleth.com"
			  baseDn="dc=ldap,dc=shibboleth,dc=com"
			  bindDN="cn=admin,dc=ldap,dc=shibboleth,dc=com"
			  bindCredential="Nuxeo"
			  ssl="false"
			  userFilter="uid={0}";
			};
			...

		* Configure the attribute resolver in /opt/shibboleth-idp/conf/attribute-resolver.xml, so the ldap attributes 
		are correctly transmitted as request headers :

			<?xml version="1.0" encoding="UTF-8"?>
			...
			<resolver:AttributeResolver ... >
			  	...
			 	<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
		        	<resolver:Dependency ref="myLDAP" />
		        	<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
		        	<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    			</resolver:AttributeDefinition>

    			<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
			        <resolver:Dependency ref="myLDAP" />
			        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
			        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    			</resolver:AttributeDefinition>
    			...
			  	<!-- Example LDAP Connector -->
			  	<resolver:DataConnector xsi:type="LDAPDirectory"
                          xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                          id="myLDAP"
                          ldapURL="ldap://ldap.shibboleth.com"
                          baseDN="dc=ldap,dc=shibboleth,dc=com"
                          principal="cn=admin,dc=ldap,dc=shibboleth,dc=com"
                          principalCredential="Nuxeo"
                          lowercaseAttributeNames="true">
			    	<dc:FilterTemplate>
		      			<![CDATA[
			        		(uid=$requestContext.principalName)
			      		]]>
			    	</dc:FilterTemplate>
			  	</resolver:DataConnector>
			  	...
			</resolver:AttributeResolver>

		* Set correct permissions on the following directories :

			sudo chown tomcat8: /opt/shibboleth-idp/ -R
			sudo chown tomcat8: /usr/share/tomcat8/ -R
			sudo chown tomcat8: /etc/tomcat8/ -R



SP Setup :

	- Download Shibboleth SP (Unofficial distribution for Ubuntu 16.04, but the only one working, probably need to build from sources) :

		sudo curl -k -O http://pkg.switch.ch/switchaai/SWITCHaai-swdistrib.asc
		sudo apt-key add SWITCHaai-swdistrib.asc
		echo 'deb http://pkg.switch.ch/switchaai/ubuntu xenial main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
		sudo apt-get update
		sudo apt-get install shibboleth

	- SP configuration :

		* Generate the application-specific Shibboleth key :
			
			shib-keygen

		* Modify /etc/shibboleth/shibboleth2.xml so the following are correct and/or present :


			<ApplicationDefaults entityID="http://sp.shibboleth.com/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
				...
				<Sessions ...>
	  				...
	  				<SSO entityID="http://idp.shibboleth.com/idp/shibboleth">
	    				SAML2 SAML1
	  				</SSO>
	  				...
				</Sessions>
				...
  				<MetadataProvider type="XML" file="idp-metadata.xml"/>
				...
			</ApplicationDefaults>

		* Retrieve the IDP metadata (WARNING : the metadata may have been generated with urls with HTTPS, replace all with HTTP):

			cd /etc/shibboleth
			sudo wget --no-check-certificate http://idp.shibboleth.com/idp/shibboleth -O idp-metadata.xml


		* Add the SP metadata to the IdP by modifying /opt/shibboleth-idp/conf/relying-party.xml :

			<!-- ========================================== -->
			<!-- Metadata Configuration -->
			<!-- ========================================== -->
			<!-- MetadataProvider the combining other MetadataProviders -->
			<metadata:MetadataProvider id="ShibbolethMetadata"
			                           xsi:type="metadata:ChainingMetadataProvider">
			...
			  <MetadataProvider xsi:type="FilesystemMetadataProvider"
			                    xmlns="urn:mace:shibboleth:2.0:metadata"
			                    id="URLMD"
			                    metadataFile="/opt/shibboleth-idp/metadata/sp.shibboleth.com.xml" />
			...
			</metadata:MetadataProvider>

		* Download the actual SP metadata (WARNING : the metadata may have been generated with urls with HTTPS, replace all with HTTP):

			cd /opt/shibboleth-idp/metadata/
			sudo wget --no-check-certificate http://sp.shibboleth.com/Shibboleth.sso/Metadata -O sp.shibboleth.com.xml



Apache Setup :

	- Create the file /etc/apache2/sites-enabled/idp.shibboleth.com.conf with the following content :

		<VirtualHost *:80>
  			ServerName idp.shibboleth.com
  			<Proxy ajp://localhost:8009/idp/*>
    			Allow from all
  			</Proxy>
  			ProxyPass /idp/ ajp://localhost:8009/idp/
		</VirtualHost>

	- Create the file /etc/apache2/sites-enabled/sp.shibboleth.com.conf with the following content :

		<VirtualHost *:80>

		  	ServerName sp.shibboleth.com

			ProxyPass /nuxeo/ http://sp.shibboleth.com:8180/nuxeo/
		   	ProxyPassReverse /nuxeo/ http://sp.shibboleth.com:8180/nuxeo/
		   	ProxyPreserveHost On

		  	<Location /Shibboleth.sso>
		    	SetHandler shib
		  	</Location>

		  	<Location /nuxeo>
		    	AuthType shibboleth
		    	ShibRequireSession On
		    	require valid-user
		    	ShibUseHeaders On
		  	</Location>

		</VirtualHost>


	- Enable newly created sites :

		sudo a2enmod proxy_ajp
		sudo a2ensite idp.shibboleth.com
		sudo a2ensite sp.shibboleth.com


Nuxeo configuration :

	- Change ports :

		nuxeo.server.http.port=8180
		nuxeo.server.ajp.port=8109
		nuxeo.server.tomcat_admin.port=8105

	- Follow the shibboleth configuration with https://doc.nuxeo.com/display/NXDOC710/Shibboleth+Authentication and set the file shibboleth-login-config.xml
	with the following content :

		<component name="sample.shibboleth.config">

		  <require>org.nuxeo.ecm.platform.usermanager.UserManagerImpl</require>
		  <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>

		  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
		    point="chain">
		    <authenticationChain>
		      <plugins>
		        <plugin>BASIC_AUTH</plugin>
		        <plugin>SHIB_AUTH</plugin>
		        <plugin>FORM_AUTH</plugin>
		        <plugin>WEBENGINE_FORM_AUTH</plugin>
		        <plugin>ANONYMOUS_AUTH</plugin>
		        <plugin>WEBSERVICES_AUTH</plugin>
		      </plugins>
		    </authenticationChain>
		  </extension>
		<extension
		    target="org.nuxeo.ecm.platform.shibboleth.service.ShibbolethAuthenticationService"
		    point="config">
		    <config>
		      <uidHeaders>
		          <!-- <uidHeader idpUrl="https://idp.testshibboleth.com/idp/shibboleth">principal</uidHeader> -->
		          <default>uid</default>
		      </uidHeaders>

		      <loginURL>http://sp.shibboleth.com/Shibboleth.sso/Login</loginURL>
		      <logoutURL>http://sp.shibboleth.com/Shibboleth.sso/Logout</logoutURL>

		      <fieldMapping header="uid">username</fieldMapping>
		      <fieldMapping header="mail">email</fieldMapping>
		    </config>
		  </extension>
		</component>