Integration with OnePass on Linux (CUHK Login via ADFS)

• Service Provider using Linux versions stated at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067399657/SystemRequirements#Linux/Unix
• Apache is being started with SSL enabled
• SSO and SLO should be signed
• Assertion should be signed and encrypted
• Signing algorithm should be SHA256 for the federation
• The application server time must be kept up-to-date and accurate
• Logout button should be enhanced for global sign out OnePass session

• To get a copy of the appropriate repository file for your system, see https://shibboleth.net/downloads/service-provider/RPMS/ for a simple drop down form that will generate a copy for you. Per the note above, RHEL 7 systems must use the CentOS 7 repository.
• Installation varies by OS, but usually you just drop the definition file into a directory such as /etc/yum.repos.d
• yum install shibboleth.x86_64 (for 64-bit machine, for 32-bit machine, use package “shibboleth”)
• SELinux enabled but permissive / SELinux disabled
• Restart shibboleth service and apache service
• Verify Shibboleth installation with
  – yum info shibboleth.x86_64
  – Open a web browser, go to https://localhost/Shibboleth.sso/Status (case sensitive), it should return an XML document with:
  <Status><OK/></Status>

**The configuration below is for your reference only. Some parameters and paths may be different with different Shibboleth versions / sub-versions. Kindly double-check the corresponding path name/certificate name in your configuration file.

• Default configuration files should be found in /etc/shibboleth/
• An apache configuration file for Shibboleth should be found in /etc/httpd/conf.d/shib.conf
• In /etc/shibboleth, update below information on shibboleth2.xml

• Restart shibd and httpd after configuration, and check any error at /var/log/shibboleth/
• Sample shibboleth2.xml for Linux host and OnePass testing environment

• Core Attributes (The attributes are released by default)
  • such as Email Address, Role (Staff/Student/Alumni), Display Name

For more information about the specifics of the attributes released, please contact ITSC Service Desk.

• Provide your CADS no. to OnePass Team
• The entity ID of your application
• Metadata URL (The default is https://{yourhostname}/Shibboleth.sso/Metadata), must be accessible from campus network
• The core attributes would be passed to your application by default, additional attributes need by request
• Include OnePass Logout URL plus your application logout together for your logout button
• OnePass team would import your metadata and have configuration on OnePass Testing platform, email notification with testing accounts would be sent to you once ready for test
• Test completion, vulnerability scanning must be pass before migrating to OnePass Production environment.
• Please schedule the production with OnePass Team 3 working days in advance.

• Remember to clean up your browser cache first, it’ll be good to use incognito or InPrivate mode for testing
• Assume PHP is installed in your server
• By default, your server’s path /secure is protected by OnePass. If you want to change it, please refer to /etc/httpd/conf.d/shib.conf
• The core attributes would be passed to your application by default, additional attributes need by request
• Create a test.php in your /secure/test.php to show phpinfo()
  <% php phpinfo() %>
• Open a browser to access https://{yourhostname}/secure/test.php
• You will be redirected to OnePass login page, key in valid Login ID and password
• You should be able to authenticate and find your Login ID in server variable NameID and REMOTE_USER
  e.g. for php to get the LoginID using php variable: echo ‘LoginID:’ . $_SERVER[‘NameID’]
• Logout, you will be redirected to OnePass Logout page. Access your website again and see if you have to fill in your credential to login OnePass