how to configure Apache with Shibboleth to use ADFS


Monty wig

Nov 14, 2011, 1:45:56 PM11/14/11
to us...@shibboleth.net
Hello,

I am a newbie to Shibboleth and working on a project where I need to set up Apache with Shibboleth to get authenticated by ADFS, and am wondering if anyone has ever done it before and can provide some input on where to start and how...

Thanks
Monty

Cantor, Scott

Nov 14, 2011, 1:59:13 PM11/14/11
to us...@shibboleth.net

If you're new to SAML in general, you need to digest a lot of conceptual
bits to understand the interop issues involved, or you're likely to
struggle. Starting with a pure Shibboleth environment and/or testshib.org
as an IdP is a better starting point.

The specific issues associated with ADFS are to some extent documented in
the wiki (search yourself, link not handy). Microsoft has a white paper on
the subject, but it's very much overly complicated.

-- Scott

--
To unsubscribe from this list send an email to users-un...@shibboleth.net

Roland Tanner

Nov 14, 2011, 2:22:48 PM11/14/11
to Shib Users
Hi,

I have shibd (version 2.3.1) running on an Apache2 server for
authentication of UK academic institutions. (Installed via apt-get on a
Debian Lenny server.)

I'm finding that over time the server quickly accumulates an increasing
number of connections in CLOSE_WAIT state which never completely close.
Here's an example output from netstat.

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 38 0 localserver:41904 some-idp.ac.uk:5057 CLOSE_WAIT
tcp 38 0 localserver:39484 some-idp.ac.uk:8443 CLOSE_WAIT
tcp 38 0 localserver:39484 someother-idp.ac.uk:8443 CLOSE_WAIT

The only thing that clears these connections is a forced close of shibd
(eg by killing the process or a force-restart). Restarting networking
with, eg, '/etc/init.d/networking restart' fails to clear them, and in
fact networking won't close down while the connections remain open.

Any ideas about a solution? So far, it does not seem to happen so often
as to exhaust the available connections, but the possibility of
crashing/blocking the server seems to be there if they accumulate like
this. From what I understand, CLOSE_WAIT status gets stuck if the local
application does not close the connection, after receiving a request to
close from the remote server.

Many thanks in advance,
Roland
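An added example (not from the thread) of the kind of check an admin would run against netstat output like Roland's: it counts CLOSE_WAIT sockets per remote endpoint, notes how many still have unread bytes in Recv-Q (the sign that the local process never finished the close), and raises an alert above a threshold. The sample netstat lines and hostnames are constructed.

```python
# Added example, not code from the thread: summarise CLOSE_WAIT sockets from
# "netstat -tn" style output so a stuck shibd is spotted before file
# descriptors run out. SAMPLE_NETSTAT is constructed to mirror the posted output.
from collections import Counter

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 38 0 localserver:41904 some-idp.ac.uk:5057 CLOSE_WAIT
tcp 38 0 localserver:39484 some-idp.ac.uk:8443 CLOSE_WAIT
tcp 38 0 localserver:39512 someother-idp.ac.uk:8443 CLOSE_WAIT
tcp 0 0 localserver:443 client.example.net:51022 ESTABLISHED
tcp 0 0 localserver:22 admin.example.net:40018 ESTABLISHED
"""


def close_wait_summary(netstat_text):
    """Return (total, per_remote, unread) for CLOSE_WAIT sockets.

    total      - number of CLOSE_WAIT sockets
    per_remote - Counter keyed by remote host:port
    unread     - how many of them still have bytes queued in Recv-Q, i.e. the
                 local process never read the peer's final data before closing
    """
    per_remote = Counter()
    unread = 0
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -tn layout: proto recvq sendq local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "CLOSE_WAIT":
            continue
        per_remote[fields[4]] += 1
        if int(fields[1]) > 0:
            unread += 1
    return sum(per_remote.values()), per_remote, unread


def close_wait_alert(netstat_text, threshold=50):
    """True when CLOSE_WAIT sockets exceed threshold (cron/Nagios-style check)."""
    total, per_remote, unread = close_wait_summary(netstat_text)
    if total <= threshold:
        return False
    peer, count = per_remote.most_common(1)[0]
    print("ALERT: %d CLOSE_WAIT sockets (%d with unread data); worst peer %s x%d"
          % (total, unread, peer, count))
    return True
```

On a live box the input would come from `netstat -tn` (or `ss -tan`) piped into the function; the threshold should sit well below the process's open-file limit.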

Cantor, Scott

Nov 14, 2011, 2:56:42 PM11/14/11
to us...@shibboleth.net
On 11/14/11 2:22 PM, "Roland Tanner" <rol...@tannerritchie.com> wrote:
>
>I'm finding that over time the server quickly accumulates an increasing
>number of connections in CLOSE_WAIT state which never completely close.

Socket programming is not my area of expertise, so anybody that thinks the
code is wrong is encouraged to help fix it and supply patches. There's not
much chance I'm going to do anything without specific suggestions as to
what's broken, since the socket loop is all just copied from other
examples.

I would note that if you run in prefork, the SP is never going to work
well anyway. Switching to a modern MPM like prefork will greatly reduce
the connections and the churn and probably lessen the impact.


-- Scott

Roland Tanner

Nov 14, 2011, 3:36:47 PM11/14/11
to Shib Users
On 11/14/11 2:22 PM, "Roland Tanner" <rol...@tannerritchie.com> wrote:
> I'm finding that over time the server quickly accumulates an increasing
> number of connections in CLOSE_WAIT state which never completely close.

On 11-11-14 02:56 PM, Cantor, Scott wrote:
> I would note that if you *run in prefork*, the SP is never going to work
> well anyway. Switching to a modern MPM *like prefork* will greatly reduce
> the connections and the churn and probably lessen the impact.
>
> -- Scott

Thanks Scott for quick reply. If it's a bug I can live with it, but I
wasn't sure if I had just misconfigured something. Can I just ask for a
bit of clarification on the last para? Do you mean 'switching to a
modern MPM like Worker'. This server runs a few sites which are mainly
written in PHP, which doesn't properly support the multi-thread MPM (a
fairly major flaw in PHP, to say the least), so we may have no option
but default Apache prefork, although I guess we could test to see how
stable it is...

Roland

Cantor, Scott

Nov 14, 2011, 4:04:24 PM11/14/11
to us...@shibboleth.net
On 11/14/11 3:36 PM, "Roland Tanner" <rol...@tannerritchie.com> wrote:
>
>Thanks Scott for quick reply. If it's a bug I can live with it, but I
>wasn't sure if I had just misconfigured something.

I don't know if it's a bug, but no, it's not anything you'd configure.

> Can I just ask for a
>bit of clarification on the last para? Do you mean 'switching to a
>modern MPM like Worker'.

I mean worker mode, yes. The SP is heavily designed around more web
threads, fewer processes. You go from hundreds of sockets and shibd
threads to 10-20 on a heavily accessed site.

> This server runs a few sites which are mainly
>written in PHP, which doesn't properly support the multi-thread MPM (a
>fairly major flaw in PHP, to say the least), so we may have no option
>but default Apache prefork, although I guess we could test to see how
>stable it is...

My understanding is that most people these days run PHP with an out of
process interpreter that's long lived, so the threading bugs in PHP don't
affect Apache.

-- Scott

Roland Tanner

Nov 14, 2011, 4:37:24 PM11/14/11
to Shib Users

> My understanding is that most people these days run PHP with an out of
> process interpreter that's long lived, so the threading bugs in PHP don't
> affect Apache.

Thanks - I understand: replace mod_php5 with php5-cgi, and
multi-threaded Apache should be fine... will try that out.

Luis Rodríguez Fernández

Nov 15, 2011, 3:52:14 AM11/15/11
to Shib Users
Hi Monty,

I agree with Scott. If you are new to SAML you will need to read a
few docs in order to understand how the standard works. I would
recommend the technical overview: look for
sstc-saml-tech-overview-2.0-cd-02.pdf

If you are a little bit impatient these are the main steps that I
followed (Apache 2.2 with Shibboleth SP, over Ubuntu Natty, and ADFS
2.0 as IdP):

1. Install Shibboleth SP in your machine (apt-get install libapache2-mod-shib2)
2. Configure the Shibboleth module for your Apache
3. Configure the Shibboleth SP. For this step you will need a metadata
file provided for your IdP (ADFS)
4. Register your host in the IdP (here I cannot help you so much, for
us the IdP is a black box...)

Enabling SSL on the Apache web server is a must!

This link has everything really well explained:
http://dev.e-taxonomy.eu/trac/wiki/ShibbolethSP2InstallDebianLenny
(thank you guys!)

Hope it helps,

Luis

2011/11/14 Cantor, Scott <cant...@osu.edu>:

--
"The ways of the user are inscrutable..."

-- Rick Cook
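For step 3 of Luis's list, an added example (not from the thread or the Shibboleth project) of a sanity check on the IdP metadata that ADFS publishes, run before the file is handed to the SP: it confirms the document is IdP metadata, that a signing certificate and an HTTPS SingleSignOnService endpoint are present, and derives the shibboleth2.xml lines that must agree with it (the `SSO` element assumes SP 2.4 or later). The hostnames and the trimmed metadata document are constructed.

```python
# Added example, not the project's code: check ADFS IdP metadata and derive the
# matching shibboleth2.xml fragment. Hostnames and SAMPLE_METADATA are constructed;
# ADFS 2.0 serves the real document at /FederationMetadata/2007-06/FederationMetadata.xml.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.org/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.org/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (entity_id, sso_url, problems) for a SAML2 IdP metadata document."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("no entityID on EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return entity_id, None, problems
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    if idp.find(cert_path, NS) is None:
        problems.append("no signing certificate: SP cannot verify assertions")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == SAML2_REDIRECT:
            sso_url = svc.get("Location")
    if sso_url is None:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    elif not sso_url.startswith("https://"):
        problems.append("SSO endpoint is not https")
    return entity_id, sso_url, problems


def sp_config_fragment(entity_id, metadata_file="adfs-metadata.xml"):
    """shibboleth2.xml lines that must match the IdP metadata (SP 2.4+ SSO element)."""
    return ('<SSO entityID="%s">SAML2</SSO>\n'
            '<MetadataProvider type="XML" file="%s"/>' % (entity_id, metadata_file))
```

The entityID printed by the fragment is the value ADFS will expect to see as the audience of its own metadata, so a mismatch here is the first thing to rule out when the SP logs an unknown-issuer error.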

Peter Schober

Nov 15, 2011, 7:01:04 AM11/15/11
to us...@shibboleth.net
* Luis Rodríguez Fernández <uo6...@gmail.com> [2011-11-15 09:52]:

> In this link you have everything really well explained:
> http://dev.e-taxonomy.eu/trac/wiki/ShibbolethSP2InstallDebianLenny
> (thank you guys!)

That's already out of date. Also on Debian (and mostly also Ubuntu)
get the latest libapache2-mod-shib2 package from the backports
(e.g. `apt-get -t squeeze-backports install libapache2-mod-shib2`) and
read
/usr/share/doc/libapache2-mod-shib2/README.Debian.gz
/usr/share/doc/apache2.2-common/README.Debian.gz
-peter
