
WordPress and Shibboleth

There are a few issues to work through before WordPress can be made to use Shibboleth (the WordPress side will come later, once I've installed Shibboleth and got it working).

What is Shibboleth?

The Wikipedia entry says this:

Shibboleth is a ‘single-sign in’, or logging-in system for computer networks and the internet. It allows people to sign in, using just one ‘identity’, to various systems run by ‘federations’ of different organizations or institutions. The federations are often universities or public service organizations.

Building the Shibboleth SP and Apache2 module

Before we can do anything, we need to build the Shibboleth SP, including its module for our Apache2 web server, so that we can use Shibboleth authentication. The Shibboleth site gives full detail on how to do this on Solaris (the Native Solaris build page), and that is the documentation I shall be following.

I have used the Apache2 HTTP server downloaded and installed as packages from the Sunfreeware software site (download from there if you don't want to register), so I am hoping that this build will work with it. These packages install under /usr/local; the following were needed.

apache-2.2.22-sol10-sparc-local
binutils-2.21.1a-sol10-sparc-local
curl-7.26.0-sol10-sparc-local
db-4.7.25.NC-sol10-sparc-local
expat-2.0.1-sol10-sparc-local
freetds-0.91-sol10-sparc-local
freetype-2.4.2-sol10-sparc-local
gcc-3.4.6-sol10-sparc-local
gd-2.0.35-sol10-sparc-local
gdbm-1.9.1-sol10-sparc-local
jpeg-8d-sol10-sparc-local
libgcc-3.4.6-sol10-sparc-local
libiconv-1.14-sol10-sparc-local
libidn-1.25-sol10-sparc-local
libintl-3.4.0-sol10-sparc-local
libssh2-1.4.2-sol10-sparc-local
libtool-2.4.2-sol10-sparc-local
libxml2-2.8.0-sol10-sparc-local
mysql-5.0.67-sol10-sparc-local
openldap-2.4.30-sol10-sparc-local
openssl-1.0.1c-sol10-sparc-local
perl-5.12.3-sol10-sparc-local
php-5.3.16-sol10-sparc-local
sasl-2.1.25-sol10-sparc-local
zlib-1.2.7-sol10-sparc-local

These could be split into the packages needed for Apache/WordPress and those needed for Shibboleth, but I will leave them as they are for now. From the Shibboleth Native Solaris build page, I downloaded the following and proceeded to compile them as per the instructions. There are issues with following the page, mainly that the instructions as given don't work!

Here are the compilation lines I used:

/usr/sfw/bin/gtar zxf boost-1.51.tar.gz
chown -R bin:bin boost_1_51_0/
mv boost_1_51_0/ /usr/local

/usr/sfw/bin/gtar zxf log4shib-1.0.5.tar.gz
cd log4shib-1.0.5
# csh/tcsh syntax; from sh or ksh use: export CC=gcc CXX=g++ PATH="$PATH:/usr/local/bin"
setenv CC gcc
setenv CXX g++
setenv PATH $PATH":/usr/local/bin"
./configure --disable-static --disable-doxygen
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf xerces-c-3.1.1.tar.gz
cd xerces-c-3.1.1
setenv LD_LIBRARY_PATH /usr/local/lib
./configure --enable-netaccessor-socket
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf xml-security-c-1.7.0.tar.gz
cd xml-security-c-1.7.0
./configure --with-openssl=/usr/local/ssl --with-xerces
/usr/sfw/bin/gmake

At this point if you get an error like this

o   -lxerces-c -lsocket -lm   -L/usr/local/ssl/lib -lcrypto -lssl
../libtool: line 6031: cd: yes/lib: No such file or directory
libtool: link: cannot determine absolute directory name of `yes/lib'
gmake[2]: *** [libxml-security-c.la] Error 1
gmake[2]: Leaving directory `/var/tmp/SSO/SHIB/xml-security-c-1.7.0/xsec'

The 'yes' is what autoconf stores for a `--with-xerces` given without a directory, so the cleaner fix is to rerun configure with `--with-xerces=/usr/local` (the prefix under which xerces-c was just installed). Otherwise, edit the 'Makefile' and 'xsec/Makefile' files and remove the '-Lyes/lib' from LDFLAGS and the '-Iyes/include' from CPPFLAGS:

vi Makefile
vi xsec/Makefile
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf xmltooling-1.5.1.tar.gz
cd xmltooling-1.5.1
./configure --with-log4shib=/usr/local --with-curl=/usr/local \
--with-openssl=/usr/local/ssl --with-boost=/usr/local/boost_1_51_0
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf opensaml-2.5.0.tar.gz
cd opensaml-2.5.0
./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--with-openssl=/usr/local/ssl

If you get an error like the following:

checking xmltooling/XMLToolingConfig.h presence... yes
checking for xmltooling/XMLToolingConfig.h... yes
configure: error: unable to link with XMLTooling, or version was too old

This message comes from a link test, not a version comparison: configure compiled a small program against XMLTooling and failed to link it. Before removing the check, look at the linker error recorded in config.log (typically a library path problem, or an older libxmltooling being found first) and try `--with-xmltooling=/usr/local`. If you still want to bypass it, edit the 'configure' script and remove the XMLTooling check:

if ac_fn_cxx_try_link "$LINENO"; then :

else
  as_fn_error $? "unable to link with XMLTooling, or version was too old" "$LINE
NO" 5
fi

Then run the configure again.

./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--with-openssl=/usr/local/ssl
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install
cd ..

/usr/sfw/bin/gtar zxf shibboleth-sp-2.5.0.tar.gz
cd shibboleth-sp-2.5.0
./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--enable-apache-22 --with-apxs22=/usr/local/apache2/bin/apxs

Again if you come across the configuration error message:

checking xmltooling/base.h presence... yes
checking for xmltooling/base.h... yes
configure: error: unable to link with XMLTooling, or version was too old

Then edit the configure script, removing the lines:

if ac_fn_cxx_try_link "$LINENO"; then :

else
  as_fn_error $? "unable to link with XMLTooling, or version was too old" "$LINE
NO" 5
fi

If you get the the configuration error message:

checking for saml/saml2/metadata/Metadata.h... yes
configure: error: unable to link with OpenSAML, or version was too old

Again edit this out from the configure script:

if ac_fn_cxx_try_link "$LINENO"; then :

else
  as_fn_error $? "unable to link with OpenSAML, or version was too old" "$LINENO
" 5
fi

The libraries are current; these checks are link tests, so the 'version was too old' wording is misleading, and removing them only postpones any real link problem to the build itself. Run the configure script again:

./configure --with-log4shib=/usr/local --with-boost=/usr/local/boost_1_51_0 \
--enable-apache-22 --with-apxs22=/usr/local/apache2/bin/apxs
/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install

After a long while, if the compilation drops out with this error:

Undefined                       first referenced
 symbol                             in file
xmltooling::AbstractPKIXTrustEngine::validate(x509_st*, stack_st*, xmltooling::CredentialResolver const&, xmltooling::CredentialCriteria*) const../shibsp/.libs/libshibsp.so
non-virtual thunk to xmltooling::AbstractPKIXTrustEngine::validate(x509_st*, stack_st*, xmltooling::CredentialResolver const&, xmltooling::CredentialCriteria*) const../shibsp/.libs/libshibsp.so
ld: fatal: symbol referencing errors. No output written to .libs/shibd
collect2: ld returned 1 exit status
gmake[2]: *** [shibd] Error 1

The linker resolved libshibsp against a libxmltooling that does not export this symbol, which is the same problem the configure link test was reporting. Do a make clean and run the configure script again with an explicit path to XMLTooling:

/usr/sfw/bin/gmake clean
 ./configure --with-log4shib=/usr/local --with-openssl=/usr/local/ssl \
--with-boost=/usr/local/boost_1_51_0 --enable-apache-22 \
--with-apxs22=/usr/local/apache2/bin/apxs --with-xmltooling=/usr/local/lib -C

/usr/sfw/bin/gmake
/usr/sfw/bin/gmake install

Make sure you have openssl in your PATH, because make install runs keygen.sh to generate the key and certificate for your Shibboleth SP. However, don't worry if it fails to generate the certificate at install; you can do this manually by running the keygen.sh script (with -b) in the /usr/local/etc/shibboleth directory. The resulting sp-key.pem is the SP's private key: it should be owned by, and readable only by, the account shibd runs as.
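The whole build sequence above, with the two configure problems handled by flags and diagnostics rather than by editing Makefiles and configure scripts. This is an added example, not a script from the original post or from the Shibboleth project; it assumes the tarballs are in the current directory, everything installs under /usr/local, GNU tar and make live in /usr/sfw/bin, and that `--with-xmltooling` and `--with-opensaml` take the install prefix (check `./configure --help` for your version). Run it with ksh or /usr/xpg4/bin/sh on Solaris 10, since /bin/sh there is the old Bourne shell.

```shell
#!/bin/sh
# Added example: corrected build driver for the Shibboleth SP stack on Solaris 10.
# Assumed (not from the post): tarballs in the current directory, prefix /usr/local,
# GNU tar/make in /usr/sfw/bin, gcc on PATH.

set -e
PREFIX=/usr/local
GTAR=/usr/sfw/bin/gtar
GMAKE=/usr/sfw/bin/gmake
export CC=gcc CXX=g++
export PATH="$PATH:$PREFIX/bin:$PREFIX/ssl/bin"   # gcc, apxs and openssl (for keygen.sh)
export LD_LIBRARY_PATH="$PREFIX/lib"

# Autoconf stores a bare "--with-foo" as with_foo=yes, which is where the
# "-Lyes/lib" in xml-security-c's Makefile came from. List such flags so the
# caller can supply a directory instead.
bare_with_flags() {
    for arg in "$@"; do
        case "$arg" in
            --with-*=*) ;;                       # has a value: fine
            --with-*)   printf '%s\n' "$arg" ;;  # would become "yes"
        esac
    done
}

# "unable to link with XMLTooling, or version was too old" is a failed link
# test, not a version comparison. The linker's own message is in config.log;
# show the last few diagnostics rather than deleting the test from configure.
configure_failure_hint() {
    grep -E 'ld: (fatal|warning)|undefined|No such file|cannot find' "$1" | tail -5
}

run_configure() {
    bad=$(bare_with_flags "$@")
    if [ -n "$bad" ]; then
        echo "refusing to run configure: these flags need =DIR: $bad" >&2
        return 1
    fi
    if ! ./configure "$@"; then
        echo "configure failed; last diagnostics from config.log:" >&2
        configure_failure_hint config.log >&2
        return 1
    fi
}

# $1 = source directory (tarball is $1.tar.gz); remaining args go to configure
build() {
    src=$1; shift
    $GTAR zxf "$src.tar.gz"
    cd "$src"
    run_configure "$@"
    $GMAKE
    $GMAKE install
    cd ..
}

build_all() {
    $GTAR zxf boost-1.51.tar.gz && mv boost_1_51_0 "$PREFIX"   # header-only use, no build
    build log4shib-1.0.5 --disable-static --disable-doxygen
    build xerces-c-3.1.1 --enable-netaccessor-socket
    build xml-security-c-1.7.0 --with-openssl="$PREFIX/ssl" --with-xerces="$PREFIX"
    build xmltooling-1.5.1 --with-log4shib="$PREFIX" --with-curl="$PREFIX" \
        --with-openssl="$PREFIX/ssl" --with-boost="$PREFIX/boost_1_51_0"
    build opensaml-2.5.0 --with-log4shib="$PREFIX" --with-boost="$PREFIX/boost_1_51_0" \
        --with-openssl="$PREFIX/ssl" --with-xmltooling="$PREFIX"
    # make install runs keygen.sh, which needs openssl on PATH
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 1; }
    build shibboleth-sp-2.5.0 --with-log4shib="$PREFIX" --with-boost="$PREFIX/boost_1_51_0" \
        --with-openssl="$PREFIX/ssl" --with-xmltooling="$PREFIX" --with-opensaml="$PREFIX" \
        --enable-apache-22 --with-apxs22="$PREFIX/apache2/bin/apxs"
}

# Only build when invoked as "./build-sp.sh build"; sourcing the file just defines the functions.
if [ "${1:-}" = "build" ]; then
    build_all
fi
```

The guard in run_configure is deliberately strict: a package that genuinely accepts a bare `--with-foo` will be refused too, in which case pass `--with-foo=yes` explicitly. The point is that a failed link test stops the build where the cause is visible, instead of surfacing later as an undefined xmltooling symbol when shibd is linked.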

Apache2 Shibboleth module configuration
Now that we have compiled and installed the Shibboleth SP software, if it has not added the module to our Apache2 configuration file, we need to add the following (the Location block hands every request under /Shibboleth.sso to the SP's handler, which is where the Login, Logout, Metadata and Status handlers live):

LoadModule mod_shib /usr/local/lib/shibboleth/mod_shib_22.so
<Location /Shibboleth.sso>
        SetHandler shib
</Location>

Check the configuration with `apachectl -t`, then restart Apache and confirm that the module is loaded with `apachectl -M | grep shib` (apachectl -M lists loaded modules in 2.2).

Setting up the IdP and SP
The server that your WordPress install is on needs the Shibboleth daemon (the shibd we just compiled and installed) running; mod_shib only talks to it. The first thing to do is to write a startup/shutdown script for the shibd process.

vi /etc/init.d/shibd

#!/sbin/sh
# Legacy rc script for the Shibboleth SP daemon (runs shibd as root).

case "$1" in
'start')
        # validate shibboleth2.xml first; a bad config would otherwise fail silently in the background
        if /usr/local/sbin/shibd -t; then
                /usr/local/sbin/shibd &
        else
                echo "shibd: configuration check failed, not starting" >&2
                exit 1
        fi
        ;;
'stop')
        pkill -INT shibd
        ;;
*)
        echo "Usage: $0 {start|stop}" >&2
        exit 1
        ;;
esac

cd /etc/rc3.d
ln -s ../init.d/shibd S99shibd

Then test out the script:

/etc/init.d/shibd start
ps -ef|grep shib
    root  2942 19382   0 12:07:02 pts/1       0:00 grep shib
    root  2940  2693   0 12:06:57 ?           0:00 /usr/local/sbin/shibd

/etc/init.d/shibd stop
ps -ef|grep shib
    root  2996 19382   0 12:12:45 pts/1       0:00 grep shib

Firstly you need to configure your IdP to recognise your SP. Log onto your IdP server and edit attribute-filter.xml, adding a rule for your server to the policy that releases uid:

<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://SERVER.DOMAIN/shibboleth" />

where SERVER.DOMAIN is your WP server, fully qualified. The value must match the SP's entityID exactly; the default from the install is https://SERVER.DOMAIN/shibboleth, and it is also the entityID in the metadata the SP publishes.

Now we configure the Shibboleth SP on our WP server:

vi /usr/local/etc/shibboleth/shibboleth2.xml

making sure that your IdP's entityID is set on the SSO element, and that under the ApplicationDefaults entry for your WP server 'uid' is included in the REMOTE_USER attribute, so that uid is what REMOTE_USER carries.

We need to allow the uid to be passed to us, so we also need to edit attribute-map.xml, adding these lines or checking that they are present (both the MACE name and the OID name map to the same id, so the SP accepts either form from the IdP):

    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid">
        <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>

You will also need to add your SP's metadata to your IdP. To do that, fetch the metadata from your WordPress server: https://WP.DOMAIN.COM/Shibboleth.sso/Metadata

This should come down as a file; put its content into a file called local-metadata.xml in the metadata directory of the IdP install (the one its metadata provider configuration points at). Before doing so, confirm that the entityID in it is the one you put in attribute-filter.xml and that the certificate in it is the SP's sp-cert.pem: whatever goes into local-metadata.xml is the key the IdP will trust and encrypt assertions to.
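The check described above for the metadata exchange, and for the entityID that the attribute-filter rule has to carry, as an added script that is not part of the original post or of the Shibboleth distribution. It assumes keygen.sh's default file names under /usr/local/etc/shibboleth, the `ds:` prefix on X509Certificate that the SP's metadata generator emits, openssl on PATH for the fingerprint comparison, and that the first certificate in the metadata is the one to compare (the SP publishes the same certificate for signing and encryption unless you configured two keys). Run it with ksh or /usr/xpg4/bin/sh on Solaris 10.

```shell
#!/bin/sh
# Added example: sanity-check the SP metadata fetched from
# https://WP.DOMAIN.COM/Shibboleth.sso/Metadata before it goes into the IdP's
# local-metadata.xml. Assumed (not from the post): keygen.sh default file names,
# ds: prefix on X509Certificate, openssl on PATH.

set -e
SHIB_ETC=/usr/local/etc/shibboleth

# Fetch the metadata from the SP itself. Run this on the WP server; the
# entityID and certificate are then compared below against the SP's own
# configuration instead of being trusted as downloaded.
fetch_metadata() {   # $1 = host name, $2 = output file
    curl -sSf -o "$2" "https://$1/Shibboleth.sso/Metadata"
}

# entityID of the EntityDescriptor; this exact string is what the IdP's
# AttributeRequesterString rule must carry.
metadata_entity_id() {
    sed -n 's/.*entityID="\([^"]*\)".*/\1/p' "$1" | head -1
}

# First <ds:X509Certificate> body, re-wrapped as PEM so openssl can read it.
metadata_cert_pem() {
    body=$(tr -d '\n\r\t ' < "$1" \
        | sed -e 's/<\/ds:X509Certificate>.*$//' -e 's/.*<ds:X509Certificate>//')
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$body" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# SHA-1 fingerprint of a PEM certificate on stdin, e.g. AB:CD:...
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# $1 = metadata file. Fails if the certificate the SP publishes is not the one
# in sp-cert.pem, which would mean the IdP is about to trust the wrong key.
check_metadata() {
    eid=$(metadata_entity_id "$1")
    if [ -z "$eid" ]; then
        echo "no entityID found in $1" >&2
        return 1
    fi
    if ! grep -q '<ds:X509Certificate>' "$1"; then
        echo "no ds:X509Certificate element in $1" >&2
        return 1
    fi
    published=$(metadata_cert_pem "$1" | cert_fingerprint)
    configured=$(cert_fingerprint < "$SHIB_ETC/sp-cert.pem")
    if [ "$published" != "$configured" ]; then
        echo "metadata cert $published != $SHIB_ETC/sp-cert.pem $configured" >&2
        return 1
    fi
    printf 'entityID:  %s\n' "$eid"
    printf 'cert SHA1: %s\n' "$configured"
    printf 'IdP rule:  <basic:Rule xsi:type="basic:AttributeRequesterString" value="%s" />\n' "$eid"
}

# usage: ./check-sp-metadata.sh WP.DOMAIN.COM
if [ -n "${1:-}" ]; then
    fetch_metadata "$1" /tmp/sp-metadata.xml
    check_metadata /tmp/sp-metadata.xml
fi
```

If Apache's own TLS certificate is not yet trusted by curl on the WP server, point curl at the issuing CA with --cacert rather than disabling verification with -k; the file you then hand to the IdP should be the one this script passed.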

WordPress Shibboleth plugin

The WordPress Shibboleth plugin is available to download and install here. We will ignore the fact that it is over 2 years old, shall we? We will ignore the fact that it mentions WordPress MU (not Multisite, MS) too! (Well, until we come across a problem with using it on a WordPress MS installation.)

After a lot of Googling for help on getting the Shibboleth plugin to work, I've managed to modify the code sufficiently so that it does the job for me with WordPress Multisite 3.4.2 (I'm sure it will work with 3.5 too). You can download it here: shibboleth-new.zip

Once the Shibboleth plugin has been activated, it should look like this in the Network Dashboard:

In the Settings menu you should have a Shibboleth entry; clicking on it opens the settings page for Shibboleth. Fill in the Session Initiator URL as https://WP.DOMAIN.COM/Shibboleth.sso/Login and the Logout URL as https://WP.DOMAIN.COM/Shibboleth.sso/Logout. I have also filled in the Password Change URL, as we do have a password changing page for our LDAP users. Other options are up to you. Select 'Allow sitewide redirects'.

For the User Profile Data, I have set the following attribute for each field:

Username:      uid
First name:    givenName
Last name:     sn
Nickname:      uid
Display Name:  displayName
Email Address: mail

All are marked as managed except the first (Username); a managed field is refreshed from the Shibboleth attribute at each login, so users cannot edit it in WordPress. The rest of the Shibboleth plugin configuration is not filled in.

Document Root Configuration
Back on the WordPress server (Apache2), in the document root directory, make a directory ‘shibboleth-sp’. Put a logout image here for when a user logs off the system, called ‘logo.jpg’.

Edit the .htaccess file to have these lines. The RewriteRule has to sit before WordPress's own rewrite rules, so that requests to the SP handler are not rewritten to index.php, and the AllowOverride for the document root must include FileInfo (for the rewrite) and AuthConfig (for the Auth directives):

RewriteRule ^Shibboleth\.sso - [L]

# BEGIN Shibboleth
AuthType Shibboleth
Require Shibboleth
# END Shibboleth

`Require Shibboleth` without `ShibRequestSetting requireSession 1` is a lazy session: Apache lets every request through, and the SP only populates the attributes when a session exists, which is what the plugin expects, since it sends the user to the Session Initiator itself. Leave ShibUseHeaders at its default of Off; the attributes then reach PHP as server environment variables (e.g. $_SERVER['uid'] under mod_php), which a client cannot set, rather than as HTTP request headers.
  1. Jark
    November 10th, 2012 at 14:14 | #1

    Thanks for the blog, nice to see how it works in the background.

    The shibboleth plugin you mentioned definitely works on a default WordPress installation on the st-andrews.ac.uk domain, with some small modifications. I can send you the modified version if you want.

    • Son Truong
      November 12th, 2012 at 15:38 | #2

      Thanks Jark. I am sure it does, but I have been working on the Multisite version (the WordPress MS hosting this site!) After a few months of scouring the internet for info and hacking the plugin, I’ve managed to integrate WP MS with Shibboleth. This post is still in progress and I will detail and publish how it is done.
