Installing PAPI as an SSO for a Shibboleth IdP
==============================================

Following these instructions you can configure the SSO service of a
Shibboleth IdP as a PoA of PAPI. The PoA makes the identity of the
principal available to the IdP, provided that the PAPI assertion
carries it in the 'uid' field.

No other field of the assertion is passed to the IdP.

These instructions assume the following:

- You have installed at least a PAPI AS and a GPoA following the
  instructions of
  http://papi.rediris.es/rep/PerlQuickInstall.txt

- You have downloaded the PAPIFilter jar file from:
  ftp://ftp.rediris.es/rediris/papi/java/papifilter.jar

  and the PAPI-Shib wrapper filter from:
  ftp://ftp.rediris.es/rediris/papi/java/PAPIShibWrapperFilter.jar

- You have installed a Shibboleth IdP in this host under 
  http://.../shibboleth-idp


$ mkdir -p /usr/local/PAPI/PAPIFilter
$ ps -ef | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/lkey
$ cat /var/log/messages | md5sum | cut -c1-32 > /usr/local/PAPI/PAPIFilter/hkey
$ touch /usr/local/PAPI/PAPIFilter/cookies.txt
$ chown -R tomcat5 /usr/local/PAPI/PAPIFilter
$ chmod -R go-rwx /usr/local/PAPI/PAPIFilter

lkey and hkey are the AES keys the filter uses to encrypt and decrypt
its cookies, so keep them readable by the Tomcat user only (hence the
chmod). Hashing the output of ps and syslog gives a key file of the
expected format (32 hex characters) but from input that anyone with a
shell on the host can largely reproduce; on a machine with
/dev/urandom, 'openssl rand -hex 16' written to each file gives the
same format from a proper random source.

$ cp papifilter.jar $CATALINA_HOME/shared/lib
$ cp PAPIShibWrapperFilter.jar $CATALINA_HOME/shared/lib
$ cd $CATALINA_HOME/common/lib
$ wget http://www.bouncycastle.org/download/bcprov-jdk15-132.jar

* Copy the AS public key to /usr/local/PAPI/PAPIFilter/MyAS_pubkey.pem
* Copy the GPoA public key to /usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem

In that directory, create the file PoAconf.xml by copying the template
below and replacing poahost, ashost and the other site-specific values.
The file is read as a Java properties file, not by a shell, so write
the real path in acceptURL and rejectURL instead of $CATALINA_HOME.
The rule 'any => accept' in PoAconf.PAPI_Filter admits every assertion
that reaches this PoA through the GPoA: the PoA only authenticates the
principal, authorization stays with the IdP and the SPs it serves.

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- 	Configuration file for PAPI filter in Tomcat
	Version: 0.2	06/07/2006
	Author: Ajay Daryanani Arjandas
-->
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">

<properties>
	<!-- Recognized AS's. For each AS, define: description, file path, public & private key files and URL, with the format: ASname.parameter  -->
<!--
	<entry key="MyAS.desc">Test AuthServer</entry>
	<entry key="MyAS.pubkeyName">/usr/local/PAPI/PAPIFilter/MyAS_pubkey.pem</entry>
	<entry key="MyAS.URL">http://ashost/cgi-bin/AuthServer</entry>
-->

	<!-- Cookie encrypting/decrypting AES key files -->
	<entry key="PoAkeys.lkeyName">/usr/local/PAPI/PAPIFilter/lkey</entry>
	<entry key="PoAkeys.hkeyName">/usr/local/PAPI/PAPIFilter/hkey</entry>

	<!-- PoA configuration values -->
	<entry key="PoAconf.serviceID">id_papifilter</entry>
	<entry key="PoAconf.location">/shibboleth-idp/SSO</entry>
	<entry key="PoAconf.path">/usr/local/PAPI/PAPIFilter/</entry>
	<entry key="PoAconf.cookieFile">cookies.txt</entry>
	<entry key="PoAconf.cookieMaxAge">604800</entry>
	<entry key="PoAconf.Cookie_Reject">any => accept</entry>
	<entry key="PoAconf.Lcook_Timeout">300000</entry>
	<entry key="PoAconf.acceptURL">$CATALINA_HOME/conf/PAPI/blueball.gif</entry>
	<entry key="PoAconf.rejectURL">$CATALINA_HOME/conf/PAPI/redball.gif</entry>
	<entry key="PoAconf.rejectMessage">You don't have the right cookies</entry>
	<entry key="PoAconf.POST_Method">manual</entry>
	<entry key="PoAconf.URL_Timeout">50000</entry>
	<entry key="PoAconf.PAPI_Filter">any => accept</entry> 
	<entry key="PoAconf.attSeparator">,</entry>
	<entry key="PoAconf.valSeparator">-</entry>
	<entry key="PoAconf.attValSeparator">=</entry>

	<!-- Parent GPoA values -->
	<entry key="ParentGPoA.URL">http://poahost/gpoa/PAPI/cookie_handler.cgi</entry> 
	<entry key="ParentGPoA.pubkeyName">/usr/local/PAPI/PAPIFilter/_GPoA_pubkey.pem</entry>
</properties>
<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>
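The key-generation step and the paths in PoAconf.xml can be checked
mechanically before the filter is wired into the IdP. The script below
is an added example written for this page, not code from PAPI or from
the original instructions: it generates lkey and hkey from /dev/urandom
in the same 32-hex-character format the md5sum commands above produce,
and verifies that the files named in a PoAconf.xml exist, have that
format and are not world-readable. It assumes a POSIX shell with dd,
od, find and /dev/urandom, and that the filter expects the key files
as 32 hex characters (inferred from the commands above, not documented
on this page).

```shell
#!/bin/sh
# Added example for this page; not part of the PAPI distribution or of
# the original instructions. Generates the two AES key files from
# /dev/urandom instead of hashing ps/syslog output, and checks that the
# files a PoAconf.xml names exist, have the expected format and are not
# world-readable.
# Assumptions: POSIX sh with dd, od, find and /dev/urandom; the key file
# format (32 hex characters) is the one `md5sum | cut -c1-32` produced.

# Write 16 random bytes as 32 lowercase hex characters to $1 (mode 0600).
gen_key_file() {
    ( umask 077
      dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -A n -t x1 \
        | tr -d ' \n' > "$1" )
}

# Return 0 if file $1 holds exactly 32 hex characters, the key file format.
check_key_format() {
    key=$(cat "$1" 2>/dev/null) || return 1
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#key}" -eq 32 ]
}

# Print the value of <entry key="$2">...</entry> from the properties file $1.
conf_value() {
    sed -n "s/.*<entry key=\"$2\">\([^<]*\)<\/entry>.*/\1/p" "$1" | head -n 1
}

# Verify the key material a PoAconf.xml points at. Returns non-zero and
# reports each problem on stderr when something is wrong.
check_poaconf() {
    conf=$1
    rc=0
    for k in PoAkeys.lkeyName PoAkeys.hkeyName; do
        f=$(conf_value "$conf" "$k")
        if [ -z "$f" ]; then
            echo "$k: not set in $conf" >&2; rc=1; continue
        fi
        if ! check_key_format "$f"; then
            echo "$k: $f missing or not a 32-hex-character key" >&2; rc=1
        elif [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "$k: $f is world-readable" >&2; rc=1
        fi
    done
    f=$(conf_value "$conf" ParentGPoA.pubkeyName)
    if [ -z "$f" ] || [ ! -r "$f" ]; then
        echo "ParentGPoA.pubkeyName: '$f' not readable" >&2; rc=1
    fi
    return "$rc"
}

# Usage: sh check_poa.sh /usr/local/PAPI/PAPIFilter/PoAconf.xml
# (run as the Tomcat user; call gen_key_file on lkey and hkey first if
#  you want to replace the ps/syslog-derived keys).
if [ $# -ge 1 ]; then
    check_poaconf "$1"
fi
```

Run it as the Tomcat user so the readability checks reflect what the
filter will see; run it again after chown/chmod if you regenerate the
keys, since gen_key_file creates the files owned by whoever runs it.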


* Add the following lines to
  $CATALINA_HOME/webapps/shibboleth-idp/WEB-INF/web.xml
  just before the closing '</web-app>'. If that web.xml declares the
  Servlet 2.3 DTD, element order is enforced and the <filter> and
  <filter-mapping> elements must instead go before any <listener> and
  <servlet> elements; with the 2.4 schema the position is free. Keep
  the two filter-mappings in this order: the filter chain follows the
  order of the filter-mapping elements, so PAPI Filter has validated
  the assertion by the time the wrapper filter runs for /SSO.


<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>

  <filter>
    <filter-name>PAPI Filter</filter-name>
    <filter-class>es.rediris.papi.filter.PAPIFilter</filter-class>
    <init-param>
      <param-name>PAPI.configFile</param-name>
      <param-value>/usr/local/PAPI/PAPIFilter/PoAconf.xml</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>PAPI Filter</filter-name>
    <url-pattern>/SSO</url-pattern>
  </filter-mapping>

  <filter>
    <filter-name>PAPI Shib Wrapper Filter</filter-name>
    <filter-class>es.rediris.papi.filter.PAPIShibWrapperFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>PAPI Shib Wrapper Filter</filter-name>
    <url-pattern>/SSO</url-pattern>
  </filter-mapping>

<<<<<<<<<<<<<<<<<<<<<< CUT HERE >>>>>>>>>>>>>>>>>>>>>>