This guide configures our IdP to "talk" to our SP. There is a video here: https://www.youtube.com/watch?v=VcKBr00Axs4
This guide assumes the following:
- You have a working Identity Provider
- You have completed the installation and configuration of the Shibboleth Service Provider
- Your working directory is the root of your IdP installation, usually /opt/shibboleth-idp
Let's get started.
- First we need a copy of the Service Provider's metadata for our IdP. Running curl as the tomcat8 user leaves the file owned by the account the IdP runs as.
sudo -u tomcat8 curl https://shib-idp.lan/Shibboleth.sso/Metadata --output metadata/sp-metadata.xml
Open the downloaded file once and confirm that the entityID attribute on its EntityDescriptor is the one you expect and that it contains the SP's certificate: the IdP will trust whatever certificate is in this file for this SP, and the entityID is the value the attribute filter below keys on.
- Now we need to tell our IdP where to find this metadata file.
- In a text editor, open conf/metadata-providers.xml and add the following inside the existing ChainingMetadataProvider element (id="ShibbolethMetadata"), next to the other providers:
<MetadataProvider id="sp-metadata" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml"/>
Save and close conf/metadata-providers.xml.
Next up, we define some more attributes in conf/attribute-resolver.xml. We already defined displayName; uid and mail are defined by default in the IdP. Note that the IdP-side id (surname) and the LDAP attribute it is read from (sn) differ on purpose here; keep that in mind for the next two files.
<resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false"/>
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false"/>
</resolver:AttributeDefinition>
- And now modify conf/ldap.properties so that the data connector returns the LDAP attributes the definitions above read from. This list holds LDAP attribute names (the sourceAttributeID values), not IdP attribute ids, so it must say sn rather than surname; with surname in the list the connector never fetches sn and the surname attribute silently stays empty.
idp.attribute.resolver.LDAP.returnAttributes = uid,displayName,mail,sn,givenName
- You should now be able to authenticate, but we still need to configure attribute release specific to our SP. We do this in conf/attribute-filter.xml by adding the following. Change the requester value to the entityID of your SP, exactly as it appears in the metadata loaded above (it is the entityID attribute, not the Shibboleth.sso URL). The attributeID values are the IdP-side ids from attribute-resolver.xml, hence surname and not sn. Release of uid to everybody is already defined.
<AttributeFilterPolicy id="our-sp">
    <PolicyRequirementRule xsi:type="Requester" value="https://shib-idp.lan/sp"/>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
- Restart the IdP and check logs/idp-process.log for errors (in particular anything about the metadata provider or the attribute resolver failing to load).
sudo service tomcat8 restart && tail -f logs/idp-process.log
Now we need to revisit our SP and reconfigure it to request attributes from our IdP. (I should have done this when I configured the SP, bah!)
- In a text editor open /etc/shibboleth/attribute-map.xml and paste in the following inside the <Attributes> root element. Each SAML attribute name must appear only once; the entries map the SAML1 (urn:mace) and SAML2 (urn:oid) names the IdP encoders emit to a local id the SP uses, and the local id does not have to match the IdP-side id (the IdP's surname arrives as urn:oid:2.5.4.4 and becomes sn here).
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
- Restart shibd by issuing
sudo service shibd restart
- Check /var/log/shibboleth/shibd.log for errors
- Lastly, add the mail, displayName and givenName attributes to your test user in Apache Directory Studio.
- Check your attribute release by starting a web browser and opening https://yourhostname.domain/Shibboleth.sso/Login
If your login was successful, navigate to https://yourhostname.domain/Shibboleth.sso/Session and you should see a summary of the attributes released to your SP. By default the Session handler lists attribute names and value counts only; set showAttributeValues="true" on the Session handler in /etc/shibboleth/shibboleth2.xml if you want to see the values while testing, and turn it off again afterwards.
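When the Session page shows fewer attributes than expected, the cause is almost always a name mismatch between the four files edited above: an LDAP attribute missing from returnAttributes, an attribute-filter rule naming an id the resolver never defined, or one SAML name mapped twice in attribute-map.xml. The script below is an added example, not part of the Shibboleth distribution or of this guide's original steps; it greps the four files for those three mistakes. It assumes one XML element per line (the layout used in the snippets above; a commented-out definition is counted like a live one) and runs against constructed sample files that reproduce the surname/sn mix-up and a duplicated uid mapping, so it produces three findings as written. To check a real installation, call check_plumbing with conf/attribute-resolver.xml, conf/ldap.properties, conf/attribute-filter.xml and /etc/shibboleth/attribute-map.xml instead of the sample paths.

```shell
#!/bin/sh
# check-shib-attrs.sh: cross-check the attribute plumbing set up in this guide.
# Added example, not shipped with Shibboleth. Text-based (grep/sed) and assumes
# one XML element per line, as in the snippets above.

# LDAP attribute names the resolver asks the data connector for.
resolver_sources() {
    grep 'AttributeDefinition' "$1" | grep -o 'sourceAttributeID="[^"]*"' | sed 's/.*="//; s/"$//' | sort -u
}

# IdP-side attribute IDs the resolver defines; attribute-filter.xml must use these.
resolver_ids() {
    grep 'AttributeDefinition' "$1" | grep -o ' id="[^"]*"' | sed 's/.*="//; s/"$//' | sort -u
}

# Entries of idp.attribute.resolver.LDAP.returnAttributes, one per line.
returned_attrs() {
    sed -n 's/^[[:space:]]*idp\.attribute\.resolver\.LDAP\.returnAttributes[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/[[:space:]]//g' | sort -u
}

# Attribute IDs referenced by AttributeRule elements in attribute-filter.xml.
filter_ids() {
    grep -o 'attributeID="[^"]*"' "$1" | sed 's/.*="//; s/"$//' | sort -u
}

# Check 1: a sourceAttributeID missing from returnAttributes makes the LDAP
# connector return nothing for it, and the attribute silently never appears.
missing_from_ldap() {   # $1 attribute-resolver.xml  $2 ldap.properties
    returned=$(returned_attrs "$2")
    resolver_sources "$1" | while read -r src; do
        printf '%s\n' "$returned" | grep -qxF "$src" || echo "$src"
    done
}

# Check 2: attribute-filter.xml may only release IDs the resolver defines.
undefined_in_filter() {  # $1 attribute-resolver.xml  $2 attribute-filter.xml
    defined=$(resolver_ids "$1")
    filter_ids "$2" | while read -r id; do
        printf '%s\n' "$defined" | grep -qxF "$id" || echo "$id"
    done
}

# Check 3: the same SAML attribute name mapped twice in attribute-map.xml.
duplicate_map_names() {
    grep -o 'name="[^"]*"' "$1" | sed 's/.*="//; s/"$//' | sort | uniq -d
}

# Run all checks; returns 1 on any finding.
check_plumbing() {   # $1 resolver  $2 ldap.properties  $3 filter  $4 attribute-map
    status=0
    for a in $(missing_from_ldap "$1" "$2"); do
        echo "returnAttributes lacks LDAP attribute: $a"; status=1; done
    for a in $(undefined_in_filter "$1" "$3"); do
        echo "attribute-filter releases undefined attribute: $a"; status=1; done
    for a in $(duplicate_map_names "$4"); do
        echo "attribute-map maps the same SAML name twice: $a"; status=1; done
    return $status
}

# Constructed sample files (not a real installation) that reproduce two easy
# mistakes: 'surname' where LDAP needs 'sn', and a SAML name mapped twice.
write_samples() {
    mkdir -p "$1"
    cat > "$1/attribute-resolver.xml" <<'EOF'
<resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail"/>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName"/>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn"/>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName"/>
EOF
    cat > "$1/ldap.properties" <<'EOF'
idp.attribute.resolver.LDAP.returnAttributes = uid,displayName,mail,surname,givenName
EOF
    cat > "$1/attribute-filter.xml" <<'EOF'
<AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
<AttributeRule attributeID="displayName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
<AttributeRule attributeID="sn"><PermitValueRule xsi:type="ANY"/></AttributeRule>
<AttributeRule attributeID="givenName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
EOF
    cat > "$1/attribute-map.xml" <<'EOF'
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:uid" id="mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
EOF
}

# Demo run against the constructed samples; expected to report three findings.
SAMPLE_DIR="${TMPDIR:-/tmp}/shib-attr-check.$$"
write_samples "$SAMPLE_DIR"
if check_plumbing "$SAMPLE_DIR/attribute-resolver.xml" "$SAMPLE_DIR/ldap.properties" \
                  "$SAMPLE_DIR/attribute-filter.xml" "$SAMPLE_DIR/attribute-map.xml"; then
    echo "attribute plumbing is consistent"
else
    echo "fix the findings above before restarting the IdP and shibd"
fi
```

The three checks are deliberately one-directional: an LDAP attribute returned but never used, or a resolver definition never released, is harmless, so they are not reported. Only the mismatches that make an attribute disappear between LDAP and the SP are flagged.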