
Configure Shibboleth IdP for our Service Provider

This guide configures our IdP to ‘talk’ to our SP. There is a video here: https://www.youtube.com/watch?v=VcKBr00Axs4

This guide assumes the following:

  • You have a working Identity Provider
  • You have completed the installation and configuration of the Shibboleth Service Provider
  • Your working directory is the root of your IdP installation. Usually /opt/shibboleth-idp

Lets get started.

  • First we need a copy of the Service Provider metadata for our IdP. This file defines the entityID, endpoints and certificate the IdP will trust for this SP, so fetch it over HTTPS with certificate verification left on (do not add -k/--insecure) and read through it before going any further.
sudo -u tomcat8 curl https://shib-idp.lan/Shibboleth.sso/Metadata --output metadata/sp-metadata.xml
  • Now we need to tell our IdP where to find this metadata file.
  • In a text editor, open conf/metadata-providers.xml and add the following inside the top-level ChainingMetadataProvider element
<MetadataProvider id="sp-metadata"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml"/>

Save and close conf/metadata-providers.xml
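Before wiring the downloaded file into metadata-providers.xml it is worth checking what you actually pulled down: that the entityID is the one you expect (it is also the value the attribute-filter Requester rule will later match on), that the SP published a certificate, and that every AssertionConsumerService endpoint is TLS. The script below is an added example written for this guide, not part of Shibboleth; it runs against a constructed stand-in for metadata/sp-metadata.xml (the second, plain-http endpoint is there on purpose so the check has something to flag) and, given a path on the command line, against the real file.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample standing in for metadata/sp-metadata.xml. The entityID and
# hostnames follow this guide; the second AssertionConsumerService is deliberately
# plain http so the check below has something to report.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://shib-idp.lan/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shib-idp.lan/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://shib-idp.lan/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_sp_metadata(xml_text, expected_entity_id):
    """Parse SP metadata and report what the IdP would trust from it.

    Returns the entityID, the number of X.509 certificates the IdP will use to
    encrypt to / verify this SP, the ACS endpoints, whether the document is
    signed, and a list of problems to resolve before the file goes live.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor, got " + root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor: this is not SP metadata")

    entity_id = root.get("entityID", "")
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    acs = [(a.get("index"), a.get("Binding"), a.get("Location", ""))
           for a in sp.findall("md:AssertionConsumerService", NS)]

    problems = []
    if entity_id != expected_entity_id:
        # This value is what the Requester rule in attribute-filter.xml matches on.
        problems.append("entityID is %r, expected %r" % (entity_id, expected_entity_id))
    if not certs:
        problems.append("no X509Certificate in KeyDescriptor: IdP cannot encrypt assertions to this SP")
    if not acs:
        problems.append("no AssertionConsumerService: IdP has nowhere to send the response")
    for index, _binding, location in acs:
        if not location.lower().startswith("https://"):
            problems.append("AssertionConsumerService index %s is not TLS: %s" % (index, location))

    return {
        "entity_id": entity_id,
        "certificates": len(certs),
        "acs": acs,
        # Metadata pulled straight from the SP is normally unsigned; trust then
        # rests entirely on the TLS fetch above.
        "signed": root.find("ds:Signature", NS) is not None,
        "problems": problems,
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 check_sp_metadata.py [metadata/sp-metadata.xml]
    if len(sys.argv) > 1:
        text = open(sys.argv[1], "rb").read()
    else:
        text = SAMPLE_SP_METADATA
    for key, value in inspect_sp_metadata(text, "https://shib-idp.lan/sp").items():
        print(key, value)
```

The expected entityID is passed in rather than read from the file on purpose: the whole point is to confirm the SP you think you fetched is the SP the file describes.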

Next up, we define two more attributes in conf/attribute-resolver.xml. We already defined displayName; uid and mail are defined by default in the IdP. The Dependency ref="myLDAP" below must match the id of your LDAP data connector.

<resolver:AttributeDefinition xsi:type="ad:Simple"
                              id="surname"
                              sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:sn"
                               encodeType="false"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:2.5.4.4"
                               friendlyName="sn"
                               encodeType="false"/>
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple"
                              id="givenName"
                              sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:givenName"
                               encodeType="false"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:2.5.4.42"
                               friendlyName="givenName"
                               encodeType="false"/>
</resolver:AttributeDefinition>
  • And now modify conf/ldap.properties so that the data connector returns the attributes the definitions above depend on. The names in this list are LDAP attribute names and must match the sourceAttributeID values in the resolver, so it is sn here, not surname (surname is only the id of the resolved IdP attribute).
idp.attribute.resolver.LDAP.returnAttributes = uid,displayName,mail,sn,givenName
  • You should now be able to authenticate, but attribute release still has to be configured for this specific SP. We do this in conf/attribute-filter.xml by adding the following. Change the requester value to the entityID of your SP; it is compared as an exact string against the entityID in the SP metadata. Release of uid to everybody is already defined.
<AttributeFilterPolicy id="our-sp">
  <PolicyRequirementRule xsi:type="Requester"
                         value="https://shib-idp.lan/sp"/>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="ANY"/>
  </AttributeRule>
</AttributeFilterPolicy>
  • Restart the IdP and check logs/idp-process.log for errors.
sudo service tomcat8 restart && tail -f logs/idp-process.log

Now we need to revisit our SP and reconfigure it to request attributes from our IdP. (I should have done this when I configured the SP, bah!)

  • In a text editor open /etc/shibboleth/attribute-map.xml and paste in the following. Each attribute gets two rules: the urn:mace name the IdP uses for SAML 1 and the urn:oid name it uses for SAML 2, and each name must be distinct; a name mapped to more than one id cannot be honoured, because the SP keys its rules by name. (The stock file already contains commented-out entries for these, which you can uncomment instead.)
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
  • Restart shibd by issuing
sudo service shibd restart
  • Check /var/log/shibboleth/shibd.log for errors
  • Lastly add the mail, displayName and givenName attributes to your test user in Apache Directory Studio (sn is mandatory for inetOrgPerson, so it should already be set).
  • Check your attribute release by starting a web browser and opening https://yourhostname.domain/Shibboleth.sso/Login

If your login was successful, navigate to https://yourhostname.domain/Shibboleth.sso/Session and you should see a summary of the attributes released to your SP.
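An attribute that is missing from the Session page can have gone astray on either side: the IdP may not encode it, the filter may not release it, or the SP may map the incoming name to the wrong id (or to several). The two files that have to agree are the IdP's attribute-resolver.xml (the name attributes on its AttributeEncoder elements) and the SP's attribute-map.xml. The script below is an added example written for this guide, not part of Shibboleth; it parses both, reports every name the IdP encodes that the SP does not map and every name the SP maps more than once, and runs against constructed fragments: the two resolver definitions from this guide, an attribute-map carrying the copy-paste error where every urn:mace name reads ...:uid, and the corrected map. Pass the two real file paths on the command line to run it against your installation.

```python
import xml.etree.ElementTree as ET

RESOLVER = "urn:mace:shibboleth:2.0:resolver"
ATTRIBUTE_MAP = "urn:mace:shibboleth:2.0:attribute-map"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed fragment of conf/attribute-resolver.xml: the surname and givenName
# definitions from this guide, wrapped in the root element and namespaces the
# real file declares.
IDP_RESOLVER = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""

# Constructed /etc/shibboleth/attribute-map.xml with the copy-paste error (every
# urn:mace name is ...:uid), and the same file with the names corrected.
SP_MAP_BROKEN = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
  <Attribute name="urn:mace:dir:attribute-def:uid" id="sn"/>
  <Attribute name="urn:oid:2.5.4.4" id="sn"/>
  <Attribute name="urn:mace:dir:attribute-def:uid" id="givenName"/>
  <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
</Attributes>
"""
SP_MAP_FIXED = (SP_MAP_BROKEN
                .replace('attribute-def:uid" id="sn"', 'attribute-def:sn" id="sn"')
                .replace('attribute-def:uid" id="givenName"', 'attribute-def:givenName" id="givenName"'))


def idp_encoded_names(resolver_xml):
    """Map each SAML attribute name the IdP can emit to the resolver id behind it."""
    root = ET.fromstring(resolver_xml)
    emitted = {}
    for defn in root.iter("{%s}AttributeDefinition" % RESOLVER):
        for enc in defn.findall("{%s}AttributeEncoder" % RESOLVER):
            # SAML1String, SAML2String and the Scoped variants all carry a name.
            if enc.get(XSI_TYPE, "").endswith("String"):
                emitted[enc.get("name")] = defn.get("id")
    return emitted


def sp_mapped_names(attribute_map_xml):
    """Map each incoming SAML attribute name to the SP ids that claim it."""
    root = ET.fromstring(attribute_map_xml)
    mapped = {}
    for attr in root.iter("{%s}Attribute" % ATTRIBUTE_MAP):
        mapped.setdefault(attr.get("name"), []).append(attr.get("id"))
    return mapped


def check_release_path(resolver_xml, attribute_map_xml):
    """Return the mismatches between what the IdP encodes and what the SP maps."""
    emitted = idp_encoded_names(resolver_xml)
    mapped = sp_mapped_names(attribute_map_xml)
    problems = []
    for name, idp_id in sorted(emitted.items()):
        if name not in mapped:
            problems.append("IdP sends %s (resolver id %s) but the SP attribute-map does not map it"
                            % (name, idp_id))
    for name, ids in sorted(mapped.items()):
        if len(ids) > 1:
            problems.append("SP maps %s to %s: rules are keyed by name, so only one of these can take effect"
                            % (name, ids))
    # Names the SP maps but this IdP never sends are harmless and are not reported.
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python3 check_release_path.py conf/attribute-resolver.xml /etc/shibboleth/attribute-map.xml
    if len(sys.argv) == 3:
        problems = check_release_path(open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read())
    else:
        problems = check_release_path(IDP_RESOLVER, SP_MAP_BROKEN)
    print("\n".join(problems) if problems else "IdP encoders and SP attribute-map agree")
```

This checks the naming contract only; whether a given SP is actually allowed to receive an attribute is still decided by attribute-filter.xml, which is why a name that passes here can still be absent from the Session page until the filter policy releases it.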