
Configure LDAP Authentication and Attribute Release in Shibboleth IdP

This guide configures our Shibboleth Identity Provider to use our Apache Directory Server as both its authentication source and its user attribute source. Put simply, this is an exercise in modifying text files. It can be a little tricky because the XML is case sensitive and has to be exactly right. There is an accompanying video on YouTube at https://www.youtube.com/watch?v=pX2RkBTqnyQ

I presume:

  • You are working with a clean [installation](https://www.fukr.org.uk/blog/shibboleth-identity-provider-installation-on-ubuntu-16-04/) of the Identity Provider software.
  • You are proxying the IdP with Apache httpd via AJP: https://www.fukr.org.uk/blog/running-shibboleth-idp-proxied-with-apache-httpd-via-mod_proxy_ajp/
  • You have [configured and populated your Apache Directory Server](https://www.fukr.org.uk/blog/configure-ldap-on-apache-directory-server/)
  • You have sudo access to modify the files in this guide

Let's crack on.

  • Open a terminal and change directory to the base of your Identity Provider installation (usually /opt/shibboleth-idp). All of the subsequent documentation assumes this.
cd /opt/shibboleth-idp
  • My LDAP server is running on the same host as the IdP. Open conf/ldap.properties and modify the following lines:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,ou=potato
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = secret
idp.attribute.resolver.LDAP.returnAttributes = displayName,uid,mail
  • Save your file and exit your text editor. Note: in the video I omitted to paste in the 'useStartTLS' and 'useSSL' lines, which is crucial. Sorry!
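As an added example (not part of the original guide), the following Python script reads the ldap.properties lines above, expands the `{user}` placeholder in `idp.authn.LDAP.userFilter` with RFC 4515 escaping (the IdP's LDAP library does this for you; it is spelled out here to show why the placeholder is safe to use), and flags the one transport setting that matters: both `useStartTLS` and `useSSL` are `false` here, which is only acceptable because the directory is on localhost. The property names are the page's own; the parser and the warning logic are mine.

```python
from urllib.parse import urlparse

# Constructed copy of the conf/ldap.properties lines set in this guide.
LDAP_PROPERTIES = """\
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,ou=potato
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = secret
idp.attribute.resolver.LDAP.returnAttributes = displayName,uid,mail
"""

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

# RFC 4515 escapes for a value placed inside a search filter assertion.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_user_filter(props, username):
    """Expand {user} in idp.authn.LDAP.userFilter as the bind-search authenticator's
    search step would; the supplied username is escaped so it cannot alter the filter."""
    template = props["idp.authn.LDAP.userFilter"]
    if "{user}" not in template:
        raise ValueError("userFilter must contain the {user} placeholder")
    return template.replace("{user}", escape_filter_value(username))

def transport_warnings(props):
    """Flag a configuration in which the user's password would travel unprotected."""
    url = props.get("idp.authn.LDAP.ldapURL", "")
    host = urlparse(url).hostname or ""
    encrypted = (props.get("idp.authn.LDAP.useStartTLS", "false").lower() == "true"
                 or props.get("idp.authn.LDAP.useSSL", "false").lower() == "true"
                 or url.startswith("ldaps://"))
    warnings = []
    if not encrypted and host not in ("localhost", "127.0.0.1", "::1"):
        warnings.append(f"plaintext LDAP to remote host {host}: passwords sent in the clear")
    return warnings
```

Run it against a copy of your own ldap.properties before moving the directory to another host; the warning fires as soon as the URL stops pointing at localhost without StartTLS or LDAPS.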

The IdP’s password authentication by default is configured for LDAP as a backend. You can check this by doing the following.

  • Open conf/authn/password-authn-config.xml and make sure that <import resource="ldap-authn-config.xml"/> is uncommented.

Now we configure the attribute resolver.

  • Rename conf/attribute-resolver.xml to conf/attribute-resolver-default.xml:
sudo mv conf/attribute-resolver.xml conf/attribute-resolver-default.xml
  • Copy conf/attribute-resolver-ldap.xml to conf/attribute-resolver.xml:
sudo cp conf/attribute-resolver-ldap.xml conf/attribute-resolver.xml
  • Change the owner of the new file:
sudo chown tomcat8 conf/attribute-resolver.xml
  • Open attribute-resolver.xml and add the following attribute definition:
<resolver:AttributeDefinition xsi:type="ad:Simple"
                              id="displayName"
                              sourceAttributeID="displayName">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:displayName"
                               encodeType="false"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:2.16.840.1.113730.3.1.241"
                               friendlyName="displayName"
                               encodeType="false"/>
</resolver:AttributeDefinition>
  • Delete the myLDAP data connector and replace it with:
<resolver:DataConnector id="myLDAP"
                        xsi:type="dc:LDAPDirectory"
                        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
                        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
                        principal="%{idp.attribute.resolver.LDAP.bindDN}"
                        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
    <dc:FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
</resolver:DataConnector>

Because we don’t have a service provider installed we need to allow an attribute to be released to anyone. This is for testing purposes later.

  • Open conf/attribute-filter.xml and add the following attribute filter policy:
<AttributeFilterPolicy id="anyone">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
  • Restart the IdP and check for error messages:
sudo service tomcat8 restart && tail -f logs/idp-process.log
  • Press Ctrl-C to exit.

We should now be ready for some testing. The tool we are going to use is bin/aacli.sh, in the form of:

sudo bin/aacli.sh --url https://yourfullyqualifiedhostname/idp --principal yourtestuser --requester anythingyoulike

In my case I use:

bin/aacli.sh --url https://shib-idp.lan/idp --requester blah --principal testuser

If using a self-signed certificate in Apache httpd, you must add it to the java keystore:

sudo keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt -alias lan-self-cert -file /etc/ssl/certs/shib-idp.lan.crt

If all went well you should see something similar to the JSON below:

{
  "requester": "blah",
  "principal": "testuser",
  "attributes": [
                  {
                    "name": "uid",
                    "values": [
                               "StringAttributeValue{value=testuser}"
                              ]
                   }
                ]
}
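To show why the aacli output above lists only uid even though the resolver returns displayName, uid and mail, here is an added example (not part of the original guide or of the IdP's own code) that evaluates the "anyone" AttributeFilterPolicy from conf/attribute-filter.xml over a constructed set of resolved attributes. The policy-group wrapper, the second requester-specific policy and the resolved values are constructed for the example; only the ANY and Requester rule types are modelled, and any other type evaluates to false so the check fails closed.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The "anyone" policy from this guide inside the policy-group root that
# conf/attribute-filter.xml already carries; the second policy is constructed.
ATTRIBUTE_FILTER = f"""\
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="{AFP}"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <AttributeFilterPolicy id="anyone">
        <PolicyRequirementRule xsi:type="ANY"/>
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>
    <AttributeFilterPolicy id="example-sp">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

def rule_matches(rule, requester):
    """Evaluate a PolicyRequirementRule or PermitValueRule. Only ANY and Requester
    are modelled; any other xsi:type evaluates False so the policy fails closed."""
    kind = rule.get(XSI_TYPE)
    if kind == "ANY":
        return True
    if kind == "Requester":
        return rule.get("value") == requester
    return False

def released_attributes(policy_xml, requester, resolved):
    """Attributes (name -> values) the filter lets through to this requester, given
    what the resolver produced. Attributes with no matching AttributeRule are withheld."""
    root = ET.fromstring(policy_xml)
    released = {}
    for policy in root.findall(f"{{{AFP}}}AttributeFilterPolicy"):
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if req is None or not rule_matches(req, requester):
            continue
        for arule in policy.findall(f"{{{AFP}}}AttributeRule"):
            name = arule.get("attributeID")
            permit = arule.find(f"{{{AFP}}}PermitValueRule")
            if name in resolved and permit is not None and rule_matches(permit, requester):
                released.setdefault(name, []).extend(resolved[name])
    return released

# Constructed stand-in for what the myLDAP connector returns for testuser.
RESOLVED = {"uid": ["testuser"], "displayName": ["Test User"], "mail": ["testuser@shib-idp.lan"]}
```

For requester "blah" only uid survives, matching the aacli output; displayName never leaves the IdP until a policy names it.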