This guide configures our Shibboleth Identity Provider to use our Apache Directory Server as an authentication source and user attribute source. Simply put, this is an exercise in modifying text files. This can be a little tricky because the XML is case sensitive and has to be correct. There is an accompanying video on YouTube at https://www.youtube.com/watch?v=pX2RkBTqnyQ
I presume:
- You are working with a clean [installation](https://www.fukr.org.uk/blog/shibboleth-identity-provider-installation-on-ubuntu-16-04/) of the Identity Provider software.
- You are proxying the IdP with Apache httpd via AJP: https://www.fukr.org.uk/blog/running-shibboleth-idp-proxied-with-apache-httpd-via-mod_proxy_ajp/
- You have [configured and populated your Apache Directory Server](https://www.fukr.org.uk/blog/configure-ldap-on-apache-directory-server/)
- You have sudo access to modify the files in this guide
Let's crack on.
- Open a terminal and change directory to the base of your Identity Provider installation (usually /opt/shibboleth-idp). All of the subsequent documentation assumes this.
cd /opt/shibboleth-idp
- My LDAP server is running on the same host as the IdP. Open conf/ldap.properties and modify the following lines:
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,ou=potato
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = secret
idp.attribute.resolver.LDAP.returnAttributes = displayName,uid,mail
- Save your file and exit your text editor. Note: in the video I omitted to paste in the 'startTLS' and 'useSSL' lines, which is crucial. Sorry!
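Before restarting anything, it is worth reading those nine lines back with a security hat on: the connection is cleartext, the bind identity is the directory's built-in administrator, and the bind password is the directory's default. The following script is an added example (not part of this guide or of the Shibboleth IdP) that parses a Java-style properties file and flags exactly those points, grading cleartext LDAP as merely informational while the URL points at localhost and as high once it points anywhere else. SAMPLE_PROPERTIES is constructed from the values above; the severity labels and finding codes are my own.

```python
"""Lint the idp.authn.LDAP.* settings from conf/ldap.properties.

Added example, not part of the original guide or of the Shibboleth IdP:
it parses the Java-style properties file and flags the settings a reviewer
would question before this IdP leaves a test box. SAMPLE_PROPERTIES is
constructed from the values the guide tells you to set.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the lines shown in the guide.
SAMPLE_PROPERTIES = """\
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=people,ou=potato
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = secret
idp.attribute.resolver.LDAP.returnAttributes = displayName,uid,mail
"""

# ApacheDS ships with this administrator account and password; the guide
# reuses both as the IdP's bind identity.
APACHEDS_DEFAULT_ADMIN_DN = "uid=admin,ou=system"
APACHEDS_DEFAULT_ADMIN_PASSWORD = "secret"


def parse_properties(text):
    """Parse 'key = value' lines the way java.util.Properties does for the simple
    cases: blank lines and lines starting with '#' or '!' are ignored, the key ends
    at the first '=' or ':' (or whitespace), and the rest of the line is the value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_true(props, key, default="false"):
    return props.get(key, default).strip().lower() == "true"


def lint_ldap_properties(props):
    """Return a list of (severity, code, message) findings, highest severity first."""
    findings = []
    url = urlparse(props.get("idp.authn.LDAP.ldapURL", ""))
    host = url.hostname or ""
    local_only = host in ("localhost", "127.0.0.1", "::1")
    encrypted = (url.scheme == "ldaps"
                 or is_true(props, "idp.authn.LDAP.useSSL")
                 or is_true(props, "idp.authn.LDAP.useStartTLS"))

    # Every user's password (simple bind) and the IdP's own bind password cross this
    # connection, so cleartext is only tolerable while it never leaves the host.
    if not encrypted:
        if local_only:
            findings.append(("info", "CLEARTEXT_LOCAL",
                             f"cleartext LDAP to {host}: fine only while the directory stays on "
                             "this host; switch to ldaps:// or useStartTLS=true before moving it"))
        else:
            findings.append(("high", "CLEARTEXT_REMOTE",
                             f"cleartext LDAP to {host}: user and bind passwords would cross "
                             "the network unencrypted"))

    bind_dn = props.get("idp.authn.LDAP.bindDN", "")
    if bind_dn.lower() == APACHEDS_DEFAULT_ADMIN_DN:
        findings.append(("medium", "ADMIN_BIND",
                         "bindDN is the ApacheDS administrator; use a dedicated read-only service account"))
    if props.get("idp.authn.LDAP.bindDNCredential") == APACHEDS_DEFAULT_ADMIN_PASSWORD:
        findings.append(("high", "DEFAULT_CREDENTIAL",
                         "bindDNCredential is the ApacheDS default password; change it on the directory and here"))

    # bindSearchAuthenticator finds the user's DN with userFilter and then binds as
    # that DN, so the filter must carry the {user} placeholder.
    if "{user}" not in props.get("idp.authn.LDAP.userFilter", ""):
        findings.append(("high", "FILTER_NO_USER",
                         "userFilter lacks {user}; bindSearchAuthenticator cannot locate the account"))

    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, code, message in lint_ldap_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity:<6}] {code}: {message}")
```

Run it against the real file with `python3 lint.py < conf/ldap.properties` after swapping SAMPLE_PROPERTIES for `sys.stdin.read()`; on the guide's values it reports the default credential, the admin bind and the localhost cleartext connection, and reports nothing once the bind account and password are replaced and StartTLS is on.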
The IdP’s password authentication by default is configured for LDAP as a backend. You can check this by doing the following.
- Open conf/authn/password-authn-config.xml and make sure that <import resource="ldap-authn-config.xml"/> is uncommented.
Now we configure the attribute resolver.
- Rename conf/attribute-resolver.xml to conf/attribute-resolver-default.xml:
sudo mv conf/attribute-resolver.xml conf/attribute-resolver-default.xml
- Copy conf/attribute-resolver-ldap.xml to conf/attribute-resolver.xml:
sudo cp conf/attribute-resolver-ldap.xml conf/attribute-resolver.xml
- Change the owner of the new file:
sudo chown tomcat8 conf/attribute-resolver.xml
- Open conf/attribute-resolver.xml and add the following attribute definition:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false"/>
</resolver:AttributeDefinition>
- Delete the myLDAP data connector and replace it with:
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
    <dc:FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
</resolver:DataConnector>
Because we don’t have a service provider installed we need to allow an attribute to be released to anyone. This is for testing purposes later.
- Open conf/attribute-filter.xml and add the following attribute filter policy:
<AttributeFilterPolicy id="anyone">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
- Restart the IdP and check for error messages:
sudo service tomcat8 restart && tail -f logs/idp-process.log
- Press Ctrl-C to exit.
We should now be ready for some testing. The tool we are going to use is bin/aacli.sh, in the form of:
sudo bin/aacli.sh --url https://yourfullyqualifiedhostname/idp --principal yourtestuser --requester anythingyoulike
In my case I use:
bin/aacli.sh --url https://shib-idp.lan/idp --requester blah --principal testuser
If using a self-signed certificate in Apache httpd, you must add it to the Java keystore:
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt -alias lan-self-cert -file /etc/ssl/certs/shib-idp.lan.crt
If all went well you should see something similar to the JSON below.
{
  "requester": "blah",
  "principal": "testuser",
  "attributes": [
    {
      "name": "uid",
      "values": [
        "StringAttributeValue{value=testuser}"
      ]
    }
  ]
}
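Note what the output shows: the resolver fetched displayName, uid and mail, but only uid appears, because the "anyone" filter policy permits nothing else. Rather than eyeballing the JSON, the following added example (mine, not part of this guide or of the Shibboleth IdP) parses aacli's output, unwraps the StringAttributeValue{value=...} form the IdP prints, and compares the released set against what the filter is meant to allow, so an attribute that leaks past the filter or one that silently stops being resolved shows up as a failed check. SAMPLE_OUTPUT is the JSON above; the second JSON in the usage is a constructed case where mail leaks.

```python
"""Turn the aacli.sh output check into an assertion.

Added example, not part of the original guide or of the Shibboleth IdP.
SAMPLE_OUTPUT is the JSON shown in the guide; the expected values mirror the
filter policy, which permits only uid even though the resolver returns
displayName, uid and mail.
"""
import json
import re

SAMPLE_OUTPUT = """{ "requester": "blah", "principal": "testuser",
  "attributes": [ { "name": "uid", "values": [ "StringAttributeValue{value=testuser}" ] } ] }"""

# aacli prints each value through the IdP's toString(), e.g. StringAttributeValue{value=...}
VALUE_RE = re.compile(r"^\w*AttributeValue\{value=(.*)\}$", re.DOTALL)


def released_attributes(output):
    """Map attribute name -> list of plain values, unwrapping the toString() form."""
    doc = json.loads(output)
    released = {}
    for attr in doc.get("attributes", []):
        values = []
        for raw in attr.get("values", []):
            m = VALUE_RE.match(raw)
            values.append(m.group(1) if m else raw)
        released[attr["name"]] = values
    return released


def verify_release(output, principal, expected):
    """Compare what the IdP released for `principal` with `expected`
    ({attribute: [values]}) and return a report dict."""
    doc = json.loads(output)
    released = released_attributes(output)
    return {
        "principal_ok": doc.get("principal") == principal,
        # released although the filter should have blocked it
        "unexpected": sorted(set(released) - set(expected)),
        # expected but absent: resolver did not return it or the filter dropped it
        "missing": sorted(set(expected) - set(released)),
        "wrong_values": sorted(a for a in expected if a in released and released[a] != expected[a]),
    }


def release_is_correct(report):
    return report["principal_ok"] and not (
        report["unexpected"] or report["missing"] or report["wrong_values"])


if __name__ == "__main__":
    report = verify_release(SAMPLE_OUTPUT, "testuser", {"uid": ["testuser"]})
    print(report, "->", "OK" if release_is_correct(report) else "FAIL")
    # Constructed leak: a second attribute released that the filter should have blocked.
    leaky = json.dumps({"requester": "blah", "principal": "testuser", "attributes": [
        {"name": "uid", "values": ["StringAttributeValue{value=testuser}"]},
        {"name": "mail", "values": ["StringAttributeValue{value=testuser@example.test}"]}]})
    print(verify_release(leaky, "testuser", {"uid": ["testuser"]}))
```

Pipe the real run into it with `bin/aacli.sh ... | python3 check.py` after swapping SAMPLE_OUTPUT for `sys.stdin.read()`, and keep the expected dictionary next to the filter policy so the two are changed together.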