Saturday, January 31, 2015

Steps to install Shibboleth IdP on Windows with Tomcat


1. Download the zip file for the Shibboleth IdP installation from
http://shibboleth.net/downloads/identity-provider. Do not use the latest 3.0, which is not yet stable or well documented; use 2.4. Unzip it to a folder.

2. Check java -version to be sure it is 1.7.0 or above.

3. Execute install.bat and enable the HTTPS connection on port 9443. Set the identity (entityID) of your IdP, for example
https://torn00461340a.amer.global.corp.sap/idp/shibboleth

4. Download Tomcat 7 (ports 9080 and 9443 are used) and add the server into Eclipse.

5. Add idp.xml as described in https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
Set unpackWAR to true to avoid an error when the server starts from Eclipse.

6. Start Tomcat from Eclipse and be sure the URLs below respond:
http://localhost:9080/idp/status
http://localhost:9080/idp/profile/Metadata/SAML


7. Back up relying-party.xml and update its MetadataProvider section as below:

    <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
        <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="C:\opt\shibboleth-idp/metadata/idp-metadata.xml"
                                   maxRefreshDelay="P1D" />
        <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="C:\opt\shibboleth-idp/metadata/testshib.xml" />
    </metadata:MetadataProvider>

8. Open IDP_HOME/conf/handler.xml, comment out the RemoteUser LoginHandler element, and uncomment the UsernamePassword LoginHandler element, so that the login handler section looks like this:

    <!-- Login Handlers
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
    -->

    <!-- Username/password login handler -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file:///C:\opt\shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

9. Open IDP_HOME/conf/login.config and uncomment the example LDAP authentication element. Pay attention to the "file:///" prefix of the jaasConfigurationLocation attribute in handler.xml, which must point at this file.

10. Download Windows AD LDS and install it on Windows 7. Use the online help below to install it ("Office 365 Single Sign-On with Shibboleth 2 whitepaper"):
http://www.microsoft.com/en-ca/download/details.aspx?id=35464


11. Update login.config with the settings below, based on the AD LDS installation. The LDAP module lives inside the ShibUserPassAuth application block that the IdP's UsernamePassword handler looks up:

    ShibUserPassAuth {
       edu.vt.middleware.ldap.jaas.LdapLoginModule required
          ldapUrl="ldap://localhost:389"
          baseDn="CN=torn00461340a,DC=SAP"
          userFilter="cn={0}"
          subtreeSearch="true"
          ssl="false"
          tls="false"
          bindDn="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
          bindCredential="password";
    };
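ssl="false" and tls="false" are acceptable here only because the IdP binds to AD LDS on localhost; pointed at a directory on another host, the same block would send the service account's bind credential and every user's password across the network in the clear. As an added example (not from this post, Shibboleth or the vt-ldap project), the Python script below parses a login.config written in the key="value" form used above and flags that case, plus a bind credential left at a placeholder value. The application name ShibUserPassAuth is the one IdP 2.x uses; the parser, the sample config and the list of placeholder values are assumptions of the example.

```python
"""Check a Shibboleth IdP 2.x login.config (JAAS) for an LDAP bind that
would travel in the clear.  Added example for this post, not Shibboleth or
vt-ldap code; it parses only the key="value" option syntax used above."""
import re
from urllib.parse import urlsplit

# Constructed sample mirroring step 11 of the post (the credential is the
# placeholder value the post shows).
SAMPLE_LOGIN_CONFIG = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://localhost:389"
      baseDn="CN=torn00461340a,DC=SAP"
      userFilter="cn={0}"
      subtreeSearch="true"
      ssl="false"
      tls="false"
      bindDn="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
      bindCredential="password";
};
'''

# Assumption of this example: values that are obviously not real secrets.
PLACEHOLDER_CREDENTIALS = {'', 'password', 'changeit', 'secret'}

_BLOCK_RE = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)
_MODULE_RE = re.compile(
    r'([\w.]+)\s+(required|requisite|sufficient|optional)\s+(.*?);', re.S)
_OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas_config(text):
    """Map each JAAS application name to its [(module_class, flag, options)]."""
    apps = {}
    for app, body in _BLOCK_RE.findall(text):
        apps[app] = [(cls, flag, dict(_OPTION_RE.findall(opts)))
                     for cls, flag, opts in _MODULE_RE.findall(body)]
    return apps


def ldap_transport_findings(modules):
    """Flag LDAP login modules whose bind credential and users' passwords
    would cross the network unencrypted, and placeholder bind credentials."""
    findings = []
    for cls, _flag, opts in modules:
        if not cls.endswith('LdapLoginModule'):
            continue
        url = urlsplit(opts.get('ldapUrl', ''))
        encrypted = (url.scheme == 'ldaps'
                     or opts.get('ssl', 'false').lower() == 'true'
                     or opts.get('tls', 'false').lower() == 'true')
        local = url.hostname in ('localhost', '127.0.0.1', '::1')
        if not encrypted and not local:
            findings.append('%s: plaintext LDAP to %s; bindDn %s and user '
                            'passwords are sent in the clear'
                            % (cls, url.hostname, opts.get('bindDn')))
        if 'bindCredential' in opts and opts['bindCredential'] in PLACEHOLDER_CREDENTIALS:
            findings.append('%s: bindCredential is a placeholder value' % cls)
    return findings


if __name__ == '__main__':
    for app, modules in parse_jaas_config(SAMPLE_LOGIN_CONFIG).items():
        for finding in ldap_transport_findings(modules) or ['no findings']:
            print(app, '-', finding)
```

Run against the sample it reports only the placeholder credential; change ldapUrl to a remote host and it also reports the plaintext bind, which goes away once the URL is ldaps:// or ssl/tls is set to true.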

12. Open attribute-resolver.xml and update the LDAP DataConnector element as below:

    <!-- Example LDAP Connector -->
    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://localhost:389"
        baseDN="CN=torn00461340a,DC=SAP"
        principal="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
        principalCredential="password">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>
 

13. Update attribute-resolver.xml to include the attributes required by the SP,
for example the mail attribute. The Dependency ref must match the id of the DataConnector defined in step 12:

    <resolver:AttributeDefinition id="email" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
            sourceAttributeID="mail">
        <!-- must be the id of the LDAP DataConnector (myLDAP above) -->
        <resolver:Dependency ref="myLDAP" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:mail" />

        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </resolver:AttributeDefinition>


14. Update attribute-filter.xml with the segment below to allow the IdP to release the givenName attribute to the service provider. The filter can only release attributes that have an AttributeDefinition in attribute-resolver.xml, so givenName needs a definition like the mail one in step 13:

    <afp:AttributeFilterPolicy id="releaseAttriToTestSP">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />

        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
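Steps 12 to 14 spread one attribute across three places (connector id, definition, filter rule), and a mismatch fails quietly: a Dependency ref that names no connector stops the resolver loading, and an attributeID with no definition simply releases nothing, which is easy to mistake for a filter problem. As an added example (not from this post or the Shibboleth project), the Python script below lints a resolver/filter pair for exactly those mismatches and also reports policies whose PolicyRequirementRule is ANY, since that releases the attribute to every relying party the IdP has metadata for, not only the test SP. The sample XML is constructed to reproduce the post's three steps as written, with a placeholder credential; the namespaces are the real IdP 2.x ones.

```python
"""Consistency lint for a Shibboleth IdP 2.x attribute-resolver.xml and
attribute-filter.xml pair.  Added example for this post, not Shibboleth
code: it checks that every resolver Dependency ref resolves, that every
attributeID the filter releases has an AttributeDefinition, and reports
policies whose requirement rule matches any relying party."""
import xml.etree.ElementTree as ET

NS = {
    'resolver': 'urn:mace:shibboleth:2.0:resolver',
    'afp': 'urn:mace:shibboleth:2.0:afp',
    'xsi': 'http://www.w3.org/2001/XMLSchema-instance',
}
XSI_TYPE = '{%s}type' % NS['xsi']

# Constructed samples reproducing steps 12-14 of the post: the connector is
# called "myLDAP" but the definition depends on "ADLDS", and the filter
# releases givenName although only "email" is defined.  Credential is a
# placeholder.
SAMPLE_RESOLVER = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="email" xsi:type="Simple"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail">
    <resolver:Dependency ref="ADLDS"/>
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://localhost:389" baseDN="CN=torn00461340a,DC=SAP"
      principal="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
      principalCredential="PLACEHOLDER">
    <dc:FilterTemplate><![CDATA[(uid=$requestContext.principalName)]]></dc:FilterTemplate>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""

SAMPLE_FILTER = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseAttriToTestSP">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def lint_attribute_config(resolver_xml, filter_xml):
    """Return a list of (severity, message).  'error' findings mean the IdP
    will either refuse to load the resolver or silently release nothing for
    that attribute; 'warn' is a release-scope caveat; 'info' is advisory."""
    findings = []
    res = ET.fromstring(resolver_xml)
    connectors = res.findall('resolver:DataConnector', NS)
    definitions = res.findall('resolver:AttributeDefinition', NS)
    defined_ids = {e.get('id') for e in definitions}
    known_ids = defined_ids | {e.get('id') for e in connectors}

    # 1. Every Dependency ref must name a connector or definition in this file.
    for owner in definitions + connectors:
        for dep in owner.findall('resolver:Dependency', NS):
            if dep.get('ref') not in known_ids:
                findings.append(('error', "%s: Dependency ref '%s' is not a defined "
                                 "DataConnector or AttributeDefinition"
                                 % (owner.get('id'), dep.get('ref'))))

    # 2. The filter can only release attributes the resolver defines.
    flt = ET.fromstring(filter_xml)
    released = set()
    for policy in flt.findall('afp:AttributeFilterPolicy', NS):
        req = policy.find('afp:PolicyRequirementRule', NS)
        if req is not None and req.get(XSI_TYPE, '').endswith(':ANY'):
            findings.append(('warn', "%s: PolicyRequirementRule ANY releases to "
                             "every relying party, not just the test SP" % policy.get('id')))
        for rule in policy.findall('afp:AttributeRule', NS):
            aid = rule.get('attributeID')
            released.add(aid)
            if aid not in defined_ids:
                findings.append(('error', "%s: attributeID '%s' has no "
                                 "AttributeDefinition, so nothing is released"
                                 % (policy.get('id'), aid)))

    # 3. Defined but never released: the SP will never see it.
    for aid in sorted(defined_ids - released):
        findings.append(('info', "%s: defined in the resolver but released by no policy" % aid))
    return findings


if __name__ == '__main__':
    for severity, message in lint_attribute_config(SAMPLE_RESOLVER, SAMPLE_FILTER):
        print(severity.upper(), message)
```

On the sample it reports two errors (the ADLDS ref and the undefined givenName), one warning for the ANY rule and one info line for email being defined but never released; changing the ref to myLDAP removes the first error, and adding a givenName definition removes the second.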


15. Update relying-party.xml to test with TestShib, which verifies that the SP can redirect to your IdP and prompt you for a username and password:

    <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FilesystemMetadataProvider"
                               metadataFile="C:\opt\shibboleth-idp/metadata/testshib.xml" />

After entering the username and password, a page titled "Shibboleth-protected TestShib Content" is shown. You can also verify that givenName was sent to the SP by the IdP using the Firefox SAML tracer plugin.

Comments:

  1. Hi Jonathan,

     This is a great post. Can you tell me what Windows version you were using?

     Thanks,
     Bernard

  2. Thanks. I just realized that it wasn't the IDP part that I needed but rather the SP part. Do you by any chance have info on that?

     Thanks again,
     Bernard