Saturday, January 31, 2015

Steps to install shibboleth idp on windows with tomcat


1. download zip file for shibboleth-idp installation from
http://shibboleth.net/downloads/identity-provider, do not use the latest 3.0, which is not yet stable as well as well documented. Use 2.4. and unzip it to a folder

2. check java -version to be sure it is 1.7.0 or above

3. execute install.bat, and enable https connection with 9443. Set the identity of your idp, for example
https://torn00461340a.amer.global.corp.sap/idp/shibboleth

4. download tomcat 7 (port 9080 and 9443 are used), and add the server into eclipse

5. add idp.xml as mentioned in https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
Set unpackwar to true to avoid an error in eclipse server start.

6. start tomcat from eclipse , and be sure the below query works
http://localhost:9080/idp/status
http://localhost:9080/idp/profile/Metadata/SAML


7 backup and update relying-party.xml MetadataProvider section as below

     <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
         <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="C:\opt\shibboleth-idp/metadata/idp-metadata.xml"
                                   maxRefreshDelay="P1D" />
              <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="C:\opt\shibboleth-idp/metadata/testshib.xml"
                                    />
    </metadata:MetadataProvider>

8 open IDP_HOME/conf/handler.xml, comment out LoginHandler RemoteUser element, and uncomment LoginHandler UsernamePassword element.

9 Open the file IDP_HOME/conf/login.config and uncomment Example LDAP authentication element. Pay attention to the "file:///" part.
   <!-- Login Handlers
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
 -->
    <!--  Username/password login handler -->
 
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                  jaasConfigurationLocation="file:///C:\opt\shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

10 download Windows AD LDS and install it on Windows 7. Use the below online help to to install it - "Office 365 Single Sign-On with Shibboleth 2 whitepaper"
http://www.microsoft.com/en-ca/download/details.aspx?id=35464


11. update login.config with the below info based on AD LDS installation
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://localhost:389"
      baseDn="CN=torn00461340a,DC=SAP"
 userFilter="cn={0}"
 subtreeSearch="true"
          ssl="false"
 tls="false"
 bindDn="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
 bindCredential="password";

12 open attribute.resolver.xml, and update LDAP connector element as below
    <!-- Example LDAP Connector -->
 
    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://localhost:389"
        baseDN="CN=torn00461340a,DC=SAP"
        principal="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
        principalCredential="password">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>
 

13. update attribute-resolver.xml to include assertion required by SP.
for example, the mail attribute
<resolver:AttributeDefinition id="email" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="mail">
  <resolver:Dependency ref="ADLDS" />

  <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:mail" />

  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>


14.update attribute-filter.xml with below segment to allow idp to  release the attribute of givenName to service provider
   <afp:AttributeFilterPolicy id="releaseAttriToTestSP">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />

        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>


15. Update relying-party.xml to test with testshib to verify the SP can redirect to your IDP and prompt you to input username and password.

              <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="C:\opt\shibboleth-idp/metadata/testshib.xml"
                                    />

After inputting user name and password, it shows a screen says "Shibboleth-protected TestShib Content. You can also verify the givenName is sent to SP by IDP by using Firefox saml tracer plugin.

Sunday, January 18, 2015

Receive native side notification by javascript using cordova plugin

Usually, the cordova plugin is used to invoke native api from javascript. However, it can also be used by javascript to listen for native side notification. This feature is already used in several cordova build in plugins, such as device motion plugin at https://github.com/apache/cordova-plugin-device-motion.

The basic idea is when calling the cordova plugin's callback method, it also an option to keep the callback alive, so after the cordova plugin API is initially called from javascritp to native side, the native code can keep the callback method in its data member. Whenever the native code needs to send a notification to javascript, it can just call this saved callback method with the notification data, also specify the callback method should be kept alive on javascirpt side in order to get following notification, otherwise, the javascript will delete the callback after it receives the first callback method from native side.

A sample callback made from Android native code are as below

   PluginResult result = new PluginResult(PluginResult.Status.OK, "This is notification data");
   result.setKeepCallback(true);

   _callbackContext.sendPluginResult(result);

Serve static web content by tomcat

The following steps can be used to server static web content by tomcat server, the static web content includes html, image, and js, jsp files.

1. create a subfolder under tomcat's webapps folder, for example, mytestfolder
2. copy html file and js file into the folder, for example, index.html
3. visit localhost:8080/mytestfolder/index.hmtl to visit the html file

In addition, jsp files can also be put in the folder and serve the client request without any servlet configuration change.

Sometimes when debugging tomcat, an error of ""Several ports (8080, 8009) required by Tomcaat v8.0 Server at localhost are already in use", to solve the issue, going to tomcat bin folder and run the below commend to close the running tomcat instance.


bash shutdown.sh

Friday, January 2, 2015

Enable browser cross domain request on Chrome and IE

When testing javascript, sometimes it is helpful to enable cross domain request on browser. This can be done on Chrome and IE

Chrome
1. When starting chrome from command line, add the parameter of "--disable-web-security".
Note you may find it does not work. That is because there are some chrome process already running. Some processes will keep running even if you close all chrome browser. Be sure to kill all chrome process from windows task manager, and then start Chrome with this parameter.
Once it is enabled, the browser will show a warning message saying the security is suffered.

IE
Open tools/Internet Option menu, select security tab, click on Custom level button. From settings, enable "Access data source across domains"