1. Download the zip file for the Shibboleth IdP installation from
http://shibboleth.net/downloads/identity-provider. Do not use the latest 3.0, which is not yet stable or well documented; use 2.4. Unzip it to a folder.
2. Check java -version to be sure it is 1.7.0 or above.
3. Execute install.bat and enable the HTTPS connection on port 9443. Set the entity ID of your IdP, for example
https://torn00461340a.amer.global.corp.sap/idp/shibboleth
4. Download Tomcat 7 (ports 9080 and 9443 are used) and add the server to Eclipse.
5. Add idp.xml as described in https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare.
Set unpackWAR to true in it to avoid an error when the server is started from Eclipse.
6. Start Tomcat from Eclipse and be sure the URLs below work:
http://localhost:9080/idp/status
http://localhost:9080/idp/profile/Metadata/SAML
7. Back up relying-party.xml and update its MetadataProvider section as below. idp-metadata.xml is the IdP's own metadata generated by the installer; testshib.xml is the TestShib SP metadata saved to the IdP host, used for the test in step 15.
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
  <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
      metadataFile="C:\opt\shibboleth-idp/metadata/idp-metadata.xml"
      maxRefreshDelay="P1D" />
  <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FilesystemMetadataProvider"
      metadataFile="C:\opt\shibboleth-idp/metadata/testshib.xml" />
</metadata:MetadataProvider>
8. Open IDP_HOME/conf/handler.xml, comment out the RemoteUser LoginHandler element and uncomment the UsernamePassword LoginHandler element, so the section reads as below. Pay attention to the "file:///" prefix on jaasConfigurationLocation: it must point at the login.config edited in the next step.
<!-- Login Handlers
<ph:LoginHandler xsi:type="ph:RemoteUser">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
</ph:LoginHandler>
-->
<!-- Username/password login handler -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
    jaasConfigurationLocation="file:///C:\opt\shibboleth-idp/conf/login.config">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
9. Open IDP_HOME/conf/login.config and uncomment the "Example LDAP authentication" element; step 11 fills in its values.
10. Download Windows AD LDS and install it on Windows 7, following the "Office 365 Single Sign-On with Shibboleth 2" whitepaper:
http://www.microsoft.com/en-ca/download/details.aspx?id=35464
11. Update login.config with the values below, taken from your AD LDS installation. The stanza sits inside the ShibUserPassAuth block that login.config already contains. The bind password is stored in clear text, so restrict the file's permissions to the account Tomcat runs as.
ShibUserPassAuth {
   // vt-ldap JAAS module shipped with IdP 2.x
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://localhost:389"
      baseDn="CN=torn00461340a,DC=SAP"
      // {0} is the username typed at the IdP login page
      userFilter="cn={0}"
      subtreeSearch="true"
      // clear-text LDAP is acceptable only for the local AD LDS instance on the same host
      ssl="false"
      tls="false"
      bindDn="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
      bindCredential="password";
};
12. Open attribute-resolver.xml and update the LDAP DataConnector as below. Its id is what the Dependency elements of the attribute definitions in step 13 refer to, so the two must match (the shipped example is named myLDAP; rename either it or the references consistently). The attribute in the FilterTemplate must exist on your AD LDS user objects: login.config matches users on cn, so if your users carry no uid attribute, use (cn=$requestContext.principalName) here as well.
<!-- LDAP Connector for AD LDS -->
<resolver:DataConnector id="ADLDS" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://localhost:389"
    baseDN="CN=torn00461340a,DC=SAP"
    principal="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
    principalCredential="password">
  <dc:FilterTemplate>
    <![CDATA[
      (uid=$requestContext.principalName)
    ]]>
  </dc:FilterTemplate>
</resolver:DataConnector>
13. Update attribute-resolver.xml to define the attributes required by the SP, for example the mail attribute. The Dependency ref must be the id of the DataConnector from step 12.
<resolver:AttributeDefinition id="email" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="mail">
  <resolver:Dependency ref="ADLDS" />
  <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:mail" />
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
14. Update attribute-filter.xml with the segment below so the IdP releases givenName to the service provider. givenName must also be defined in attribute-resolver.xml, in the same way as mail in step 13. A basic:ANY PolicyRequirementRule releases the attribute to every SP in your metadata, which is fine for the TestShib lab; outside it, scope the rule to the SP's entityID.
<afp:AttributeFilterPolicy id="releaseAttriToTestSP">
  <afp:PolicyRequirementRule xsi:type="basic:ANY" />
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
15. Update relying-party.xml to test with TestShib (the URLMD provider from step 7, pointing at the TestShib metadata saved as testshib.xml) and verify that the SP redirects to your IdP and prompts for a username and password.
<metadata:MetadataProvider id="URLMD" xsi:type="metadata:FilesystemMetadataProvider"
    metadataFile="C:\opt\shibboleth-idp/metadata/testshib.xml" />
After entering the username and password, the SP shows a page saying "Shibboleth-protected TestShib Content". You can also verify that the IdP sent givenName to the SP with the Firefox SAML tracer plugin.
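Before going to the TestShib SP, it is worth checking the three files from steps 11 to 14 against each other, because the IdP logs a user in without complaint and still releases nothing when they disagree. The script below is an added example, not code from the original post or from Shibboleth: it parses a login.config stanza, attribute-resolver.xml and attribute-filter.xml and reports Dependency refs that match no connector id, filter rules for attributes the resolver never defines, a user-lookup attribute that differs between login and resolver, a basic:ANY requirement rule, and clear-text LDAP. The embedded inputs are constructed from the snippets on this page (the "as posted" case reproduces the myLDAP/ADLDS and uid/cn mismatches); the SP entityID https://sp.example.org/shibboleth in the fixed variant is an assumed placeholder.

```python
"""Added example (not from the post or from Shibboleth): cross-check login.config,
attribute-resolver.xml and attribute-filter.xml from steps 11-14. Inputs are constructed."""
import re
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
DC_NS = "urn:mace:shibboleth:2.0:resolver:dc"
AFP_NS = "urn:mace:shibboleth:2.0:afp"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Step 11 stanza inside the ShibUserPassAuth block that IdP 2.x login.config already has.
LOGIN_CONFIG = """ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldap://localhost:389" baseDn="CN=torn00461340a,DC=SAP" userFilter="cn={0}"
    subtreeSearch="true" ssl="false" tls="false"
    bindDn="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP" bindCredential="password";
};"""
# Steps 12-13 skeleton; the placeholders are what differs between the two scenarios.
RESOLVER_TMPL = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="{attr_id}" xsi:type="Simple" sourceAttributeID="{attr_id}"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad"><resolver:Dependency ref="{dep}" /></resolver:AttributeDefinition>
  <resolver:DataConnector id="{conn_id}" xsi:type="dc:LDAPDirectory" ldapURL="ldap://localhost:389"
      baseDN="CN=torn00461340a,DC=SAP" principal="cn=ShibbolethServiceAccount,cn=torn00461340a,dc=SAP"
      principalCredential="password">
    <dc:FilterTemplate><![CDATA[({filter_attr}=$requestContext.principalName)]]></dc:FilterTemplate>
  </resolver:DataConnector>
</resolver:AttributeResolver>"""
# Step 14 skeleton.
FILTER_TMPL = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseAttriToTestSP">
    <afp:PolicyRequirementRule {rule} />
    <afp:AttributeRule attributeID="{attr_id}"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

def jaas_options(login_config):
    """Return the key="value" options of the LdapLoginModule stanza as a dict."""
    m = re.search(r"LdapLoginModule\s+\w+(.*?);", login_config, re.S)
    if not m:
        raise ValueError("no LdapLoginModule stanza in login.config")
    return dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))

def lint(resolver_xml, filter_xml, login_config):
    """Return [(level, message)]: ERROR means no attribute can be released, WARN means risky."""
    out = []
    res = ET.fromstring(resolver_xml)
    conns = list(res.iter(f"{{{RESOLVER_NS}}}DataConnector"))
    defs = list(res.iter(f"{{{RESOLVER_NS}}}AttributeDefinition"))
    ids = {e.get("id") for e in conns + defs}
    # 1. A Dependency naming an unknown id resolves to nothing, with no error at startup.
    for dep in res.iter(f"{{{RESOLVER_NS}}}Dependency"):
        if dep.get("ref") not in ids:
            out.append(("ERROR", f"Dependency ref={dep.get('ref')!r} matches no id in {sorted(ids)}"))
    # 2. The filter can only release attributes the resolver defines.
    flt = ET.fromstring(filter_xml)
    for rule in flt.iter(f"{{{AFP_NS}}}AttributeRule"):
        if rule.get("attributeID") not in {d.get("id") for d in defs}:
            out.append(("ERROR", f"filter releases {rule.get('attributeID')!r} but the resolver never defines it"))
    # 3. basic:ANY as requirement rule releases to every SP whose metadata is loaded.
    for prr in flt.iter(f"{{{AFP_NS}}}PolicyRequirementRule"):
        if prr.get(XSI_TYPE) == "basic:ANY":
            out.append(("WARN", "PolicyRequirementRule basic:ANY: scope release to the SP entityID outside a lab"))
    # 4. login.config and the LDAP connector must describe the same directory and user lookup.
    jaas = jaas_options(login_config)
    login_attr = re.match(r"\(?(\w+)=\{0\}", jaas.get("userFilter", ""))
    for c in (c for c in conns if c.get(XSI_TYPE) == "dc:LDAPDirectory"):
        for cattr, jattr in (("ldapURL", "ldapUrl"), ("baseDN", "baseDn"), ("principal", "bindDn")):
            if c.get(cattr, "").lower() != jaas.get(jattr, "").lower():
                out.append(("ERROR", f"connector {cattr} differs from login.config {jattr}"))
        tmpl = c.find(f"{{{DC_NS}}}FilterTemplate")
        res_attr = re.search(r"(\w+)=\$requestContext\.principalName", (tmpl.text or "") if tmpl is not None else "")
        if login_attr and res_attr and login_attr.group(1).lower() != res_attr.group(1).lower():
            out.append(("WARN", f"login matches users on {login_attr.group(1)} but the resolver looks them up "
                                f"by {res_attr.group(1)}; a user without the latter logs in but gets no attributes"))
    if jaas.get("ssl", "false") == "false" and jaas.get("tls", "false") == "false":
        out.append(("WARN", "ssl and tls both false: bind and user passwords cross the wire in clear (localhost lab only)"))
    return out

def check_page_config():
    """The post's snippets as written: connector id myLDAP vs Dependency ref ADLDS, uid vs cn lookup."""
    return lint(RESOLVER_TMPL.format(conn_id="myLDAP", dep="ADLDS", attr_id="email", filter_attr="uid"),
                FILTER_TMPL.format(rule='xsi:type="basic:ANY"', attr_id="givenName"), LOGIN_CONFIG)

def check_fixed_config():
    """Ids aligned, lookup on cn, givenName defined, release scoped to one (assumed) SP entityID."""
    sp = 'xsi:type="basic:AttributeRequesterString" value="https://sp.example.org/shibboleth"'
    return lint(RESOLVER_TMPL.format(conn_id="ADLDS", dep="ADLDS", attr_id="givenName", filter_attr="cn"),
                FILTER_TMPL.format(rule=sp, attr_id="givenName"), LOGIN_CONFIG)

if __name__ == "__main__":
    for name, fn in (("as posted", check_page_config), ("fixed", check_fixed_config)):
        print(name, *[f"\n  {lvl}: {msg}" for lvl, msg in fn()])
```

Run it with python and it prints two errors and three warnings for the configuration as posted and only the clear-text LDAP warning for the fixed variant; to check a real deployment, pass the contents of your own three files to lint().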
Hi Jonathan,
This is a great post. Can you tell me what Windows version you were using?
Thanks,
Bernard

Windows 7

Thanks. I just realized that it wasn't the IdP part that I needed but rather the SP part. Do you by any chance have info on that?
Thanks again,
Bernard