Configure Shibboleth as SAML2 IDP

Shibboleth is one of the most popular and widely used SAML2 IDPs. I tried to configure Shibboleth as a SAML2 IDP, and in this post I am going to share those steps with you. I hope they are useful for you too. My operating system was Ubuntu.

Step 1. Download the latest version of the Shibboleth IDP from here. The steps below follow the IDP 2.x distribution (login.config, handler.xml and the resolver/filter files under IDP_HOME/conf); later IDP versions lay their configuration out differently, so check which version you downloaded before following along.

Step 2. Extract it into your file system.

Step 3. Go to the extracted root directory and run the install script. This installs Shibboleth into the location you give in your file system. You will be prompted with a few questions: the installation directory, the fully qualified hostname of the IDP, and a password for the keystore the installer generates.

Please note: if you do not provide a fully qualified hostname during installation, it will produce an error. The hostname has to match the format the installer expects, i.e. idp.example.org (the check is a regex pattern in the build.xml file, which you can modify if you need to). Use the real DNS name of the IDP host: it goes into the generated certificate and the default entityID (https://<hostname>/idp/shibboleth), and SPs see both in your metadata, so changing it later means regenerating them.

Let's call the installation path you gave IDP_HOME. The installation also creates a keystore, found in the IDP_HOME/credentials directory, and a war file, found in the IDP_HOME/war directory.

Step 4. First, let's configure a user store for Shibboleth. We can use an existing LDAP-based user store for this.

Open the login.config file, found in the IDP_HOME/conf directory, and configure your LDAP user store details. The following is the sample configuration for my LDAP user store:

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      // Lab values (they match the ApacheDS defaults). Cleartext LDAP is
      // acceptable on localhost only: in production use an ldaps:// URL with
      // ssl="true", and chmod 600 this file, since bindCredential is stored
      // in the clear.
      ldapUrl="ldap://localhost:10389"
      bindDn="uid=admin,ou=system"
      bindCredential="secret"
      baseDn="ou=users,ou=system"
      ssl="false"
      // {0} is replaced by the username typed into the login form
      userFilter="uid={0}"
   ;
};

Step 5. Enable the username/password login handler in the handler.xml file, found in the IDP_HOME/conf directory. Point jaasConfigurationLocation at the login.config from Step 4; the absolute path below belongs to this install, so replace it with your own IDP_HOME/conf.

<!-- jaasConfigurationLocation is the login.config from Step 4;
     the path is this install's IDP_HOME/conf, adjust it to yours. -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
jaasConfigurationLocation="file:///home/asela/idp/shibboleth/conf/login.config">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

Step 6. Configure the logging level in the logging.xml file, found in the IDP_HOME/conf directory. All log files are saved under IDP_HOME/logs; this will help you troubleshoot issues (idp-process.log is the one to watch during login and attribute resolution).

Step 7. Now let's deploy the idp.war file in a web application server. Here I am using Apache Tomcat for this.

Copy IDP_HOME/war/idp.war into the <TOMCAT_HOME>/webapps directory.

Step 8. Enable HTTPS in Tomcat. Locate server.xml in the <TOMCAT_HOME>/conf directory and configure the HTTPS connector. A sample configuration is as follows. The SSLImplementation shown is Shibboleth's delegating implementation for Tomcat 6, so the matching tomcat6-dta-ssl jar from the Shibboleth site must be in <TOMCAT_HOME>/lib, otherwise the connector will not start; keystoreFile and keystorePass must be the keystore and password created in Step 3.

 <!-- Shibboleth's delegating SSL implementation: tomcat6-dta-ssl-1.0.0.jar
      must be in TOMCAT_HOME/lib or this connector will not start.
      keystoreFile/keystorePass are the idp.jks and password from Step 3. -->
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol"
 SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
 scheme="https"
 SSLEnabled="true"
 clientAuth="false"
 keystoreFile="/home/asela/idp/shibboleth/credentials/idp.jks"
 keystorePass="password" />

Step 10. Start the Tomcat server by running the catalina script.

Step 11. Check the status of the server using the URL below (by default the status page is only served to requests coming from localhost):

https://localhost:8443/idp/status
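Before Step 10 it is worth confirming that the connector from Step 8 really points at the Step 3 keystore and that keystorePass opens it, because a wrong password does not stop Tomcat, it only makes the 8443 connector fail to initialise. keytool -list -keystore idp.jks does this; the script below, which is an added example and not Shibboleth or Tomcat code, does the same without a JDK by recomputing the JKS integrity digest (SHA-1 over the password as UTF-16BE, the fixed string "Mighty Aphrodite", and the keystore body) and comparing it with the last 20 bytes of the file. The server.xml path default, the zero-entry keystore built for the self-test and the sample server.xml are assumptions made for the example.

```python
"""Pre-flight check: does the HTTPS connector's keystorePass open its keystoreFile?
Added example (not Shibboleth or Tomcat code). Reimplements only the JKS
integrity check, so it runs without keytool."""
import hashlib
import os
import struct
import sys
import xml.etree.ElementTree as ET

JKS_MAGIC = 0xFEEDFEED  # first four bytes of every JKS file
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS digest


def _prekeyed_sha1(password: str) -> "hashlib._Hash":
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # Java chars, high byte first
    md.update(JKS_SALT)
    return md


def verify_jks_password(data: bytes, password: str) -> bool:
    """True if `password` matches the integrity digest of a JKS keystore image."""
    if len(data) < 12 + 20 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return False  # not a JKS file (a PKCS12 keystore starts with 0x30)
    body, stored = data[:-20], data[-20:]
    md = _prekeyed_sha1(password)
    md.update(body)
    return md.digest() == stored


def build_empty_jks(password: str) -> bytes:
    """Constructed fixture for the self-test: a version-2 JKS with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    md = _prekeyed_sha1(password)
    md.update(body)
    return body + md.digest()


def https_connectors(server_xml: str) -> list:
    """(keystoreFile, keystorePass, port) for every SSLEnabled connector in server.xml."""
    root = ET.fromstring(server_xml)
    return [
        (c.get("keystoreFile"), c.get("keystorePass"), c.get("port"))
        for c in root.iter("Connector")
        if c.get("SSLEnabled", "false").lower() == "true"
    ]


def check_server_xml(path: str) -> list:
    """For each HTTPS connector report whether keystoreFile exists and keystorePass opens it."""
    with open(path, encoding="utf-8") as f:
        xml_text = f.read()
    results = []
    for ks_file, ks_pass, port in https_connectors(xml_text):
        if ks_file is None or not os.path.isfile(ks_file):
            results.append((port, "keystoreFile missing: %r" % ks_file))
            continue
        with open(ks_file, "rb") as f:
            ok = verify_jks_password(f.read(), ks_pass or "")
        results.append((port, "keystore password OK" if ok else "keystorePass does not open keystore"))
    return results


if __name__ == "__main__":
    # Assumed default location; pass your own TOMCAT_HOME/conf/server.xml as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/tomcat/conf/server.xml"
    for port, verdict in check_server_xml(path):
        print("connector %s: %s" % (port, verdict))
```

Run it against your server.xml after editing the connector; a "keystorePass does not open keystore" verdict means the value does not match what you typed in Step 3, and a "keystoreFile missing" verdict means IDP_HOME in the path is wrong.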

Now you are done configuring Shibboleth. There are some additional steps that may be important for you.

Please note that by default Shibboleth puts a Transient ID as the NameID in the Subject element of the SAML Assertion.

(The Transient ID attribute definition exposes a randomly generated, short-lived, opaque identifier that can later be mapped back to the user by a Transient principal connector.)

However, if you want to put the login name into the SAML Assertion instead, you need the following configuration. Be aware of what this changes: a transient NameID cannot be correlated across sessions or across SPs, whereas the login name is a stable identifier that every SP receiving it can store and correlate.

Step 12. Configure the principal id as the NameID in the SAML Assertion.

Comment out the following default configuration in the IDP_HOME/conf/attribute-resolver.xml file:

  <!--resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
 <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
 <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
 </resolver:AttributeDefinition-->

Add the following configuration in its place:

<resolver:AttributeDefinition id="principalId" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>

Step 13. Configure a new release policy for the principal id.

Comment out the following default configuration in the IDP_HOME/conf/attribute-filter.xml file (the release policies live in attribute-filter.xml, not in attribute-resolver.xml):

  <!--afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
 <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
 <afp:AttributeRule attributeID="transientId">
 <afp:PermitValueRule xsi:type="basic:ANY"/>
 </afp:AttributeRule>
 </afp:AttributeFilterPolicy-->

Add the following configuration in its place. Note that basic:ANY in the PolicyRequirementRule releases the login name to every SP that asks; for production, scope the rule to the SPs that need it, for example with a basic:AttributeRequesterString rule on the SP's entityID.

<afp:AttributeFilterPolicy id="releasePrincipalIdToAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="principalId">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
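Steps 12 and 13 together mean the login name leaves the IDP whenever any SP asks for it. The script below is an added example, not part of the Shibboleth distribution: it reads an attribute-filter.xml and lists every attribute released by a policy whose PolicyRequirementRule is basic:ANY, resolving the xsi:type prefix through the file's own namespace declarations rather than assuming the prefix is spelled "basic". The embedded sample file is constructed for the example and shows the releasePrincipalIdToAnyone policy from Step 13 next to a requester-scoped alternative; the portal entityID in it is invented.

```python
"""Audit attribute-filter.xml: which attributes go to ANY requester?
Added example, not Shibboleth code."""
import io
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: the page's open policy beside a requester-scoped one.
SAMPLE_FILTER = """<?xml version="1.0" encoding="UTF-8"?>
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- As in Step 13: the login name goes to every SP that asks. -->
  <afp:AttributeFilterPolicy id="releasePrincipalIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="principalId">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Scoped alternative: only the named SP (entityID invented) gets it. -->
  <afp:AttributeFilterPolicy id="releasePrincipalIdToPortal">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://portal.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="principalId">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def _parse_with_prefixes(xml_text):
    """Parse and also keep the prefix->namespace map, which ElementTree otherwise
    drops; it is needed to expand QName-valued xsi:type attributes like "basic:ANY"."""
    prefixes, root = {}, None
    for event, payload in ET.iterparse(io.StringIO(xml_text), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload  # first element started is the document root
    return root, prefixes


def _qname(value, prefixes):
    """Expand "basic:ANY" to ("urn:...:basic", "ANY") with the document's own bindings."""
    prefix, _, local = value.rpartition(":")
    return prefixes.get(prefix, ""), local


def unscoped_releases(xml_text):
    """[(policy id, attributeID)] for every attribute a basic:ANY policy releases."""
    root, prefixes = _parse_with_prefixes(xml_text)
    findings = []
    for policy in root.iter("{%s}AttributeFilterPolicy" % AFP):
        req = policy.find("{%s}PolicyRequirementRule" % AFP)
        if req is None:
            continue
        if _qname(req.get("{%s}type" % XSI, ""), prefixes) != (BASIC, "ANY"):
            continue  # scoped to a requester, attribute value, etc.: not an open release
        for rule in policy.iter("{%s}AttributeRule" % AFP):
            findings.append((policy.get("id"), rule.get("attributeID")))
    return findings


if __name__ == "__main__":
    for policy_id, attr in unscoped_releases(SAMPLE_FILTER):
        print("policy %s releases %s to ANY requester" % (policy_id, attr))
```

On the sample the script reports only releasePrincipalIdToAnyone; replace SAMPLE_FILTER with the contents of your IDP_HOME/conf/attribute-filter.xml to see which of your own policies hand out identifying attributes without naming a requester.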