Shibboleth is one of the most popular SAML2 IdPs and is widely used. I tried to configure Shibboleth as a SAML2 IdP. In this post I am going to share these steps with you; I hope they are useful for you too. My operating system was Ubuntu.
Step 1. Download the latest version of the Shibboleth IdP from here.
Step 2. Extract it into your file system.
Step 3. Go to the root directory of the extracted distribution and run the install script. This installs Shibboleth into the location you give in your file system. You will be prompted with a few questions, as follows.
Please note: if you do not provide a fully qualified hostname during installation, the installer raises an error. The hostname must exactly match the format Shibboleth expects, i.e. idp.example.org (there is a regex pattern in the build.xml file; you can modify it if you want).
Let us call the installation path you gave IDP_HOME. The installation also creates a keystore, found in the IDP_HOME/credentials directory, and a WAR file, found in the IDP_HOME/war directory.
Step 4. First, let us configure a user store for Shibboleth. We can use an existing LDAP-based user store for this.
Open the login.config file in the IDP_HOME/conf directory and configure your LDAP user store details. The following is the sample configuration for my LDAP user store:
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://localhost:10389"
        bindDn="uid=admin,ou=system"
        bindCredential="secret"
        baseDn="ou=users,ou=system"
        ssl="false"
        userFilter="uid={0}";
};
Step 5. Enable the username/password login handler in the handler.xml file in the IDP_HOME/conf directory.
<ph:LoginHandler xsi:type="ph:UsernamePassword"
    jaasConfigurationLocation="file:///home/asela/idp/shibboleth/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
Step 6. Configure the logging level in the logging.xml file in the IDP_HOME/conf directory. All log files are written to IDP_HOME/logs, which will help you troubleshoot issues.
Step 7. Now let us deploy the idp.war file in a web application server. Here I am using Apache Tomcat.
Copy IDP_HOME/war/idp.war into the <TOMCAT_HOME>/webapps directory.
Step 8. Enable HTTPS in Tomcat. Locate server.xml in the <TOMCAT_HOME>/conf directory and configure an HTTPS connector. A sample configuration is as follows.
<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
    scheme="https" SSLEnabled="true" clientAuth="false"
    keystoreFile="/home/asela/idp/shibboleth/credentials/idp.jks"
    keystorePass="password" />
Step 10. Start the Tomcat server by running the catalina script.
Step 11. Check the status of the server at
https://localhost:8443/idp/status
Now you are done with configuring Shibboleth. There are some additional steps that may be important for you.
Please note: by default, Shibboleth adds a Transient ID as the NameID in the Subject element of the SAML Assertion.
(The Transient ID attribute definition exposes a randomly generated, short-lived, opaque identifier that can later be mapped back to the user by a Transient principal connector.)
However, if you want to put the login name into the SAML Assertion instead, you need the following configuration.
Step 12. Configure the principal ID as the NameID in the SAML Assertion.
Please comment out the following default configuration in the IDP_HOME/conf/attribute-resolver.xml file.
<!--
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
    <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>
-->
Please add the following configuration in its place.
<resolver:AttributeDefinition id="principalId" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>
Step 13. Configure a new release policy for the principal ID.
Please comment out the following default configuration in the IDP_HOME/conf/attribute-filter.xml file (the file that holds the attribute filter policies).
<!--
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="transientId">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
-->
Please add the following configuration in its place.
<afp:AttributeFilterPolicy id="releasePrincipalIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="principalId">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
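Added example (not from the original post): a small Python check that reads the attribute-resolver.xml and attribute-filter.xml fragments of Steps 12 and 13 and verifies that every active attribute definition carrying a SAML2StringNameID encoder is actually released by a filter policy, and that only one NameID source is active (a definition that is still commented out is invisible to the XML parser, which matches what the IdP does). The Shibboleth namespace URIs and the two inline fragments are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by the Shibboleth IdP 2.x configuration files (assumed here).
NS = {"resolver": "urn:mace:shibboleth:2.0:resolver", "afp": "urn:mace:shibboleth:2.0:afp",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed fragments mirroring Steps 12 and 13; the commented-out transientId block is not parsed.
RESOLVER_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="principalId" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""
FILTER_XML = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releasePrincipalIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="principalId"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

def local_type(elem):
    """xsi:type without its prefix, so 'ad:TransientId' and 'TransientId' compare equal."""
    return elem.get(XSI_TYPE, "").split(":")[-1]

def nameid_definitions(resolver_xml):
    """Map attribute id -> definition type for every active definition
    that carries a SAML2StringNameID encoder (i.e. can become the NameID)."""
    root = ET.fromstring(resolver_xml)
    return {d.get("id"): local_type(d)
            for d in root.findall("resolver:AttributeDefinition", NS)
            if any(local_type(e) == "SAML2StringNameID"
                   for e in d.findall("resolver:AttributeEncoder", NS))}

def released_attributes(filter_xml):
    """Set of attributeIDs that some AttributeRule in the filter policy releases."""
    root = ET.fromstring(filter_xml)
    return {r.get("attributeID") for r in root.iter("{%s}AttributeRule" % NS["afp"])}

def check_nameid_release(resolver_xml, filter_xml):
    """Return a list of problems; an empty list means the NameID wiring is consistent."""
    defs, released = nameid_definitions(resolver_xml), released_attributes(filter_xml)
    problems = [f"{a} is encoded as a NameID but no filter policy releases it"
                for a in sorted(defs) if a not in released]
    if not defs:
        problems.append("no active attribute definition carries a SAML2StringNameID encoder")
    if len(defs) > 1:
        problems.append("more than one NameID source is active: " + ", ".join(sorted(defs)))
    return problems
```

Run `check_nameid_release(RESOLVER_XML, FILTER_XML)` against the contents of your own two files; an empty list means the principal ID will both be resolved and be released.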