In my last blog post, we went through how to configure a Shibboleth IDP as a federated IDP for WSO2 Identity Server.
Today let's see how to configure Identity Server with testshib (https://testshib.org/), a Shibboleth IDP that is available online for testing purposes.
Configure Identity Server as SP in testshib IDP
testshib is already configured; you only need to upload the service provider metadata file for the Identity Server.
Step 1. Create the metadata file for the Identity Server manually. A sample metadata file can be found here. Download it and save it on your machine.
Step 2. Upload the metadata file to testshib using this url. Once it is uploaded, testshib validates the file and reports any problems as errors. Note that the entityID in this file is what testshib will use to recognise requests from the Identity Server, so it must match the Service Provider Entity Id configured later.
Configure Shibboleth as SAML2 SSO Federated IDP
The steps are the same as in my previous blog post, but step 2 is different, so let me write it again here.
Step 2. Register new Federated IDP
You need to provide a name for the IDP configuration.
You need to upload the public certificate of testshib. You can find the certificate here. Download it to your machine and upload it. It is needed for signature validation of the SAML assertion, so obtain it from the IDP's own metadata over HTTPS: whatever certificate you upload here becomes the trust anchor for every login coming from this IDP.
Go to "SAML2 Web SSO Configuration" and register the following details.
1. Enable – tick this, and optionally set the IDP as the default.
2. Identity Provider Entity Id – this must be the entity Id of the testshib IDP, which is:
https://idp.testshib.org/idp/shibboleth
3. Service Provider Entity Id – this must be the Identity Server's entity Id. Use the value configured in the wso2is.xml metadata file, which is "wso2is". It has to be exactly the entityID that was uploaded to testshib, because the IDP matches the Issuer of the incoming request against its registered SPs.
4. SSO URL – the single sign-on endpoint of the testshib IDP. Since we are using the HTTP-Redirect binding to send the SAML AuthnRequest from Identity Server to Shibboleth, the SSO URL is the Redirect endpoint:
https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
5. Enable Assertion Encryption – tick this so that Identity Server decrypts the assertion, because testshib always sends an encrypted SAML assertion. The IDP encrypts to the certificate published in the SP metadata you uploaded, so Identity Server must hold the matching private key.
6. Enable Assertion Signing – tick this to verify the signature on the SAML assertion with the certificate uploaded above. Leave it enabled: without signature validation, anyone who can craft an assertion naming the testshib entity Id could log in.
Leave the other configurations at their default values.
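The following is an added example, not code from the original post or from WSO2 Identity Server: it shows what actually goes over the wire for step 4, i.e. how an AuthnRequest issued by "wso2is" is packed into the SAMLRequest query parameter of the testshib Redirect SSO URL, and how to unpack one captured from a browser. The entity Ids and SSO URL are the ones from the post; the assertion consumer service URL is an assumption, and the NameIDPolicy is included only to illustrate a typical request.

```python
"""Added example (not from the original post): SAML 2.0 AuthnRequest sent with
the HTTP-Redirect binding. The XML is raw-DEFLATE compressed, base64-encoded
and URL-encoded into the SAMLRequest parameter of the IDP's Redirect SSO URL."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

IDP_ENTITY_ID = "https://idp.testshib.org/idp/shibboleth"
IDP_SSO_URL = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
SP_ENTITY_ID = "wso2is"
# Assumed assertion consumer service URL of the Identity Server; the real one
# is whatever the uploaded SP metadata declares.
SP_ACS_URL = "https://localhost:9443/commonauth"


def build_authn_request(request_id=None, issue_instant=None):
    """Return a minimal SAML 2.0 AuthnRequest as an XML string.

    The ID must be a valid xsd:ID (it may not start with a digit), hence the
    leading underscore in front of the UUID.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ"
    )
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy AllowCreate="true" '
        'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_binding_encode(xml_text):
    """Encode an XML message for the SAMLRequest/SAMLResponse query parameter.

    The Redirect binding uses raw DEFLATE (RFC 1951): wbits=-15 makes zlib
    omit the zlib header and Adler-32 trailer, which the binding does not use.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(xml_text, relay_state=None):
    """Return the URL the browser is redirected to: SSO URL plus query string."""
    params = {"SAMLRequest": redirect_binding_encode(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def redirect_binding_decode(url, param="SAMLRequest"):
    """Inverse of build_redirect_url: recover the XML from a captured redirect."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query[param][0])
    return zlib.decompress(raw, -15).decode("utf-8")


if __name__ == "__main__":
    request = build_authn_request()
    url = build_redirect_url(request, relay_state="/myapp")
    print(url)
    print(redirect_binding_decode(url))
```

If request signing is turned on for this IDP, remember that the Redirect binding does not sign the XML itself: the signature is computed over the query string (SAMLRequest, RelayState and SigAlg) and carried in a separate Signature parameter, so a decoded Redirect request legitimately contains no ds:Signature element. The decoder above is therefore also handy for checking that the Destination and Issuer of a captured request are the values configured in steps 2 to 4.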
Now, when you start a login, you will be redirected to the testshib login page, where you can log in with the username/password given on the testshib site.
Configure claim mapping
These are additional steps to pass the attributes sent by testshib through to our application.
Step 1. Configure IDP claim mapping in the testshib IDP configuration. Here I have mapped a few attributes from the testshib SAML assertion to WSO2 local claim URIs.
A sample attribute statement returned by testshib is shown below. You can map the "Name" value of each attribute (the OID URN, not the FriendlyName) to any local claim URI, as in the screenshot above.
<saml2:AttributeStatement>
  <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myself</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Staff</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">And I</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Me Myself</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Me Myself And I</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="wso2is">oBSAHlLEAa+Ia5uvGLUhQYYZa9g=</saml2:NameID>
    </saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">555-5555</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
Step 2. Configure SP claim mapping in my SP configuration. Here I have decided to return the local claim URIs to my application.
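The block below is an added example, not code from the original post or from WSO2 Identity Server. It applies the IDP claim mapping of step 1 to an attribute statement like the one above: attributes are matched on their Name (the OID URN), multi-valued attributes such as eduPersonAffiliation are joined, the nested NameID inside eduPersonTargetedID is checked against the IDP and SP entity Ids before it is used, and attributes with no mapping never reach the application. The sample statement is constructed after the one on the page (the e-mail value is made up), and the http://wso2.org/claims/... URIs are assumed for this example, so adjust them to the local claims you actually mapped.

```python
"""Added example (not from the original post): apply an IDP claim mapping to a
SAML AttributeStatement. Sample data is constructed; local claim URIs assumed."""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
IDP_ENTITY_ID = "https://idp.testshib.org/idp/shibboleth"
SP_ENTITY_ID = "wso2is"

# IDP claim mapping: SAML attribute Name (OID URN) -> local claim URI (assumed).
# FriendlyName is deliberately not used: it is informational and an IDP may
# change or omit it, while Name is what the mapping is defined on.
CLAIM_MAPPING = {
    "urn:oid:0.9.2342.19200300.100.1.1": "http://wso2.org/claims/username",    # uid
    "urn:oid:2.5.4.42": "http://wso2.org/claims/givenname",                    # givenName
    "urn:oid:2.5.4.4": "http://wso2.org/claims/lastname",                      # sn
    "urn:oid:2.5.4.3": "http://wso2.org/claims/fullname",                      # cn
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "http://wso2.org/claims/emailaddress", # eduPersonPrincipalName
    "urn:oid:2.5.4.20": "http://wso2.org/claims/telephone",                    # telephoneNumber
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "http://wso2.org/claims/role",         # eduPersonAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "http://wso2.org/claims/userid",      # eduPersonTargetedID
}

# Constructed sample, modelled on the statement shown on the page.
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAMPLE_ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">myself</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">Member</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">Staff</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">myself@example.org</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">And I</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">Me Myself</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">Me Myself And I</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="%(f)s">
    <saml2:AttributeValue><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="wso2is">oBSAHlLEAa+Ia5uvGLUhQYYZa9g=</saml2:NameID>
    </saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20" NameFormat="%(f)s">
    <saml2:AttributeValue xsi:type="xs:string">555-5555</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>""" % {"f": URI_FMT}


def _attribute_value(value_el):
    """String form of one AttributeValue.

    Plain values are returned as-is. A nested NameID (eduPersonTargetedID) is
    only accepted when its qualifiers name the expected IDP and this SP; a
    persistent identifier minted for another party must not be used.
    """
    name_id = value_el.find("saml2:NameID", NS)
    if name_id is None:
        return (value_el.text or "").strip()
    if name_id.get("NameQualifier") != IDP_ENTITY_ID:
        raise ValueError("NameID from unexpected IDP: %r" % name_id.get("NameQualifier"))
    if name_id.get("SPNameQualifier") != SP_ENTITY_ID:
        raise ValueError("NameID targeted at another SP: %r" % name_id.get("SPNameQualifier"))
    return (name_id.text or "").strip()


def extract_claims(statement_xml, mapping=CLAIM_MAPPING, separator=","):
    """Return {local_claim_uri: value} for the mapped attributes only.

    Multi-valued attributes are joined with `separator`; unmapped attributes
    are dropped. Run this only after the assertion's signature, issuer,
    audience and validity conditions have been verified.
    """
    root = ET.fromstring(statement_xml)
    statement = root if root.tag == "{%s}AttributeStatement" % SAML2_NS \
        else root.find(".//saml2:AttributeStatement", NS)
    claims = {}
    for attr in statement.findall("saml2:Attribute", NS):
        local_uri = mapping.get(attr.get("Name"))
        if local_uri is None:
            continue  # not mapped in the IDP claim configuration
        values = [_attribute_value(v) for v in attr.findall("saml2:AttributeValue", NS)]
        claims[local_uri] = separator.join(values)
    return claims


if __name__ == "__main__":
    for uri, value in sorted(extract_claims(SAMPLE_ATTRIBUTE_STATEMENT).items()):
        print(uri, "=", value)
```

The statement is parsed with the standard library here only to keep the example self-contained; a real SP should let its SAML stack parse and validate the whole signed Response and hand it the attributes afterwards, since the mapping itself grants no trust. Step 2 (the SP claim mapping) is then just a second dictionary from these local claim URIs to the names your application expects.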