Service Provider Registering with Identity Provider Configuration Continuation
Identity Provider Configuration
Log in as root or as a sudo user to configure the identity provider attributes.
1. Configure attribute-resolver.xml
Go to the /opt/shibboleth-idp/conf directory and edit the attribute-resolver.xml file.
1.1 Define LDAP Connector Configuration
Uncomment the <resolver:DataConnector> element and modify the configuration to match your environment.
<!-- LDAP data connector; every AttributeDefinition below pulls its values from it via
     <resolver:Dependency ref="myLDAP"/>.
     ldapURL uses plain ldap://, so the bind credential and every per-user lookup travel in
     cleartext unless the directory enforces TLS; prefer an ldaps:// URL (or StartTLS) where
     the directory supports it.
     principalCredential is stored in cleartext in attribute-resolver.xml: keep this file
     readable only by the account running the IdP, and give the bind account read-only
     access limited to the baseDN subtree. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
ldapURL="ldap://<Ldap Host Name>"
baseDN="ou=people,dc=vphuc,dc=local"
principal="cn=Manager,dc=vphuc,dc=local"
principalCredential="<Password>">
<!-- Search filter: $requestContext.principalName (the user name established by the
     authentication step) is substituted into the filter, so the lookup returns the entry
     whose uid equals it. NOTE(review): this is plain string substitution; confirm that the
     authentication handler in use constrains the characters a principal name may contain. -->
<dc:FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</dc:FilterTemplate>
</resolver:DataConnector>
1.2 Define the Target ID
<!-- Computes a stable, pseudonymous per-user identifier from uid (sourceAttributeID) combined
     with salt; this connector typically feeds eduPersonTargetedID. Replace the placeholder salt
     with a long random value, keep it secret, and never change it once in use: a new salt
     changes every user's computed ID at every service provider. -->
<resolver:DataConnector xsi:type="dc:ComputedId"
id="computedID"
generatedAttributeID="computedID"
sourceAttributeID="uid"
salt="your random string here">
<!-- The source attribute (uid) is read through the LDAP connector. -->
<resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>
Replace the placeholder salt value used by the data connector with a random string of your own.
1.3 Defining the attribute
Uncomment the sn, givenName, and uid attribute definitions.
<!-- Attribute definitions. Each ad:Simple definition reads one LDAP attribute (sourceAttributeID)
     through the myLDAP connector and carries two encoders: SAML1String with a
     urn:mace:dir:attribute-def name, and SAML2String with the attribute's OID as name plus a
     friendlyName. Defining an attribute here does not release it; release is governed by
     attribute-filter.xml. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:uid" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>
<!-- email is defined but has no AttributeRule in the attribute-filter.xml policies below,
     so it is resolved yet not released to the configured SP. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:mail" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:sn" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:2.5.4.4" friendlyName="sn" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName"
sourceAttributeID="givenName">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:givenName" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>
<!-- Requires an eduPersonAffiliation attribute in the directory entry; if the LDAP schema does
     not populate it, the attribute resolves empty and nothing is released. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation"
sourceAttributeID="eduPersonAffiliation">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>
<!-- ad:Scoped: produces uid@vphuc.local. SPs commonly check the scope against what is
     asserted for this IdP in metadata, so the scope value must match that registration. -->
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName"
scope="vphuc.local" sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
<resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>
<!-- Opaque per-session identifier, encoded as the subject NameID (not as an attribute) for
     SAML 1 and SAML 2; it has no LDAP dependency. -->
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
<resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>
The attribute-resolver.xml file configuration completed.
2. Configure attribute-filter.xml
Go to the /opt/shibboleth-idp/conf directory and edit the attribute-filter.xml file.
2.1 Defining the Attribute Filter Policy for specific Service Provider
We release the uid, givenName, surname, eduPersonAffiliation, eduPersonPrincipalName and eduPersonTargetedID attributes; the release rules are configured in the attribute-filter.xml file.
<!-- Release the transient ID to anyone -->
<!-- basic:ANY as the requirement rule matches every requester, so transientId (the opaque
     per-session ad:TransientId defined in attribute-resolver.xml) goes to any SP. This is
     acceptable because the value identifies nobody on its own; it only lets the SP correlate
     the messages of one session. -->
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="transientId">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
<!-- Release policy for one specific service provider. Unlike the first policy this element has
     no id attribute; add one for consistency and clearer log output, for example
     id="releaseToSpVphucLocal" (constructed name). -->
<afp:AttributeFilterPolicy>
<!-- Matches only when the requester's entityID is exactly this value, i.e. the SP whose
     metadata is loaded in relying-party.xml; every rule inside applies to that SP alone. -->
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="https://sp.vphuc.local/shibboleth" />
<!-- basic:ANY as a permit rule releases every value of the attribute. -->
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="uid">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonAffiliation">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- No AttributeDefinition with id "eduPersonTargetedID" appears in the attribute-resolver.xml
     excerpt above (only the computedID data connector is defined). Unless such a definition
     exists elsewhere in the file, this rule releases nothing. -->
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
3. Configure relying-party.xml
Go to the /opt/shibboleth-idp/conf directory and edit the relying-party.xml file.
3.1 Download the Service Provider Metadata
Replace the service provider host in the URL below with your host name and open the URL in a browser. The browser will prompt you to save the file; save it in the /tmp directory, then copy the SP metadata file to the /opt/shibboleth-idp/metadata directory.
https://<Service Provider Host>/Shibboleth.sso/Metadata. For example the metadata url is https://sp.vphuc.local/Shibboleth.sso/Metadata
3.2 Configure the Metadata in the relying-party.xml file
Edit the relying-party.xml file, search for MetadataProvider, and add the following content under the metadata section.
<!-- Loads the SP's metadata from a local file. The IdP trusts this metadata as the source of
     the SP's entityID, endpoints and keys (used to verify signed requests and to encrypt
     assertions), so confirm the file is the one downloaded over https in step 3.1, move it out
     of /tmp promptly, and keep it writable only by an administrator. -->
<metadata:MetadataProvider id="sp.vphuc.local" xsi:type="metadata:FilesystemMetadataProvider"
metadataFile="/opt/shibboleth-idp/metadata/sp-vphuc-local-metadata.xml"/>
Configure the id and metadataFile location. I have highlighted configuration details in red colour.
4. Restarting the IDP Server
Run the following commands to restart the Apache web server and the Tomcat server.
service httpd restart
service tomcat6 restart
5. Testing the Relying Party Configuration
Go to the /opt/shibboleth-idp/bin directory and run the aacli.sh command; it displays the SAML attributes that the IdP would send to the SP.
./aacli.sh --configDir=../conf --principal=<userName> --requester=https://<Service Provider Host Name>/shibboleth
The example principal is liyaqat and service provider host name is sp.liyaqat.com
After running the above command, it displays the SAML attributes released from the IdP to the Shibboleth SP. A sample is given below.
Log in as root or as a sudo user to configure the identity provider attributes.
1. Configure attribute-resolver.xml
Go to the /opt/shibboleth-idp/conf directory and edit the attribute-resolver.xml file.
1.1 Define LDAP Connector Configuration
Uncomment the <resolver:DataConnector> element and modify the configuration to match your environment.
<!-- LDAP data connector; every AttributeDefinition below pulls its values from it via
     <resolver:Dependency ref="myLDAP"/>.
     ldapURL uses plain ldap://, so the bind credential and every per-user lookup travel in
     cleartext unless the directory enforces TLS; prefer an ldaps:// URL (or StartTLS) where
     the directory supports it.
     principalCredential is stored in cleartext in attribute-resolver.xml: keep this file
     readable only by the account running the IdP, and give the bind account read-only
     access limited to the baseDN subtree. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
ldapURL="ldap://<Ldap Host Name>"
baseDN="ou=people,dc=vphuc,dc=local"
principal="cn=Manager,dc=vphuc,dc=local"
principalCredential="<Password>">
<!-- Search filter: $requestContext.principalName (the user name established by the
     authentication step) is substituted into the filter, so the lookup returns the entry
     whose uid equals it. NOTE(review): this is plain string substitution; confirm that the
     authentication handler in use constrains the characters a principal name may contain. -->
<dc:FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</dc:FilterTemplate>
</resolver:DataConnector>
1.2 Define the Target ID
<!-- Computes a stable, pseudonymous per-user identifier from uid (sourceAttributeID) combined
     with salt; this connector typically feeds eduPersonTargetedID. Replace the placeholder salt
     with a long random value such as the output of the openssl command given below, keep it
     secret, and never change it once in use: a new salt changes every user's computed ID at
     every service provider. -->
<resolver:DataConnector xsi:type="dc:ComputedId"
id="computedID"
generatedAttributeID="computedID"
sourceAttributeID="uid"
salt="your random string here">
<!-- The source attribute (uid) is read through the LDAP connector. -->
<resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>
Replace the placeholder salt value used by the data connector with a random string, for example one generated with the following command:
# openssl rand -base64 36
1.3 Defining the attribute
Uncomment the sn, givenName, and uid attribute definitions.
<!-- Attribute definitions. Each ad:Simple definition reads one LDAP attribute (sourceAttributeID)
     through the myLDAP connector and carries two encoders: SAML1String with a
     urn:mace:dir:attribute-def name, and SAML2String with the attribute's OID as name plus a
     friendlyName. Defining an attribute here does not release it; release is governed by
     attribute-filter.xml. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:uid" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>
<!-- email is defined but has no AttributeRule in the attribute-filter.xml policies below,
     so it is resolved yet not released to the configured SP. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:mail" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:sn" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:2.5.4.4" friendlyName="sn" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName"
sourceAttributeID="givenName">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:givenName" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>
<!-- Requires an eduPersonAffiliation attribute in the directory entry; if the LDAP schema does
     not populate it, the attribute resolves empty and nothing is released. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation"
sourceAttributeID="eduPersonAffiliation">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String"
name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>
<!-- ad:Scoped: produces uid@vphuc.local. SPs commonly check the scope against what is
     asserted for this IdP in metadata, so the scope value must match that registration. -->
<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName"
scope="vphuc.local" sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
<resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>
<!-- Opaque per-session identifier, encoded as the subject NameID (not as an attribute) for
     SAML 1 and SAML 2; it has no LDAP dependency. -->
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
<resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>
The attribute-resolver.xml file configuration completed.
2. Configure attribute-filter.xml
Go to the /opt/shibboleth-idp/conf directory and edit the attribute-filter.xml file.
2.1 Defining the Attribute Filter Policy for specific Service Provider
We release the uid, givenName, surname, eduPersonAffiliation, eduPersonPrincipalName and eduPersonTargetedID attributes; the release rules are configured in the attribute-filter.xml file.
<!-- Release the transient ID to anyone -->
<!-- basic:ANY as the requirement rule matches every requester, so transientId (the opaque
     per-session ad:TransientId defined in attribute-resolver.xml) goes to any SP. This is
     acceptable because the value identifies nobody on its own; it only lets the SP correlate
     the messages of one session. -->
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="transientId">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
<!-- Release policy for one specific service provider. Unlike the first policy this element has
     no id attribute; add one for consistency and clearer log output, for example
     id="releaseToSpVphucLocal" (constructed name). -->
<afp:AttributeFilterPolicy>
<!-- Matches only when the requester's entityID is exactly this value, i.e. the SP whose
     metadata is loaded in relying-party.xml; every rule inside applies to that SP alone. -->
<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="https://sp.vphuc.local/shibboleth" />
<!-- basic:ANY as a permit rule releases every value of the attribute. -->
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="uid">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="surname">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonAffiliation">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<!-- No AttributeDefinition with id "eduPersonTargetedID" appears in the attribute-resolver.xml
     excerpt above (only the computedID data connector is defined). Unless such a definition
     exists elsewhere in the file, this rule releases nothing. -->
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
3. Configure relying-party.xml
Go to the /opt/shibboleth-idp/conf directory and edit the relying-party.xml file.
3.1 Download the Service Provider Metadata
Replace the service provider host in the URL below with your host name and open the URL in a browser. The browser will prompt you to save the file; save it in the /tmp directory, then copy the SP metadata file to the /opt/shibboleth-idp/metadata directory.
https://<Service Provider Host>/Shibboleth.sso/Metadata. For example the metadata url is https://sp.vphuc.local/Shibboleth.sso/Metadata
3.2 Configure the Metadata in the relying-party.xml file
Edit the relying-party.xml file, search for MetadataProvider, and add the following content under the metadata section.
<!-- Loads the SP's metadata from a local file. The IdP trusts this metadata as the source of
     the SP's entityID, endpoints and keys (used to verify signed requests and to encrypt
     assertions), so confirm the file is the one downloaded over https in step 3.1, move it out
     of /tmp promptly, and keep it writable only by an administrator. -->
<metadata:MetadataProvider id="sp.vphuc.local" xsi:type="metadata:FilesystemMetadataProvider"
metadataFile="/opt/shibboleth-idp/metadata/sp-vphuc-local-metadata.xml"/>
Configure the id and metadataFile location. I have highlighted configuration details in red colour.
4. Restarting the IDP Server
Run the following commands to restart the Apache web server and the Tomcat server.
service httpd restart
service tomcat6 restart
5. Testing the Relying Party Configuration
Go to the /opt/shibboleth-idp/bin directory and run the aacli.sh command; it displays the SAML attributes that the IdP would send to the SP.
./aacli.sh --configDir=../conf --principal=<userName> --requester=https://<Service Provider Host Name>/shibboleth
The example principal is liyaqat and service provider host name is sp.liyaqat.com
After running the above command, it displays the SAML attributes released from the IdP to the Shibboleth SP. A sample is given below.
<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample aacli.sh output: the attribute statement the IdP would release to the given requester
     for the given principal. Only uid, sn and givenName appear. The example requester in step 5
     is sp.liyaqat.com, not the sp.vphuc.local entityID used in the filter policy above, so this
     sample presumably reflects a different filter configuration than the one shown; re-run
     aacli.sh with your own requester to check that eduPersonAffiliation and
     eduPersonPrincipalName are released as intended. -->
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat
</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sahull
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="givenName"
Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<!-- Repeat of the sample attribute statement above (same principal, same three attributes:
     uid, sn, givenName). -->
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat
</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sahull
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="givenName"
Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>