Service Provider Registering with Identity Provider Configuration Continuation

Identity Provider Configuration

Login as a root or sudo user to configure the identity provider attributes.

1. Configure attribute-resolver.xml

Go to the /opt/shibboleth-idp/conf directory and edit the attribute-resolver.xml file.

1.1 Define LDAP Connector Configuration

Uncomment the <resolver:DataConnector and modify the configuration as per your environment.

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://<Ldap Host Name>"
        baseDN="ou=people,dc=vphuc,dc=local"
        principal="cn=Manager,dc=vphuc,dc=local"
        principalCredential="<Password>">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>

1.2 Define the Target ID

    <resolver:DataConnector xsi:type="dc:ComputedId"
                            id="computedID"
                            generatedAttributeID="computedID"
                            sourceAttributeID="uid"
                            salt="your random string here">
        <resolver:Dependency ref="myLDAP" />
    </resolver:DataConnector>

Set the salt value used by the data connector. 

# openssl rand -base64 36

1.3 Defining the attribute

Uncomment the sn,givenname,uid attrubutes.

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
              name="urn:mace:dir:attribute-def:uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
              name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </resolver:AttributeDefinition>
   
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
              name="urn:mace:dir:attribute-def:mail" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
              name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
              name="urn:mace:dir:attribute-def:sn" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
              name="urn:oid:2.5.4.4" friendlyName="sn" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName"
     sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
             name="urn:mace:dir:attribute-def:givenName" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
              name="urn:oid:2.5.4.42" friendlyName="givenName" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation"
      sourceAttributeID="eduPersonAffiliation">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
               name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName"
              scope="vphuc.local" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
             <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
                name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
              nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
              nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </resolver:AttributeDefinition>

 The attribute-resolver.xml file configuration completed.

2. Configure attribute-filter.xml

Go to the /opt/shibboleth-idp/conf directory and edit the attribute-filter.xml file.

 2.1 Defining the Attribute Filter Policy for specific Service Provider

We are releasing the uid, givenName, and surname,eduPersonAffiliation, eduPersonPrincipalName, eduPersonTargetedID. These attributes are configured in the attribute-filter.xml file.

    <!--  Release the transient ID to anyone -->
    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>
  
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://sp.vphuc.local/shibboleth" />

        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="surname">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
   </afp:AttributeFilterPolicy>

3. Configure relying-party.xml

Go to the /opt/shibboleth-idp/conf directory and edit the relying-party.xml file.

3.1 Download the Service Provider Metadata

 Replace the service provider host with your host name and paste the url into the browser. It will ask to save the file and save the file in /tmp directory and copy the sp metadata file to /opt/shibboleth-idp/metadata directory.

https://<Service Provider Host>/Shibboleth.sso/Metadata. For example the metadata url is https://sp.vphuc.local/Shibboleth.sso/Metadata

3.2 Configure the Metada in relying-party.xml file

Edit the relying-party.xml file and search the MetadataProvider and add the following content under metadata section.

<metadata:MetadataProvider id="sp.vphuc.local" xsi:type="metadata:FilesystemMetadataProvider"
                          metadataFile="/opt/shibboleth-idp/metadata/sp-vphuc-local-metadata.xml"/>


Configure the id and metadataFile location. I have highlighted configuration details in red colour.

4. Restarting the IDP Server

Run the following commands to restart the apache web server and tomcat server.

service httpd restart
service tomcat6 restart

5. Testing the Relying Party Configuration

Go to the /opt/shibboleth-idp/bin directory and run the aacli.sh command and it will display the SAML response attribute to sending from idp to SP.

 ./aacli.sh --configDir=../conf --principal=<userName> --requester=https://<Service Provider Host Name>/shibboleth

The example principal is liyaqat and service provider host name is sp.liyaqat.com

After running the above command and it will display the saml response attribute releasing from IDP to Shibboleth SP. The Sample is given below.

<?xml version="1.0" encoding="UTF-8"?>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat
        </saml2:AttributeValue></saml2:Attribute>
  
        <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sahull
            </saml2:AttributeValue>
        </saml2:Attribute>
  
        <saml2:Attribute FriendlyName="givenName"
        Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat
            </saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>

Nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

Configuring DHCP Relay service on the FortiGate unit

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space