Tuesday, April 30, 2013

Shibboleth Identity Provider Configuration

IdP Server Configuration

Go to the /opt/shibboleth-idp/conf directory and modify the following files to configure the IdP server.
  • login.config
      This is the JAAS LDAP authentication config file. It is used to search for the user in LDAP and then authenticate the user against LDAP. The configuration details are given below.

ShibUserPassAuth {

      edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://<Host Name>:<Port>"
      baseDn="<Ldap Base DN>"
      serviceUser="<Admin DN>"
      serviceCredential="<Admin Password>"
      ssl="false"
      tls="false"
      subtreeSearch="true"
      userFilter="uid={0}";
};

If the LDAP server accepts SSL connections, modify the following parameters so that the login module uses the LDAP SSL protocol. They are:

ssl="true"
tls="true"
ldapUrl="ldaps://<Host Name>:<Port>"

A sample configuration is given below.

ShibUserPassAuth {

      edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://idp.liyaqat.com"
      baseDn="ou=people,dc=liyaqat,dc=com"
      serviceUser="CN=Manager,dc=liyaqat,dc=com"
      serviceCredential="password"
      ssl="false"
      tls="false"
      subtreeSearch="true"
      userFilter="uid={0}";
};
  • handler.xml
       This file configures the authentication scheme. By default the Shibboleth authentication scheme is RemoteUser. Comment out the RemoteUser login handler and uncomment the UsernamePassword login handler, as follows.

Commented Authentication Scheme
  <!--
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
    -->

Uncommented Authentication Scheme

    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

  • relying-party.xml
      Edit the relying-party.xml file and modify the following parameters.

     EntityID Configuration

    <rp:AnonymousRelyingParty provider="https://<IDP Host Name>/idp/shibboleth" defaultSigningCredentialRef="IdPCredential"/>

    <rp:DefaultRelyingParty provider="https://<IDP Host Name>/idp/shibboleth" defaultSigningCredentialRef="IdPCredential">

     IdP Metadata Configuration

        <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="<IDP_HOME>/metadata/idp-metadata.xml"
                                   maxRefreshDelay="P1D" />

    IdP Certificate Configuration

    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey><IDP_HOME>/credentials/idp.key</security:PrivateKey>
        <security:Certificate><IDP_HOME>/credentials/idp.crt</security:Certificate>
    </security:Credential>

  • attribute-resolver.xml
       This configuration is required when registering a Service Provider with the IdP server.
  • attribute-filter.xml
       This configuration is required when registering a Service Provider with the IdP server.
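As an added example (not code from the original post, from Shibboleth or from the vt-ldap project), a small Python checker for the login.config settings described above: it parses the JAAS entry and flags an ldap:// URL used with ssl and tls both "false", which sends the serviceCredential and every user's password to the directory in cleartext, as well as an ldaps:// URL whose ssl flag was left off. The sample config, host names and the function names parse_jaas_config and check_ldap_transport are constructed here.

```python
import re

# Constructed sample in the login.config format used above (not a real deployment).
SAMPLE_LOGIN_CONFIG = """
ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://idp.example.com"
      baseDn="ou=people,dc=example,dc=com"
      serviceUser="CN=Manager,dc=example,dc=com"
      serviceCredential="password"
      ssl="false"
      tls="false"
      subtreeSearch="true"
      userFilter="uid={0}";
};
"""

# key="value" pairs as written in the module options
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')
# one JAAS application entry: Name { ... };
ENTRY_RE = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)


def parse_jaas_config(text):
    """Return {entry_name: {option: value}} for each JAAS application entry.
    Only quoted options are read; the module class and its flag are skipped."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        entries[name] = dict(OPTION_RE.findall(body))
    return entries


def check_ldap_transport(opts):
    """Return findings about how the bind credentials reach the LDAP server."""
    findings = []
    url = opts.get("ldapUrl", "")
    ssl_on = opts.get("ssl", "false").lower() == "true"
    tls_on = opts.get("tls", "false").lower() == "true"
    if url.startswith("ldaps://") and not ssl_on:
        findings.append('ldaps:// URL but ssl="false": set ssl="true" as well')
    if url.startswith("ldap://") and not (ssl_on or tls_on):
        findings.append("plain ldap:// with ssl and tls off: the service credential "
                        "and user passwords cross the network in cleartext")
    if "{0}" not in opts.get("userFilter", ""):
        findings.append("userFilter has no {0} placeholder: the typed username is never used")
    return findings


if __name__ == "__main__":
    for name, opts in parse_jaas_config(SAMPLE_LOGIN_CONFIG).items():
        print(name, check_ldap_transport(opts) or ["ok"])
```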

Follow the Static IP Configuration
