
Thursday, May 2, 2013

Service Provider Registering with Identity Provider Configuration Continuation

Identity Provider Configuration

Log in as root or as a sudo user to configure the identity provider attributes.

1. Configure attribute-resolver.xml

Go to the /opt/shibboleth-idp/conf directory and edit the attribute-resolver.xml file.

1.1 Define LDAP Connector Configuration

Uncomment the <resolver:DataConnector> element with id="myLDAP" and modify the configuration to match your environment.

    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
                            ldapURL="ldap://<Ldap Host Name>"
                            baseDN="ou=people,dc=liyaqat,dc=com"
                            principal="cn=Manager,dc=liyaqat,dc=com"
                            principalCredential="<Password>">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>

1.2 Define the Target ID

    <resolver:DataConnector xsi:type="dc:ComputedId"
                            id="computedID"
                            generatedAttributeID="computedID"
                            sourceAttributeID="uid"
                            salt="your random string here">
        <resolver:Dependency ref="myLDAP" />
    </resolver:DataConnector>
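To show what the salt in the ComputedId connector actually does, here is an added Python example (not code from the original post or from the Shibboleth project). It reproduces the identifier derivation as documented for the IdP 2.x ComputedId/StoredId connectors, namely base64(SHA-1(requesterEntityID + "!" + sourceAttributeValue + "!" + salt)); that algorithm, the 16-byte minimum salt length, the salt string and the second service provider entity ID are assumptions or constructed values.

```python
"""Reproduce the pairwise identifier derived by the Shibboleth IdP 2.x
ComputedId data connector.

Added example, not from the original post.  Assumption: the connector computes
base64(SHA-1(requesterEntityID + "!" + sourceAttributeValue + "!" + salt)),
as documented for the IdP 2.x ComputedId/StoredId connectors.  All values
below are constructed for illustration.
"""
import base64
import hashlib

# Assumption: the IdP logs a warning for salts shorter than 16 bytes; a short
# salt makes guessing the source attribute value (uid) from the hash cheap.
MIN_SALT_LENGTH = 16


def computed_id(requester: str, source_value: str, salt: str) -> str:
    """Return the base64 SHA-1 pairwise identifier for one user at one SP."""
    if len(salt.encode("utf-8")) < MIN_SALT_LENGTH:
        raise ValueError("salt must be at least %d bytes" % MIN_SALT_LENGTH)
    digest = hashlib.sha1()
    digest.update(requester.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    # 20-byte SHA-1 digest -> 28 base64 characters
    return base64.b64encode(digest.digest()).decode("ascii")


def demo() -> dict:
    """Show the three properties that matter operationally."""
    salt = "constructed-example-salt-value"  # placeholder; keep the real one secret
    sp_a = "https://sp.liyaqat.com/shibboleth"       # SP entity ID from the post
    sp_b = "https://other-sp.example.org/shibboleth"  # constructed second SP
    id_a = computed_id(sp_a, "liyaqat", salt)
    id_b = computed_id(sp_b, "liyaqat", salt)
    id_a_again = computed_id(sp_a, "liyaqat", salt)
    id_a_new_salt = computed_id(sp_a, "liyaqat", "a-different-salt-value-here")
    return {
        # same user, same SP, same salt -> same identifier on every login
        "stable": id_a == id_a_again,
        # same user at a different SP -> different identifier (no correlation)
        "pairwise": id_a != id_b,
        # changing the salt re-keys every user at every SP
        "salt_dependent": id_a != id_a_new_salt,
        "length": len(id_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The salt is what stops a relying party from recovering the uid behind the opaque identifier by hashing candidate usernames, so treat it like the principalCredential in the same file: restrict read access to attribute-resolver.xml, back the salt up, and never change it casually, since every SP would then see all of your users as brand-new accounts.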

1.3 Defining the attribute

Uncomment the surname (sn), givenName and uid attribute definitions.

This completes the attribute-resolver.xml configuration.

2. Configure attribute-filter.xml

Go to the /opt/shibboleth-idp/conf directory and edit the attribute-filter.xml file.

2.1 Defining the Attribute Filter Policy for a specific Service Provider

We release the uid, givenName and surname attributes to this service provider. The release policy is configured in the attribute-filter.xml file; each policy needs its own unique id attribute.

    <afp:AttributeFilterPolicy id="<Policy Id>">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://<Service Provider Host Name>/shibboleth" />

        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="surname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

3. Configure relying-party.xml

Go to the /opt/shibboleth-idp/conf directory and edit the relying-party.xml file.

3.1 Download the Service Provider Metadata

Replace <Service Provider Host> in the URL below with your service provider host name and open it in a browser. The browser will offer to save the file; save it in the /tmp directory and then copy the SP metadata file to the /opt/shibboleth-idp/metadata directory.

https://<Service Provider Host>/Shibboleth.sso/Metadata. For example, the metadata URL is https://sp.liyaqat.com/Shibboleth.sso/Metadata

3.2 Configure the Metadata in the relying-party.xml file

Edit the relying-party.xml file, search for MetadataProvider and add the following element under the metadata section.

<metadata:MetadataProvider id="sp.liyaqat.com" xsi:type="metadata:FilesystemMetadataProvider"
                          metadataFile="/opt/shibboleth-idp/metadata/sp-liyaqat-com-metadata.xml"/>

Set the id and metadataFile attributes to match your environment. I have highlighted the configuration details in red colour.

4. Restarting the IDP Server

Run the following commands to restart the Apache web server and the Tomcat server.

service httpd restart
service tomcat6 restart

5. Testing the Relying Party Configuration

Go to the /opt/shibboleth-idp/bin directory and run the aacli.sh command. It displays the SAML attribute statement that the IdP would send to the SP for the given principal.

./aacli.sh --configDir=../conf --principal=<userName> --requester=https://<Service Provider Host Name>/shibboleth

In the example the principal is liyaqat and the service provider host name is sp.liyaqat.com.

After running the above command it displays the SAML attributes released from the IdP to the Shibboleth SP. A sample is given below.

<?xml version="1.0" encoding="UTF-8"?><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">sahull</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">liyaqat</saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>
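As an added example (not part of the original post, and not a Shibboleth tool), the following Python script ties step 2 and step 5 together: it parses an attribute-filter.xml policy like the one above and an aacli.sh AttributeStatement, then reports any attribute that was released without a permitting rule, or permitted but not released. Both XML documents are constructed inline from the snippets in this post; the policy id and the surname-to-sn friendly-name mapping are assumptions about the attribute-resolver encoders in use.

```python
"""Cross-check what the IdP released (aacli.sh output) against what
attribute-filter.xml permits for that service provider.

Added example, not part of the original post.  The two XML documents are
constructed from the snippets in the post; the attribute-id -> FriendlyName
mapping (surname -> sn) is an assumption about the resolver's encoders.
"""
import xml.etree.ElementTree as ET

NS = {
    "afp": "urn:mace:shibboleth:2.0:afp",
    "basic": "urn:mace:shibboleth:2.0:afp:mf:basic",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# attribute ids used in attribute-filter.xml -> FriendlyName in the assertion
FRIENDLY_NAME = {"surname": "sn", "givenName": "givenName", "uid": "uid"}

# Constructed from the attribute-filter.xml snippet in the post.
ATTRIBUTE_FILTER_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToLiyaqatSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.liyaqat.com/shibboleth" />
    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="uid">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# Constructed from the aacli.sh sample output in the post (trimmed).
AACLI_OUTPUT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1">
    <saml2:AttributeValue>liyaqat</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4">
    <saml2:AttributeValue>sahull</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42">
    <saml2:AttributeValue>liyaqat</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def permitted_attributes(filter_xml: str, requester: str) -> set:
    """Friendly names that attribute-filter.xml permits for one requester.

    Only policies keyed on an exact AttributeRequesterString match are
    considered; other requirement-rule types are deliberately ignored here.
    """
    root = ET.fromstring(filter_xml)
    permitted = set()
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        req = policy.find("afp:PolicyRequirementRule", NS)
        if req is None or req.get(XSI_TYPE) != "basic:AttributeRequesterString":
            continue
        if req.get("value") != requester:
            continue
        for rule in policy.findall("afp:AttributeRule", NS):
            permit = rule.find("afp:PermitValueRule", NS)
            if permit is not None and permit.get(XSI_TYPE) == "basic:ANY":
                attr_id = rule.get("attributeID")
                permitted.add(FRIENDLY_NAME.get(attr_id, attr_id))
    return permitted


def released_attributes(statement_xml: str) -> set:
    """Friendly names present in an aacli.sh AttributeStatement."""
    root = ET.fromstring(statement_xml)
    return {a.get("FriendlyName") for a in root.findall("saml2:Attribute", NS)}


def audit(filter_xml: str, statement_xml: str, requester: str) -> dict:
    """Report attributes released without a rule, and rules with no release."""
    permitted = permitted_attributes(filter_xml, requester)
    released = released_attributes(statement_xml)
    return {
        "unexpected": sorted(released - permitted),
        "missing": sorted(permitted - released),
    }


if __name__ == "__main__":
    print(audit(ATTRIBUTE_FILTER_XML, AACLI_OUTPUT,
                "https://sp.liyaqat.com/shibboleth"))
```

Run it against the real files by reading /opt/shibboleth-idp/conf/attribute-filter.xml and the saved aacli.sh output instead of the inline strings. An entry under "unexpected" means another policy (for example a default release rule keyed on a broader requirement) is releasing more than this SP-specific policy intends; an entry under "missing" usually means the attribute definition in attribute-resolver.xml is still commented out or the LDAP entry lacks that attribute.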

>> Continue with: Testing Shibboleth SP Registering with IdP
