Shibboleth Service Provider Configuration
Log in as root or as a sudo user to configure the service provider. After installing the service provider, the configuration files are in the /etc/shibboleth directory.
Copy IDP Metadata
Copy idp-metadata.xml from the identity provider server. Its default location on the IdP server is /opt/shibboleth-idp/metadata/idp-metadata.xml.
Configure the shibboleth2.xml file
Go to the /etc/shibboleth directory and edit the shibboleth2.xml file.
Configure the entityID
<ApplicationDefaults entityID="https://<Service Provider Host Name>/shibboleth" REMOTE_USER="<Unique ID>">
The unique ID is the attribute (uid or samAccountName) that the IdP releases in the SAML response; the SP exposes its value to the application as REMOTE_USER.
Configure SSO
<SSO entityID="https://<Idp Host Name>/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://<Idp Host Name>/DS/WAYF">
SAML2 SAML1
</SSO>
Configure Status Handler
By default the Status handler can only be invoked from a browser on the local IP address. To invoke it from a static IP, add that address to the acl attribute.
<Handler type="Status" Location="/Status" acl="127.0.0.1 192.168.252.151"/>
I have added my SP's static IP, 192.168.252.151, to the acl attribute.
Configure Session Handler
By default showAttributeValues is false. To see the session attributes at runtime, change it from false to true.
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
Configure the IDP Metadata
Replace the placeholder with your IdP host name and specify the IdP metadata XML file name in the backingFilePath attribute.
<MetadataProvider type="XML" uri="https://<IDP Host Name>/idp/profile/Metadata/SAML"
backingFilePath="idp-metadata.xml" reloadInterval="7200">
</MetadataProvider>
Configure the Certificate Key and Cert File
By default a self-signed certificate is created when the service provider is installed. To replace it with a CA-signed certificate, update the key and certificate files; otherwise leave them as they are.
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
The shibboleth2.xml configuration is complete.
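The steps above amount to a checklist that is easy to get wrong before shibd -t ever runs (a `<Host Name>` placeholder left in an attribute, the Status acl missing the SP address, a backingFilePath that does not match the copied metadata file). The following linter walks that checklist; it is an added example, not code from this post or from the Shibboleth project, and the two shibboleth2.xml fragments it checks are constructed samples.

```python
"""Lint a shibboleth2.xml against this post's checklist before running shibd -t.
Added example, not code from the post or the Shibboleth project; samples are constructed."""
import re
import xml.etree.ElementTree as ET

# Placeholders like <Idp Host Name> are not well-formed XML, so catch them before parsing.
PLACEHOLDER = re.compile(r"<[A-Za-z]+(?: [A-Za-z]+)+>")


def lint_sp_config(xml_text, sp_ip, metadata_file):
    """Return the list of problems found; an empty list means the checklist passed."""
    problems = ["placeholder left in config: " + p for p in PLACEHOLDER.findall(xml_text)]
    if problems:
        return problems  # shibd -t would fail to parse the file anyway
    elems = {}
    for el in ET.fromstring(xml_text).iter():
        elems.setdefault(el.tag.rsplit("}", 1)[-1], []).append(el)  # drop namespace
    app = elems.get("ApplicationDefaults", [None])[0]
    if app is None or not app.get("REMOTE_USER"):
        problems.append("ApplicationDefaults needs REMOTE_USER (uid or samAccountName)")
    for h in elems.get("Handler", []):
        if h.get("type") == "Status" and sp_ip not in h.get("acl", "").split():
            problems.append("Status handler acl does not include " + sp_ip)
    for mp in elems.get("MetadataProvider", []):
        if mp.get("backingFilePath") != metadata_file:
            problems.append("backingFilePath does not match copied file " + metadata_file)
    if not elems.get("CredentialResolver"):
        problems.append("no CredentialResolver for sp-key.pem / sp-cert.pem")
    return problems


# Constructed sample: the post's SSO snippet pasted with its placeholder intact.
UNFILLED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults entityID="https://sp.example.edu/shibboleth" REMOTE_USER="uid">
  <SSO entityID="https://<Idp Host Name>/idp/shibboleth">SAML2 SAML1</SSO>
 </ApplicationDefaults></SPConfig>"""

# Constructed sample: placeholders replaced, but the Status acl still only allows localhost.
FILLED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults entityID="https://sp.example.edu/shibboleth" REMOTE_USER="uid">
  <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
  <MetadataProvider type="XML" backingFilePath="idp-metadata.xml" reloadInterval="7200"/>
  <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
 </ApplicationDefaults></SPConfig>"""

if __name__ == "__main__":
    for name, cfg in (("unfilled", UNFILLED), ("filled", FILLED)):
        print(name, lint_sp_config(cfg, "192.168.252.151", "idp-metadata.xml") or ["ok"])
```

Run it against /etc/shibboleth/shibboleth2.xml by reading the file into `lint_sp_config` with your SP address and the metadata file name you copied; a clean run is the point at which shibd -t is worth trying.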
Export LD_LIBRARY_PATH
By default the Shibboleth library files are not on LD_LIBRARY_PATH. It must be set so that the configuration files can be tested for errors.
export LD_LIBRARY_PATH=/opt/shibboleth/lib64:$LD_LIBRARY_PATH
Disable the SUSE Linux Firewall (SELinux).
By default SELinux, which this post refers to as the SUSE Linux firewall, is in enforcing mode. The Shibboleth Unix listener then throws an exception after shibd starts and the /Status page cannot be reached. Run setenforce 0 to disable enforcement temporarily. To disable it permanently:
Edit the /etc/sysconfig/selinux file and change SELINUX=enforcing to SELINUX=disabled. Note that this turns SELinux off for the whole host, not only for shibd.
Testing the Shibboleth Configuration
[root@sp shibboleth]# shibd -t
overall configuration is loadable, check console for non-fatal problems
If you do not see the above message, fix the reported errors and run the command again.
Restarting Shibboleth SP
service shibd restart
Testing the Shibboleth Installation
Open a browser and visit the following URL to verify whether the installation and configuration succeeded:
https://127.0.0.1/Shibboleth.sso/Status
If you see the Status handler page, your installation and configuration are correct. If you cannot see the Status page, troubleshoot as follows:
1) Check whether you disabled the SUSE Linux firewall (SELinux).
2) Check whether LD_LIBRARY_PATH is set.
3) Check the logs for more information.
Log Files Location
/var/log/shibboleth/shibd.log
/var/log/shibboleth/shibd_warn.log
/var/log/shibboleth/transaction.log
/var/log/shibboleth/signature.log
>>Follow the Static IP and Firewall Configuration