This post describes how to use the Shibboleth 3.0 Enhanced Client or Proxy (ECP) profile to establish single sign-on between an Identity Provider (IdP) and a Service Provider (SP) for applications that are not browser-based, such as desktop and Java client applications.
Installed Software:
1. JDK 1.8
2. Shibboleth IDP 3.0
3. Shibboleth Native Service Provider 2.5.3
4. Tomcat 8
5. Apache Http Server 2.2
6. Red Hat 6
Pre-Requisite:
1. Installed and Configured the Shibboleth Identity Provider 3.0
2. Installed and Configured the Linux Native Service Provider 2.5.3
The following components are involved in configuring Shibboleth ECP between the IdP and the SP:
1. Identity Provider
Log in to the IdP server and configure the following components to enable the Enhanced Client or Proxy (ECP) profile:
1.1 Defining ECP End Point
Go to the IDP_HOME/metadata directory and add the following element to the idp-metadata.xml file, after the existing <SingleSignOnService> elements, to enable the IdP ECP endpoint:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib-idp-sandbox.ops.sfsu.edu/idp/profile/SAML2/SOAP/ECP"/>
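Because this metadata edit is a manual step, it is worth verifying afterwards that the SOAP-binding endpoint really is advertised, and that it is an https URL, since the ECP client will send HTTP Basic credentials to it. The following Python check is an added example, not code from the original post or from the Shibboleth project; the metadata fragment it parses is constructed and the shib-idp.example.edu hostname is assumed.

```python
"""Check that IdP metadata advertises a SOAP-binding SingleSignOnService (the ECP endpoint)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed metadata fragment (hostname assumed): a browser (Redirect) endpoint plus the ECP endpoint.
METADATA_WITH_ECP = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://shib-idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shib-idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shib-idp.example.edu/idp/profile/SAML2/SOAP/ECP"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# The same document before the SOAP/ECP element was added (the SOAP line is dropped).
METADATA_WITHOUT_ECP = b"".join(
    line for line in METADATA_WITH_ECP.splitlines(True) if b"bindings:SOAP" not in line)


def ecp_endpoints(metadata_xml):
    # Location of every SingleSignOnService under an IDPSSODescriptor whose Binding is SOAP.
    root = ET.fromstring(metadata_xml)
    return [sso.get("Location")
            for idp in root.iter("{%s}IDPSSODescriptor" % MD)
            for sso in idp.findall("{%s}SingleSignOnService" % MD)
            if sso.get("Binding") == SOAP_BINDING]


def check_ecp_endpoint(metadata_xml, expected_location):
    # Returns (ok, reason). Insists on https because Basic credentials are sent to this URL.
    locations = ecp_endpoints(metadata_xml)
    if not locations:
        return False, "no SOAP-binding SingleSignOnService in metadata"
    if expected_location not in locations:
        return False, "SOAP endpoint(s) %s do not match %s" % (locations, expected_location)
    if not expected_location.startswith("https://"):
        return False, "ECP endpoint must be served over TLS"
    return True, "ECP endpoint present"


if __name__ == "__main__":
    print(check_ecp_endpoint(METADATA_WITH_ECP,
                             "https://shib-idp.example.edu/idp/profile/SAML2/SOAP/ECP"))
    print(check_ecp_endpoint(METADATA_WITHOUT_ECP,
                             "https://shib-idp.example.edu/idp/profile/SAML2/SOAP/ECP"))
```

To use it against a real deployment, read IDP_HOME/metadata/idp-metadata.xml into bytes and pass it in place of the constructed fragment, together with the Location you added.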
1.2 Protect the ECP Endpoint Container Authentication
Enable Basic Authentication at the web server level as follows:
1.2.1 Go to the /etc/httpd/conf.d directory and create a file idp.conf
1.2.2 Add the following content in the idp.conf file.
<Location /idp/profile/SAML2/SOAP/ECP>
AuthType Basic
AuthName "Demo Organization- ECP profile"
AuthzLDAPAuthoritative Off
AuthBasicProvider ldap
AuthLDAPURL ldap://<LdapHostName>/<Ldap Ou>?<Authentication Parameter>
AuthLDAPBindDN "<Ldap Admin Bind Dn>"
AuthLDAPBindPassword "<Ldap Bind Password>"
Require valid-user
SSLRequireSSL
</Location>
Replace LdapHostName with your LDAP host name, Ldap Ou with the OU to search, Ldap Admin Bind Dn with your admin bind DN, Ldap Bind Password with your bind password, and Authentication Parameter with the attribute to match the user name against. My parameter is CN. After replacing the placeholders the configuration looks as follows:
<Location /idp/profile/SAML2/SOAP/ECP>
AuthType Basic
AuthName "Demo - ECP profile"
AuthzLDAPAuthoritative Off
AuthBasicProvider ldap
AuthLDAPURL ldap://dcs01.example.edu/ou=people,dc=example,dc=edu?cn
AuthLDAPBindDN "CN=shibadmin,OU=Users,DC=example,dc=edu"
AuthLDAPBindPassword "password"
Require valid-user
SSLRequireSSL
</Location>
1.3 Restarting the Tomcat Server
Go to the tomcat_home/bin directory and execute the following commands to stop and start the Tomcat server:
./shutdown.sh
./startup.sh
1.4 Restart the Apache Web Server
Log in as root and execute the following command to restart the Apache web server:
/etc/init.d/httpd restart
2. Service Provider
Log in as root on the service provider machine and perform the following tasks to enable ECP.
2.1 Enabling the ECP
I have installed the Shibboleth SP in the /apps/shibboleth-sp directory. Go to the shibboleth-sp/etc/shibboleth directory, edit the shibboleth2.xml file, and add the ECP="true" attribute to the <SSO> element:
<SSO entityID="<IDp Entity>" ECP="true"
discoveryProtocol="SAMLDS" discoveryURL="https://shib-idp.example.ed/DS/WAYF">
SAML2 SAML1
</SSO>
2.2 Protecting the Resource
After installing the Shibboleth service provider, an apache22.config file is generated in the /apps/shibboleth-sp/etc/shibboleth directory. I have renamed the apache22.config file to shib.conf and copied it to the /etc/httpd/conf.d directory. By default the /secure location is protected in the shib.conf file. I am using the default configuration as it is; it is given below:
<Location /secure>
AuthType shibboleth
ShibCompatWith24 On
ShibRequestSetting requireSession 1
require shib-session
</Location>
2.3 Restart the Apache Web Server
/etc/init.d/httpd restart
Testing the ECP through Java
Sample Code
Execute the following sample code to test the ECP configuration. First change idpBaseUrl to your actual IdP URL, spUrl to your actual SP URL, and userName and password to your own user name and password:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.ConfigurationException;
import de.tudarmstadt.ukp.shibhttpclient.ShibHttpClient;

public class ShibEcpTestClient {
    // Base URL of the IdP; the ECP endpoint path is appended below.
    private static String idpBaseUrl = "https://shib-idp.example.edu";
    // Base URL of the SP; /secure is the location protected by shib.conf.
    private static String spUrl = "https://shib-sp.example.edu";
    // Credentials checked by the Basic/LDAP authentication in front of the IdP ECP endpoint.
    private static String userName = "<User Name>";
    private static String password = "<Password>";

    public static void main(String[] args) {
        // Wire-level HttpClient logging shows the whole ECP exchange, but it also prints every
        // request header, including the Basic Authorization header, so turn it off after testing.
        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http", "DEBUG");
        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.wire", "DEBUG");

        // OpenSAML must be bootstrapped before ShibHttpClient can parse the SAML/SOAP messages.
        try {
            DefaultBootstrap.bootstrap();
        } catch (ConfigurationException e) {
            e.printStackTrace();
            return;
        }

        // ShibHttpClient drives the ECP flow: it sends the PAOS request to the SP, authenticates
        // to the IdP ECP endpoint with the credentials, and delivers the assertion to the SP.
        HttpClient client = new ShibHttpClient(idpBaseUrl + "/idp/profile/SAML2/SOAP/ECP", userName, password);
        HttpGet req = new HttpGet(spUrl + "/secure");
        try {
            HttpResponse res = client.execute(req);
            // With a working ECP setup this prints the protected /secure page, not a login page.
            InputStream ins = res.getEntity().getContent();
            BufferedReader br = new BufferedReader(new InputStreamReader(ins));
            String readLine = null;
            while ((readLine = br.readLine()) != null) {
                System.out.println("Read Line Data :" + readLine);
            }
            br.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
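The Java client above hides the ECP exchange inside ShibHttpClient. To show what actually travels between the client, the SP's /secure location and the IdP's /idp/profile/SAML2/SOAP/ECP endpoint (sections 1.1 and 2.1), here is the client side of the flow as an added Python example, not code from the original post or from the Shibboleth or shib-http-client projects. The two SOAP envelopes are constructed samples (the IdP body is trimmed to a Status, a real one carries the signed Assertion), and the shib-sp.example.edu URLs are assumed. It also includes the check the ECP profile requires of the client: the IdP's AssertionConsumerServiceURL must equal the SP's responseConsumerURL before the response is forwarded.

```python
"""Client side of the SAML 2.0 ECP exchange, run on constructed envelopes (no network needed)."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NEXT_ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"
NS = {"S": SOAP, "paos": PAOS, "ecp": ECP, "samlp": SAMLP, "saml": SAML}
for prefix, uri in NS.items():  # keep the conventional prefixes when serialising
    ET.register_namespace(prefix, uri)

# Constructed sample (hostnames assumed): the SP's reply to a PAOS-capable GET /secure.
SP_PAOS_ENVELOPE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" responseConsumerURL="https://shib-sp.example.edu/Shibboleth.sso/SAML2/ECP"/>
<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1"
 S:actor="http://schemas.xmlsoap.org/soap/actor/next">ss:mem:constructed-relay-state</ecp:RelayState>
</S:Header>
<S:Body>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://shib-sp.example.edu/shibboleth</saml:Issuer>
</samlp:AuthnRequest>
</S:Body>
</S:Envelope>"""

# Constructed sample: the IdP ECP endpoint's reply once the Basic/LDAP authentication succeeded.
IDP_ECP_ENVELOPE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
 AssertionConsumerServiceURL="https://shib-sp.example.edu/Shibboleth.sso/SAML2/ECP"/>
</S:Header>
<S:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2015-01-01T00:00:01Z">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>
</S:Body>
</S:Envelope>"""


def paos_request_headers():
    # Step 1: these headers on the GET make the SP answer with a PAOS envelope instead of a redirect.
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": 'ver="%s";"%s"' % (PAOS, ECP)}


def parse_sp_request(envelope):
    # Step 2: remember where the SP wants the answer (responseConsumerURL) and its RelayState.
    root = ET.fromstring(envelope)
    paos_req = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP request envelope")
    relay = root.find("S:Header/ecp:RelayState", NS)
    return {"response_consumer_url": paos_req.get("responseConsumerURL"),
            "relay_state": None if relay is None else relay.text, "authn_request": authn}


def build_idp_envelope(authn_request):
    # Step 3: strip the SP's header blocks and send only the AuthnRequest to the IdP ECP endpoint
    # over HTTPS with Basic credentials (checked by the mod_authnz_ldap <Location> in section 1.2).
    env = ET.Element("{%s}Envelope" % SOAP)
    ET.SubElement(env, "{%s}Body" % SOAP).append(authn_request)
    return ET.tostring(env)


def parse_idp_response(envelope):
    # Step 4: the IdP's ecp:Response header names the consumer URL the assertion was issued for.
    root = ET.fromstring(envelope)
    ecp_resp = root.find("S:Header/ecp:Response", NS)
    body = root.find("S:Body", NS)
    if ecp_resp is None or body is None:
        raise ValueError("not an ECP response envelope")
    return {"acs_url": ecp_resp.get("AssertionConsumerServiceURL"), "body": body}


def acs_matches_consumer(acs_url, response_consumer_url):
    # Required client check: on mismatch the client must not forward the response to the SP
    # (it returns a SOAP fault instead), so an assertion cannot be delivered to a different consumer.
    return acs_url is not None and acs_url == response_consumer_url


def build_sp_envelope(relay_state, idp_body):
    # Step 5: put RelayState back in the header and POST the IdP body to responseConsumerURL
    # with Content-Type application/vnd.paos+xml; the SP then establishes its session.
    env = ET.Element("{%s}Envelope" % SOAP)
    if relay_state is not None:
        rs = ET.SubElement(ET.SubElement(env, "{%s}Header" % SOAP), "{%s}RelayState" % ECP)
        rs.set("{%s}mustUnderstand" % SOAP, "1")
        rs.set("{%s}actor" % SOAP, NEXT_ACTOR)
        rs.text = relay_state
    body = ET.SubElement(env, "{%s}Body" % SOAP)
    for child in list(idp_body):
        body.append(child)
    return ET.tostring(env)


def run_exchange(sp_envelope, idp_envelope):
    # Whole client-side flow on captured envelopes; None means the ACS check failed.
    req = parse_sp_request(sp_envelope)
    build_idp_envelope(req["authn_request"])  # this is what would be POSTed to the IdP
    resp = parse_idp_response(idp_envelope)
    if not acs_matches_consumer(resp["acs_url"], req["response_consumer_url"]):
        return None
    return build_sp_envelope(req["relay_state"], resp["body"])


if __name__ == "__main__":
    print(paos_request_headers())
    print(run_exchange(SP_PAOS_ENVELOPE, IDP_ECP_ENVELOPE).decode())
```

The two network hops (POSTing the output of build_idp_envelope to the IdP with Basic auth, and the output of build_sp_envelope to responseConsumerURL) are left out so the example runs offline; with real HTTP calls in their place, the final GET of /secure carries the SP session cookie just as the Java client's output does.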
Thanks for putting this together! Glad to know someone like you who shares the same interest! I'm very curious why adding the ECP end point in the idp-metadata.xml file is a manual step. Once it's configured in the relying-party.xml, shouldn't it be generated automatically?