Shibboleth IdP SLO part 3 (Configuration)

July 30, 2012

Shibboleth IdP SLO part 3 (Configuration)

LDAPS Connection

To be able to connect to LDAPS, the shibboleth must already has the LDAP SSL certificate. To do so, get the LDAP SSL certificate from the administrator or export it from another server which already have the certificate.

To export:

keytool -export -keystore /etc/java-1.5.0-sun/security/cacerts -alias ldap -file ldap.cer

To import into the new Shibboleth IdP, we must import in to the current java keystore file:

keytool -import -trustcacerts -alias "ldap" -file ldap.cer -keystore /usr/lib/jvm/jdk1.6.0_30/jre/lib/security/cacerts

login.config

Edit IDP_HOME/conf/login.config

edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap.example.com"
      port="636"
      ssl="true"
      base="ou=users,o=myorg"
      serviceCredential="PASSWORD"
      serviceUser="cn=ldap_proxy,ou=misc,o=myorg"
      subtreeSearch=true
      userField="cn"

attribute-resolver.xml

attribute-resolver.xml is used to get data from database or LDAP or kerberos, make sure that the id in AttributeDefinition is the same value with the attributeID in attribute-filter.xml
Edit IDP_HOME/conf/attribute-resolver.xml and enable the following:

<resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement"
   sourceAttributeID="eduPersonEntitlement">
     <resolver:Dependency ref="myLDAP" />
     <resolver:AttributeEncoder xsi:type="enc:SAML1String"
   name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
   friendlyName="eduPersonEntitlement" />
</resolver:AttributeDefinition>
 
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" 
 sourceAttributeID="uid">
 <resolver:Dependency ref="myLDAP" />
 <resolver:AttributeEncoder xsi:type="enc:SAML1String"
 name="urn:mace:dir:attribute-def:uid" />
 <resolver:AttributeEncoder xsi:type="enc:SAML2String"
 name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
   name="urn:mace:dir:attribute-def:mail" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
   name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName"
  scope="example.com" sourceAttributeID="uid">
   <resolver:Dependency ref="myLDAP" />
   <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
  name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
   <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
  friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation"
 scope="example.com" sourceAttributeID="eduPersonAffiliation">
<resolver:Dependency ref="myLDAP" />
 <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
 name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
 <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
 name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
 
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
 xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldaps://ldap.example.com" baseDN="ou=users,o=myorg"
    principal="cn=ldap_proxy,ou=misc,o=myorg" principalCredential="PASSWORD">
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>

attribute-filter.xml

attribute-filter.xml is used to define which attribute will be released to the Shibboleth SP.
Edit IDP_HOME/conf/attribute-filter.xml and enable the following:

<afp:AttributeFilterPolicy id="releaseToAllMembers">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
                <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eduPersonEntitlement">
                <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

</afp:AttributeFilterPolicy>

<afp:AttributeFilterPolicy id="releaseToSpesificSP">
       <afp:PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://typo3.example.com/shibboleth" />
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wordpress.example.com/shibboleth" />
       </afp:PolicyRequirementRule>

    <afp:AttributeRule attributeID="uid">
                <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="mail">
                <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>

relying-party.xml

Edit IDP_HOME/conf/relying-party.xml and enable the following:

<MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
      metadataURL="https://typo3.example.com/Shibboleth.sso/Metadata"
      backingFile="/opt/shibboleth-idp/metadata/typo3-metadata-backingFile.xml">
  <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
   <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" maxValidityInterval="604800" />
   <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
       trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="false" />
    <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
   </MetadataFilter>
  </MetadataFilter>
</MetadataProvider>

<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/typo3.pem</security:Certificate>
        </security:Credential>
</security:TrustEngine>

Download the SSL certificate from typo3 SP and save as /opt/shibboleth-idp/credentials/typo3.pem

logging.xml

To activate log rotation, add MaxHistory in file IDP_HOME/conf/logging.xml, for example:

<logger name="org.springframework" level="DEBUG"/>

<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
 <MaxHistory>7</MaxHistory>
 <FileNamePattern>$IDP_HOME$/logs/idp-process-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
</rollingPolicy>

Reference

CSRDU

<< Shibboleth IdP SLO part 2 (Installation) | Shibboleth SP part 1 (Installation) >>

Search This Blog

versuch.net

Shibboleth IdP SLO part 3 (Configuration)

LDAPS Connection

login.config

attribute-resolver.xml

attribute-filter.xml

relying-party.xml

logging.xml

Reference

Comments

Popular Posts

VGA out for cubieboard

Add unsupported device to Observium (Fiberhome OLT)