Tuesday, June 04, 2013

Shibboleth IDP and Kerberos


Shibboleth IDP can use Kerberos as authentication mechanism, but Shibboleth IDP still need a LDAP or any database system to get the user's data and to release the attributes to the Shibboleth SP. To setup a Kerberos mechanism in Shibboleth IDP, we need at least:
  • Working Kerberos System.
  • Working Kerberos client in the Shibboleth IDP server. /etc/krb5.conf is configured properly.
  • Working Shibboleth IDP server.
At first, we need to install Kerberos Login Handler in the working Shibboleth IDP server. The Original file and documentation can be found here.

Kerberos Login Handler Installation

  1. Download the handler from here, download the newest version of the jar file, at the moment is 1.0
  2. Copy kerberos-login-handler-1.0.jar to IDP lib source directory
    cp kerberos-login-handler-1.0.jar $IDP_SRC/lib
  3. Follow the installation instruction from here.
  4. Edit the attribute-resolver.xml in $IDP_DIR/conf/ and change the LDAP connector to the following example:
  5. <resolver:AttributeDefinition id="principalName" xsi:type="ad:PrincipalName" dependencyOnly="true"/>
        <resolver:AttributeDefinition id="krb_principalname" xsi:type="ad:Mapped" sourceAttributeID="principalName" dependencyOnly="true" >
            <resolver:Dependency ref="principalName" />
                    <ad:DefaultValue passThru="true" /><!-- this is usefull for bypass the mapping for ldap login -->
        <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
            ldapURL="ldaps://ldap.example.com" baseDN="ou=it,o=example" principal="cn=query_user,ou=it,o=example"
            <resolver:Dependency ref="krb_principalname" />
  6. re-deploy the Shibboleth application using this command:
    keep the default value, don't accept to change the configuration file.
  7. edit relying-party.xml in the $IDP_DIR/conf/ and change the DefaultRelyingParty as follows:
    <rp:DefaultRelyingParty provider="https://idp.example.com/idp/shibboleth" defaultSigningCredentialRef="IdPCredential"

Example krb5.conf

This file is used by kerberos client and Shibboleth IDP kerberos login handler to login using kerberos. When user can login using command "kinit username", the Shibboleth kerberos login handler should also have no problem to authenticate using kerberos. The most common problems are wrong principal, wrong keytab and principal not registered yet in the kerberos database.
        default_realm = EXAMPLE.COM
        clockskew = 300
        debug = true

        EXAMPLE.COM = {
                kdc = kdc.example.com
                admin_server = kdc.example.com

        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

Browser configuration

Before we can use the kerberos authentication, we need to configure the browser in the client.


  • type about:config on the address bar and enter.
  • on the search bar, type auth and enter.
  • set the delegation-uris and trusted-uri to the Shibboleth IDP server address, example idp.example.com. Separate by comma for another IDP server.
  • on windows, if we are not using active directory as kerberos server, change using-native-gsslib to false.

Internet Explorer

  • open Internet Options from Tools menu.
  • Select security tab, select Local intranet and press Sites button.
  • Press Advanced button.
  • Add the Shibboleth IDP server, wildcards are also supported e.g *.example.com


  • To configure chrome, we need to run chrome using this parameter:
chrome --auth-server-whitelist="*.example.com"
  • If above command is not working, we can add the whitelist in the Local Machine or Local Intranet security zone (Windows Only) -> the configuration is same like configuring Kerberos for Internet Explorer.


  • No additional configuration is needed on Mac.
  • Not works on Windows.


1 comment:

idp shibboleth said...

Quite a useful resource since the original file and document have been made available for the benefit of the users.