Technical

How can I configure Shibboleth for SAML authentication?

Follow
Note: SSO is an Professional / Enterprise license feature

This guide will help you configure Shibboleth for Asset Bank using Apache on a debian Wheezy server.

Install and enable shibboleth apache module 

apt-get install libapache2-mod-shib2

a2enmod shib2

apache2ctl restart

Configuration

Shibboleth Configuration

Edit /etc/shibboleth/shibboleth2.xml

Find and edit the ApplicationDefaults or create an ApplicationOverride with the following (replace the first tag name with ApplicationOverride if you are creating an override):

<ApplicationDefaults entityID="http://my.assetbank.domain/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id"
    attributePrefix="AJP_"
    homeURL="http://my.assetbank.domain/asset-bank/action/ssoAuthenticate"
    >

<CredentialResolver type="File" key="/etc/ssl/shibboleth/sp-key.pem"
    certificate="/etc/ssl/shibboleth/sp-cert.pem"/>

<Sessions lifetime="28800" timeout="600" checkAddress="false" relayState="cookie" handlerSSL="false">

Create a private key and certificate

You can use the recommended keygen.sh even though it's not included in Wheezy:

cd /etc/ssl/shibboleth
wget https://raw.githubusercontent.com/craigpg/shibboleth-sp2/master/configs/keygen.sh
chmod +x keygen.sh
./keygen.sh
rm keygen.sh

Note: once generated, the sp-key.pem and sp-cert.pem may need to be manually moved into /etc/ssl/shibboleth if they are not saved there automatically.

Apache configuration

Make sure that Asset Bank is not accessible through another virtualhost or through tomcat directly. Shibboleth authentication is enabled at the apache level. Add the following in a preferably SSL-enabled virtualhost:

ProxyPass /asset-bank/ ajp://localhost:8009/asset-bank/ retry=0
<Location /asset-bank>
    AuthType shibboleth
    require shibboleth
</Location>

Asset Bank Configuration

Edit your ApplicationSettings.properties file and make sure these settings have the correct values

sso-enabled=true
sso-plugin-class=ShibbolethSSOPlugin

import-remote-users-on-the-fly=true
update-remote-users-on-sso-login=true
update-remote-users-groups-on-sso-login=true

Copy ShibbolethSSOSettings-standard.properties to ShibbolethSSOSettings.properties and edit it according to your Identity Provider metadata

# Username parameter is required
username=login

# Following are optional, but will enhance user profile on first SSO login
display-name=cn
email=email
forename=firstName
surname=lastName
memberof=memberOf

From version 3.1638.8 you can also set the shibboleth endpoint if it's not configured in your base domain. This is used for logout actions.

# Endpoint is the absolute path to the Shibboleth instance. This URL should end with Shibboleth.sso
# If this is not populated, it will default to the base domain appended with Shibboleth.sso
# eg. http://my.assetbank.com/Shibboleth.sso
# endpoint=

Restart required services

You need to restart Asset Bank, the Shibboleth service and apache.

service tomcat6 restart
apache2ctl -t
apache2ctl restart
service shibd restart

Test your configuration

You can test the configuration by following the instructions detailed at http://www.testshib.org/register.html

Related articles

Comments

0 comments

Please sign in to leave a comment.