Monday, May 28, 2012

Configure Shibboleth as SAML2 IDP

Shibboleth is one of the most popular and widely used SAML2 IDPs. I tried to configure Shibboleth as a SAML2 IDP, and in this post I am going to share the steps with you. I hope they are useful for you as well. My operating system was Ubuntu 10.04.

Step 1. Download the latest version (v2.3.6) of Shibboleth IDP from here.

Step 2. Extract it into your file system.

Step 3. Go to the root directory of the extracted archive and run the install script. This installs Shibboleth into the location you specify in your file system; let's call it IDP_HOME. The installation also creates a keystore, found in the IDP_HOME/credentials directory, and a WAR file, found in the IDP_HOME/war directory.


First, let's configure a user store for Shibboleth. We can use an LDAP-based user store for this. Here I am using the ApacheDS LDAP user store. You can find simple steps to create an ApacheDS LDAP server here.

Step 4. Open the login.config file in the IDP_HOME/conf directory and configure your LDAP user store. The following is my sample configuration.

ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://localhost:10389"
        bindDn="uid=admin,ou=system"
        bindCredential="secret"
        baseDn="ou=users,ou=system"
        ssl="false"
        userFilter="uid={0}"
        ;
};


Step 5. Enable the username/password login handler in the handler.xml file in the IDP_HOME/conf directory.

<ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///home/asela/Wso2/shibboleth/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>


Step 6. Configure the logging level in the logging.xml file in the IDP_HOME/conf directory. All log files are written to IDP_HOME/logs, which will help you troubleshoot issues.

Now let's deploy the idp.war file in a web application server. Here I am using Apache Tomcat. Please use Tomcat 6.X.X, as Shibboleth has not been tested with Tomcat 7.X.X.


Step 7. Copy the IDP_HOME/lib/endorsed directory into the Tomcat root directory.

Step 8. Enable HTTPS in Tomcat. Locate server.xml in the TOMCAT_HOME/conf directory and configure the HTTPS connector. A sample configuration is as follows.

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
           scheme="https"
           SSLEnabled="true"
           clientAuth="false"
           keystoreFile="/home/asela/shibboleth/credentials/idp.jks"
           keystorePass="changeit" /> 

Step 9. Copy the idp.war file into the TOMCAT_HOME/webapps directory.

Step 10. Start the Tomcat server by running the catalina script.

Step 11. Check the status of the server at https://localhost:8443/idp/status
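The login.config from Step 4 carries the ApacheDS defaults (the uid=admin,ou=system administrator and its password "secret") and a plaintext ldap:// URL, which is acceptable for a localhost test but not for a production IDP. The following Python lint is added here and is not part of the original post: it parses a JAAS login.config in the format shown above and reports those weak settings; the sample it checks is constructed from the post's configuration.

```python
import re
from urllib.parse import urlparse

# Constructed sample that mirrors the login.config shown in the post.
SAMPLE_LOGIN_CONFIG = """
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://localhost:10389"
        bindDn="uid=admin,ou=system"
        bindCredential="secret"
        baseDn="ou=users,ou=system"
        ssl="false"
        userFilter="uid={0}"
        ;
};
"""

# JAAS grammar: entry { module flag option="value" ... ; };
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
MODULE_RE = re.compile(r"([\w.]+)\s+(required|requisite|sufficient|optional)\s+(.*?);", re.S)
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')
APACHEDS_DEFAULT_ADMIN = ("uid=admin,ou=system", "secret")  # shipped defaults; change both
LOOPBACK = ("localhost", "127.0.0.1", "::1")

def parse_login_config(text):
    """Parse JAAS login.config text into {entry: [{module, flag, options}]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        entries[name] = [
            {"module": module, "flag": flag, "options": dict(OPTION_RE.findall(opts))}
            for module, flag, opts in MODULE_RE.findall(body)]
    return entries

def check_ldap_module(options):
    """Return hardening findings for one LdapLoginModule option set."""
    findings = []
    url = urlparse(options.get("ldapUrl", ""))
    encrypted = url.scheme == "ldaps" or options.get("ssl", "false").lower() == "true"
    if not encrypted and url.hostname not in LOOPBACK:
        findings.append("plaintext LDAP to a remote host: bind and user passwords are exposed on the wire")
    if options.get("bindDn") == APACHEDS_DEFAULT_ADMIN[0]:
        findings.append("bind account is the ApacheDS directory administrator; use a read-only service account")
    if options.get("bindCredential") == APACHEDS_DEFAULT_ADMIN[1]:
        findings.append("bind credential is the ApacheDS default admin password")
    if "{0}" not in options.get("userFilter", ""):
        findings.append("userFilter lacks the {0} username placeholder, so no user can be resolved")
    return findings

def lint(text, entry="ShibUserPassAuth"):
    # Findings for every LdapLoginModule configured in the named JAAS entry.
    return [f for m in parse_login_config(text).get(entry, [])
            if m["module"].endswith("LdapLoginModule") for f in check_ldap_module(m["options"])]
```

Point lint() at the contents of IDP_HOME/conf/login.config; an empty list means none of these checks fired.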

1 comment:

  1. The steps are crystal clear and can be implemented easily. Make sure to implement the idp shibboleth properly so that it can work seamlessly.
