Monday, May 28, 2012

Login to WSO2 Carbon servers via Shibboleth SAML2 IDP


 
In my previous post,  I went through step by step to configure the shibboleth as a SAML2 IDP.  Now lets try to use Shibboleth SAML2 IDP in a real word use case. In this blog post i am going to configure WSO2 Carbon product as a SSO service provider for  Shibboleth IDP. Any WSO2 Carbon server can act as a SAML2 SSO relying party components. 

This type of scenario actually useful when you want to login to management console of several WSO2 Carbon products that had been deployed as cluster; where users want to experience SSO. 

User experience would be as follows. 

1. User type WSO2 Carbon product management console url
2. User redirected to  the shibboleth login console 
3. User enter his user name and password associate with shibboleth IDP account   
4. User now has redirected to WSO2 Carbon product management console.

(But still i could not setup single logout with Shibboleth :( . Therefore you want to exit from the browser to logout from Shibboleth)

Here we want to understand one thing very carefully.  i.e User, who has an account in shibboleth IDP, must be also exist in the user store of the WSO2 Carbon server. Why?  For authentication, we do not want to duplicate the user accounts. Yes...!  Actually authentication would be successful at the WSO2 Carbon server without even a user store. But;  to login to the WSO2 Carbon management console, authentication is not enough, users are needed to authorize to access the management console.  Therefore after successful  authentication by using SSO,  WSO2 Carbon server performs an authorization check with respect to its own user store.  Therefore user must be in that user store also. (basically user Id and access control list).  But credentials do not want to be there. 

Therefore basically, you need to syn shibboleth IDP with WSO2 Carbon user store. For this we can have two options. 

1. Use provisioning mechanism such as SCIM (SCIM would be supported by WSO2Carbon server 4.0.0 version) 
2. Share same user store for shibboleth IDP and WSO2 Carbon servers. Most of the cases,  shibboleth IDP is backed by LDAP or AD. Therefore we can easily configure WSO2 Carbon servers to connect to that LDAP or AD.   But authentication check would be always happened at the shibboleth IDP. 



Now lets go with configurations. 

First configure at shibboleth IDP side,

Step 1.  Configure new relying party for carbon servers under the "RelyingPartyGroup"  in relying-party.xml which can be found at IPD_HOME/conf directory.   Sample configuration would be as follows 

<rp:RelyingParty id="carbonServer"
        defaultSigningCredentialRef="IdPCredential" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signResponses="always" signAssertions="never" 
                                 encryptAssertions="never" encryptNameIds="never"/>
</rp:RelyingParty>


Here i have configured only to sign the SAML2 response.


Step 2. Configure SAML2 meta data configuration by using a new meta data config file at IPD_HOME/metadata directory.  In this directory, I created a new file called carbon.xml and configure followings.

<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://localhost:9443/acs" />
    </SPSSODescriptor>
</EntityDescriptor> 

Please make sure  NameIDFormat, Binding in ACS and Location of ACS are configured according to your own configurations

Step 3. Configure new meta data configuration file under the "RelyingPartyGroup"  in relying-party.xml which can be found at IPD_HOME/conf directory.   Sample configuratio cn would be as follows 
Here we have pointed to the new meta data config file.

<MetadataProvider id="carbonMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="/home/asela/shibboleth/metadata/carbon.xml" maintainExpiredMetadata="true" />


Now lets configure Service provider side,  WSO2 Carbon server.

WSO2 Carbon server can be configured with different authenticators.   AuthenticationAdmin (which uses user name and password) is the default Carbon Server Authenticator. Therefore we need to change those configurations and enable Shibboleth related SAML2 SSO authenticator.  Actually there is existing SAML2 SSO authenticator that can be found at this SVN location. But it seems to be that default SAML2 SSO authenticator would not work with Shibboleth out of the box. Therefore you need to write a new authenticator for shibboleth. It would be really easy, because we only need to do small modifications to the existing SAML2 SSO authenticator source code.  Therefore I did that simple modification.  You can find the modified source from here.  And the patched jar files from here.  

Lets see how we can do this.  please note here i am using Carbon 3.2.3 based servers.


Step 1.  Install following patched SAML SSO authenticator jars  with WSO2 Carbon server by copying them in to  <CARBON_HOME>/repository/components/dropins

org.wso2.carbon.identity.authenticator.saml2.sso-3.2.1.jar 
org.wso2.carbon.identity.authenticator.saml2.sso.ui-3.2.2.jar  
org.wso2.carbon.identity.authenticator.saml2.sso.stub-3.2.0.jar

Step 2.  Configure authenticators.xml file which can be found at <CARBON_HOME>/repository/conf/advanced  directory. Sample configuration would be as follows


    <Authenticator name="SAML2SSOAuthenticator">
        <Priority>10</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">carbonServer</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://localhost:8443/idp/profile/SAML2/Redirect/SSO</Parameter>
        </Config>
    </Authenticator>

Here please note following two parameters must be according your configurations.

ServiceProviderID -> This must be same value that you have configured as RelyingParty Id.
IdentityProviderSSOServiceURL  -->  This must be the SSO redirect url of shibboleth IDP

Step 3. Start the server and try to login to management console,  you would probably redirected to  shibboleth  IDP login page..   


1 comment:

  1. Hi
    It's clear and thanks about your paper.
    I did it and every thing works well.
    I use wso2 LDAP for shibboleth.
    I redirected to shibboleth login page (I redirect to https://idp.example.org:8443/idp/AuthnUserPassword).
    But when I use admin/admin, I got this error:

    Authentication/Authorization Failure

    This might be due to different reasons.
    This Authentication Request is malformed or is not issued by an valid issuer.
    You are not autherized to sign-in to this service. Please contact the administrator of your organization.
    This service is not enabled for your organization. Please contact the administrator of your organization.

    Should I do more configuration.
    Please help me.
    Thanks...

    ReplyDelete