Setting up a new Shibboleth IdP to work with an existing SAML SP

Submitted by 左心房为你撑大大i on 2019-12-28 04:32:06

Question


Hopefully this isn't a duplicate or too broad. I just have a feeling I need a bit more information than anything else I've been able to find.

I have a program/server that already has a functioning SAML SP built in to it. I'm trying to get it connected to a test Shibboleth IdP (V3.3.3) on an internal server running Windows Server. I have it installed and connected to our Active Directory users. The documentation was great for getting to that point.

Now I have no earthly clue how to proceed. I see a lot of information about exchanging configuration/XML info and certificates between SPs and IdPs. I believe I have a valid SP XML and certificate to give to the IdP, but I don't know:

  1. Where to put the SP XML information in the IdP installation
  2. Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)
  3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)
  4. Where the IdP login path is
  5. Whether or not there's anything else I need to configure to get the two talking

1 through 4 are probably my biggest confusions that I can't seem to find info on. The Shibboleth documentation seems to assume I am far more familiar with configuring an IdP than I am. It tells me where to configure literally anything/everything possible, but I don't know what I should be configuring.

Anyhow, thanks for any help on this. I've been wasting a pitiful amount of time trying to figure this out.


Answer 1:


To answer your five (5) questions, without loss of generality, we assume that

(I) the metadata file of SAML IdP is idpsaml-metadata.xml

(II) the metadata file of SAML SP is sp-example-org.xml

Q&A

  1. Where to put the SP XML information in the IdP installation

Answer: /opt/shibboleth-idp/metadata/sp-example-org.xml

  2. Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)

Answer: The metadata file of SAML SP consists of the SP certificate. SAML IdP will extract SP certificate from SAML SP's metadata (e.g., sp-example-org.xml)

  3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)

Answer: The metadata file of SAML IdP consists of all the IdP certificates (which have been generated by the default setup of SAML IdP).

You need to place the metadata file of SAML IdP (e.g., idpsaml-metadata.xml) into the SAML SP's home directory, e.g., /etc/shibboleth/idpsaml-metadata.xml

  4. Where the IdP login path is

Answer: Usually SAML SP uses HTTP-POST endpoint as SAML IdP login path, e.g.,

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://IdP-Server-URL/idp/profile/SAML2/POST/SSO"/>

You also need to configure Shibboleth IdP with LDAP user authentication.

/opt/shibboleth-idp/conf/idp.properties

/opt/shibboleth-idp/conf/ldap.properties

/opt/shibboleth-idp/conf/attribute-filter.xml

/opt/shibboleth-idp/conf/attribute-resolver-full.xml

  5. Whether or not there's anything else I need to configure to get the two talking

Answer: To allow SAML IdP to provide identity authentication for SAML SP, both SAML IdP and SAML SP need to exchange their metadata. Then you need to configure SAML IdP with SAML SP.

SAML IdP

/opt/shibboleth-idp/conf/metadata-providers.xml

/opt/shibboleth-idp/conf/relying-party.xml

SAML SP

/etc/shibboleth/shibboleth2.xml

/etc/shibboleth/attribute-map.xml

Remarks:

How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the sample configuration files for Shibboleth IdP and SP.
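As an added example (not part of the original answer and not Shibboleth project code), the following Python script runs the checks an IdP administrator would want before copying an SP's metadata into /opt/shibboleth-idp/metadata/: it reads the entityID, the signing and encryption certificates the answer says the IdP extracts from the SP metadata, and the AssertionConsumerService endpoints, and flags endpoints that are not https, a missing signing certificate, and a validUntil date that has already passed. The SP metadata embedded in it is constructed, with a hypothetical entityID and endpoints and placeholder base64 text standing in for real DER certificates.

```python
"""Pre-flight checks on SAML SP metadata before it is copied into
/opt/shibboleth-idp/metadata/ (added example, not Shibboleth project code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: hypothetical entityID/endpoints, and placeholder base64
# text (not real DER certificates) inside the X509Certificate elements.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth"
    validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VIT0xERVItU0lHTklORy1DRVJU
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VIT0xERVItRU5DUllQVElPTi1DRVJU
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_text: str) -> str:
    """SHA-256 of the DER bytes in an <ds:X509Certificate>, as colon-separated
    hex, the form operators usually compare out of band."""
    der = base64.b64decode("".join(b64_text.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_sp_metadata(xml_text: str, now: Optional[str] = None) -> dict:
    """Return entityID, certificate fingerprints by use, ACS endpoints and a
    list of warnings. `now` is a SAML-style UTC timestamp; defaults to today."""
    now_dt = (datetime.strptime(now, SAML_TIME) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "certs": {},
              "acs": [], "warnings": []}
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        report["warnings"].append("no SPSSODescriptor: not SP metadata")
        return report
    valid_until = root.get("validUntil")
    if valid_until and datetime.strptime(valid_until, SAML_TIME) <= now_dt:
        report["warnings"].append(
            f"validUntil {valid_until} has passed; the IdP will reject this file")
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attr means both
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            report["certs"].setdefault(use, []).append(cert_fingerprint(cert.text))
    if not any(u in report["certs"] for u in ("signing", "signing+encryption")):
        report["warnings"].append(
            "no signing certificate: signed AuthnRequests cannot be verified")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        binding, location = acs.get("Binding", ""), acs.get("Location", "")
        report["acs"].append((binding, location))
        if not location.startswith("https://"):
            report["warnings"].append(
                f"ACS {location} is not https: assertions would travel in the clear")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        report["warnings"].append("WantAssertionsSigned is not true")
    return report


if __name__ == "__main__":
    result = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", result["entity_id"])
    for use, fps in result["certs"].items():
        for fp in fps:
            print(f"{use} cert SHA-256: {fp}")
    for binding, location in result["acs"]:
        print("ACS:", binding.rsplit(":", 1)[-1], location)
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Once the file passes these checks it is copied to the path the answer gives and registered in metadata-providers.xml with a FilesystemMetadataProvider whose metadataFile points at %{idp.home}/metadata/sp-example-org.xml; the fingerprints the script prints are what to compare against the values the SP operator sends separately, so a tampered metadata file is caught before the IdP trusts it.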



Source: https://stackoverflow.com/questions/50650374/setting-up-a-new-shibboleth-idp-to-work-with-an-existing-saml-sp
