Federation with Shibboleth SP (Apache module)
Posted in Federation, shibboleth on October 11th, 2011 by aldaris

When you want to achieve Federation between different organizations, you often find yourself in a situation where the products used by the parties are different. Before we go any further I should make the terminology clear:

Identity Provider (IdP): The IdP holds all information about the user (for example in LDAP). It is also the IdP's job to authenticate the users and to decide what kind of information about them it shares with other providers.

Service Provider (SP): The easiest way to think about the SP is as an extra layer in front of the web application. The SP's job is to authorize page requests and, if there is no authenticated session at the SP, to initiate an authentication request to the IdP.

Today the goal is to achieve SSO between an OpenAM IdP and a Shibboleth SP with the simplest possible settings.
This tutorial assumes that you already have a configured OpenAM instance running under idp.example.com.
This tutorial was done with Ubuntu 11.04. If you use a different OS or version, the paths and steps may be different for you.
- Install the Shibboleth SP Apache module:
    apt-get install libapache2-mod-shib2
- Open the /etc/shibboleth/shibboleth2.xml configuration file using a text editor.
- In SPConfig -> InProcess -> ISAPI, change the Site tag to:

You need to configure Apache as well to make this setup work:

- Make sure that there is an sp.example.com VirtualHost in your Apache config.
- If you want to use .htaccess, you need to enable AllowOverride AuthConfig in the VirtualHost config.
- Create an index.php file in your docroot containing:
- Create a .htaccess file in your docroot containing:
    AuthType shibboleth
    ShibRequireSession On
    require shibboleth
- Enable the Apache Shibboleth module:
    a2enmod shib2
- Restart Apache:
    /etc/init.d/apache2 restart

Registering the SP at the IdP

If you've done everything right so far, you can access your Shibboleth SP Metadata at http://sp.example.com/Shibboleth.sso/Metadata. If the Metadata does not contain a certificate, check the logs at /var/log/shibboleth/shibd.log. Also remember that whenever you change the Shibboleth config you need to restart the Shibboleth service:

    /etc/init.d/shibd restart

NOTE: OPENAM-792 can cause trouble while importing the metadata. Make sure you either have the fix for this issue, or have removed the Extensions tag from the Metadata before uploading it.
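A pre-upload check for the two metadata problems mentioned above (a missing certificate, and the Extensions tag that trips OPENAM-792), as an added example that is not part of the original post. The function name, the constructed sample document and the choice to strip every md:Extensions element are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample shaped like SP metadata; entityID and certificate are placeholders.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/shibboleth">
  <md:Extensions><ext:Hint xmlns:ext="urn:example:constructed"/></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><ext:Hint xmlns:ext="urn:example:constructed"/></md:Extensions>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDERBASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def prepare_metadata(xml_text):
    """Return (cleaned_xml, removed_count); raise ValueError if unusable."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor document")
    # The SP role must publish a non-empty certificate.
    path = f".//{{{MD}}}SPSSODescriptor/{{{MD}}}KeyDescriptor//{{{DS}}}X509Certificate"
    if not any((c.text or "").strip() for c in root.iterfind(path)):
        raise ValueError("no certificate; check /var/log/shibboleth/shibd.log")
    # Assumption: drop md:Extensions at every level, not only the top one.
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == f"{{{MD}}}Extensions":
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    cleaned, removed = prepare_metadata(SAMPLE)
    print(f"removed {removed} Extensions element(s)")
    print(cleaned)
```

To use it on the real document, pass the text saved from http://sp.example.com/Shibboleth.sso/Metadata to prepare_metadata and upload the cleaned output.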
If everything is OK with your Metadata, open the OpenAM admin console and click on the Register Remote Service Provider link on the Common Tasks pane.

- You can either upload the Metadata or provide the URL on the config page.
- Leave the attribute mapping empty.
- Click on the Configure button.
- Go to the Federation page, then open the SP's page in the Entity Providers table.
- Go to the Assertion Processing tab.
- In the Attribute Map list add the following value:
    urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:oid:0.9.2342.19200300.100.1.1=uid
- Save the configuration and log out.

How to test

You just need to open any URL under sp.example.com, and the .htaccess config you created will make sure that the user is authenticated at the IdP. Opening such a URL should result in a redirect to the IdP, which presents a login screen. After submitting valid credentials you should be redirected back to the SP application, to the originally requested URL. On the phpinfo page you should see the HTTP_UID server variable holding the user's name.
If you want to use the REMOTE_USER CGI variable in your applications, you can achieve that by modifying the Shibboleth configuration: in SPConfig -> ApplicationDefaults, add HTTP_UID to the beginning of the REMOTE_USER attribute.
