Monday, July 30, 2012

Shibboleth IdP SLO part 3 (Configuration)

LDAPS Connection

  • To be able to connect to LDAPS, the shibboleth must already has the LDAP SSL certificate. To do so, get the LDAP SSL certificate from the administrator or export it from another server which already have the certificate.
To export:
keytool -export -keystore /etc/java-1.5.0-sun/security/cacerts -alias ldap -file ldap.cer
To import into the new Shibboleth IdP, we must import in to the current java keystore file:
keytool -import -trustcacerts -alias "ldap" -file ldap.cer -keystore /usr/lib/jvm/jdk1.6.0_30/jre/lib/security/cacerts

login.config

  • Edit IDP_HOME/conf/login.config
edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap.example.com"
      port="636"
      ssl="true"
      base="ou=users,o=myorg"
      serviceCredential="PASSWORD"
      serviceUser="cn=ldap_proxy,ou=misc,o=myorg"
      subtreeSearch=true
      userField="cn"

attribute-resolver.xml

  • attribute-resolver.xml is used to get data from database or LDAP or kerberos, make sure that the id in AttributeDefinition is the same value with the attributeID in attribute-filter.xml
  • Edit IDP_HOME/conf/attribute-resolver.xml and enable the following:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement"
   sourceAttributeID="eduPersonEntitlement">
     <resolver:Dependency ref="myLDAP" />
     <resolver:AttributeEncoder xsi:type="enc:SAML1String"
   name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
   friendlyName="eduPersonEntitlement" />
</resolver:AttributeDefinition>
 
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" 
 sourceAttributeID="uid">
 <resolver:Dependency ref="myLDAP" />
 <resolver:AttributeEncoder xsi:type="enc:SAML1String"
 name="urn:mace:dir:attribute-def:uid" />
 <resolver:AttributeEncoder xsi:type="enc:SAML2String"
 name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
   name="urn:mace:dir:attribute-def:mail" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
   name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName"
  scope="example.com" sourceAttributeID="uid">
   <resolver:Dependency ref="myLDAP" />
   <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
  name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
   <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
  friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation"
 scope="example.com" sourceAttributeID="eduPersonAffiliation">
<resolver:Dependency ref="myLDAP" />
 <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
 name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
 <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
 name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
 
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
 xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldaps://ldap.example.com" baseDN="ou=users,o=myorg"
    principal="cn=ldap_proxy,ou=misc,o=myorg" principalCredential="PASSWORD">
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>

attribute-filter.xml

  • attribute-filter.xml is used to define which attribute will be released to the Shibboleth SP.
  • Edit IDP_HOME/conf/attribute-filter.xml and enable the following:
<afp:AttributeFilterPolicy id="releaseToAllMembers">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
                <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eduPersonEntitlement">
                <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

</afp:AttributeFilterPolicy>

<afp:AttributeFilterPolicy id="releaseToSpesificSP">
       <afp:PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://typo3.example.com/shibboleth" />
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://wordpress.example.com/shibboleth" />
       </afp:PolicyRequirementRule>

    <afp:AttributeRule attributeID="uid">
                <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="mail">
                <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>

relying-party.xml

  • Edit IDP_HOME/conf/relying-party.xml and enable the following:
<MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
      metadataURL="https://typo3.example.com/Shibboleth.sso/Metadata"
      backingFile="/opt/shibboleth-idp/metadata/typo3-metadata-backingFile.xml">
  <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
   <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" maxValidityInterval="604800" />
   <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
       trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="false" />
    <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
   </MetadataFilter>
  </MetadataFilter>
</MetadataProvider>

<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/typo3.pem</security:Certificate>
        </security:Credential>
</security:TrustEngine>
  • Download the SSL certificate from typo3 SP and save as /opt/shibboleth-idp/credentials/typo3.pem

logging.xml

  • To activate log rotation, add MaxHistory in file IDP_HOME/conf/logging.xml, for example:
<logger name="org.springframework" level="DEBUG"/>

<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
 <MaxHistory>7</MaxHistory>
 <FileNamePattern>$IDP_HOME$/logs/idp-process-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
</rollingPolicy>

Reference

No comments: