Search code examples
samlshibbolethidp

Setting up a new Shibboleth IdP to work with an existing SAML SP

Hopefully this isn't a duplicate or too broad. I just have a feeling I need a bit more information than anything else I've been able to find.

I have a program/server that already has a functioning SAML SP built in to it. I'm trying to get it connected to a test Shibboleth IdP (V3.3.3) on an internal server running Windows Server. I have it installed and connected to our Active Directory users. The documentation was great for getting to that point.

Now I have no earthly clue how to proceed. I see a lot of information about exchanging configuration/XML info and certificates between SPs and IdPs. I believe I have a valid SP XML and certificate to give to the IdP, but I don't know:

  1. Where to put the SP XML information in the IdP installation
  2. Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)
  3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)
  4. Where the IdP login path is
  5. Whether or not there's anything else I need to configure to get the two talking

1 through 4 are probably my biggest confusions that I can't seem to find info on. The Shibboleth documentation seems to assume I am far more familiar with configuring an IdP than I am. It tells me where to configure literally anything/everything possible, but I don't know what I should be configuring.

Anyhow, thanks for any help on this. I've been wasting a pitiful amount of time trying to figure this out.

Solution

  • To answer your five (5) questions, without loss of generality, we assume that

    (I) the metadata file of SAML IdP is idpsaml-metadata.xml

    (II) the metadata file of SAML SP is sp-example-org.xml

    Q&A

    1. Where to put the SP XML information in the IdP installation

    Answer: /opt/shibboleth-idp/metadata/sp-example-org.xml

    1. Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)

    Answer: The metadata file of SAML SP consists of the SP certificate. SAML IdP will extract SP certificate from SAML SP's metadata (e.g., sp-example-org.xml)

    1. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)

    Answer: The metadata file of SAML IdP consists of all the IdP certificates (which have been generated by the default setup of SAML IdP).

    You need to place the metadata file of SAML IdP (e.g., idpsaml-metadata.xml) into the SAML SP's home directory, e.g., /etc/shibboleth/idpsaml-metadata.xml

    1. Where the IdP login path is

    Answer: Usually SAML SP uses HTTP-POST endpoint as SAML IdP login path, e.g.,

    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://IdP-Server-URL/idp/profile/SAML2/POST/SSO"/>

    You also need to configure Shibboleth IdP with LDAP user authentication.

    /opt/shibboleth-idp/conf/idp.properties

    /opt/shibboleth-idp/conf/ldap.properties

    /opt/shibboleth-idp/conf/attribute-filter.xml

    /opt/shibboleth-idp/conf/attribute-resolver-full.xml

    1. Whether or not there's anything else I need to configure to get the two talking

    Answer: To allow SAML IdP to provide identity authentication for SAML SP, both SAML IdP and SAML SP need to exchange their metadata. Then you need to configure SAML IdP with SAML SP.

    SAML IdP /opt/shibboleth-idp/conf/metadata-providers.xml

    /opt/shibboleth-idp/conf/relying-party.xml

    SAML SP

    /etc/shibboleth/shibboleth2.xml

    /etc/shibboleth/attribute-map.xml

    Remarks:

    How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the sample configuration files for Shibboleth IdP and SP.