Shibboleth setup in Windows:
1. Pre Requiste Softwares Installation.
2. SP Installation.
3. SP Configuration.
4. IDP Installation.
5. IDP Configuration.
1) Pre Requiste
Softwares Installation:
1) Install JDK
1.6 and configure the JAVA_HOME path.
2) Install the
IIS on Windows XP, Vista, Except on Windows 7 -- as IIS will be available in Windows
7 by default.
In case of
Windows 7, IIS Services needs to be enabled.
For enabling
the IIS services,
Server Manager is not available in
Windows 7. So we have to go to, Start-->Control
Panel-->Programs-->Turn windows features on or off(Programs and
Features). Expand all, Enable the IIS services & filters.
To Check
whether the IIS is started or not
Start-->
All programs--> Accessories--> Commandprompt--> Rightclick, run as
Adminstrator-->type "iisreset"
should restart the iis server. Otherwise we didnt installed the IIS.
2. SP Installation:
Download the latest shibboleth sp version 2.5.1 from http://shibboleth.net/downloads/service-provider/latest/win32/shibboleth-sp-2.5.1-win32.msi
Install the SP by setting the installation path as
c:\opt\shibboleth-sp
Check whether the shibboleth services
are up or not.
Start-->
run command--> type "services.msc"
shibboleth
service should be up, otherwise reinstall it.
Type --
http://127.0.0.1/Shibboleth.sso/Status
You
should see a bundle of xml's.
Else,
1.If any errors on blacklist or whitelist
line, remove the blacklist or whitelist
line based on the error from shibboleth2.xml
3. SP Configuration:
Do the configurations,
as per the section 2.5.
Note: Do the below change in
the 13th Page,
In the 4th point,
Change the current one to the below one. ( Don't include the discoveryProtocol,discoveryURL
attributes in <SSO> and Don't use the value SAML1. )
<SSO
entityID="https://shib-idp.umsystem.edu/idp/shibboleth">SAML2
</SSO>
check whether the sp is configured correctly or not by hitthing
the url,
If the XML is downloaded properly,
Configuration is correct.
4. IDP Installation:
Download the latest IDP (.war) file, http://shibboleth.net/downloads/identity-provider/latest/shibboleth-identityprovider-2.3.8.msi
Install the IDP by setting the installation path as
c:\opt\shibboleth-idp
5.IDP Configuration:
i) Enable the MetaDataprovider in
relying-party.xml and make the changes as below.
<metadata:MetadataProvider
id="SPDOTNET"
xsi:type="metadata:FileBackedHTTPMetadataProvider"
metadataURL="https://172.16.8.173/Shibboleth.sso/Metadata"
backingFile="C:\opt\shibboleth-idp\metadata\173dotnet-metadata.xml"/>
ii) set IDP_HOME to home directory of IDP
(C:\opt\shibboleth-idp) in Environment Variables.
iii) Remove all the
entries for authentication except "UsernamePassword" and
"PreviousSession" in Login
Handlers section of handler.xml
iv) Add following
for detail debug trace in logging.xml
<logger
name="edu.internet2.middleware.shibboleth.common.attribute">
<level value="DEBUG"
/>
</logger>
Sample Shibolth2.xml file:
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
The InProcess section contains settings affecting web server modules.
Required for IIS, but can be removed when using other web servers.
-->
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on IIS, and to link vhosts or
resources to ApplicationOverride settings below, use the XML syntax below.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo for help.
Apache users should rely on web server options/commands in most cases, and can remove the
RequestMapper element. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
-->
<RequestMapper type="Native">
<RequestMap>
<!--
The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
-->
<Host name="sp.example.org">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
<!-- Example of a second vhost mapped to a different applicationId. -->
<!--
<Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
-->
</RequestMap>
</RequestMapper>
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped by the RequestMapper to an applicationId that
points into to this section (or to the defaults here).
-->
<ApplicationDefaults entityID="https://xyz.com/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<!-- <SSO entityID="https://idp.example.org/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO> -->
<SSO entityID="https://facebook.com/sso/saml2/idp/metadata.php" ECP="true">
SAML2
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<MetadataProvider type="XML" uri="https:///facebook.com/sso/saml2/idp/metadata.php"
backingFilePath="timetrack-metadata.xml" reloadInterval="7200">
</MetadataProvider>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<!-- <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>-->
<CredentialResolver type="File" key="C:/opt/Apache2.2/conf/privatekey.key" certificate="C:/opt/Apache2.2/conf/pulse.photoninfotech.com.crt"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
The InProcess section contains settings affecting web server modules.
Required for IIS, but can be removed when using other web servers.
-->
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on IIS, and to link vhosts or
resources to ApplicationOverride settings below, use the XML syntax below.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo for help.
Apache users should rely on web server options/commands in most cases, and can remove the
RequestMapper element. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
-->
<RequestMapper type="Native">
<RequestMap>
<!--
The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
-->
<Host name="sp.example.org">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
<!-- Example of a second vhost mapped to a different applicationId. -->
<!--
<Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
-->
</RequestMap>
</RequestMapper>
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped by the RequestMapper to an applicationId that
points into to this section (or to the defaults here).
-->
<ApplicationDefaults entityID="https://xyz.com/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<!-- <SSO entityID="https://idp.example.org/idp/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO> -->
<SSO entityID="https://facebook.com/sso/saml2/idp/metadata.php" ECP="true">
SAML2
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<MetadataProvider type="XML" uri="https:///facebook.com/sso/saml2/idp/metadata.php"
backingFilePath="timetrack-metadata.xml" reloadInterval="7200">
</MetadataProvider>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<!-- <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>-->
<CredentialResolver type="File" key="C:/opt/Apache2.2/conf/privatekey.key" certificate="C:/opt/Apache2.2/conf/pulse.photoninfotech.com.crt"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
No comments:
Post a Comment