
Shibboleth SAML

Shibboleth SAML Configuration

This section shows how to configure Datawiza as a Service Provider (SP) in Shibboleth.

Configure Shibboleth Identity Provider to release the persistent NameID

  1. Enable the generation of the computed persistent-id with:

    • vim /opt/shibboleth-idp/conf/saml-nameid.properties

      # Active Directory stores the user ID in "sAMAccountName"
      idp.persistentId.sourceAttribute = sAMAccountName
      idp.persistentId.encoding = BASE32
      idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
      
    • vim /opt/shibboleth-idp/conf/saml-nameid.xml

      • Uncomment the line:

        <ref bean="shibboleth.SAML2PersistentGenerator" />
        
    • vim /opt/shibboleth-idp/credentials/secrets.properties

      idp.persistentId.salt = ### result of command 'openssl rand -base64 36' ###
      

Configure the attribute resolver

Make sure the following AttributeDefinition is defined in conf/attribute-resolver.xml (it maps the LDAP sAMAccountName attribute that the persistent ID is computed from):

    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

    <AttributeDefinition xsi:type="Simple" id="sAMAccountName">
        <InputDataConnector ref="myLDAP" attributeNames="sAMAccountName"/>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="sAMAccountName" encodeType="false"/>
    </AttributeDefinition>

Connect the SP with the IdP

Create a local metadata file: /opt/shibboleth-idp/conf/datawiza.xml

    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.datawiza.com/saml/metadata">
      <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
        <KeyDescriptor use="encryption">
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
              <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">#Replace with your own certificate#</X509Certificate>
            </X509Data>
          </KeyInfo>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.datawiza.com/saml/slo" ResponseLocation="https://test.datawiza.com/saml/slo"></SingleLogoutService>
        <NameIDFormat></NameIDFormat>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.datawiza.com/saml/acs" index="1"></AssertionConsumerService>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://test.datawiza.com/saml/acs" index="2"></AssertionConsumerService>
      </SPSSODescriptor>
    </EntityDescriptor>
  • Note: Replace https://test.datawiza.com with your public domain, and replace the certificate placeholder with the SP's actual encryption certificate.
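Before the IdP loads the file above, it is worth checking that the two placeholders were actually replaced and that every endpoint is https on the same host as the entityID. The following script is an added example, not part of this page or of Datawiza's tooling; the embedded metadata is a constructed, trimmed copy of the template above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the template from this page, trimmed to the parts the check looks at.
TEMPLATE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.datawiza.com/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>#Replace with your own certificate#</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.datawiza.com/saml/slo" ResponseLocation="https://test.datawiza.com/saml/slo"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.datawiza.com/saml/acs" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text: str) -> list:
    """Return human-readable findings for an SP EntityDescriptor; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    entity_host = urlparse(root.get("entityID", "")).hostname
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element found"]
    # WantAssertionsSigned tells the IdP this SP requires signed assertions; keep it true.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true")
    # The template ships a '#...#' placeholder; the IdP cannot encrypt to that.
    for cert in sp.iter(f"{{{DS}}}X509Certificate"):
        text = (cert.text or "").strip()
        if not text or text.startswith("#"):
            findings.append("X509Certificate still contains the template placeholder")
    # Endpoints must be https and on the entityID's host (the "replace the domain" note above).
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for ep in sp.iter(f"{{{MD}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                loc = ep.get(attr)
                if loc is None:
                    continue
                parts = urlparse(loc)
                if parts.scheme != "https":
                    findings.append(f"{tag} {attr} is not https: {loc}")
                elif parts.hostname != entity_host:
                    findings.append(f"{tag} {attr} host {parts.hostname} differs from entityID host {entity_host}")
    return findings
```

Run `check_sp_metadata(open("/opt/shibboleth-idp/conf/datawiza.xml").read())` on the real file; an empty list means the placeholders are gone and the endpoints are consistent.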

Connect the SP to the IdP by referencing the metadata file from the conf/metadata-providers.xml configuration file:

    <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/conf/datawiza.xml"/>

Make sure an AttributeFilterPolicy like the following is defined in conf/attribute-filter.xml; it releases the listed attributes only to the Datawiza SP identified by its entityID.

    <AttributeFilterPolicy id="example-afp">
        <PolicyRequirementRule xsi:type="Requester" value="https://test.datawiza.com/saml/metadata" />
        <AttributeRule attributeID="sAMAccountName" permitAny="true" />
        <AttributeRule attributeID="userPrincipalName" permitAny="true" />
        <AttributeRule attributeID="mail" permitAny="true" />
        <AttributeRule attributeID="displayName" permitAny="true" />
        <AttributeRule attributeID="sn" permitAny="true" />
        <AttributeRule attributeID="givenName" permitAny="true" />
        <AttributeRule attributeID="cn" permitAny="true" />
    </AttributeFilterPolicy>
  • Note: Replace https://test.datawiza.com with your public domain.

Restart Jetty to apply changes:

systemctl restart jetty.service

Summary

This section shows how to configure Datawiza as a Service Provider (SP) in Shibboleth. The metadata URL needed should look like https://test.datawiza.com/idp/shibboleth; replace https://test.datawiza.com with your public domain.