HTTP Components¶
The following services are needed for the HTTP security part:
- Charon Authorisation Service
- Shibboleth Service Provider
- Shibboleth Identity Provider
- EOxServer
To install and configure the HTTP security components, follow these steps:
- Install the Charon Authorisation Service.
- Install the Shibboleth Identity Provider.
- Install the Shibboleth Service Provider.
- Follow the documentation of section Configure Shibboleth SP and IdP.
- Follow the documentation of section Configure the EOxServer Security Components.
Shibboleth Identity Provider¶
The Shibboleth IdP is implemented as a Java Servlet, so it needs an installed Servlet container. The Shibboleth project offers an installation manual for the Shibboleth IdP on its website. This documentation provides help with the basic configuration needed to get the authentication process working with your EOxServer instance, and with the installation for use with Tomcat and Apache HTTPD. Before you begin with the installation, set up your Tomcat servlet container and install and configure an LDAP service.
Important URLs for your Shibboleth IDP:
- Status message:
https://${IDPHOST}/idp/profile/Status
- Information page:
https://${IDPHOST}/idp/status
- Metadata:
https://${IDPHOST}/idp/profile/Metadata/SAML
Warning: IdP resource paths are case sensitive!
- Download the IdP and unzip the archive.
- Run either ./install.sh (on Linux/Unix systems) or install.bat (on Windows systems).
- Follow the on-screen instructions of the script.
Your ${IDP_HOME} directory contains the following directories:
- bin: This directory contains various tools useful in running, testing, or deploying the IdP.
- conf: This directory contains all the configuration files for the IdP.
- credentials: This is where the IdP's signing and encryption credential, called idp.key and idp.crt, is stored.
- lib: This directory contains various code libraries used by the tools in bin/.
- logs: This directory contains the log files for the IdP. Don't forget to make this writeable for your Tomcat server!
- metadata: This is the directory in which the IdP will store its metadata, in a file called idp-metadata.xml. It is recommended that you store any other retrieved metadata here as well.
- war: This contains the web application archive (war) file that you will deploy into the servlet container.
The next step is to deploy the IdP into your Tomcat:
- Increase the memory reserved for Tomcat. Recommended values are -Xmx512m -XX:MaxPermSize=128m.
- Add the libraries endorsed by the Shibboleth project to your endorsed Tomcat directories: -Djava.endorsed.dirs=${IDP_HOME}/lib/endorsed/
- Create a new XML document idp.xml in ${TOMCAT_HOME}/conf/Catalina/localhost/ and insert the following content:
<Context docBase="${IDP_HOME}/war/idp.war" privileged="true" antiResourceLocking="false" antiJARLocking="false" unpackWAR="false" swallowOutput="true" />
Don't forget to replace ${IDP_HOME} with the appropriate path.
To use the Apache HTTP server as a proxy for your IdP, you have to generate a certificate and a key file for SSL/TLS first.
Generate a private key:
openssl genrsa -des3 -out server.key 1024
Generate a CSR (Certificate Signing Request):
openssl req -new -key server.key -out server.csr
Make a copy of the original server key:
cp server.key copy_of_server.key
Remove the Passphrase from your Key:
openssl rsa -in copy_of_server.key -out server.key
Generating a Self-Signed Certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The next step is to configure your Apache HTTP Server:
- First you have to enable mod_proxy_ajp, mod_proxy and mod_ssl.
- Create a new configuration file for your SSL hosts (for example ssl_hosts.conf).
- Add a new virtual host in your new hosts file. Please note the comments in the virtual host configuration.
<VirtualHost _default_:443>
# Set appropriate document root here
DocumentRoot "/var/www/"
# Set your designated IDP host here
ServerName ${IDP_HOST}
# Set your designated logging directory here
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
# Important: mod_ssl should not verify the provided certificates
SSLVerifyClient optional_no_ca
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Set the correct paths to your certificate and key here
SSLCertificateFile ${IDP_HOST_CERTIFICATE}
SSLCertificateKeyFile ${IDP_HOST_CERTIFICATE_KEY}
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# AJP Proxy to your IDP servlet
ProxyPass /idp/ ajp://localhost:8009/idp/
ProxyPassReverse /idp ajp://localhost:8009/idp
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Restart your HTTP server.
The next step is to configure our IdP Service with an LDAP service. Please keep in mind that this documentation can only give a small insight into all configuration possibilities of Shibboleth.
- Open the handler.xml and add a new LoginHandler:
<LoginHandler xsi:type="UsernamePassword" jaasConfigurationLocation="file://${IDP_HOME}/conf/login.config">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
- Remove (or comment out) the LoginHandler element of type RemoteUser.
- Open the login.config and comment out or delete the other entries that might exist. Add your own LDAP configuration:
ShibUserPassAuth {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="${LDAP_HOST}"
port="${LDAP_PORT}"
serviceUser="${LDAP_ADMIN}"
serviceCredential="${LDAP_ADMIN_PASSWORD}"
base="${LDAP_USER_BASE}"
ssl="false"
userField="uid"
subtreeSearch="true";
};
Enable your LDAP directory as attribute provider:
- Open the attribute-resolver.xml and add your LDAP:
<resolver:DataConnector id="localLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc" ldapURL="ldap://${LDAP_HOST}:${LDAP_PORT}" baseDN="${LDAP_USER_BASE}" principal="${LDAP_ADMIN}" principalCredential="${LDAP_ADMIN_PASSWORD}">
<FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</FilterTemplate>
</resolver:DataConnector>
- Configure the IdP to retrieve the attributes by adding new attribute definitions:
<resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
<resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
<resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="displayName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="displayName">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:displayName"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="givenName" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="givenName">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:givenName"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.5.4.42" friendlyName="givenName"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="description" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="description">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:description"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.5.4.13" friendlyName="description"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="cn" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="cn">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:cn"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.5.4.3" friendlyName="cn"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="sn" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="sn">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:sn"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.5.4.4" friendlyName="sn"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:uid"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:2.5.4.45" friendlyName="uid"/>
</resolver:AttributeDefinition>
- Add the new attributes to your attribute-filter.xml by adding a new AttributeFilterPolicy:
<afp:AttributeFilterPolicy id="attribFilter">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="givenName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="displayName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="description">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="cn">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="sn">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="uid">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
Now you have to check if the generated metadata is correct. To do this, open the idp-metadata.xml file. Known issues are:
- Incorrect ports: For example port 8443 at the AttributeService Bindings instead of no specific port.
- Wrong X509Certificate for Attribute Resolver. Use your previously generated SSL/TLS ${IDP_HOST_CERTIFICATE} instead.
After this, restart your Shibboleth IdP.
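The two known issues above are easy to miss by eye in a long metadata file. The following script, an added example and not part of the EOxServer documentation, parses an idp-metadata.xml, flags every endpoint Location whose port is not the one you expect (the default, i.e. none, in the Apache proxy setup described here) and compares every embedded X509Certificate against the base64 body of the certificate file Apache actually serves (${IDP_HOST_CERTIFICATE}). The metadata and the PEM block in it are constructed placeholders, not real key material.

```python
"""Check a Shibboleth IdP metadata file for the two known issues listed
above: endpoint Locations that carry an unexpected port, and embedded
X509Certificate blocks that differ from the certificate Apache serves.

Added example, not part of the EOxServer documentation; the metadata and
the PEM block below are constructed placeholders, not real key material.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the AttributeService wrongly names port 8443 and the
# attribute authority's KeyDescriptor carries a different certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVow
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>T0xEQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

# Constructed stand-in for ${IDP_HOST_CERTIFICATE}; only the base64 body
# of the PEM block is compared against the metadata.
SERVED_CERT_PEM = """-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVow
-----END CERTIFICATE-----
"""


def pem_body(pem: str) -> str:
    """Return the base64 payload of a PEM certificate, whitespace removed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return re.sub(r"\s+", "", body)


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_idp_metadata(metadata_xml: str, served_cert_pem: str,
                       expected_port: Optional[int] = None) -> List[str]:
    """Return findings as strings; an empty list means both checks passed.

    expected_port is the port endpoint URLs may state explicitly; None
    means they must not name one at all (plain https on 443).
    """
    findings: List[str] = []
    root = ET.fromstring(metadata_xml)
    expected_body = pem_body(served_cert_pem)
    for role in root:                      # one role descriptor per child
        role_name = local_name(role.tag)
        # 1. endpoint Locations (SSO, AttributeService, ...) and their ports
        for endpoint in role:
            location = endpoint.get("Location")
            if location is None:
                continue
            port = urlparse(location).port
            if port != expected_port:
                shown = port if port is not None else "none"
                findings.append(f"{role_name}/{local_name(endpoint.tag)}: "
                                f"Location {location} names port {shown}, "
                                f"expected {expected_port}")
        # 2. every embedded certificate must be the one Apache serves
        for cert in role.iter(f"{{{DS_NS}}}X509Certificate"):
            if re.sub(r"\s+", "", cert.text or "") != expected_body:
                findings.append(f"{role_name}: X509Certificate differs from "
                                "the served certificate")
    return findings


if __name__ == "__main__":
    for finding in check_idp_metadata(SAMPLE_METADATA, SERVED_CERT_PEM):
        print("FINDING:", finding)
```

Run it against your real file by reading idp-metadata.xml and ${IDP_HOST_CERTIFICATE} into the two string arguments; a clean run returns no findings, and any finding points at the exact role descriptor to correct before restarting the IdP.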
Shibboleth Service Provider¶
The installation procedure for the Shibboleth SP differs between the supported operating systems. The project describes the different installation methods in its own installation manual. This documentation provides help with the basic configuration needed to get the authentication process working with your EOxServer instance.
Important URLs for your Shibboleth SP:
- Status page:
https://${SPHOST}/Shibboleth.sso/Status
- Metadata:
https://${SPHOST}/Shibboleth.sso/Metadata
- Session summary:
https://${SPHOST}/Shibboleth.sso/Session
- Local logout:
https://${SPHOST}/Shibboleth.sso/Logout
Warning: SP resource paths are case sensitive!
STEP 1
The Shibboleth SP has two relevant configuration files. We begin with the attribute-map.xml file, where we configure the mapping of the attributes received from the IdP to the secured service (in our case the EOxServer):
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- First some useful eduPerson attributes that many sites might use. -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<!-- A persistent id attribute that supports personalized anonymous access. -->
<!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
<!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
</Attribute>
<!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
<!--
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
<AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
-->
<!-- Third, the new version (note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!-- Fourth, the SAML 2.0 NameID Format: -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!--Examples of LDAP-based attributes, uncomment to use these... -->
<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
<Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
<Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
<Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
<Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
<Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
<Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
<Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
<Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
<Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
<Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
<Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
<Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
<Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
<Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
<Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
<Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
<Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
<Attribute name="urn:oid:2.5.4.12" id="title"/>
<Attribute name="urn:oid:2.5.4.43" id="initials"/>
<Attribute name="urn:oid:2.5.4.13" id="description"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
<Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
<Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
<Attribute name="urn:oid:2.5.4.9" id="street"/>
<Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
<Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
<Attribute name="urn:oid:2.5.4.8" id="st"/>
<Attribute name="urn:oid:2.5.4.7" id="l"/>
<Attribute name="urn:oid:2.5.4.10" id="o"/>
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
<Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
<Attribute name="urn:oid:2.5.4.45" id="uid"/>
</Attributes>
The next step is to edit the shibboleth2.xml file: locate the element ApplicationDefaults and set the value of the attribute entityID to ${SP_HOST}/Shibboleth.
STEP 2
The next step is to configure your Apache HTTP Server. To do this, you have to generate a certificate and a key file for your SSL/TLS Shibboleth SP Host first (see Shibboleth IdP section). Then add a virtual host to your Apache HTTP Server:
<VirtualHost _default_:443>
# Include the apache22.config shipped with the Shibboleth SP
include ${SP_HOME}/apache22.config
# Set appropriate document root here
DocumentRoot "/var/www/"
# Set your designated SP host here
ServerName ${SP_HOST}
# Set your designated logging directory here
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
# Important: mod_ssl should not verify the provided certificates
SSLVerifyClient optional_no_ca
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Set the correct paths to your certificate and key here
SSLCertificateFile ${SP_HOST_CERTIFICATE}
SSLCertificateKeyFile ${SP_HOST_CERTIFICATE_KEY}
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
STEP 3
Open shibboleth2.xml and change the entityID in the element ApplicationDefaults to your ${SP_HOST}. Restart your SP and try to access your SP Metadata at https://${SPHOST}/Shibboleth.sso/Metadata.
Configure Shibboleth SP and IdP¶
- Download the SP Metadata and store it locally as ${SP_METADATA_FILE}.
- Open the relying-party.xml of the Shibboleth IdP and change the MetadataProvider entry to:
<!-- MetadataProvider combining the other MetadataProviders -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
<metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
<!-- This is usually set correctly by the IdP installation script -->
<metadata:MetadataResource xsi:type="resource:FilesystemResource" file="${IDP_METADATA_FILE}"/>
</metadata:MetadataProvider>
<!-- This is the new MetadataProvider for your SP metadata -->
<MetadataProvider id="URLMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataFile="${SP_METADATA_FILE}">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
</metadata:MetadataProvider>
- Add the ${SP_HOST_CERTIFICATE} to your Java Keystore:
keytool -import -file ${SP_HOST_CERTIFICATE} -alias ${SP_HOST} -keystore ${JAVA_JRE_HOME}/lib/security/cacerts
- Open shibboleth2.xml of your Shibboleth SP and add a new SessionInitiator to the Sessions element:
<!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://${IDP_HOST}/idp/shibboleth">
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
- Then add a new MetadataProvider:
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<MetadataProvider type="XML" uri="https://${IDP_HOST}/idp/profile/Metadata/SAML" backingFilePath="federation-metadata.xml" reloadInterval="7200">
</MetadataProvider>
</MetadataProvider>
Alternatively you can reference the metadata from your local IdP:
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<MetadataProvider type="XML" path="${IDP_HOME}/metadata/idp-metadata.xml">
</MetadataProvider>
</MetadataProvider>
- Restart your IdP, the SP and the Apache HTTPD.
Configure the EOxServer Security Components¶
This section describes the configuration of the EOxServer security components.
General Configuration Options¶
The configuration of the EOxServer security components is done in the eoxserver.conf configuration file of your EOxServer instance. All security related configuration is done in the section [services.auth.base]:
- pdp_type: Determines the Policy Decision Point type; defaults to none, which deactivates authorisation. Currently, only the type charonpdp is implemented.
- authz_service: The URL of the Authorisation Service.
- attribute_mapping: The file path to a dictionary with a mapping from identity attributes received from the Shibboleth IdP to an XACMLAuthzDecisionQuery. If the key is set to default, a standard dictionary is used.
- serviceID: Identifier for the EOxServer instance towards an external Authorisation Service. It is used as resource ID in an XACMLAuthzDecisionQuery. If the key is set to default, the host name will be used.
- allowLocal: If set to True, the security components will always allow access to requests from the local machine. Use with care!
Adding new Subject attributes to the EOxServer Security Components¶
In order to register new Subject attributes from your LDAP to the IDMS, you have to configure the Shibboleth IdP, the Shibboleth SP, and the EOxServer. Let’s assume we want to add the new attribute foo.
Shibboleth IdP
Add a new AttributeDefinition to your attribute-resolver.xml configuration file:
<resolver:AttributeDefinition id="foo" xsi:type="Simple"
xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="description">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML1String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
name="urn:mace:dir:attribute-def:description"/>
<resolver:AttributeEncoder xsi:type="SAML2String"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="foo"
friendlyName="foo"/>
</resolver:AttributeDefinition>
Add or extend an AttributeFilterPolicy in your attribute-filter.xml configuration file:
<afp:AttributeFilterPolicy id="fooFilter">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="foo">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
Shibboleth SP
Add the new attribute to the attribute-map.xml:
<Attribute name="foo" id="foo"/>
EOxServer
Make a copy of the default attribute dictionary (${EOXSERVER_CODE_DIRECTORY}/conf/defaultAttributeDictionary) and add the attribute:
foo=foo
Register the new dictionary in the EOxServer configuration (the attribute_mapping key in [services.auth.base]).
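A new attribute that is defined at the IdP but not released by the filter policy, not mapped by the SP, or not listed in the EOxServer dictionary simply never shows up in the authorisation query, with no error at any of the three components. The following script, an added example and not EOxServer or Shibboleth code, cross-checks one attribute id through all four files of the procedure above: it needs an AttributeDefinition with a SAML2String encoder in attribute-resolver.xml, an AttributeRule with a PermitValueRule in attribute-filter.xml, an SP attribute-map.xml entry whose name matches the encoder name, and a key=value line in the dictionary. The four fragments are constructed from the page's own configuration (with a second attribute, bar, deliberately left half-wired); treating the dictionary key as the SP-side attribute id and '#' lines as comments is an assumption of this example.

```python
"""Cross-check that one Subject attribute is wired through every place the
procedure above touches: the IdP attribute-resolver.xml (definition with a
SAML2String encoder), attribute-filter.xml (a PermitValueRule), the SP
attribute-map.xml (an Attribute whose name matches the encoder name) and
the EOxServer attribute dictionary (a key=value line, as in foo=foo).

Added example, not EOxServer or Shibboleth code; the fragments are
constructed from the configuration shown above. Treating the dictionary
key as the SP-side attribute id is an assumption of this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

RESOLVER = "urn:mace:shibboleth:2.0:resolver"
ENCODER = "urn:mace:shibboleth:2.0:attribute:encoder"
AFP = "urn:mace:shibboleth:2.0:afp"
AMAP = "urn:mace:shibboleth:2.0:attribute-map"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed: 'foo' is wired as the page shows; 'bar' is resolved by the
# IdP but neither released by the filter nor mapped by the SP.
RESOLVER_XML = f"""<resolver:AttributeResolver xmlns:resolver="{RESOLVER}" xmlns:xsi="{XSI}">
<resolver:AttributeDefinition id="foo" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="description">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="{ENCODER}" name="foo" friendlyName="foo"/>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="bar" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="bar">
<resolver:Dependency ref="localLDAP"/>
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="{ENCODER}" name="urn:example:bar" friendlyName="bar"/>
</resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

FILTER_XML = f"""<afp:AttributeFilterPolicyGroup xmlns:afp="{AFP}" xmlns:xsi="{XSI}" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic">
<afp:AttributeFilterPolicy id="fooFilter">
<afp:PolicyRequirementRule xsi:type="basic:ANY"/>
<afp:AttributeRule attributeID="foo"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

MAP_XML = f"""<Attributes xmlns="{AMAP}" xmlns:xsi="{XSI}">
<Attribute name="foo" id="foo"/>
</Attributes>"""

DICTIONARY = "# constructed copy of defaultAttributeDictionary\nfoo=foo\n"


def saml2_names(resolver_xml: str) -> Dict[str, List[str]]:
    """Map each AttributeDefinition id to the names its SAML2String encoders emit."""
    out: Dict[str, List[str]] = {}
    for ad in ET.fromstring(resolver_xml).iter(f"{{{RESOLVER}}}AttributeDefinition"):
        out[ad.get("id")] = [
            enc.get("name") for enc in ad.iter(f"{{{RESOLVER}}}AttributeEncoder")
            if enc.get(f"{{{XSI}}}type", "").endswith("SAML2String") and enc.get("name")]
    return out


def released_ids(filter_xml: str) -> Set[str]:
    """Attribute ids that have a PermitValueRule in attribute-filter.xml."""
    return {rule.get("attributeID")
            for rule in ET.fromstring(filter_xml).iter(f"{{{AFP}}}AttributeRule")
            if rule.find(f"{{{AFP}}}PermitValueRule") is not None}


def sp_map(map_xml: str) -> Dict[str, str]:
    """SAML attribute name -> local id, from the SP's attribute-map.xml."""
    return {a.get("name"): a.get("id")
            for a in ET.fromstring(map_xml).iter(f"{{{AMAP}}}Attribute")}


def dictionary_keys(text: str) -> Set[str]:
    """Keys of a key=value dictionary file; '#' lines are comments (assumption)."""
    return {line.split("=", 1)[0].strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#") and "=" in line}


def check_attribute(attr_id: str, resolver_xml: str, filter_xml: str,
                    map_xml: str, dictionary: str) -> List[str]:
    """Return the gaps that would stop attr_id from reaching EOxServer."""
    problems: List[str] = []
    names = saml2_names(resolver_xml)
    if attr_id not in names:
        return [f"{attr_id}: no AttributeDefinition in attribute-resolver.xml"]
    if not names[attr_id]:
        problems.append(f"{attr_id}: definition has no SAML2String encoder")
    if attr_id not in released_ids(filter_xml):
        problems.append(f"{attr_id}: no PermitValueRule in attribute-filter.xml")
    mapped = sp_map(map_xml)
    local_ids = {mapped[n] for n in names[attr_id] if n in mapped}
    if not local_ids:
        problems.append(f"{attr_id}: attribute-map.xml maps none of {names[attr_id]}")
    elif not local_ids & dictionary_keys(dictionary):
        problems.append(f"{attr_id}: ids {sorted(local_ids)} missing from the EOxServer dictionary")
    return problems


if __name__ == "__main__":
    for attr in ("foo", "bar"):
        print(attr, check_attribute(attr, RESOLVER_XML, FILTER_XML, MAP_XML, DICTIONARY) or "OK")
```

Point the four string arguments at the real files of your deployment to run the same check there; the match is done on the encoder's name attribute because that, not the IdP-side id, is what the SP sees on the wire.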