


  • Create /etc/tomcat/Catalina/localhost/idp.xml with the following content:

      <!-- Tomcat context for the Shibboleth IdP: serves the pre-built WAR directly
           from /opt/shibboleth-idp/war/idp.war without unpacking it.
           NOTE(review): privileged="true" lets this context use Tomcat's container
           servlets; confirm the IdP version being deployed still requires it. -->
      <Context docBase="/opt/shibboleth-idp/war/idp.war"
               privileged="true"
               antiResourceLocking="false"
               antiJARLocking="false"
               unpackWAR="false"
               swallowOutput="true" />
    



  • We strongly recommend controlling the attribute release through the automatic release rules generated by the Tuakiri Federation Registry further below.
  • If desired, the following two policies can help with testing an IdP while it is being deployed (before it is fully registered into Tuakiri and before the automatic attribute release is configured).
    These policies release:
    • All required attributes to the Tuakiri Federation Registry - necessary for logging in to the Federation Registry.
    • All available attributes to the Tuakiri Attribute Reflector - very useful for testing.

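          <!-- Testing-only policy (see the surrounding text): releases the attributes the
               Tuakiri Federation Registry needs for login. The Requester rule matches only
               the named registry entityID, so nothing is released to any other SP. -->
          <AttributeFilterPolicy id="federationRegistryPolicy" >
              <PolicyRequirementRule xsi:type="Requester" value="https://registry.tuakiri.ac.nz/shibboleth" />

              <AttributeRule attributeID="displayName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="surname">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="givenName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="email">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="homeOrganization">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="homeOrganizationType">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="eduPersonTargetedID">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="auEduPersonSharedToken">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
          </AttributeFilterPolicy>

          <!-- Testing-only policy: releases every available attribute to the Tuakiri
               Attribute Reflector so the IdP's attribute resolution can be checked end to end.
               This release is intentionally broad; once the automatically generated release
               rules are in place, review whether it is still needed. -->
          <AttributeFilterPolicy id="attributesValidatorPolicy" >
              <PolicyRequirementRule xsi:type="Requester" value="https://attributes.tuakiri.ac.nz/shibboleth" />

              <AttributeRule attributeID="displayName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="commonName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="surname">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="givenName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="email">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="eduPersonPrincipalName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="eduPersonScopedAffiliation">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="eduPersonAffiliation">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="eduPersonAssurance">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="eduPersonPrimaryAffiliation">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="homeOrganization">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="homeOrganizationType">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="organizationName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="eduPersonTargetedID">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="auEduPersonSharedToken">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <!-- Unlike the rules above, only this one entitlement value is released, not any value. -->
              <AttributeRule attributeID="eduPersonEntitlement">
                  <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
              </AttributeRule>

              <AttributeRule attributeID="auEduPersonAffiliation">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="auEduPersonLegalName">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="mobileNumber">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="postalAddress">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="organizationalUnit">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
              <AttributeRule attributeID="telephoneNumber">
                  <PermitValueRule xsi:type="ANY"  permitAny="true"/>
              </AttributeRule>
          </AttributeFilterPolicy>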
      


  • You may also wish to configure additional attribute release policies - e.g., if establishing bilateral relations with some service providers outside Tuakiri, or if registering your IdP into another federation that does not generate a per-SP attribute filter (in that case, releasing a set of attributes to all hosts in the federation via a RequesterInEntityGroup rule might be a good choice). For more information on such configuration, please see the Shibboleth Project IdP attribute filter documentation.


Step 3: Register the following additional endpoints as Single Logout Service endpoints in your IdP metadata in the Federation Registry, with the following binding names and URL values (substituting your IdP hostname in the URLs):

Binding                                             URL
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect  https://idp.example.org/idp/profile/SAML2/Redirect/SLO
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST      https://idp.example.org/idp/profile/SAML2/POST/SLO
urn:oasis:names:tc:SAML:2.0:bindings:SOAP           https://idp.example.org:8443/idp/profile/SAML2/SOAP/SLO


Note

On IdP 3.2.1 only, it may be necessary to apply a fix to the Logout webflow. The issue has already been fixed upstream and the fix will be included in IdP 3.3.0 once released; this patch is to be applied to 3.2.1 only.

To avoid getting a NullPointerException from stale HttpRequest objects, make the following change to /opt/shibboleth-idp/system/flows/logout/logout-flow.xml:

--- /root/inst/shibboleth-identity-provider-3.2.1/system/flows/logout/logout-flow.xml      2015-12-19 21:48:00.000000000 +1300
+++ system/flows/logout/logout-flow.xml    2016-09-13 12:53:04.632080786 +1200
@@ -70,21 +70,21 @@
         <transition on="proceed" to="NextRelyingPartyContext" />
     </action-state>
     <view-state id="LogoutView" view="logout">
-        <on-entry>
+        <on-render>
             <evaluate expression="WriteAuditLog" />
             <evaluate expression="environment" result="viewScope.environment" />
             <evaluate expression="opensamlProfileRequestContext" result="viewScope.profileRequestContext" />
             <evaluate expression="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.session.context.LogoutContext))" result="viewScope.logoutContext" />
             <evaluate expression="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.profile.context.MultiRelyingPartyContext))" result="viewScope.multiRPContext" />
             <evaluate expression="T(net.shibboleth.utilities.java.support.codec.HTMLEncoder)" result="viewScope.encoder" />
             <evaluate expression="flowRequestContext.getExternalContext().getNativeRequest()" result="viewScope.request" />
             <evaluate expression="flowRequestContext.getExternalContext().getNativeResponse()" result="viewScope.response" />
             <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().containsBean('shibboleth.CustomViewContext') ? flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CustomViewContext') : null" result="viewScope.custom" />
-        </on-entry>
+        </on-render>
         <transition on="propagate" to="LogoutPropagateView" />
         <transition on="end" to="LogoutCompleteView" />
     </view-state>
     <!-- Terminus -->

Please see https://issues.shibboleth.net/jira/browse/IDP-956 for further information.
