How to configure simpleSAMLphp 1.3 as SP and Shibboleth 2.1 as IdP?

This guide assumes you already have a server with a working Shibboleth 2.1 IdP at this address:

https://your-idp-host/idp/shibboleth

We now explain how to configure simpleSAMLphp 1.3 as a Service Provider (SP) that relies on the Shibboleth IdP for user authentication.

simpleSAMLphp installation/configuration

First of all you have to install simpleSAMLphp:

  • cd /var
    svn co http://simplesamlphp.googlecode.com/svn/trunk simplesamlphp
    cd simplesamlphp
    cp -r config-templates/*.php config/
    cp -r metadata-templates/*.php metadata/
  • Then configure your Apache server to map this path
    /var/simplesamlphp/www

    to this URL (using HTTPS is not required):

    http://your-sp-host/simplesaml

    To accomplish this, you can simply add this directive to your Apache configuration:

    Alias /simplesaml /var/simplesamlphp/www

Now you have to configure it as an SP:

  • Edit /var/simplesamlphp/metadata/saml20-sp-hosted.php and add this metadata to the array:
      'your-sp-id' => array(
            'host' => 'your-sp-host',
            'certificate' => 'server.crt',
            'privatekey'  => 'server.pem',
      ),
    • your-sp-id is the string that identifies your SP to IdPs; you can change it if you want.
    • server.crt and server.pem are the public certificate and private key of your SP, located in /var/simplesamlphp/cert/. This certificate is published in the SP metadata and is then used by Shibboleth to encrypt the data it sends to the SP (assertions).
  • Edit /var/simplesamlphp/metadata/saml20-idp-remote.php and add this metadata to the end of the file:
    $metadata['https://your-idp-host/idp/shibboleth'] = array (
      'name' => 'The sexy name of your IdP',
      'description' => 'The description of your idp',
      'SingleSignOnService' => 'https://your-idp-host/idp/profile/SAML2/Redirect/SSO',
      'certFingerprint' => 'xxx',
    );
    • certFingerprint is the SHA-1 fingerprint of your Shibboleth IdP certificate, without colons. It can be computed from the certificate this way:
      openssl x509 -in idp.crt -noout -fingerprint -sha1 | sed 's/^[^=]*=//; s/://g'

      (In a default Shibboleth installation, idp.crt is located in shibboleth-idp/credentials/.)
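As an added example (not part of the original page), the same fingerprint computed in Python, together with the comparison simpleSAMLphp makes against certFingerprint when a response arrives: the SHA-1 fingerprint is simply SHA-1 over the certificate's DER bytes, whether they come from idp.crt on disk or from the base64 <ds:X509Certificate> element in a signed response. The certificate bytes below are constructed, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate. Any byte string exercises the
# logic, because the SHA-1 fingerprint is just SHA-1 over the DER bytes.
FAKE_DER = bytes(range(64))
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()  # wrapped at 76 chars, like a real PEM
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Take the first CERTIFICATE block of a PEM file and base64-decode its body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(der: bytes) -> str:
    """Same hex digits as 'openssl x509 -fingerprint -sha1', with the
    'SHA1 Fingerprint=' prefix and the colons removed: the form that goes
    into certFingerprint in saml20-idp-remote.php."""
    return hashlib.sha1(der).hexdigest().upper()


def fingerprint_from_pem(pem: str) -> str:
    """Fingerprint of idp.crt as read from disk."""
    return sha1_fingerprint(pem_to_der(pem))


def fingerprint_from_saml_b64(b64: str) -> str:
    """Fingerprint of the certificate carried in a <ds:X509Certificate> element,
    which holds the same DER, base64-encoded and possibly line-wrapped."""
    return sha1_fingerprint(base64.b64decode("".join(b64.split())))


def fingerprint_matches(presented: str, configured: str) -> bool:
    """Pinning check: the certificate presented in a response must match the
    configured certFingerprint. Case and colons are ignored, so the openssl
    form 'AB:CD:..' and the stripped lower-case form 'abcd..' compare equal."""
    def norm(s: str) -> str:
        return s.replace(":", "").upper()
    return norm(presented) == norm(configured)
```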

Shibboleth 2.1 configuration

The last step is to configure Shibboleth to handle the simpleSAMLphp specifics:

  • Edit shibboleth-idp/conf/relying-party.xml and just after the DefaultRelyingParty entry, add this XML block:
        <RelyingParty id="your-sp-id"
                      provider="https://your-idp-host/idp/shibboleth"
                      defaultSigningCredentialRef="IdPCredential" >
           <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 encryptNameIds="never"
                                 encryptAssertions="never"
                                 />
        </RelyingParty>

    This block overrides the default profile for your SP only. It disables the encryption of NameIDs, which simpleSAMLphp does not yet support. More information about the NameID problem can be found in this thread. There is also a discussion about removing NameID encryption from the default Shibboleth IdP configuration.
    Note: in the upcoming Shibboleth 2.2 release, NameID encryption will be disabled by default.

  • Configure a new metadata provider for this SP in shibboleth-idp/conf/relying-party.xml:
    <MetadataProvider id="MDSIMPLSAMLPHP" 
                      xsi:type="ResourceBackedMetadataProvider" 
                      xmlns="urn:mace:shibboleth:2.0:metadata">
      <MetadataResource xsi:type="resource:FilesystemResource"
                        file="/path/to/your/sp/metadata/shibboleth-idp/metadata/yoursp-metadata.xml" />
    </MetadataProvider>

    The ResourceBackedMetadataProvider type simply reads the metadata from a static file; it is used here because Shibboleth 2.1 does not yet support HTTP proxies for the FileBackedHTTPMetadataProvider type. You will therefore also have to configure a crontab entry to periodically fetch fresh metadata from your SP. For example, you can use this:

    0 * * * * wget http://your-sp-host/simplesaml/saml2/sp/metadata.php -O /path/to/your/sp/metadata/shibboleth-idp/metadata/yoursp-metadata.xml
  • Restart your Shibboleth IdP

Now you should be ready to test it. Try opening:

http://your-sp-host/simplesaml/example-simple/saml2-example.php

Discussion

Question about shibboleth2, 2009/07/24 14:24

Hey, I am trying to test shibboleth2. I have installed IdP 2.1.2 with SP 2.1 and I can't configure one mini-federation just for the two parts. When I change the relying-party.xml I get a SAX exception and error (187). Can you help me with any information, for example where I have to create the new MetadataProvider for referencing the SP, and how to edit a sp-metadata.xml in the IdP part?

Best regards :)

Martin Haase, 2009/09/08 16:31

You have in the example Shib2.1 configuration encryptNameIds="never" AND encryptAssertions="never". While the former is inevitable, the latter is clearly a security risk and you should NOT do that. However, it is a little more difficult to configure: you need to tell the IdP in the Metadata about the SP that this SP does not just use its certificate to sign (use="signing") but also to encrypt (delete that "use" attribute, or make another certificate section with use="encryption"). On the simpleSAMLphp end, you need to make sure PHP is able to decrypt things, so you need to install the mcrypt php library package (it is called php5-mcrypt on Ubuntu) and restart your Apache. Cheers, Martin
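As an added example (not part of the thread, nor code from simpleSAMLphp or Shibboleth), a check an IdP administrator can run on the SP metadata file fetched by the cron job above, to see whether the IdP could encrypt assertions to the SP's certificate at all, plus the metadata change Martin's comment describes (dropping the restrictive use="signing"). The SP metadata is constructed and its certificate is a placeholder string.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes when re-serialising

# Constructed, minimal SP metadata (not real simpleSAMLphp output).
# The certificate body is a placeholder, not a real certificate.
SP_METADATA_SIGNING_ONLY = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="your-sp-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptor_uses(metadata_xml: str) -> list:
    """The `use` attribute of every SP KeyDescriptor (None when it is absent)."""
    root = ET.fromstring(metadata_xml)
    return [kd.get("use") for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS)]


def sp_accepts_encrypted_assertions(metadata_xml: str) -> bool:
    """An IdP may only encrypt to a key whose KeyDescriptor has no `use`
    (both purposes) or use="encryption"; use="signing" alone is not enough,
    so with such metadata encryptAssertions can never work."""
    return any(u in (None, "encryption") for u in key_descriptor_uses(metadata_xml))


def offer_cert_for_encryption(metadata_xml: str) -> str:
    """Hardened variant of the metadata: remove use="signing" so the same
    certificate is also offered for encryption, as Martin's comment suggests."""
    root = ET.fromstring(metadata_xml)
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "signing":
            del kd.attrib["use"]
    return ET.tostring(root, encoding="unicode")
```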

Francisco Estanqueiro, 2009/10/19 18:12

I've configured everything like you said but I keep having the same problem: the simpleSAMLphp page shows

Debug information

The debug information below may be of interest to the administrator / help desk:

Status = urn:oasis:names:tc:SAML:2.0:status:Responder

#0 {main}

after I successfully authenticated on the IdP server. I checked the logs and found this:

<samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
      </samlp:StatusCode>
      <samlp:StatusMessage>Format not supported: urn:oasis:names:tc:SAML:2.0:nameid-format:transient</samlp:StatusMessage>
   </samlp:Status>
</samlp:Response>

Can you help me?

Francisco Estanqueiro, 2009/11/03 15:44

Solved, bad attribute definitions…
