OKTA integration issue with Shibboleth SP

2
votes

I am doing a POC where I need to integrate the Shibboleth SP with OKTA idp provider.I have completed all below steps documented on OKTA official site for this integration.

  1. Install Shibboleth Service Provider 2.Configure the webserver to use Shibboleth 3.Configure Shibboleth to protect a specific folder Create an Okta SAML 2.0 Template application 4.Modify Shibboleth to use the metadata obtained from the Okta application 5.Modify the attribute-map.xml file within Shibboleth to set the appropriate header variables 6.Restart everything

But there are details missing from the step 5 where I need to modify the atrribute-map.xml. when I fire my protected URI(hosted on apache) it is getting redirected to OKTA login page. But after user enters the user-id and password and clicks login I get a spinner on my browser and it never takes me to my protected site URI hosted on Apache. Any clues to fix this attribute-mapping in Shibboleth SP is highly appreciated.

2
shibbolethokta

2 Answers

0
votes

If the page is not being redirected to SP, he problem need not be with attributes-map.xml

  • Endpoints could be incorrectly configured. Check {web app uri}/Shibboleth.sso/Metadata to see if the endpoint URLs are correctly defined.
  • Check Shibboleth2.xml if entityID is correctly defined, this is the web application that Shibboleth is protecting.
  • Check {web app uri}/Shibboleth.sso/Session this displays if all the attributes that are being sent from Okta. You can make it display the values too by changing Shibboleth2.xml since it is just POC.
  • Finally comes attributes-map.xml where you can configure attributes as agreed with Okta. There are some default attributes like NameID that are pre-configured here. You can see the format in attribute-map.xml and in /Shibboleth.sso/Session and code to make use accordingly. For example formatter="$NameQualifier!$SPNameQualifier!$Name"

If you are adding custom attributes a simple element as shown below should work as long as the name is matching the attribute name that Okta is sending.

0
votes

This issue was resolved by doing proper configuration on the OKTA side .OKTA provides sam2.0 template app for integration with shibboleth .The below mentioned parameters of this template app were properly configured.

  • Post Back URL -
  • Name ID Format - Transient
  • Recipient -
  • Audience Restriction -
  • authnContextClassRef - PasswordProtectedTransport
  • Response - Signed
  • Assertion - Signed
  • Request - Compressed
  • Destination -
  • Attribute Statements - username|${user.userName}

Then our integration was succesful