0
votes

Currently we have CAS SSO on our existing .NET application, but now the client is asking for Shibboleth SSO instead of CAS. I'm totally new to Shibboleth.

Client has given the below details:

entityid= urn:mace:incommon:xxx.edu
Metadata URL for the test environment: https://shibboleth-test.xxx.edu/idp/shibboleth

Using the guidelines from the Shibboleth site, below are the steps I followed.

  1. Installed the Shibboleth Service Provider (shibboleth-sp-2.6.1.4-win64.msi)
  2. Installed Java with JCE
  3. Installed the Shibboleth IdP (with Jetty also checked) (shibboleth-identity-provider-3.3.3-x64.msi)
  4. Web application with a self-signed certificate
  5. Attached my shibboleth2.xml file:

    <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
        xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        clockSkew="180">

        <InProcess logger="native.logger">
            <ISAPI normalizeRequest="true" safeHeaderNames="true">
                <Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443"/>
            </ISAPI>
        </InProcess>

        <RequestMapper type="Native">
            <RequestMap>
                <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
                    <Path name="secure" authType="shibboleth" requireSession="true"/>
                </Host>
            </RequestMap>
        </RequestMapper>

        <ApplicationDefaults entityID="urn:mace:incommon:xxx.edu"
            REMOTE_USER="eppn persistent-id targeted-id"
            cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">

            <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                checkAddress="false" handlerSSL="true" cookieProps="https">
                <SSO entityID="urn:mace:incommon:xxx.edu"
                    discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
                    SAML2 SAML1
                </SSO>
                <!-- SAML and local-only logout. -->
                <Logout>SAML2 Local</Logout>
                <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
                <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
                <!-- Status reporting service (acl limits who may read it). -->
                <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 [my system IP]"/>
                <!-- Session diagnostic service. -->
                <Handler type="Session" Location="/Session" showAttributeValues="false"/>
                <!-- JSON feed of discovery information. -->
                <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
            </Sessions>

            <Errors supportContact="root@localhost"
                helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/>

            <!-- Note: no MetadataProvider element is configured in this file. -->

            <!-- Map to extract attributes from SAML assertions. -->
            <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
            <AttributeResolver type="Query" subjectMatch="true"/>
            <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
            <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        </ApplicationDefaults>

        <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
        <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
    </SPConfig>

  6. Problems I'm facing:

    When I try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status I get the error "no metadataprovider available".

Noticed problems:

1. When I try to add a MetadataProvider, the "Shibboleth daemon 2" service stops and cannot be started. If I remove it, the service runs.

2. The Shibboleth IdP 3 daemon stops very frequently.

   1. When I run 'SC interrogate shibd_idp' in a command prompt, the result is: control service failed 1062, the service has not been started.

I don't know what is wrong with my work. Can anyone please tell me what steps should be followed to accomplish this integration?

Thanks in advance,

Hema


2 Answers

0
votes

There will be a tag in shibboleth2.xml called MetadataProvider; you will need to open that. If you have done this but the shibd service is not getting started, then you can check the log and give additional info in the question.

Another reason I can think of is a connection problem. Try downloading the IdP's metadata and store it physically in the SP configuration folder. Manually map the file using the following tag: <MetadataProvider type="XML" file="partner-metadata.xml"/>
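The MetadataProvider element referred to in this answer goes inside ApplicationDefaults in shibboleth2.xml (in the configuration posted in the question, right after the Errors element). The fragment below is an added example, not the answerer's configuration or the project's own default file; the file names idp-test-metadata.xml, federation-metadata.xml and fedsigner.pem and the URL https://federation.example/metadata.xml are assumptions. It shows the local-file form the answer suggests beside the fetched form with the two filters a Shibboleth SP normally applies to remotely loaded metadata.

```xml
<!-- Added example: place inside <ApplicationDefaults> in shibboleth2.xml. -->

<!-- Form A: the IdP's metadata, downloaded once from the metadata URL given
     in the question and saved next to shibboleth2.xml (file name assumed).
     shibd loads it from disk, so a network or TLS problem cannot stop the
     service from starting. Self-published IdP metadata of this kind is
     usually unsigned and has no validUntil, so no filters are applied here;
     its contents (entityID, endpoints, signing certificate) should be
     confirmed with the IdP operator out of band instead. -->
<MetadataProvider type="XML" validate="true" file="idp-test-metadata.xml"/>

<!-- Form B: metadata fetched over HTTPS and cached in backingFilePath
     (URL and file names assumed). RequireValidUntil rejects metadata that
     has no expiry or one more than maxValidityInterval seconds away;
     Signature verifies the XML signature with the publisher's signing
     certificate, which must be obtained out of band. Use this form only
     for metadata that is actually signed; otherwise the filter rejects it
     and shibd logs the reason. -->
<MetadataProvider type="XML" validate="true"
        url="https://federation.example/metadata.xml"
        backingFilePath="federation-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
</MetadataProvider>
```

Either form on its own is enough; if both are present the SP consults them in order. After editing, run shibd -check from the SP's sbin directory before restarting the Windows service: it prints the parse or load error directly instead of the service silently stopping, which is the symptom described in the question. If the check passes but the service still stops, shibd.log in the SP's log directory records which provider failed and why.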

0
votes

All the issues have been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. We are getting the Shibboleth Identity Provider login page. We are able to see the attributes in Session. Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page. Currently we created one sample HTML page under the secure folder in our application. Once we log in we are able to see this HTML page. But when I tried to redirect to our application home page, it gives a 500 error. Does anyone know how to redirect to our app home page and retrieve the attributes in the application?