11# Using the SSO demo with a Shibboleth IdP
22
3- Marco Ferrante, University of Genoa (IT)/CTS GARR-IDEM , 2013
3+ Marco Ferrante, University of Genoa (IT), 2013
44
55This doc presumes that your Shibboleth 2.3.x IdP is located on the host myidp.mydomain
66and the IdP configuration is left as in the distribution package as possible.
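Review bot: the introductory sentence on the two context lines "is located on the host myidp.mydomain and the IdP configuration is left as in the distribution package as possible" is ungrammatical; suggest "and the IdP configuration is kept as close as possible to the distribution defaults". Since this hunk only touches the author line, the fix could go in the same commit. It would also help readers to state here which files the rest of the document modifies (relying-party.xml, attribute-resolver.xml, attribute-filter.xml), so an administrator can back them up before following the steps.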
@@ -46,38 +46,39 @@ If your IdP is already configured to load relying parties metadata from a local
4646just add the demo SP metadata to it. Otherwise, create an XML file in your Shibboleth
4747installazion such as ` $IDP_HOME/metadata/demo.xml ` :
4848
49- <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0: metadata "
50- xmlns: xsi ="http://www.w3.org/2001/XMLSchema-instance "
51- xsi: schemaLocation ="urn:oasis:names:tc:SAML:2.0: metadata sstc-saml-schema-metadata-2.0.xsd
52- urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2001/04/xmlenc# xenc-schema.xsd
53- http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
54- <!-- Copy here the demo SP metadata form https://mysp.mydomain/php-saml-master/demo/metadata.php -->
55- <md: EntityDescriptor xmlns: md ="urn:oasis:names:tc:SAML:2.0: metadata "
56- validUntil="2013-04-06T17:04:01Z" entityID="php-saml">
57- <md: SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0: protocol ">
58- < md:NameIDFormat >
59- urn:oasis:names:tc:SAML:1.1:nameid-format: emailAddress
60- </md: NameIDFormat >
61- <md: AssertionConsumerService
62- Binding="urn:oasis:names:tc:SAML:2.0:bindings: HTTP-POST "
63- Location="http://mysp.mydomain/php-saml-master/demo/consume.php " index="1"/>
64- </md: SPSSODescriptor >
65- </md: EntityDescriptor >
66- </EntitiesDescriptor >
49+ <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
50+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
51+ xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata sstc-saml-schema-metadata-2.0.xsd
52+ urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2001/04/xmlenc# xenc-schema.xsd
53+ http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
54+
55+ <!-- Copy here the demo SP metadata form https://mysp.mydomain/php-saml-master/demo/metadata.php -->
56+ <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
57+ validUntil="2013-04-06T17:04:01Z" entityID="php-saml">
58+ <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
59+ <md:NameIDFormat>
60+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
61+ </md:NameIDFormat>
62+ <md:AssertionConsumerService
63+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
64+ Location="http://mysp.mydomain/php-saml-master/demo/consume.php"
65+ index="1"/>
66+ </md:SPSSODescriptor>
67+ </md:EntityDescriptor>
68+ </EntitiesDescriptor>
6769
6870Be aware that demo SP metadata have a TTL of one week: adjust the value in the ` validUntil `
6971attribute if you plan longer tests.
7072
7173Now, edit the ` $IDP_HOME/conf/relying-party.xml ` file; just after the ` DefaultRelyingParty `
7274add element, add:
7375
74- <rp:RelyingParty id="php-saml"
75- provider="https://myidp.mydomain/idp/shibboleth"
76- defaultSigningCredentialRef="IdPCredential" >
76+ <rp:RelyingParty id="php-saml"
77+ provider="https://myidp.mydomain/idp/shibboleth"
78+ defaultSigningCredentialRef="IdPCredential" >
7779 <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
78- encryptNameIds="never"
79- encryptAssertions="never"
80- />
80+ encryptNameIds="never"
81+ encryptAssertions="never" />
8182 </rp:RelyingParty>
8283
8384This is due because the php-saml library doesn't support assertion encryption,
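Review bot: the `AssertionConsumerService` in the added metadata uses `Location="http://mysp.mydomain/php-saml-master/demo/consume.php"` while the comment two lines above fetches the metadata from `https://mysp.mydomain/...`; the IdP will HTTP-POST the SAML response to whatever `Location` the metadata declares, and since the relying-party section below turns assertion encryption off, a plain `http://` ACS sends the signed but unencrypted assertion (including the email NameID) in clear over the network. Suggest using `https://` in `Location` and noting that the value must match the SP's real endpoint. Two smaller points in the same hunk: "Copy here the demo SP metadata form ..." should read "from", and the unchanged context line "Shibboleth installazion" should read "installation". Finally, the hard-coded `validUntil="2013-04-06T17:04:01Z"` will already be in the past for most readers; the prose below mentions the one-week TTL, but a placeholder such as `validUntil="<copy from the SP metadata>"` would avoid people pasting an expired value.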
@@ -86,11 +87,11 @@ If you have create the SP metadata file, add the reference to it in
8687the same ` relying-party.xml ` : in the ` MetadataProvider[ChainingMetadataProvider] ` element
8788
8889 <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
89- <!-- other providers -->
90+ <!-- other providers -->
9091
91- <metadata:MetadataProvider id="PHP-demo" xsi:type="metadata:FilesystemMetadataProvider"
92- metadataFile="/opt/shibboleth-idp/metadata/demo.xml"
93- maxRefreshDelay="P1D" />
92+ <metadata:MetadataProvider id="PHP-demo" xsi:type="metadata:FilesystemMetadataProvider"
93+ metadataFile="/opt/shibboleth-idp/metadata/demo.xml"
94+ maxRefreshDelay="P1D" />
9495
9596 </metadata:MetadataProvider>
9697
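Review bot: `metadataFile="/opt/shibboleth-idp/metadata/demo.xml"` hard-codes an installation path, while the earlier step created the file as `$IDP_HOME/metadata/demo.xml`; suggest keeping the `$IDP_HOME` notation in the snippet (or a note that `/opt/shibboleth-idp` is the default `IDP_HOME`) so the two steps refer to the same file. The `encryptNameIds="never"` and `encryptAssertions="never"` settings are scoped to the `php-saml` relying party only, which is the right way to do it; the explanatory sentence should make that explicit ("This is because the php-saml library doesn't support assertion encryption, so encryption is disabled for this relying party only; the default relying party is unchanged"). The context line "This is due because" and the hunk-header line "If you have create the SP metadata file" need "This is because" and "If you have created".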
@@ -101,17 +102,17 @@ uncomment the `AttributeDefinition` relative to email and add the encoder:
101102 <resolver:Dependency ref="myLDAP" />
102103 <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
103104 <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
104- <!-- For php-saml -->
105- <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
105+ <!-- For php-saml -->
106+ <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
106107 </resolver:AttributeDefinition>
107108
108109Finally, let the new NameID be passed to the SP; in the ` $IDP_HOME/conf/attribute-filter.xml ` file,
109110add the following policy:
110111
111112 <afp:AttributeFilterPolicy id="test-php-saml">
112- <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="php-saml" />
113- <afp:AttributeRule attributeID="email">
113+ <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="php-saml" />
114+ <afp:AttributeRule attributeID="email">
114115 <afp:PermitValueRule xsi:type="basic:ANY" />
115- </afp:AttributeRule>
116+ </afp:AttributeRule>
116117 </afp:AttributeFilterPolicy>
117118
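Review bot: the filter policy refers to `attributeID="email"`, but the resolver hunk starts inside the `AttributeDefinition` and never shows its opening tag, so the reader cannot confirm which definition to uncomment; suggest quoting the opening line (the one carrying `id="email"` in the distribution's attribute-resolver.xml) together with the added `SAML2StringNameID` encoder. Because the encoder is attached to the shared email definition, it is worth adding one sentence that only relying parties which both receive the `email` attribute and request the `emailAddress` NameID format will get it as a NameID, and that the `AttributeRequesterString` rule with `value="php-saml"` limits this release to the demo SP; `basic:ANY` is acceptable as the value rule precisely because the policy is already scoped by requester. Indentation in the `+` lines of the `AttributeFilterPolicy` block is also one level deeper than the surrounding context lines, so the rendered snippet will look uneven.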