The Shibboleth SP consists of a daemon (shibd) plus an Apache module (mod_shib). Both must be configured for Shibboleth to intercept certain requests (see Apache Configuration in SHRINE 4.0.0 Appendix A.4 - More Details: Apache Configuration). When a request is intercepted, Shibboleth decides whether the user (1) needs to log in at the configured IdP (which presents a login form to the user), or (2) is already logged in (in which case Shibboleth lets the request be served as if it had not intercepted it).
While the user is logged in, on each HTTP request Shibboleth passes to Apache and Tomcat information about the user obtained from the IdP, such as the username with which the user logged in at the IdP.
Shibboleth Configuration is documented in full at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2063695920/Configuration
entityID: the ID of our Service Provider (SP)
attributePrefix must be set to "AJP_" so that the attributes from the "attribute-map.xml" file (see below) are passed to Tomcat as request attributes (as opposed to request headers). See also SHRINE 4.0.0 Appendix A.5 - More Details: Tomcat Configuration on the same topic.
REMOTE_USER xml attribute of <ApplicationDefaults> should be populated, in the form of a list of at least one attribute name; the first of which should normally be "userId", which is defined in
<Sessions> configuration documentation is available at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions
The following specifies the entityID of the IdP to use for authentication. Get it from the IdP metadata. We also specify that we speak only
When logging out, only log out of the local Shibboleth session:
Setting the status-reporting-service URL (relative to the hostname) to "/Shibboleth.sso/Status":
Setting the session diagnostic service to "/Shibboleth.sso/Session":
The IdP's metadata should be stored in a file called idp-metadata.xml. It should be obtained from the IdP admin(s):
You can customize the error pages, at least with an email
The attribute-map.xml file (as set by the "path" xml attribute) specifies which attributes are extracted from the IdP's response and the names of the request headers or request attributes under which they will be available to the Servlet code. More on this file below:
We left the following element, and the file <AttributeFilter> points to, unchanged:
This points to the key pair we created above:
We left the following elements and the files they point to unchanged. See https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334523/SecurityPolicyProvider ("By default, it's supplied in a separate file (security-policy.xml) because the settings are rarely altered") and https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335163/ProtocolProvider ("This is not a part of the configuration that requires changes, it's a point of extensibility.")
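The shibboleth2.xml settings walked through above, assembled into one file as an added example; this is not SHRINE's shipped configuration. The element names and layout are those of the Shibboleth SP 3 default shibboleth2.xml; the entity IDs (sp.example.org, idp.example.org), the support address and the key/certificate file names are placeholders that you replace with your own values.

```xml
<!-- Added example, not SHRINE's shipped shibboleth2.xml. Placeholders: sp.example.org,
     idp.example.org, shrine-support@example.org, sp-key.pem, sp-cert.pem. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

    <!-- entityID: this SP's ID.
         REMOTE_USER: list of attribute ids; "userId" (defined in attribute-map.xml) first.
         attributePrefix="AJP_": attributes travel to Tomcat as AJP request attributes,
         never as HTTP headers, so a browser cannot spoof them by sending a same-named header. -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                         REMOTE_USER="userId"
                         attributePrefix="AJP_"
                         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!MD5:!RC4">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https"
                  redirectLimit="exact">

            <!-- entityID of the IdP, copied from idp-metadata.xml; we speak SAML2 only -->
            <SSO entityID="https://idp.example.org/idp/shibboleth">
                SAML2
            </SSO>

            <!-- Local: end the SP session only, no LogoutRequest is sent to the IdP -->
            <Logout>Local</Logout>

            <!-- handlerURL defaults to /Shibboleth.sso, so this is /Shibboleth.sso/Status;
                 the acl keeps the status report from being world-readable -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- /Shibboleth.sso/Session; showAttributeValues="false" lists attribute
                 names and counts without exposing the values -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        </Sessions>

        <!-- error pages: at least a support contact -->
        <Errors supportContact="shrine-support@example.org"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- IdP metadata obtained from the IdP admin(s) -->
        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>

        <!-- which SAML attributes become request attributes (attribute-map.xml) -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                            path="attribute-map.xml"/>

        <!-- left at the default -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- the SP key pair generated earlier (file names are placeholders) -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

    </ApplicationDefaults>

    <!-- left at the defaults -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
```

After editing, `shibd -t` checks the file for syntax and loading errors before you restart the daemon. The AJP_ prefix only does its job if the Apache-to-Tomcat link is AJP and the Tomcat connector is set to accept those attributes; that side is covered in Appendix A.5.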
If needed, refer to
Get it from your IdP.
The path of this file is specified in the <AttributeExtractor> element in shibboleth2.xml. This file specifies the SAML content that your SP turns into "attributes". These will be made available to the ServletRequest running on Tomcat. For Shrine SSO, the only attribute needed here is the user id returned by the IdP, mapped to the "userId" id so it matches the REMOTE_USER attribute in

IMPORTANT: you must specify exactly one attribute whose id is "userId". The Shrine SP code will look for a request attribute of that id to populate the username in the code (which appears in the user account "badge" at the top-right corner of the UI).
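An attribute-map.xml that maps a single IdP attribute to the "userId" id, as an added example rather than SHRINE's own file. It assumes the IdP releases the user's login name as the standard LDAP uid attribute (urn:oid:0.9.2342.19200300.100.1.1); if your IdP releases something else, substitute that attribute's name. The commented-out eduPersonPrincipalName mapping shows how a scoped attribute would be mapped instead, never in addition.

```xml
<!-- Added example, not SHRINE's shipped attribute-map.xml.
     Assumption: the IdP releases the login name as uid (urn:oid:0.9.2342.19200300.100.1.1).
     Confirm the attribute name and its release policy with your IdP admin(s). -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Exactly one Attribute element may carry id="userId". With attributePrefix="AJP_"
         in shibboleth2.xml, Shibboleth exports it as AJP_userId; mod_proxy_ajp / mod_jk
         strip the AJP_ prefix, so Tomcat sees request.getAttribute("userId"). -->
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="userId"/>

    <!-- Alternative if the IdP only releases eduPersonPrincipalName (user@scope):
         use this INSTEAD of the uid mapping above, never both, so that only one
         attribute carries the userId id.
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="userId">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    -->

</Attributes>
```

Because shibboleth2.xml above sets reloadChanges="false" on the <AttributeExtractor>, shibd must be restarted for edits to this file to take effect; /Shibboleth.sso/Session then shows whether a userId attribute was actually received for a logged-in user.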