Versions Compared

Old Version 4

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version Current

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This appendix is designed to guide system admins installing Single-Sign-On (SSO) for Shrine (using Shibboleth).

Very Basic Overview

...

Shibboleth consists of a Daemon plus an apache module. This Apache module must be configured for Shibboleth to intercept certain requests. When a request is intercepted, Shibboleth will decide whether the user (1) needs to login at the configured idP (which will present a login form to the user), or (2) is already logged in (and Shibboleth will let the request be served as if it wasn't there to intercept it)

<SSO entityID="https://idp.example.org/idp/shibboleth"
> discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">

becomes:

<SSO entityID="http://sso.med.harvard.edu/adfs/services/trust">
< SAML2

Installation Layout

apache

Shibboleth

tomcat

Configuration

  • Accessing data received from the idP (Request Headers)

shibboleth2.xml

attribute-map.xml

sp.conf

Developer tools

  • SAML 

Serving Metadata

Certificate

of SSO

IdP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called a SP (for Service Provider).

In this implementation of SSO, the SP consists of the Shibboleth SP version 3 software. See https://shibboleth.atlassian.net/wiki/spaces/SP3/overview .

Upon successful login at the IdP, the IdP will send information about the user back to the SP as "attributes".

Among other things, The SP must be configured to specify which of these attributes should be passed to the shrine code (in the form of HTTP servlet request attributes and/or headers).

Shibboleth config Documentation

This is not required reading, but if you want to jump in depth, this is the official Shibboleth configuration documentation

https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335529/GettingStarted

Developer tools

  • SAML : "SAML DevTools extension" for Chrome. These tools let you view encoded SAML content. 

A Decent Book on SAML

  • Stefan Rasmusson: "SAML 2.0; Designing Secure Identity Federation". Just one of many books on the topic.

Next Step: 

SHRINE 4.0.0 Appendix A.1 - Installing the Software StackAppendix: a Decent Book