duketwo/Shib-Idp
Shib-Idp

Installation

Requirements

  1. Any Docker-supported OS capable of running Linux-based Docker containers
  2. Docker
    (https://docs.docker.com/engine/installation/linux/debian/)
  3. Docker-Compose
    (https://docs.docker.com/compose/install/)
  4. Git
    (https://www.digitalocean.com/community/tutorials/how-to-install-git-on-debian-8)

Featuring

  • Jetty as Servlet/JSP container and web server for Shibboleth
  • phpLDAPadmin to administer the LDAP directory
  • OpenLDAP as the directory service for Shibboleth
  • Shibboleth IdP provides the Single Sign-On service

How to use

  1. Create the initial base configuration:
    chmod +x ./init.sh && ./init.sh
    Make a note of the backchannel and cookie passwords!

  2. Edit the docker-compose environment variables:
    JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD: <backchannel password from step 1>

  3. Configure the ./config/idp/conf/idp.properties file
    3.1. Set the IdP scope:
          # Set the scope used in the attribute resolver for scoped attributes
          idp.scope= example.org
    3.2. Configure the trackSPSessions attribute to allow SLO (Single Logout):
          # Track information about SPs logged into
          idp.session.trackSPSessions = true

  4. Add metadata providers
  5. Set an AttributeFilterPolicy within the ./config/idp/conf/attribute-filter.xml file (see the AttributeFilterPolicy example under XML listings below).
  6. Configure attribute resolver
  7. Configure attribute filter
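Step 3 edits idp.properties by hand, and a leading space after the `=` (as in `idp.scope= example.org`) is harmless only because the IdP reads the file with Java properties semantics, which strip it. The script below is an added example, not a file from the Shib-Idp repository: it reads a properties file the way java.util.Properties does and confirms the two settings from step 3 are in place. `SAMPLE_IDP_PROPERTIES` is a constructed fragment built from the two lines above plus a comment and a continued value.

```python
"""Read idp.properties the way java.util.Properties does and confirm the two
settings from step 3 of the how-to.  Added example, not a file from the
Shib-Idp repository; SAMPLE_IDP_PROPERTIES is a constructed fragment."""
import re

# Constructed fragment: the two lines from step 3 plus a comment and a
# backslash-continued value, to exercise the parser.
SAMPLE_IDP_PROPERTIES = """\
# Set the scope used in the attribute resolver for scoped attributes
idp.scope= example.org

! java.util.Properties also treats '!' as a comment marker
idp.session.trackSPSessions = true
idp.additionalProperties= /conf/ldap.properties, \\
                          /conf/saml-nameid.properties
"""

# key = run of non-separator chars (backslash escapes allowed), then an optional
# '=' or ':' surrounded by optional whitespace, then the value.
_KEY_VALUE = re.compile(r"^((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#' and '!' comments, '=' or ':' or
    whitespace as separator, whitespace around the value dropped (so
    'idp.scope= example.org' yields 'example.org'), and a trailing backslash
    continuing the value on the next line."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes means "continue on next line".
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _KEY_VALUE.match(line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1))  # undo \=, \:, \<space> in the key
        props[key] = m.group(2).strip()
    return props


def check_idp_properties(text: str) -> list:
    """Return findings (empty when both step-3 settings are present): idp.scope
    must be set, and SP session tracking must be on or SLO is unavailable."""
    props = parse_properties(text)
    findings = []
    if not props.get("idp.scope"):
        findings.append("idp.scope is not set")
    if props.get("idp.session.trackSPSessions", "false").lower() != "true":
        findings.append("idp.session.trackSPSessions is not true; SLO will be unavailable")
    return findings


if __name__ == "__main__":
    print(parse_properties(SAMPLE_IDP_PROPERTIES))
    print(check_idp_properties(SAMPLE_IDP_PROPERTIES) or "idp.properties OK")
```

Run it against the real file with `check_idp_properties(open("config/idp/conf/idp.properties").read())` after step 3; an empty list means both settings took effect.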

Cheatsheet

  1. Let's Encrypt cert conversion to p12 format:
    openssl pkcs12 -export -out idp-browser.p12 -inkey privkey.pem -in cert.pem -certfile chain.pem

  2. Let's Encrypt cert conversion to HAProxy pem:
    cd haproxy/certs
    DOMAIN='yourdomain.net' bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > $DOMAIN.pem'
    chmod -R go-rwx .

  3. LDAP credentials:
    LDAP user: cn=admin,dc=shib
    LDAP pw: toor

  4. Create a self-signed TLS cert and convert it to p12 format:
    cd ./config/idp/credentials
    openssl req -nodes -new -x509 -keyout jetty.key -out jetty.crt
    openssl pkcs12 -passout pass: -inkey jetty.key -in jetty.crt -export -out idp-browser.p12

  5. LDAP memberOf search example:
    (&(objectClass=*)(memberOf=cn=students,ou=groups,dc=shib))
    (&(objectClass=*)(memberOf=cn=professors,ou=groups,dc=shib))

  6. Disable IdP assertion encryption in ./config/idp/conf/relying-party.xml (see the "Disable assertion encryption" listing under XML listings below).
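The two memberOf filters in item 5 hard-code the group name. When the name instead comes from configuration or an administration form, it has to be escaped at two layers before it is safe to send: RFC 4514 for the value inside the DN, then RFC 4515 for the DN inside the filter, so that filter metacharacters in the name cannot change the shape of the query. The code below is an added example, not code from the Shib-Idp repository; it reproduces the page's two filters for fixed names and shows what each layer does to a name containing `,` or `*`/`(`/`)`. The `ou=groups,dc=shib` base is the one on the page.

```python
"""Build the memberOf filters from the cheatsheet with the two escaping layers
an LDAP client needs when the group name is not a fixed string: RFC 4514 for
the value inside the DN, then RFC 4515 for the DN inside the filter.  Added
example, not code from the Shib-Idp repository."""

# RFC 4515 section 3: characters that must be hex-escaped in a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name (RFC 4514
    section 2.4): special characters get a backslash, a leading '#' or space
    and a trailing space are escaped, NUL becomes \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        else:
            out.append(ch)
    return "".join(out)


def member_of_filter(group_cn: str, groups_base: str = "ou=groups,dc=shib") -> str:
    """Filter matching every entry whose memberOf holds the group's DN.  The DN
    is built with RFC 4514 escaping and then escaped again as a filter value;
    ',' and '=' are not filter metacharacters, so a plain name passes through
    unchanged and yields exactly the filters from the cheatsheet."""
    group_dn = "cn=%s,%s" % (escape_dn_value(group_cn), groups_base)
    return "(&(objectClass=*)(memberOf=%s))" % escape_filter_value(group_dn)


if __name__ == "__main__":
    for cn in ("students", "professors", "a,b", "*)(uid=*"):
        print(member_of_filter(cn))
```

For `students` and `professors` the output is byte-for-byte the two filters above; a name with a comma comes out as `cn=a\5c,b,...` (the DN escape `\,` is itself a backslash, which the filter layer then hex-escapes), and filter metacharacters are reduced to `\2a`, `\28`, `\29`.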


References used

https://github.com/dinkel/docker-openldap
https://github.com/dinkel/docker-phpldapadmin
https://github.com/Unicon/shibboleth-idp-dockerized

XML listings

  1. Disable assertion encryption
    <util:list id="shibboleth.RelyingPartyOverrides">
        <!--
        Override example that identifies a single RP by name and configures it
        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
        -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example-federation.us">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>
    </util:list>
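Overrides like the one above are easy to add for a "vendor" SP and easy to forget. The script below is an added example, not code from the Shib-Idp repository: it parses relying-party.xml with the standard library and lists every relying party whose SAML 2 profile bean sets `p:encryptAssertions="false"`. The XML is a constructed fragment modelled on the listing above (the Spring `beans`, `util`, `p` and `c` namespace URIs are the real ones), with a second, still-encrypted SP added so the report has something to leave out.

```python
"""List the relying parties whose SAML 2 profile overrides in relying-party.xml
turn assertion encryption off, as the listing above does for one SP.  Added
example, not code from the Shib-Idp repository; the XML is a constructed
fragment modelled on that listing with a second, still-encrypted SP added."""
import xml.etree.ElementTree as ET

NS = {
    "beans": "http://www.springframework.org/schema/beans",
    "util": "http://www.springframework.org/schema/util",
    "p": "http://www.springframework.org/schema/p",
    "c": "http://www.springframework.org/schema/c",
}

SAMPLE_RELYING_PARTY_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
  <util:list id="shibboleth.RelyingPartyOverrides">
    <!-- the override from the listing above: SAML 2 SSO without encryption -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example-federation.us">
      <property name="profileConfigurations">
        <list>
          <bean parent="SAML2.SSO" p:encryptAssertions="false" />
        </list>
      </property>
    </bean>
    <!-- constructed second override that keeps the default (encrypted) -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp-two.example.org">
      <property name="profileConfigurations">
        <list>
          <bean parent="SAML2.SSO" />
        </list>
      </property>
    </bean>
  </util:list>
</beans>
"""


def unencrypted_relying_parties(xml_text: str) -> list:
    """Return (relyingPartyId, profile) pairs for every SAML2.* profile bean
    under shibboleth.RelyingPartyOverrides that sets p:encryptAssertions="false".
    The IdP encrypts by default when the attribute is absent, so only an
    explicit "false" is reported."""
    root = ET.fromstring(xml_text)
    overrides = root.find(".//util:list[@id='shibboleth.RelyingPartyOverrides']", NS)
    if overrides is None:
        return []
    bean_tag = "{%s}bean" % NS["beans"]
    ids_attr = "{%s}relyingPartyIds" % NS["c"]
    encrypt_attr = "{%s}encryptAssertions" % NS["p"]
    found = []
    for override in overrides.findall("beans:bean", NS):
        # Spring accepts a comma-separated string for the id collection.
        rp_ids = [i.strip() for i in override.get(ids_attr, "").split(",") if i.strip()]
        for profile in override.iter(bean_tag):
            parent = profile.get("parent", "")
            if parent.startswith("SAML2.") and profile.get(encrypt_attr, "true").lower() == "false":
                for rp_id in rp_ids:
                    found.append((rp_id, parent))
    return found


if __name__ == "__main__":
    for rp_id, profile in unencrypted_relying_parties(SAMPLE_RELYING_PARTY_XML):
        print("%s: %s assertions are NOT encrypted" % (rp_id, profile))
```

Point it at `config/idp/conf/relying-party.xml` to get the list of SPs that receive plaintext assertions; each entry should correspond to a known vendor that cannot decrypt, not to a leftover from testing.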
  2. AttributeFilterPolicy example
    <AttributeFilterPolicy id="https://sp.example-federation.us">
      <PolicyRequirementRule xsi:type="Requester" value="https://sp.example-federation.us" />
      <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="memberOf">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
    </AttributeFilterPolicy>
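The policy above releases seven attributes, but only to the one requester named in its `PolicyRequirementRule`. The script below is an added example, not code from the Shib-Idp repository: it parses attribute-filter.xml and produces, per policy, the requester it applies to and the attributes it permits, and flags policies whose requirement rule is `xsi:type="ANY"` and therefore release to every SP. The XML is a constructed fragment that wraps the listing above in the `urn:mace:shibboleth:2.0:afp` policy group it lives in, plus a second, constructed release-to-anyone policy for contrast.

```python
"""Summarise which attributes attribute-filter.xml releases to which requester
and flag policies that release to any requester.  Added example, not code from
the Shib-Idp repository; the first policy is the listing above, the second is
constructed."""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
NS = {"afp": AFP}

SAMPLE_ATTRIBUTE_FILTER_XML = """\
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- the policy from the listing above -->
  <AttributeFilterPolicy id="https://sp.example-federation.us">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example-federation.us" />
    <AttributeRule attributeID="uid"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="surname"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="memberOf"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>

  <!-- constructed: releases one attribute to every requester -->
  <AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="eduPersonAffiliation"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""


def summarise_release_policies(xml_text: str) -> list:
    """One dict per AttributeFilterPolicy: its id, the requester it applies to
    (the Requester rule's value, or the rule type such as "ANY" otherwise), the
    attributes that carry a PermitValueRule, and whether it releases to all."""
    root = ET.fromstring(xml_text)
    summary = []
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        rule = policy.find("afp:PolicyRequirementRule", NS)
        rule_type = rule.get(XSI_TYPE, "") if rule is not None else ""
        requester = rule.get("value") if rule_type == "Requester" else rule_type
        released = [
            attr.get("attributeID")
            for attr in policy.findall("afp:AttributeRule", NS)
            if attr.find("afp:PermitValueRule", NS) is not None
        ]
        summary.append({
            "policy": policy.get("id"),
            "requester": requester,
            "attributes": released,
            "to_any_requester": rule_type == "ANY",
        })
    return summary


def policies_releasing_to_anyone(xml_text: str) -> list:
    """Ids of policies whose requirement rule is xsi:type="ANY"; every attribute
    they permit goes to every SP that asks, so each one deserves a second look."""
    return [p["policy"] for p in summarise_release_policies(xml_text) if p["to_any_requester"]]


if __name__ == "__main__":
    for entry in summarise_release_policies(SAMPLE_ATTRIBUTE_FILTER_XML):
        print("%-40s -> %-45s %s" % (entry["policy"], entry["requester"], ", ".join(entry["attributes"])))
    print("release-to-anyone policies:", policies_releasing_to_anyone(SAMPLE_ATTRIBUTE_FILTER_XML))
```

Running it over `config/idp/conf/attribute-filter.xml` gives a one-line-per-SP view of what the IdP will hand out, which is quicker to review than the XML itself when the file grows past a handful of policies.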

License

MIT

About

Dockerized Shibboleth-IdP
