Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Service Provider Single Server Configuration

  • /etc/shibboleth/shibboleth2.xml

Code Block
languagexml
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />


    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://pcr360.<customer.url>/shibboleth-sp"
                         REMOTE_USER="eppn subject-id pairwise-id persistent-id"
                         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https"
                  redirectLimit="exact">

            <!--
            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="<CUSTOMER_ENTITY_SERVER>"
                 discoveryProtocol="SAMLDS" 
                 discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            
            <!-- Administrative logout. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add your own attributes with values that can be plugged into the
        templates, e.g., helpLocation below.
        -->
        <Errors supportContact="help@pcr.com"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of locally maintained metadata. -->
        <!-- MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/-->

        <!-- Example of remotely supplied metadata with a local backup. -->
        <MetadataProvider type="XML" validate="true"
            url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
            backingFilePath="customer-metadata.xml" maxRefreshDelay="7200">
            <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
                             attributeName="http://macedir.org/entity-category"
                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
        <CredentialResolver type="File" use="signing"
                            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
                            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>


Service Provider Multiple Server Configuration

  • /etc/shibboleth/shibboleth2.xml

Code Block
languagexml
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />


    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://pcr360.<customer.url>/shibboleth-sp"
                         REMOTE_USER="eppn subject-id pairwise-id persistent-id"
                         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https"
                  redirectLimit="exact">

            <!--
            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <SSO entityID="<CUSTOMER_ENTITY_SERVER>"
                 discoveryProtocol="SAMLDS" 
                 discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2
            </SSO>

            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

             <!-- Administrative logout. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add your own attributes with values that can be plugged into the
        templates, e.g., helpLocation below.
        -->
        <Errors supportContact="help@pcr.com"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- Example of locally maintained metadata. -->
        <!-- MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/-->

        <!-- Example of remotely supplied metadata with a local backup. -->
        <MetadataProvider type="XML" validate="true"
                          <!-- In most cases this should be updated to the Customers metadata URL -->
                          url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                          backingFilePath="customer-metadata.xml" maxRefreshDelay="7200">
            <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
                             attributeName="http://macedir.org/entity-category"
                             attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             attributeValue="http://refeds.org/category/hide-from-discovery" />
        </MetadataProvider>

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- Simple file-based resolvers for separate signing/encryption keys. -->
        <CredentialResolver type="File" use="signing"
                            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
                            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

		<!-- Example Application Override for specifying a configuration with Multiple Virtual Hosts -->
        <ApplicationOverride
            id="pcr360test"
            entityID="https://pcr360-test.<customer.url>/shibboleth-sp"
            REMOTE_USER="uid">
  
            <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https"
                  redirectLimit="exact">

            	<!--
           		Configures SSO for a OVERRIDE IdP.
            	-->
            	<SSO entityID="<CUSTOMER_ENTITY_SERVER>"
                     discoveryProtocol="SAMLDS" 
                     discoveryURL="https://ds.example.org/DS/WAYF">
                  SAML2
                </SSO>
                <Logout>SAML2 Local</Logout>
                <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
                <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
                <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
                <Handler type="Session" Location="/Session" showAttributeValues="false"/>
                <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
            </Sessions>
  
           <Errors supportContact="help@pcr.com"
                   helpLocation="/about.html"
                   styleSheet="/shibboleth-sp/main.css"/>

            <MetadataProvider type="XML" validate="true"
                              url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                              backingFilePath="customer-test-metadata.xml" 
                              maxRefreshDelay="7200">
                <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
                                 attributeName="http://macedir.org/entity-category"
                                 attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                 attributeValue="http://refeds.org/category/hide-from-discovery" />
            </MetadataProvider>
 
            <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
            <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
            <CredentialResolver type="File" use="signing"
                                key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
            <CredentialResolver type="File" use="encryption"
                                key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
        </ApplicationOverride>
        <!-- END Application Override -->
    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>


Troubleshooting

If for some reason, you are getting an error with authentication, you may want to turn off validation.

Code Block
opensaml::FatalProfileException at (https://pcr360.ucla.edu/Shibboleth.sso/SAML2/POST)

A valid authentication statement was not found in the incoming message.

Authenticating with Microsoft, for example, doesn’t use valid SAML2, and this can cause problems. Open /etc/shibboleth/shibboleth2.xml and modify the “validate” parameter. See the code snippet below:

Code Block
  <MetadataProvider type="XML" validate="false"
                              url="
https://shbqa.ais.ucla.edu/idp/shibboleth"
                              backingFilePath="customer-test-metadata.xml"
                              maxRefreshDelay="7200">
<DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                                 attributeName="
http://macedir.org/entity-category"
                                 attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                                 attributeValue="
http://refeds.org/category/hide-from-discovery"
/>
</MetadataProvider>