Service Provider Single Server Configuration
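<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

  <!-- Transaction log line format used by the out-of-process (shibd) side. -->
  <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

  <!--
    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
    Angle-bracket placeholders such as <customer.url> and <CUSTOMER_ENTITY_SERVER> must be
    substituted before deployment: a literal '<' inside an attribute value is not
    well-formed XML and the file will fail to parse.
    cipherSuites removes export, NULL, DES, IDEA, SEED, RC4, 3DES and static-RSA suites
    and every protocol below TLS 1.2.
  -->
  <ApplicationDefaults entityID="https://pcr360.<customer.url>/shibboleth-sp"
                       REMOTE_USER="eppn subject-id pairwise-id persistent-id"
                       cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

    <!--
      Session lifetime is 8 hours (28800 s) with a 1 hour (3600 s) idle timeout.
      checkAddress is off, so the session cookie alone ties a request to its session;
      handlerSSL="true" and cookieProps="https" keep the handlers and that cookie on TLS.
      relayState="ss:mem" holds relay state in this process's memory.
    -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">

      <!--
        Configures SSO for a default IdP. To properly allow for more than one IdP, remove the
        entityID property and adjust discoveryURL to point to a discovery service.
        You can also override entityID on the /Login query string, or in RequestMap/htaccess.
      -->
      <SSO entityID="<CUSTOMER_ENTITY_SERVER>"
           discoveryProtocol="SAMLDS"
           discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2
      </SSO>

      <!-- SAML and local-only logout. -->
      <Logout>SAML2 Local</Logout>

      <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

      <!-- Administrative logout, reachable from loopback only. -->
      <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

      <!-- Status reporting service, reachable from loopback only. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

      <!-- Session diagnostic service; attribute values are withheld from the output. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>

      <!-- JSON feed of discovery information. -->
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <!--
      Allows overriding of error template information/filenames. You can also add your own
      attributes with values that can be plugged into the templates, e.g. helpLocation below.
    -->
    <Errors supportContact="help@pcr.com"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Example of locally maintained metadata. -->
    <!-- MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/-->

    <!--
      Remotely supplied metadata with a local backup. In most cases the url should be
      updated to the customer's metadata URL.
      The aggregate is fetched over plain HTTP and no MetadataFilter is configured here, so
      the IdP keys it carries are not authenticated on download. Add the federation's
      signature filter, e.g. <MetadataFilter type="Signature" certificate="FEDERATION_SIGNING_CERT.pem"/>
      with the published signing certificate (placeholder file name), or at minimum fetch
      over https.
    -->
    <MetadataProvider type="XML" validate="true"
                      url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                      backingFilePath="customer-metadata.xml" maxRefreshDelay="7200">
      <!-- Hides entities tagged hide-from-discovery from the discovery feed. -->
      <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
                       attributeName="http://macedir.org/entity-category"
                       attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                       attributeValue="http://refeds.org/category/hide-from-discovery" />
    </MetadataProvider>

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!--
      Simple file-based resolvers for separate signing/encryption keys.
      The private key files should be readable by the shibd user only.
    -->
    <CredentialResolver type="File" use="signing"
                        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>

  <!-- Policies that determine how to process and authenticate runtime messages. -->
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

  <!-- Low-level configuration about protocols and bindings available for use. -->
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>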
...
Service Provider Multiple Server Configuration
/etc/shibboleth/shibboleth2.xml
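<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

  <!-- Transaction log line format used by the out-of-process (shibd) side. -->
  <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

  <!--
    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
    Angle-bracket placeholders such as <customer.url> and <CUSTOMER_ENTITY_SERVER> must be
    substituted before deployment: a literal '<' inside an attribute value is not
    well-formed XML and the file will fail to parse.
    cipherSuites removes export, NULL, DES, IDEA, SEED, RC4, 3DES and static-RSA suites
    and every protocol below TLS 1.2.
  -->
  <ApplicationDefaults entityID="https://pcr360.<customer.url>/shibboleth-sp"
                       REMOTE_USER="eppn subject-id pairwise-id persistent-id"
                       cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

    <!--
      Session lifetime is 8 hours (28800 s) with a 1 hour (3600 s) idle timeout.
      checkAddress is off, so the session cookie alone ties a request to its session;
      handlerSSL="true" and cookieProps="https" keep the handlers and that cookie on TLS.
      NOTE(review): relayState="ss:mem" holds relay state in this node's memory. If the SP
      really spans several hosts behind a load balancer, confirm that users are pinned to
      one node, or move to a shared StorageService.
    -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">

      <!--
        Configures SSO for a default IdP. To properly allow for more than one IdP, remove the
        entityID property and adjust discoveryURL to point to a discovery service.
        You can also override entityID on the /Login query string, or in RequestMap/htaccess.
      -->
      <SSO entityID="<CUSTOMER_ENTITY_SERVER>"
           discoveryProtocol="SAMLDS"
           discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2
      </SSO>

      <!-- SAML and local-only logout. -->
      <Logout>SAML2 Local</Logout>

      <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

      <!-- Administrative logout, reachable from loopback only. -->
      <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

      <!-- Status reporting service, reachable from loopback only. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

      <!-- Session diagnostic service; attribute values are withheld from the output. -->
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>

      <!-- JSON feed of discovery information. -->
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <!--
      Allows overriding of error template information/filenames. You can also add your own
      attributes with values that can be plugged into the templates, e.g. helpLocation below.
    -->
    <Errors supportContact="help@pcr.com"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- Example of locally maintained metadata. -->
    <!-- MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/-->

    <!--
      Remotely supplied metadata with a local backup. In most cases the url should be
      updated to the customer's metadata URL.
      The aggregate is fetched over plain HTTP and no MetadataFilter is configured here, so
      the IdP keys it carries are not authenticated on download. Add the federation's
      signature filter, e.g. <MetadataFilter type="Signature" certificate="FEDERATION_SIGNING_CERT.pem"/>
      with the published signing certificate (placeholder file name), or at minimum fetch
      over https.
    -->
    <MetadataProvider type="XML" validate="true"
                      url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                      backingFilePath="customer-metadata.xml" maxRefreshDelay="7200">
      <!-- Hides entities tagged hide-from-discovery from the discovery feed. -->
      <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
                       attributeName="http://macedir.org/entity-category"
                       attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                       attributeValue="http://refeds.org/category/hide-from-discovery" />
    </MetadataProvider>

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!--
      Simple file-based resolvers for separate signing/encryption keys.
      The private key files should be readable by the shibd user only.
    -->
    <CredentialResolver type="File" use="signing"
                        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

    <!--
      Example Application Override for a second virtual host (the test instance).
      It has its own entityID and REMOTE_USER mapping; the remaining settings mirror the
      defaults above and must be kept in step with them.
    -->
    <ApplicationOverride id="pcr360test"
                         entityID="https://pcr360-test.<customer.url>/shibboleth-sp"
                         REMOTE_USER="uid">

      <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                checkAddress="false" handlerSSL="true" cookieProps="https"
                redirectLimit="exact">

        <!-- Configures SSO for the override IdP. -->
        <SSO entityID="<CUSTOMER_ENTITY_SERVER>"
             discoveryProtocol="SAMLDS"
             discoveryURL="https://ds.example.org/DS/WAYF">
          SAML2
        </SSO>

        <!-- SAML and local-only logout. -->
        <Logout>SAML2 Local</Logout>

        <!-- Administrative logout, reachable from loopback only. -->
        <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

        <!-- Generated metadata for this override's entityID. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

        <!-- Status reporting service, reachable from loopback only. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

        <!-- Session diagnostic service; attribute values are withheld from the output. -->
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
      </Sessions>

      <Errors supportContact="help@pcr.com"
              helpLocation="/about.html"
              styleSheet="/shibboleth-sp/main.css"/>

      <!--
        Same remote metadata source as the defaults, with its own backing file.
        The note about an unauthenticated plain-HTTP download applies here as well.
      -->
      <MetadataProvider type="XML" validate="true"
                        url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                        backingFilePath="customer-test-metadata.xml" maxRefreshDelay="7200">
        <!-- Hides entities tagged hide-from-discovery from the discovery feed. -->
        <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
                         attributeName="http://macedir.org/entity-category"
                         attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                         attributeValue="http://refeds.org/category/hide-from-discovery" />
      </MetadataProvider>

      <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
      <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

      <!-- The override reuses the default key pairs; both entityIDs share these credentials. -->
      <CredentialResolver type="File" use="signing"
                          key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
      <CredentialResolver type="File" use="encryption"
                          key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
    </ApplicationOverride>
    <!-- END Application Override -->
  </ApplicationDefaults>

  <!-- Policies that determine how to process and authenticate runtime messages. -->
  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

  <!-- Low-level configuration about protocols and bindings available for use. -->
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>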
Troubleshooting
If you get an authentication error such as the one below, you may need to turn off validation on the MetadataProvider.
opensaml::FatalProfileException at (https://pcr360.ucla.edu/Shibboleth.sso/SAML2/POST)
A valid authentication statement was not found in the incoming message.
Some identity providers (Microsoft's, for example) do not produce strictly valid SAML2, and this can cause problems. Open /etc/shibboleth/shibboleth2.xml and set the "validate" attribute of the MetadataProvider to false, as in the snippet below:
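<!--
  validate="false" only switches off XML schema validation of the fetched metadata
  document. It does not loosen signature verification, which is governed by whatever
  MetadataFilter elements sit inside the provider, so leave those in place when relaxing this.
  The url and attribute values are written on one line on purpose: a line break inside an
  attribute value is normalized to a space and would corrupt the URL.
-->
<MetadataProvider type="XML" validate="false"
                  url="https://shbqa.ais.ucla.edu/idp/shibboleth"
                  backingFilePath="customer-test-metadata.xml"
                  maxRefreshDelay="7200">
  <!-- Hides entities tagged hide-from-discovery from the discovery feed
       (type="Blacklist" is the older spelling of the Exclude filter used in the main configuration). -->
  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
                   attributeName="http://macedir.org/entity-category"
                   attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                   attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>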