Configure LDAP Authentication in Shibboleth IdP 3.x

This guide configures our Shibboleth Identity Provider to use our Apache Directory Server as both its authentication source and its user attribute source.

Before you start, you need the following prerequisites:

  1. A Shibboleth Identity Provider - or you can follow this guide to install Shibboleth IdP
  2. A Shibboleth Service Provider - or you can follow this guide to install Shibboleth Service Provider
  3. An LDAP server up and running

Let's start

Open a terminal and change directory to your Shibboleth IdP installation:
cd /opt/shibboleth-idp
Then open the ldap.properties file in the conf folder:
nano conf/ldap.properties

Set the following properties in ldap.properties:



# bindSearchAuthenticator: bind with a service account, search for the user's
# entry, then bind as that entry's DN with the password the user typed
idp.authn.LDAP.authenticator = bindSearchAuthenticator
## Connection properties ##
# With StartTLS and SSL both off, the bind password and every user's password
# cross the wire in cleartext; only acceptable while the directory is on the
# same host, otherwise set useStartTLS = true or use an ldaps:// URL
idp.authn.LDAP.ldapURL     = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL      = false

# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = ou=People,dc=pg,dc=nig,dc=ac,dc=jp

# {user} is replaced with the username entered at the login form
idp.authn.LDAP.userFilter = (uid={user})

# bind search configuration: the service account used to locate the user's DN
idp.authn.LDAP.bindDN    = cn=admin,dc=nig,dc=ac,dc=jp
idp.authn.LDAP.bindDNCredential  = secret

# attributes the attribute resolver's LDAP data connector fetches for each user
idp.attribute.resolver.LDAP.returnAttributes = uid,mail,displayName,employeeNumber,postalAddress,telephoneNumber


Open conf/authn/password-authn-config.xml and check that the line <import resource="ldap-authn-config.xml" /> is uncommented.

Attribute Release in Shibboleth IdP 

From here on, this section explains how to configure the Shibboleth IdP to release particular data from LDAP to the service provider.
Copy the LDAP attribute resolver template over conf/attribute-resolver.xml:
cp conf/attribute-resolver-ldap.xml conf/attribute-resolver.xml

Add the following attribute definitions to attribute-resolver.xml:
nano conf/attribute-resolver.xml

<!-- Each definition takes its value from the myLDAP data connector; the
     sourceAttributeID must also be listed in returnAttributes in ldap.properties -->
<AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="displayName">
 <Dependency ref="myLDAP" />
 <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
 <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition id="employeeNumber" xsi:type="Simple" sourceAttributeID="employeeNumber">
 <Dependency ref="myLDAP" />
 <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
 <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
</AttributeDefinition>

<!-- postalAddress is OID 2.5.4.16 (RFC 4519); 2.5.4.9 is the street attribute -->
<AttributeDefinition id="postalAddress" xsi:type="Simple" sourceAttributeID="postalAddress">
 <Dependency ref="myLDAP" />
 <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
 <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition id="telephoneNumber" xsi:type="Simple" sourceAttributeID="telephoneNumber">
 <Dependency ref="myLDAP" />
 <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
 <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
</AttributeDefinition>
Delete the existing myLDAP data connector and replace it with:

<DataConnector id="myLDAP"
    xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
  <FilterTemplate>
    <![CDATA[
    %{idp.attribute.resolver.LDAP.searchFilter}
    ]]>
  </FilterTemplate>
  <ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</ReturnAttributes>
</DataConnector>
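As an added check, not part of the original guide, the following Python script reads an ldap.properties like the one above, expands the %{name} and %{name:default} placeholders the way the IdP does so that the values the data connector above will actually use can be inspected, and flags what a reviewer would question: a cleartext ldap:// URL without StartTLS, a user filter without {user}, a resolver filter without $resolutionContext.principal, and a returnAttributes list that omits an attribute the resolver defines. The sample properties are constructed; the idp.attribute.resolver.LDAP.* reference lines mirror what the stock 3.x ldap.properties ships with, which is an assumption here.

```python
import re
# Constructed sample: the guide's authn values plus the idp.attribute.resolver
# lines the stock 3.x ldap.properties defines by reference (an assumption here).
SAMPLE = """
idp.authn.LDAP.ldapURL     = ldap://localhost:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.baseDN = ou=People,dc=pg,dc=nig,dc=ac,dc=jp
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN    = cn=admin,dc=nig,dc=ac,dc=jp
idp.authn.LDAP.bindDNCredential  = secret
idp.attribute.resolver.LDAP.ldapURL      = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN       = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN       = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
idp.attribute.resolver.LDAP.returnAttributes = uid,mail,displayName,employeeNumber,postalAddress,telephoneNumber
"""
PLACEHOLDER = re.compile(r"%\{([^{}:]+)(?::([^{}]*))?\}")

def parse_properties(text):
    """Minimal Java-properties reader: blank lines and #/! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, depth=0):
    """Expand %{name} and %{name:default} the way the IdP's property resolver does."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in props and depth < 10:
            return resolve(props, name, depth + 1)
        return m.group(0) if default is None else default
    return PLACEHOLDER.sub(sub, props.get(key, ""))

def audit(props, needed_attrs):
    """Return the findings a reviewer would raise before this file goes live."""
    findings = []
    url = resolve(props, "idp.authn.LDAP.ldapURL")
    if url.startswith("ldap://") and resolve(props, "idp.authn.LDAP.useStartTLS").lower() != "true":
        findings.append("cleartext LDAP: bind password and user passwords cross the wire unprotected")
    if "{user}" not in resolve(props, "idp.authn.LDAP.userFilter"):
        findings.append("userFilter lacks {user}: the search does not select the logging-in user")
    if "$resolutionContext.principal" not in resolve(props, "idp.attribute.resolver.LDAP.searchFilter"):
        findings.append("resolver searchFilter lacks $resolutionContext.principal")
    returned = {a.strip() for a in resolve(props, "idp.attribute.resolver.LDAP.returnAttributes").split(",")}
    missing = sorted(set(needed_attrs) - returned)
    if missing:
        findings.append("returnAttributes omits " + ", ".join(missing))
    return findings
```

Run audit(parse_properties(open("conf/ldap.properties").read()), [...]) with the sourceAttributeID values from your attribute-resolver.xml; on the guide's values the only finding is the cleartext ldap:// connection.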
Open conf/attribute-filter.xml and add the following attribute filter policy:
nano conf/attribute-filter.xml
<!-- Release some attributes to MY SP. -->
<!-- value must be the entityID of the SP exactly as it appears in the SP's metadata -->
<AttributeFilterPolicy id="dit-sp-ap">
 <PolicyRequirementRule xsi:type="Requester" value="my-sp" />

 <AttributeRule attributeID="uid">
  <PermitValueRule xsi:type="ANY" />
 </AttributeRule>

 <AttributeRule attributeID="mail">
  <PermitValueRule xsi:type="ANY" />
 </AttributeRule>

 <AttributeRule attributeID="displayName">
  <PermitValueRule xsi:type="ANY" />
 </AttributeRule>

 <AttributeRule attributeID="postalAddress">
  <PermitValueRule xsi:type="ANY" />
 </AttributeRule>

 <AttributeRule attributeID="telephoneNumber">
  <PermitValueRule xsi:type="ANY" />
 </AttributeRule>
 <AttributeRule attributeID="employeeNumber">
  <PermitValueRule xsi:type="ANY" />
 </AttributeRule>
</AttributeFilterPolicy>
Restart the IdP and watch the process log for error messages:

    service tomcat8 restart && tail -f logs/idp-process.log

Quick test:

To view the data released by the IdP, go to the service provider and log in.

If your configuration is correct, the Shibboleth IdP shows the following attribute release window asking for your confirmation:

[Screenshot: Shibboleth IdP attribute release confirmation]