
As in the primary implementation, the complete configuration files are given in the Appendix, and the principle remains broadly the same, namely:

- Getting the IdP to communicate with the SP

First load the SP metadata into the metadata element of C:\ANSIdP\conf\relying-party.xml. The SP metadata (some-metadata.xml) is obtained by browsing to https://lonfp2.ans.local/Shibboleth.sso/Metadata and renaming the downloaded file to some-metadata.xml.

Then update relying-party.xml and C:\ANSIdP\metadata\idp-metadata.xml by adding the port number 8443 after the host name in every https://rips4.ans.local URL, and do the same in any other file that carries such a URL. Example: entityID="https://rips4.ans.local:8443/idp/shibboleth" instead of entityID="https://rips4.ans.local/idp/shibboleth". In short, the port number of the IdP host name must be specified everywhere throughout the configuration process: an https URL without an explicit port implies 443, so a single forgotten port sends the SP (or the IdP itself) to an endpoint that is not listening.
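As an added check (example code written for this edit, not part of the original guide or of the Shibboleth project), the script below walks an IdP configuration tree and reports every https://rips4.ans.local URL that is not immediately followed by :8443, which is exactly the omission the step above warns about. The host name, port, file names and file contents are constructed assumptions modelled on the text; point find_unported_urls at C:\ANSIdP to scan a real installation.

```python
"""Find IdP URLs that lack the explicit port in a Shibboleth IdP 2.x
configuration tree.  Added example for this edit, not code from the original
guide or from the Shibboleth project; host name, port and the sample files are
assumptions modelled on the text (rips4.ans.local on port 8443)."""
import os
import re
import tempfile

IDP_HOST = "rips4.ans.local"   # assumption: the IdP host name used in the text
IDP_PORT = 8443                # assumption: the non-default HTTPS port from the text
CONFIG_SUFFIXES = (".xml", ".properties", ".config")


def find_unported_urls(root_dir, host=IDP_HOST, port=IDP_PORT):
    """Return [(relative_path, line_no, url), ...] for every https://<host>
    URL under root_dir that is not immediately followed by ':<port>'.

    The negative lookaheads make sure that 'https://host:8443' passes,
    'https://host:443' and 'https://host/...' are reported, and a longer
    host such as 'https://host.example' is not mistaken for ours."""
    host_re = re.escape(host)
    pattern = re.compile(rf"https://{host_re}(?!:{port}(?!\d))(?![\w.-])")
    url_tail = re.compile(r"[^\s\"'<>]*")   # rest of the URL up to a delimiter
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in sorted(files):
            if not name.lower().endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for m in pattern.finditer(line):
                        tail = url_tail.match(line, m.end()).group(0)
                        findings.append((rel, line_no, m.group(0) + tail))
    return findings


def build_sample_tree(base_dir):
    """Write a small constructed config tree: one entry with the port, two
    without it, and one SP URL that must not be reported (the SP is on 443)."""
    files = {
        "conf/relying-party.xml":
            '<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party">\n'
            '  <AnonymousRelyingParty provider="https://rips4.ans.local:8443/idp/shibboleth"/>\n'
            '  <DefaultRelyingParty provider="https://rips4.ans.local/idp/shibboleth"/>\n'
            '</RelyingPartyGroup>\n',
        "metadata/idp-metadata.xml":
            '<EntityDescriptor entityID="https://rips4.ans.local:8443/idp/shibboleth">\n'
            '  <SingleSignOnService Location="https://rips4.ans.local/idp/profile/SAML2/Redirect/SSO"/>\n'
            '</EntityDescriptor>\n',
        "metadata/some-metadata.xml":
            '<EntityDescriptor entityID="https://lonfp2.ans.local/shibboleth"/>\n',
    }
    for rel, text in files.items():
        path = os.path.join(base_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def check_sample():
    """Run the scan over the constructed tree and return the sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(find_unported_urls(tmp))


if __name__ == "__main__":
    for rel, line_no, url in check_sample():
        print(f"{rel}:{line_no}: missing :{IDP_PORT} in {url}")
```

Run it before restarting Tomcat: the two lines it reports in the constructed tree (one in relying-party.xml, one SingleSignOnService Location in idp-metadata.xml) are the kind of leftover that only shows up later as a failed SSO redirect. The SP's own https://lonfp2.ans.local URL is deliberately left alone, since only the IdP host runs on 8443.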

- Configure attributes to be released to the Service Provider

First define in C:\ANSIdP\conf\attribute-resolver.xml the user attributes that must be retrieved from the LDAP server and resolved.

Then specify in C:\ANSIdP\conf\attribute-filter.xml which of the retrieved and resolved user attributes are actually released to the Service Provider.

- Creation of the user login and authentication system

This is done by setting up the Username/Password method on the appropriate LoginHandler element within handler.xml in C:\ANSIdP\conf. The last LoginHandler at the bottom of the file should also be enabled to provide the single sign-on mechanism.

login.config within C:\ANSIdP\conf is the LDAP JAAS configuration file. Its content is defined on the basis of the LDAP server deployment.

- LDAP server installation and deployment

As stated before, instead of deploying the OpenDJ LDAP server alongside the IdP (i.e. in the Windows Server 2003 box), it is deployed alongside the SP (i.e. in the Windows Server 2008 box).

The installation process is similar to the one in the primary implementation, apart from the FQDN, which is set to lonfp2.ans.local in this case, and the base DN, whose first component is dc=example.

The overview of these installation settings is:

• Fully Qualified Hostname: lonfp2.ans.local

• Base DN: dc=example,dc=com

• Root User DN: cn=Directory Manager

• Password: somepassword

• LDAP URL: lonfp2.ans.local or 172.28.28.31

• Port: 389

• Administration Connector Port: 4444

• LDAP secure access: disabled

• Runtime options: default

• Directory data: dc=example,dc=com, and import of the 20 template entries

• Start server when configuration has completed: enabled

• Run the server as a Windows service: disabled

As the LDAP server and the IdP are not in the same box, the LDAP connection handler is configured to listen on the SP-box IP address 172.28.28.31 so that it accepts remote connections from the IdP box, whose IP address is 172.28.28.33. That configuration is achieved by running C:\OpenDJ-2.7.0-20130627\opendj\bat\dsconfig.bat on the command line, authenticating with the installation parameters and following the prompts to add and enable the IP address 172.28.28.31 and the port 389 within the LDAP connection handler. Note that with LDAP secure access disabled, the Directory Manager bind credential and every user password the IdP verifies cross the network between the two boxes in cleartext; this is acceptable for a lab, but a production deployment should enable LDAPS (or StartTLS) and bind the IdP with a read-only service account rather than cn=Directory Manager.

- IdP connection to the LDAP server

This is done in attribute-resolver.xml by defining the LDAP connector within the DataConnector element, in accordance with the LDAP installation and configuration above:

    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://lonfp2.ans.local:389"
        baseDN="dc=example,dc=com"
        principal="cn=Directory Manager"
        principalCredential="somepassword">
        <FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>

- Login and authentication configuration

This is achieved in C:\ANSIdP\conf\login.config, in accordance with the LDAP server installation above. The configuration is:

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldap://lonfp2.ans.local:389"
            base="dc=example,dc=com"
            ssl="false"
            userField="uid"
            subtreeSearch="true"
            principal="cn=Directory Manager"
            ServiceCredential="somepassword";
    };
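The DataConnector in attribute-resolver.xml and the JAAS module in login.config describe the same directory twice, and a typo in one of them produces a confusing failure: either the user authenticates but receives no attributes, or attribute lookup would work but the login fails. As an added example (written for this edit, not code from the original guide or from Shibboleth), the script below parses both fragments as quoted in the text, embedded here as constructed sample input, and reports any difference in server URL, base DN, bind DN or naming attribute, together with a warning wherever the connection is cleartext LDAP. The vt-ldap option names it looks at (ldapUrl, base, principal, userField, ssl, tls) are the ones used in the text and in the library's JAAS documentation.

```python
"""Cross-check the LDAP settings the IdP authenticates with (login.config,
JAAS) against those it resolves attributes with (attribute-resolver.xml).
Added example for this edit, not code from the original guide or from
Shibboleth; the two configuration fragments below are the ones quoted in the
text, embedded here as constructed sample input."""
import re
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
DC_NS = "urn:mace:shibboleth:2.0:resolver:dc"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: the DataConnector from the text, wrapped in a minimal
# AttributeResolver root so that it parses on its own.
ATTRIBUTE_RESOLVER_XML = f"""<resolver:AttributeResolver xmlns:resolver="{RESOLVER_NS}"
    xmlns:xsi="{XSI_NS}">
  <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
      xmlns="{DC_NS}"
      ldapURL="ldap://lonfp2.ans.local:389"
      baseDN="dc=example,dc=com"
      principal="cn=Directory Manager"
      principalCredential="somepassword">
    <FilterTemplate><![CDATA[ (uid=$requestContext.principalName) ]]></FilterTemplate>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""

# Constructed sample: the login.config from the text.
LOGIN_CONFIG = """ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://lonfp2.ans.local:389"
        base="dc=example,dc=com"
        ssl="false"
        userField="uid"
        subtreeSearch="true"
        principal="cn=Directory Manager"
        ServiceCredential="somepassword";
};
"""


def norm(value):
    """Normalise DNs and URLs for comparison: trim, collapse ', ' and lowercase."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()


def ldap_connectors(resolver_xml):
    """Yield one dict per LDAPDirectory DataConnector in attribute-resolver.xml."""
    root = ET.fromstring(resolver_xml)
    for dc in root.iter(f"{{{RESOLVER_NS}}}DataConnector"):
        if dc.get(f"{{{XSI_NS}}}type") != "LDAPDirectory":
            continue
        tmpl = dc.find(f"{{{DC_NS}}}FilterTemplate")
        filt = (tmpl.text or "") if tmpl is not None else ""
        attr = re.match(r"\s*\(\s*([\w-]+)\s*=", filt)   # '(uid=...' -> 'uid'
        yield {
            "id": dc.get("id", "?"),
            "url": dc.get("ldapURL", ""),
            "base": dc.get("baseDN", ""),
            "bind_dn": dc.get("principal", ""),
            "user_attr": attr.group(1) if attr else "",
        }


def jaas_options(login_config, entry="ShibUserPassAuth"):
    """Return the key="value" options of the named JAAS entry with the keys
    lowercased, since the option names are written inconsistently in the wild."""
    block = re.search(rf"{entry}\s*\{{(.*?)\}};", login_config, re.S)
    if block is None:
        raise ValueError(f"no JAAS entry named {entry}")
    pairs = re.findall(r'([A-Za-z]\w*)\s*=\s*"([^"]*)"', block.group(1))
    return {key.lower(): value for key, value in pairs}


def compare(resolver_xml, login_config):
    """Return (mismatches, warnings).  An empty mismatch list means login and
    attribute lookup use the same server, subtree, bind identity and naming
    attribute; warnings flag cleartext LDAP, which both samples use."""
    opts = jaas_options(login_config)
    checks = [("url", "ldapurl"), ("base", "base"),
              ("bind_dn", "principal"), ("user_attr", "userfield")]
    mismatches, warnings = [], []
    for dc in ldap_connectors(resolver_xml):
        for key, opt in checks:
            left, right = norm(dc[key]), norm(opts.get(opt, ""))
            if left != right:
                mismatches.append(f"{dc['id']}: {key} {left!r} != login.config {opt} {right!r}")
        if dc["url"].lower().startswith("ldap://"):
            warnings.append(f"{dc['id']}: bind credential and attributes travel over cleartext LDAP")
    plain = opts.get("ldapurl", "").lower().startswith("ldap://")
    if plain and opts.get("ssl", "false").lower() != "true" and opts.get("tls", "false").lower() != "true":
        warnings.append("login.config: user passwords travel over cleartext LDAP")
    return mismatches, warnings


if __name__ == "__main__":
    found, warned = compare(ATTRIBUTE_RESOLVER_XML, LOGIN_CONFIG)
    for line in found:
        print("MISMATCH", line)
    for line in warned:
        print("WARNING", line)
```

With the two fragments as quoted, the script reports no mismatch and two cleartext warnings. Replacing base="dc=example,dc=com" in login.config with a narrower subtree such as ou=people,dc=example,dc=com makes it flag the base DN difference, which is the kind of drift that is hard to spot by eye once the files grow.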

- Enabling the JAAS and LDAP components to write to idp-process.log

Modify C:\ANSIdP\conf\logging.xml by adding the following logger entries:

    <logger name="edu.vt.middleware.ldap.jaas.JaasAuthenticator" level="DEBUG" />
    <logger name="edu.vt.middleware.ldap" level="DEBUG"/>

This helps to diagnose JAAS- and LDAP-related errors and mistakes. The DEBUG level is meant for troubleshooting: it is verbose, so set it back to a quieter level once the deployment works.

- Configuration and customization of the ANS-IdP login page

As in the primary implementation, the file to be modified is login.jsp, located at \shibboleth-identityprovider-2.4.0-bin\shibboleth-identityprovider-2.4.0\src\main\webapp in the IdP installation package. The login.jsp of the current implementation is also included in the Appendix. After the modification, the IdP installation is updated as in the primary implementation.

- Configuration and customization of the ANS-IdP logout page

This part was not covered in the primary implementation because configuring the logout page mirrors configuring the login page: logout.jsp, in the same directory, is edited accordingly and the change is applied the same way. A link back to the login page and other options are also configured in that JSP file to make the browsing interface more convenient.

The result of configuring both the login page and the logout page is shown in the initial SSO and logout tests, and the configuration contents are in the Appendix.

6.2.6 Integration of many protected resources to Shibboleth, SSO & logout tests
