Setting up a new Shibboleth IdP to work with an existing SAML SP

To answer your five (5) questions, and without loss of generality, we assume that

(I) the metadata file of the SAML IdP is idpsaml-metadata.xml

(II) the metadata file of the SAML SP is sp-example-org.xml

Q&A

  1. Where to put the SP XML information in the IdP installation

Answer: /opt/shibboleth-idp/metadata/sp-example-org.xml (this is the path that the metadata provider entry in metadata-providers.xml points at).

  2. Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)

Answer: The SP's metadata file already contains the SP certificate(s) (in its KeyDescriptor elements), so there is no separate certificate file to install.
The SAML IdP extracts the SP's signing and encryption certificates from the SP's metadata (e.g., sp-example-org.xml). Because that file is the IdP's trust anchor for the SP, obtain it from the SP operator over a trusted channel and keep it writable only by the IdP administrator.

  3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)

Answer: The default setup of the Shibboleth IdP generates the IdP's signing and encryption key pairs (under /opt/shibboleth-idp/credentials/) and an IdP metadata file that contains the matching certificates. You do not hand the certificates to the SP separately; the SP reads them from the IdP metadata.

You need to place the IdP's metadata file (e.g., idpsaml-metadata.xml) in the SAML SP's configuration directory, e.g., /etc/shibboleth/idpsaml-metadata.xml, and reference it from shibboleth2.xml.

  4. Where the IdP login path is

Answer: The IdP login paths are the SingleSignOnService endpoints published in the IdP's metadata; the SP chooses one by its Binding. A SAML SP commonly sends its authentication request to the HTTP-POST endpoint, e.g.,

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://IdP-Server-URL/idp/profile/SAML2/POST/SSO"/>

You also need to configure the Shibboleth IdP for LDAP user authentication and attribute resolution, which involves these files:

/opt/shibboleth-idp/conf/idp.properties

/opt/shibboleth-idp/conf/ldap.properties

/opt/shibboleth-idp/conf/attribute-filter.xml

/opt/shibboleth-idp/conf/attribute-resolver-full.xml

  5. Whether or not there's anything else I need to configure to get the two talking

Answer: For the SAML IdP to authenticate users for the SAML SP, the two sides must exchange metadata: the IdP loads the SP's metadata and the SP loads the IdP's metadata.
Then register each side in the other's configuration:

SAML IdP
/opt/shibboleth-idp/conf/metadata-providers.xml

/opt/shibboleth-idp/conf/relying-party.xml

SAML SP

/etc/shibboleth/shibboleth2.xml

/etc/shibboleth/attribute-map.xml
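The fragments below tie together the files listed under questions 4 and 5 for the assumed idpsaml-metadata.xml / sp-example-org.xml pair. They are an added example, not configuration taken from the original post or shipped by the Shibboleth project: the SP entityID https://sp.example.org/shibboleth, the IdP entityID https://idp.example.org/idp/shibboleth, and the released attribute uid are assumptions and must be replaced with the values from your own metadata and attribute resolver.

```xml
<!-- /opt/shibboleth-idp/conf/metadata-providers.xml, inside the top-level
     ChainingMetadataProvider: load the SP's metadata (and thus its
     certificates) from the local file placed under metadata/. -->
<MetadataProvider id="SPExampleOrg" xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/sp-example-org.xml" />

<!-- /opt/shibboleth-idp/conf/attribute-filter.xml: release only the
     attributes this SP needs, scoped to this SP by its entityID
     (https://sp.example.org/shibboleth and the attribute ID "uid" are
     assumptions for this example). -->
<AttributeFilterPolicy id="releaseToSPExampleOrg">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<!-- /etc/shibboleth/shibboleth2.xml, inside <ApplicationDefaults>/<Sessions>:
     send users to this IdP. The entityID (assumed here) must match the
     EntityDescriptor entityID attribute in idpsaml-metadata.xml. -->
<SSO entityID="https://idp.example.org/idp/shibboleth">
    SAML2
</SSO>

<!-- /etc/shibboleth/shibboleth2.xml, inside <ApplicationDefaults>: load the
     IdP's metadata from the local file (path is relative to /etc/shibboleth). -->
<MetadataProvider type="XML" validate="true" path="idpsaml-metadata.xml" />

<!-- /etc/shibboleth/attribute-map.xml: map the SAML attribute the IdP sends
     (uid by its standard OID) to a local attribute name the web
     application can read. -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />
```

Run `shibd -t` on the SP host to validate shibboleth2.xml before restarting shibd. Keeping the filter policy keyed to the SP's entityID means a second SP added later receives nothing until it gets its own policy, which is the least-privilege default you want.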

Remarks:

The GitHub repository "How to build and run Shibboleth SAML IdP and SP using Docker container" provides sample configuration files for the Shibboleth IdP and SP.
