Abstract
Active Directory Federation Services (ADFS) and Shibboleth are two federation technologies that
allow web browser users in one organization to access web-based applications in another.
Shibboleth is open source software developed by Internet2, a US-based advanced networking
consortium, and ADFS is a component of Microsoft's Windows Server 2003 R2 and Windows
Server 2008 systems.
This step-by-step guide walks you through how to configure the federation relationships between
Microsoft and Internet2 technologies in a test lab environment. This guide assumes an already
existing set of ADFS machines and then describes, in detail, the process to install and configure
Shibboleth to work as both an Identity Provider (IdP) to an ADFS FS-R (resource federation
server) and as a Service Provider (SP) to an ADFS FS-A (account federation server). The
platform chosen for this Shibboleth test lab was Debian 4.0 (etch) which uses a software
repository system and thus the installation instructions may need adjusting for other platforms.
The post-installation configuration steps, however, are applicable across other platforms.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, SharePoint, MS-DOS, Windows, Windows NT, and Windows Server
are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
ADFS Step-by-Step Guide: Federation with Shibboleth Federation Services.................................5
About this guide........................................................................................................................... 5
Prerequisites and requirements............................................................................................... 5
Introduction........................................................................................................................... 7
Active Directory Federation Services.......................................................................................8
Shibboleth................................................................................................................................ 9
Overcoming the language barrier........................................................................................... 11
Preparing the environment.................................................................................................. 14
Configure connectivity........................................................................................................ 14
Perform the following steps on ldp.contoso.com.................................................................15
Configure sample Web applications....................................................................................18
Step 1: Configuring ADFS as the Account Partner (Scenario 1)...................................................19
Configure the ADFS Account Federation Server (FS-A)........................................................20
Configure the trust policy....................................................................................................... 20
Token-signing certificate......................................................................................................... 21
Organizational claims............................................................................................................. 22
Account stores....................................................................................................................... 22
Define a resource partner...................................................................................................... 23
Configure outgoing claim mappings.......................................................................................23
Step 2: Configuring and Testing Shibboleth as the Service Provider (Scenario 1)........................24
Perform the following steps on sp.contoso.com.....................................................................24
Testing the Federation Scenario 1..........................................................................................29
Step 3: Configuring Shibboleth as the Identity Provider (Scenario 2)...........................................30
Configure the Shibboleth IdP................................................................................................. 30
Step 4: Configuring and Testing ADFS as the Resource Partner (Scenario 2).............................36
Confirming the trust policy...................................................................................................... 36
Add a new account partner.................................................................................................... 37
Test the Federation Scenario 2..............................................................................................37
Appendix A: Preparing the SP Debian Platform............................................................................38
Appendix B: Setting up Apache 2.2.3............................................................................................ 38
Appendix C: Installing a Shibboleth SP.........................................................................................40
Appendix D: Trace log of HTTP Headers SP to FS-A...................................................................45
Appendix E: Installing Tomcat and Apache 2.2.3..........................................................................55
Note
N.B. A complete set of virtual machines for the ADFS deployment, as described above, can
be created by completing the Step-by-Step Guide for Active Directory, which is
located at the following link: http://go.microsoft.com/fwlink/?LinkID=125831.
The details of each computer are described in the following table:
Computer name | ADFS role                               | IP settings                                        | DNS settings
adfsclient    | Client                                  | IP address: 192.168.1.1, Subnet mask: 255.255.255.0 | Preferred: 192.168.1.3, Alternate: 192.168.1.4
adfsweb       | Web server                              | IP address: 192.168.1.2, Subnet mask: 255.255.255.0 | Preferred: 192.168.1.4
adfsaccount   | Federation server and domain controller | IP address: 192.168.1.3, Subnet mask: 255.255.255.0 | Preferred: 192.168.1.3
adfsresource  | Federation server and domain controller | IP address: 192.168.1.4, Subnet mask: 255.255.255.0 | Preferred: 192.168.1.4
Note
Make sure to set both the preferred and alternate Domain Name System (DNS) server
settings on the client. If both types of values are not configured as specified, the ADFS
scenario will not function.
Note
All four computers from the original ADFS Step-by-Step Guide are used in this
deployment. However, a single ADFS federation server can perform both the account and
the resource federation server roles, which eliminates one computer from the
deployment, if necessary. If you use this configuration, move the client computer to the
Trey Research domain, and add Adam Carter to Active Directory in Trey Research.
In addition, you must have two virtual machines that are running Debian 4.0 (etch) or a platform
of your choice, but one on which you can install the ADFS extensions.
Notes
Both scenarios presented in this step-by-step guide (Shibboleth as an SP and then as an
IdP) require that the Debian platforms are already installed, along with Shibboleth,
Tomcat, Apache, and OpenLDAP. Instructions for installing each of these components are
provided in the appendices.
If you plan to configure virtual machines exactly as used for this document, follow the
appendices where appropriate and then return to the correct step in the main body of the
instructions.
The scenarios will guide you through the process of setting up the public key
infrastructure (PKI) requirements for federation on the Shibboleth partner by using a root
certification authority (CA). Since certificate revocation lists will not be available,
Appendix I: Disabling CRL Checking also shows you how to disable CRL checking, which
is necessary to ensure that ADFS works successfully with this guide.
Platform          Shibboleth role            IP settings
SP.contoso.com    Service Provider (SP)      192.168.1.5
IdP.contoso.com   Identity Provider (IdP)    192.168.1.6
By using these six computers, the guide configures federation between the two fictitious
companies.
This guide presents two scenarios:
Scenario 1: Shibboleth acts as the service provider (SP) protecting a Web resource, with ADFS
acting as the account federation server (FS-A) for the user
Scenario 2: Shibboleth acts as the account provider (IdP) to access ADFS protected
resources on a resource federation server (FS-R)
Introduction
Federated identity and access management builds on the Web Services technology wave, which
describes the technology and business arrangements necessary for richly connecting users,
applications, and systems within and across organizational boundaries, by using the Internet and
its associated standard communication mechanisms. Participants in federated systems may use
different technologies with different security approaches and programming models, yet they can
still integrate their businesses without substantial custom integration. In this federated system,
each organization continues to manage its own identities, but is capable of securely sharing and
accepting identities and credentials from other organizations. The goal of federated identity is to
allow businesses and partners that trust each other in the real world to mirror that trust in their
digital systems.
A number of federation technologies have been developed that are designed to exchange identity
information, in the form of claims, across organizational boundaries to allow Single Sign-On
(SSO) and authorization to Web-based applications. They provide a secure framework to transmit
attributes about a Web-browsing individual to local or remote Web resources. When a user
accesses a resource by using federated identity, the user's own home domain can send
information about that user to the resource, which can then be used to determine appropriate
access to the resource.
ADFS and Shibboleth are examples of these federation technologies, and this guide documents
step-by-step guidance for configuring interoperability between them. We first give an overview of
the two technologies, followed by a brief discussion of terminology (Overcoming the language
barrier).
Federation and Web SSO. When an organization uses the Active Directory directory service,
it benefits from SSO functionality through Windows integrated authentication within the
organization's security or enterprise boundaries. ADFS extends this functionality to Internet-facing
applications, which enables customers, partners, and suppliers to have a similar,
streamlined, Web SSO user experience when they access the organization's Web-based
applications. Furthermore, federation servers can be deployed in multiple organizations to
facilitate business-to-business (B2B) federated transactions between partner organizations.
request. Organizations can use this extensibility to modify ADFS to coexist with their current
security infrastructure and business policies.
Shibboleth
Shibboleth is a project of Internet2/MACE concerned with the development of architectures,
policy structures, practical technologies, and an open source federation implementation to
support inter-institutional sharing of Web resources subject to access controls. Its primary
audience is within the education and research sector.
Internet2 is a U.S. advanced networking consortium led by the education and research
community, comprising universities, partner organizations, laboratories, government agencies
and other institutions of higher learning.
The Shibboleth team consists of Internet2 and a group of campus middleware architects from
Internet2 member schools and corporate partners. Organizations that collaborate in its
development include national and international higher education institutions, their partners,
content providers, and government agencies.
Key concepts within Shibboleth include:
Federated Administration. The Identity Provider (origin) campus (home to the browser user)
provides attribute assertions about that user to the Service Provider (target) site. A trust fabric
exists between campuses that allows each site to identify the other speaker and assign a trust
level. Identity Provider sites are responsible for authenticating their users, but can use any
reliable means to do this.
Access Control Based On Attributes. Access control decisions are made using those
assertions. The collection of assertions might include Identity, but many situations will not
require this. (For example, it allows you to access a resource licensed for use by all active
members of the campus community, and to access a resource available to students in a
particular course.)
Active Management of Privacy. The Identity Provider (origin) site and the browser user
control what information is released to the Service Provider (target). A typical default is merely
"member of community." Individuals can manage attribute release via a Web-based user
interface. Users are no longer at the mercy of the target's privacy policy.
A Framework for Multiple, Scalable Trust and Policy Sets (Federations). Shibboleth
uses Federations to specify a set of parties who have agreed to a common set of policies. (A
site can be in multiple Federations, though.) This moves the trust framework beyond bilateral
agreements, while providing flexibility when different situations require different policy sets.
The Shibboleth software implements the OASIS SAML v1.1 specification, but in December 2005,
Internet2 announced that it developed a new extension of Shibboleth to support
Windows Server 2003 R2 by using WS-Federation, the passive requestor profile, and the passive
responder interoperability profile.
The new extension, which was implemented in Shibboleth versions 1.3c and later, provides
interoperability with ADFS by allowing sites that are using ADFS to participate in Shibboleth-based
federations and vice versa.
These terms are similar and tend to be used interchangeably. An attribute can be thought of as a
piece of information that describes something about a user; their name, affiliation etc. That piece
of information is passed to a federation partner in the form of a claim. However, claims could also
include other information, for example, that a user authenticated at a particular time, or that they
used a particular authentication strength.
Account federation server (Shibboleth: IdP)
Federation servers in the account partner are used to authenticate local user accounts and then
issue security tokens that can be used to access Web-based applications that are hosted in
resource partners. In addition, federation servers in the account partner issue cookies to users to
maintain login status. These cookies enable SSO capabilities so that users do not have to enter
credentials each time that they visit different Web-based applications in the resource partners.
In ADFS, the account partner is known as the account federation server (FS-A). In Shibboleth, it
is known as the Identity Provider or IdP.
Resource federation server (Shibboleth: SP)
Federation servers at the resource partner validate the security tokens that are issued by the
federation servers at the account partner. Federation servers at the resource partner also issue
security tokens that are meant for the Web-based applications in the resource partner. In addition,
federation servers in the resource partner issue cookies to the user accounts, which come from
the account partner. These cookies enable SSO capabilities so that users do not have to log in
again at their federation servers in the account partner when the users attempt to access different
Web-based applications at the resource partner.
In ADFS, the resource partner is known as the resource federation server (FS-R). In Shibboleth, it
is known as the service provider (SP).
Trust Policy (Shibboleth: Metadata)
Trust policies, expressed as XML metadata in Shibboleth, are what the federation partners use
to find each other and establish secure communications. As a minimum, they contain the unique
names of the federation partners, the Internet addresses where requests should be sent, and the
certificates that should be used to validate the SAML tokens that are exchanged.
An ADFS server defines itself to its federation partners through a trust policy which is set up and
viewed in the ADFS administration console. It can be exported to an XML file for easy import into
another ADFS server. Each ADFS server can act as both an FS-A and an FS-R and the trust
policy contains the details for both. Federation partners will automatically select the correct
options when they import the trust policy XML file during federation partner configuration.
A Shibboleth implementation defines itself to its federation partners through metadata in
metadata.xml files which can be loaded into another Shibboleth system. Typically, a Shibboleth
system is either an IdP or an SP.
Organizational Claims (Shibboleth: resolver.xml)
Organizational claims are the superset of claims that an organization wishes to pass to/receive
from its federation partners. A specific federation partnership may only require a subset of the
available organizational claims.
In ADFS, organizational claims are defined within an organization's trust policy in the
administration console. They are defined as one of two types: group or custom.
In Shibboleth the superset of claims that may be released by the system is declared in the XML
file resolver.xml. All claims in Shibboleth are analogous to the custom claim type in ADFS.
Account Stores (Shibboleth: resolver.xml)
Neither ADFS nor Shibboleth stores information about users itself. They both rely on separate
identity stores to provide valid identity information. ADFS can retrieve identity information from
Active Directory or Active Directory Application Mode (ADAM) in order to populate claims.
Account stores are defined under the organization's trust policy and define mappings between
each claim and the directory source of the information required to populate it. Typically, this would
be an attribute or group(s).
In Shibboleth, the mapping of claims back to an identity store is handled by the XML file
resolver.xml. It defines the type of store, along with appropriate connection information as well as
the attribute/claim mappings. Typically, it will use an LDAP directory or a database as the identity
store. For this proof of concept, we used a simple MySQL database.
Federation Partners
An ADFS server defines its federation partners through the ADFS administration console.
Federation partners are defined as either Account Partners or Resource Partners.
Shibboleth defines its federation partners through metadata.xml files. They are either Identity
Providers (IdP) or Service Providers (SP). Each partner may be defined in a separate XML file, or
the entire federation may be combined into a single XML file. This makes it relatively
straightforward to implement a new Shibboleth system with full knowledge of the entire federation
that it is joining.
Claims Mapping (Shibboleth: Attribute Acceptance Policy & Attribute Release Policy)
Attribute names used internally within an institution may differ from those exchanged over
the wire between federation partners. A mapping process can be configured to map the internal
attribute names to the names agreed between the federation partners.
Outgoing Claims
ADFS FS-A sets up outgoing claims as part of the Resource Partner definition in the ADFS
administration console. This configuration is known as outgoing group and custom claims
mapping. The Shibboleth IdP uses its Attribute Release Policy as defined in the arps.site.xml
configuration file.
Incoming Claims
The ADFS FS-R sets up incoming claims as part of the Account Partner definition in the ADFS
administration console. It is known as incoming claims mapping. The Shibboleth SP uses its
Attribute Acceptance Policy as defined in the AAP.xml configuration file.
Home Realm Discovery (Shibboleth: Where are you from (WAYF)?)
Shibboleth supports, as part of its architecture, the concept of a centralized discovery service
called the Where are you from? or WAYF server. When a user attempts to access a Shibbolethprotected resource, they can be directed to the WAYF server which will ask them where they are
from (their home domain) and then redirect them to the Identity Provider for that domain.
13
ADFS does not have an equivalent component, but relies instead on each FS-R that performs
home realm discovery itself, based on the FS-A that it knows about; for example, the bilateral
agreements that have been set up with its federation partners.
This does not have to look any different from the Web users perspective but will rely on a
common implementation of an ADFS home realm discovery Web page across the federation.
Shibboleth
Note
Important: For the remainder of this guide the coding steps you should follow are
detailed in a shaded boxed format. Code values of interest are shown in italicized text.
Configure connectivity
Establish IP Connectivity
Ensure that the following computers have IP connectivity:
export CA=/root/CA
mkdir $CA
Root CA
Notes
Now that we have a root CA, we are in a position to create the SSL and token-signing
certificate necessary for Shibboleth as an IdP. When configuring Shibboleth as an SP,
only an SSL certificate is required.
Note that with ADFS a token-signing certificate is always required, irrespective of the role
of the federation server. However, with Shibboleth the SP does not re-write and re-sign
the SAML token as does the ADFS FS-R. Therefore, no token-signing certificate is
required by the Shibboleth SP.
Generate a certificate for IdP.contoso.com to be used for both SSL and token-signing purposes,
send the certificate signing request (idp.contoso.com.csr) to the CA (which in this lab is on the
same server) and copy it to /root/ca.
Note
It is perfectly possible to create two separate certificates, one for each purpose, but since
they are both for server authentication, one will suffice here.
export PKI=/etc/pki/
mkdir $PKI
export C=idp.contoso.com
openssl req -out $PKI/$C.csr -pubkey -new -keyout $PKI/$C.key -nodes
...
Common Name (eg, YOUR name) []:idp.contoso.com
...
The certificate must now be signed by using the private key of the root CA you created above. To
do this, follow these steps.
export C=idp.contoso.com
Copy the signed certificate to an appropriate location, in this case /etc/pki on the IdP.
cp $CA/$C.crt $PKI/
Note
In order for our Tomcat Web server to use the certificate created and signed above it
must be presented in pkcs12 format.
Create a pkcs12 format for it, needed for the Tomcat Web server.
export PKI=/etc/pki/
mkdir $PKI
export C=sp.contoso.com
openssl req -out $PKI/$C.csr -pubkey -new -keyout $PKI/$C.key -nodes
...
Common Name (eg, YOUR name) []:sp.contoso.com
...
Send the certificate signing request (sp.contoso.com.csr) to the CA (on IdP.contoso.com) and
copy it to /root/ca.
Perform the following steps on IdP.contoso.com
Sign the certificate signing request.
export C=sp.contoso.com
Copy the certificate you signed to $PKI (i.e. /etc/pki) on the SP.
[We copied it across the two virtual machines via the host computer]
Note
You must be logged onto the client desktops as an Administrator to perform these
actions.
To add host names and addresses to the ADFS client and host computers
1. Locate the hosts file. In Windows XP, the location of the file is
C:\windows\system32\drivers\etc\hosts.
2. Right-click the file, and then click Open. Choose Notepad to open the file.
3. On the ADFS client computer, add this line under the localhost entry:
192.168.1.5 sp.contoso.com
192.168.1.6 idp.contoso.com
4. On the client computer used to test access to a resource protected by an FS-R (for this
guide the local host machine was used), add the following entries to the hosts file:
192.168.1.2 adfsweb.treyresearch.net
192.168.1.4 adfsresource.treyresearch.net
192.168.1.5 sp.contoso.com
192.168.1.6 idp.contoso.com
mkdir /var/www/secure
<!--#printenv -->
The ADFS FS-A defines itself, its own configuration, and that of its resource partners in the trust
policy. The trust policy is managed using the ADFS snap-in to the Microsoft Management Console
(MMC).
Token-signing certificate
The FS-A uses a token-signing certificate to sign the SAML tokens it passes to the SP. This has
to be included in the partner metadata XML file (adatum-metadata.xml) on the Shibboleth side so
that incoming SAML tokens can be verified by the SP. It can be extracted from the exported trust
policy XML file and pasted into the Shibboleth metadata.
Follow this procedure to export the A. Datum trust policy to an XML file and copy the token-signing
verification certificate data to a file to be transferred to the Shibboleth SP.
To export the A. Datum trust policy
1. Click Start, point to All Programs, point to Administrative Tools, and then click Active
Directory Federation Services.
2. In the console tree, double-click Federation Service, right-click Trust Policy, and then
click Export.
3. Browse to a location, name the file you will export, and then click Save.
4. Click OK.
5. Open the saved .xml file in Notepad and copy the <X509Certificate> node as shown
below.
<X509Certificate>MIIC0DCCAbygAwIBAgIQ4B+bbxPCYoVPdGkNqYQ79TAJBgUrDgMCHQUAMCgxJjAkBgNVBAMTH
UZlZGVyYXRpb24gU2VydmVyIGFkZnNhY2NvdW50MB4XDTA4MDMyMDIxMDkzOFoXDTA5MDMyMTAzMDkzOFowKDEmMCQ
GA1UEAxMdRmVkZXJhdGlvbiBTZXJ2ZXIgYWRmc2FjY291bnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
QCnjxLNHe1TmGuB/
+lFqNij1ryejrV8rJkjZgwaWNEG1dOisz38piIpTBKNWqNBpGR1JHu8037oCSXghayxX0ChvKGBKVxoZWpVHOORywf
Le/C1TD4x54PjZspfGMbSR/W5LbK5YUwo4TTKi8iLJZVLHfBfaGp9U5viYv79LpLexUea4j3tc8L7qv/imxfHdLhtB
QH5HBZ4/wTOh5/gSVX6AFjpC/kSDQ5LJuScrJr5A4XIlppjWwoSafXNrhzw17iI03yw38n/BokA/t46qmx+z4ui3nz
bTY7sHluarrcqRB9ly8newCUUT1dZb+nhK1YoDoC3UiIOEHg/wqjqweidAgMBAAEwCQYFKw4DAh0FAAOCAQEAlj9xt
te9YK9IB2kc/zQtURYryJV8GxTaYaGkPWI+W3MPK1FNUSSLNLtfknhYpPkAr7PJUjDyaHKF3pOYIkTy7iS8ZVCLIFQ
RnJsMS3j6PQo2IL+RruNDCIFsxg8yWghx7Yref7bUF5Mndc3KggTmDSPqoCGb67Dr0ypwTaGxAfXCUL1gqp4zIV2ys
ILL20VLjra2bV2h0+svca90Ux9bfDOeNaCfPNKiIEEx4tMFUAX0snsAc4ocaRai+MnaO4JjxCYuEdI9Fc7GDRf3Vm0
e9CipWkN4XgXbu74EtMIRQelLQ7z4kIfWGGqmH2UJ/itnAuw/Q6rqpBS0daaEB3FXdQ==</X509Certificate>
Notes
The trust policy can be exported into an XML file for easy import into an ADFS resource
partner. However, the format is not out-of-the-box compatible with the format of the
partner metadata required by Shibboleth, although you should be able to write a
transformation to accomplish this.
In the meantime, the above information from the trust policy is required from the FS-A to
set up the correct metadata (adatum-metadata.xml) in the Shibboleth SP.
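A transformation of the kind the note above mentions, as an added example (written for this guide; it is not Microsoft or Internet2 tooling): it pulls the X509Certificate node out of the exported trust policy, removes the line wrapping Notepad introduces and checks that the base64 still decodes to DER, then emits the A. Datum EntityDescriptor that adatum-metadata.xml needs. The trust policy input is a constructed stand-in containing only the certificate element; the entityID, Scope, SSO location and binding defaults are the values used in this guide.

```python
"""Build the Shibboleth partner metadata for the A. Datum FS-A from an exported
ADFS trust policy. Added example for this guide; not Microsoft or Internet2 code.
The trust policy below is a constructed stand-in: the real export contains far
more, but the only element this guide copies out of it is X509Certificate."""
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"
WSFED = "http://schemas.xmlsoap.org/ws/2003/07/secext"   # binding used in this guide

# Constructed stand-in for a token-signing certificate: a DER SEQUENCE holding 256
# zero bytes. Not a real certificate, only shaped like one for the check below.
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
_WRAPPED_B64 = "\n".join(textwrap.wrap(base64.b64encode(_FAKE_DER).decode(), 64))
SAMPLE_TRUST_POLICY = f"""<?xml version="1.0"?>
<TrustPolicy>
  <X509Certificate>
{_WRAPPED_B64}
  </X509Certificate>
</TrustPolicy>
"""


def extract_signing_cert(trust_policy_xml):
    """Return the first X509Certificate in the export as one line of base64.

    The element is located by local name, so the namespace the export uses does
    not matter. Whitespace from Notepad line wrapping is removed, and the result
    must decode to DER that starts with a SEQUENCE using the long length form
    (0x30 0x82), as every real certificate does. A damaged paste therefore fails
    here instead of later as an unexplained token signature failure on the SP."""
    root = ET.fromstring(trust_policy_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "X509Certificate" and el.text:
            b64 = re.sub(r"\s+", "", el.text)
            try:
                der = base64.b64decode(b64, validate=True)
            except ValueError as exc:
                raise ValueError("X509Certificate is not valid base64") from exc
            if der[:2] != b"\x30\x82":
                raise ValueError("decoded data does not start with a DER SEQUENCE")
            return b64
    raise ValueError("no X509Certificate element in the trust policy")


def build_idp_metadata(cert_b64, entity_id="urn:federation:Adatum", scope="adatum.com",
                       sso_location="https://adfsaccount.adatum.com/adfs/ls/",
                       valid_until="2010-01-01T00:00:00Z"):
    """Emit an EntitiesDescriptor with one WS-Federation IdP entry, mirroring the
    adatum-metadata.xml in this guide (Scope, signing KeyDescriptor, SSO endpoint)."""
    ET.register_namespace("", MD_NS)
    ET.register_namespace("ds", DS_NS)
    ET.register_namespace("shibmd", SHIBMD_NS)
    entities = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor",
                          {"Name": "urn:federation:partners", "validUntil": valid_until})
    entity = ET.SubElement(entities, f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    idp = ET.SubElement(entity, f"{{{MD_NS}}}IDPSSODescriptor",
                        {"protocolSupportEnumeration": WSFED})
    ext = ET.SubElement(idp, f"{{{MD_NS}}}Extensions")
    ET.SubElement(ext, f"{{{SHIBMD_NS}}}Scope").text = scope
    key = ET.SubElement(idp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(key, f"{{{DS_NS}}}KeyInfo"), f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = cert_b64
    ET.SubElement(idp, f"{{{MD_NS}}}SingleSignOnService",
                  {"Binding": WSFED, "Location": sso_location})
    return ET.tostring(entities, encoding="unicode")


def describe_partner(metadata_xml):
    """Read the partner entry back the way the SP's XMLMetadata provider would,
    returning the facts an operator checks before trusting the file."""
    ns = {"md": MD_NS, "ds": DS_NS, "shibmd": SHIBMD_NS}
    entity = ET.fromstring(metadata_xml).find("md:EntityDescriptor", ns)
    idp = entity.find("md:IDPSSODescriptor", ns)
    return {
        "entity_id": entity.get("entityID"),
        "scope": idp.findtext("md:Extensions/shibmd:Scope", namespaces=ns),
        "sso_location": idp.find("md:SingleSignOnService", ns).get("Location"),
        "wsfed": WSFED in idp.get("protocolSupportEnumeration", "").split(),
        "signing_cert": idp.findtext(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
            namespaces=ns),
    }


if __name__ == "__main__":
    print(build_idp_metadata(extract_signing_cert(SAMPLE_TRUST_POLICY)))
```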
Organizational claims
Organizational claims are the superset of claims that the FS-A can pass to resource partners.
Each resource partner definition will reference an agreed subset of the organizational claims, by
using agreed semantics. The adfsaccount.adatum.com computer, which acts as the FS-A, already
has a couple of resource partners, and we will now add a new one for contoso.com. It also has a
number of organization claims, which do not have to be modified or edited for this guide.
Account stores
In order for a federation server to operate as an account partner (FS-A), you must configure an
account store. In our case, the local Active Directory store has already been added and a number
of claims extractions have also already been configured. We will use these existing claims.
Security Principal/Attribute    Organization Claim          Claim type
Authenticated Users             Adatum                      Group
Company                         Affiliation                 Custom
displayName                     DisplayName                 Custom
givenName                       givenName                   Custom
Purchasing Admins@adatum.com    Purchasing Administrator    Group
Purchasing Dept@adatum.com      Purchasing Agent            Group
sn                              Surname                     Custom
telephoneNumber                 Telephone                   Custom
Title                           Position                    Group
TokenAppUser@adatum.com         TokenApp                    Group
userPrincipalName               upn                         Custom (Identity Claim)
10. On the Completing the Add Resource Partner Wizard page, click Finish.
Organization Claim    Claim type    Outgoing Claim Name
Affiliation           Custom        company
DisplayName           Custom        displayName
givenName             Custom        givenName
Position              Custom        title
Surname               Custom        sn
Telephone             Custom        telephone
upn                   Custom        userPrincipalName (Identity Claim)
If you want to create extra outgoing claim mappings, follow these instructions.
Create additional outgoing claim mappings
1. Right-click Contoso, point to New, and then click Outgoing Group Claim Mapping.
2. In Create a New Outgoing Group Claim Mapping, in Organization group claims,
ensure that an appropriate organization claim is specified, in Outgoing group claim
name, type claimName and then click OK.
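The claim flow that the account store and outgoing claim mapping tables above describe, as an added example (model code written for this guide, not ADFS or Shibboleth code): the FS-A populates organization claims from Active Directory, keeps only the ones the Contoso partner definition maps, and the SP's attribute acceptance policy then exports just the identity claim as REMOTE_USER after checking its scope against the IdP's declared Scope. The scope check is a simplified model of what AAP.xml and the metadata Scope element do, and Adam Carter's attributes other than the UPN are constructed.

```python
"""Model of the Scenario 1 claim flow between the A. Datum FS-A and the Contoso SP.
Added example for this guide, not ADFS or Shibboleth code. The mapping tables are
taken from this guide; the SP-side acceptance and scope rule are a simplified
model of AAP.xml plus the IdP's metadata Scope."""

# Account store extractions on adfsaccount.adatum.com (the guide's table):
# AD attribute -> organization custom claim. title/Position is treated as a
# custom claim here, matching the outgoing claim mapping table.
CUSTOM_EXTRACTIONS = {
    "company": "Affiliation",
    "displayName": "DisplayName",
    "givenName": "givenName",
    "sn": "Surname",
    "telephoneNumber": "Telephone",
    "title": "Position",
    "userPrincipalName": "upn",          # identity claim
}
# AD group -> organization group claim (same table).
GROUP_EXTRACTIONS = {
    "Authenticated Users": "Adatum",
    "Purchasing Admins@adatum.com": "Purchasing Administrator",
    "Purchasing Dept@adatum.com": "Purchasing Agent",
    "TokenAppUser@adatum.com": "TokenApp",
}
# Outgoing custom claim mapping in the Contoso resource partner definition:
# organization claim -> claim name sent on the wire to the SP.
OUTGOING_CUSTOM = {
    "Affiliation": "company",
    "DisplayName": "displayName",
    "givenName": "givenName",
    "Position": "title",
    "Surname": "sn",
    "Telephone": "telephone",
    "upn": "userPrincipalName",
}
IDENTITY_CLAIM = "userPrincipalName"


def fsa_organization_claims(ad_entry, ad_groups):
    """FS-A, step 1: populate organization claims from the account store.
    Group claims are boolean (present or absent); custom claims carry a value."""
    claims = {org: ad_entry[attr] for attr, org in CUSTOM_EXTRACTIONS.items()
              if attr in ad_entry}
    claims.update({org: True for grp, org in GROUP_EXTRACTIONS.items() if grp in ad_groups})
    return claims


def fsa_outgoing_claims(org_claims, outgoing_groups=()):
    """FS-A, step 2: only organization claims that the Contoso partner definition
    maps go into the token; everything else stays at home. outgoing_groups names
    group claims added via 'Outgoing Group Claim Mapping' (none by default)."""
    token = {wire: org_claims[org] for org, wire in OUTGOING_CUSTOM.items()
             if org in org_claims}
    token.update({org: True for org in outgoing_groups if org_claims.get(org)})
    return token


def sp_accept(token_claims, idp_scope, accepted=(IDENTITY_CLAIM,)):
    """SP side: apply the attribute acceptance policy. Only claims listed in
    'accepted' reach the web application; the identity claim must in addition
    be scoped to the IdP's metadata Scope (adatum.com in this guide), so this
    IdP cannot assert a user belonging to some other domain. The accepted
    identity claim is exported as REMOTE_USER, as in the guide's AAP.xml."""
    headers = {}
    for name, value in token_claims.items():
        if name not in accepted:
            continue                      # not configured in AAP.xml: dropped
        if name == IDENTITY_CLAIM:
            user, sep, domain = value.rpartition("@")
            if not sep or not user or domain.lower() != idp_scope.lower():
                continue                  # unscoped or out-of-scope identity: rejected
            headers["REMOTE_USER"] = value
        else:
            headers[name] = value
    return headers


def federate(ad_entry, ad_groups, idp_scope="adatum.com"):
    """Run the whole Scenario 1 claim pipeline and return what the SP exports."""
    token = fsa_outgoing_claims(fsa_organization_claims(ad_entry, ad_groups))
    return sp_accept(token, idp_scope)


# Constructed sample account for Adam Carter (only the UPN comes from the guide).
ADAM_CARTER = {
    "userPrincipalName": "adamcar@adatum.com",
    "givenName": "Adam",
    "sn": "Carter",
    "displayName": "Adam Carter",
    "company": "A. Datum",
    "title": "Purchasing Agent",
    "telephoneNumber": "555-0100",
}
ADAM_GROUPS = {"Authenticated Users", "Purchasing Dept@adatum.com"}

if __name__ == "__main__":
    print(federate(ADAM_CARTER, ADAM_GROUPS))   # {'REMOTE_USER': 'adamcar@adatum.com'}
```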
Note
For detailed instruction on how to install Shibboleth as a Service Provider (SP), refer to
Appendix C: Installing a Shibboleth SP and then follow the link back to this location and
follow the steps below.
...
<RequestMapProvider
type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
<RequestMap applicationId="default">
<Host name="sp.contoso.com">
<Path name="secure"
authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapProvider>
...
<Applications id="default" providerId="urn:federation:sp.contoso.com"
homeURL="https://sp.contoso.com"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
...
<CredentialsProvider
type="edu.internet2.middleware.shibboleth.common.Credentials">
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
<FileResolver Id="defcreds">
<Key>
<Path>/etc/pki/sp.contoso.com.key</Path>
</Key>
<Certificate>
<Path>/etc/pki/sp.contoso.com.crt</Path>
</Certificate>
</FileResolver>
</Credentials>
</CredentialsProvider>
Once you have finished the general configuration, you must perform additional Active Directory
Federation Services (ADFS)-specific configuration within the same file
(/etc/shibboleth/shibboleth.xml).
For additional help on this section, visit the following URL: http://go.microsoft.com/fwlink/?LinkID=125821
Edit the file as follows:
<Extensions>
<Library path="/opt/shibboleth-sp/libexec/xmlproviders.so" fatal="true"/>
<Library path="/opt/shibboleth-sp/libexec/adfs.so" fatal="true"/>
</Extensions>
Inside the application section that you want to ADFS-enable, or in the top-level default, locate the
tag <md:AssertionConsumerService> and edit as follows:
Note
The index value in the following must be unique for the set.
Note
The ResponseLocation attribute is used during an Active Directory Federation Services
(ADFS)-initiated Single Sign-On (SSO) logout and specifies where to send the browser
after the session is terminated.
Create a MetadataProvider element for A.Datum
<MetadataProvider
type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
uri="/opt/shibboleth-sp/etc/shibboleth/adatum-metadata.xml"/>
The file it references, adatum-metadata.xml, describes the A.Datum account partner: its
signing certificate and its WS-Federation sign-in endpoint.
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
/opt/shibboleth-sp/share/xml/shibboleth/saml-schema-metadata-2.0.xsd
urn:mace:shibboleth:metadata:1.0 @-PKGXMLDIR-@/shibboleth-metadata-1.0.xsd
http://www.w3.org/2000/09/xmldsig# @-PKGXMLDIR-@/xmldsig-core-schema.xsd"
Name="urn:federation:partners"
validUntil="2010-01-01T00:00:00Z">
<EntityDescriptor entityID="urn:federation:Adatum">
<IDPSSODescriptor
protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
<Extensions>
<shibmd:Scope>adatum.com</shibmd:Scope>
</Extensions>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...B3FXdQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleSignOnService
Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
Location="https://adfsaccount.adatum.com/adfs/ls/"/>
</IDPSSODescriptor>
</EntityDescriptor>
</EntitiesDescriptor>
The Attribute Acceptance Policy is an incoming attribute filter that defines which incoming claims
will be accepted for processing. The only claim we will configure here is
'REMOTE_USER=adamcar@adatum.com' (Identity claim UPN).
Edit /etc/shibboleth/AAP.xml as follows:
<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:1.0 /opt/shibboleth-sp/share/xml/shibboleth/shibboleth.xsd">
</AttributeAcceptancePolicy>
The instructions for installing Shibboleth as an IdP differ slightly from those for an SP, hence
there are two appendices for the install.
For clarification: the IdP is Java-based (it requires a Java runtime environment and a servlet
container, and is therefore cross-platform). The SP, on the other hand, is written in C++ (there
are versions for Unix and Windows) and requires a Web server (Apache or IIS).
<IdPConfig
xmlns="urn:mace:shibboleth:idp:config:1.0"
xmlns:cred="urn:mace:shibboleth:credentials:1.0"
xmlns:name="urn:mace:shibboleth:namemapper:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0
../schemas/shibboleth-idpconfig-1.0.xsd"
AAUrl="https://idp.contoso.com:8443/shibboleth-idp/AA"
resolverConfig="file:/usr/local/shibboleth-idp/etc/resolver.xml"
defaultRelyingParty="urn:federation:partners"
providerId="urn:federation:idp.contoso.com">
The defaultRelyingParty property is simply a custom-defined name for the global metadata within
which each partner will have their own separate section.
Edit the file to add a RelyingParty element matching the defaultRelyingParty name:
<RelyingParty name="urn:federation:partners" signingCredential="cred">
<NameID nameMapping="shm_adfs"/>
</RelyingParty>
Edit the file to add a name mapping element that will generate the user principal name
(UPN) Identity claim for ADFS:
<NameMapping
xmlns="urn:mace:shibboleth:namemapper:1.0"
id="shm_adfs"
format="http://schemas.xmlsoap.org/claims/UPN"
class="edu.internet2.middleware.shibboleth.common.provider.UPNNameIdentifierMapping"
handleTTL="28800" scope="contoso.com"/>
Edit the file to specify a FileResolver for the key pair that will sign the SAML assertions:
<FileResolver Id="cred">
<Key>
<Path>file:/etc/pki/idp.contoso.com.key</Path>
</Key>
<Certificate>
<Path>file:/etc/pki/idp.contoso.com.crt</Path>
</Certificate>
</FileResolver>
Edit the file to add a protocol handler; this is the Shibboleth IdP endpoint for ADFS:
<ProtocolHandler
implementation="edu.internet2.middleware.shibboleth.idp.provider.ADFS_SSOHandler">
<Location>https?://[^:/]+(:443)?/shibboleth-idp/ADFS</Location>
</ProtocolHandler>
Edit the file to add a MetadataProvider element that will reference the metadata file which
contains the trust settings for your ADFS resource partner.
<MetadataProvider
type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
uri="file:/usr/local/shibboleth-idp/etc/treyresearch-metadata.xml"/>
The referenced treyresearch-metadata.xml describes the Trey Research resource partner and
the endpoint to which the IdP will post its assertions:
<EntitiesDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0
../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig#
../schemas/xmldsig-core-schema.xsd"
Name="urn:federation:partners"
validUntil="2010-01-01T00:00:00Z">
<EntityDescriptor entityID="urn:federation:treyresearch">
<SPSSODescriptor
protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
<AssertionConsumerService index="1" isDefault="true"
Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
Location="https://adfsresource.treyresearch.net/adfs/ls/"/>
</SPSSODescriptor>
</EntityDescriptor>
</EntitiesDescriptor>
Next, configure the attribute store. The attributes must be resolved from our SP and linked to an
ID so that the attributes can be understood by Active Directory Federation Services (ADFS) and
used as an identity claim, custom claim or group claim.
Modify the /usr/local/shibboleth-idp/etc/resolver.xml file as follows:
<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:mace:shibboleth:resolver:1.0"
xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver1.0.xsd">
<SimpleAttributeDefinition id="sn"
namespace="http://schemas.xmlsoap.org/claims" sourceName="sn">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="CommonName"
namespace="http://schemas.xmlsoap.org/claims" sourceName="sn">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="mail"
namespace="http://schemas.xmlsoap.org/claims" sourceName="mail">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="Group"
namespace="http://schemas.xmlsoap.org/claims"
sourceName="eduPersonAffiliation">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<JNDIDirectoryDataConnector id="directory">
<Search filter="uid=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
</Search>
<Property name="java.naming.factory.initial"
value="com.sun.jndi.ldap.LdapCtxFactory" />
<Property name="java.naming.provider.url"
value="ldap://localhost/dc=contoso,dc=com" />
<Property name="java.naming.security.principal"
value="cn=admin,dc=contoso,dc=com" />
<Property name="java.naming.security.credentials" value="p@ssw0rd" />
<Property name="java.naming.referral" value="follow" />
<Property name="java.naming.ldap.derefAliases" value="never" />
</JNDIDirectoryDataConnector>
</AttributeResolver>
Once you have configured the resolver as in the above example, you should test it. A test tool
called resolvertest is available for this purpose.
Test the resolver
cd $IDP_HOME/bin
./resolvertest --resolverxml=file:///usr/local/shibboleth-idp/etc/resolver.xml --user=philip
Received the following from the Attribute Resolver:
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AttributeName="mail"
AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>philip@contoso.com</AttributeValue></Attribute>
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AttributeName="sn"
AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>Brusten</AttributeValue></Attribute>
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AttributeName="CommonName"
AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>Brusten</AttributeValue></Attribute>
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AttributeName="Group"
AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>member</AttributeValue><AttributeValue>staff</AttributeValue><AttributeValue>employee</AttributeValue></Attribute>
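The resolvertest output above is what the SimpleAttributeDefinition entries produce: each one copies the values of its sourceName out of the directory entry matched by the data connector's filter and re-labels them with the definition's id and namespace, which is how the LDAP eduPersonAffiliation values become the Group claim that ADFS later maps. The script below is an added example, not code from the guide or from Shibboleth; it models that logic offline against a constructed resolver.xml and a constructed LDIF directory (a subset of the entries defined later in this appendix), so no LDAP server is needed. The JNDI connection properties are omitted because nothing is connected to.

```python
"""Offline model of the Shibboleth 1.3 attribute resolver (added example).

Not code from the guide or from Shibboleth. Reads a resolver.xml of the shape
shown in the guide, applies the data connector's search filter to a small LDIF
directory constructed inline, and emits SAML 1.x <Attribute> elements the way
resolvertest prints them.
"""
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:resolver:1.0"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/claims"

# Constructed resolver.xml with the same attribute definitions as the guide.
RESOLVER_XML = f"""<AttributeResolver xmlns="{RESOLVER_NS}">
  <SimpleAttributeDefinition id="sn" namespace="{CLAIMS}" sourceName="sn">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>
  <SimpleAttributeDefinition id="CommonName" namespace="{CLAIMS}" sourceName="sn">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>
  <SimpleAttributeDefinition id="mail" namespace="{CLAIMS}" sourceName="mail">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>
  <SimpleAttributeDefinition id="Group" namespace="{CLAIMS}" sourceName="eduPersonAffiliation">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>
  <JNDIDirectoryDataConnector id="directory">
    <Search filter="uid=%PRINCIPAL%"/>
  </JNDIDirectoryDataConnector>
</AttributeResolver>"""

# Constructed LDIF: the fields the resolver reads, for two test accounts.
DIRECTORY_LDIF = """dn: uid=philip,ou=people,dc=contoso,dc=com
uid: philip
sn: Brusten
cn: Philip Brusten
mail: philip@contoso.com
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonAffiliation: employee

dn: uid=chris,ou=people,dc=contoso,dc=com
uid: chris
sn: Cox
cn: Chris Cox
mail: chris@contoso.com
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonAffiliation: faculty
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> [values] per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def search(entries, filter_template, principal):
    """Apply an 'attr=%PRINCIPAL%' equality filter; exactly one entry must match."""
    attr, _, pattern = filter_template.partition("=")
    wanted = pattern.replace("%PRINCIPAL%", principal)
    matches = [e for e in entries if wanted in e.get(attr, [])]
    if len(matches) != 1:
        raise LookupError(f"filter {attr}={wanted} matched {len(matches)} entries")
    return matches[0]


def resolve(resolver_xml, ldif_text, principal):
    """Return {attribute id: (namespace, [values])} for the principal."""
    root = ET.fromstring(resolver_xml)
    connectors = {}
    for dc in root.iter(f"{{{RESOLVER_NS}}}JNDIDirectoryDataConnector"):
        filt = dc.find(f"{{{RESOLVER_NS}}}Search").get("filter")
        connectors[dc.get("id")] = search(parse_ldif(ldif_text), filt, principal)
    resolved = {}
    for d in root.iter(f"{{{RESOLVER_NS}}}SimpleAttributeDefinition"):
        dep = d.find(f"{{{RESOLVER_NS}}}DataConnectorDependency").get("requires")
        values = connectors[dep].get(d.get("sourceName"), [])
        if values:  # a definition with no source value is simply not emitted
            resolved[d.get("id")] = (d.get("namespace"), values)
    return resolved


def to_saml(resolved):
    """Serialize as SAML 1.x <Attribute> elements, as resolvertest prints them."""
    out = []
    for name, (ns, values) in resolved.items():
        attr = ET.Element(f"{{{SAML1}}}Attribute", AttributeName=name, AttributeNamespace=ns)
        for v in values:
            ET.SubElement(attr, f"{{{SAML1}}}AttributeValue").text = v
        out.append(ET.tostring(attr, encoding="unicode"))
    return "\n".join(out)


if __name__ == "__main__":
    print(to_saml(resolve(RESOLVER_XML, DIRECTORY_LDIF, "philip")))
```

Running it for philip yields the same four attributes as the resolvertest output above; CommonName and sn both read sn, which is why they carry the same value.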
In order to release these attributes to the partners of this IdP, you have to add the attributes to the
Attribute Release Policy (ARP). To make it simple, we will release all attributes to all trusted
partners.
Edit $IDP_HOME/etc/arps/arp.site.xml
Restart Tomcat.
/etc/init.d/tomcat restart
11. On the Accepted UPN Suffixes page, in Add a new suffix, type contoso.com, click
Add, and then click Next.
12. On the Enable this Account Partner page, click Next.
13. On the Completing the Add Account Partner Wizard page, click Finish.
Install an SSH server, so you can access the server through SSH.
apt-get install openssh-server -y
Install ntpdate and openntpd to synchronize with a time server; Security Assertion Markup
Language (SAML) assertions have to be verified within a given time window, so the clock must be accurate.
apt-get install ntpdate openntpd
Enable the Secure Sockets Layer (SSL) and include modules, then reload Apache.
a2enmod ssl
a2enmod include
apache2ctl graceful
ServerName sp.contoso.com
SSLEngine On
SSLCertificateFile /etc/pki/sp.contoso.com.crt
SSLCertificateKeyFile /etc/pki/sp.contoso.com.key
SSLCertificateChainFile /etc/pki/rootCA.crt
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews +Includes
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
Change /etc/apache2/sites-available/default.
NameVirtualHost *:80
<VirtualHost *:80>
apache2ctl graceful
wget http://shibboleth.internet2.edu/downloads/log4shib/1.0/log4shib-1.0.tar.gz
wget http://apache.spegulo.be/xerces/c/xerces-c-src-current.tar.gz
1.4.0.tar.gz
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/1.1.1/opensaml-1.1.1.tar.gz
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/1.3.1/shibboleth-sp-1.3.1.tar.gz
Xerces
cd $SHIB_INSTALL/xerces-c-src_2_8_0/src/xercesc/
./runConfigure -p linux -r pthread -P $SHIB_HOME
make
make install
XML security
cd $SHIB_INSTALL/xml-security-c-1.4.0/
./configure --without-xalan --prefix=$SHIB_HOME
make
make install
OpenSAML
cd $SHIB_INSTALL/opensaml-1.1.1/
./configure --with-log4shib=$SHIB_HOME --prefix=$SHIB_HOME -C
make
make install
Shibboleth-SP
cd $SHIB_INSTALL/shibboleth-1.3.1
#./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME/
./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME/ --with-apxs22=/usr/bin/apxs2
make
make install
parameters.
#
ShibSchemaDir /opt/shibboleth-sp/share/xml/shibboleth
ShibConfig /opt/shibboleth-sp/etc/shibboleth/shibboleth.xml
#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
<Location /shibboleth-sp>
Allow from all
</Location>
Alias /shibboleth-sp/main.css /opt/shibboleth-sp/share/doc/shibboleth/main.css
Alias /shibboleth-sp/logo.jpg /opt/shibboleth-sp/share/doc/shibboleth/logo.jpg
</IfModule>
#
# Configure the module for content
#
# You can now do most of this in shibboleth.xml using the RequestMap
# but you MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /secure>
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>
apache2ctl configtest
Syntax OK
Reload
apache2ctl graceful
Location: https://adfsaccount.adatum.com/adfs/ls/clientlogon.aspx?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
Content-Length: 521
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
---------------------------------------------------------
https://adfsaccount.adatum.com/adfs/ls/clientlogon.aspx?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
GET
/adfs/ls/clientlogon.aspx?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com
%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation
%3Asp.contoso.com
HTTP/1.1
Host: adfsaccount.adatum.com
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 315
---------------------------------------------------------
https://adfsaccount.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
GET
/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com
%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation
%3Asp.contoso.com
HTTP/1.1
Host: adfsaccount.adatum.com
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
GET
/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com
%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation
%3Asp.contoso.com
HTTP/1.1
Host: adfsaccount.adatum.com
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
GET
/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com
%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation
%3Asp.contoso.com
HTTP/1.1
Host: adfsaccount.adatum.com
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAAAAABAAAAADgAOAEAAAAAMAAwATgAAAAAAAAAAAAAABYIIAGEAZA
BhAG0AYwBhAHIARABQADIAMgAxADgAgQNfUiNpsawAAAAAAAAAAAAAAAAAAAAAY9ChESutgoeXDL5Tj1QR4dIRtv3Z
JnOl
HTTP/1.x 200 OK
Date: Tue, 13 May 2008 15:11:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie:
_WebSsoAuth=eNrNVltzqlwS9adYnseUh7uAlaSGm4gCioCKNVVfbWCDiFwEFPDXfxiTTJJzzkxmnsYXN72btVevbn
r3YwmS45grS1hUUZb231eK+DT4iyR9ghiNqCEJCHRIooQ3ZGnIDAmf8BjSA5QP3EFfKcszVNKyAmn1NMBRlBmi1BAj
LIwaY9iYwHevPsXT4Fyk4wD6sAC3Q8bAB9U5GfQ1cMiKNSzKzvg0wDpDlH42NMkxLcc3tneQDJRROU5BAstx5Y1NTl
PH2E90DN4CGDw/vsQmZKkf3QxlX88qHgZZAf/EsnNYpIuCC6ob148+ozefV1Tu7Ecw9eAKllUReTf894O+uDx/ibnM
f3pZWmVl1v0nj8hn5y/Pv8dHvkT2dqJ/iW4QwA/KbjeLoy4tQTYF5f5Vv9vOXb8k8oqOQlB9oDZ4XgmKe5rixHFDuo
FEMTF2LBj9JBW+8/SI/Ab3ne/r0a/kqz1Mq8h7QTUrUMGke+5/tv+HivnsrMFqn/m/1s8np3EdpX5Wl29JMs/uAXrV
65Pe1Yri37yDCBb9SVYkoDt9X1X5GEFKbw8TUP7sdCozkP/MihDxjiBKSsRe6oPnrlITDxT/uFfsh8x9hn3T4/1o5N
8p8qZX1eXYPVfw68b/QwCfGfbfV7fXngZykZ3zwWdrmQMPfoPX4Cv4GhzP8LnKYpiCPH+T7vPuV+svhg8amlGYdsEW
8F7975Tquv5ZEy9MutpDEZRFOge/jMIfg/tb0L8V+POjANIs7bJ2jK4fyrDPHcOsiKp98gdIDMHQG+QQNt7Qw8j0x6
CPfODzTZhPzIoSDMs9wF6QVjCAxa0/9O2V8jT48b1O/fxoFSAtuw6YlB/W/x0PmF7gMcuhPyzfwnmh9H24P6iDfCQn
RmHX+f4Xnd41ukPcqwaBwPWaZtesJls4IYEdrdJ9YuVLNuz62kfPR+Rd2279sRbes3d3nGUw8eXNg49IlwlkJa4K0w
Bl+U2pRaJZtipZHWKDykym0ZEidnI7tK+iKbnR3BnhM7ySq/0ZCfK5eV03cwQiKGVd3JF92uUZLPQZb0UbnKhEGDdp
QqA7FJFLyCZLfrew26WVacLSqOVRYhq4KE8xHjWwgDKsgLFK6goekHKUamgsNsDnyNrVVudENTKb9keQWe+mO8nC9x
hOnGSJBdL6ihhxOg3ntSJXKBEkk5NOV0vpcGZURs2cY00HiKnsrzbIY1ly2VQR4l0LZnzI2dzxmoSHIEfInPayCUQe
bNLBrLUsx+ec1E3WzQpzutoEIrdXpAZilo+uEJluI53liYiskpxVBYYnz5JePz3dRf8g9OMctvcMbCmUFUEF7ivhds
8Ht5YKnzVFEVBREDi3Dbla4blQMUj+wXWbpeBk66Uvx/rJMWjW4jrOdiGGmjA1bE4TwmZ24GI+1Nc8p1lTe3fcyevW
2a5yFydDG1+3frJuFXkS71J97+D6xd9QqMaTW9HiSE3UWk1UGk2Mr4tJdrNRLzaLu77a6rkoJZpgyBxmS1yj+atkHe
+2s70vHy9uxFvdGt9tldDZrBIPnxwcnMXc1KjDUIo0DpUF8ySbikuIhsRzHWeOVHix5m77cy7rYjWE9NCo+rRTNpHP
PPJw7NIXHbCihYdizRSz+LALa7DRJRnzF1F5JZg8UnKLn+ubk87n8gqbTc8MStCZYG7DPWibLSrsL3OZn6+bbLfJ19
PFYtXWgQoRAbNEsqHI5WFX5oGsueYK2VCqO6ccu85Iy5pHTKTOdmt1GvABkHPWpi6Rc6FZNVdhY0NAHojKY1T6dEGi
pAmmvrqveGNKTfkdidTWYk8hobnejrjJIReQ2BQNSp2dTa+YFRRHbpVjnh82dWaCYKsX+2uN0ZGCEm1NMCnCZzGHVO
TolDQPV/IcEenVtRy6nB7PoCi804pnjy2TwlqwbQvzd+5Dup9jTiZmAmFHykKahkh9OpxqGPlcqPEcJ9WC4UzmNdlV
LzrhuIXAGRJ3PLBNVUHWmbMKj8cecjUq; path=/adfs/ls/; secure;
HttpOnly
Set-Cookie:
_WebSsoAuth0=e+UU7WzNyI0FHCDHy43ysCG05Ryb6LZpqrpaBXG6d/JlzBX0cmYfxBZM5xMiXzhKbLV0ZDK7taAqE
2OVzkrNJA6jpZHhivqwKs66KCiTsgmZdhPuG9opYEC79oTSUt8j5mFoJaK5PGWC7I5osUDbvLaA3HDBVrBVLDzl5FV
Z422pqCqOrtVDAXB3je/Rh/LiARa1G9YNxEV3fQvBUp9HiiQ1ZKVNbG6LlmnJeWTmgRWIHrQULMjZoRGcs+Qr7MSjZ
XEVEOsEhawQ5ZtYJ7fh1j3TpFRpysqAR9Wgr2SsBBtZPiVT3J4hUZVy5xoxRsUp503UB0DiicnWN24f/9cv+265f/X
Ieyf4V494v//f5v5nrPeXN2Ixz0fZocvA7jakGWboYkR3Ofo061MMjXsB0et9nSW7KfsC/ajoxp6saHucyFm29s/Xu
alnDrEhNcSxIYNSJImPOkycoFmSwFgUGxIjjMYIlCWIIdb9ej2s961Rtfeb4beH97jer+NaT+xZBWz71m0+4vK8L9y
mqL8BreGmEw==; path=/adfs/ls/; secure;
HttpOnly
Set-Cookie: _LSCleanup=2008-05-13:15:11:32Zr0urn:federation:sp.contoso.com;
path=/adfs/ls/; secure;
HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 4811
---------------------------------------------------------https://sp.contoso.com/Shibboleth.sso/ADFS
wa=wsignin1.0&wresult=%3Cwst%3ARequestSecurityTokenResponse+xmlns%3Awst%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%3E%3Cwst%3ARequestedSecurityToken%3E
%3Csaml%3AAssertion+AssertionID%3D%22_44d33665-4a30-403c-97e8-3d3c84ca5dab%22+IssueInstant
%3D%222008-05-13T15%3A11%3A32Z%22+Issuer%3D%22urn%3Afederation%3Aadatum%22+MajorVersion%3D
%221%22+MinorVersion%3D%221%22+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Aassertion%22%3E%3Csaml%3AConditions+NotBefore%3D%222008-05-13T15%3A11%3A32Z
%22+NotOnOrAfter%3D%222008-05-13T16%3A11%3A32Z%22%3E%3Csaml%3AAudienceRestrictionCondition
%3E%3Csaml%3AAudience%3Eurn%3Afederation%3Asp.contoso.com%3C%2Fsaml%3AAudience%3E%3C
%2Fsaml%3AAudienceRestrictionCondition%3E%3C%2Fsaml%3AConditions%3E%3Csaml%3AAdvice%3E
%3Cadfs%3ACookieInfoHash+xmlns%3Aadfs%3D%22urn%3Amicrosoft%3Afederation
%22%3ERCIbqH23lW4bfE58k1lr8NqErdY%3D%3C%2Fadfs%3ACookieInfoHash%3E%3C%2Fsaml%3AAdvice%3E
%3Csaml%3AAuthenticationStatement+AuthenticationInstant%3D%222008-05-13T15%3A11%3A32Z
%22+AuthenticationMethod%3D%22urn%3Afederation%3Aauthentication%3Awindows%22%3E%3Csaml
%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org
%2Fclaims%2FUPN%22%3Eadamcar%40adatum.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml
%3ASubject%3E%3C%2Fsaml%3AAuthenticationStatement%3E%3Csaml%3AAttributeStatement%3E%3Csaml
%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org
%2Fclaims%2FUPN%22%3Eadamcar%40adatum.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml
%3ASubject%3E%3Csaml%3AAttribute+AttributeName%3D%22Group%22+AttributeNamespace%3D%22http
%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Etokenapp%3C%2Fsaml
%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3C%2Fsaml%3AAttributeStatement%3E
%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E
%3CSignedInfo%3E%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3CSignatureMethod+Algorithm%3D%22http%3A%2F
%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22+%2F%3E%3CReference+URI%3D
%22%23_44d33665-4a30-403c-97e8-3d3c84ca5dab%22%3E%3CTransforms%3E%3CTransform+Algorithm%3D
%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22+%2F%3E
%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F
%3E%3C%2FTransforms%3E%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23sha1%22+%2F%3E%3CDigestValue%3E%2FeabcxxZxRFXeF4aUiRnhmTpP9g%3D
%3C%2FDigestValue%3E%3C%2FReference%3E%3C%2FSignedInfo%3E%3CSignatureValue%3EJoemdGW%2Bd
%2FEvFe9EAtgnf09BWsMiDSsyL4tjkQ5oS8xN%2FrkYpUgUzDSEbiKY62J2tGthu%2FfpKSzVxK%2Fe
%2F05Tvb6UqZpoerNJBTiW23tDekxnm30Z0%2FGse9mPBZOUyPToMCPQwG6mSQ2DGH1B0Q1f5QTf8Ts5za%2B
%2Fs6nM0kDxadA4wbMRumLQoU7d6e8VZHZET2h123qGE9aEVz%2FQknHgKwIGt03fmFqN7tPEju8L8LoYlw7f
%2FSIhzUapkGEb9nICkZyaJBgAUAlzmgjfp%2F4p7coFe%2F%2BU4Y1TVGGkup4NS9borSHRWfDAhIExe1Td0R
%2FG7yiN9B3i4tmp9LC8B4uENw%3D%3D%3C%2FSignatureValue%3E%3CKeyInfo%3E%3CX509Data%3E
%3CX509Certificate%3EMIIC0DCCAbygAwIBAgIQ4B
%2BbbxPCYoVPdGkNqYQ79TAJBgUrDgMCHQUAMCgxJjAkBgNVBAMTHUZlZGVyYXRpb24gU2VydmVyIGFkZnNhY2NvdW
50MB4XDTA4MDMyMDIxMDkzOFoXDTA5MDMyMTAzMDkzOFowKDEmMCQGA1UEAxMdRmVkZXJhdGlvbiBTZXJ2ZXIgYWRm
c2FjY291bnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnjxLNHe1TmGuB%2F
%2BlFqNij1ryejrV8rJkjZgwaWNEG1dOisz38piIpTBKNWqNBpGR1JHu8037oCSXghayxX0ChvKGBKVxoZWpVHOORy
wfLe%2FC1TD4x54PjZspfGMbSR%2FW5LbK5YUwo4TTKi8iLJZVLHfBfaGp9U5viYv79LpLexUea4j3tc8L7qv
%2FimxfHdLhtBQH5HBZ4%2FwTOh5%2FgSVX6AFjpC%2FkSDQ5LJuScrJr5A4XIlppjWwoSafXNrhzw17iI03yw38n
%2FBokA%2Ft46qmx%2Bz4ui3nzbTY7sHluarrcqRB9ly8newCUUT1dZb%2BnhK1YoDoC3UiIOEHg
%2FwqjqweidAgMBAAEwCQYFKw4DAh0FAAOCAQEAlj9xtte9YK9IB2kc%2FzQtURYryJV8GxTaYaGkPWI
%2BW3MPK1FNUSSLNLtfknhYpPkAr7PJUjDyaHKF3pOYIkTy7iS8ZVCLIFQRnJsMS3j6PQo2IL
%2BRruNDCIFsxg8yWghx7Yref7bUF5Mndc3KggTmDSPqoCGb67Dr0ypwTaGxAfXCUL1gqp4zIV2ysILL20VLjra2bV
2h0%2Bsvca90Ux9bfDOeNaCfPNKiIEEx4tMFUAX0snsAc4ocaRai
%2BMnaO4JjxCYuEdI9Fc7GDRf3Vm0e9CipWkN4XgXbu74EtMIRQelLQ7z4kIfWGGqmH2UJ%2FitnAuw
%2FQ6rqpBS0daaEB3FXdQ%3D%3D%3C%2FX509Certificate%3E%3C%2FX509Data%3E%3C%2FKeyInfo%3E%3C
%2FSignature%3E%3C%2Fsaml%3AAssertion%3E%3C%2Fwst%3ARequestedSecurityToken%3E%3Cwsp
%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy
%22%3E%3Cwsa%3AEndpointReference+xmlns%3Awsa%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws
%2F2004%2F08%2Faddressing%22%3E%3Cwsa%3AAddress%3Eurn%3Afederation%3Asp.contoso.com%3C
%2Fwsa%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3C%2Fwst
%3ARequestSecurityTokenResponse%3E&wctx=cookie
HTTP/1.x 302 Found
Date: Tue, 13 May 2008 15:11:01 GMT
Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie:
_shibsession_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=_8321642afcaed806700b192abd3cf2a5;
path=/
Set-Cookie: _saml_idp=dXJuOmZlZGVyYXRpb246YWRhdHVt; path=/; expires=Tue,
20 May 2008 15:11:01 GMT
Location: https://sp.contoso.com/secure/index.shtml
Content-Length: 334
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
---------------------------------------------------------https://sp.contoso.com/secure/index.shtml
https://adfsaccount.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
Cookie: _saml_idp=dXJuOmZlZGVyYXRpb246YWRhdHVt;
_shibstate_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=https%3A%2F%2Fsp.contoso.com%2Fsecure
%2Findex.shtml;
_shibsession_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=_8321642afcaed806700b192abd3cf2a5
HTTP/1.x 200 OK
Date: Tue, 13 May 2008 15:11:01 GMT
Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
HTTP_SHIB_ATTRIBUTES=
HTTP_SHIB_APPLICATION_ID=default
HTTP_REMOTE_USER=
HTTP_ADFS_GROUP=
PATH=/usr/local/bin:/usr/bin:/bin
SERVER_SIGNATURE=<address>Apache/2.2.3 (Debian) mod_ssl/2.2.3
OpenSSL/0.9.8c Server at sp.contoso.com Port 443</address>
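The wresult field posted to /Shibboleth.sso/ADFS in the trace above is a WS-Federation RequestSecurityTokenResponse wrapping a signed SAML 1.1 assertion. Before the SP's adfs.so handler issues the _shibsession cookie seen in the 302 response, it must check that the Issuer is a partner listed in the metadata loaded by the MetadataProvider, that the Audience equals the SP's own providerId, and that NotBefore/NotOnOrAfter bracket the current time (this is why the ntpdate step matters). The script below is an added example, not code from the guide, from ADFS or from Shibboleth; it applies those checks to a constructed, unsigned token and constructed partner metadata embedded inline, so it runs without the lab. The Issuer-to-entityID comparison is an exact string match. The XML signature, which the real SP verifies against the certificate in the partner's KeyDescriptor, is not verified here; that check needs an XML-DSig library and is the one that binds the token to the issuer.

```python
"""SP-side checks on a WS-Federation wsignin1.0 response (added example).

Not code from the guide, ADFS or Shibboleth. Decodes the POST body, locates the
SAML 1.1 assertion and checks issuer, validity window, audience and the UPN
NameIdentifier. Signature verification is deliberately out of scope.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"

# Constructed partner metadata, same shape as adatum-metadata.xml in the guide.
PARTNER_METADATA = (
    f'<EntitiesDescriptor xmlns="{MD}" Name="urn:federation:partners" '
    f'validUntil="2010-01-01T00:00:00Z">'
    f'<EntityDescriptor entityID="urn:federation:adatum"/>'
    f'</EntitiesDescriptor>'
)

# Constructed, unsigned token with the element layout seen in the trace.
SAMPLE_TOKEN = (
    f'<wst:RequestSecurityTokenResponse xmlns:wst="{WST}"><wst:RequestedSecurityToken>'
    f'<saml:Assertion xmlns:saml="{SAML1}" AssertionID="_example-id" '
    f'Issuer="urn:federation:adatum" IssueInstant="2008-05-13T15:11:32Z" '
    f'MajorVersion="1" MinorVersion="1">'
    f'<saml:Conditions NotBefore="2008-05-13T15:11:32Z" NotOnOrAfter="2008-05-13T16:11:32Z">'
    f'<saml:AudienceRestrictionCondition><saml:Audience>urn:federation:sp.contoso.com'
    f'</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>'
    f'<saml:AuthenticationStatement AuthenticationInstant="2008-05-13T15:11:32Z" '
    f'AuthenticationMethod="urn:federation:authentication:windows">'
    f'<saml:Subject><saml:NameIdentifier Format="{UPN_FORMAT}">adamcar@adatum.com'
    f'</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>'
    f'<saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="{UPN_FORMAT}">'
    f'adamcar@adatum.com</saml:NameIdentifier></saml:Subject>'
    f'<saml:Attribute AttributeName="Group" AttributeNamespace="{CLAIMS_NS}">'
    f'<saml:AttributeValue>tokenapp</saml:AttributeValue></saml:Attribute>'
    f'</saml:AttributeStatement></saml:Assertion>'
    f'</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>'
)
SAMPLE_POST_BODY = urlencode({"wa": "wsignin1.0", "wresult": SAMPLE_TOKEN, "wctx": "cookie"})


def parse_time(value):
    """Parse the UTC 'Z' timestamps used in SAML 1.1 into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trusted_issuers(metadata_xml, now):
    """entityIDs listed in the metadata, or an empty set once validUntil has passed."""
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until and parse_time(valid_until) <= now:
        return set()
    return {e.get("entityID") for e in root.iter(f"{{{MD}}}EntityDescriptor")}


def validate_wresult(post_body, sp_provider_id, metadata_xml, now):
    """Return (ok, reason, claims); claims has the UPN and attribute values on success."""
    form = parse_qs(post_body)
    if form.get("wa") != ["wsignin1.0"] or "wresult" not in form:
        return False, "not a wsignin1.0 response", None
    root = ET.fromstring(form["wresult"][0])
    assertion = root.find(f".//{{{SAML1}}}Assertion")
    if assertion is None:
        return False, "no SAML 1.x assertion in wresult", None
    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers(metadata_xml, now):  # exact, case-sensitive match
        return False, f"issuer {issuer!r} not in partner metadata", None
    cond = assertion.find(f"{{{SAML1}}}Conditions")
    if cond is None:
        return False, "assertion has no Conditions", None
    if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window (check clock sync)", None
    audiences = [a.text for a in cond.iter(f"{{{SAML1}}}Audience")]
    if sp_provider_id not in audiences:
        return False, f"audience {audiences} does not include {sp_provider_id}", None
    name_id = assertion.find(
        f".//{{{SAML1}}}AuthenticationStatement/{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier")
    if name_id is None or name_id.get("Format") != UPN_FORMAT:
        return False, "no UPN NameIdentifier in AuthenticationStatement", None
    attrs = {}
    for attr in assertion.iter(f"{{{SAML1}}}Attribute"):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.iter(f"{{{SAML1}}}AttributeValue")]
    return True, "ok", {"upn": name_id.text, "attributes": attrs}


if __name__ == "__main__":
    when = parse_time("2008-05-13T15:30:00Z")
    print(validate_wresult(SAMPLE_POST_BODY, "urn:federation:sp.contoso.com", PARTNER_METADATA, when))
```

The returned claims (UPN plus the Group attribute) are what the SP exposes to the application as REMOTE_USER and HTTP_ADFS_GROUP once the AAP admits them.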
ln -s jdk1.6.0_06/jre/ java
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$JAVA_HOME/bin"
else
PATH="/usr/local/bin:/usr/bin:/bin:/usr/games:$JAVA_HOME/bin"
fi
Log out and then log in again to see if the Java binaries are now included in the PATH.
java -version
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)
start() {
echo "Starting tomcat: "
if [ -x "$CATALINA_HOME/bin/startup.sh" ]; then
# -p preserves the environment (CATALINA_HOME, JAVA_HOME) for the started process
su -p -c "$CATALINA_HOME/bin/startup.sh"
echo "done."
else
echo "Cannot find $CATALINA_HOME/bin/startup.sh, or it isn't executable"
exit 1
fi
}
stop() {
echo "Shutting down tomcat: "
if [ -x "$CATALINA_HOME/bin/shutdown.sh" ]; then
su -p -c "$CATALINA_HOME/bin/shutdown.sh"
sleep 1
#killall -9 java
echo "done."
else
echo "Cannot find $CATALINA_HOME/bin/shutdown.sh, or it isn't executable"
exit 1
fi
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Usage: $0 {start|stop|restart}"
esac
exit 0
Configure a Tomcat connector to listen on localhost on port 8009. You have to modify
$CATALINA_HOME/conf/server.xml.
All of the other connectors can be commented out, since all other requests will go through Apache.
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="127.0.0.1" enableLookups="false"
redirectPort="443" protocol="AJP/1.3"
tomcatAuthentication="false" />
Restart Tomcat
/etc/init.d/tomcat restart
We will put an Apache Web server in front of the Tomcat servlet container. This Apache Web
server will proxy every HTTPS request to Tomcat and will authenticate for the Single Sign-On
(SSO) and Active Directory Federation Services (ADFS) directories of the Shibboleth IdP webapp
(see later).
First, install Apache 2.2.3 and the mod_jk module (necessary for the proxy functionality towards
Tomcat).
apt-get install apache2-mpm-worker libapache2-mod-jk -y
Since we are listening on port 443 (HTTPS), enable the Secure Sockets Layer (SSL) module.
a2enmod ssl
Configure Apache with SSL, proxy and authentication. We will be using basic authentication
against a Lightweight Directory Access Protocol (LDAP) server, which will be set up later. First,
we have to enable the mod_authnz_ldap module:
a2enmod authnz_ldap
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName idp.contoso.com
SSLEngine On
SSLCertificateFile /etc/pki/idp.contoso.com.crt
SSLCertificateKeyFile /etc/pki/idp.contoso.com.key
SSLCertificateChainFile /etc/pki/rootCA.crt
<IfModule mod_proxy_ajp.c>
ProxyRequests Off
<Proxy ajp://localhost:8009>
Allow from all
</Proxy>
ProxyPass /shibboleth-idp ajp://localhost:8009/shibboleth-idp retry=5
</IfModule>
<Location /shibboleth-idp/SSO>
AuthType Basic
AuthName "idp.contoso.com"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://localhost:389/ou=people,dc=contoso,dc=com"
Require valid-user
</Location>
<Location /shibboleth-idp/ADFS>
AuthType Basic
AuthName "idp.contoso.com"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://localhost:389/ou=people,dc=contoso,dc=com"
Require valid-user
</Location>
ErrorLog /var/log/apache2/error.log
LogLevel warn
</VirtualHost>
You will be prompted for a password. When prompted, type p@ssw0rd. Next, import a commonly
used Lightweight Directory Access Protocol (LDAP) schema, called eduPerson.
cd $INSTALL_DIR
wget http://middleware.internet2.edu/dir/schema/ldifs/OpenLDAP_eduPerson-200412.tar.gz
tar xzf OpenLDAP_eduPerson-200412.tar.gz
cp -a eduperson-200412.ldif /etc/ldap/schema/
/etc/ldap/schema/eduperson-200412.ldif
Populate OpenLDAP with some test accounts. To do so, first stop the service, which was started
automatically at installation time.
/etc/init.d/slapd stop
dn: cn=admin,dc=contoso,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}/g6P9Mic0qA1v0jTVhahP/rKegcxke10

dn: ou=people,dc=contoso,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: uid=chris,ou=people,dc=contoso,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduperson
eduPersonPrincipalName: chris
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonAffiliation: faculty
eduPersonEntitlement: urn:mace:library:y.com
eduPersonEntitlement: urn:mace:library:z.com
uid: chris
givenName: Chris
sn: Cox
cn: Chris Cox
mail: chris@contoso.com
homePhone: 015-7654321
mobile: 06-87654321
ou: people
homePostalAddress: Street 1$1234 PC$Oxford$UK
o: Organisation
description: Descriptive description
userPassword: {SSHA}/g6P9Mic0qA1v0jTVhahP/rKegcxke10

dn: uid=philip,ou=people,dc=contoso,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduperson
eduPersonPrincipalName: philip
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonAffiliation: employee
eduPersonEntitlement: urn:mace:library:x.com
uid: philip
givenName: philip
sn: Brusten
cn: Philip Brusten
mail: philip@contoso.com
homePhone: 015-1234567
mobile: 06-12345678
ou: people
homePostalAddress: Street 1$1234 PC$City$Belgium
o: Organisation
description: Descriptive description
userPassword: {SSHA}/g6P9Mic0qA1v0jTVhahP/rKegcxke10
Start LDAP.
/etc/init.d/slapd start
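The userPassword values in the LDIF above use OpenLDAP's {SSHA} scheme: base64 of SHA-1(password || salt) followed by the salt, which slapd recomputes with the stored salt when a user binds (the Basic-auth logins on /shibboleth-idp/SSO and /shibboleth-idp/ADFS end up as exactly such binds). The helper below is an added example, not code from the guide or from OpenLDAP; it generates and verifies {SSHA} values and builds an entry in the shape used above, so each test account gets its own salt rather than a copy of one hash. The entry layout and the dc=contoso,dc=com suffix follow the guide; the four-byte salt length is the common OpenLDAP default and is an assumption here.

```python
"""Generate and verify OpenLDAP {SSHA} userPassword values (added example).

Not code from the guide or from OpenLDAP. {SSHA} is base64(sha1(pw + salt) + salt);
the digest is 20 bytes, everything after it is the salt.
"""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return a '{SSHA}...' string; salt defaults to 4 random bytes (assumed length)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Re-hash password with the salt recovered from stored and compare in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_user(uid, given_name, sn, mail, password, affiliations=("member",)):
    """Build an inetOrgPerson/eduPerson entry like the guide's, with a fresh salt."""
    lines = [
        f"dn: uid={uid},ou=people,dc=contoso,dc=com",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: eduperson",
        f"eduPersonPrincipalName: {uid}",
    ]
    lines += [f"eduPersonAffiliation: {a}" for a in affiliations]
    lines += [
        f"uid: {uid}",
        f"givenName: {given_name}",
        f"sn: {sn}",
        f"cn: {given_name} {sn}",
        f"mail: {mail}",
        "ou: people",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


def stored_password(ldif_entry):
    """Extract the userPassword value from an LDIF entry produced by ldif_user."""
    for line in ldif_entry.splitlines():
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    raise ValueError("entry has no userPassword")


if __name__ == "__main__":
    print(ldif_user("chris", "Chris", "Cox", "chris@contoso.com", "p@ssw0rd",
                    ("member", "staff", "faculty")))
```

Paste the printed entry into the LDIF before running slapadd; ssha_verify is handy for confirming that a value copied from an existing directory still matches the password you expect before you reuse it.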
Obtain the Shibboleth Active Directory Federation Services (ADFS) extension and extract it to the
custom extension directory of the Shibboleth installation directory.
cd shibboleth-1.3.3-install/custom
wget http://shibboleth.internet2.edu/downloads/extensions/shib.ADFS.extension-0.9.tar.gz
tar xzf shib.ADFS.extension-0.9.tar.gz
The build of the Shibboleth ADFS extension fails if the extracted adfs directory has no lib
subdirectory, so create it:
mkdir adfs/lib
The distributed extension is missing a jsp file (adfs.jsp). Add the file before you build the webapp.
The file can be downloaded from the following URL, but we have also provided the content:
http://go.microsoft.com/fwlink/?LinkID=125827
adfs.jsp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<%
response.setHeader("Expires","19-Mar-1971 08:23:00 GMT");
response.setHeader("Cache-control","no-cache");
response.setHeader("Pragma","no-cache");
%>
<html xmlns="http://www.w3.org/1999/xhtml">
<body onload="document.forms[0].submit()">
<%
// The IdP's ADFS handler sets these request attributes before forwarding here;
// if they are absent the page was requested directly. wreply is tested for null
// before equals() is called on it, and the scriptlet returns after the forward.
if (request.getAttribute("wa") == null
|| request.getAttribute("wreply") == null
|| request.getAttribute("wreply").equals("")
|| request.getAttribute("wresult") == null)
{
request.setAttribute("requestURL", request.getRequestURI());
request.setAttribute("errorText", "This page cannot be accessed directly");
request.getRequestDispatcher("/IdPError.jsp").forward(request, response);
return;
}
%>
<script type="text/javascript">
<!--
//-->
</script>
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed to the requested site.
</p>
</noscript>
<%-- action and method are assumed here: the token is posted back to the wreply address --%>
<form id="adfs" action="<bean:write name="wreply" />" method="post">
<div>
<input type="hidden" name="wa" value="<bean:write name="wa" />" />
<logic:present name="wctx" scope="request">
<input type="hidden" name="wctx" value="<bean:write name="wctx" />" />
</logic:present>
<input type="hidden" name="wresult" value="<bean:write name="wresult" />" />
</div>
<noscript>
<div>
<input type="submit" value="Continue" />
</div>
</noscript>
</form>
</body>
</html>
The ADFS endpoint must be mapped to the IdP servlet. Add the following servlet-mapping to the
web descriptor /usr/local/shibboleth-1.3.3-install/webAppConfig/dist.idp.xml:
<servlet-mapping>
<servlet-name>IdP</servlet-name>
<url-pattern>/ADFS</url-pattern>
</servlet-mapping>
Begin the compilation and installation of the Shibboleth software. Set the JAVA_HOME
environment variable so that it points to the Java SDK; after the compilation has finished, point it
back at the Java JRE.
cd $INSTALL_DIR/shibboleth-1.3.3-install/
export JAVA_HOME=/usr/local/jdk1.6.0_06/
./ant
Buildfile: build.xml
init:
install.init:
install:
shibboleth-idp
init:
install.init:
install.idp:
Deploying the java web application.
1) filesystem (default)
2) manager
init:
install.init:
install.idp.filesystem.prompt:
Select a home directory for the Shibboleth Identity Provider [default:
/usr/local/shibboleth-idp]
/usr/local/shibboleth-idp
Enter tomcat home directory [default: /usr/local/tomcat]
/usr/local/tomcat
...
BUILD SUCCESSFUL
Total time: 16 seconds
export JAVA_HOME=/usr/local/java
The implementation of Sun's JAXP parser may contain a memory leak, so Tomcat's endorsed
directory should override the JDK parser with the newer XML libraries that ship with the Shibboleth IdP 1.3 package. Copy the jar files from /opt/shibbolethidp/endorsed/*.jar into Tomcat's endorsed directory:
cp -p $SHIB_HOME/endorsed/*.jar $CATALINA_HOME/common/endorsed/
Restart tomcat.
/etc/init.d/tomcat restart
At this point you should be able to verify that the Shibboleth IdP web application is running by
requesting https://idp.contoso.com/shibboleth-idp/Status.
This request should return the following:
AVAILABLE
/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: adfsresource.treyresearch.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:36:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 1844
---------------------------------------------------------https://adfsresource.treyresearch.net/adfs/ls/discoverclientrealm.aspx?
wa=wsignin1.0&wreply=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2fDefault.aspx
POST
/adfs/ls/discoverclientrealm.aspx?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: adfsresource.treyresearch.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 529
__VIEWSTATE=
%2FwEPDwUKLTgyMDY2OTM4NQ9kFgJmD2QWAgIBDxAPFgYeDURhdGFUZXh0RmllbGQFC0Rpc3BsYXlOYW1lHg5EYXRh
VmFsdWVGaWVsZAUDVXJpHgtfIURhdGFCb3VuZGdkEBUDDVRyZXkgUmVzZWFyY2gTQS5EYXR1bSBDb3Jwb3JhdGlvbg
tjb250b3NvLmNvbRUDE3VybjpmZWRlcmF0aW9uOnNlbGYVdXJuOmZlZGVyYXRpb246YWRhdHVtHnVybjpmZWRlcmF0
aW9uOmlkcC5jb250b3NvLmNvbRQrAwNnZ2dkZGQTSrBqLko4ADpscpJHBuSzBcnJXQ%3D%3D&RealmList=urn
%3Afederation%3Aidp.contoso.com&RealmSubmissionButton=Submit&__EVENTVALIDATION=
%2FwEWBQLD2JmHDQK984%2BSAQL3tdyuAQKnm8mcBgLJ1%2BzKBkxD%2BdGqs2X7rGlHuk%2BJlc1q2oB1
HTTP/1.x 302 Found
Date: Wed, 14 May 2008 09:36:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://idp.contoso.com/shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn
%3afederation%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2fDefault.aspx
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 394
---------------------------------------------------------https://idp.contoso.com/shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation
%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2fDefault.aspx
GET /shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f
%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: idp.contoso.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
GET /shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f
%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: idp.contoso.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
Authorization: Basic cGhpbGlwOnBAc3N3MHJk
HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:35:31 GMT
Set-Cookie: JSESSIONID=D30AEB89B24AA5AEEA8E2C6C75FB2D61;
Path=/shibboleth-idp; Secure
Expires: 19-Mar-1971 08:23:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6913
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
---------------------------------------------------------https://adfsresource.treyresearch.net/adfs/ls/
Host: adfsresource.treyresearch.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://idp.contoso.com/shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation
%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2fDefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 5890
wa=wsignin1.0&wctx=https%3A%2F%2Fadfsweb.treyresearch.net%3A8081%2Fclaimapp%2F%5Chttps%3A
%2F%2Fadfsweb.treyresearch.net%3A8081%2Fclaimapp%2FDefault.aspx&wresult=
%3CRequestSecurityTokenResponse+xmlns%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws
%2F2005%2F02%2Ftrust%22%3E%3CAppliesTo+xmlns%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws
%2F2004%2F09%2Fpolicy%22%3E%3CEndpointReference+xmlns%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%22%3E%3CAddress%3Eurn%3Afederation
%3Atreyresearch%3C%2FAddress%3E%3C%2FEndpointReference%3E%3C%2FAppliesTo%3E
%3CRequestedSecurityToken%3E%3CAssertion+xmlns%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Aassertion%22+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion
%22+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aprotocol%22+xmlns%3Axsd%3D
%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%22+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org
%2F2001%2FXMLSchema-instance%22+AssertionID%3D
%22_eaed99c0df7a1e97c68f66324c5fcde6%22+IssueInstant%3D%222008-05-14T09%3A35%3A31.798Z
%22+Issuer%3D%22urn%3Afederation%3Aidp.contoso.com%22+MajorVersion%3D%221%22+MinorVersion
%3D%221%22%3E%3CConditions+NotBefore%3D%222008-05-14T09%3A35%3A31.797Z%22+NotOnOrAfter%3D
%222008-05-14T09%3A40%3A31.798Z%22%3E%3CAudienceRestrictionCondition%3E%3CAudience%3Eurn
%3Afederation%3Atreyresearch%3C%2FAudience%3E%3C%2FAudienceRestrictionCondition%3E%3C
%2FConditions%3E%3CAuthenticationStatement+AuthenticationInstant%3D%222008-05-14T09%3A35%3A31.797Z%22+AuthenticationMethod%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Aam%3Aunspecified%22%3E%3CSubject%3E%3CNameIdentifier+Format%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22+NameQualifier%3D%22urn%3Afederation
%3Aidp.contoso.com%22%3Ephilip%40contoso.com%3C%2FNameIdentifier%3E%3CSubjectConfirmation
%3E%3CConfirmationMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Acm%3Abearer%3C
%2FConfirmationMethod%3E%3C%2FSubjectConfirmation%3E%3C%2FSubject%3E%3C
%2FAuthenticationStatement%3E%3CAttributeStatement%3E%3CSubject%3E%3CNameIdentifier+Format
%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22+NameQualifier%3D%22urn
%3Afederation%3Aidp.contoso.com%22%3Ephilip%40contoso.com%3C%2FNameIdentifier%3E
%3CSubjectConfirmation%3E%3CConfirmationMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Acm%3Abearer%3C%2FConfirmationMethod%3E%3C%2FSubjectConfirmation%3E%3C%2FSubject
%3E%3CAttribute+AttributeName%3D%22mail%22+AttributeNamespace%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3CAttributeValue%3Ephilip%40contoso.com%3C
%2FAttributeValue%3E%3C%2FAttribute%3E%3CAttribute+AttributeName%3D%22sn
%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E
%3CAttributeValue%3EBrusten%3C%2FAttributeValue%3E%3C%2FAttribute%3E
%3CAttribute+AttributeName%3D%22CommonName%22+AttributeNamespace%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3CAttributeValue%3EBrusten%3C%2FAttributeValue%3E%3C
%2FAttribute%3E%3CAttribute+AttributeName%3D%22Group%22+AttributeNamespace%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3CAttributeValue%3Emember%3C%2FAttributeValue%3E
%3CAttributeValue%3Estaff%3C%2FAttributeValue%3E%3CAttributeValue%3Eemployee%3C
%2FAttributeValue%3E%3C%2FAttribute%3E%3C%2FAttributeStatement%3E%3Cds%3ASignature+xmlns
%3Ads%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%0D%0A%3Cds%3ASignedInfo
%3E%0D%0A%3Cds%3ACanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3C%2Fds%3ACanonicalizationMethod%3E%0D%0A%3Cds
%3ASignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%3E%3C%2Fds%3ASignatureMethod%3E%0D%0A%3Cds%3AReference+URI%3D
%22%23_eaed99c0df7a1e97c68f66324c5fcde6%22%3E%0D%0A%3Cds%3ATransforms%3E%0D%0A%3Cds
%3ATransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%3E%3C%2Fds%3ATransform%3E%0D%0A%3Cds%3ATransform+Algorithm%3D%22http%3A%2F
%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3Cec%3AInclusiveNamespaces+xmlns%3Aec%3D
%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+PrefixList%3D
%22code+ds+kind+rw+saml+samlp+typens+%23default+xsd+xsi%22%3E%3C%2Fec
%3AInclusiveNamespaces%3E%3C%2Fds%3ATransform%3E%0D%0A%3C%2Fds%3ATransforms%3E%0D%0A%3Cds
%3ADigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%3E
%3C%2Fds%3ADigestMethod%3E%0D%0A%3Cds%3ADigestValue%3ETwuvUTi0PVHHCOtvc6%2B3qCrIMAw%3D%3C
%2Fds%3ADigestValue%3E%0D%0A%3C%2Fds%3AReference%3E%0D%0A%3C%2Fds%3ASignedInfo%3E%0D%0A
%3Cds%3ASignatureValue%3E%0D%0Au3lf8%2FP2XWRtX1yv
%2FLqvVVlw9UehLtgdD4SnVDb1OIaawizifCTq2PLWdRVfjNB4hRCMA1b%2B5j%2Bp%0D%0AqHg%2B4kjg53M%2FfC
%2BHuzKJLN0QxTXm497dVmt6KLxvQDQA4hL7ZAKKL%2FjEC4OAHOE%2FbD03UeXxt20Q%0D
%0AFk1tSpDsy1RMWk3%2FUv0%3D%0D%0A%3C%2Fds%3ASignatureValue%3E%0D%0A%3Cds%3AKeyInfo%3E%0D
%0A%3Cds%3AX509Data%3E%0D%0A%3Cds%3AX509Certificate%3E%0D
%0AMIICKzCCAZQCCQCjY1CwYLEyqjANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVSzEUMBIGA1UE%0D
%0ACBMLT3hmb3Jkc2hpcmUxDzANBgNVBAcTBk94Zm9yZDEMMAoGA1UEChMDT0NHMRQwEgYDVQQDEwtP%0D
%0AQ0cgUm9vdCBDQTAeFw0wODA1MTMxNjIyMTBaFw0wOTA1MTMxNjIyMTBaMFwxCzAJBgNVBAYTAlVL%0D
%0AMRQwEgYDVQQIEwtPeGZvcmRzaGlyZTEPMA0GA1UEBxMGT3hmb3JkMQwwCgYDVQQKEwNPQ0cxGDAW%0D
%0ABgNVBAMTD2lkcC5jb250b3NvLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0%2BzuZSih%0D
%0AxOjJhjXHiEJYYVKKXbWC1zQ2gLUB5HIY7Dehe%2BPbkpy3R234rsYXnpcCJ4LSyvjpqGX7Wb3hqnSH%0D
%0AH33mo9H5HxMF1MGhuTLH0DaUApDoCEE2dq2S%2BxcjXfc5Y7mOTQyE%2BPLgmlAyca4GEVXUJuqpj02D%0D
%0Aj4AnuI7RJ9cCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBQWlNTKwvm1j%2F9%2FiDkhLwKHFPbtQqPkPu6%0D
%0ApH%2BuNAiIW9XnlYAoNpMVKFEiegODqU0XKOil%2BzNvjpt%2B8VJ7Ch4XNZ4x8JKL4FxjcwXcLSE8DEHE%0D
%0AaR%2B0v%2Bp9oum8P1ELyPWiNnp1I2UsTLKBYKmm2z%2BNY%2BHmIURrrPEpvIvVgD939g%3D%3D%0D%0A%3C
%2Fds%3AX509Certificate%3E%0D%0A%3C%2Fds%3AX509Data%3E%0D%0A%3C%2Fds%3AKeyInfo%3E%3C%2Fds
%3ASignature%3E%3C%2FAssertion%3E%3C%2FRequestedSecurityToken%3E%3C
%2FRequestSecurityTokenResponse%3E
HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:36:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie:
_WebSsoAuth=eNqdVml3qkoW9adkeT+6DCA44EqymkEGBRQZVL68xVAMMkqBiL+
+MSbpJH3v6/Tzi1WHU/vss+vUqXqCdprMKQhBWUV59vAxEtnn/l8k7qKYTxBD1HOJIWGT3tDBwXQ4crApOsXIGYqi/
QcRwhqIGazsrHruj1B0NkTHQ4zQUXKOT+Zj0nrzKZ/7dZnNfeCB0r4FmVclaEsAgV26Yf9Bto95aYISdp+e+1hniLK
vhkuaZHB+43yHym0YwXlmpwDOK3euUbI0xx7Ruf2eRv/l6TVDJs+86GaAD0pe0cDPS/Anrp3DOluXlF/dGH/ywdB3n
zdUqvYikLlgC2BVRu4N/yPQN5eXsKoKOEcQ2/NhA5zHz6k/ZqCaz9AZhriJHaV2USBPyNfl3+a/j4h8y/Wdg3eObhC
30HPmFkHL69IFb3LezHc508gtc5j71ac96r9827PIKx7dPKs6x+4/fUK+w74HyvM46urCzwUbhj+MFWTICBNOlkdwK
yuCukX6ajcwInTx/B7pC+6HMG85vqlUhSCrIvcVVavsCqTd/OGr/U8lO57jWFcGX51lUIW59z+qLp3XGSyAG/kR8N6
LRKudI3Crt5nSrRK9G27nUz5weZnaHYVbdXTFAd0QpDZ87MSCuV085mVwLwmIGBul/1KEURIV//oi/29g30X5CI38n
SwvT1oUZHZVl28V8UGnaZrHBn9l0WmEIiiJdA4ejIJf/fsq4N024uWJsbM864CT6PpJrgcqCfIyqsL0D5AYgqE3yCG
4uEMXI7Jf/QfkE58fwnxhVkJ7CEMbe0XaAh+UtwPzYGzF5/6vn7W0lye9tDPYNYkUfhr/fzxAdgZJXgBvCN/TeaX0c
7g/qIN8JsdGQdcK/olOHxrdIUw7qcHLMTa8+Lrb0Jzg1QoaXPnBRpOx61SA3fn77PmEfGjbjT/Xwsfu3R23yjKrLN1
rKFndqKSYhb5Pjip/sNXoVscGRF0hR8PKJwodCbiY7aMRxpbooG1bmUxzbyq5lyI+NqdEOqmSixhuvFjBtRBEXF3nY
UMMAntptscQWUcEKi3iNbch4cTLeCWpY4eaYB6tKo1iLA5GsMML2CDmeZVYROQadWmsOOkglwTcSP4mAOi22QsOTh+
nByVlxVhUmWuiG3iGILFlN6wxmujh0U/2LmdL00PGursEplm7Ojqz3FCasvFY+yg2WiMtE7PGSXU6mbic6E/0Et3kX
FrKdEPF53Mhd82baHgWG10n18mxSDabGbbacqbg8rjWNO6AjkLBLjw5G/Dy5MwF4mratatDKVxYNXh+vov+SeinFWj
vO7AfoyRrV/Z9xNyuQv926sGLLIoMemQYypkEVCPSVCCqfJ1iAqq6PjHebD3flNp2sdCpJR0YJRvIjKAalMzEl+WVS
uhAMWlK1oXYSizebA/7beGMiMAYma2Xmq3Ic7GVKa21V87efnm0dApwDdqsWeoqH6lW1heYopv2q02/2RaNfL3b/nm
MLh9NbFj1sFzllhieXYVSFzStUmwQLDYU231Xc6Yb05S0IgvQqruxS1Rnkw3JJas7Y88KGS1aLsYysuFFo2SusUulJ
uVDjeMnJ25vDXgeX075A8LVe0vRBmWLmRMrGMmDPb1BkMRpgRFGZrk+1NoRupnU3YX1iG0v8NB4aBofd2fFbZVLkOh
tMLW2ApzF4sQ/Wlg8u3Y06EVCLIiDx4eWi/PyOfMo0W2jA/S30pYfUz7Fwo2vpyLOWnIRTYjjIlI2jVCpYwJAwWul0
IoOonTBmbCRLN9w6GAKE8agt8HxMGFtEO7OmrMywHKvXfKmrbPkEOJMES93Le/q6InjEArwUrTyUWEsim4yvZyncek
boTvWE/26T70tArKAXEZEqTnuhFsWLC+R8X6AMlSzoKhvNUMRXX2pFLc1AXoJ1SszRlnO3s5kQTMHIx4E9pjkCY2cC
atIxNFrfhJQgWwofeZiI7JMIig7CJLROjIWEGE3Y8fRho2L1dU9L92iFBqN; path=/adfs/ls/; secure;
HttpOnly
Set-Cookie:
_WebSsoAuth0=3URaiB4KtNkzxM7jnB09PemXgalefSwpFyQ2IxacFOFj0dRP+pXE3Kpx1rOqPa+kBF/oGrQxM+dKG
xvlpuQrB7BTTn5NMKfSQWsnKRgoX0l8P/UCGezp8x7VN+klIk/6arXOTx7bchK+XlO83oZlEyVaUZ1MQ2Eu5cUGZ0/
YVLOVtg2m6iJL2dRRVwNMYCqk5JC1jBzEWYEf5VaHCOAbdXcYq2Rd7zIizrIt2x1EllgO5KVDH3YzUeSAnp1WI9wGx
iiQnpDvJ/tuuZ965KMT/KdHfDwC3p/GL1jvr+4yxKc4ersNJ9MhQfj40Ham7tAnADlyfOACj+z1/v4B2Ot+WO/n76L
eb55bvVGP6v3346bH9OiyhhXI/g2uJEZ+; path=/adfs/ls/; secure; HttpOnly
%22+AuthenticationMethod%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aam%3Aunspecified
%22%3E%3Csaml%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22%3Ephilip%40contoso.com%3C%2Fsaml%3ANameIdentifier
%3E%3C%2Fsaml%3ASubject%3E%3C%2Fsaml%3AAuthenticationStatement%3E%3CSignature+xmlns%3D
%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3CSignedInfo%3E
%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23rsa-sha1%22+%2F%3E%3CReference+URI%3D%22%23_93c01f44-0dc4-4a9d-b3e7-2b1707198000%22%3E%3CTransforms%3E%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23enveloped-signature%22+%2F%3E%3CTransform+Algorithm%3D%22http%3A
%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3C%2FTransforms%3E
%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22+%2F
%3E%3CDigestValue%3EjkUdkzWPBFHduN0gzG%2BPSM1z7Hs%3D%3C%2FDigestValue%3E%3C%2FReference%3E
%3C%2FSignedInfo%3E%3CSignatureValue%3ERNJntZTdwAMQPQ9Inhff92tf%2BRSByT1%2B4ut
%2FjUZo6NBiH3InXi21Dr0%2ByyyM9mod7LcxpkjwqlLqQLc%2FUckEKsOHgiFuuohw4%2BgaJVyjh
%2FOi40LEkOFP9s6dnGNlukbA61dBQNwNUEYUgW3psw
%2FVvKlZ4icUurUKFLYMr4sPLfPge0RwXHb3Bj7YNmDIkIQCzlTU3n%2F
%2FkZawDU26ThjflXcFaL7YnDcWlsmnyKjb8oUNwrwdDajIwSwLJlVu39Q766cFIf6Tr0PoFmrMBwAkvvpMcti4wGD
12z6z6jplPP81KRFVHcG3Swwc%2BBihHapdMn%2BGM6vFgIK7antYrHxDQg%3D%3D%3C%2FSignatureValue%3E
%3CKeyInfo%3E%3CX509Data%3E%3CX509Certificate
%3EMIIC0jCCAb6gAwIBAgIQGum1H0Qcf45PRdfVLyyEETAJBgUrDgMCHQUAMCkxJzAlBgNVBAMTHkZlZGVyYXRpb24
gU2VydmVyIGFkZnNyZXNvdXJjZTAeFw0wODAzMjAyMTE1NTVaFw0wOTAzMjEwMzE1NTVaMCkxJzAlBgNVBAMTHkZlZ
GVyYXRpb24gU2VydmVyIGFkZnNyZXNvdXJjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALK9peyQW5c
4tvVDh9JDTb5dZhCSiJE5M%2FPGIUrCzkcAmVAfsSFG6qFXZ%2BGG3J7GY%2FFuXZNS%2Bry1V6Zg2M%2BXBP%2F
%2FlbyeUhiVrOYuSjscnLSouu2DyxsYwd0mkjWvNcyNxglTyg7ZRHs8kI6fjZ1k8zDh9BEl4E4YdGhZc3GMvndAIcy
iYsfRLRG5AfADsPfTmI3DZMpi64jEiNPwHtQ54esHdyLhZiYILx3ChwLZfUbBg7slCUBRgjY6DaehWvSbKUeJXSxow
yunlYh3CpkJWyGcT0qFF%2FAeGLiKf0H5IIcl7xv7krfUhc5TlTzXmdR%2Feng9Ji4rSbc6FJpDGL9kX
%2B0CAwEAATAJBgUrDgMCHQUAA4IBAQAFRVe0xhQzC50DFaR8MHSV
%2B2Gega59G4S98HKiI30zoqH0H9wAT8c129rlisMb%2F%2FnBT%2F5H
%2FHW8D5iPDkpKzcvJcprHwSDPiSh0Yp0wXC4WdFbWB7qTx
%2BVQzf1lrE9184EFLi35IVTqTz91ctwbO8tyvKLl3ETSsa1VoFra12oVLfNYeWNqfu4Cqrb0ublpCsMz93X7dgMeX
BvX0TPmxi9qTKKOoqdDyFL3OOAGTyhrwilSptqVUNCxrxaevdHPt8KSRg7QEnmDmbQK%2B1HCt%2FrF%2FOM
%2FYI8p3jMyTs%2FeGwQWY5Q9uuWn4knnRDdfVD4J%2BMJbBYW8IIFeTnqK23aeU2gL%3C%2FX509Certificate
%3E%3C%2FX509Data%3E%3C%2FKeyInfo%3E%3C%2FSignature%3E%3C%2Fsaml%3AAssertion%3E%3C%2Fwst
%3ARequestedSecurityToken%3E%3Cwsp%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%3E%3Cwsa%3AEndpointReference+xmlns
%3Awsa%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%22%3E%3Cwsa
%3AAddress%3Ehttps%3A%2F%2Fadfsweb.treyresearch.net%3A8081%2Fclaimapp%2F%3C%2Fwsa
%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3C%2Fwst
%3ARequestSecurityTokenResponse%3E&wctx=https%3A%2F%2Fadfsweb.treyresearch.net
%3A8081%2Fclaimapp%2FDefault.aspx
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://adfsweb.treyresearch.net:8081/claimapp/Default.aspx
Set-Cookie:
_WebSsoAuth=eNqdVmt3qkoS/StZno+uBBB84Eqyhoc8FFDkofJlFo8GWp7SIOKvvxiTTJJ1z8yZ+4nqonrXrt3VBc
/IzdI5gxCoaljkD5+WzL8M/k2TPk6EFPWIBz71SLl08OiRYPo48ogpPiXoGY7jgwcZoQbIOardvH4ZjHB89oiPHwnK
xOk5OZmPaec9pnoZNFU+D0EAKveWZF5XoKsAAm7lx4MH1T0WlQ0q1L96GRC9A+bfHZcszdH8xvkOVbgIonnuZgDNa3
9uMKoyJ57wuftRxuD1+a1CrsgDeHOgB62oWRAWFfgd1z5gna8rJqxvjL/EEPhHzDsq0wQQ5D7YAlRX0L/hfyb6EfIa
13WJ5hjmBiFqgff0tfSnHNTzGT4jMD91YeaWJfaMfd/
+Y/33GbEftX5wCM7wBnFLPeduGYyiqXzwLufNfZczg35VoCKsv5zR4PXHmcGgfPKLvO4D+2f2jP2E/UhUFAns+yIsJ
BfFf5gryrERIZ2cgBJWDkSmQ4d6b1gQX7x8ZPqG+ynMe43vKtUxyGvov6EatVuDrF8/fPf/rmXHc5Lo2+B7sArquAj
+R9dl8yZHJfBhCEHw0SRG4x2BX7+vtH6XHNxw+5jqQSiqzO0p3Lqjbw7kxyBz0VMvFirc8qmoontLIMzaaIPXMoYpL
P/1Tf6/gf0Q5TM19t9keX02YJS7dVO9d8QnnbZtn1ryjUWvEY7hNNYHBAhGvwb3XSC4HcTrM+fmRd4Dp/D6Ra4HJo2
KCtZx9htIAiPwG+QjuPiPPkHlvwYP2Bc+fwjzjVmF3EcUu8Qb0haEoLpdmAdrK78Mfv3ZSHt9Nis3R/2QyNAX+//jA
fIzSIsSBI/oo5w3Sn8O9xt1sK/keBj1o+Cf6PSp0R3CdtMGvB4TK0iuuw0rSEGj4dFVHG4MlbhOJdTfv6+Rz9intr3
9tRc+T+8euNWWee2YQcuo+kan5TwOQ3pUh8OtwXYmMaSaGjtaTjHRWCiRcr6HI4Kv8GHXdSqdFcFU8S9lcmxPqXLSF
R+z/GSxQmspgkLTFHFLDSN3aXfHGFtDClcWyVrY0GgS5KKWNonHTIiA1bVWsxYHK9qRJWox+7xKHQr6VlNZK0E5qBW
FNkq4iQC+bfeSR7LH6UHLeDmRde6amhaZY1jiuC1vjSZmfAzTvS+4yvSQ8/4uRVnerY7erLC0tmoD3j3KrdEqy9RuS
FqfTia+IIcTs8I3hZBVKtsyyflcqv3wplqRJ0bXyXVyLNPNZkastoIt+SJptK0/ZGEsuWWg5kNRnZyFSF5N+3F1qKQ
Lr0cvL3fRvwj9vALd/QT2Y5zm3dq9W9ztUxjebj14VWWZw48cx3iTiGlllolkXWwyQsJ1P6TGm20Q2krXLRYms2Qjq
+IjlZN0i1G55LK8MikbaTbLqKaUOKkj2t1hvy29ERVZI7sLMruTRSFxcq1z9to52C+PjskAocXbNc9c1SPTqeaC0Ez
bffOZN9+iVa933z/P0ddjyC2vH5arwpHjs68x+oJldYaPosWG4fv3esH1NssoK7oEnb4b+1R9tvmYXvKmNw6cmDPgc
jFWsY0oWxV3TXwms5kQGYI4OQl7ZyiK5HIqHjCh2TuaMaw6wp440Ugd7tkNhqVeB6wY2tX60BhH5OdK/y1sRnx3QYc
2wLPkuDtrfqddotTsoqmzldAskSfh0SGS2bWnwS5SakEdAjF2fFJUz3nAyH4HDyjcKltxzIQMjzahmckk76glnFDHB
dQ2rVTrYwogKeiU2IEHWbmQXNwqTmh5bDRFKWex2+h4mPAuiHdnw1tZYLk3LkXbNXl6iEmuTJa7TvRN/CQIGANEBa5
CXBrLsp9OL+dpUoVW7I/N1Lzus2CLgTyil5CqDM+fCMuSFxU62Q9xjmkXDPOjZxiq7y+dEbY2wC+xfuXGOC+425kqG
fZwJILIHdMiZdAzaQVlEr8WJwmX6JYxZz4xoqsUItXDsJw1sbGESbsZP4YbPilXV/+89MtKag1+A40Y;
path=/claimapp; secure;
HttpOnly
Set-Cookie:
_WebSsoAuth0=P5R4u+eoXSB4O3Z6Mi9DW7+GRFotaGJGLQQFkmPZNk/mlSb8uvXWs7o7r5SUXJgGcgm7ECqXGBW2E
moHsNNOYUNxp8rDGy8tOaReaXI/DSIV7NnzHjc32QXSJ3O1WhengO8EhVyvGdHs4qqFqVHWJ9vSuEt1ccE5kDb1bGV
so6m+yDM+8/TVkJC4GqsEbK1iB3lWkke1MxEGxFbfHcY63TS7nEryfMv3F5GnlkN16bGH3UyWBWDmp9WIdIE1ipRn7
OfNvnvutx77nAT/mRGfPwEfv8avfwEUrBJW; path=/claimapp; secure; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 176
---------------------------------------------------------https://adfsweb.treyresearch.net:8081/claimapp/Default.aspx
HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:36:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 6360
Resulting page from the claimapp when logged in with the user philip.
SSO Sample
[ Sign Out | Refresh without viewstate data]

Page Information
Name | Value | Type
Simplified Path | https://adfsweb.treyresearch.net:8081/claimapp/Default.aspx | S.String

User.Identity
Name | Value | Type
Type name | SSO.SingleSignOnIdentity | S.String

(IIdentity)User.Identity
Name | Value | Type
Name | philip@contoso.com | S.String
AuthenticationType | WebSSO | S.String
IsAuthenticated | True | S.Boolean

(SingleSignOnIdentity)User.Identity
Name | Value | Type
Name | philip@contoso.com | S.String
NameType | http://schemas.xmlsoap.org/claims/UPN | S.String
SecurityPropertyCollection | SSO.Auth.SecurityPropertyCollection | SSO.Auth.SecurityPropertyCollection
AuthenticatingAuthority | urn:federation:idp.contoso.com | S.Uri
AuthenticationMethod | urn:oasis:names:tc:SAML:1.0:am:unspecified | S.Uri
AuthenticationType | WebSSO | S.String
IsAuthenticated | True | S.Boolean
SignInUrl | https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a59Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx | S.String
SignOutUrl | https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignout1.0 | S.String
WindowsIdentity | null | null

SingleSignOnIdentity.SecurityPropertyCollection
Uri | Claim Type | Claim Value
http://schemas.xmlsoap.org/claims/UPN | UPN | philip@contoso.com
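The wresult that the IdP's auto-post form sends to /adfs/ls/ in the trace above is a WS-Trust RequestSecurityTokenResponse wrapping a signed SAML 1.1 assertion. The following is an added example (not code from the guide, ADFS or Shibboleth) of the checks a resource federation server applies to that form before it accepts the claims: the wa action, AppliesTo, Issuer, the NotBefore/NotOnOrAfter window with a clock-skew allowance, the AudienceRestrictionCondition, bearer confirmation, and that the enveloped signature references the assertion's own AssertionID. Cryptographic verification of that signature against the account partner's verification certificate needs an XML-DSig library and is deliberately left out, as is the replay cache keyed on AssertionID that a production relying party keeps. SAMPLE_RSTR is a constructed reassembly of the token from the trace with DigestValue, SignatureValue and the certificate replaced by placeholders; EXPECTED_REALM, TRUSTED_ISSUER and TRACE_TIME are taken from the trace.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

# Clark-notation prefixes for the namespaces that appear in the captured token.
WST = "{http://schemas.xmlsoap.org/ws/2005/02/trust}"
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
WSA = "{http://schemas.xmlsoap.org/ws/2004/08/addressing}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

EXPECTED_REALM = "urn:federation:treyresearch"      # this FS-R's realm (the wtrealm it sent)
TRUSTED_ISSUER = "urn:federation:idp.contoso.com"   # the configured account partner


def parse_saml_time(ts):
    """SAML 1.x dateTime values are UTC, 'Z'-terminated, with an optional fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def validate_wsfed_response(form_body, expected_realm, trusted_issuer, now,
                            skew=timedelta(minutes=2)):
    """Relying-party checks on the wa/wctx/wresult form posted to /adfs/ls/.
    Returns (ok, problems, claims); ok is True only when no problem was found.
    The XML signature itself is not verified here."""
    problems, claims = [], {}
    fields = parse_qs(form_body)                     # decodes '+' as space, %xx escapes
    if fields.get("wa", [""])[0] != "wsignin1.0":
        problems.append("wa is not wsignin1.0")
    wresult = fields.get("wresult", [""])[0]
    if not wresult:
        return False, problems + ["wresult missing"], claims
    rstr = ET.fromstring(wresult)

    # AppliesTo must name this federation service, not some other partner.
    addr = rstr.find(WSP + "AppliesTo/" + WSA + "EndpointReference/" + WSA + "Address")
    if addr is None or addr.text != expected_realm:
        problems.append("AppliesTo does not name " + expected_realm)

    assertion = rstr.find(WST + "RequestedSecurityToken/" + SAML + "Assertion")
    if assertion is None:
        return False, problems + ["no SAML assertion in wresult"], claims
    if assertion.get("Issuer") != trusted_issuer:
        problems.append("Issuer %r is not a trusted account partner" % assertion.get("Issuer"))

    # Validity window; the skew covers the roughly 90 seconds between the IdP's
    # and the FS-R's clocks visible in the Date headers of the trace.
    cond = assertion.find(SAML + "Conditions")
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        if now < parse_saml_time(cond.get("NotBefore")) - skew:
            problems.append("assertion not yet valid")
        if now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew:
            problems.append("assertion expired")
        if expected_realm not in [a.text for a in cond.iter(SAML + "Audience")]:
            problems.append("AudienceRestrictionCondition does not include " + expected_realm)

    # The passive profile delivers a bearer token.
    if BEARER not in [m.text for m in assertion.iter(SAML + "ConfirmationMethod")]:
        problems.append("no bearer SubjectConfirmation")

    # The enveloped signature must reference the assertion's own ID.
    sig = assertion.find(DS + "Signature")
    ref = sig.find(DS + "SignedInfo/" + DS + "Reference") if sig is not None else None
    if ref is None or ref.get("URI") != "#" + assertion.get("AssertionID", ""):
        problems.append("assertion is not signed over its own AssertionID")

    name_id = assertion.find(SAML + "AuthenticationStatement/" + SAML + "Subject/" + SAML + "NameIdentifier")
    if name_id is not None:
        claims["subject"] = name_id.text
        claims["subject_format"] = name_id.get("Format")
    for attr in assertion.iter(SAML + "Attribute"):
        claims[attr.get("AttributeName")] = [v.text for v in attr.findall(SAML + "AttributeValue")]
    return not problems, problems, claims


# Constructed sample: the token from the trace, decoded, with the DigestValue,
# SignatureValue and X509Certificate replaced by placeholders.
SAMPLE_RSTR = (
    '<RequestSecurityTokenResponse xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference '
    'xmlns="http://schemas.xmlsoap.org/ws/2004/08/addressing"><Address>urn:federation:treyresearch'
    '</Address></EndpointReference></AppliesTo><RequestedSecurityToken>'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_eaed99c0df7a1e97c68f66324c5fcde6" '
    'IssueInstant="2008-05-14T09:35:31.798Z" Issuer="urn:federation:idp.contoso.com" MajorVersion="1" MinorVersion="1">'
    '<Conditions NotBefore="2008-05-14T09:35:31.797Z" NotOnOrAfter="2008-05-14T09:40:31.798Z">'
    '<AudienceRestrictionCondition><Audience>urn:federation:treyresearch</Audience></AudienceRestrictionCondition></Conditions>'
    '<AuthenticationStatement AuthenticationInstant="2008-05-14T09:35:31.797Z" '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject>'
    '<NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN" NameQualifier="urn:federation:idp.contoso.com">philip@contoso.com</NameIdentifier>'
    '<SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation>'
    '</Subject></AuthenticationStatement><AttributeStatement><Subject>'
    '<NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN" NameQualifier="urn:federation:idp.contoso.com">philip@contoso.com</NameIdentifier>'
    '</Subject><Attribute AttributeName="mail" AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>philip@contoso.com</AttributeValue></Attribute>'
    '<Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>member</AttributeValue>'
    '<AttributeValue>staff</AttributeValue><AttributeValue>employee</AttributeValue></Attribute></AttributeStatement>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference URI="#_eaed99c0df7a1e97c68f66324c5fcde6"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
    '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '</Assertion></RequestedSecurityToken></RequestSecurityTokenResponse>'
)
SAMPLE_FORM = urlencode({
    "wa": "wsignin1.0",
    "wctx": "https://adfsweb.treyresearch.net:8081/claimapp/\\https://adfsweb.treyresearch.net:8081/claimapp/Default.aspx",
    "wresult": SAMPLE_RSTR,
})
TRACE_TIME = parse_saml_time("2008-05-14T09:36:57Z")   # FS-R clock when the POST arrived

if __name__ == "__main__":
    print(validate_wsfed_response(SAMPLE_FORM, EXPECTED_REALM, TRUSTED_ISSUER, TRACE_TIME))
```

The ordering matters: the time window and audience are checked before any claim is extracted, so an assertion replayed after NotOnOrAfter, or one minted for another partner, yields no claims at all even though it parses cleanly. The same checks against the second, ADFS-issued token later in the trace would fail on AppliesTo, which there names the claimapp URL rather than a realm URN, so the expected value must be configured per relying party.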
Dim tpFileName
Dim trUri
Dim tp          ' TrustPolicy
Dim tr          ' TrustedRealm
Dim revFlags
Dim found

be changed")
    WScript.StdErr.WriteLine("RevocationFlags - One of the following:")
    WScript.StdErr.WriteLine("    None")
    WScript.StdErr.WriteLine("    CheckEndCert")
    WScript.StdErr.WriteLine("    CheckEndCertCacheOnly")
    WScript.StdErr.WriteLine("    CheckChain")
    WScript.StdErr.WriteLine("    CheckChainCacheOnly")
    WScript.StdErr.WriteLine("    CheckChainExcludeRoot")
    WScript.StdErr.WriteLine("    CheckChainExcludeRootCacheOnly")
    WScript.Quit
End Sub

Dim ArgObj
Set ArgObj = WScript.Arguments
trUri = ArgObj.Item(1)
revFlags = GetRevFlags(ArgObj.Item(2))

'
' Create factories
'
Set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
Set cf = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")
'
' Load the TrustPolicy
'
Set tp
'
' Find the realm and set the revocation flags
'
found = 0
If (tp.TrustPolicyEntryUri = trUri) Then
    '
    ' Hosted realm attributes
    '
    WScript.StdOut.WriteLine("Changing the setting for this Federation service: " & trUri)
    found = 1
    tp.VerificationMethod.RevocationCheckFlags = revFlags
Else
    '
    ' Trusted Realms
    '
    For Each tr in tp.TrustedRealms
        If (tr.TrustPolicyEntryUri = trUri) Then
            WScript.StdOut.WriteLine("Changing the setting for this Account partner: " & trUri)
            found = 1
            tr.VerificationMethod.RevocationCheckFlags = revFlags
            Exit For 'since the Uri is unique
        End If
    Next
    If (found = 0) Then
        WScript.StdOut.WriteLine("Error: " & trUri & " is neither this Federation Service nor an Account partner.")
        WScript.Quit
    End If
End If
tp.Write(tpFileName)
WScript.StdOut.WriteLine("done.")
TpCrlChk.vbs c:\ADFS\TrustPolicy.xml urn:federation:idp.contoso.com None
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

TpCrlChk.vbs c:\ADFS\TrustPolicy.xml urn:federation:treyresearch None
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.