
ADFS Step-by-Step Guide: Federation with Shibboleth Federation Services


Microsoft Corporation
Published: August 2008
Authors: Chris Cox (Oxford Computer Group) and Philip Brusten (K.U. Leuven University,
Belgium)
Editor: Fran Tooke

Abstract
Active Directory Federation Services (ADFS) and Shibboleth are two federation technologies that
allow web browser users in one organization to access web-based applications in another.
Shibboleth is open source software developed by Internet2, a US-based advanced networking
consortium, and ADFS is a component of Microsoft's Windows Server 2003 R2 and Windows
Server 2008 systems.
This step-by-step guide walks you through how to configure the federation relationships between
Microsoft and Internet2 technologies in a test lab environment. This guide assumes an already
existing set of ADFS machines and then describes, in detail, the process to install and configure
Shibboleth to work as both an Identity Provider (IdP) to an ADFS FS-R (resource federation
server) and as a Service Provider (SP) to an ADFS FS-A (account federation server). The
platform chosen for this Shibboleth test lab was Debian 4.0 (etch) which uses a software
repository system and thus the installation instructions may need adjusting for other platforms.
The post-installation configuration steps, however, are applicable across other platforms.

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, SharePoint, MS-DOS, Windows, Windows NT, and Windows Server
are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Contents
ADFS Step-by-Step Guide: Federation with Shibboleth Federation Services
  About this guide
    Prerequisites and requirements
  Introduction
    Active Directory Federation Services
    Shibboleth
    Overcoming the language barrier
  Preparing the environment
    Configure connectivity
    Perform the following steps on idp.contoso.com
    Configure sample Web applications
  Step 1: Configuring ADFS as the Account Partner (Scenario 1)
    Configure the ADFS Account Federation Server (FS-A)
    Configure the trust policy
    Token-signing certificate
    Organizational claims
    Account stores
    Define a resource partner
    Configure outgoing claim mappings
  Step 2: Configuring and Testing Shibboleth as the Service Provider (Scenario 1)
    Perform the following steps on sp.contoso.com
    Testing the Federation Scenario 1
  Step 3: Configuring Shibboleth as the Identity Provider (Scenario 2)
    Configure the Shibboleth IdP
  Step 4: Configuring and Testing ADFS as the Resource Partner (Scenario 2)
    Confirming the trust policy
    Add a new account partner
    Test the Federation Scenario 2
  Appendix A: Preparing the SP Debian Platform
  Appendix B: Setting up Apache 2.2.3
  Appendix C: Installing a Shibboleth SP
  Appendix D: Trace log of HTTP Headers SP to FS-A
  Appendix E: Installing Tomcat and Apache 2.2.3
  Appendix F: Installing OpenLDAP
  Appendix G: Installing Shibboleth IdP
  Appendix H: Trace log of HTTP Headers IdP to FS-R
  Appendix I: Disabling CRL Checking
ADFS Step-by-Step Guide: Federation with Shibboleth Federation Services
About this guide
This guide provides step-by-step instructions to configure an identity federation deployment
between Microsoft Active Directory Federation Services (ADFS) and Shibboleth Federation
Services by using the WS-Federation identity federation protocol, as defined by the Web
Services Federation Language (WS-Federation) (http://go.microsoft.com/fwlink/?LinkId=89385)
and the WS-Federation Passive Requestor Profile (WS-F PRP)
(http://go.microsoft.com/fwlink/?LinkId=89387). In this deployment, each product performs both
the account partner role (IdP) and the resource partner role (SP).
You can use the lab environment that is outlined in this guide to configure federation between
ADFS and Shibboleth and to determine how to deploy federation between the two technologies in
your business.
Note
It is important to follow the steps in this document in the order that they are presented.

Prerequisites and requirements


The deployment comprises two halves. Each half is a complete deployment of Microsoft and
Shibboleth technology, respectively. This deployment uses six computers, as follows:

Account federation server: A. Datum Corporation (adfsaccount.adatum.com)

Account client: A. Datum Corporation (adfsclient.adatum.com)

Resource federation server: Trey Research (adfsresource.treyresearch.net)

Resource Web server: Trey Research (adfsweb.treyresearch.net)

Note
A complete set of virtual machines for the ADFS deployment described above can be created
by completing the original ADFS Step-by-Step Guide, which is located at the following link:
http://go.microsoft.com/fwlink/?LinkID=125831.
The details of each computer are described in the following table (columns: computer name,
ADFS client/server role, operating system requirement, IP settings, DNS settings):

adfsclient
  ADFS role: Client
  Operating system: Windows XP with Service Pack 2 (SP2) or later
  IP settings: IP address 192.168.1.1, subnet mask 255.255.255.0
  DNS settings: preferred 192.168.1.3, alternate 192.168.1.4

adfsweb
  ADFS role: Web server
  Operating system: Windows Server 2003 R2, Standard Edition or Enterprise Edition
  IP settings: IP address 192.168.1.2, subnet mask 255.255.255.0
  DNS settings: preferred 192.168.1.4

adfsaccount
  ADFS role: Federation server and domain controller
  Operating system: Windows Server 2003 R2, Enterprise Edition
  IP settings: IP address 192.168.1.3, subnet mask 255.255.255.0
  DNS settings: preferred 192.168.1.3

adfsresource
  ADFS role: Federation server and domain controller
  Operating system: Windows Server 2003 R2, Enterprise Edition
  IP settings: IP address 192.168.1.4, subnet mask 255.255.255.0
  DNS settings: preferred 192.168.1.4

Note
Make sure to set both the preferred and alternate Domain Name System (DNS) server
settings on the client. If both types of values are not configured as specified, the ADFS
scenario will not function.
Note
All four computers from the original ADFS Step-by-Step Guide are used in this
deployment. However, a single ADFS federation server can perform both the account and
the resource federation server roles, which eliminates one computer from the
deployment, if necessary. If you use this configuration, move the client computer to the
Trey Research domain, and add Adam Carter to Active Directory in Trey Research.
In addition, you must have two virtual machines that are running Debian 4.0 (etch), or a platform
of your choice, provided that it is one on which you can install Shibboleth with its ADFS extension.

Shibboleth Identity Provider (IdP): Contoso Ltd (idp.contoso.com)

Shibboleth Service Provider (SP): Contoso Ltd (sp.contoso.com)

Notes

Both scenarios that are presented in this step-by-step guide (Shibboleth as an SP and then as
an IdP) require that the Debian platforms are already installed, along with Shibboleth, Tomcat,
Apache, and OpenLDAP. Instructions for installing each of these components are provided in the
appendices.

If you plan to configure virtual machines exactly as used for this document, follow the
appendices where appropriate and then return to the correct step in the main body of the
instructions.

The scenarios will guide you through the process of setting up the public key
infrastructure (PKI) requirements for federation on the Shibboleth partner by using a root
certification authority (CA). Since certificate revocation lists will not be available,
Appendix I: Disabling CRL Checking also shows you how to disable CRL checking, which
is necessary to ensure that ADFS works successfully with this guide. Disabling CRL checking
removes the only means ADFS has of rejecting a revoked partner certificate, so treat it as a
test-lab setting only; in a production federation, publish a CRL (or use a CA that does) and
leave checking enabled.

The details of each computer are described in the following table (columns: full computer
name, platform, Shibboleth role, IP settings):

sp.contoso.com
  Platform: Debian 4.0 (etch)
  Shibboleth role: Shibboleth Federation Server SP
  IP address: 192.168.1.5

idp.contoso.com
  Platform: Debian 4.0 (etch)
  Shibboleth role: Shibboleth Federation Server IdP
  IP address: 192.168.1.6

By using these six computers, the guide configures federation between the two fictitious
companies.
This guide will present two scenarios:

Scenario 1: ADFS account federation server (FS-A) provides authentication services to


resources protected by Shibboleth Service Provider (SP)

Scenario 2: Shibboleth acts as the account provider (IdP) to access ADFS protected
resources on a resource federation server (FS-R)

Introduction
Federated identity and access management builds on the Web Services technology wave, which
describes the technology and business arrangements necessary for richly connecting users,
applications, and systems within and across organizational boundaries, by using the Internet and
its associated standard communication mechanisms. Participants in federated systems may use
different technologies with different security approaches and programming models, yet they can
still integrate their businesses without substantial custom integration. In this federated system,
each organization continues to manage its own identities, but is capable of securely sharing and
accepting identities and credentials from other organizations. The goal of federated identity is to
allow businesses and partners that trust each other in the real world to mirror that trust in their
digital systems.
A number of federation technologies have been developed that are designed to exchange identity
information, in the form of claims, across organizational boundaries to allow Single Sign-On
(SSO) and authorization to Web-based applications. They provide a secure framework to transmit
attributes about a Web-browsing individual to local or remote Web resources. When a user
accesses a resource by using federated identity, the user's own home domain can send
information about that user to the resource, which can then be used to determine appropriate
access to the resource.
ADFS and Shibboleth are examples of these federation technologies, and this guide provides
step-by-step guidance for configuring interoperability between them. We first give a level-set on
the two technologies and a brief discussion of terminology (Overcoming the language barrier).

Active Directory Federation Services


Active Directory serves as a primary identity and authentication service in many organizations
and by employing Active Directory Federation Services (ADFS), organizations can extend their
existing Active Directory infrastructures to provide access to resources that are offered by trusted
partners across the Internet. These trusted partners can include external third parties or other
departments or subsidiaries in the same organization.
ADFS is tightly integrated with Active Directory. ADFS retrieves user attributes from
Active Directory (also Active Directory Application Mode), and authenticates users against
Active Directory. ADFS also uses Windows integrated authentication.
ADFS supports distributed authentication and authorization over the Internet and can be
integrated into an organization's existing access management solution to translate the terms that
are used in the organization into claims that are agreed on as part of a federation. ADFS can
create, secure, and verify the claims that move between organizations. It can also audit and
monitor the activity between organizations and departments to help ensure secure transactions.
The following are some of the key features of ADFS in Windows Server 2003 R2 and
Windows Server 2008:

Federation and Web SSO. When an organization uses the Active Directory directory service,
it benefits from SSO functionality through Windows integrated authentication within the
organization's security or enterprise boundaries. ADFS extends this functionality to
Internet-facing applications, which enables customers, partners, and suppliers to have a
similar, streamlined, Web SSO user experience when they access the organization's
Web-based applications. Furthermore, federation servers can be deployed in multiple
organizations to facilitate business-to-business (B2B) federated transactions between
partner organizations.

Web Services (WS)-* interoperability. ADFS provides a federated identity management
solution that interoperates with other security products that support the WS-* Web Services
Architecture. ADFS does this by employing the federation specification of WS-*, called
WS-Federation. The WS-Federation specification makes it possible for environments that do
not use the Windows identity model to federate with Windows environments.

Extensible architecture. ADFS provides an extensible architecture that supports the
Security Assertion Markup Language (SAML) token type and Kerberos authentication (in the
Federated Web SSO with Forest Trust scenario). ADFS can also perform claim mapping; for
example, it can modify claims by using custom business logic as a variable in an access
request. Organizations can use this extensibility to modify ADFS to coexist with their
current security infrastructure and business policies.

1. User attempts to access an ADFS-protected resource on the site application server.
2. User is redirected to the FS-R.
3. FS-R directs the user to the FS-A in their home domain.
4. FS-A uses local credentials to validate the user and returns claims in a SAML token.
5. FS-R validates the signature on the SAML token.
6. FS-R re-signs the SAML token and passes it back.
7 and 8. User is directed back, via the ADFS Web agent, to the resource. The resource uses the
claims for access control and other application-level decisions.

Shibboleth
Shibboleth is a project of Internet2/MACE concerned with the development of architectures,
policy structures, practical technologies, and an open source federation implementation to
support inter-institutional sharing of Web resources subject to access controls. Its primary
audience is within the education and research sector.
Internet2 is a U.S. advanced networking consortium led by the education and research
community, comprising universities, partner organizations, laboratories, government agencies
and other institutions of higher learning.
The Shibboleth team consists of Internet2 and a group of campus middleware architects from
Internet2 member schools and corporate partners. Organizations that collaborate in its
development include national and international higher education institutions, their partners,
content providers, and government agencies.
Key concepts within Shibboleth include:

Federated Administration. The Identity Provider (origin) campus (home to the browser user)
provides attribute assertions about that user to the Service Provider (target) site. A trust fabric
exists between campuses that allows each site to identify the other speaker and assign a trust
level. Identity Provider sites are responsible for authenticating their users, but can use any
reliable means to do this.

Access Control Based On Attributes. Access control decisions are made using those
assertions. The collection of assertions might include identity, but many situations will not
require this. (For example, it allows you to access a resource licensed for use by all active
members of the campus community, and to access a resource available to students in a
particular course.)

Active Management of Privacy. The Identity Provider (origin) site and the browser user
control what information is released to the Service Provider (target). A typical default is merely
"member of community." Individuals can manage attribute release via a Web-based user
interface. Users are no longer at the mercy of the target's privacy policy.

Standards Based. Shibboleth uses OpenSAML (http://go.microsoft.com/fwlink/?LinkID=125885)
for the message and assertion formats and protocol bindings, which is based on SAML
(http://go.microsoft.com/fwlink/?LinkID=125886) developed by the OASIS Security Services
Technical Committee (http://go.microsoft.com/fwlink/?LinkID=125887).

A Framework for Multiple, Scalable Trust and Policy Sets (Federations). Shibboleth
uses Federations to specify a set of parties who have agreed to a common set of policies. (A
site can be in multiple Federations, though.) This moves the trust framework beyond bilateral
agreements, while providing flexibility when different situations require different policy sets.

A Standard (yet extensible) Attribute/Value Vocabulary. Shibboleth has defined a standard
set of attributes. The first set is based on the eduPerson object class
(http://go.microsoft.com/fwlink/?LinkID=125890), which includes widely used person attributes in
higher education.

The Shibboleth software implements the OASIS SAML v1.1 specification, but in December 2005,
Internet2 announced that it had developed a new extension of Shibboleth to support
Windows Server 2003 R2 by using WS-Federation, the passive requestor profile, and the passive
responder interoperability profile.
The new extension, implemented in Shibboleth versions 1.3c and later, provides
interoperability with ADFS by allowing sites that are using ADFS to participate in Shibboleth-based
federations and vice versa.


1. User attempts to access a Shibboleth-protected resource on the SP site application server.
2 and 3. User is redirected to the Handle Service at their IdP (there is no WAYF server in this
scenario).
4. User authenticates at their IdP by using local credentials.
5. Handle Service generates a unique ID (handle) and redirects the user to the Service Provider
site's Assertion Consumer Service (ACS). The ACS validates the supplied assertion, creates a
session, and transfers to the Attribute Requester (AR).
6, 7 and 8. The AR uses the handle to request attributes from the IdP site's Attribute Authority.
The Attribute Authority responds with attribute assertions subject to attribute release policies.
9 and 10. User is directed back to the resource. The resource uses the attributes for access
control and other application-level decisions.

Overcoming the language barrier


As we can see from the preceding sections, ADFS and Shibboleth are very similar in their
approach to federation and address the same problem space. However, as with many
cross-platform or cross-technology interoperability scenarios, we have something of a language
barrier to overcome. A lot of the terminology that is used in the ADFS documentation is not the
same as that used in the Shibboleth documentation. Someone familiar with either one of the
technologies will not necessarily recognize the equivalent components of the other. As a simple
example, an ADFS FS-A is the functional equivalent of the Shibboleth Identity Provider (IdP), and
the ADFS FS-R is the equivalent of the Shibboleth Service Provider (SP). As we get into the more
detailed configuration of the systems, this becomes more of an issue.
This section describes some of the common components in both their ADFS and Shibboleth
contexts.
Claims, Assertions, and Attributes

These terms are similar and tend to be used interchangeably. An attribute can be thought of as a
piece of information that describes something about a user; their name, affiliation etc. That piece
of information is passed to a federation partner in the form of a claim. However, claims could also
include other information, for examples, that a user authenticated at a particular time, or that they
used a particular authentication strength.
Account federation server (Shibboleth: IdP)
Federation servers in the account partner are used to authenticate local user accounts and then
issue security tokens that can be used to access Web-based applications that are hosted in
resource partners. In addition, federation servers in the account partner issue cookies to users to
maintain login status. These cookies enable SSO capabilities so that users do not have to enter
credentials each time that they visit different Web-based applications in the resource partners.
In ADFS, the account partner is known as the account federation server (FS-A). In Shibboleth, it
is known as the Identity Provider or IdP.
Resource federation server (Shibboleth: SP)
Federation servers at the resource partner validate the security tokens that are issued by the
federation servers at the account partner. Federation servers at the resource partner also issue
security tokens that are meant for the Web-based applications in the resource partner. In addition,
federation servers in the resource partner issue cookies to the user accounts, which come from
the account partner. These cookies enable SSO capabilities so that users do not have to log in
again at their federation servers in the account partner when the users attempt to access different
Web-based applications at the resource partner.
In ADFS, the resource partner is known as the resource federation server (FS-R). In Shibboleth, it
is known as the service provider (SP).
Trust Policy (Shibboleth: Metadata)
Trust policies, expressed as XML metadata in Shibboleth, are what the federation partners use
to find each other and establish secure communications. As a minimum, they contain the unique
names of the federation partners, the Internet addresses where requests should be sent, and the
certificates that should be used to validate the SAML tokens that are exchanged.
An ADFS server defines itself to its federation partners through a trust policy which is set up and
viewed in the ADFS administration console. It can be exported to an XML file for easy import into
another ADFS server. Each ADFS server can act as both an FS-A and an FS-R and the trust
policy contains the details for both. Federation partners will automatically select the correct
options when they import the trust policy XML file during federation partner configuration.
A Shibboleth implementation defines itself to its federation partners through metadata in
metadata.xml files which can be loaded into another Shibboleth system. Typically, a Shibboleth
system is either an IdP or an SP.
Organizational Claims (Shibboleth: resolver.xml)
Organizational claims are the superset of claims that an organization wishes to pass to/receive
from its federation partners. A specific federation partnership may only require a subset of the
available organizational claims.


In ADFS, organizational claims are defined within an organization's trust policy in the
administration console. They are defined as one of two types: group or custom.
In Shibboleth, the superset of claims that may be released by the system is declared in the XML
file resolver.xml. All claims in Shibboleth are analogous to the custom claim type in ADFS.
Account Stores (Shibboleth: resolver.xml)
Neither ADFS nor Shibboleth stores information about users itself. They both rely on separate
identity stores to provide valid identity information. ADFS can retrieve identity information from
Active Directory or Active Directory Application Mode (ADAM) in order to populate claims.
Account stores are defined under the organization's trust policy and define mappings between
each claim and the directory source of the information required to populate it. Typically, this would
be an attribute or group(s).
In Shibboleth, the mapping of claims back to an identity store is handled by the XML file
resolver.xml. It defines the type of store, along with appropriate connection information, as well as
the attribute/claim mappings. Typically, it will use an LDAP directory or a database as the identity
store. For this proof of concept, we used a simple MySQL database.
Federation Partners
An ADFS server defines its federation partners through the ADFS administration console.
Federation partners are defined as either Account Partners or Resource Partners.
Shibboleth defines its federation partners through metadata.xml files. They are either Identity
Providers (IdP) or Service Providers (SP). Each partner may be defined in a separate XML file, or
the entire federation may be combined into a single XML file. This makes it relatively
straightforward to implement a new Shibboleth system with full knowledge of the entire federation
that it is joining.
Claims Mapping (Shibboleth: Attribute Acceptance Policy & Attribute Release Policy)
Attributes names used internally within an institution may be different to those exchanged over
the wire between federation partners. A mapping process can be configured to map the internal
attribute names with the names agreed between the federation partners.
Outgoing Claims
ADFS FS-A sets up outgoing claims as part of the Resource Partner definition in the ADFS
administration console. This configuration is known as outgoing group and custom claims
mapping. The Shibboleth IdP uses its Attribute Release Policy as defined in the arps.site.xml
configuration file.
Incoming Claims
The ADFS FS-R sets up incoming claims as part of the Account Partner definition in the ADFS
administration console. It is known as incoming claims mapping. The Shibboleth SP uses its
Attribute Acceptance Policy as defined in the AAP.xml configuration file.
Home Realm Discovery (Shibboleth: Where are you from (WAYF)?)
Shibboleth supports, as part of its architecture, the concept of a centralized discovery service
called the "Where are you from?" or WAYF server. When a user attempts to access a
Shibboleth-protected resource, they can be directed to the WAYF server, which asks them where
they are from (their home domain) and then redirects them to the Identity Provider for that domain.
ADFS does not have an equivalent component, but relies instead on each FS-R performing
home realm discovery itself, based on the FS-As that it knows about, that is, the bilateral
agreements that have been set up with its federation partners.
This does not have to look any different from the Web user's perspective, but it will rely on a
common implementation of an ADFS home realm discovery Web page across the federation.

Preparing the environment


Before you begin, you should ensure that you have installed, configured and tested the four
virtual machines according to the original ADFS Step-by-Step Guide, and have created two new
virtual machines required to host Shibboleth as described above. You should therefore have the
following computers:
ADFS

Account federation server: A. Datum Corporation (adfsaccount.adatum.com)

Account client: A. Datum Corporation (adfsclient.adatum.com)

Resource federation server: Trey Research (adfsresource.treyresearch.net)

Resource Web server: Trey Research (adfsweb.treyresearch.net)

Shibboleth

Shibboleth Identity Provider (IdP): Contoso Ltd (idp.contoso.com)

Shibboleth Service Provider (SP): Contoso Ltd (sp.contoso.com)

Note
Important: For the remainder of this guide the coding steps you should follow are
detailed in a shaded boxed format. Code values of interest are shown in italicized text.

Configure connectivity
Establish IP Connectivity
Ensure that the following computers have IP connectivity:

ADFS account client: A. Datum Corporation (adfsclient.adatum.com)

ADFS resource federation server: Trey Research (adfsresource.treyresearch.net)


Note
In this deployment, providing a public IP address to this federation server allows the
federation server to perform home realm discovery, which redirects users who
attempt to access without possession of a security token to their home environment
for token acquisition. In environments where this approach presents unacceptable
security risks, use of an ADFS federation server proxy can eliminate the need to
provide a public IP address to a federation server.

ADFS resource Web server: Trey Research (adfsweb.treyresearch.net)

Shibboleth SP: contoso.com (sp.contoso.com)

Shibboleth IdP: contoso.com (idp.contoso.com)


Enable Keys and Certificates in Shibboleth


PKI keys and certificates are used by both ADFS and Shibboleth during federation to digitally sign
and verify security tokens. If you completed the steps in the ADFS Step-by-Step Guide, certificates
are already created and configured correctly for ADFS.
The Shibboleth deployment also requires you to configure certificates, in particular Secure
Sockets Layer (SSL) and token-signing certificates.
Note
For this guide, a root CA will be installed and configured on IdP.contoso.com. It will not
matter where the root CA is created outside of this guide.

Perform the following steps on idp.contoso.com

Generate a root CA certificate and key on the IdP. The -nodes option leaves the CA private key
unencrypted on disk, which is acceptable in a test lab; keep the directory readable by root only.
The openssl default at the time was a 1024-bit RSA key, as the output below shows; outside a
lab, add -newkey rsa:2048 to the command.
To create the root CA certificate and key

export CA=/root/CA
mkdir $CA

openssl req -x509 -new -out $CA/rootCA.crt -keyout $CA/rootCA.key -days 1000 -nodes
Generating a 1024 bit RSA private key
...............++++++
..........................++++++
writing new private key to '/root/CA/rootCA.key'
-----
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Oxfordshire
Locality Name (eg, city) []:Oxford
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OCG
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:OCG Root CA
Email Address []:

Notes

Now that we have a root CA, we are in a position to create the SSL and token-signing
certificates necessary for Shibboleth as an IdP. When configuring Shibboleth as an SP,
only an SSL certificate is required.

Note that with ADFS a token-signing certificate is always required, irrespective of the role
of the federation server. With Shibboleth, however, the SP does not re-write and re-sign
the SAML token as the ADFS FS-R does. Therefore, no token-signing certificate is
required by the Shibboleth SP.

Generate a certificate for idp.contoso.com to be used for both SSL and token-signing purposes.
Create the certificate signing request (idp.contoso.com.csr) and copy it to the CA directory
($CA, i.e. /root/CA, which in this lab is on the same server).
Note
It is perfectly possible to create two separate certificates, one for each purpose, but since
both are server certificates, one will suffice here.

export PKI=/etc/pki
mkdir $PKI

export C=idp.contoso.com
openssl req -out $PKI/$C.csr -pubkey -new -keyout $PKI/$C.key -nodes
...
Common Name (eg, YOUR name) []:idp.contoso.com
...

# hand the request to the CA (same machine here; $CA was set in the previous step)
cp $PKI/$C.csr $CA/

The certificate must now be signed using the private key of the root CA you created above. To
do this, follow these steps.

export C=idp.contoso.com
openssl x509 -req -in $CA/$C.csr -CA $CA/rootCA.crt -CAkey $CA/rootCA.key -CAcreateserial -out $CA/$C.crt -days 365

Copy the signed certificate to an appropriate location, in this case /etc/pki on the IdP.

cp $CA/$C.crt $PKI/

Note
For the Tomcat Web server to use the certificate created and signed above, it must be
presented in PKCS#12 format. Create a PKCS#12 file from the certificate and its key:

openssl pkcs12 -export -in $PKI/$C.crt -inkey $PKI/$C.key -out $PKI/$C.p12 -name "tomcat"
# we used 'secret' as the export password; Tomcat must be given the same password

Perform the following steps on sp.contoso.com

We must create an SSL certificate for use by the Web server on the Shibboleth SP, and we will
request this from the root CA on idp.contoso.com.
Make the request for the SSL certificate for sp.contoso.com.

export PKI=/etc/pki
mkdir $PKI

export C=sp.contoso.com
openssl req -out $PKI/$C.csr -pubkey -new -keyout $PKI/$C.key -nodes
...
Common Name (eg, YOUR name) []:sp.contoso.com
...

Send the certificate signing request (sp.contoso.com.csr) to the CA on idp.contoso.com and
copy it into /root/CA there. Only the request travels; the private key stays on the SP.
Perform the following steps on idp.contoso.com
Sign the certificate signing request.

export C=sp.contoso.com
openssl x509 -req -in $CA/$C.csr -CA $CA/rootCA.crt -CAkey $CA/rootCA.key -CAcreateserial -out $CA/$C.crt -days 365

Copy the certificate you signed to $PKI (i.e. /etc/pki) on the SP.
[We copied it across the two virtual machines via the host computer]
Note
You must be logged on to the client desktops as an Administrator to perform these
actions.
To add host names and addresses to the ADFS client and host computers
1. Locate the hosts file. In Windows XP, the location of the file is
C:\windows\system32\drivers\etc\hosts.
2. Right-click the file, and then click Open. Choose Notepad to open the file.
3. On the ADFS client computer, add these lines under the localhost entry:

192.168.1.5    sp.contoso.com
192.168.1.6    idp.contoso.com

4. On the client computer used to test access to a resource protected by an FS-R (for this
guide the local host machine was used), add the following entries to the hosts file:

192.168.1.2    adfsweb.treyresearch.net
192.168.1.4    adfsresource.treyresearch.net
192.168.1.5    sp.contoso.com
192.168.1.6    idp.contoso.com

5. Save and close both files.

Configure sample Web applications


In order to test the scenario presented in the next section, in which Shibboleth is deployed as an
SP to protect a Web-hosted application, we set up a very simple test application using Apache
2.2.3 and Server Side Includes.
Note
Instructions to set up Apache 2.2.3 are provided in Appendix E: Installing Tomcat and
Apache 2.2.3. When you have completed those instructions return to this point to create
the Web application, detailed below.
Once Apache is installed and configured, you must create the Web application to be hosted by
the SP.
Create an application

mkdir /var/www/secure

Create a homepage to be protected by the SP: /var/www/secure/index.shtml.


Note
The home page can have any content you want to create. The SSI directive below dumps every
CGI environment variable, including the request headers the SP populates from the incoming
claims (REMOTE_USER and the others configured in the attribute acceptance policy), which is
convenient for a lab but should not be left on a production host.

<!--#printenv -->

Step 1: Configuring ADFS as the Account Partner (Scenario 1)
In this section, we will detail how to configure the Shibboleth federation services.
Note
Before completing the steps in this section, you must have completed the section titled
Preparing the Environment above. The original Active Directory Federation Services (ADFS)
Step-by-Step Guide did not use a root CA to issue the token-signing certificate; the
certificates were self-signed. For scenario 1 this simplifies establishing the federated trust
between A. Datum (using ADFS) and Contoso (using Shibboleth): all the Shibboleth Service
Provider (SP) needs is the FS-A's token-signing certificate itself (its public key), which
goes into the partner metadata. There is no root CA chain to bring across as well.
The ADFS FS-A issues a Security Assertion Markup Language (SAML) security token that
contains the ADFS claim set, and Shibboleth verifies it. The identity and attribute assertions
received by the SP are then mapped by the SP to request headers* (similar to organization
claims in ADFS), which makes them available as environment variables that the application
can use to make authorization decisions.
*In ADFS terms this would be known as incoming claim mappings.
The illustration below describes the components that will be installed and configured.

Configure the ADFS Account Federation Server (FS-A)


Although ADFS is already installed and configured on the four ADFS virtual machines, more work
is needed to configure it to federate with its new Shibboleth resource partner contoso.com.

The ADFS FS-A defines itself, its own configuration, and that of its resource partners in the trust
policy. The trust policy is managed using the ADFS snap-in to the Microsoft Management Console
(MMC).

Configure the trust policy


A trust policy defines parameters that will be applied to all federation servers within the same
ADFS security realm (server or farm). Separate security realms have separate trust policies. The
trust policy is the cornerstone of the ADFS configuration at each organization, and is configured
on the computers on which the Federation Service is installed.
One of the most important settings in the trust policy is the Federation Service endpoint URL.
This is the URL of the Federation Service and it is used whenever redirects to it must occur. For
example, when the FS-R has to redirect the client to be authenticated, the FS-R redirects the client
to whatever endpoint is specified in the account partner trust policy. The trust policy also holds the
verification certificates, that is, the public part of each partner's token-signing certificate.
Follow this procedure to verify that the trust policy on the adfsaccount computer is configured
properly.
To verify the trust policy settings on the adfsaccount computer
1. Click Start, select Programs, point to Administrative Tools, and then click Active
Directory Federation Services.
2. In the console tree, double-click Federation Service, right-click Trust Policy, and then
click Properties.
3. On the General tab, in Federation Service URI, verify that it displays
urn:federation:adatum.
4. In Federation Service endpoint URL, verify that it displays
https://adfsaccount.adatum.com/adfs/ls/, and then click OK.

Token-signing certificate
The FS-A uses a token-signing certificate to sign the SAML tokens it passes to the SP. This
certificate has to be included in the partner metadata XML file (adatum-metadata.xml) on the
Shibboleth side so that incoming SAML tokens can be verified by the SP. It can be extracted from
the exported trust policy XML file and pasted into the Shibboleth metadata.
Follow this procedure to export the A. Datum trust policy to an xml file and copy the token-signing
verification certificate data to a file to be transferred to the Shibboleth SP.
To export the A. Datum trust policy
1. Click Start, point to All Programs, point to Administrative Tools, and then click Active
Directory Federation Services.
2. In the console tree, double-click Federation Service, right-click Trust Policy, and then
click Export.
3. Browse to a location, name the file you will export, and then click Save.
4. Click OK.
5. Open the saved .xml file in Notepad and copy the <X509Certificate> node as shown
below.
<X509Certificate>MIIC0DCCAbygAwIBAgIQ4B+bbxPCYoVPdGkNqYQ79TAJBgUrDgMCHQUAMCgxJjAkBgNVBAMTH
UZlZGVyYXRpb24gU2VydmVyIGFkZnNhY2NvdW50MB4XDTA4MDMyMDIxMDkzOFoXDTA5MDMyMTAzMDkzOFowKDEmMCQ
GA1UEAxMdRmVkZXJhdGlvbiBTZXJ2ZXIgYWRmc2FjY291bnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
QCnjxLNHe1TmGuB/
+lFqNij1ryejrV8rJkjZgwaWNEG1dOisz38piIpTBKNWqNBpGR1JHu8037oCSXghayxX0ChvKGBKVxoZWpVHOORywf
Le/C1TD4x54PjZspfGMbSR/W5LbK5YUwo4TTKi8iLJZVLHfBfaGp9U5viYv79LpLexUea4j3tc8L7qv/imxfHdLhtB
QH5HBZ4/wTOh5/gSVX6AFjpC/kSDQ5LJuScrJr5A4XIlppjWwoSafXNrhzw17iI03yw38n/BokA/t46qmx+z4ui3nz
bTY7sHluarrcqRB9ly8newCUUT1dZb+nhK1YoDoC3UiIOEHg/wqjqweidAgMBAAEwCQYFKw4DAh0FAAOCAQEAlj9xt
te9YK9IB2kc/zQtURYryJV8GxTaYaGkPWI+W3MPK1FNUSSLNLtfknhYpPkAr7PJUjDyaHKF3pOYIkTy7iS8ZVCLIFQ
RnJsMS3j6PQo2IL+RruNDCIFsxg8yWghx7Yref7bUF5Mndc3KggTmDSPqoCGb67Dr0ypwTaGxAfXCUL1gqp4zIV2ys
ILL20VLjra2bV2h0+svca90Ux9bfDOeNaCfPNKiIEEx4tMFUAX0snsAc4ocaRai+MnaO4JjxCYuEdI9Fc7GDRf3Vm0
e9CipWkN4XgXbu74EtMIRQelLQ7z4kIfWGGqmH2UJ/itnAuw/Q6rqpBS0daaEB3FXdQ==</X509Certificate>

Notes

The trust policy can be exported into an XML file for easy import into an ADFS resource
partner. However, the format is not out-of-the-box compatible with the format of the
partner metadata required by Shibboleth, although you should be able to write a
transformation to accomplish this.

In the meantime, the above information from the trust policy is required from the FS-A to
set up the correct metadata (adatum-metadata.xml) in the Shibboleth SP.

Organizational claims
Organizational claims are the superset of claims that the FS-A can pass to resource partners.
Each resource partner definition will reference an agreed subset of the organizational claims, by
using agreed semantics. The adfsaccount.adatum.com computer, that acts as the FS-A already
has a couple of resource partners and now we will add a new one for contoso.com. It also has a
number of organization claims which do not have to be modified or edited for this guide.

Account stores
In order for a federation server to operate as an account partner (FS-A), you must configure an
account store. In our case, the local Active Directory store has already been added and a number
of claims extractions have also already been configured. We will use these existing claims.
Security Principal/Attribute    Organization Claim          Organization Claim Type
Authenticated Users             Adatum                      Group
Company                         Affiliation                 Custom
displayName                     DisplayName                 Custom
givenName                       givenName                   Custom
mail                            mail                        Custom
Purchasing Admins@adatum.com    Purchasing Administrator    Group
Purchasing Dept@adatum.com      Purchasing Agent            Group
sn                              Surname                     Custom
telephoneNumber                 Telephone                   Custom
Title                           Position                    Group
TokenAppUser@adatum.com         TokenApp                    Group
User Principal Name             User Principal Name         Identity Claim
userPrincipalName               upn                         Custom

Define a resource partner


We must now add a new resource partner for contoso.com to the adfsaccount computer. Follow
the steps below to achieve this:
Add a resource partner
1. In the Active Directory Federation Services snap-in, expand Partner Organizations,
and then click Resource Partners.
2. Right-click Resource Partners, point to New, and then click Resource Partner.
3. On the Welcome to the Add Resource Partner Wizard page, click Next.
4. On the Import Policy File page, click Next.
5. On the Resource Partner Details page, in Display name, type Contoso.com, in
Federation Service URI, type urn:federation:sp.contoso.com, in Federation Service
endpoint URL, type https://sp.contoso.com/shibboleth.sso/ADFS, and then click
Next.
Note
The paths in URIs are case-sensitive in ADFS.
6. On the Federation Scenario page, click Next.
7. On the Resource Partner Identity Claims page, select the UPN Claim check box, and
then click Next.
8. On the Select UPN Suffix page, click Next.
9. On the Enable this Resource Partner page, click Next.
10. On the Completing the Add Resource Partner Wizard page, click Finish.

Configure outgoing claim mappings


Once the claims extractions against the Active Directory have been configured, you must
configure some outgoing claim mappings. These are the claim types and names the resource
partner (the Shibboleth SP) will be expecting. They will be populated by the FS-A in the SAML
token which will be presented to the SP.
The table below shows some outgoing claim mappings you could create and use for your own
testing. For this scenario, however, we use only the UPN identity claim.
Organization Claim      Organization Claim Type    Map to Outgoing Claim
Affiliation             Custom                     company
DisplayName             Custom                     displayName
givenName               Custom                     givenName
mail                    Custom                     mail
Position                Custom                     title
Surname                 Custom                     sn
Telephone               Custom                     telephone
upn                     Custom                     userPrincipalName
User Principal Name     Identity Claim             User Principal Name

If you want to create extra outgoing claim mappings, follow these instructions.
Create additional outgoing claim mappings
1. Right-click Contoso, point to New, and then click Outgoing Group Claim Mapping.
2. In Create a New Outgoing Group Claim Mapping, in Organization group claims,
ensure that an appropriate organization claim is specified, in Outgoing group claim
name, type claimName and then click OK.

Step 2: Configuring and Testing Shibboleth as the Service Provider (Scenario 1)
To follow these steps, you must already have Shibboleth installed on the platform of your choice.

Note
For detailed instructions on how to install Shibboleth as a Service Provider (SP), refer to
Appendix C: Installing a Shibboleth SP, then follow the link back to this location and
follow the steps below.

Perform the following steps on sp.contoso.com


Shibboleth general configuration is made by editing the file /etc/shibboleth/shibboleth.xml.
The most important points are highlighted in italicized text.
Edit the file as follows:

...
<RequestMapProvider type="edu.internet2.middleware.shibboleth.sp.provider.NativeRequestMapProvider">
  <RequestMap applicationId="default">
    <Host name="sp.contoso.com">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</RequestMapProvider>
...
<Applications id="default" providerId="urn:federation:sp.contoso.com"
  homeURL="https://sp.contoso.com"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

...
<CredentialsProvider type="edu.internet2.middleware.shibboleth.common.Credentials">
  <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="defcreds">
      <Key>
        <Path>/etc/pki/sp.contoso.com.key</Path>
      </Key>
      <Certificate>
        <Path>/etc/pki/sp.contoso.com.crt</Path>
      </Certificate>
    </FileResolver>
  </Credentials>
</CredentialsProvider>

The key file must be readable by the account shibd runs as, and by nobody else.

Once you have finished the general configuration, you must perform additional Active Directory
Federation Services (ADFS)-specific configuration within the same file
(/etc/shibboleth/shibboleth.xml).
For additional help on this section, visit the following URL:
http://go.microsoft.com/fwlink/?LinkID=125821
Edit the file as follows:

<Extensions>
  <Library path="/opt/shibboleth-sp/libexec/xmlproviders.so" fatal="true"/>
  <Library path="/opt/shibboleth-sp/libexec/adfs.so" fatal="true"/>
</Extensions>

Change the SessionInitiator element to point to A. Datum (the FS-A).

<SessionInitiator isDefault="true" id="adatum"
  Location="/WAYF/adatum.com"
  Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
  wayfURL="https://adfsaccount.adatum.com/adfs/ls/clientlogon.aspx"
  wayfBinding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>

Inside the application section that you want to ADFS-enable, or in the top-level default, locate the
tag <md:AssertionConsumerService> and edit as follows:
Note
The index value of each AssertionConsumerService must be unique within the set.

<md:AssertionConsumerService Location="/SAML/POST" index="1"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="2"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<md:AssertionConsumerService Location="/ADFS" index="3" isDefault="true"
  Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
  ResponseLocation="/"/>

Note
The ResponseLocation attribute is used during an Active Directory Federation Services
(ADFS)-initiated Single Sign-On (SSO) logout and specifies where to send the browser
after the session is terminated.
Create a MetadataProvider element for A. Datum:

<MetadataProvider
  type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
  uri="/opt/shibboleth-sp/etc/shibboleth/adatum-metadata.xml"/>

Edit the adatum-metadata.xml metadata file you referenced above.

In the following section, you configure the metadata (trust policy) on the Shibboleth SP for the
account partner A. Datum.
Ensure that you have the verification certificate data that you exported earlier from the ADFS trust
policy at hand. You must copy it into the appropriate section of the adatum-metadata file.
Create the adatum-metadata.xml file so that it looks like the following example:
Note
You have to ensure that the data in the <ds:X509Certificate> element is your own certificate
data, and that the entityID matches the Federation Service URI of the FS-A exactly
(urn:federation:adatum, as verified in the trust policy above). The SP compares the issuer of
the incoming token with the entityID byte for byte, so a difference in case is enough for the
token to be rejected as coming from an unknown partner. Binding and Location values must
likewise contain no stray leading or trailing whitespace.

<EntitiesDescriptor
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
  xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata /opt/shibboleth-sp/share/xml/shibboleth/saml-schema-metadata-2.0.xsd
    urn:mace:shibboleth:metadata:1.0 /opt/shibboleth-sp/share/xml/shibboleth/shibboleth-metadata-1.0.xsd
    http://www.w3.org/2000/09/xmldsig# /opt/shibboleth-sp/share/xml/shibboleth/xmldsig-core-schema.xsd"
  Name="urn:federation:partners"
  validUntil="2010-01-01T00:00:00Z">

  <EntityDescriptor entityID="urn:federation:adatum">
    <IDPSSODescriptor protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
      <Extensions>
        <shibmd:Scope>adatum.com</shibmd:Scope>
      </Extensions>
      <KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
[base64 certificate data copied from the <X509Certificate> element of the exported trust policy]
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
        Location="https://adfsaccount.adatum.com/adfs/ls/"/>
    </IDPSSODescriptor>
  </EntityDescriptor>

</EntitiesDescriptor>

The Attribute Acceptance Policy is an incoming attribute filter that defines which incoming claims
will be accepted for processing. The only claim we need here is the UPN identity claim, which
the SP exposes to the application as REMOTE_USER (for example
REMOTE_USER=adamcar@adatum.com). Because the rule is marked Scoped="true", the SP
only accepts UPN values whose domain part matches the shibmd:Scope declared for the issuer
in the metadata (adatum.com), so an A. Datum token cannot assert a user@contoso.com identity.
Edit /etc/shibboleth/AAP.xml as follows:

<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:mace:shibboleth:1.0 /opt/shibboleth-sp/share/xml/shibboleth/shibboleth.xsd">

  <AttributeRule Name="http://schemas.xmlsoap.org/claims/UPN" Scoped="true"
    Header="REMOTE_USER" Alias="user">
    <AnySite>
      <AnyValue/>
    </AnySite>
  </AttributeRule>

  <AttributeRule Name="Group" Header="ADFS-Group" Alias="adfsgroup">
    <AnySite>
      <AnyValue/>
    </AnySite>
  </AttributeRule>

</AttributeAcceptancePolicy>
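Copying the Binding and Location URIs above out of a document is where this configuration most often goes wrong: a trailing space in an attribute value, a reused AssertionConsumerService index, or a metadata entityID that differs from the FS-A Federation Service URI only in case all leave the SP unable to match an incoming token to a trusted partner. The following Python script, an added example rather than code from this guide or from Shibboleth, runs those three checks over a shibboleth.xml fragment and a partner metadata file. The sample XML embedded in it is constructed for the example and deliberately contains all three faults.

```python
"""Sanity checks for the Shibboleth SP trust settings described above.

Added example (not part of the guide or of Shibboleth). It parses a
shibboleth.xml <Applications> fragment and the partner metadata and reports:
  * AssertionConsumerService index values that are not unique, or a set
    without exactly one isDefault="true" endpoint
  * attribute values with leading/trailing whitespace (easily picked up when
    copying Binding/Location URIs from a document)
  * no EntityDescriptor whose entityID equals the FS-A Federation Service URI
The two samples below are constructed and intentionally faulty.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
WSFED = "http://schemas.xmlsoap.org/ws/2003/07/secext"

# Constructed sample: trailing space in the third Binding, index 2 used twice.
SAMPLE_SHIB_XML = f"""<Applications id="default" providerId="urn:federation:sp.contoso.com"
    xmlns:md="{MD}">
  <md:AssertionConsumerService Location="/SAML/POST" index="1"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
  <md:AssertionConsumerService Location="/SAML/Artifact" index="2"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
  <md:AssertionConsumerService Location="/ADFS" index="2" isDefault="true"
      Binding="{WSFED} " ResponseLocation="/"/>
</Applications>"""

# Constructed sample: entityID differs from the FS-A URI only in case.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD}" Name="urn:federation:partners">
  <EntityDescriptor entityID="urn:federation:Adatum">
    <IDPSSODescriptor protocolSupportEnumeration="{WSFED}">
      <SingleSignOnService Binding="{WSFED}"
          Location="https://adfsaccount.adatum.com/adfs/ls/"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def check_attribute_whitespace(root):
    """Every attribute value in the tree must be free of surrounding whitespace."""
    findings = []
    for el in root.iter():
        for name, value in el.attrib.items():
            if value != value.strip():
                tag = el.tag.split("}")[-1]
                findings.append(f"{tag}@{name}: value {value!r} has surrounding whitespace")
    return findings


def check_acs_endpoints(root):
    """Indexes must be unique and exactly one endpoint must be the default."""
    findings, seen, defaults = [], {}, 0
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        idx = acs.get("index")
        if idx in seen:
            findings.append(f"AssertionConsumerService index {idx} used twice "
                            f"({seen[idx]} and {acs.get('Location')})")
        seen[idx] = acs.get("Location")
        if acs.get("isDefault", "false").lower() == "true":
            defaults += 1
    if defaults != 1:
        findings.append(f"expected exactly one default AssertionConsumerService, found {defaults}")
    return findings


def check_partner_entity_ids(metadata_root, expected_uris):
    """The SP matches the token issuer (the FS-A Federation Service URI) against
    entityID byte for byte, so the case must agree as well."""
    findings = []
    found = {e.get("entityID") for e in metadata_root.iter(f"{{{MD}}}EntityDescriptor")}
    for uri in expected_uris:
        if uri not in found:
            near = [f for f in found if f.lower() == uri.lower()]
            hint = f" (found {near[0]!r}, differs only in case)" if near else ""
            findings.append(f"no EntityDescriptor with entityID {uri!r}{hint}")
    return findings


def lint(shib_xml, metadata_xml, partner_uris):
    """Return a list of human-readable findings; an empty list means clean."""
    shib, md = ET.fromstring(shib_xml), ET.fromstring(metadata_xml)
    return (check_attribute_whitespace(shib) + check_attribute_whitespace(md)
            + check_acs_endpoints(shib) + check_partner_entity_ids(md, partner_uris))


if __name__ == "__main__":
    for finding in lint(SAMPLE_SHIB_XML, SAMPLE_METADATA, ["urn:federation:adatum"]):
        print("FINDING:", finding)
```

To run it against a real deployment, read /etc/shibboleth/shibboleth.xml and adatum-metadata.xml into the two string arguments and pass the Federation Service URI shown in the FS-A trust policy as the expected entityID.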

Testing the Federation Scenario 1


In this scenario, Adam Carter from A. Datum will access the federated sample application at
contoso.com.
Note
You may be prompted in Security Alert for certificate information. To install certificates,
click View Certificate and then click Install, or you can click Yes each time that you are
prompted. Each Security Alert displays the message "The security certificate was issued
by a company you have not chosen to trust." This is expected behavior because self-signed
certificates, or certificates issued by the lab root CA, are used for the purposes of this guide.
To access the contoso.com application
1. Log on to the ADFS Account client computer (adfsclient.adatum.com) as Adamcar, with
the password pass@word1.
2. Open a browser, and navigate to https://sp.contoso.com/secure/index.shtml.


3. You will be redirected to the account partner, where you will be authenticated.
4. If authentication is successful you will be redirected again, this time to the Shibboleth SP,
which will verify that the Security Assertion Markup Language (SAML) token was signed
by a trusted partner before processing the data to be used for authorization to the
resource originally requested by the client.
Note
You can follow the full trace of the traffic by referring to the trace log of the HTTP headers
in Appendix D: Trace log of HTTP Headers SP to FS-A.

Step 3: Configuring Shibboleth as the Identity Provider (Scenario 2)
For the second scenario, use the second Debian virtual machine. For instructions on how to
install the Debian operating system, refer to Appendix A: Preparing the SP Debian Platform.
The instructions to install Shibboleth as an IdP are located in Appendix G: Installing Shibboleth
IdP.
Notes

The instructions to install Shibboleth as an IdP differ slightly from those for an SP, hence there
are two appendices for the install.

For clarification, the IdP is Java-based (it requires a Java runtime environment and a servlet
container, and is therefore cross-platform). The SP, on the other hand, is written in C++ (there
are versions for Unix and Windows) and requires a Web server (Apache or IIS).

The rest of this section covers how to configure Shibboleth as an IdP.

The picture below describes the components to install and configure:

Configure the Shibboleth IdP


Start with one or two general settings, which are configured in the IdP configuration file
$IDP_HOME/etc/idp.xml.
Replace all occurrences of idp.example.org with idp.contoso.com.
The other important configuration points are italicized below; edit the file accordingly:

<IdPConfig
xmlns="urn:mace:shibboleth:idp:config:1.0"
xmlns:cred="urn:mace:shibboleth:credentials:1.0"
xmlns:name="urn:mace:shibboleth:namemapper:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0
../schemas/shibboleth-idpconfig-1.0.xsd"
AAUrl="https://idp.contoso.com:8443/shibboleth-idp/AA"
resolverConfig="file:/usr/local/shibboleth-idp/etc/resolver.xml"
defaultRelyingParty="urn:federation:partners"
providerId="urn:federation:idp.contoso.com">

The defaultRelyingParty property is simply a custom-defined name for the global metadata within
which each partner will have their own separate section.
Edit the file to add a RelyingParty element matching the defaultRelyingParty name:
<RelyingParty name="urn:federation:partners" signingCredential="cred">
  <NameID nameMapping="shm_adfs"/>
</RelyingParty>

Edit the file to add a name mapping element that will generate the user principal name
(UPN) identity claim for ADFS. The principal name is qualified with the configured scope, so
the user philip is asserted to ADFS as philip@contoso.com.

<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="shm_adfs"
  format="http://schemas.xmlsoap.org/claims/UPN"
  class="edu.internet2.middleware.shibboleth.common.provider.UPNNameIdentifierMapping"
  handleTTL="28800" scope="contoso.com"/>

Edit the file to specify a fileresolver for the key pair that will sign the SAML assertions

<FileResolver Id="cred">
<Key>
<Path>file:/etc/pki/idp.contoso.com.key</Path>
</Key>
<Certificate>
<Path>file:/etc/pki/idp.contoso.com.crt</Path>
</Certificate>
</FileResolver>

Edit the file to add a protocol handler; this is the Shibboleth IdP endpoint for ADFS. The
Location is a regular expression: it matches requests on the default HTTPS port, with or
without an explicit :443, which is the port the FS-R is pointed at in Step 4.

<ProtocolHandler
  implementation="edu.internet2.middleware.shibboleth.idp.provider.ADFS_SSOHandler">
  <Location>https?://[^:/]+(:443)?/shibboleth-idp/ADFS</Location>
</ProtocolHandler>

Edit the file to add a MetadataProvider element that references the metadata file which
contains the trust settings for your ADFS resource partner.

<MetadataProvider
  type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
  uri="file:/usr/local/shibboleth-idp/etc/treyresearch-metadata.xml"/>

Create the metadata file /usr/local/shibboleth-idp/etc/treyresearch-metadata.xml and edit it so it
looks like the example below. The entityID must be exactly the FS-R's Federation Service URI as
displayed in its trust policy (see Confirming the trust policy in Step 4); ADFS sends that URI as
the wtrealm of its sign-in request, and the IdP only answers requests for a realm it finds in its
metadata. No certificate is needed here: the FS-R verifies the IdP's signature, not the reverse.

See also: http://go.microsoft.com/fwlink/?LinkID=125821

<EntitiesDescriptor
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
  xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd
    urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd
    http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
  Name="urn:federation:partners"
  validUntil="2010-01-01T00:00:00Z">

  <EntityDescriptor entityID="urn:federation:treyresearch">
    <SPSSODescriptor protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
      <AssertionConsumerService index="1" isDefault="true"
        Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
        Location="https://adfsresource.treyresearch.net/adfs/ls/"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
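The adatum-metadata.xml file in Step 2 and the treyresearch-metadata.xml file above differ only in the role ADFS plays, and the note on the exported trust policy in Step 1 points out that turning trust policy values into Shibboleth metadata could be scripted. The following Python script is an added example, not code from this guide, from Shibboleth or from ADFS, that does exactly that for both scenarios from the Federation Service URI, the Federation Service endpoint URL and, for an account partner, the token-signing certificate as PEM or as the bare text of the <X509Certificate> element; the certificate it runs on is a constructed placeholder, not a real one.

```python
"""Build Shibboleth partner metadata for an ADFS federation server.

Added example, not code from the guide, from Shibboleth or from ADFS.
  * role "idp": ADFS is the account partner (FS-A) of a Shibboleth SP, so it
    is described by an IDPSSODescriptor with its token-signing certificate
    and its /adfs/ls/ endpoint as the SingleSignOnService (adatum-metadata.xml).
  * role "sp":  ADFS is the resource partner (FS-R) of a Shibboleth IdP, so it
    gets an SPSSODescriptor whose AssertionConsumerService is the FS-R's
    /adfs/ls/ endpoint; no certificate is needed (treyresearch-metadata.xml).
The Federation Service URI becomes the entityID verbatim, case included.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from xml.dom import minidom

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
WSFED = "http://schemas.xmlsoap.org/ws/2003/07/secext"

# Constructed placeholder: a DER SEQUENCE (0x30) of 64 zero bytes in PEM armour.
# It is NOT a certificate; use the exported FS-A token-signing certificate.
FAKE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(b"\x30\x40" + bytes(64)).decode()
                 + "-----END CERTIFICATE-----\n")


def certificate_base64(text):
    """Normalise a certificate to the bare base64 DER <ds:X509Certificate>
    expects: drop PEM armour and whitespace, check it is valid base64 and
    that it decodes to an ASN.1 SEQUENCE, which every X.509 certificate
    starts with (catches a truncated or mangled paste)."""
    b64 = "".join(line.strip() for line in text.splitlines()
                  if line.strip() and not line.strip().startswith("-----"))
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}")
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER certificate (no leading SEQUENCE)")
    return b64


def adfs_partner_metadata(fs_uri, fs_endpoint, role, cert_text=None, scope=None,
                          name="urn:federation:partners",
                          valid_until="2010-01-01T00:00:00Z"):
    """Return an EntitiesDescriptor document describing one ADFS partner."""
    ET.register_namespace("", MD)
    ET.register_namespace("ds", DS)
    ET.register_namespace("shibmd", SHIBMD)
    ents = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name=name, validUntil=valid_until)
    ent = ET.SubElement(ents, f"{{{MD}}}EntityDescriptor", entityID=fs_uri)
    if role == "idp":
        if cert_text is None:
            raise ValueError("an FS-A needs its token-signing certificate in the metadata")
        desc = ET.SubElement(ent, f"{{{MD}}}IDPSSODescriptor", protocolSupportEnumeration=WSFED)
        if scope:  # the only @domain this FS-A may assert in scoped attributes such as UPN
            ext = ET.SubElement(desc, f"{{{MD}}}Extensions")
            ET.SubElement(ext, f"{{{SHIBMD}}}Scope").text = scope
        kd = ET.SubElement(desc, f"{{{MD}}}KeyDescriptor", use="signing")
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = certificate_base64(cert_text)
        ET.SubElement(desc, f"{{{MD}}}SingleSignOnService", Binding=WSFED, Location=fs_endpoint)
    elif role == "sp":
        desc = ET.SubElement(ent, f"{{{MD}}}SPSSODescriptor", protocolSupportEnumeration=WSFED)
        ET.SubElement(desc, f"{{{MD}}}AssertionConsumerService", index="1", isDefault="true",
                      Binding=WSFED, Location=fs_endpoint)
    else:
        raise ValueError("role must be 'idp' or 'sp'")
    return minidom.parseString(ET.tostring(ents)).toprettyxml(indent="  ")


def metadata_summary(xml_text):
    """Read back the essentials of a partner metadata file; also handy for
    checking a hand-written adatum-metadata.xml."""
    ent = ET.fromstring(xml_text).find(f"{{{MD}}}EntityDescriptor")
    is_idp = ent.find(f"{{{MD}}}IDPSSODescriptor") is not None
    endpoint = ent.find(f".//{{{MD}}}SingleSignOnService" if is_idp
                        else f".//{{{MD}}}AssertionConsumerService")
    cert = ent.find(f".//{{{DS}}}X509Certificate")
    scope = ent.find(f".//{{{SHIBMD}}}Scope")
    return {"entityID": ent.get("entityID"), "role": "idp" if is_idp else "sp",
            "endpoint": endpoint.get("Location"),
            "certificate": cert.text.strip() if cert is not None else None,
            "scope": scope.text if scope is not None else None}


if __name__ == "__main__":
    # Values as shown in this guide's trust policy checks; placeholder certificate.
    print(adfs_partner_metadata("urn:federation:adatum", "https://adfsaccount.adatum.com/adfs/ls/",
                                "idp", FAKE_CERT_PEM, scope="adatum.com"))
    print(adfs_partner_metadata("urn:federation:treyresearch",
                                "https://adfsresource.treyresearch.net/adfs/ls/", "sp"))
```

Redirect the output of each call into the metadata file named in the matching MetadataProvider element, and feed cert_text either the PEM file exported from the ADFS snap-in or the text between the <X509Certificate> tags of the exported trust policy; both forms are accepted.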

Next, configure the attribute store. The attributes must be resolved from the IdP's directory
(here an LDAP directory on the IdP host) and given an ID and namespace that Active Directory
Federation Services (ADFS) understands, so that they can be used as an identity claim, custom
claim or group claim. The bind credentials in this file are stored in clear text, so keep
resolver.xml readable only by the account Tomcat runs as.
Modify the /usr/local/shibboleth-idp/etc/resolver.xml file as follows:

<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:mace:shibboleth:resolver:1.0"
xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver1.0.xsd">

<SimpleAttributeDefinition id="sn"
namespace="http://schemas.xmlsoap.org/claims" sourceName="sn">
<DataConnectorDependency requires="directory"/>

</SimpleAttributeDefinition>

<SimpleAttributeDefinition id="CommonName"
namespace="http://schemas.xmlsoap.org/claims" sourceName="sn">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>

<SimpleAttributeDefinition id="mail"
namespace="http://schemas.xmlsoap.org/claims" sourceName="mail">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>

<SimpleAttributeDefinition id="Group"
namespace="http://schemas.xmlsoap.org/claims"
sourceName="eduPersonAffiliation">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>

<JNDIDirectoryDataConnector id="directory">
<Search filter="uid=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
</Search>

<Property name="java.naming.factory.initial"
value="com.sun.jndi.ldap.LdapCtxFactory" />
<Property name="java.naming.provider.url"
value="ldap://localhost/dc=contoso,dc=com" />
<Property name="java.naming.security.principal"
value="cn=admin,dc=contoso,dc=com" />
<Property name="java.naming.security.credentials" value="p@ssw0rd" />
<Property name="java.naming.referral" value="follow" />
<Property name="java.naming.ldap.derefAliases" value="never" />
</JNDIDirectoryDataConnector>
</AttributeResolver>

Once you have configured the resolver as in the above example, you should test it. A test tool
called resolvertest is available for this purpose.
Test the resolver

cd $IDP_HOME/bin
./resolvertest --resolverxml=file:///usr/local/shibboleth-idp/etc/resolver.xml --user=philip
Received the following from the Attribute Resolver:

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  AttributeName="mail"
  AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>philip@contoso.com</AttributeValue></Attribute>

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  AttributeName="sn"
  AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>Brusten</AttributeValue></Attribute>

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  AttributeName="CommonName"
  AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>Brusten</AttributeValue></Attribute>

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  AttributeName="Group"
  AttributeNamespace="http://schemas.xmlsoap.org/claims"><AttributeValue>member</AttributeValue><AttributeValue>staff</AttributeValue><AttributeValue>employee</AttributeValue></Attribute>

In order to release these attributes to the partners of this IdP, you have to add the attributes to the
Attribute Release Policy (ARP). To keep it simple, we will release all four attributes to all trusted
partners (AnyTarget); in a production deployment, scope the rule to the relying party that
actually needs each attribute.
Edit $IDP_HOME/etc/arps/arp.site.xml

<?xml version="1.0" encoding="UTF-8"?>


<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="urn:mace:shibboleth:arp:1.0"
  xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
<Description>Simplest possible ARP.</Description>
<Rule>
<Target>
<AnyTarget/>
</Target>
<Attribute name="sn">
<AnyValue release="permit"/>
</Attribute>
<Attribute name="CommonName">
<AnyValue release="permit"/>
</Attribute>
<Attribute name="mail">
<AnyValue release="permit"/>
</Attribute>
<Attribute name="Group">
<AnyValue release="permit"/>
</Attribute>
</Rule>
</AttributeReleasePolicy>

Restart Tomcat.

/etc/init.d/tomcat restart
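The ARP above releases every attribute to every partner. As an added example (not part of the guide or of the Shibboleth code), the following Python evaluates an ARP with the Shibboleth 1.3 rule semantics (a rule applies when its Target matches the requester, and a deny on a value overrides any permit) against a constructed per-partner policy; the requester name urn:federation:treyresearch.net for the ADFS resource partner and the user's attribute values are assumptions.

```python
"""Offline evaluator for a Shibboleth 1.3 Attribute Release Policy (ARP).

Added example, not from the guide. Rule semantics modelled on the 1.3 IdP:
a <Rule> applies when its <Target> matches the requesting partner, each
<Attribute> in an applicable rule contributes permit/deny decisions per
value, and a deny always wins over a permit.
"""
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"

# Constructed policy (assumption): sn and mail go to any partner, CommonName
# and Group only to the ADFS resource partner, and the Group value
# "employee" is never released to anyone.
SAMPLE_ARP = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Description>Constructed per-partner ARP</Description>
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="sn"><AnyValue release="permit"/></Attribute>
    <Attribute name="mail"><AnyValue release="permit"/></Attribute>
  </Rule>
  <Rule>
    <Target><Requester>urn:federation:treyresearch.net</Requester></Target>
    <Attribute name="CommonName"><AnyValue release="permit"/></Attribute>
    <Attribute name="Group"><AnyValue release="permit"/></Attribute>
  </Rule>
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="Group"><Value release="deny">employee</Value></Attribute>
  </Rule>
</AttributeReleasePolicy>
"""

# Constructed attribute values for the user "chris" (assumption).
SAMPLE_USER = {
    "sn": ["Brusten"],
    "CommonName": ["Brusten"],
    "mail": ["chris@contoso.com"],
    "Group": ["member", "staff", "employee"],
}


def _tag(name):
    return "{%s}%s" % (ARP_NS, name)


def target_matches(target, requester):
    """True if a <Target> applies to `requester` (AnyTarget or an exact Requester)."""
    if target.find(_tag("AnyTarget")) is not None:
        return True
    for req in target.findall(_tag("Requester")):
        if (req.text or "").strip() == requester:
            return True
    return False


def evaluate_arp(arp_xml, requester, user_attributes):
    """Return {name: [values]} that the IdP may release to `requester`.

    `user_attributes` is {name: [values]} as resolved by the attribute
    resolver. A value is released only when some applicable rule permits
    it and no applicable rule denies it.
    """
    root = ET.fromstring(arp_xml)
    permits, denies = {}, {}          # name -> set of values; None means "any"
    for rule in root.findall(_tag("Rule")):
        target = rule.find(_tag("Target"))
        if target is None or not target_matches(target, requester):
            continue
        for attr in rule.findall(_tag("Attribute")):
            name = attr.get("name")
            for spec in attr:
                bucket = permits if spec.get("release", "permit") == "permit" else denies
                values = bucket.setdefault(name, set())
                if spec.tag == _tag("AnyValue"):
                    values.add(None)
                elif spec.tag == _tag("Value"):
                    values.add((spec.text or "").strip())

    released = {}
    for name, values in user_attributes.items():
        p = permits.get(name, set())
        d = denies.get(name, set())
        keep = [v for v in values
                if (None in p or v in p) and not (None in d or v in d)]
        if keep:
            released[name] = keep
    return released
```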

35

Step 4: Configuring and Testing ADFS as the Resource Partner (Scenario 2)
Active Directory Federation Services (ADFS) is already installed on the FS-R
(adfsresource.treyresearch.net), the trust policy is configured, and it is also pre-configured with a
number of applications hosted on IIS 6.0. We will use these applications rather than creating any
new ones. However, you have to configure a new account partner for IdP.contoso.com.

Confirming the trust policy


1. Click Start, point to Programs, point to Administrative Tools, and then click Active
Directory Federation Services.
2. In the ADFS snap-in, expand Federation Service, right-click Trust Policy, and then click
Properties.
3. In Trust Policy Properties, confirm that the value for Federation Service URI is
urn:federation:treyresearch.net, and the value of Federation Service endpoint URL
is https://adfsresource.treyresearch.net/adfs/ls/.
4. In Trust Policy Properties, click OK.
Note
The resource partner has not yet obtained a copy of the IdP verification certificate. You
must acquire this certificate before you attempt to access the application.

Add a new account partner

To add a new account partner
1. In the ADFS snap-in, expand Partner Organizations, and then click Account Partners.
2. Right-click Account Partners, point to New, and then click Account Partner.
3. On the Welcome to the Add Account Partner Wizard page, click Next.
4. On the Import Policy File page, click Next.
5. On the Account Partner Details page, in Display name, type contoso.com, in
Federation Service URI, type urn:federation:idp.contoso.com, in Federation Service
endpoint URL, type https://idp.contoso.com/shibboleth-idp/ADFS, and then click
Next.
6. On the Account Partner Verification Certificate page, click Browse.
7. In Browse for Verification Certificate file, navigate to C:\, click adfsaccount_ts.cer and
then click Open.
8. On the Account Partner Verification Certificate page, click Next.
9. On the Federation Scenario page, click Next.
10. On the Account Partner Identity Claim page, select UPN Claim and then click Next.

11. On the Accepted UPN Suffixes page, in Add a new suffix, type contoso.com, click
Add, and then click Next.
12. On the Enable this Account Partner page, click Next.
13. On the Completing the Add Account Partner Wizard page, click Finish.

Test the Federation Scenario 2


Before you start this section, you must have completed the OpenLDAP configuration
described in Appendix F: Installing OpenLDAP.
In this scenario, you test access to an application hosted and protected by A. Datum by using
the local host computer (you will have to add a loopback adaptor on the host to do this) to
connect to the application URL and, when asked for credentials, supplying one of the users created
in OpenLDAP, as follows:
To access the claims-aware application
1. Open a browser window on the host client computer and then navigate to
https://adfsweb.treyresearch.net:8081/claimapp/.
2. When you are prompted for your home realm, click contoso.com, and then click Submit.
3. When you are prompted for credentials, type the user name chris, and the password
p@ssw0rd.
At this point the claims-aware application appears in the browser. You can see which claims
were sent to the Web server in the SingleSignOnIdentity.SecurityPropertyCollection section
of the sample application. You will find a complete trace log of the http traffic for this test in
Appendix H: Trace log of HTTP Headers IdP to FS-R.

Appendix A: Preparing the SP Debian Platform
The instructions show you how to install the Debian (etch) platform that is to be used as a service
provider (SP).
Make sure you have a system that is up-to-date.
apt-get update
apt-get upgrade

Install an SSH server, so you can access the server through SSH.
apt-get install openssh-server -y


Install some useful utilities.
apt-get install tcpdump lynx less vim rcs psmisc -y

Install ntpdate and openntpd to synchronize the clock with a time server; Security Assertion Markup
Language (SAML) assertions carry a validity window, so they are only accepted while the clocks of the
parties agree.
apt-get install ntpdate openntpd

Appendix B: Setting up Apache 2.2.3


These instructions will help you to install and configure Apache 2.2.3 in accordance with the
scenario instructions in the main body of the document.
Install Apache 2.2.3. We used the threaded version.
apt-get install apache2-mpm-worker

Enable Secure Sockets Layer (SSL) and include module and reload.
a2enmod ssl
a2enmod include
apache2ctl graceful

Configure Apache to listen on port 443 (/etc/apache2/sites-available/ports.conf).


Listen 80
Listen 443

Create a new site at /etc/apache2/sites-available/ssl.


<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName sp.contoso.com

    SSLEngine On
    SSLCertificateFile /etc/pki/sp.contoso.com.crt
    SSLCertificateKeyFile /etc/pki/sp.contoso.com.key
    SSLCertificateChainFile /etc/pki/rootCA.crt

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews +Includes
        AllowOverride None
        Order allow,deny
        allow from all

        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
    </Directory>

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
</VirtualHost>

Enable the SSL site.


a2ensite ssl

Change /etc/apache2/sites-available/default.
NameVirtualHost *:80
<VirtualHost *:80>

Make sure Apache is configured correctly, and reload.


apache2ctl configtest
Syntax ok
apache2ctl graceful

Appendix C: Installing a Shibboleth SP


Follow the steps in this appendix to install Shibboleth as a resource partner role (SP).
See also:
http://go.microsoft.com/fwlink/?LinkID=125826
Get the build requirements:
apt-get install build-essential -y
apt-get install openssl -y
apt-get install libssl-dev -y
apt-get install libcurl3-openssl-dev -y
apt-get install apache2-threaded-dev -y

Create installation files directory:


mkdir /root/shibboleth

Set up environment variables:


export SHIB_INSTALL=/root/shibboleth/
export SHIB_HOME=/opt/shibboleth-sp
export XERCESCROOT=$SHIB_INSTALL/xerces-c-src_2_8_0/

Get all source packages:


cd $SHIB_INSTALL

wget http://shibboleth.internet2.edu/downloads/log4shib/1.0/log4shib-1.0.tar.gz
wget http://apache.spegulo.be/xerces/c/xerces-c-src-current.tar.gz
1.4.0.tar.gz
wget http://shibboleth.internet2.edu/downloads/opensaml/cpp/1.1.1/opensaml-1.1.1.tar.gz
wget http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/1.3.1/shibboleth-sp-1.3.1.tar.gz

Unpack all source files.


tar xzf log4shib-1.0.tar.gz
tar xzf opensaml-1.1.1.tar.gz
tar xzf shibboleth-sp-1.3.1.tar.gz
tar xzf xerces-c-src-current.tar.gz
tar xzf xml-security-c-1.4.0.tar.gz

Now we can start compiling. Start with log4shib.


cd $SHIB_INSTALL/log4shib-1.0
./configure --disable-static --disable-doxygen --prefix=$SHIB_HOME
make
make install

Xerces
cd $SHIB_INSTALL/xerces-c-src_2_8_0/src/xercesc/
./runConfigure -p linux -r pthread -P $SHIB_HOME
make
make install

XML security
cd $SHIB_INSTALL/xml-security-c-1.4.0/
./configure --without-xalan --prefix=$SHIB_HOME
make
make install

OpenSAML
cd $SHIB_INSTALL/opensaml-1.1.1/
./configure --with-log4shib=$SHIB_HOME --prefix=$SHIB_HOME -C
make
make install

Shibboleth-SP
cd $SHIB_INSTALL/shibboleth-1.3.1
#./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME/
./configure --prefix=$SHIB_HOME --with-log4shib=$SHIB_HOME/ --with-apxs22=/usr/bin/apxs2
make
make install

Create some useful directories:


ln -s $SHIB_HOME/etc/shibboleth /etc/shibboleth
#./ln -s $SHIB_HOME/var/log /var/log/shibboleth

Set up the startup script for the Shibboleth daemon (shibd):


cp /etc/shibboleth/shibd-debian /etc/init.d/shibd
chmod +x /etc/init.d/shibd
update-rc.d shibd defaults

Create a file /etc/apache2/mods-available/shibd.load


#
# Load the SHIBBOLETH module
#
LoadModule mod_shib /opt/shibboleth-sp/libexec/mod_shib_22.so

Create a file /etc/apache2/mods-available/shibd.conf


#
# Global Configuration
# This is the XML file that contains all the global, non-apache-specific
# configuration. Look at this file for most of your configuration
# parameters.
#
ShibSchemaDir /opt/shibboleth-sp/share/xml/shibboleth
ShibConfig /opt/shibboleth-sp/etc/shibboleth/shibboleth.xml

#
# Used for example logo and style sheet in error templates.
#
<IfModule mod_alias.c>
<Location /shibboleth-sp>
Allow from all
</Location>
Alias /shibboleth-sp/main.css /opt/shibboleth-sp/share/doc/shibboleth/main.css
Alias /shibboleth-sp/logo.jpg /opt/shibboleth-sp/share/doc/shibboleth/logo.jpg
</IfModule>

#
# Configure the module for content
#
# You can now do most of this in shibboleth.xml using the RequestMap
# but you MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
<Location /secure>
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>

Enable the module:


a2enmod shib


Test the apache configuration:

apache2ctl configtest
Syntax OK

Reload
apache2ctl graceful

Appendix D: Trace log of HTTP Headers SP to FS-A
This section shows a trace of the HTTP traffic that is created when the client tries to access the
resource https://sp.contoso.com/secure/index.shtml.

GET /secure/index.shtml HTTP/1.1


Host: sp.contoso.com
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: _saml_idp=dXJuOmZlZGVyYXRpb246YWRhdHVt

HTTP/1.x 302 Found
Date: Tue, 13 May 2008 15:10:52 GMT
Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: _shibstate_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=https%3A%2F%2Fsp.contoso.com%2Fsecure%2Findex.shtml; path=/
Location: https://adfsaccount.adatum.com/adfs/ls/clientlogon.aspx?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
Content-Length: 521
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
https://adfsaccount.adatum.com/adfs/ls/clientlogon.aspx?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com

GET /adfs/ls/clientlogon.aspx?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com HTTP/1.1
Host: adfsaccount.adatum.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Found
Date: Tue, 13 May 2008 15:11:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 315
----------------------------------------------------------
https://adfsaccount.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com

GET /adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com HTTP/1.1
Host: adfsaccount.adatum.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Tue, 13 May 2008 15:11:31 GMT
----------------------------------------------------------
https://adfsaccount.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com

GET /adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com HTTP/1.1
Host: adfsaccount.adatum.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

HTTP/1.x 401 Unauthorized
Content-Length: 1539
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM [base64 NTLM challenge omitted]
X-Powered-By: ASP.NET
Date: Tue, 13 May 2008 15:11:32 GMT
----------------------------------------------------------
https://adfsaccount.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com

GET /adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com HTTP/1.1
Host: adfsaccount.adatum.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Authorization: NTLM [base64 NTLM authenticate message omitted]

HTTP/1.x 200 OK
Date: Tue, 13 May 2008 15:11:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: _WebSsoAuth=[opaque cookie value omitted]; path=/adfs/ls/; secure; HttpOnly


Set-Cookie: _WebSsoAuth0=[opaque cookie value omitted]; path=/adfs/ls/; secure; HttpOnly
Set-Cookie: _LSCleanup=2008-05-13:15:11:32Zr0urn:federation:sp.contoso.com; path=/adfs/ls/; secure; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 4811
----------------------------------------------------------
https://sp.contoso.com/Shibboleth.sso/ADFS

POST /Shibboleth.sso/ADFS HTTP/1.1
Host: sp.contoso.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: https://adfsaccount.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
Cookie: _saml_idp=dXJuOmZlZGVyYXRpb246YWRhdHVt; _shibstate_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=https%3A%2F%2Fsp.contoso.com%2Fsecure%2Findex.shtml
Content-Type: application/x-www-form-urlencoded
Content-Length: 4593


wa=wsignin1.0&wresult=%3Cwst%3ARequestSecurityTokenResponse+xmlns%3Awst%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%3E%3Cwst%3ARequestedSecurityToken%3E
%3Csaml%3AAssertion+AssertionID%3D%22_44d33665-4a30-403c-97e8-3d3c84ca5dab%22+IssueInstant
%3D%222008-05-13T15%3A11%3A32Z%22+Issuer%3D%22urn%3Afederation%3Aadatum%22+MajorVersion%3D
%221%22+MinorVersion%3D%221%22+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Aassertion%22%3E%3Csaml%3AConditions+NotBefore%3D%222008-05-13T15%3A11%3A32Z
%22+NotOnOrAfter%3D%222008-05-13T16%3A11%3A32Z%22%3E%3Csaml%3AAudienceRestrictionCondition
%3E%3Csaml%3AAudience%3Eurn%3Afederation%3Asp.contoso.com%3C%2Fsaml%3AAudience%3E%3C
%2Fsaml%3AAudienceRestrictionCondition%3E%3C%2Fsaml%3AConditions%3E%3Csaml%3AAdvice%3E
%3Cadfs%3ACookieInfoHash+xmlns%3Aadfs%3D%22urn%3Amicrosoft%3Afederation
%22%3ERCIbqH23lW4bfE58k1lr8NqErdY%3D%3C%2Fadfs%3ACookieInfoHash%3E%3C%2Fsaml%3AAdvice%3E
%3Csaml%3AAuthenticationStatement+AuthenticationInstant%3D%222008-05-13T15%3A11%3A32Z
%22+AuthenticationMethod%3D%22urn%3Afederation%3Aauthentication%3Awindows%22%3E%3Csaml
%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org
%2Fclaims%2FUPN%22%3Eadamcar%40adatum.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml
%3ASubject%3E%3C%2Fsaml%3AAuthenticationStatement%3E%3Csaml%3AAttributeStatement%3E%3Csaml
%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org
%2Fclaims%2FUPN%22%3Eadamcar%40adatum.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml
%3ASubject%3E%3Csaml%3AAttribute+AttributeName%3D%22Group%22+AttributeNamespace%3D%22http
%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Etokenapp%3C%2Fsaml
%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3C%2Fsaml%3AAttributeStatement%3E
%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E
%3CSignedInfo%3E%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3CSignatureMethod+Algorithm%3D%22http%3A%2F
%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22+%2F%3E%3CReference+URI%3D
%22%23_44d33665-4a30-403c-97e8-3d3c84ca5dab%22%3E%3CTransforms%3E%3CTransform+Algorithm%3D
%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22+%2F%3E
%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F
%3E%3C%2FTransforms%3E%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23sha1%22+%2F%3E%3CDigestValue%3E%2FeabcxxZxRFXeF4aUiRnhmTpP9g%3D
%3C%2FDigestValue%3E%3C%2FReference%3E%3C%2FSignedInfo%3E%3CSignatureValue%3EJoemdGW%2Bd
%2FEvFe9EAtgnf09BWsMiDSsyL4tjkQ5oS8xN%2FrkYpUgUzDSEbiKY62J2tGthu%2FfpKSzVxK%2Fe
%2F05Tvb6UqZpoerNJBTiW23tDekxnm30Z0%2FGse9mPBZOUyPToMCPQwG6mSQ2DGH1B0Q1f5QTf8Ts5za%2B
%2Fs6nM0kDxadA4wbMRumLQoU7d6e8VZHZET2h123qGE9aEVz%2FQknHgKwIGt03fmFqN7tPEju8L8LoYlw7f
%2FSIhzUapkGEb9nICkZyaJBgAUAlzmgjfp%2F4p7coFe%2F%2BU4Y1TVGGkup4NS9borSHRWfDAhIExe1Td0R
%2FG7yiN9B3i4tmp9LC8B4uENw%3D%3D%3C%2FSignatureValue%3E%3CKeyInfo%3E%3CX509Data%3E
%3CX509Certificate%3EMIIC0DCCAbygAwIBAgIQ4B
%2BbbxPCYoVPdGkNqYQ79TAJBgUrDgMCHQUAMCgxJjAkBgNVBAMTHUZlZGVyYXRpb24gU2VydmVyIGFkZnNhY2NvdW
50MB4XDTA4MDMyMDIxMDkzOFoXDTA5MDMyMTAzMDkzOFowKDEmMCQGA1UEAxMdRmVkZXJhdGlvbiBTZXJ2ZXIgYWRm
c2FjY291bnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnjxLNHe1TmGuB%2F
%2BlFqNij1ryejrV8rJkjZgwaWNEG1dOisz38piIpTBKNWqNBpGR1JHu8037oCSXghayxX0ChvKGBKVxoZWpVHOORy
wfLe%2FC1TD4x54PjZspfGMbSR%2FW5LbK5YUwo4TTKi8iLJZVLHfBfaGp9U5viYv79LpLexUea4j3tc8L7qv
%2FimxfHdLhtBQH5HBZ4%2FwTOh5%2FgSVX6AFjpC%2FkSDQ5LJuScrJr5A4XIlppjWwoSafXNrhzw17iI03yw38n
%2FBokA%2Ft46qmx%2Bz4ui3nzbTY7sHluarrcqRB9ly8newCUUT1dZb%2BnhK1YoDoC3UiIOEHg
%2FwqjqweidAgMBAAEwCQYFKw4DAh0FAAOCAQEAlj9xtte9YK9IB2kc%2FzQtURYryJV8GxTaYaGkPWI
%2BW3MPK1FNUSSLNLtfknhYpPkAr7PJUjDyaHKF3pOYIkTy7iS8ZVCLIFQRnJsMS3j6PQo2IL
%2BRruNDCIFsxg8yWghx7Yref7bUF5Mndc3KggTmDSPqoCGb67Dr0ypwTaGxAfXCUL1gqp4zIV2ysILL20VLjra2bV
2h0%2Bsvca90Ux9bfDOeNaCfPNKiIEEx4tMFUAX0snsAc4ocaRai
%2BMnaO4JjxCYuEdI9Fc7GDRf3Vm0e9CipWkN4XgXbu74EtMIRQelLQ7z4kIfWGGqmH2UJ%2FitnAuw
%2FQ6rqpBS0daaEB3FXdQ%3D%3D%3C%2FX509Certificate%3E%3C%2FX509Data%3E%3C%2FKeyInfo%3E%3C
%2FSignature%3E%3C%2Fsaml%3AAssertion%3E%3C%2Fwst%3ARequestedSecurityToken%3E%3Cwsp
%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy
%22%3E%3Cwsa%3AEndpointReference+xmlns%3Awsa%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws
%2F2004%2F08%2Faddressing%22%3E%3Cwsa%3AAddress%3Eurn%3Afederation%3Asp.contoso.com%3C
%2Fwsa%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3C%2Fwst
%3ARequestSecurityTokenResponse%3E&wctx=cookie

HTTP/1.x 302 Found
Date: Tue, 13 May 2008 15:11:01 GMT
Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: _shibsession_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=_8321642afcaed806700b192abd3cf2a5; path=/
Set-Cookie: _saml_idp=dXJuOmZlZGVyYXRpb246YWRhdHVt; path=/; expires=Tue, 20 May 2008 15:11:01 GMT
Location: https://sp.contoso.com/secure/index.shtml
Content-Length: 334
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
https://sp.contoso.com/secure/index.shtml

GET /secure/index.shtml HTTP/1.1
Host: sp.contoso.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://adfsaccount.adatum.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wreply=https%3A%2F%2Fsp.contoso.com%2FShibboleth.sso%2FADFS&wct=2008-05-13T15%3A10%3A52Z&wctx=cookie&wtrealm=urn%3Afederation%3Asp.contoso.com
Cookie: _saml_idp=dXJuOmZlZGVyYXRpb246YWRhdHVt; _shibstate_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=https%3A%2F%2Fsp.contoso.com%2Fsecure%2Findex.shtml; _shibsession_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=_8321642afcaed806700b192abd3cf2a5

HTTP/1.x 200 OK
Date: Tue, 13 May 2008 15:11:01 GMT
Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Output of our Server-Side Include (SSI) application:

HTTPS=on
HTTP_HOST=sp.contoso.com
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_KEEP_ALIVE=300
HTTP_CONNECTION=keep-alive
HTTP_REFERER=https://sp.contoso.com/secure/
HTTP_COOKIE=_saml_idp=dXJuOmZlZGVyYXRpb246YWRhdHVt; _shibstate_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=https%3A%2F%2Fsp.contoso.com%2Fsecure; _shibsession_05a9f4fac0e19a42483bc9f26c08873dbf2dbc9a=_6e8b71f4bf8bf7cb6914ddc3545bc1c2
HTTP_CACHE_CONTROL=max-age=0
HTTP_SHIB_ORIGIN_SITE=urn:federation:adatum
HTTP_SHIB_IDENTITY_PROVIDER=urn:federation:adatum
HTTP_SHIB_AUTHENTICATION_METHOD=urn:federation:authentication:windows
HTTP_SHIB_AUTHENTICATION_INSTANT=2008-05-13T14:57:44Z
HTTP_SHIB_NAMEIDENTIFIER_FORMAT=http://schemas.xmlsoap.org/claims/UPN
HTTP_SHIB_ATTRIBUTES=
HTTP_SHIB_APPLICATION_ID=default
HTTP_REMOTE_USER=
HTTP_ADFS_GROUP=
PATH=/usr/local/bin:/usr/bin:/bin
SERVER_SIGNATURE=<address>Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c Server at sp.contoso.com Port 443</address>
SERVER_SOFTWARE=Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c
SERVER_NAME=sp.contoso.com
SERVER_ADDR=192.168.101.183
SERVER_PORT=443
REMOTE_ADDR=192.168.101.176
DOCUMENT_ROOT=/var/www/
SERVER_ADMIN=webmaster@localhost
SCRIPT_FILENAME=/var/www/secure/index.shtml
REMOTE_PORT=1932
REMOTE_USER=adamcar@adatum.com
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=
REQUEST_URI=/secure/index.shtml
SCRIPT_NAME=/secure/index.shtml
DATE_LOCAL=Tuesday, 13-May-2008 16:06:45 BST
DATE_GMT=Tuesday, 13-May-2008 15:06:45 GMT
LAST_MODIFIED=Tuesday, 13-May-2008 16:06:42 BST
DOCUMENT_URI=/secure/index.shtml
USER_NAME=root
DOCUMENT_NAME=index.shtml
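The POST to /Shibboleth.sso/ADFS above carries the signed SAML 1.1 assertion inside the wresult form field. As an added example, not from the guide or from the Shibboleth SP code, the following Python performs the checks the SP must make on that token before it creates a session: the issuer is a configured account partner, the Audience is this SP's own realm (the wtrealm it sent in the redirect), and the Conditions window contains the current time within a skew allowance (the reason Appendix A installs ntpdate). The sample response is constructed to match the values in the trace but carries no XML signature; signature verification is assumed to happen separately in the XML-DSig layer.

```python
"""Validate a WS-Federation wsignin1.0 response as received at /Shibboleth.sso/ADFS.

Added example, not the Shibboleth SP's own code. Signature checking is
assumed to be done by the XML-DSig library and is not modelled here.
"""
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"

# Constructed RequestSecurityTokenResponse modelled on the wresult in the
# trace above (same issuer, audience, validity window, subject and Group
# claim); the Signature element is omitted.
SAMPLE_WRESULT = """<wst:RequestSecurityTokenResponse xmlns:wst="%s">
<wst:RequestedSecurityToken>
<saml:Assertion xmlns:saml="%s" AssertionID="_44d33665-4a30-403c-97e8-3d3c84ca5dab"
  IssueInstant="2008-05-13T15:11:32Z" Issuer="urn:federation:adatum"
  MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2008-05-13T15:11:32Z" NotOnOrAfter="2008-05-13T16:11:32Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>urn:federation:sp.contoso.com</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2008-05-13T15:11:32Z"
  AuthenticationMethod="urn:federation:authentication:windows">
<saml:Subject><saml:NameIdentifier Format="%s">adamcar@adatum.com</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject><saml:NameIdentifier Format="%s">adamcar@adatum.com</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>tokenapp</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>""" % (WST, SAML, UPN_FORMAT, UPN_FORMAT)

# The application/x-www-form-urlencoded body the browser POSTs (constructed).
SAMPLE_BODY = urllib.parse.urlencode(
    {"wa": "wsignin1.0", "wresult": SAMPLE_WRESULT, "wctx": "cookie"})


def parse_utc(stamp):
    """Parse the UTC timestamp form ADFS uses, e.g. 2008-05-13T15:11:32Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_wsignin_response(body, my_realm, trusted_issuers, now,
                           skew=timedelta(minutes=5)):
    """Validate a wsignin1.0 response body and return the claims it carries.

    Raises ValueError on anything the SP must reject: wrong wa, missing
    assertion, an issuer that is not a configured account partner, an
    Audience other than this SP's realm, or a Conditions window that does
    not contain `now` (allowing `skew` for clock drift between SP and FS-A).
    """
    form = urllib.parse.parse_qs(body)
    if form.get("wa") != ["wsignin1.0"] or "wresult" not in form:
        raise ValueError("not a wsignin1.0 response")
    rstr = ET.fromstring(form["wresult"][0])
    assertion = rstr.find("{%s}RequestedSecurityToken/{%s}Assertion" % (WST, SAML))
    if assertion is None:
        raise ValueError("wresult carries no SAML 1.x assertion")

    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError("issuer %r is not a trusted account partner" % issuer)

    cond = assertion.find("{%s}Conditions" % SAML)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no validity window")
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    if not (not_before - skew <= now < not_on_or_after + skew):
        raise ValueError("assertion not valid at %s" % now.isoformat())

    audiences = [(a.text or "").strip() for a in cond.iter("{%s}Audience" % SAML)]
    if my_realm not in audiences:
        raise ValueError("assertion audience %r is not this SP" % audiences)

    name_id = assertion.find(".//{%s}AuthenticationStatement/{%s}Subject/{%s}NameIdentifier"
                             % (SAML, SAML, SAML))
    if name_id is None or name_id.get("Format") != UPN_FORMAT:
        raise ValueError("no UPN NameIdentifier in AuthenticationStatement")

    attributes = {}
    for attr in assertion.iter("{%s}Attribute" % SAML):
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % SAML)]
        attributes.setdefault(attr.get("AttributeName"), []).extend(values)

    return {"issuer": issuer, "upn": (name_id.text or "").strip(),
            "attributes": attributes, "wctx": form.get("wctx", [None])[0]}
```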

53

Appendix E: Installing Tomcat and Apache 2.2.3
The instructions for the scenarios require that Tomcat and Apache 2.2.3 are installed. To
complete the installation, follow the steps below.
First, set environment variables.
#Environment variables:
export CATALINA_HOME=/usr/local/tomcat
export JAVA_HOME=/usr/local/java
export INSTALL_DIR=/usr/local
export IDP_HOME=/usr/local/shibboleth-idp

Install the build requirements for Java.


apt-get install libstdc++5 -y

Install Java JDK


Download jdk-6u6-linux-i586.bin from http://go.microsoft.com/fwlink/?LinkID=125832
cd $INSTALL_DIR
chmod +x jdk-6u6-linux-i586.bin
./jdk-6u6-linux-i586.bin

ln -s jdk1.6.0_06/jre/ java

Add JAVA_HOME to your profile (/etc/profile) and add it to the PATH.


export JAVA_HOME=/usr/local/java
export IDP_HOME=/usr/local/shibboleth-idp

if [ "`id -u`" -eq 0 ]; then
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$JAVA_HOME/bin"
else
PATH="/usr/local/bin:/usr/bin:/bin:/usr/games:$JAVA_HOME/bin"
fi


Log out and then log in again to see if the Java binaries are now included in the PATH.
java -version
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)

Install the Tomcat servlet container:


cd $INSTALL_DIR
wget http://mirror.public-internet.co.uk/ftp/apache/tomcat/tomcat-5/v5.5.26/bin/apache-tomcat-5.5.26.tar.gz
tar xzf apache-tomcat-5.5.26.tar.gz

Create useful symlinks.


ln -s /usr/local/apache-tomcat-5.5.26 /usr/local/tomcat
ln -s /usr/local/apache-tomcat-5.5.26/logs/ /var/log/tomcat

Create a startup script for Tomcat (/etc/init.d/tomcat).


#!/bin/sh
#
# Startup script for Tomcat 5.5
NAME=tomcat
JAVA_HOME=/usr/local/java
export JAVA_HOME
CATALINA_HOME=/usr/local/tomcat
export CATALINA_HOME
CATALINA_PID=/var/run/tomcat.pid
export CATALINA_PID

# Refuse to run if either home is unset or is not an existing directory.
if [ -z "${JAVA_HOME}" -o ! -d "$JAVA_HOME" ]; then
    echo "JAVA_HOME was not set properly: $JAVA_HOME"
    exit 1
fi

if [ -z "${CATALINA_HOME}" -o ! -d "$CATALINA_HOME" ]; then
    echo "CATALINA_HOME was not set properly: $CATALINA_HOME"
    exit 1
fi

start() {
    echo "Starting tomcat: "
    if [ -x "$CATALINA_HOME/bin/startup.sh" ]; then
        su -p -c "$CATALINA_HOME/bin/startup.sh"
        echo "done."
    else
        echo "Cannot find $CATALINA_HOME/bin/startup.sh, or it isn't executable"
        exit 1
    fi
}

stop() {
    echo "Shutting down tomcat: "
    if [ -x "$CATALINA_HOME/bin/shutdown.sh" ]; then
        su -p -c "$CATALINA_HOME/bin/shutdown.sh"
        sleep 1
        #killall -9 java
        echo "done."
    else
        echo "Cannot find $CATALINA_HOME/bin/shutdown.sh, or it isn't executable"
        exit 1
    fi
}

# See how we were called
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit 0

Make the script executable and add it to the runlevels:


chmod +x /etc/init.d/tomcat
update-rc.d tomcat defaults

Configure a Tomcat connector to listen on localhost on port 8009. You have to modify
$CATALINA_HOME/conf/server.xml.
All of the other connectors can be commented out, since all other requests will go through Apache.
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="127.0.0.1" enableLookups="false"
redirectPort="443" protocol="AJP/1.3"
tomcatAuthentication="false" />

Restart Tomcat
/etc/init.d/tomcat restart

We will put an Apache Web server in front of the Tomcat servlet container. This Apache Web
server will proxy every HTTPS request to Tomcat and will authenticate for the Single Sign-On
(SSO) and Active Directory Federation Services (ADFS) directories of the Shibboleth IdP webapp
(see later).


First, install Apache 2.2.3 and the mod_jk module (necessary for the proxy functionality towards
Tomcat).
apt-get install apache2-mpm-worker libapache2-mod-jk -y

Change the listening port of Apache from 80 to 443 (/etc/apache2/ports.conf).


Listen 443

Since we are listening on 443, https, we will enable the Secure Sockets Layer (SSL) module.
a2enmod ssl

Enable the proxy_ajp module.


a2enmod proxy_ajp
Enabling proxy as a dependency
Module proxy installed; run /etc/init.d/apache2 force-reload to enable.
Module proxy_ajp installed; run /etc/init.d/apache2 force-reload to enable.

Configure Apache with SSL, proxy and authentication. We will be using basic authentication
against a Lightweight Directory Access Protocol (LDAP) server, which will be set up later. First,
we have to enable the mod_authnz_ldap module:
a2enmod authnz_ldap

Modify the file /etc/apache2/sites-available/default.


<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName idp.contoso.com

    SSLEngine On
    SSLCertificateFile /etc/pki/idp.contoso.com.crt
    SSLCertificateKeyFile /etc/pki/idp.contoso.com.key
    SSLCertificateChainFile /etc/pki/rootCA.crt

    <IfModule mod_proxy_ajp.c>
        ProxyRequests Off
        <Proxy ajp://localhost:8009>
            Allow from all
        </Proxy>
        ProxyPass /shibboleth-idp ajp://localhost:8009/shibboleth-idp retry=5
    </IfModule>

    <Location /shibboleth-idp/SSO>
        AuthType Basic
        AuthName "idp.contoso.com"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://localhost:389/ou=people,dc=contoso,dc=com"
        Require valid-user
    </Location>

    <Location /shibboleth-idp/ADFS>
        AuthType Basic
        AuthName "idp.contoso.com"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://localhost:389/ou=people,dc=contoso,dc=com"
        Require valid-user
    </Location>

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
</VirtualHost>

Check the overall configuration, and if OK, restart.

apache2ctl configtest
Syntax OK
apache2ctl restart


Appendix F: Installing OpenLDAP


These are the instructions for installing OpenLDAP, which the Debian IdP uses to provide
authentication services.
apt-get install slapd ldap-utils -y

You will be prompted for a password. When prompted, type p@ssw0rd. Next, import a commonly
used Lightweight Directory Access Protocol (LDAP) schema, eduPerson.
cd $INSTALL_DIR
wget http://middleware.internet2.edu/dir/schema/ldifs/OpenLDAP_eduPerson-200412.tar.gz
tar xzf OpenLDAP_eduPerson-200412.tar.gz
cp -a eduperson-200412.ldif /etc/ldap/schema/

Include this schema file by adding it to /etc/ldap/slapd.conf.

include /etc/ldap/schema/eduperson-200412.ldif

Populate OpenLDAP with some test accounts. First, stop the service, which was started
automatically at installation time.
/etc/init.d/slapd stop

Create a temporary file /tmp/openldap.ldif. All passwords used are p@ssw0rd.


dn: dc=contoso,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Contoso Organisation
dc: contoso

dn: cn=admin,dc=contoso,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}/g6P9Mic0qA1v0jTVhahP/rKegcxke10

dn: ou=people,dc=contoso,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: uid=philip,ou=people,dc=contoso,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduperson
eduPersonPrincipalName: philip
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonAffiliation: employee
eduPersonEntitlement: urn:mace:library:x.com
uid: philip
givenName: philip
sn: Brusten
cn: Philip Brusten
mail: philip@contoso.com
homePhone: 015-1234567
mobile: 06-12345678
ou: people
homePostalAddress: Street 1$1234 PC$City$Belgium
o: Organisation
description: Descriptive description
userPassword: {SSHA}/g6P9Mic0qA1v0jTVhahP/rKegcxke10

dn: uid=chris,ou=people,dc=contoso,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduperson
eduPersonPrincipalName: chris
eduPersonAffiliation: member
eduPersonAffiliation: staff
eduPersonAffiliation: faculty
eduPersonEntitlement: urn:mace:library:y.com
eduPersonEntitlement: urn:mace:library:z.com
uid: chris
givenName: Chris
sn: Cox
cn: Chris Cox
mail: chris@contoso.com
homePhone: 015-7654321
mobile: 06-87654321
ou: people
homePostalAddress: Street 1$1234 PC$Oxford$UK
o: Organisation
description: Descriptive description
userPassword: {SSHA}/g6P9Mic0qA1v0jTVhahP/rKegcxke10

Import the data into LDAP.

slapadd -v -l /tmp/openldap.ldif
added: "dc=contoso,dc=com" (00000001)
added: "cn=admin,dc=contoso,dc=com" (00000002)
added: "ou=people,dc=contoso,dc=com" (00000003)
added: "uid=philip,ou=people,dc=contoso,dc=com" (00000004)
added: "uid=chris,ou=people,dc=contoso,dc=com" (00000005)

Start LDAP.
/etc/init.d/slapd start
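The userPassword values in the LDIF above are {SSHA} hashes (salted SHA-1, the format OpenLDAP's slappasswd -h {SSHA} produces). The following Python is an added example, not part of the guide or of OpenLDAP, that generates and verifies such values; the helper names are ours, and LDIF_HASH is the value copied from the LDIF.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output length; whatever follows it in the decoded value is the salt


def split_ssha(stored):
    """Decode a {SSHA} userPassword value into (digest, salt)."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_hash(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password || salt) || salt), as slappasswd -h {SSHA} does."""
    if salt is None:
        salt = os.urandom(4)  # OpenLDAP uses a 4-byte random salt, which is what the LDIF value holds too
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Constant-time check of a candidate password against a stored {SSHA} value."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Value copied from the guide's /tmp/openldap.ldif (used for cn=admin and both test users).
LDIF_HASH = "{SSHA}/g6P9Mic0qA1v0jTVhahP/rKegcxke10"


def ldif_hash_matches(password="p@ssw0rd"):
    """True if the LDIF value really is the hash of the documented test password."""
    return ssha_verify(LDIF_HASH, password)


if __name__ == "__main__":
    print(ssha_hash("p@ssw0rd"))  # a fresh value usable on a userPassword line
    print("LDIF hash matches p@ssw0rd:", ldif_hash_matches())
```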


Appendix G: Installing Shibboleth IdP


Install Shibboleth as an IdP.
Get the Shibboleth IdP source package and unpack it.
cd $INSTALL_DIR
wget http://shibboleth.internet2.edu/downloads/shibboleth/idp/1.3.3/shibboleth-idp-1.3.3.tar.gz
tar xzf shibboleth-idp-1.3.3.tar.gz

Obtain the Shibboleth Active Directory Federation Services (ADFS) extension and extract it to the
custom extension directory of the Shibboleth installation directory.
cd shibboleth-1.3.3-install/custom
wget http://shibboleth.internet2.edu/downloads/extensions/shib.ADFS.extension-0.9.tar.gz
tar xzf shib.ADFS.extension-0.9.tar.gz

Building the Shibboleth ADFS extension fails if there is no lib directory in the extracted adfs
directory, so create it:
mkdir adfs/lib

The distributed extension is missing a jsp file (adfs.jsp). Add the file before you build the webapp.
The file can be downloaded from the following URL, but we have also provided the content:
http://go.microsoft.com/fwlink/?LinkID=125827
adfs.jsp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<%
response.setHeader("Expires","19-Mar-1971 08:23:00 GMT");
response.setHeader("Cache-control","no-cache");
response.setHeader("Pragma","no-cache");
%>

<%@ taglib uri="/WEB-INF/tlds/struts-logic.tld" prefix="logic" %>
<%@ taglib uri="/WEB-INF/tlds/struts-bean.tld" prefix="bean" %>

<jsp:useBean id="wreply" scope="request" class="java.lang.String" />
<jsp:useBean id="wa" scope="request" class="java.lang.String" />
<jsp:useBean id="wresult" scope="request" class="java.lang.String" />
<jsp:useBean id="hs_helpText" scope="application" class="java.lang.String"/>
<jsp:useBean id="hs_detailedHelpURL" scope="application" class="java.lang.String"/>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<link rel="stylesheet" type="text/css" href="main.css" />
<title>ADFS Authentication Request Processed</title>
</head>

<body onload="document.forms[0].submit()">

<%
// Refuse direct access: the IdP servlet must have set wa, wreply and wresult on the request.
if (request.getAttribute("wa") == null
    || request.getAttribute("wreply").equals("")
    || request.getAttribute("wresult") == null)
{
    request.setAttribute("requestURL", request.getRequestURI());
    request.setAttribute("errorText", "This page cannot be accessed directly");
    request.getRequestDispatcher("/IdPError.jsp").forward(request, response);
    return; // stop rendering this page after the forward
}
%>

<h1>ADFS Authentication Request Processed</h1>

<script type="text/javascript">
<!--
document.write("<p>You are automatically being redirected to the requested site. ");
document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
document.write("the page before contacting the technical support staff in charge of the ");
document.write("desired resource or service you are trying to access.</p>");
document.write("<h2>Redirecting to requested site...</h2>");
// -->
</script>

<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed to the requested site.
</p>
</noscript>

<form id="adfs" action="<bean:write name="wreply"/>" method="post">
<div>
<input type="hidden" name="wa" value="<bean:write name="wa" />" />
<logic:present name="wctx" scope="request">
<input type="hidden" name="wctx" value="<bean:write name="wctx" />" />
</logic:present>
<input type="hidden" name="wresult" value="<bean:write name="wresult" />" />
</div>
<noscript>
<div>
<input type="submit" value="Continue" />
</div>
</noscript>
</form>
</body>
</html>

The ADFS endpoint must be mapped to the IdP servlet. Add the following servlet-mapping to the
web descriptor /usr/local/shibboleth-1.3.3-install/webAppConfig/dist.idp.xml:
<servlet-mapping>
<servlet-name>IdP</servlet-name>
<url-pattern>/ADFS</url-pattern>
</servlet-mapping>

Begin the compilation and installation of the Shibboleth software. Alter the JAVA_HOME
environment variable so it points to our Java SDK. After the compilation is done, change it back to
our Java JRE.
cd $INSTALL_DIR/shibboleth-1.3.3-install/
export JAVA_HOME=/usr/local/jdk1.6.0_06/

./ant
Buildfile: build.xml
init:
install.init:
install:

Do you want to install the Shibboleth Identity Provider? [Y,n]
Y
What name do you want to use for the Identity Provider web application?
[default: shibboleth-idp]
shibboleth-idp

init:
install.init:
install.idp:
Deploying the java web application.

Do you want to install it directly onto the filesystem or use the tomcat manager application?
1) filesystem (default)
2) manager

init:
install.init:
install.idp.filesystem.prompt:
Select a home directory for the Shibboleth Identity Provider [default: /usr/local/shibboleth-idp]
/usr/local/shibboleth-idp
Enter tomcat home directory [default: /usr/local/tomcat]
/usr/local/tomcat
...

BUILD SUCCESSFUL
Total time: 16 seconds

export JAVA_HOME=/usr/local/java

The implementation of Sun's JAXP parser may contain a memory leak. Therefore, the JDK should
endorse the newer XML libraries in Tomcat. Copy the jar files from $SHIB_HOME/endorsed/ (the
endorsed directory that ships with the Shibboleth IdP 1.3 package) into Tomcat's endorsed directory:
cp -p $SHIB_HOME/endorsed/*.jar $CATALINA_HOME/common/endorsed/

Restart tomcat.
/etc/init.d/tomcat restart

At this point, you should be able to reach the Shibboleth IdP Web application by browsing to
https://idp.contoso.com/shibboleth-idp/Status.
This request should return the following:
AVAILABLE


Appendix H: Trace log of HTTP Headers IdP to FS-R
This section shows the HTTP traffic generated when a client accesses an Active Directory
Federation Services (ADFS)-protected resource.
https://adfsweb.treyresearch.net:8081/claimapp/

GET /claimapp/ HTTP/1.1
Host: adfsweb.treyresearch.net:8081
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Found
Date: Wed, 14 May 2008 09:36:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location:
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 362
----------------------------------------------------------
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx

GET /adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: adfsresource.treyresearch.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:36:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 1844

----------------------------------------------------------
https://adfsresource.treyresearch.net/adfs/ls/discoverclientrealm.aspx?
wa=wsignin1.0&wreply=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z
&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
POST
/adfs/ls/discoverclientrealm.aspx?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: adfsresource.treyresearch.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 529
__VIEWSTATE=...&RealmList=urn%3Afederation%3Aidp.contoso.com&RealmSubmissionButton=Submit&__EVENTVALIDATION=...
HTTP/1.x 302 Found
Date: Wed, 14 May 2008 09:36:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://idp.contoso.com/shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn
%3afederation%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2fDefault.aspx
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 394
----------------------------------------------------------
https://idp.contoso.com/shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation
%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2fDefault.aspx

GET /shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z
&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f
%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: idp.contoso.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx

HTTP/1.x 401 Authorization Required
Date: Wed, 14 May 2008 09:35:29 GMT
WWW-Authenticate: Basic realm="idp.contoso.com"
Content-Length: 511
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
https://idp.contoso.com/shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation
%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2fDefault.aspx

GET /shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z
&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f
%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx HTTP/1.1
Host: idp.contoso.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f
%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a51Z&wctx=https
%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx
Authorization: Basic cGhpbGlwOnBAc3N3MHJk

HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:35:31 GMT
Set-Cookie: JSESSIONID=D30AEB89B24AA5AEEA8E2C6C75FB2D61;
Path=/shibboleth-idp; Secure
Expires: 19-Mar-1971 08:23:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6913
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive

----------------------------------------------------------
https://adfsresource.treyresearch.net/adfs/ls/

POST /adfs/ls/ HTTP/1.1
Host: adfsresource.treyresearch.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
https://idp.contoso.com/shibboleth-idp/ADFS?wa=wsignin1.0&wtrealm=urn%3afederation
%3atreyresearch&wct=2008-05-14T09%3a36%3a57Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net
%3a8081%2fclaimapp%2f%5chttps%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp
%2fDefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 5890
wa=wsignin1.0&wctx=https%3A%2F%2Fadfsweb.treyresearch.net%3A8081%2Fclaimapp%2F%5Chttps%3A
%2F%2Fadfsweb.treyresearch.net%3A8081%2Fclaimapp%2FDefault.aspx&wresult=
%3CRequestSecurityTokenResponse+xmlns%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws
%2F2005%2F02%2Ftrust%22%3E%3CAppliesTo+xmlns%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws
%2F2004%2F09%2Fpolicy%22%3E%3CEndpointReference+xmlns%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%22%3E%3CAddress%3Eurn%3Afederation
%3Atreyresearch%3C%2FAddress%3E%3C%2FEndpointReference%3E%3C%2FAppliesTo%3E
%3CRequestedSecurityToken%3E%3CAssertion+xmlns%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Aassertion%22+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion
%22+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aprotocol%22+xmlns%3Axsd%3D
%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%22+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org
%2F2001%2FXMLSchema-instance%22+AssertionID%3D
%22_eaed99c0df7a1e97c68f66324c5fcde6%22+IssueInstant%3D%222008-05-14T09%3A35%3A31.798Z
%22+Issuer%3D%22urn%3Afederation%3Aidp.contoso.com%22+MajorVersion%3D%221%22+MinorVersion
%3D%221%22%3E%3CConditions+NotBefore%3D%222008-05-14T09%3A35%3A31.797Z%22+NotOnOrAfter%3D
%222008-05-14T09%3A40%3A31.798Z%22%3E%3CAudienceRestrictionCondition%3E%3CAudience%3Eurn
%3Afederation%3Atreyresearch%3C%2FAudience%3E%3C%2FAudienceRestrictionCondition%3E%3C
%2FConditions%3E%3CAuthenticationStatement+AuthenticationInstant%3D%222008-05-14T09%3A35%3A31.797Z%22+AuthenticationMethod%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Aam%3Aunspecified%22%3E%3CSubject%3E%3CNameIdentifier+Format%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22+NameQualifier%3D%22urn%3Afederation
%3Aidp.contoso.com%22%3Ephilip%40contoso.com%3C%2FNameIdentifier%3E%3CSubjectConfirmation
%3E%3CConfirmationMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Acm%3Abearer%3C
%2FConfirmationMethod%3E%3C%2FSubjectConfirmation%3E%3C%2FSubject%3E%3C
%2FAuthenticationStatement%3E%3CAttributeStatement%3E%3CSubject%3E%3CNameIdentifier+Format
%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22+NameQualifier%3D%22urn
%3Afederation%3Aidp.contoso.com%22%3Ephilip%40contoso.com%3C%2FNameIdentifier%3E
%3CSubjectConfirmation%3E%3CConfirmationMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML
%3A1.0%3Acm%3Abearer%3C%2FConfirmationMethod%3E%3C%2FSubjectConfirmation%3E%3C%2FSubject
%3E%3CAttribute+AttributeName%3D%22mail%22+AttributeNamespace%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3CAttributeValue%3Ephilip%40contoso.com%3C
%2FAttributeValue%3E%3C%2FAttribute%3E%3CAttribute+AttributeName%3D%22sn
%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E
%3CAttributeValue%3EBrusten%3C%2FAttributeValue%3E%3C%2FAttribute%3E
%3CAttribute+AttributeName%3D%22CommonName%22+AttributeNamespace%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3CAttributeValue%3EBrusten%3C%2FAttributeValue%3E%3C
%2FAttribute%3E%3CAttribute+AttributeName%3D%22Group%22+AttributeNamespace%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3CAttributeValue%3Emember%3C%2FAttributeValue%3E
%3CAttributeValue%3Estaff%3C%2FAttributeValue%3E%3CAttributeValue%3Eemployee%3C
%2FAttributeValue%3E%3C%2FAttribute%3E%3C%2FAttributeStatement%3E%3Cds%3ASignature+xmlns
%3Ads%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%0D%0A%3Cds%3ASignedInfo
%3E%0D%0A%3Cds%3ACanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3C%2Fds%3ACanonicalizationMethod%3E%0D%0A%3Cds
%3ASignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%3E%3C%2Fds%3ASignatureMethod%3E%0D%0A%3Cds%3AReference+URI%3D
%22%23_eaed99c0df7a1e97c68f66324c5fcde6%22%3E%0D%0A%3Cds%3ATransforms%3E%0D%0A%3Cds
%3ATransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%3E%3C%2Fds%3ATransform%3E%0D%0A%3Cds%3ATransform+Algorithm%3D%22http%3A%2F
%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3Cec%3AInclusiveNamespaces+xmlns%3Aec%3D
%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+PrefixList%3D
%22code+ds+kind+rw+saml+samlp+typens+%23default+xsd+xsi%22%3E%3C%2Fec
%3AInclusiveNamespaces%3E%3C%2Fds%3ATransform%3E%0D%0A%3C%2Fds%3ATransforms%3E%0D%0A%3Cds
%3ADigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%3E
%3C%2Fds%3ADigestMethod%3E%0D%0A%3Cds%3ADigestValue%3ETwuvUTi0PVHHCOtvc6%2B3qCrIMAw%3D%3C
%2Fds%3ADigestValue%3E%0D%0A%3C%2Fds%3AReference%3E%0D%0A%3C%2Fds%3ASignedInfo%3E%0D%0A
%3Cds%3ASignatureValue%3E%0D%0Au3lf8%2FP2XWRtX1yv
%2FLqvVVlw9UehLtgdD4SnVDb1OIaawizifCTq2PLWdRVfjNB4hRCMA1b%2B5j%2Bp%0D%0AqHg%2B4kjg53M%2FfC
%2BHuzKJLN0QxTXm497dVmt6KLxvQDQA4hL7ZAKKL%2FjEC4OAHOE%2FbD03UeXxt20Q%0D
%0AFk1tSpDsy1RMWk3%2FUv0%3D%0D%0A%3C%2Fds%3ASignatureValue%3E%0D%0A%3Cds%3AKeyInfo%3E%0D
%0A%3Cds%3AX509Data%3E%0D%0A%3Cds%3AX509Certificate%3E%0D
%0AMIICKzCCAZQCCQCjY1CwYLEyqjANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVSzEUMBIGA1UE%0D
%0ACBMLT3hmb3Jkc2hpcmUxDzANBgNVBAcTBk94Zm9yZDEMMAoGA1UEChMDT0NHMRQwEgYDVQQDEwtP%0D
%0AQ0cgUm9vdCBDQTAeFw0wODA1MTMxNjIyMTBaFw0wOTA1MTMxNjIyMTBaMFwxCzAJBgNVBAYTAlVL%0D
%0AMRQwEgYDVQQIEwtPeGZvcmRzaGlyZTEPMA0GA1UEBxMGT3hmb3JkMQwwCgYDVQQKEwNPQ0cxGDAW%0D
%0ABgNVBAMTD2lkcC5jb250b3NvLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0%2BzuZSih%0D
%0AxOjJhjXHiEJYYVKKXbWC1zQ2gLUB5HIY7Dehe%2BPbkpy3R234rsYXnpcCJ4LSyvjpqGX7Wb3hqnSH%0D
%0AH33mo9H5HxMF1MGhuTLH0DaUApDoCEE2dq2S%2BxcjXfc5Y7mOTQyE%2BPLgmlAyca4GEVXUJuqpj02D%0D
%0Aj4AnuI7RJ9cCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBQWlNTKwvm1j%2F9%2FiDkhLwKHFPbtQqPkPu6%0D
%0ApH%2BuNAiIW9XnlYAoNpMVKFEiegODqU0XKOil%2BzNvjpt%2B8VJ7Ch4XNZ4x8JKL4FxjcwXcLSE8DEHE%0D
%0AaR%2B0v%2Bp9oum8P1ELyPWiNnp1I2UsTLKBYKmm2z%2BNY%2BHmIURrrPEpvIvVgD939g%3D%3D%0D%0A%3C
%2Fds%3AX509Certificate%3E%0D%0A%3C%2Fds%3AX509Data%3E%0D%0A%3C%2Fds%3AKeyInfo%3E%3C%2Fds
%3ASignature%3E%3C%2FAssertion%3E%3C%2FRequestedSecurityToken%3E%3C
%2FRequestSecurityTokenResponse%3E
HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:36:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: _WebSsoAuth=...; path=/adfs/ls/; secure; HttpOnly
Set-Cookie: _WebSsoAuth0=...; path=/adfs/ls/; secure; HttpOnly

Set-Cookie: _LSRealm=urn:federation:idp.contoso.com; expires=Fri, 13-Jun-2008 09:36:59 GMT;
path=/adfs/ls/; secure; HttpOnly
Set-Cookie: _LSCleanup=2008-05-14:09:36:59Zahttps://adfsweb.treyresearch.net:8081/claimapp/;
path=/adfs/ls/; secure; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4628
----------------------------------------------------------

POST /claimapp/ HTTP/1.1
Host: adfsweb.treyresearch.net:8081
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14)
Gecko/20080404 Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,
*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://adfsresource.treyresearch.net/adfs/ls/
Content-Type: application/x-www-form-urlencoded
Content-Length: 4401
wa=wsignin1.0&wresult=%3Cwst%3ARequestSecurityTokenResponse+xmlns%3Awst%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%3E%3Cwst%3ARequestedSecurityToken%3E
%3Csaml%3AAssertion+AssertionID%3D%22_93c01f44-0dc4-4a9d-b3e7-2b1707198000%22+IssueInstant
%3D%222008-05-14T09%3A36%3A59Z%22+Issuer%3D%22urn%3Afederation%3Atreyresearch
%22+MajorVersion%3D%221%22+MinorVersion%3D%221%22+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames
%3Atc%3ASAML%3A1.0%3Aassertion%22%3E%3Csaml%3AConditions+NotBefore%3D%222008-05-14T09%3A36%3A59Z%22+NotOnOrAfter%3D%222008-05-14T10%3A36%3A59Z%22%3E%3Csaml
%3AAudienceRestrictionCondition%3E%3Csaml%3AAudience%3Ehttps%3A%2F
%2Fadfsweb.treyresearch.net%3A8081%2Fclaimapp%2F%3C%2Fsaml%3AAudience%3E%3C%2Fsaml
%3AAudienceRestrictionCondition%3E%3C%2Fsaml%3AConditions%3E%3Csaml%3AAdvice%3E%3Cadfs
%3AClaimSource+xmlns%3Aadfs%3D%22urn%3Amicrosoft%3Afederation%22%3Eurn%3Afederation
%3Aidp.contoso.com%3C%2Fadfs%3AClaimSource%3E%3Cadfs%3ACookieInfoHash+xmlns%3Aadfs%3D
%22urn%3Amicrosoft%3Afederation%22%3Egn%2F21HqZd4FKZisTZ9fQKZiUi0E%3D%3C%2Fadfs
%3ACookieInfoHash%3E%3C%2Fsaml%3AAdvice%3E%3Csaml
%3AAuthenticationStatement+AuthenticationInstant%3D%222008-05-14T09%3A35%3A31Z
%22+AuthenticationMethod%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aam%3Aunspecified
%22%3E%3Csaml%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22%3Ephilip%40contoso.com%3C%2Fsaml%3ANameIdentifier
%3E%3C%2Fsaml%3ASubject%3E%3C%2Fsaml%3AAuthenticationStatement%3E%3CSignature+xmlns%3D
%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3CSignedInfo%3E
%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23rsa-sha1%22+%2F%3E%3CReference+URI%3D%22%23_93c01f44-0dc4-4a9d-b3e7-2b1707198000%22%3E%3CTransforms%3E%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org
%2F2000%2F09%2Fxmldsig%23enveloped-signature%22+%2F%3E%3CTransform+Algorithm%3D%22http%3A
%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3C%2FTransforms%3E
%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22+%2F
%3E%3CDigestValue%3EjkUdkzWPBFHduN0gzG%2BPSM1z7Hs%3D%3C%2FDigestValue%3E%3C%2FReference%3E
%3C%2FSignedInfo%3E%3CSignatureValue%3ERNJntZTdwAMQPQ9Inhff92tf%2BRSByT1%2B4ut
%2FjUZo6NBiH3InXi21Dr0%2ByyyM9mod7LcxpkjwqlLqQLc%2FUckEKsOHgiFuuohw4%2BgaJVyjh
%2FOi40LEkOFP9s6dnGNlukbA61dBQNwNUEYUgW3psw
%2FVvKlZ4icUurUKFLYMr4sPLfPge0RwXHb3Bj7YNmDIkIQCzlTU3n%2F
%2FkZawDU26ThjflXcFaL7YnDcWlsmnyKjb8oUNwrwdDajIwSwLJlVu39Q766cFIf6Tr0PoFmrMBwAkvvpMcti4wGD
12z6z6jplPP81KRFVHcG3Swwc%2BBihHapdMn%2BGM6vFgIK7antYrHxDQg%3D%3D%3C%2FSignatureValue%3E
%3CKeyInfo%3E%3CX509Data%3E%3CX509Certificate
%3EMIIC0jCCAb6gAwIBAgIQGum1H0Qcf45PRdfVLyyEETAJBgUrDgMCHQUAMCkxJzAlBgNVBAMTHkZlZGVyYXRpb24
gU2VydmVyIGFkZnNyZXNvdXJjZTAeFw0wODAzMjAyMTE1NTVaFw0wOTAzMjEwMzE1NTVaMCkxJzAlBgNVBAMTHkZlZ
GVyYXRpb24gU2VydmVyIGFkZnNyZXNvdXJjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALK9peyQW5c
4tvVDh9JDTb5dZhCSiJE5M%2FPGIUrCzkcAmVAfsSFG6qFXZ%2BGG3J7GY%2FFuXZNS%2Bry1V6Zg2M%2BXBP%2F
%2FlbyeUhiVrOYuSjscnLSouu2DyxsYwd0mkjWvNcyNxglTyg7ZRHs8kI6fjZ1k8zDh9BEl4E4YdGhZc3GMvndAIcy
iYsfRLRG5AfADsPfTmI3DZMpi64jEiNPwHtQ54esHdyLhZiYILx3ChwLZfUbBg7slCUBRgjY6DaehWvSbKUeJXSxow
yunlYh3CpkJWyGcT0qFF%2FAeGLiKf0H5IIcl7xv7krfUhc5TlTzXmdR%2Feng9Ji4rSbc6FJpDGL9kX
%2B0CAwEAATAJBgUrDgMCHQUAA4IBAQAFRVe0xhQzC50DFaR8MHSV
%2B2Gega59G4S98HKiI30zoqH0H9wAT8c129rlisMb%2F%2FnBT%2F5H
%2FHW8D5iPDkpKzcvJcprHwSDPiSh0Yp0wXC4WdFbWB7qTx
%2BVQzf1lrE9184EFLi35IVTqTz91ctwbO8tyvKLl3ETSsa1VoFra12oVLfNYeWNqfu4Cqrb0ublpCsMz93X7dgMeX
BvX0TPmxi9qTKKOoqdDyFL3OOAGTyhrwilSptqVUNCxrxaevdHPt8KSRg7QEnmDmbQK%2B1HCt%2FrF%2FOM
%2FYI8p3jMyTs%2FeGwQWY5Q9uuWn4knnRDdfVD4J%2BMJbBYW8IIFeTnqK23aeU2gL%3C%2FX509Certificate
%3E%3C%2FX509Data%3E%3C%2FKeyInfo%3E%3C%2FSignature%3E%3C%2Fsaml%3AAssertion%3E%3C%2Fwst
%3ARequestedSecurityToken%3E%3Cwsp%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F
%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%3E%3Cwsa%3AEndpointReference+xmlns
%3Awsa%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%22%3E%3Cwsa
%3AAddress%3Ehttps%3A%2F%2Fadfsweb.treyresearch.net%3A8081%2Fclaimapp%2F%3C%2Fwsa
%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3C%2Fwst
%3ARequestSecurityTokenResponse%3E&wctx=https%3A%2F%2Fadfsweb.treyresearch.net
%3A8081%2Fclaimapp%2FDefault.aspx

HTTP/1.x 302 Found
Date: Wed, 14 May 2008 09:36:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://adfsweb.treyresearch.net:8081/claimapp/Default.aspx
Set-Cookie: _WebSsoAuth=[encrypted token value omitted]; path=/claimapp; secure; HttpOnly
Set-Cookie: _WebSsoAuth0=[value omitted]; path=/claimapp; secure; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 176
---------------------------------------------------------https://adfsweb.treyresearch.net:8081/claimapp/Default.aspx

GET /claimapp/Default.aspx HTTP/1.1
Host: adfsweb.treyresearch.net:8081
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://adfsresource.treyresearch.net/adfs/ls/
Cookie: _WebSsoAuth=[encrypted token value omitted]; _WebSsoAuth0=[value omitted]

HTTP/1.x 200 OK
Date: Wed, 14 May 2008 09:36:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 6360

Resulting page from the claimapp when logged in with the user philip:

SSO Sample
[ Sign Out | Refresh without viewstate data ]

Page Information
Name            | Value                                                       | Type
Simplified Path | https://adfsweb.treyresearch.net:8081/claimapp/Default.aspx | S.String

User.Identity
Name      | Value                    | Type
Type name | SSO.SingleSignOnIdentity | S.String

(IIdentity)User.Identity
Name               | Value              | Type
Name               | philip@contoso.com | S.String
AuthenticationType | WebSSO             | S.String
IsAuthenticated    | True               | S.Boolean

(SingleSignOnIdentity)User.Identity
Name                       | Value                                      | Type
Name                       | philip@contoso.com                         | S.String
NameType                   | http://schemas.xmlsoap.org/claims/UPN      | S.String
SecurityPropertyCollection | SSO.Auth.SecurityPropertyCollection        | SSO.Auth.SecurityPropertyCollection
AuthenticatingAuthority    | urn:federation:idp.contoso.com             | S.Uri
AuthenticationMethod       | urn:oasis:names:tc:SAML:1.0:am:unspecified | S.Uri
AuthenticationType         | WebSSO                                     | S.String
IsAuthenticated            | True                                       | S.Boolean
SignInUrl                  | https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f&wct=2008-05-14T09%3a36%3a59Z&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx | S.String
SignOutUrl                 | https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignout1.0 | S.String
WindowsIdentity            | null                                       | null

SingleSignOnIdentity.SecurityPropertyCollection
Uri                                   | Claim Type | Claim Value
http://schemas.xmlsoap.org/claims/UPN | UPN        | philip@contoso.com
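The SignInUrl and SignOutUrl in the table above carry the WS-Federation passive parameters (wa, wreply, wct, wctx), and the 302 in the trace sends the browser to the URL carried in wctx. As an added example (not code from this guide or from ADFS), the following Python script decodes those parameters and audits them against a relying-party allow-list and a freshness window; the allow-list, the five-minute window and the function names are assumptions for this lab.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the SignInUrl and SignOutUrl the claimapp page reports
# above, with the host names of this guide's test lab.
SIGN_IN_URL = ("https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0"
               "&wreply=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2f"
               "&wct=2008-05-14T09%3a36%3a59Z"
               "&wctx=https%3a%2f%2fadfsweb.treyresearch.net%3a8081%2fclaimapp%2fDefault.aspx")
SIGN_OUT_URL = "https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignout1.0"

# Hypothetical allow-list of relying-party origins (scheme, host, port) the FS-R may
# return tokens to. This is a setting of this audit script, not an ADFS setting.
ALLOWED_REPLY_ORIGINS = {("https", "adfsweb.treyresearch.net", 8081)}
WCT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def origin(url):
    """Normalised (scheme, host, port) of an absolute URL."""
    p = urlsplit(url)
    default = 443 if p.scheme.lower() == "https" else 80
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port or default)


def audit_wsfed_request(url, now_iso, max_age=timedelta(minutes=5)):
    """Decode the WS-Federation passive parameters; return (params, list of problems)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    wa = params.get("wa")
    if wa not in ("wsignin1.0", "wsignout1.0"):
        problems.append("unexpected wa action: %r" % wa)
    if wa != "wsignin1.0":
        return params, problems
    wreply = params.get("wreply")
    if not wreply or origin(wreply) not in ALLOWED_REPLY_ORIGINS:
        problems.append("wreply is not an allowed relying-party origin: %r" % wreply)
    # The trace above shows the web agent redirecting (302 Location) to the URL carried
    # in wctx, so a URL-valued wctx is a redirect target and must stay on the wreply origin.
    wctx = params.get("wctx", "")
    if wctx.lower().startswith(("http://", "https://")) and wreply and origin(wctx) != origin(wreply):
        problems.append("wctx redirect target is off the wreply origin: %r" % wctx)
    # wct is the request time; a stale value should not pass as a fresh sign-in request.
    try:
        issued = datetime.strptime(params["wct"], WCT_FORMAT).replace(tzinfo=timezone.utc)
        now = datetime.strptime(now_iso, WCT_FORMAT).replace(tzinfo=timezone.utc)
        if not (now - max_age <= issued <= now + timedelta(minutes=1)):
            problems.append("wct %s is outside the freshness window" % params["wct"])
    except (KeyError, ValueError):
        problems.append("wct missing or malformed")
    return params, problems
```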

Appendix I: Disabling CRL Checking


If your FS-R is not connected to the Internet, you must turn off CRL checking. Microsoft has
provided the following script, with instructions on how to do this, at
http://go.microsoft.com/fwlink/?LinkID=125849
Note
In Windows Server 2008, CRL checking can be controlled in the Active Directory
Federation Services (ADFS) snap-in. Right-click Trust Policy, select Properties,
select the Verification Certificates tab and then choose None from the Revocation
Settings drop-down list.
Create a file TpCrlChk.vbs with the following contents:

'Option Explicit

Dim tpf         ' Trust policy factory
Dim cf          ' Claim Factory
Dim tpFileName  ' Trust policy file name
Dim trUri       ' TrustRealm Uri
Dim revFlagsStr ' RevocationFlags enum in string form
Dim tp          ' TrustPolicy
Dim tr          ' TrustedRealm
Dim revFlags    ' RevocationFlags enum
Dim found       ' Did we find the realm in the trust policy?

'---------------------------------------
' Echo usage.
'---------------------------------------
Sub Usage()
    WScript.StdErr.WriteLine("Usage:")
    WScript.StdErr.WriteLine("TpCrlChk.vbs TrustPolicy.xml TrustRealmUri RevocationFlags")
    WScript.StdErr.WriteLine()
    WScript.StdErr.WriteLine("Arguments:")
    WScript.StdErr.WriteLine("TrustPolicy.xml - Full path to the trust policy file")
    WScript.StdErr.WriteLine("TrustRealmUri   - Uri of the trust realm whose setting must be changed")
    WScript.StdErr.WriteLine("RevocationFlags - One of the following:")
    WScript.StdErr.WriteLine("                  None")
    WScript.StdErr.WriteLine("                  CheckEndCert")
    WScript.StdErr.WriteLine("                  CheckEndCertCacheOnly")
    WScript.StdErr.WriteLine("                  CheckChain")
    WScript.StdErr.WriteLine("                  CheckChainCacheOnly")
    WScript.StdErr.WriteLine("                  CheckChainExcludeRoot")
    WScript.StdErr.WriteLine("                  CheckChainExcludeRootCacheOnly")
    WScript.Quit
End Sub

'---------------------------------------
' Fetch the RevocationFlags enum value.
'---------------------------------------
Function GetRevFlags(revFlagsStr)
    If (revFlagsStr = "None") Then
        GetRevFlags = 0
    ElseIf (revFlagsStr = "CheckEndCert") Then
        GetRevFlags = 1
    ElseIf (revFlagsStr = "CheckEndCertCacheOnly") Then
        GetRevFlags = 2
    ElseIf (revFlagsStr = "CheckChain") Then
        GetRevFlags = 3
    ElseIf (revFlagsStr = "CheckChainCacheOnly") Then
        GetRevFlags = 4
    ElseIf (revFlagsStr = "CheckChainExcludeRoot") Then
        GetRevFlags = 5
    ElseIf (revFlagsStr = "CheckChainExcludeRootCacheOnly") Then
        GetRevFlags = 6
    Else
        Call Usage()
    End If
End Function

'---------------------------------------
' Get the parameters.
'---------------------------------------
Dim ArgObj
Set ArgObj = WScript.Arguments

If (ArgObj.Count < 3) Then
    Call Usage()
End If

tpFileName = ArgObj.Item(0)
trUri      = ArgObj.Item(1)
revFlags   = GetRevFlags(ArgObj.Item(2))

'---------------------------------------
' Do the job.
'---------------------------------------
WScript.StdOut.WriteLine("Loading trust policy: " & tpFileName)

'
' Create factories
'
Set tpf = CreateObject("System.Web.Security.SingleSignOn.TrustPolicyFactory")
Set cf  = CreateObject("System.Web.Security.SingleSignOn.ClaimFactory")

'
' Load the TrustPolicy
'
Set tp = tpf.Load(tpFileName, 0) ' initialize certs = false

'
' Find the realm and set the revocation flags
'
found = 0
If (tp.TrustPolicyEntryUri = trUri) Then
    '
    ' Hosted realm attributes
    '
    WScript.StdOut.WriteLine("Changing the setting for this Federation service: " & trUri)
    found = 1
    tp.VerificationMethod.RevocationCheckFlags = revFlags
Else
    '
    ' Trusted Realms
    '
    For Each tr In tp.TrustedRealms
        If (tr.TrustPolicyEntryUri = trUri) Then
            WScript.StdOut.WriteLine("Changing the setting for this Account partner: " & trUri)
            found = 1
            tr.VerificationMethod.RevocationCheckFlags = revFlags
            Exit For ' since the Uri is unique
        End If
    Next

    If (found = 0) Then
        WScript.StdOut.WriteLine("Error: " & trUri & " is neither this Federation Service nor an Account partner.")
        WScript.Quit
    End If
End If

'---------------------------------------
' Save the TrustPolicy
'---------------------------------------
WScript.StdOut.Write("Saving changed trust policy...")
tp.Write(tpFileName)
WScript.StdOut.WriteLine("done.")

After you have saved the script, run it as follows:

C:\>cscript TpCrlChk.vbs c:\ADFS\TrustPolicy.xml urn:federation:idp.contoso.com None
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Loading trust policy: c:\ADFS\TrustPolicy.xml
Changing the setting for this Federation service: urn:federation:treyresearch
Saving changed trust policy...done.

Repeat the process for urn:federation:treyresearch:

C:\>cscript TpCrlChk.vbs c:\ADFS\TrustPolicy.xml urn:federation:treyresearch None
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Loading trust policy: c:\ADFS\TrustPolicy.xml
Changing the setting for this Federation service: urn:federation:treyresearch
Saving changed trust policy...done.