Open salibeh opened 2 years ago
Your info "Based on what I learned from my own online searches, it appears that I need to update the sp metadata and make the same available to the idp." is correct.
You need to run the two different docker containers to host two SP apps.
```shell
cp -rf shibboleth-sp-testapp shibboleth-sp-testapp1
cp -rf shibboleth-sp-testapp shibboleth-sp-testapp2
```
(shibboleth-sp-testapp: https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-sp-testapp)
Then make minor revisions to both SP metadata files and upload them to the IdP.

Thank you for your help. Just to be clear.
on the idp, make two copies of the shibboleth-sp-testapp: shibboleth-sp-testapp1, shibboleth-sp-testapp2
edit the sp metadata on idp for each to reflect the correct entityid (based on sp1, sp2) and the ID. How to change the ID for sp2; leaving sp1 with the original?
create a set of new crt and key files for sp2; use the existing for sp1
edit sp2 metadata on idp to include the crt in the
on sp2, edit sp2 shibboleth2.xml to reflect sp2-example.org. Do the same for sp1 (although my intent is to leave the original sp alone, that is, not to rename it sp1)
Are the above what you meant by minor revisions? Are there more (files and changes) that you can think of? Thanks
Yes.
Yes.
How to change the ID for sp2; leaving sp1 with the original?
```xml
<ApplicationDefaults entityID="https://sp.example.org:2443/Shibboleth.sso/Metadata" REMOTE_USER="eppn persistent-id targeted-id">
```
change the ID for sp2: entityID="https://sp.example.org:2443/Shibboleth.sso/Metadata" --> entityID="https://sp2.example.org:2443/Shibboleth.sso/Metadata"
Yes. Just leaving sp1 with the original
Yes.
Just download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata" and then upload it to the IdP folder
Yes. You can leave the original sp alone, that is, not rename it sp1. On sp2, edit sp2 shibboleth2.xml to modify entityID to reflect sp2-example.org
Thank you very much for your prompt response.
when I was asking "How to change the ID for sp2", I was referring to the following ID in the sp-example.org.xml (and NOT the entityID):
" <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_2bfe46fbf65e268f30b921e7abdcc9ba1f1cdcea" ......."
Thanks
when I was asking "How to change the ID for sp2", I was referring to the following ID in the sp-example.org.xml (and NOT the entityID):
" <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_2bfe46fbf65e268f30b921e7abdcc9ba1f1cdcea" ......."
This ID is the random ID automatically generated by SAML SP. You can NOT change it, and you do NOT need to change it. Just download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata" and save it as sp2-example-org.xml. Then you can find that this ID was automatically generated by Shibboleth SP in the sp2-example-org.xml
Note that this random ID is NOT mandatory for SP metadata. For example, Office365 SP metadata or Shibboleth SP metadata has this random ID, but Amazon AWS SP metadata does NOT have this random ID. https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-idp-dockerized/ext-conf/metadata
Thanks for all your help.
Hi, when you say "Then you can find that this ID was automatically generated by Shibboleth SP in the sp2-example-org.xml", how is the ID automatically generated? That is, am I to exercise a particular utility to generate the sp metadata (and on which files or in which folder) that results in the automatic generation of the ID?
You do NOT need to "exercise a particular utility to generate the sp metadata", just download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata" and save it as sp2-example-org.xml.
Then you can find that this ID was automatically generated by Shibboleth SP in the sp2-example-org.xml
Note that
Quote "OpenSAML is a set of open source C++ & Java libraries used in support of the Shibboleth Project's implementation of the Security Assertion Markup Language (SAML)."
https://shibboleth.atlassian.net/wiki/spaces/OS30/overview
In summary, follow README to run Shibboleth SP app2 and then download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata" and save it as sp2-example-org.xml.
Hi,
After creating and running the container for sp1.example.org, I downloaded the Metadata using https://sp1.example.org:2443/Shibboleth.sso/Metadata. I copied the Metadata to sp2-example-org.xml (given below). I copied the sp2-example-org.xml to the ext-conf/metadata folder on the idp (is there a way to upload the file to the idp similar to the downloading on the sp?). I navigated to the sp1 login page successfully. When I clicked the login link, the idp did not provide the login page but errored stating "The application you have accessed is not registered for use with this service."
The idp-wan.log in the /opt/shibboleth-idp/logs on idp displays the following:
```
2022-04-20 23:21:29,514 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://sp1.example.org:2443/Shibboleth.sso/Metadata)
2022-04-20 23:21:29,516 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
```
I appreciate your help. Thanks Emil
Quote "I downloaded the Metadata using https://sp1.example.org:2443/Shibboleth.sso/Metadata. I copied the Metadata to sp2-example-org.xml (given below). I copied the sp2-example-org.xml to the ext-conf/metadata folder on the idp (is there a way to upload the file to the idp similar to the downloading on the sp?). I navigated to the sp1 login page successfully. When I clicked the login link, the idp did not provide the login page but errored stating "The application you have accessed is not registered for use with this service.""
Probably a typo: (it is sp2, NOT sp1) https://sp1.example.org:2443/Shibboleth.sso/Metadata should be https://sp2.example.org:2443/Shibboleth.sso/Metadata
You need to register sp2 with Shibboleth IdP (see Steps 4 and 5 below).
1. Download the Metadata using https://sp2.example.org:2443/Shibboleth.sso/Metadata
2. Copy the Metadata to sp2-example-org.xml.
3. Copy sp2-example-org.xml to ext-conf/metadata
4. Add sp2 to ext-conf/conf/metadata-providers.xml
```xml
<MetadataProvider id="SPMD2" xsi:type="FilesystemMetadataProvider"
                  metadataFile="/opt/shibboleth-idp/metadata/sp2-example-org.xml"
                  maxRefreshDelay="PT48H">
</MetadataProvider>
```
5. Add sp2 to ext-conf/conf/relying-party.xml
```xml
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp2.example.org:2443/Shibboleth.sso/Metadata">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
        </list>
    </property>
</bean>
```
6. Run Shibboleth IdP again.
```shell
cd Shibboleth-SAML-IdP-SP/shibboleth-idp-dockerized
./run.sh
```
Note that if you use sp1 instead of sp, you need to repeat the above procedure again to register sp1 with Shibboleth IdP.
Hi, thanks for your input. I was able to successfully get sp1 (sp1.example.com:2443) to work. However, when I build and run sp using sp.example.com:2443, I get an error "docker ... failed: port is already in use". It appears that docker is using the same ip address for sp1 and sp. Is there a way to force a container to pick a different ip address? Thanks
Just keep sp app unchanged. Only modify the ports of sp1 (i.e., from 2080 to 3080, from 2443 to 3443).
```shell
$ cd shibboleth-sp1-testapp
$ sudo nano shibboleth-sp/shibboleth2.xml
```
change the ID for sp1:
entityID="https://sp1.example.org:2443/Shibboleth.sso/Metadata" --> entityID="https://sp1.example.org:3443/Shibboleth.sso/Metadata"
```shell
$ sudo nano ./run.sh
```
```shell
docker run -it --rm -p 3080:80 -p 3443:443 --name="shibboleth-sp" example/shibboleth-sp:latest
```
```shell
$ ./run.sh
```
https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/blob/master/shibboleth-sp-testapp/run.sh
Then execute the following steps to update the configuration of Shibboleth IdP for sp1 app.
1. Download the sp1 Metadata using https://sp1.example.org:3443/Shibboleth.sso/Metadata
2. Copy the Metadata to sp1-example-org.xml.
3. Copy sp1-example-org.xml to ext-conf/metadata
4. Add sp1 to ext-conf/conf/metadata-providers.xml
```xml
<MetadataProvider id="SPMD2" xsi:type="FilesystemMetadataProvider"
                  metadataFile="/opt/shibboleth-idp/metadata/sp1-example-org.xml"
                  maxRefreshDelay="PT48H">
</MetadataProvider>
```
5. Add sp1 to ext-conf/conf/relying-party.xml
```xml
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp1.example.org:3443/Shibboleth.sso/Metadata">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
        </list>
    </property>
</bean>
```
6. Run Shibboleth IdP again.
```shell
cd Shibboleth-SAML-IdP-SP/shibboleth-idp-dockerized
./run.sh
```
Finally execute the following steps to test sp1 app.
Hi, Thanks very much for all your help. I have successfully completed running sp and sp1 and verified the sso feature of the system.
I have another question. When I downloaded the metadata of sp1, the metadata file did not include the
Thanks Emil
It seems that you re-use sp.example.org.key and sp.example.org.crt as sp1.example.org.key and sp1.example.org.crt. Note that SUBJECT_NAME of sp1 is different from SUBJECT_NAME of sp.
1. Change these values as needed:
```shell
$ OUT_DIR=/tmp/credentials
$ LIFETIME=3650 # 10 yrs
$ SUBJECT_NAME='/CN=sp1.example.org'
$ /usr/bin/openssl req -new -x509 -nodes \
    -newkey rsa:2048 -keyout $OUT_DIR/sp1.example.org.key \
    -days $LIFETIME -subj $SUBJECT_NAME -out $OUT_DIR/sp1.example.org.crt
```
https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/948470554/SAMLKeysAndCertificates
2. Then copy sp1.example.org.key and sp1.example.org.crt to shibboleth-sp1-testapp/shibboleth-sp1/
```shell
$ cd shibboleth-sp1-testapp
$ cp /tmp/credentials/sp1.example.org.* shibboleth-sp1/
$ ./run.sh
```
https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-sp-testapp/shibboleth-sp
3. Download the sp1 Metadata using https://sp1.example.org:3443/Shibboleth.sso/Metadata
Then you can discover that the sp1 metadata file includes the md:KeyDescriptor section including the x509certificate.
Thanks. Before asking you the above question, I had already created sp1.example.org.crt and sp1.example.org.key from scratch with the correct cn and copied them to the correct directory shibboleth-sp (not shibboleth-sp1) under shibboleth-sp1-testapp1. However, when I downloaded the Metadata, the metadata did not include the md:KeyDescriptor section (and did not include the x509certificate either). When I compared the sp1 metadata I created with the one already provided by you (sp-example-org.xml), it became clear to me that there is something missing in the process. Best, Emil
```shell
cd shibboleth-sp-testapp
# Replace sp.example.org.key and sp.example.org.crt with sp1.example.org.key and sp1.example.org.crt respectively
sudo nano shibboleth-sp/shibboleth2.xml
```
```xml
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp1.example.org.key" certificate="sp1.example.org.crt"/>
```
Run sp1 docker container.
Download the sp1 Metadata using https://sp1.example.org:3443/Shibboleth.sso/Metadata
Then you can discover that the sp1 metadata file includes the md:KeyDescriptor section including the x509certificate.
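A pre-flight check for the two failure modes this thread walks through: an SP entityID that is not registered as a relying party in relying-party.xml (the "not registered for use with this service" / InvalidProfileConfiguration case) and downloaded SP metadata with no md:KeyDescriptor because CredentialResolver in shibboleth2.xml still names a key pair the SP cannot load. This is an added example, not code from the thread or from the winstonhong repository; the metadata and relying-party.xml samples are constructed, with placeholder ID and certificate values.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
C = "{http://www.springframework.org/schema/c}"  # Spring c: namespace of c:relyingPartyIds

# Constructed sample of https://sp1.example.org:3443/Shibboleth.sso/Metadata once CredentialResolver
# names the sp1 key pair; the ID attribute is SP-generated (placeholder here, never hand-edited).
SAMPLE_SP1_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructedplaceholderid"
  entityID="https://sp1.example.org:3443/Shibboleth.sso/Metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed fragment of ext-conf/conf/relying-party.xml with sp1 registered.
SAMPLE_RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:c="http://www.springframework.org/schema/c">
  <bean parent="RelyingPartyByName"
        c:relyingPartyIds="https://sp1.example.org:3443/Shibboleth.sso/Metadata"/>
</beans>"""


def registered_relying_party_ids(relying_party_xml):
    """Collect every c:relyingPartyIds value from RelyingPartyByName beans."""
    ids = set()
    for bean in ET.fromstring(relying_party_xml).iter():
        if bean.get("parent") == "RelyingPartyByName":
            raw = bean.get(C + "relyingPartyIds", "")
            ids.update(v.strip() for v in raw.split(",") if v.strip())
    return ids


def preflight(metadata_xml, relying_party_xml):
    """Return the problems found (empty list means the SP is ready to register)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    entity_id = root.get("entityID", "")
    # An entityID missing here is what the IdP reports as "not registered for use
    # with this service" / InvalidProfileConfiguration (RPID mismatch in the log).
    if entity_id not in registered_relying_party_ids(relying_party_xml):
        problems.append(f"entityID {entity_id} is not registered in relying-party.xml")
    # No KeyDescriptor: the SP could not load the key pair named in CredentialResolver.
    certs = [c for kd in root.iter(MD + "KeyDescriptor") for c in kd.iter(DS + "X509Certificate")]
    if not any((c.text or "").strip() for c in certs):
        problems.append("no md:KeyDescriptor/ds:X509Certificate: check CredentialResolver in shibboleth2.xml")
    return problems
```

Run it against the real downloaded sp1-example-org.xml and the IdP's relying-party.xml before restarting the IdP; an empty list means both checks passed.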
Hello, I am trying to extend your project to support multiple applications on the SP. I was successful in adding a second virtual host to the ssl.conf file pointing to the crt and key files I created using openssl. The second app's index.html and secure/index.html are placed in the /var/www/html/second/ folder. With the above configuration I was able to demonstrate sso. That is, once I was authenticated starting with the second app, I was able to access the first app (yours) without being required to authenticate again. The problem I have is that once I was authenticated using the second app, I was redirected to the logout page of the first app in /var/www/html/secure/ rather than the logout page of the second app in /var/www/html/second/secure/. Based on what I learned from my own online searches, it appears that I need to update the sp metadata and make the same available to the idp. I would appreciate your help and guidance in getting the above to work correctly. That is, what configurations do I need to apply (and in which files) on the sp and idp.
I know that the above is not an issue with your project but I have no way of contacting you directly. Best, Emil