Shibboleth IDP installation and Deployment configuration steps (Tomcat Deployment)

Source: Internet
Author: User
Tags ldap tomcat
Shibboleth is a single sign-on implementation based on the SAML standard: http://shibboleth.net/products/

Introductions to SAML2:
1. The SAML in My Eyes
2. OASIS official documentation

A few words about SAML:

In the SAML2 web SSO model (browser-based single sign-on, not covering app user authentication) there are two important roles: the Service Provider (SP) and the Identity Provider (IDP).

The process is somewhat similar to OAuth, but the token mechanism is very different: SAML represents the token as a specific XML schema.

A simple SAML web SSO flow. Suppose two sites, site A (SP) and site B (IDP):
When a user accesses a protected resource on site A, site A generates a SAML request and has the user's browser submit it to site B. Site B finds that the user is not logged in, so it prompts the user to log in. Once the user has logged in, site B generates a SAML response and sends it back to site A; site A parses the SAML response and establishes the user's session context.

The above is the login process; in all the material I looked up I did not see how the SSO part itself is implemented. From a practical point of view, since an unauthenticated user is redirected to the IDP to authenticate (authentication is centralized there), the session must be established at the IDP on the user's first login and reused for subsequent SPs. This principle is consistent with Jasig CAS.

Shibboleth provides both an SP and an IDP package; this article describes only the Tomcat installation and deployment of the Shibboleth IDP.

Preparation:
1. Tomcat 8.0 (earlier versions were not tried; theoretically deployable)
2. shibboleth-identity-provider-3.1.2.zip (http://shibboleth.net/downloads/identity-provider/latest/)
3. An LDAP service that is already installed

Installation steps:
1. Unzip the downloaded Shibboleth IDP to any directory, for example C:\Temp\shibboleth-identity-provider-3.1.2.

2. Run install.bat in the bin directory and enter the domain name, installation directory (default C:/opt/shibboleth-idp), cookie password and other information. Avoid using localhost as the domain name (it fails for reasons I have not found); if necessary, use a made-up domain name and point it to localhost in the hosts file.
Note: the extraction directory from step 1 and the actual installation directory from step 2 look very much alike and are easy to confuse, so it is recommended to delete the extracted directory after installation. The bin directory of the extracted package does have other functions, such as rebuilding the war, but this tutorial does not cover them.

3. Configure Tomcat
3.1 Enable HTTPS on Tomcat. This is not described here; search for "Tomcat HTTPS one-way authentication".
3.2 Change Tomcat's default ports 8080 (HTTP) and 8443 (HTTPS) to 80 and 443. (This seems optional; do it for now.)
3.3 For the installed Shibboleth IDP, add a Context node inside the Host node of Tomcat's server.xml (Tomcat attribute names are case-sensitive, and the context path must start with a slash):

<Context docBase="C:/opt/shibboleth-idp/war/idp.war" path="/idp"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true"/>

Anyone familiar with Tomcat will recognize that this makes Tomcat load a war from a location outside its webapps directory.
3.4 If the Shibboleth installation path is not the default C:/opt/shibboleth-idp, you need to add the following to Tomcat's JVM startup parameters:
-Didp.home=<installation path>

or find web.xml inside the Shibboleth war package and add the context parameter:
<context-param>
    <param-name>idp.home</param-name>
    <param-value>j:/downloads/shibboleth/idp</param-value>
</context-param>
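To show how steps 3.1 to 3.3 fit together, here is an added example of the relevant part of a Tomcat 8.0 server.xml; it is not from the original article or from the Shibboleth project. The host name idp.example.org, the keystore path C:/opt/shibboleth-idp/credentials/tomcat.jks and its password are assumptions: substitute your own domain name and the keystore you created when enabling HTTPS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the article's own configuration): a Tomcat 8.0 server.xml
     fragment wiring HTTP, HTTPS and the external Shibboleth IDP war together. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Step 3.2: plain HTTP on 80, only used to bounce browsers to HTTPS.
         SAML assertions must never travel over plain HTTP. -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- Step 3.1: one-way (server-authenticated) TLS on 443.
         The keystore path and password are assumed values. -->
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               scheme="https" secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"
               keystoreType="JKS"
               keystoreFile="C:/opt/shibboleth-idp/credentials/tomcat.jks"
               keystorePass="CHANGE-ME-keystore-password" />

    <!-- The Engine default host should match the domain name given to install.bat
         (idp.example.org is assumed here); it must not be localhost. -->
    <Engine name="Catalina" defaultHost="idp.example.org">
      <Host name="idp.example.org" appBase="webapps"
            unpackWARs="true" autoDeploy="false">

        <!-- Step 3.3: load the IDP war from outside the webapps directory.
             path="/idp" matches the URLs the IDP metadata advertises. -->
        <Context docBase="C:/opt/shibboleth-idp/war/idp.war" path="/idp"
                 privileged="true"
                 antiResourceLocking="false"
                 swallowOutput="true" />

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="idp_access" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

Two points worth checking after a restart: browse to https://idp.example.org/idp/status (the IDP's built-in status page) and confirm it answers over HTTPS with your certificate, and confirm that an http:// request to port 80 is redirected rather than served. autoDeploy is set to false so that only the explicitly listed Context is deployed from this host.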


4. At this point Shibboleth is installed; what follows is configuration.
4.1 Configure LDAP. Shibboleth provides several authentication methods by default; the configuration directory is C:\opt\shibboleth-idp\conf\authn\, and the files reference one another in this chain:

general-authn.xml
  -> password-authn-config.xml
    -> ldap-authn-config.xml
      -> placeholders resolved from ldap.properties

So the LDAP connection is ultimately configured in C:\opt\shibboleth-idp\conf\ldap.properties.
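Since the article does not show what ends up in ldap.properties, here is an added example of the LDAP section for a Shibboleth IDP 3.x install; it is not the article's own file and not a file shipped by the Shibboleth project, though the property names are the ones the v3 ldap-authn-config.xml reads. The server ldap.example.org, the base DN dc=example,dc=org, the bind account cn=idp-bind and the certificate file name are assumptions.

```properties
# Added example (not the article's own ldap.properties): the values
# ldap-authn-config.xml pulls in through %{idp.authn.LDAP.*} placeholders.
# All host names, DNs and credentials below are assumed/constructed.

# Search for the user first, then bind as the user to verify the password.
idp.authn.LDAP.authenticator                    = bindSearchAuthenticator

# Plain port with StartTLS, so credentials never cross the wire in clear.
idp.authn.LDAP.ldapURL                          = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS                      = true
idp.authn.LDAP.useSSL                           = false

# Pin trust to the directory server's certificate instead of the JVM default
# trust store; the .crt file is an assumed path under the IDP's credentials dir.
idp.authn.LDAP.sslConfig                        = certificateTrust
idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt

# Where and how to look for the account that is logging in.
idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
idp.authn.LDAP.subtreeSearch                    = false
idp.authn.LDAP.userFilter                       = (uid={user})

# Dedicated, read-only service account used only for the user search.
# Keep this file readable by the Tomcat service account only.
idp.authn.LDAP.bindDN                           = cn=idp-bind,ou=services,dc=example,dc=org
idp.authn.LDAP.bindDNCredential                 = CHANGE-ME-bind-password

# Attributes returned with the bind, useful for password-expiry warnings.
idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGraceRemaining

# Reuse the same connection settings for the attribute resolver.
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential:undefined}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter        = (uid=$requestContext.principalName)
```

The bindSearchAuthenticator with a search account and a userFilter is the usual choice when user DNs are not predictable; if every account sits directly under one container, the simpler anonSearchAuthenticator or directAuthenticator with idp.authn.LDAP.dnFormat can be used instead. Whichever you pick, keep useStartTLS (or useSSL with an ldaps:// URL) enabled and trust an explicit certificate, so that a misconfigured or spoofed directory cannot harvest passwords.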

4.2 Add a Service Provider. There is a ready-made test site, https://www.testshib.org/, which provides a step-by-step way to check whether your Shibboleth is installed correctly.

Shibboleth official wiki: https://wiki.shibboleth.net/confluence/display/idp30/installation
