Shibboleth is a single sign-on implementation based on the SAML standard: http://shibboleth.net/products/
Introductions to SAML2:
1. SAML as I understand it
2. OASIS official documentation
A few words about SAML:
In the SAML2 web SSO model (browser-based single sign-on, not app user authentication), there are two important roles: the Service Provider (SP) and the Identity Provider (IdP).
The flow is somewhat similar to OAuth, but the token mechanism is very different: SAML represents the token with a specific XML schema.
A simple SAML web SSO flow, assuming two sites, site A (SP) and site B (IdP):
When a user accesses a protected resource on site A, site A generates a SAML request and has the user's browser submit it to site B. Site B finds that the user is not logged in and asks the user to log in; once the user has logged in, site B generates a SAML response and sends it back to site A. Site A parses the SAML response and establishes the user context.
The above describes the login process; after reading so much material I still did not see how the SSO part is implemented. From a practical point of view, since an unauthenticated user is redirected to the IdP to authenticate (a shared authentication point), it must be the user's session with the IdP that is established on the first login and reused afterwards. This is the same principle as Jasig CAS.
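The checks site A (the SP) has to make on the SAML Response before it builds a user context, written out as an added Python example that is not code from the original post or from Shibboleth. The SP entityID, ACS URL, request ID and the sample Response are constructed values; XML-signature verification is left to the SP's SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SP identifiers (not from the original post).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"

def parse_instant(s):
    """SAML timestamps are UTC xs:dateTime; turn the trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(response_xml, expected_request_id, now):
    """Checks the SP (site A) must make on the Response before building a user context.
    Returns the list of rejection reasons; an empty list means these checks passed.
    XML-signature verification of the Response/Assertion is a separate, mandatory step."""
    problems = []
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID we issued")
    if resp.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not our AssertionConsumerService URL")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    cond = resp.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["Response carries no Assertion with Conditions"]
    if not parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter")):
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Assertion is not addressed to this SP (AudienceRestriction)")
    return problems

# Constructed sample Response, as the IdP (site B) would POST it back to the SP.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2015-08-01T10:00:05Z" InResponseTo="_req1"
  Destination="{SP_ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-08-01T10:00:05Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Conditions NotBefore="2015-08-01T10:00:00Z" NotOnOrAfter="2015-08-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling check_response(SAMPLE_RESPONSE, "_req1", parse_instant("2015-08-01T10:01:00Z")) returns an empty list, while a mismatched request ID or a clock past NotOnOrAfter yields the corresponding rejection reason.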
Shibboleth provides both an SP and an IdP installation package; this post describes only the deployment of the Shibboleth IdP on Tomcat.
Prerequisites:
1. Tomcat 8.0 (earlier versions were not tried; in theory they should work)
2. shibboleth-identity-provider-3.1.2.zip (http://shibboleth.net/downloads/identity-provider/latest/)
3. An LDAP service that is already installed
Installation steps:
1. Unzip the downloaded Shibboleth IdP to any directory, e.g. C:\Temp\shibboleth-identity-provider-3.1.2.
2. Run install.bat from the bin directory and enter the host name, the installation directory (default C:/opt/shibboleth-idp), the cookie encryption password and other information. Avoid using localhost as the host name (I have not found the reason for the failure); if necessary, use a made-up domain name and point it at localhost in the hosts file.
Note: the directory extracted in step 1 and the actual installation directory from step 2 look very similar and are easy to confuse; it is recommended to delete the extracted directory after installation. The bin directory of the extracted package does have other functions, such as rebuilding the WAR, which this tutorial does not cover.
3. Configure Tomcat
3.1 Enable HTTPS in Tomcat; this is not described here, search for "Tomcat HTTPS one-way authentication".
3.2 Change Tomcat's default HTTP port 8080 and HTTPS port 8443 to 80 and 443. (This seems optional; do it anyway for now.)
3.3 Point Tomcat at the installed Shibboleth IdP by adding a Context node inside the Host node of Tomcat's server.xml (attribute names are case-sensitive, and the path must start with a slash):
<Context docBase="C:/opt/shibboleth-idp/war/idp.war"
         path="/idp"
         privileged="true"
         antiResourceLocking="false"
         swallowOutput="true"/>
Those familiar with Tomcat will recognize this as Tomcat loading a WAR from a location outside its webapps directory.
3.4 If Shibboleth is not installed in the default C:/opt/shibboleth-idp, either add the following parameter to Tomcat's JVM startup options:
-Didp.home=<installation path>
or find web.xml in the Shibboleth WAR package and add a context parameter:
<context-param>
    <param-name>idp.home</param-name>
    <param-value>j:/downloads/shibboleth/idp</param-value>
</context-param>
4. Shibboleth is now installed; what follows is configuration.
4.1 Configure LDAP. Shibboleth provides several authentication methods by default; the configuration files live in C:\opt\shibboleth-idp\conf\authn\, and they reference one another in this order:
general-authn.xml
↓
password-authn-config.xml
↓
ldap-authn-config.xml
↓
property placeholders
So the LDAP connection ends up being configured in C:\opt\shibboleth-idp\conf\ldap.properties.
4.2 Add a Service Provider. There is a ready-made test site, https://www.testshib.org/, which lets you check step by step whether your Shibboleth IdP is installed correctly.
Shibboleth official wiki: https://wiki.shibboleth.net/confluence/display/idp30/installation