Configuring Shibboleth Service Provider to use WSO2 IDP


varun_surana
We have a requirement wherein the client uses WSO2 as Identity Provider, and we have been using Shibboleth as Service Provider. We are very new to working with an IDP other than Shibboleth.

We tried configuring Shibboleth SP with the details provided by the client, like their SSO Entity ID, and based on that prepared a metadata file for their IDP with the help of http://xacmlinfo.org/2013/12/24/how-to-saml-generating-saml-metadata-for-saml2-sso-idp/.

Now, when we try to go to the URL which we are trying to protect, we get an exception "Unable to locate metadata for identity provider."

The client has also provided a couple of certificate files; we are not sure where and how to use those.

Can someone please guide us on how to use Shibboleth as SP with WSO2 as IDP? Below is the content of shibboleth2.xml and IDP-metadata.xml.

shibboleth2.xml

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">

<InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="ourdomain.com" scheme="https" port="443"/>
    </ISAPI>
</InProcess>

<RequestMapper type="Native">
    <RequestMap>
        <Host name="ourdomain.com">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

<ApplicationDefaults entityID="https://ourdomain.com/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
    <!-- The site is served over https only; handlerSSL="true" and cookieProps="https"
         keep the session cookie and the handler endpoints off plain HTTP. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http">
        <!-- This value must match the entityID attribute of the EntityDescriptor in
             idp-metadata.xml exactly (scheme, host, port and path). A literal '<' is not
             allowed inside an XML attribute value, so the placeholder host is written
             without angle brackets. -->
        <SSO entityID="https://client-url:9443/samlsso">
          SAML2 SAML1
        </SSO>
        <Logout>SAML2 Local</Logout>
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

        <Handler type="Session" Location="/Session" showAttributeValues="false"/>

       
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="contact@ourdomain.com"
        helpLocation="/about.html"
        styleSheet="/shibboleth-sp/main.css"/>

    <MetadataProvider type="XML" file="idp-metadata.xml"/>

   
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

   
    <AttributeResolver type="Query" subjectMatch="true"/>

   
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

</ApplicationDefaults>


<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>


<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

IDP Metadata

<!-- SAML metadata elements live in the urn:oasis:names:tc:SAML:2.0:metadata namespace;
     without the default xmlns declaration the SP does not recognise this file as
     metadata and reports that it cannot locate the identity provider. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://client-url:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIFMDCCBBigAwIBAgIJAN1pNoKRsRdHMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
                        VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
                        MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
                        cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
                        dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE3MTAwMzE2MzgwMFoX
                        DTIwMDMwNjE3NDIwMVowOjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
                        dGVkMRUwEwYDVQQDEwxmaXIuc2Fsay5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
                        DwAwggEKAoIBAQDh8o+DpodSfIsJK6FOQGhhU4HbRaWVdhNEVMyJm15TN7oqV2Vo
                        XAxZZtIgfbSJhZf5niWDq5m+ODWeqWawTHtC+4EpLD3t8SSdEb91qw96EfNlyvWm
                        xufeihjMano0A560mqPGQTFEkT1nZypyjOHZ3Uln0pubMH30e2YWewQr3lUfeNwN
                        dfIAMGlE7YDnhzAWblRJleN5J6duYcx6LX/7nkfaOOX0tN5Pga0zV6ZWu2eK6uSK
                        J3b/0toM/FH2DW8RcMRBMSf2ImHUBeHWOA0NagJ4okm8Bufb86WJj7DLBulptZO7
                        yr2fKzjYY+kdMrTlXQbYYvWFVx5O/gaGaHM5AgMBAAGjggG8MIIBuDAMBgNVHRMB
                        Af8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8E
                        BAMCBaAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5nb2RhZGR5LmNvbS9n
                        ZGlnMnMxLTcyNy5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcGCCsG
                        AQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRv
                        cnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6
                        Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRpZmlj
                        YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAW
                        gBRAwr0njsw0gzCiM9f7bLPwtCyAzjApBgNVHREEIjAgggxmaXIuc2Fsay5lZHWC
                        EHd3dy5maXIuc2Fsay5lZHUwHQYDVR0OBBYEFLoNEtABRYUnAuVh2O/bbImJhe/o
                        MA0GCSqGSIb3DQEBCwUAA4IBAQAU9xh79wJzoiORpGoomcbQDFF0sW5/mZ1H62B7
                        hhaAPU8qqT625omu0y1R12z8f20tvq381+CKhL3r9Yya8EqVqA0TCsK6ixYG+x9Y
                        yjXx9BM8yuRv1gdxsEPJ+QOwqsQwCVDFznoNXA8FU6dMfX4QSERGdiGNaSgsMNCX
                        zca9kdXdk7ht/Kp7fLm6XIoqE2k4ml90ew2LanTBZhbtbsgxOrQicubK6ZY4CF5t
                        NEzbEMdGMaJZroIPf4MTrUS22Vw18xhFnlJVSbTAla1QlqNONmVOrEPq/Y6/J+fp
                        Uwwm009ZhNJq6zGJoNQJnHF3fq5yj8qWbTBw54o11OSM6x
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://client-url:9443/samlsso"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://client-url:9443/samlsso"/>
    </IDPSSODescriptor>
</EntityDescriptor>
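An offline consistency check for an SP/IdP pairing like the one in this post, added here as an example; it is not code from the post, from the Shibboleth project or from WSO2. It parses the pieces of shibboleth2.xml and idp-metadata.xml that the SP uses to find the IdP and reports the mistakes that produce "Unable to locate metadata for identity provider": a metadata root element outside the SAML metadata namespace (the posted metadata has no xmlns), an SSO entityID that is not byte-for-byte equal to the EntityDescriptor entityID (the post uses `https://<client-url>` in one file and `https://client-url` in the other), an expired validUntil, and a certificate whose Base64 is damaged (the last Base64 line of the posted certificate has 46 characters, so the value is not a multiple of four and any strict decoder rejects it). The two sample documents, the hostnames `client-url` and `ourdomain.com`, and the placeholder certificate (a bare DER SEQUENCE, not a real X.509 certificate) are constructed for the example.

```python
"""Offline check of a Shibboleth SP config against the IdP metadata it points at.
Added example (not from the original post, Shibboleth or WSO2). It flags the
usual causes of "Unable to locate metadata for identity provider": metadata root
outside the SAML metadata namespace, SSO entityID differing from the
EntityDescriptor entityID, an expired validUntil, a truncated certificate.
Hostnames and sample documents below are constructed placeholders."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
CERT_PATH = f"{{{MD_NS}}}KeyDescriptor/{{{DS_NS}}}KeyInfo/{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate"


def _parse_time(value):
    """xs:dateTime as written in metadata (2023-09-23T06:57:15.396Z) -> aware datetime."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))


def check_sp_idp_pairing(sp_xml, md_xml, now=None):
    """Return a list of findings; an empty list means shibboleth2.xml and the metadata agree."""
    now = now or datetime.now(timezone.utc)
    findings = []
    sso = ET.fromstring(sp_xml).find(f".//{{{SP_NS}}}SSO")
    sp_idp = sso.get("entityID") if sso is not None else None
    if not sp_idp:
        findings.append("shibboleth2.xml: no <SSO entityID=...> under <Sessions>")

    md = ET.fromstring(md_xml)
    if md.tag != f"{{{MD_NS}}}EntityDescriptor":
        findings.append(f"idp-metadata.xml: root is {md.tag!r}, not EntityDescriptor in {MD_NS}")
        return findings  # the SP reads nothing else out of a file it does not recognise
    md_idp = md.get("entityID")
    if sp_idp and sp_idp != md_idp:
        findings.append(f"entityID mismatch: SSO uses {sp_idp!r}, metadata declares {md_idp!r}")
    valid_until = md.get("validUntil")
    if valid_until and _parse_time(valid_until) < now:
        findings.append(f"idp-metadata.xml: validUntil {valid_until} has passed; expired metadata is rejected")

    idp = md.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        findings.append("idp-metadata.xml: no IDPSSODescriptor, so no IdP role to send the request to")
        return findings
    bindings = {s.get("Binding") for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}
    if not bindings & {REDIRECT, POST}:
        findings.append("idp-metadata.xml: no HTTP-Redirect/HTTP-POST SingleSignOnService endpoint")
    certs = idp.findall(CERT_PATH)
    if not certs:
        findings.append("idp-metadata.xml: no signing X509Certificate; responses cannot be verified")
    for cert in certs:
        try:
            der = base64.b64decode(re.sub(r"\s+", "", cert.text or ""), validate=True)
        except binascii.Error:
            findings.append("idp-metadata.xml: X509Certificate Base64 is malformed (truncated paste?)")
            continue
        if not der.startswith(b"\x30"):  # a DER Certificate is a SEQUENCE
            findings.append("idp-metadata.xml: X509Certificate does not decode to DER")
    return findings


# Constructed sample inputs; client-url and ourdomain.com are placeholders as in the post.
SP_CONFIG = f"""<SPConfig xmlns="{SP_NS}" clockSkew="180">
  <ApplicationDefaults entityID="https://ourdomain.com/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem">
      <SSO entityID="https://client-url:9443/samlsso">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" file="idp-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""
# Placeholder DER SEQUENCE standing in for a certificate; not a usable X.509 cert.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def idp_metadata(entity_id, valid_until, cert_b64, xmlns=MD_NS):
    """Minimal IdP EntityDescriptor; xmlns=None reproduces the missing-namespace mistake."""
    ns = f' xmlns="{xmlns}"' if xmlns else ""
    return f"""<EntityDescriptor{ns} xmlns:ds="{DS_NS}" entityID="{entity_id}" validUntil="{valid_until}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST}" Location="{entity_id}"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="{entity_id}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    good = idp_metadata("https://client-url:9443/samlsso", "2099-01-01T00:00:00Z", PLACEHOLDER_CERT)
    bad = idp_metadata("https://client-url:9443/samlsso/", "2023-09-23T06:57:15.396Z", PLACEHOLDER_CERT[:-3])
    for label, doc in (("consistent", good), ("broken", bad)):
        print(label, check_sp_idp_pairing(SP_CONFIG, doc) or ["OK"])
```

To run it against real files, read shibboleth2.xml and idp-metadata.xml from the SP's configuration directory and pass their contents to `check_sp_idp_pairing`. The check is deliberately strict about the entityID comparison because the SP looks the IdP up by exact string match; a trailing slash or a different port is enough to make the lookup fail. It does not validate the certificate chain or signature, only that the pasted value is a complete DER blob, which is the failure mode a copy-and-paste from a PEM file usually produces.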