Connect OpenSSO as a Shibboleth 2 SP to a Shibboleth 2 IDP using SAML2
By Bert Van Beeck on Dec 18, 2008
These are the steps to accomplish this:
- Use the latest nightly OpenSSO build (or the next stable build once it is released); you will need many fixes from the last few weeks, so the last OpenSSO Express build is too old.
- Create a Hosted IdP configuration in the OpenSSO console (if you want to use it in production, make sure your own credentials are in the keystore; for proof-of-concept scenarios the keystore contains one test key).
- Grab the newly created OpenSSO IdP metadata XML (you can use either the ssoadm.jsp export entity command or access it directly) and reference it in the SP configuration.
- Edit the Shibboleth SP metadata (/Shibboleth.sso/Metadata), and remove all the XML digital signature AND the
- Import the modified SP metadata into OpenSSO (via ssoadm.jsp, the import CLI or the OpenSSO console).
- In the OpenSSO console, add the IdP and SP metadata to one Circle of Trust profile
- Use the OpenSSO console to edit the IdP metadata, and add attributes.
All released attributes must use the URI-style attrname-format (Shibboleth won't accept the unspecified attribute name format), so use the following syntax: urn:oasis:names:tc:SAML:2.0:attrname-format:uri|
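The signature-removal step above is easy to get wrong by hand, because the ds:Signature element is large and OpenSSO will only accept the metadata once it is gone. The following script is an added example, not code from the original post or from OpenSSO/Shibboleth: it strips every enveloped XML signature from a Shibboleth SP metadata document (the sample metadata and the entityID are constructed) and checks that what remains still describes an SP with an AssertionConsumerService before you import it.

```python
# Added example: strip the enveloped XML signature(s) from Shibboleth SP
# metadata before importing it into OpenSSO. SAMPLE_SP_METADATA is a
# constructed, minimal stand-in for what /Shibboleth.sso/Metadata returns.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes on output

SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def signature_count(metadata_xml: str) -> int:
    """Number of ds:Signature elements anywhere in the document."""
    root = ET.fromstring(metadata_xml)
    return sum(1 for _ in root.iter("{%s}Signature" % NS["ds"]))

def strip_signatures(metadata_xml: str) -> tuple:
    """Remove every ds:Signature element; return (cleaned_xml, removed_count)."""
    root = ET.fromstring(metadata_xml)
    removed = 0
    # Materialise the parent list first: removing children while iterating
    # the live tree can skip siblings.
    for parent in list(root.iter()):
        for sig in list(parent.findall("ds:Signature", NS)):
            parent.remove(sig)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def sanity_check(metadata_xml: str) -> bool:
    """Cleaned metadata must still be an EntityDescriptor with an entityID
    and an SPSSODescriptor that exposes at least one AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not root.get("entityID"):
        return False
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return acs is not None and bool(acs.get("Location"))

if __name__ == "__main__":
    cleaned, n = strip_signatures(SAMPLE_SP_METADATA)
    print("removed %d signature(s); sane=%s" % (n, sanity_check(cleaned)))
```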
That's it: from now on you can federate identities with the Shibboleth 2 IDP.
Should you need detailed instructions, have a look here.
There is also a lot of information available in the mailing list archive.