Connect OpenSSO as a Shibboleth 2 SP to a Shibboleth 2 IDP using SAML2

Connecting OpenSSO to Shibboleth 2 IdPs has become very easy with the latest changes in OpenSSO.
These are the steps to accomplish this:

  1. Use the latest nightly OpenSSO build (or the next stable build once it is released); you need many fixes from the last few weeks, so the latest OpenSSO Express build is too old.
  2. Create a Hosted IdP configuration in the OpenSSO console. For production, make sure your own credentials are in the keystore; for proof-of-concept scenarios the keystore contains one test key, and since that key is the same in every OpenSSO installation, assertions signed with it prove nothing.
  3. Export the newly created OpenSSO IdP metadata XML (either with the ssoadm.jsp export entity command or directly from
    /opensso/saml2/jsp/exportmetadata.jsp?entityid=) and reference it in the Shibboleth SP configuration (shibboleth2.xml loads IdP metadata through its MetadataProvider element).
  4. Fetch the Shibboleth SP metadata (/Shibboleth.sso/Metadata) and edit it: remove the whole XML digital signature (the ds:Signature element) AND the nodes. Because the signature is gone, OpenSSO cannot verify where the file came from, so fetch it straight from the SP over HTTPS or obtain it out of band, and leave the KeyDescriptor in place so the IdP keeps the SP's certificate.
  5. Import the modified SP metadata into OpenSSO as a remote SP (via ssoadm.jsp, the ssoadm import CLI or the OpenSSO console).
  6. In the OpenSSO console, add both the IdP and the SP entity to one Circle of Trust.
  7. Use the OpenSSO console to edit the hosted IdP entity and add the attributes to release.

All released attributes must use the URI-style attrname-format (Shibboleth won't accept the unspecified attribute NameFormat), so prefix every attribute mapping with the format URI, using
the following syntax: urn:oasis:names:tc:SAML:2.0:attrname-format:uri|= where the SAML attribute name goes between the | and the =, and the local OpenSSO attribute name goes after the =.
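The two parts of this procedure that are easy to get wrong by hand are step 4 (stripping the signature from the Shibboleth SP metadata without also losing the SP's certificate) and the attribute mapping syntax above. The script below, an added example rather than code from this post or from OpenSSO or Shibboleth, does both: it removes the ds:Signature element from a constructed stand-in for /Shibboleth.sso/Metadata, checks that what remains is still importable (SPSSODescriptor, AssertionConsumerService and KeyDescriptor present), and builds attribute-mapper entries with the URI name-format prefix, flagging any entry that lacks it. The entity IDs, URLs, certificate placeholder and attribute OIDs are all constructed; the post does not name the other nodes it removes in step 4, so those are passed in as an argument rather than guessed.

```python
"""Prepare Shibboleth 2 SP metadata for OpenSSO and build attribute mappings.

Added example, not code from the original post, OpenSSO or Shibboleth.
Every entity ID, URL, certificate value and attribute name is constructed.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed stand-in for what /Shibboleth.sso/Metadata returns; a real
# document carries a full certificate and more endpoints, same shape.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo/>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>Y29uc3RydWN0ZWQ=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_elements(metadata_xml, tags=((DS, "Signature"),)):
    """Remove every element whose (namespace, local name) is in `tags`, at
    any depth. Default: only the enveloped ds:Signature (step 4). The post
    removes other nodes it does not name; pass those through `tags`.
    Returns (cleaned xml, number of elements removed)."""
    root = ET.fromstring(metadata_xml)
    wanted = {f"{{{ns}}}{local}" for ns, local in tags}
    removed = 0
    for parent in list(root.iter()):          # snapshot: the tree is mutated
        for child in list(parent):
            if child.tag in wanted:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def import_problems(metadata_xml):
    """Checks to run before handing the file to OpenSSO: no ds:Signature
    left, an SPSSODescriptor with an AssertionConsumerService to post the
    Response to, and a KeyDescriptor so the IdP still has the SP's
    certificate after the edit. Returns a list of problems (empty = OK)."""
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.find(f".//{{{DS}}}Signature") is not None:
        problems.append("ds:Signature still present")
    spsso = root.find(f"{{{MD}}}SPSSODescriptor")
    if spsso is None:
        return problems + ["no SPSSODescriptor"]
    if spsso.find(f"{{{MD}}}AssertionConsumerService") is None:
        problems.append("no AssertionConsumerService")
    if spsso.find(f"{{{MD}}}KeyDescriptor") is None:
        problems.append("no KeyDescriptor")
    return problems


def attribute_mapping(saml_name, local_name, name_format=URI_FORMAT):
    """One attribute-mapper entry for the hosted IdP, in the console syntax
    [NameFormat|]SAML-attribute=local-attribute."""
    return f"{name_format}|{saml_name}={local_name}"


def parse_mapping(entry):
    """Split an entry into its parts; name_format is None when omitted."""
    fmt, bar, rest = entry.partition("|")
    if not bar:
        fmt, rest = None, entry
    saml_name, _, local_name = rest.partition("=")
    return {"name_format": fmt, "saml_name": saml_name, "local_name": local_name}


def not_uri_format(entries):
    """Entries without the URI name-format prefix the post requires."""
    return [e for e in entries if parse_mapping(e)["name_format"] != URI_FORMAT]


if __name__ == "__main__":
    cleaned, n = strip_elements(SP_METADATA)
    print(f"removed {n} element(s); problems: {import_problems(cleaned) or 'none'}")
    entries = [attribute_mapping("urn:oid:2.5.4.4", "sn"),
               attribute_mapping("urn:oid:0.9.2342.19200300.100.1.3", "mail"),
               "urn:oid:2.5.4.42=givenName"]        # constructed: prefix missing
    for e in not_uri_format(entries):
        print("missing URI name-format:", e)
```

Run it against the real output of /Shibboleth.sso/Metadata by replacing SP_METADATA with the fetched document; if import_problems() reports "no KeyDescriptor", the edit in step 4 removed too much and the IdP will have no certificate for the SP.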

That's it: from now on you can federate identities with the Shibboleth 2 IdP.

Should you need detailed instructions, have a look here.

There is also a lot of information available in the mailing list archive.


Comments:

I'm really interested, but is there anyone who already uses this, or is it just a proof of concept for now? I'd really like to know if this is a reliable technique before trying something like this with thousands of users...

Posted by Huân Thebault on October 20, 2009 at 04:04 AM CEST #

Can you please be a little more specific on your steps?

In step 3 you say "and reference it in the SP configuration." I assume that means import it in the SP configuration. Was I to have created a Hosted SP as well? Also, the OpenSSO IdP XML metadata that I am to reference in the SP configuration, does that need its element tags changed from "IDPSSODescriptor" to "SPSSODescriptor"?

In step 5, it says to "Import the modified SP metadata to OpenSSO". Into what in OpenSSO, my Hosted SP?

Posted by Jim Wade on November 04, 2009 at 11:31 AM CET #

Hi,
I'm setting up an OpenSSO configuration where OpenSSO is the IdP while Shibboleth is used on a SP.
Could you post details on this scenario too?
Many thanks.
-roberto

Posted by Roberto on November 10, 2009 at 04:07 AM CET #

About

Bert Van Beeck is a Senior Software Architect at Sun Microsystems, specialized in Sun's Identity Management portfolio. He's part of the Northern European pre-sales software team.
