Connect OpenSSO as a Shibboleth 2 IDP to a Shibboleth SP using SAML2
By Bert Van Beeck on Nov 10, 2009
I've been receiving an increasing amount of questions on connecting OpenSSO with Shibboleth.
I previously wrote a blog on connecting OpenSSO in SP mode with a Shibboleth IDP using SAML2, and
have updated that article with links to more detailed information.
These are the steps to connect a Shibboleth SAML2 SP with OpenSSO in IDP mode:
STEP 1: Create a Hosted IdP configuration in the OpenSSO console. The default keystore only contains a single test key that is meant for proof-of-concept setups; before you use the IdP in production, load your own signing credentials into the keystore, because anything signed with the well-known test key can be forged by anyone who has the OpenSSO distribution.
STEP 2: Grab the newly created OpenSSO IdP metadata XML (either with the ssoadm.jsp export-entity command or directly from /opensso/saml2/jsp/exportmetadata.jsp?entityid=<created-entity-id-of-the-idp>) and reference it in the Shibboleth SP configuration.
STEP 3: Fetch the Shibboleth SP metadata (/Shibboleth.sso/Metadata) and remove the <ds:Signature> element and all <md:Extensions> elements (there is one under <md:EntityDescriptor> and usually another under <md:SPSSODescriptor>); OpenSSO will not import the metadata with those present. Leave <md:KeyDescriptor> and the <ds:KeyInfo> inside it alone, that is the SP certificate OpenSSO needs. Since you are discarding the signature, fetch the file over HTTPS from the SP itself and compare the certificate with what the SP administrator gives you out of band before importing it.
STEP 4: Create a Remote Service Provider from the cleaned-up SP metadata in the same Circle of Trust (ssoadm.jsp import-entity, or the console wizard).
STEP 5: Make sure the IdP and the SP entities are both assigned to the same Circle of Trust profile; otherwise OpenSSO will refuse the AuthnRequest.
STEP 6: Use the OpenSSO console to edit the IdP metadata and add the attributes to release. Every released attribute must use the URI NameFormat, because the Shibboleth SP does not accept attributes with the unspecified NameFormat (they are silently dropped by the attribute extractor), so each attribute map entry has the form urn:oasis:names:tc:SAML:2.0:attrname-format:uri|<saml-attr-name>=<local-attr-name>
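To make STEP 3 and STEP 6 less error-prone, here is a small added script (my own example, not part of the original post or of OpenSSO/Shibboleth) that strips the <ds:Signature> and <md:Extensions> elements from SP metadata while keeping the <md:KeyDescriptor>, checks that the result is safe to hand to import-entity, and generates the URI-NameFormat attribute map entries. The entity ID, URLs, certificate value and the metadata document itself are constructed for the example; the two OIDs are the standard LDAP OIDs for mail and eduPersonPrincipalName.

```python
# Added example (not from the original post): prepares Shibboleth SP metadata
# for import into OpenSSO (STEP 3) and builds the attribute-map entries for
# STEP 6. Entity ID, URLs and the certificate value below are constructed.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the md:/ds: prefixes on output

# Constructed stand-in for what /Shibboleth.sso/Metadata returns (not real SP output).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://sp.example.org/shibboleth">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBxTCC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Element types OpenSSO's metadata import cannot handle.
DROP = {"{%s}Signature" % NS["ds"], "{%s}Extensions" % NS["md"]}


def strip_for_opensso(xml_text):
    """Remove every ds:Signature and md:Extensions element, at any depth.

    ds:KeyInfo inside md:KeyDescriptor is deliberately left in place: that is
    the SP certificate OpenSSO uses to verify signed AuthnRequests and to
    encrypt assertions. Returns (cleaned_xml, number_of_removed_elements).
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for parent in list(root.iter()):      # snapshot: we mutate while walking
        for child in list(parent):
            if child.tag in DROP:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def check_import_ready(xml_text):
    """Sanity check before ssoadm import-entity: nothing OpenSSO chokes on is
    left, and the SP certificate and ACS endpoint survived the cleanup."""
    root = ET.fromstring(xml_text)
    leftovers = [e for e in root.iter() if e.tag in DROP]
    has_cert = root.find(
        ".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    has_acs = root.find(".//md:SPSSODescriptor/md:AssertionConsumerService", NS) is not None
    return not leftovers and has_cert and has_acs


ATTRNAME_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def opensso_attribute_map(mapping):
    """Turn {saml_attr_name: local_attr_name} into the 'format|saml=local'
    entries for the IdP attribute map (STEP 6), all with the URI NameFormat."""
    return ["%s|%s=%s" % (ATTRNAME_URI, saml, local)
            for saml, local in sorted(mapping.items())]


if __name__ == "__main__":
    cleaned, n = strip_for_opensso(SP_METADATA)
    print("removed %d element(s); import-ready: %s" % (n, check_import_ready(cleaned)))
    print(cleaned)
    # Standard LDAP OIDs for mail and eduPersonPrincipalName -> local profile attributes.
    for entry in opensso_attribute_map({
        "urn:oid:0.9.2342.19200300.100.1.3": "mail",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "uid",
    }):
        print(entry)
```

Run it once against the real metadata you fetched over HTTPS, feed the cleaned output to import-entity, and paste the printed attribute map entries into the IdP's Attribute Map in the console. The check_import_ready() call is there because the most common mistake when hand-editing the XML is deleting the <ds:KeyInfo> along with the signature, which leaves OpenSSO with no SP certificate.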
Additional information regarding Shibboleth can be found in the OpenSSO mailing list archive.
That's it folks. Go play !