Connect OpenSSO as a Shibboleth 2 IDP to a Shibboleth SP using SAML2

I've been receiving an increasing amount of questions on connecting OpenSSO with Shibboleth.

I previously wrote a blog on connecting OpenSSO in SP mode with a Shibboleth IDP using SAML2, and
have updated that article with links to more detailed information.

These are the steps to connect a Shibboleth SAML2 SP with OpenSSO in IDP mode :.

STEP 1: Create Hosted IdP Configuration in OpenSSO console (if you want to use it in production,  make sure to have your credentials in the keystore, for proof-of-concept scenarios the keystore contains one test key)

STEP 2: Grab the newly created OpenSSO IdP metadata XML (you can use either ssoadm.jsp export entity command or access directly /opensso/saml2/jsp/exportmetadata.jsp?entityid=<created-entitiy-id-of-the-idp>) and reference it in the Shibboleth SP configuration.

STEP 3: Edit the Shibboleth SP metadata (/Shibboleth.sso/Metadata), and remove all the XML digital signature AND the <md:Extensions> nodes.

STEP 4: Create a Remote Service provider in the same Circle of Trust (ssoadm.jsp, import-entity or from console wizard)

STEP 5: Make sure you connect the IdP and SP metadata to the same Circle of Trust profile

STEP 6: Use the OpenSSO console to edit IdP metadata, and add attributes. All the released attributes must use the URI-style attrname-format (Shibboleth won't accept unspecified attribute nameformat), so use the following syntax urn:oasis:names:tc:SAML:2.0:attrname-format:uri|<saml-attr-name>=<local-attr-name> 

Additional information regarding Shibboleth can be found in the OpenSSO mailinglist archive

That's it folks. Go play !

Comments:

These steps mentioned above are at very high level and when I started investigating as a newbie, they were very difficult for me to understand. So once I got this setup configured, I have added more detailed steps to configure this setup available at below given URL :

http://blog.ebadgujar.com/2010/11/steps-for-configuring-openam-as-idp.html

Comments are welcome to enhance this further.

Thanks,
Sagar

Posted by Sagar Shukla on November 26, 2010 at 04:38 AM CET #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Bert Van Beeck is a Senior Software Architect at Sun Microsystems, specialized in Sun's Identity Management portfolio. He's part of the Northern European pre-sales software team.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today