Thursday Dec 18, 2008

Connect OpenSSO as a Shibboleth 2 SP to a Shibboleth 2 IDP using SAML2

Using OpenSSO to connect to Shibboleth 2 IdPs has become very easy with the latest changes in OpenSSO.
These are the steps to accomplish this:

  1. Use the latest nightly OpenSSO build (or the next stable build that will be released); you will need many fixes from the last weeks, so the last OpenSSO Express build is too old.
  2. Create a Hosted IdP configuration in the OpenSSO console (if you want to use it in production, make sure your credentials are in the keystore; for proof-of-concept scenarios the keystore contains one test key).
  3. Grab the newly created OpenSSO IdP metadata XML (you can use either the ssoadm.jsp export entity command or access /opensso/saml2/jsp/exportmetadata.jsp?entityid= directly) and reference it in the SP configuration.
  4. Edit the Shibboleth SP metadata (/Shibboleth.sso/Metadata), and remove all the XML digital signature AND the nodes.
  5. Import the modified SP metadata into OpenSSO (via ssoadm.jsp, the import CLI or the OpenSSO console).
  6. In the OpenSSO console, add the IdP and SP metadata to one Circle of Trust profile.
  7. Use the OpenSSO console to edit the IdP metadata, and add attributes.

All released attributes must use the URI-style attrname-format (Shibboleth won't accept the unspecified attribute NameFormat), so use
the following syntax: urn:oasis:names:tc:SAML:2.0:attrname-format:uri|=
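As an added illustration of steps 4 and 7 (this is example code written for this page, not part of the original post and not OpenSSO or Shibboleth project code), the script below parses a small, constructed Shibboleth-style SP metadata document, strips the ds:Signature element before import, and reports every RequestedAttribute whose NameFormat is not the URI style that Shibboleth expects. The sample entityID, endpoint URL and the signature placeholder are made up; the two attribute OIDs are the standard mail and givenName identifiers. Only the signature removal is shown; which other nodes the post removes is not given here, so the script does not guess at them.

```python
# Added example: sanity-check a Shibboleth SP metadata file before importing
# it into OpenSSO. Not code from the original post or either project.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Keep the usual prefixes when serialising instead of ns0/ns1.
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample: minimal SP metadata with a placeholder signature and
# one attribute that still uses the 'unspecified' NameFormat.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_signatures(root):
    """Remove every ds:Signature element anywhere in the tree (step 4).

    ElementTree has no parent pointers, so walk every element and drop the
    signature children it owns. Returns the number of elements removed.
    """
    removed = 0
    for parent in list(root.iter()):
        for sig in list(parent.findall("ds:Signature", NS)):
            parent.remove(sig)
            removed += 1
    return removed


def non_uri_attributes(root):
    """Return the Name of each RequestedAttribute not using the URI NameFormat.

    OpenSSO must release these with the URI-style attrname-format, so each
    name returned here needs a mapping entry on the IdP side (step 7).
    """
    return [
        attr.get("Name")
        for attr in root.iter("{%s}RequestedAttribute" % NS["md"])
        if attr.get("NameFormat") != URI_FORMAT
    ]


def sanitize_sp_metadata(xml_text):
    """Parse SP metadata, strip signatures and flag attribute formats.

    Returns (cleaned_xml, signatures_removed, names_needing_uri_format).
    """
    root = ET.fromstring(xml_text)
    removed = strip_signatures(root)
    flagged = non_uri_attributes(root)
    return ET.tostring(root, encoding="unicode"), removed, flagged


if __name__ == "__main__":
    cleaned, removed, flagged = sanitize_sp_metadata(SAMPLE_SP_METADATA)
    print("signatures removed:", removed)
    print("attributes needing URI NameFormat:", flagged)
    print(cleaned)
```

Run it against a real /Shibboleth.sso/Metadata download by replacing SAMPLE_SP_METADATA with the file contents; the cleaned document is what you would import in step 5, and the flagged list tells you which attribute names still need the urn:oasis:names:tc:SAML:2.0:attrname-format:uri prefix in the OpenSSO attribute mapping.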

That's it: from now on you can federate identities with the Shibboleth 2 IdP.

Should you need detailed instructions, have a look here.

There is also a lot of information available in the mailing list archive.


Friday Nov 14, 2008

Microsoft meets SAML2

In the world of federation, there are a few standards available to allow human-to-application single sign-on. The open standards include SAML2 and ID-FF (now part of SAML2), and Microsoft's WS-Federation.
As SAML2 and WS-Federation are mutually incompatible, it has been a challenge to connect WS-Federation platforms with those supporting SAML2.

Fortunately, Microsoft announced in the last few weeks that their new server platform "Geneva" will support SAML2 as a federation platform. This basically means that Geneva servers can start playing a role as IdP or SP in a federated environment. Combinations of a .NET platform federating with OpenSSO via SAML2 will become easy, and the reverse should also be possible.

Good job Microsoft on embracing the open standard SAML2!!! I'm looking forward to the future circles of trust that will be created as a result of this.

More information: http://www.kuppingercole.com/articles/fg_micro_gen_271008


About

Bert Van Beeck is a Senior Software Architect at Sun Microsystems, specialized in Sun's Identity Management portfolio. He's part of the Northern European pre-sales software team.
