Tuesday Nov 10, 2009

Connect OpenSSO as a Shibboleth 2 IDP to a Shibboleth SP using SAML2

I've been receiving an increasing amount of questions on connecting OpenSSO with Shibboleth.

I previously wrote a blog on connecting OpenSSO in SP mode with a Shibboleth IDP using SAML2, and
have updated that article with links to more detailed information.

These are the steps to connect a Shibboleth SAML2 SP with OpenSSO in IDP mode :.

STEP 1: Create Hosted IdP Configuration in OpenSSO console (if you want to use it in production,  make sure to have your credentials in the keystore, for proof-of-concept scenarios the keystore contains one test key)

STEP 2: Grab the newly created OpenSSO IdP metadata XML (you can use either ssoadm.jsp export entity command or access directly /opensso/saml2/jsp/exportmetadata.jsp?entityid=<created-entitiy-id-of-the-idp>) and reference it in the Shibboleth SP configuration.

STEP 3: Edit the Shibboleth SP metadata (/Shibboleth.sso/Metadata), and remove all the XML digital signature AND the <md:Extensions> nodes.

STEP 4: Create a Remote Service provider in the same Circle of Trust (ssoadm.jsp, import-entity or from console wizard)

STEP 5: Make sure you connect the IdP and SP metadata to the same Circle of Trust profile

STEP 6: Use the OpenSSO console to edit IdP metadata, and add attributes. All the released attributes must use the URI-style attrname-format (Shibboleth won't accept unspecified attribute nameformat), so use the following syntax urn:oasis:names:tc:SAML:2.0:attrname-format:uri|<saml-attr-name>=<local-attr-name> 

Additional information regarding Shibboleth can be found in the OpenSSO mailinglist archive

That's it folks. Go play !

Thursday Dec 18, 2008

Connect OpenSSO as a Shibboleth 2 SP to a Shibboleth 2 IDP using SAML2

Using OpenSSO to connect to Shibboleth 2 IDP's has become very easy with the latest changes in OpenSSO.  
These are the steps to accomplish this :

  1. Use the latest nightly OpenSSO build (or the next Stable build that will be released), you will need many fixes from the last weeks, therefore the last OpenSSO Express build is too old...
  2. Create a Hosted IdP Configuration in OpenSSO console (if you want to use it in production, make sure to have your credentials in the keystore, for proof-of-concept scenarios the keystore contains one test key)
  3. Grab the newly created OpenSSO IdP metadata XML (you can use either ssoadm.jsp export entity command or access directly
    /opensso/saml2/jsp/exportmetadata.jsp?entityid=) and reference it in the SP configuration.
  4. Edit the Shibboleth SP metadata (/Shibboleth.sso/Metadata), and remove all the XML digital signature AND the nodes.
  5. Import the modified SP metadata to OpenSSO (Via ssoadm.jsp, the import CLI or through the OpenSSO console)
  6. In the OpenSSO console, add the IdP and SP metadata to one Circle of Trust profile
  7. Use the OpenSSO console to edit the IdP metadata, and add attributes.

All the released attributes must use the URI-style attrname-format (Shibboleth won't accept unspecified attribute nameformat), so use
the following syntax : urn:oasis:names:tc:SAML:2.0:attrname-format:uri|=

That's it : from now on you can federate identities with the Shibboleth 2 IDP.

Should you need detailed instructions, have a look here.

There is also a lot of information available in the mailinglist archive.


Turn OpenSSO into a Shibboleth 1.x SP/IDP

The following was posted in the opensso users mailinglist, that a lot of people found very interesting to say the least !

Chris Phillips (chris.phillips@queensu.ca) wrote an article on how OpenSSO Enterprise can be configured as an Shibboleth 1.3 IDP.
The article can be found at : https://wiki.queensu.ca/display/heidm/HowTo-Building+a+Shib+IdP+1.3+with+Sun+Access+Manager+7+for+SSO

Academic World : Here comes OpenSSO !
Technorati Tags:
About

Bert Van Beeck is a Senior Software Architect at Sun Microsystems, specialized in Sun's Identity Management portfolio. He's part of the Northern European pre-sales software team.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today