SSO with SAML Authentication Using Shibboleth IDP

Introduction:

The objective of this article is to achieve SSO with SAML authentication in AEM (Adobe Experience Manager) using a single identity provider (IdP). Here we use Shibboleth as the IdP.

This article covers setting up the Shibboleth IdP, integrating it with ApacheDS (the directory server that holds the users), and then integrating the IdP with AEM.

A little background on SAML – Security Assertion Markup Language

SAML is an XML-based standard for exchanging authentication and authorisation data between organisations and applications, so that an identity established in one place can be trusted in another.

Large enterprises provide many web and mobile applications and require users to access them securely. The organisation already knows the user's identity: the user has logged in once and the identity is held in the enterprise directory (Active Directory, LDAP or similar). It makes sense to reuse that login for the other applications instead of asking the user to re-authenticate at each one. SAML provides a secure way of achieving this single sign-on (SSO).

For SAML to work there are three parties involved: the principal (the user); the identity provider (IdP), which maintains the user directory and the authentication mechanism; and the service provider (SP), which hosts the target website, application or service and serves the request.

SAML SSO works by transferring the user's identity from the identity provider to the service provider through an exchange of digitally signed XML documents.

Consider the following scenario: a user is logged into a system that acts as an identity provider and wants to use a remote application hosted on a service provider. The following happens:

  • The user accesses the remote application and the application loads.
  • The application identifies the user's home organisation (by application subdomain, user IP address, or similar) and redirects the browser to the identity provider with a SAML authentication request (AuthnRequest).
  • The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.
  • The identity provider builds the authentication response, an XML document carrying an assertion with the user's identifier (username or email address) and any attributes, signs it with the private key of its X.509 signing certificate, and posts it to the service provider's assertion consumer service via the user's browser.
  • The service provider, which already trusts the identity provider and holds its signing certificate (normally taken from the IdP metadata), verifies the XML signature with that certificate. It also checks that the response is addressed to it (Destination, Audience, Recipient), that it answers a request the SP actually sent (InResponseTo), and that the assertion's validity window has not passed.
  • The identity of the user is established and the user is given access to the application.
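
The service-provider side of that exchange, as an added example in Python (not code from the article, from Shibboleth or from AEM): building the AuthnRequest and encoding it for the HTTP-Redirect binding, and the checks an SP must still make on a Response after its XML signature has been verified. The entity IDs (https://aem.example.com, https://idp.example.com/idp/shibboleth), the ACS URL ending in saml_login, the request ID and the sample Response are constructed for the example. Signature verification itself is assumed to be done beforehand by an XML-DSig library (OpenSAML inside Shibboleth, python-xmlsec in Python); the standard library cannot do it.

```python
"""SP-side SAML 2.0 helpers (added example, not code from the article, Shibboleth
or AEM; entity IDs, URLs and the sample Response are constructed). Signature
verification is NOT implemented: do that with an XML-DSig library (OpenSAML in
Shibboleth, python-xmlsec) before check_response(); these checks matter afterwards."""
import base64, zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

class SamlValidationError(Exception):
    pass

def _require(ok, msg):
    if not ok:
        raise SamlValidationError(msg)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issued_at):
    """SP-initiated AuthnRequest; the SP must remember request_id to check InResponseTo."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issued_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(root, encoding="unicode")

def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"

def decode_redirect_request(url):
    """IdP side: undo the encoding above and return the AuthnRequest XML."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")

def check_response(xml, *, sp_entity_id, acs_url, idp_entity_id, request_id,
                   now, skew=timedelta(seconds=60)):
    """Return the NameID once the (already signature-verified) Response is bound to this SP."""
    root = ET.fromstring(xml)
    _require(root.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
    _require(root.get("Destination") == acs_url, "Destination is not our AssertionConsumerService")
    _require(root.get("InResponseTo") == request_id, "InResponseTo is not a request we issued")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    _require(code is not None and code.get("Value") == SUCCESS, "IdP did not report Success")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    _require(len(assertions) == 1, "expected exactly one Assertion")  # extra ones smuggle identities
    a = assertions[0]
    _require(a.findtext(f"{{{SAML}}}Issuer") == idp_entity_id, "Assertion not issued by the trusted IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    _require(cond is not None, "Assertion has no Conditions")
    _require(parse_ts(cond.get("NotBefore")) - skew <= now < parse_ts(cond.get("NotOnOrAfter")) + skew,
             "Assertion is outside its validity window")
    _require(cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") == sp_entity_id,
             "Audience is another SP; this assertion is not for us")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    _require(scd is not None and scd.get("Recipient") == acs_url and scd.get("InResponseTo") == request_id,
             "SubjectConfirmationData does not bind the assertion to our request")
    _require(now < parse_ts(scd.get("NotOnOrAfter")) + skew, "bearer confirmation has expired")
    name_id = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    _require(bool(name_id), "no NameID in Subject")
    return name_id

def outcome(xml, **expectations):
    """(True, NameID) or (False, reason) instead of raising."""
    try:
        return True, check_response(xml, **expectations)
    except SamlValidationError as e:
        return False, str(e)

# Constructed sample Response (the ds:Signature element is omitted; see the module docstring).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2018-12-03T02:00:05Z"
 InResponseTo="_req1" Destination="https://aem.example.com/saml_login">
 <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-12-03T02:00:05Z">
  <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2018-12-03T02:05:05Z"
     Recipient="https://aem.example.com/saml_login"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2018-12-03T02:00:00Z" NotOnOrAfter="2018-12-03T02:05:05Z">
   <saml:AudienceRestriction><saml:Audience>https://aem.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

SAMPLE_EXPECTATIONS = dict(sp_entity_id="https://aem.example.com", acs_url="https://aem.example.com/saml_login",
                           idp_entity_id="https://idp.example.com/idp/shibboleth", request_id="_req1",
                           now=parse_ts("2018-12-03T02:00:10Z"))
```

The Audience, Destination/Recipient, InResponseTo and validity-window checks are what stop a correctly signed assertion that was issued for a different SP, or captured and replayed later, from logging a user into AEM; the single-assertion check closes the simplest XML signature wrapping trick, where an unsigned second assertion is placed beside the signed one. The keyword-only arguments make it hard to pass the expected values in the wrong order.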

Setting up the Environment

Software used for the setup

The binaries used are listed below.

Software                                          Version                        Downloaded from
Shibboleth IdP                                    2.4.4                          http://shibboleth.net/downloads/identity-provider/latest/
Tomcat (app server for the IdP)                   apache-tomcat-8.5.35           http://tomcat.apache.org/download-60.cgi
ApacheDS (LDAP server; choose the build for your OS)   ApacheDS 2.0              http://directory.apache.org/apacheds/downloads.html
Apache Directory Studio (client for ApacheDS)     Apache Directory Studio 2.0    https://directory.apache.org/studio/
JDK                                               JDK 1.8                        https://www.oracle.com/technetwork/pt/java/javase/downloads/index.html

Two notes on the versions. The Tomcat link above is the Tomcat 6 download page; the 8.5.x build used here is on the Tomcat 8 download page. Shibboleth IdP 2.x reached end of life in 2016 and no longer receives security fixes; the procedure below (and the file names handler.xml, login.config and relying-party.xml) is specific to the 2.x series, and a production deployment should use a supported IdP release, whose configuration layout differs.

1. Installation and configuration of ApacheDS and Apache Directory Studio (LDAP server and client)

We need an LDAP server in which to create users and groups; here we use ApacheDS.

Follow the ApacheDS installation instructions, and also install Apache Directory Studio, the client used to connect to ApacheDS.

Below are the steps to create a connection (and then users) in ApacheDS using Apache Directory Studio.

  1. Open Apache Directory Studio and create a connection to ApacheDS. The bottom-left corner lists all LDAP connections; if the view is empty, a connection still needs to be defined. (screenshots) When creating the connection, use the default bind credentials of the directory server you are connecting to:

Directory Server              Default Bind DN                        Default Bind Password
Apache Directory Server       uid=admin,ou=system                    secret
OpenDS, Sun, Fedora           cn=Directory Manager                   specified at setup
OpenLDAP                      specified at setup, see slapd.conf     specified at setup, see slapd.conf

Change the ApacheDS admin password from the default "secret" before anything else is pointed at the server, and create a separate, low-privilege account for the IdP to bind with: the IdP only needs to search the user subtree and attempt a bind as the user who is logging in, not to administer the directory.

2. Installation of Shibboleth IdP

Unzip the downloaded binary (shibboleth-identityprovider-2.4.4-bin.zip) and run install.bat / install.sh. The installer asks for the installation directory, the IdP's fully qualified hostname and a keystore password; it then creates the IdP's entity ID, its initial metadata, a basic set of configuration files and a self-signed key pair used for signing and encryption.

Remember the keystore password given during installation. The IdP keystore (credentials/idp.jks) is generated by the installer, and this password is needed again when configuring SSL in Tomcat.

Structure of the Shibboleth installation directory: (screenshot)

Structure of the credentials folder holding the certificate and keys: (screenshot)

The installation path chosen here is referenced by all of the IdP's configuration XML files, so use the same path consistently when editing them.

The hostname entered during installation must resolve to the IdP machine, so add it to the hosts file (or to DNS) on the machines running the IdP, AEM and the browser.

3. Installation and configuration of Tomcat

      • Unzip Tomcat 8.5 into any directory and set CATALINA_HOME in the environment variables to that installation directory.
      • Configure server.xml under <TOMCAT_HOME>/conf to enable SSL as below. The JSSE implementation is used here. The keystore password ("test123" below) is the one given to the Shibboleth installer; it sits in clear text in server.xml, so restrict the file's permissions to the Tomcat user.

          <!-- IdP connector; the keystore is the one generated by the Shibboleth installer -->
          <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxPostSize="100000"
              maxHttpHeaderSize="1048576"
              maxThreads="150"
              SSLEnabled="true"
              scheme="https"
              secure="true"
              clientAuth="want"
              sslProtocol="TLS"
              keystoreFile="/Users/abc/shibboleth-installation/credentials/idp.jks"
              keystorePass="test123"
              trustManagerClassName="net.shibboleth.utilities.ssl.TrustAnyCertificate" />

      • keystoreFile must point to the IdP keystore generated during the Shibboleth IdP installation and keystorePass must be the password given then. (The attribute is maxHttpHeaderSize; Tomcat silently ignores a misspelt attribute such as HttpHeaderSize.)
      • Make sure the SSL port is set as intended; 8443 is used here. In the Shibboleth documentation a connector with clientAuth="want" and the TrustAnyCertificate trust manager is the IdP's back-channel connector: it accepts any client certificate at the TLS layer because the IdP itself checks SP certificates against the SP metadata. The browser-facing HTTPS port should use a connector without clientAuth and without that trust manager.
      • Copy idp.war from <IDP install folder>/war/idp.war to <TOMCAT_HOME>/webapps.
      • If Tomcat logs an exception in catalina.out about the TrustAnyCertificate class not being found, download trustany-ssl-1.0.0.jar and place it under <TOMCAT_HOME>/lib.

4. Configuring Shibboleth IdP

      (screenshot)
      • Modify <IDP installed folder>/conf/login.config so that it points to the LDAP server: the LDAP URL (use ldaps:// or StartTLS rather than plain ldap:// for anything beyond a lab, since the user's password travels over this connection), the base DN under which the users live, the bind DN and credential of the account the IdP searches with, and the user filter that matches the entered username (for example on uid). (screenshot)
      • Update the ProfileHandlers and LoginHandlers in <IDP installed folder>/conf/handler.xml as shown in the screenshots below. The LoginHandler is what ties the IdP to the LDAP server, so point it at the correct location of login.config. Remove all LoginHandler entries except "UsernamePassword" and "PreviousSession".
      • Modify <IDP installed folder>/conf/logging.xml to get a detailed debug trace while setting up, and turn it back down afterwards: at debug level the IdP writes the protocol messages, including assertion contents and user attributes, to its log files.
      • Add the metadata file adobecq.xml under <IDP installed folder>/metadata/. It describes the service provider: its entity ID, the certificate it uses to sign SAML messages, where to post the SAML response once the user is authenticated, and where to redirect on logout. The entity ID must match the service provider entity ID given in the SAML 2.0 Authentication Handler configuration in AEM, and the Location of the AssertionConsumerService must match the AEM intercept path (the default path) in the same configuration; this path must end with saml_login. In IdP 2.x a file under metadata/ is only read if a MetadataProvider entry in conf/relying-party.xml references it, so add one for adobecq.xml.

      (screenshots)
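
What adobecq.xml needs to contain, as an added example and not the article's own file: an SP EntityDescriptor whose entityID, AssertionConsumerService Location and signing certificate agree with what AEM is configured with. The hostname aem.example.com, the entityID, the logout path and the certificate placeholder are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example SP metadata; entityID, URLs and the certificate are assumed placeholders. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://aem.example.com">
  <!-- WantAssertionsSigned: the IdP signs the assertion itself, not only the Response.
       AuthnRequestsSigned: the IdP may reject requests not signed with the key below. -->
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Certificate whose private key AEM signs AuthnRequests with -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>BASE64-DER-OF-THE-AEM-SIGNING-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <!-- Where the IdP sends the browser for logout (assumed path) -->
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://aem.example.com/saml_logout"/>
    <!-- Must equal the AEM handler's default intercept path and end in saml_login -->
    <AssertionConsumerService index="0" isDefault="true"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://aem.example.com/saml_login"/>
  </SPSSODescriptor>
</EntityDescriptor>
```

The IdP uses the KeyDescriptor certificate to verify signed AuthnRequests from AEM (and, if a use="encryption" key is also published, to encrypt assertions to AEM), so it must be the certificate matching the private key AEM actually signs with; a mismatch shows up as the IdP rejecting every request. The Location attributes are compared exactly, so scheme, host, port and path must all match what AEM sends.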

5. Configuring AEM

      • Configure the SAML 2.0 Authentication Handler in AEM so that its service provider entity ID and default intercept path match the values placed in adobecq.xml in the previous section.
      • Make a request to AEM at http://<host>:<port>/; AEM redirects the browser to the IdP login page.
      • Log in with a user created in ApacheDS. On success the IdP posts the signed response back to AEM and the browser lands on the AEM home page. (screenshot)
Discover more from Shine Solutions Group
