Explorations into UMN Shibboleth Auth - Part 4 Configuring Shibboleth SP to use UMN test IdP
Recap
So far I have configured my Shibboleth SP to use the TestShib2 service. Using the TestShib2 service is relatively simple, as it does not require you to edit the shibboleth2.xml file. The shibboleth2.xml file is provided to you by the service; you simply copy it into the correct location and restart the shibd service in order to use it. That shibboleth2.xml file includes an external reference to the metadata.xml file, which simplifies its use even more because there is no need to copy metadata.xml locally and reference it from the shibboleth2.xml file.
Steps required for using the UMN test IdP
- Save a copy of the local computer's metadata XML file by going to http://yourURL/Shibboleth.sso/Metadata. This file needs to be sent to idm at umn dot edu along with your request.
- Send an email to idm at umn dot edu requesting that your server be added to the list of authorized servers for the UMN test IdP.
- Request that your username be added to the list of users who are authorized to use the test IdP for authentication.
- Download a copy of the test IdP metadata file from the UMN Shibboleth wiki and place it in the /etc/shibboleth directory on your server.
- Configure your server's /etc/shibboleth/shibboleth2.xml file to reference the UMN test IdP and the test IdP metadata file.
- If you want to protect https space instead of http space, you need to request that change by emailing idm at umn dot edu.
Configuring the shibboleth2.xml file to work with the UMN test IdP
The trickiest part of configuring Shibboleth, in my view, is configuring the shibboleth2.xml file on your server. This file controls how Shibboleth will behave and what it will try to protect. In this case we are simply protecting a web directory. It is best to start with the shibboleth2.xml file that came with the distribution. There are four aspects of that file that need to be changed:
- MetadataProvider - this needs to point to the local or remote metadata file
- RequestMap - the type and, in the case of Native, the host name and path of the directory being protected
- The right entityID - this is just a name that you give your own server's entity (e.g. https://yourURL/shibboleth-sp); it does not need to resolve to anything
- SessionInitiator - here you indicate where to relay session requests (in our case this is the UMN test IdP URL)
Linked below is a shibboleth2.xml file that is configured to work with UMN Test IdP.
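As an added example (not the author's linked file), here is a trimmed shibboleth2.xml skeleton for Shibboleth SP 2.x that shows only the four elements listed above; yourURL, the test IdP entityID and the metadata filename are placeholders, and the remaining handlers are assumed to be kept from the distribution file.

```xml
<!-- Added example skeleton, not the author's file. Placeholders: yourURL,
     the test IdP entityID, and the local metadata filename. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180">

  <!-- 1. RequestMap: Native type; only the /secure directory on this host
          requires a Shibboleth session -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="yourURL">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>

  <!-- 2. entityID: a name for this SP; it does not need to resolve -->
  <ApplicationDefaults id="default" policyId="default"
                       entityID="https://yourURL/shibboleth-sp"
                       REMOTE_USER="eppn persistent-id targeted-id"
                       signing="false" encryption="false">

    <!-- Set handlerSSL="true" once the protected space is https, so the
         session cookie and handler traffic are not exposed over http -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="false"
              relayState="ss:mem">

      <!-- 3. SessionInitiator: relay login requests to the UMN test IdP.
           The entityID below is a PLACEHOLDER; copy the real value from
           the downloaded test IdP metadata -->
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true"
                        id="Intranet" relayState="cookie"
                        entityID="https://TEST-IDP-ENTITYID-PLACEHOLDER/idp/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
      </SessionInitiator>

      <!-- AssertionConsumerService, LogoutInitiator and Status handlers:
           keep the defaults from the distribution file here -->
    </Sessions>

    <!-- 4. MetadataProvider: the test IdP metadata saved in /etc/shibboleth
            (filename is a placeholder). A local file is trusted as-is, so
            refresh it whenever UMN republishes the metadata -->
    <MetadataProvider type="XML" file="umn-test-idp-metadata.xml"/>

    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>
</SPConfig>
```

After editing, `shibd -t` checks that the file parses and the referenced metadata loads before you restart the shibd service.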