Shibboleth IDP - SAML IDR SSO Configuration - RSA Ready Implementation Guide
Originally Published: 2020-09-01

This section describes how to integrate Shibboleth with RSA Cloud Authentication Service using IDR SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Shibboleth.
Procedure
  1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Search for ShibbolethSP and click Add to add the connector.
  3. On the Basic Information page, choose Identity Router.
  4. Enter a name for the application in the Name field and click Next Step.
  5. In the Connection Profile page, select SP-initiated.
  6. In the Connection URL field, enter the third-party service provider URL that generates the SAML AuthnRequest to Shibboleth IDP.
  7. In the SAML Identity Provider (Issuer) section, do the following:
    1. Click Generate Cert Bundle to generate and download the zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
    2. Click Choose File and upload the RSA private key.
    3. Click Choose File and upload the RSA public certificate.
  8. Make a note of the Identity Provider EntityID from the preceding screen. This will be used in the Shibboleth configuration as the target value.
  9. In the Service Provider section, do the following:
    1. In the Assertion Consumer Service (ACS) URL field, enter the URL, replacing <Shibboleth-Hostname> with the hostname configured in your Shibboleth IDP. The hostname can be found in the idp-metadata.xml file located in the <Shibboleth-Install-Location>\IdP\metadata\ folder (on the Windows Server where Shibboleth IDP is installed). The ACS URL will be of the form https://<Shibboleth-Hostname>/idp/profile/Authn/SAML2/POST/SSO.
    2. In the Audience (Service Provider Entity ID) field, enter the Entity ID, replacing <Shibboleth-Scope> with the scope configured in Shibboleth IDP. The scope can be found in the idp.properties file located in the <Shibboleth-Install-Location>\IdP\conf\ folder (on the Windows Server where Shibboleth IDP is installed). The Entity ID will be of the form https://<Shibboleth-Scope>/idp.
    Note: <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. In Windows, by default, it is the "C:\Program Files (x86)\Shibboleth" directory. Any step that mentions <Shibboleth-Install-Location> should be read with the actual path to the directory where Shibboleth IDP is installed on your system.
  10. In the User Identity section, select unspecified in the Identifier Type drop-down list, select the name of your user identity source, and select sAMAccountName as the property value.
  11. Click Next Step.
  12. Choose your desired Access Policy for this application.
  13. On the Portal Display page, select Display in Portal.
  14. Click Publish Changes.
  15. Click Next Step > Save and Finish.
  16. Click Publish Changes. Your application is now enabled for SSO.
  17. On the My Applications page, click the drop-down icon beside the Edit option of the application configured and click Export Metadata. The file is downloaded with the name <ApplicationName>-idp-metadata.xml where <ApplicationName> is the name given in Step 4 of this section. This file needs to be uploaded to Shibboleth IDP.

Configure Shibboleth

Perform these steps to configure Shibboleth.
Procedure

  1. Sign in to the server where Shibboleth IDP is installed.
  2. Copy the metadata file downloaded in Step 17 of the previous section and place it in the <Shibboleth-Install-Location>\IdP\metadata\ folder.
  3. Edit the <Shibboleth-Install-Location>\IdP\conf\metadata-providers.xml file to add another MetadataProvider entry pointing to the location of the metadata file copied in Step 2, as follows:
    <MetadataProvider id="<generic name>" xsi:type="FilesystemMetadataProvider" metadataFile="<Shibboleth-Install-Location>\IdP\metadata\Shibboleth_IDP-idp-metadata.xml" />
  4. Edit the <Shibboleth-Install-Location>\IdP\conf\authn\saml-authn-config.xml file to add a new bean as follows:
    <bean id="shibboleth.authn.SAML.discoveryFunction" parent="shibboleth.Functions.Constant" c:target="shib-idp-test" />
    The value for "target" is the same as the Identity Provider Entity ID value obtained in Step 8 of the previous section.
  5. Edit the <Shibboleth-Install-Location>\IdP\conf\c14n\subject-c14n.xml file to do the following:
    1. Uncomment the following reference bean:
      <ref bean="c14n/SAML2ProxyTransform" />
    2. Add a new "value" inside the "list" element in the bean with id="shibboleth.ProxyNameTransformPredicate". The "value" should be the Issuer Entity ID from the RSA Cloud Authentication Service configuration (the same value used for "target" in Step 4). The code looks as follows:
      <value>shib-idp-test</value>
  6. Edit the <Shibboleth-Install-Location>\IdP\conf\saml-nameid.xml file to add another bean under the SAML 2 NameID Generation block as follows:
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:omitQualifiers="true"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        p:attributeSourceIds="#{ {'sAMAccountName'} }" />
  7. Edit the <Shibboleth-Install-Location>\IdP\conf\idp.properties file to add the SAML and/or MFA flows to the idp.authn.flows parameter. Any new flow can be added to the end of the string using the pipe (|) character:
    idp.authn.flows=Password|SAML|MFA
  8. Edit the <Shibboleth-Install-Location>\IdP\conf\relying-party.xml file to add the authentication flow to the required service providers (those that need to be protected using RSA) by adding or modifying the "p:authenticationFlows" parameter for the respective beans as follows:
    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:authenticationFlows="SAML"/>
    Note: The supported flows for RSA are SAML and MFA. Repeat this step for each application that needs to be protected using RSA.
  9. (Optional Step) This step is required only if the MFA authentication flow is used for any service providers protected by RSA according to Step 8. Edit the <Shibboleth-Install-Location>\IdP\conf\authn\mfa-authn-config.xml file and add the SAML flow to the existing MFA transition map, as in the following snippet:
    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <!-- Run authn/Password first. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>
        <!-- If that returns "proceed", run authn/SAML next. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SAML" />
        </entry>
    </util:map>
  10. Save all the configuration files and restart the Shibboleth IDP service. Wait for about 30 seconds after the service starts before proceeding.  

Note: <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. In Windows, by default, it is the "C:\Program Files (x86)\Shibboleth" directory. Any step that mentions <Shibboleth-Install-Location> should be read with the actual path to the directory where Shibboleth IDP is installed on your system.
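The same RSA Identity Provider Entity ID has to appear in the exported RSA metadata (Step 17 of the first section), in the discoveryFunction c:target (Step 4), and in the ProxyNameTransformPredicate list (Step 5), and idp.authn.flows has to include SAML (Step 7); if any of them disagrees, proxied logins fail without an obvious error. The script below is an added consistency check, not part of this guide or of Shibboleth; the file contents are constructed stand-ins using the guide's placeholder value shib-idp-test, and in practice you would read the four real files into the same functions.

```python
# Added example, not part of the RSA guide: verify that the RSA IdP entityID and the
# SAML flow agree across the files the procedure edits. Inputs below are constructed.
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BEANS = "{http://www.springframework.org/schema/beans}"
C = "{http://www.springframework.org/schema/c}"
RSA_METADATA = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="shib-idp-test"/>'
SAML_AUTHN = ('<beans xmlns="http://www.springframework.org/schema/beans" '
              'xmlns:c="http://www.springframework.org/schema/c">'
              '<bean id="shibboleth.authn.SAML.discoveryFunction" '
              'parent="shibboleth.Functions.Constant" c:target="shib-idp-test"/></beans>')
SUBJECT_C14N = ('<beans xmlns="http://www.springframework.org/schema/beans">'
                '<bean id="shibboleth.ProxyNameTransformPredicate"><constructor-arg>'
                '<list><value>shib-idp-test</value></list></constructor-arg></bean></beans>')
IDP_PROPERTIES = "# constructed idp.properties excerpt\nidp.authn.flows = Password|SAML|MFA\n"


def entity_id(metadata_xml):
    """entityID attribute of the root EntityDescriptor, or None if the root is something else."""
    root = ET.fromstring(metadata_xml)
    return root.get("entityID") if root.tag == MD + "EntityDescriptor" else None


def bean_by_id(spring_xml, bean_id):
    """First <bean> element with the given id in a Spring beans file, or None."""
    return next((b for b in ET.fromstring(spring_xml).iter(BEANS + "bean")
                 if b.get("id") == bean_id), None)


def authn_flows(idp_properties):
    """Flows listed in idp.authn.flows, split on the pipe separator (comments ignored)."""
    for line in idp_properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "idp.authn.flows":
            return [f.strip() for f in value.split("|") if f.strip()]
    return []


def check_proxy_config(metadata_xml, saml_authn_xml, c14n_xml, idp_properties):
    """Return a list of findings; an empty list means the four settings agree."""
    rsa_id = entity_id(metadata_xml)
    if rsa_id is None:
        return ["RSA metadata: root element is not an EntityDescriptor with an entityID"]
    disc = bean_by_id(saml_authn_xml, "shibboleth.authn.SAML.discoveryFunction")
    pred = bean_by_id(c14n_xml, "shibboleth.ProxyNameTransformPredicate")
    values = [] if pred is None else [v.text.strip() for v in pred.iter(BEANS + "value") if v.text]
    checks = [
        (disc is None or disc.get(C + "target") != rsa_id,
         f"saml-authn-config.xml: discoveryFunction c:target must be {rsa_id}"),
        (rsa_id not in values, f"subject-c14n.xml: ProxyNameTransformPredicate lacks {rsa_id}"),
        ("SAML" not in authn_flows(idp_properties), "idp.properties: idp.authn.flows does not include SAML"),
    ]
    return [message for failed, message in checks if failed]
```

Running check_proxy_config on the constructed inputs returns an empty list; change the c:target or drop SAML from the flows and the corresponding finding is reported.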



The configuration is complete.
Return to Shibboleth - RSA Ready Implementation Guide.