Shibboleth IDP configuration for multiple organizations & Google apps

So you want to configure your IDP to allow logins from multiple organizations google apps? IE you want SchoolA to sign into http://docs.SchoolA.com and SchoolB to sign into http://docs.SchoolB.com.

The documentation on googles site isn’t very clear so here are some step by step instructions.

Before you even make a start, backup ALL of your IDP configuration files.

PreReqs:

  • Working IDP
  • Google Apps Educational Account
  • CNAME records set for docs.SchoolA.com and docs.SchoolB.com

Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your google apps admin account at http://google.com/a/SchoolA.com

2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

You are done in Google Apps. Congrats.

3. Ssh into your IDP

4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

6. Copy google-metadata.xml to google-metadata2.xml

7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

8. Edit /etc/shibboleth/relying-party.xml

9. Smile

10. Make me a cup of tea

11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

<RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

12. Search for Google.com again – look for the MetadataProvider section

13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml

15. Search for google.com

16. Edit the value to read “google.com/a/schoola.com”

17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

It should read:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.

How to kill a shibboleth session

Kill an SP session with a HTML redirect:

<meta http-equiv=”REFRESH” content=”0;url=https://shib.example.org/Shibboleth.sso/Logout”>
Kill an SP session by visiting a URL:
https://shib.example.org/Shibboleth.sso/Logout

Kill an IDP session:

Single Log off is not fully supported in Shibboleth, it is recommended you redirect a user to a page requesting they close their browser window.
Note: Don’t forget to replace example.org with your domain

Why is my shibboleth IDP so slow to accept the first connection?

When I create my first connection to my shibboleth IDP it takes 30 / 40 seconds for tomcat to serve the login page.

At first I expected that my tomcat memory allocation / heap space value wasn’t being applied but my ps aux | grep java showed:
/usr/lib/jvm/java-6-sun/bin/java -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Xmx512m -Djava.endorsed.dirs=/opt/tomcat/common/endorsed -classpath :/opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/commons-logging-api.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
I could see above it wasn’t using enough memory so I edited /usr/share/tomcat5.5/bin/catalina.sh and under JAVA_OPTS I added: -Xms256m -Xmx1024m -server -XX:+AggressiveOpts -XX:MaxPermSize=512m
It now reads:
JAVA_OPTS=”$JAVA_OPTS “-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager” “-Djava.util.logging.config.file=”$CATALINA_BASE/conf/logging.properties -Xms256m -Xmx2048m -server -XX:+AggressiveOpts -XX:MaxPermSize=1024m”
I used the ./shutdown.sh script provided with tomcat to shutdown tomcat and then the ./startup.sh script to restart. Tested and performance was massively improved after a 5 minute start up wait.
Use tailf /var/log/shibboleth/idp-process.log to watch the log file to check for startup completion.

Shibboleth Cert miss-match with UK Federation


I’m wasn’t sure how this happened but this error appeared in my SP:

2009-11-02 15:39:30 ERROR OpenSSL [3]: path validation failure: self signed certificate
2009-11-02 15:39:30 ERROR XMLTooling.SOAPTransport.CURL [3]: supplied TrustEngine failed to validate SSL/TLS server certificate
2009-11-02 15:39:30 ERROR Shibboleth.AttributeResolver.Query [3]: exception during SAML query to xxxxx AttributeQuery: CURLSOAPTransport failed while contacting SOAP endpoint (xxxx): SSL certificate problem, verify that the CA cert is OK. Details:
2009-11-02 15:39:30 ERROR Shibboleth.AttributeResolver.Query [3]: unable to obtain a SAML response from attribute authority
Note: I replaced my IDP paths with xxxx for the purpose of this post.
I got in touch with the UK Federation asking if they could shed any light on the problem.
It turns out that this was due to my IDP information not being correct at the metadata end. I notified the UK Federation and they updated my record and republished their metadata and it started working again 🙂
Thanks to Sara for helping out with this.
Note: was the value that wasn’t changed at federation level.