Shibboleth

Authentication system for web applications, e.g. to authenticate Linux web applications against ADFS.

Prerequisites

  • fully installed Apache with a known (trusted) SSL certificate
  • DNS resolution must work in both directions
  • the certificate of the Linux machine must also be trusted by the ADFS server or imported manually.
  • .NET on the ADFS server must support TLS 1.2 (problem on w2012r2)

Installation/configuration on e.g. a SUSE server

Example:
ADFS server (IdP): adfs.my.domain
SUSE server (SP): mysuse.my.domain

mkdir /srv/www/htdocs/secure
echo "Hallo hier ist mysuse.my.domain" >> /srv/www/htdocs/secure/index.html
chown -R wwwrun /srv/www/htdocs/secure
zypper in shibboleth-sp
cp -avr /etc/shibboleth /etc/shibboleth.bak
wget https://adfs.my.domain/FederationMetadata/2007-06/FederationMetadata.xml --no-proxy -O /etc/shibboleth/myFederationMetadata.xml
#shib-keygen -u _shibd -g _shibd -h $(hostname -f) -y 30 -e https://$(hostname -f)/Shibboleth.sso -n sp-encrypt -f
#shib-keygen -u _shibd -g _shibd -h $(hostname -f) -y 30 -e https://$(hostname -f)/Shibboleth.sso -n sp-signing -f

Create the test file 'info.php':

/srv/www/htdocs/secure/info.php
<!DOCTYPE html>
<html>
<head>
        <title>Shibboleth Attributes</title>
        <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
        <META HTTP-EQUIV="Expires" CONTENT="-1">
        <style>
        input, textarea {
                display: block;
                width: 100%;
        }
        textarea {
                height: 10em;
        }
        td {
                vertical-align: top;
        }
        table {
                white-space:pre-wrap;
        }
        </style>
</head>
<body>
This page should only be visible after a successful login at the ADFS.<br><br>
<a href="https://adfs.my.domain/adfs/ls/?wa=wsignout1.0"> Logout</a> <br><br>
<a href="https://adfs.my.domain/adfs/ls/IdpInitiatedSignon.aspx"> Login</a><br>
        <h1>Request Data (key/value)</h1>
        <table>
        <?php
        // Escape every value: $_SERVER also carries client-supplied headers and query data.
        foreach ($_SERVER as $key => $val) {
                echo '<tr>';
                echo '  <td>' . htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8') . '</td>';
                echo '  <td>' . htmlspecialchars((string) $val, ENT_QUOTES, 'UTF-8') . '</td>';
                echo '</tr>';
        }
        ?>
        </table>
        <h1>Request Data (raw)</h1>
        <pre style="display: inline-block; border:1px solid Black; white-space:pre-wrap; background-color:#E8E8E8; color:black;">
                <?php echo htmlspecialchars(print_r($_SERVER, true), ENT_QUOTES, 'UTF-8'); ?>
        </pre>
</body>
</html>

Edit the file /etc/shibboleth/shibboleth2.xml:
Mind upper/lower case!!!

<ApplicationDefaults entityID="https://mysuse.my.domain/Shibboleth.sso" ...
<Sessions handlerSSL="true" cookieProps="https" ...
<SSO entityID="http://adfs.my.domain/adfs/services/trust" discoveryURL="https://mysuse.my.domain/Shibboleth.sso/Metadata" ...
<Errors supportContact="myName@my.domain" ...
<!-- Uncomment "Example of locally maintained metadata" -->
<MetadataProvider type="XML" validate="true" path="myFederationMetadata.xml"/>
...
<!-- Session diagnostic service. Set showAttributeValues to true -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
...
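A check for the downloaded IdP metadata, added here as an example (it is not part of the original page or of Shibboleth): it confirms that the metadata's entityID equals the SSO entityID used in shibboleth2.xml, that a signing certificate is present, and that the SSO endpoints are https. The sample metadata is constructed and its certificate is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def check_idp_metadata(xml_text, expected_entity_id):
    """Return a report dict; 'problems' is empty when the file is usable IdP metadata."""
    root = ET.fromstring(xml_text)
    problems, certs, endpoints = [], [], {}
    entity_id = root.get("entityID")
    # <SSO entityID=...> in shibboleth2.xml must equal this value exactly: ADFS publishes
    # http://<host>/adfs/services/trust even though every endpoint it lists is https.
    if entity_id != expected_entity_id:
        problems.append("entityID %r != expected %r" % (entity_id, expected_entity_id))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor found; this is not IdP metadata")
        return {"entity_id": entity_id, "signing_certs": 0, "sso_endpoints": {}, "problems": problems}
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [(c.text or "").strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        problems.append("no signing certificate: the SP could not verify assertions")
    for sso in idp.findall("md:SingleSignOnService", NS):
        endpoints[sso.get("Binding")] = sso.get("Location")
        if not (sso.get("Location") or "").startswith("https://"):
            problems.append("SSO endpoint %r is not https" % sso.get("Location"))
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    return {"entity_id": entity_id, "signing_certs": len(certs),
            "sso_endpoints": endpoints, "problems": problems}


# Constructed minimal sample in the shape ADFS publishes; a real file also carries
# WS-Federation RoleDescriptors and an XML signature, and the certificate is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.my.domain/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.my.domain/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.my.domain/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA, "http://adfs.my.domain/adfs/services/trust"))
```

To check the real file, read /etc/shibboleth/myFederationMetadata.xml and pass its contents instead of SAMPLE_METADATA.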


Edit the file /etc/shibboleth/attribute-map.xml:

<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" id="upn"/>
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="email"/>

then restart the service

systemctl restart shibd.service

Configuration on the ADFS server

Add Relying Party Trust...
Start
Federation metadata address (host name or URL): https://mysuse.my.domain/Shibboleth.sso/Metadata
Display name: "mysuse.my.domain per shibboleth"
I do not want to configure multi-factor authentication settings ...
Permit all users to access this relying party
Edit Claim Rules ...
   "Send LDAP Attributes as Claims" "Get-AD-Attributes"
      Attribute store: "Active Directory"
        User-Principal-Name              -> UPN
        E-Mail-Addresses                 -> E-Mail Address
        SAM-Account-Name                 -> sAMAccountName
        Token-Groups - Unqualified Names -> Group

   "Send Claims Using a Custom Rule" "Transform UPN"
      Custom rule (claim types issued by ADFS use the http:// scheme, as in attribute-map.xml):
        c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
        => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value,
        Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"]
        = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
   "Send Claims Using a Custom Rule" "Transform Email"
      Custom rule:
        c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
        => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value,
        Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"]
        = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
   "Send Claims Using a Custom Rule" "Transform Domain Users"
      Custom rule:
        c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Domain Users"]
        => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", Value = "member@my.domain",
        Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
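An added example (not part of the original page) that cross-checks claim rule text against attribute-map.xml: it flags claim type URIs written with https:// (ADFS issues them with http://, so such a rule never fires) and issued types that attribute-map.xml does not map (shibd drops those). The sample rules are constructed and deliberately contain an https:// type so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Claim types ADFS takes from the AD attribute store always carry the http:// scheme;
# an https:// variant in a rule's input filter never matches any claim in the pipeline.
SCHEMA_URI = re.compile(r'"(https?://schemas\.[^"]+)"')
INPUT_TYPE = re.compile(r'c\d*:\[[^\]]*?Type\s*==\s*"([^"]+)"')
ISSUED_TYPE = re.compile(r'issue\s*\(\s*Type\s*=\s*"([^"]+)"')


def audit_claim_rules(rules_text, attribute_map_xml):
    """Cross-check ADFS claim rule text against the SP's attribute-map.xml."""
    mapped = set()
    for el in ET.fromstring(attribute_map_xml).iter():
        if el.tag.split("}")[-1] == "Attribute" and el.get("name"):
            mapped.add(el.get("name"))
    issued = ISSUED_TYPE.findall(rules_text)
    return {
        "inputs": INPUT_TYPE.findall(rules_text),
        "issued": issued,
        # Any schemas.* URI written with https:// is almost certainly a typo.
        "wrong_scheme": sorted({u for u in SCHEMA_URI.findall(rules_text) if u.startswith("https://")}),
        # Issued types absent from attribute-map.xml are silently dropped by shibd.
        "unmapped": sorted({t for t in issued if t not in mapped}),
    }


# Constructed samples: the map entries from above, plus rules with one https:// typo.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" id="upn"/>
  <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" id="email"/>
</Attributes>"""

RULES = '''
c:[Type == "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value = c.Value,
    Properties["https://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"]
    = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Domain Users"]
 => issue(Type = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", Value = "member@my.domain",
    Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"]
    = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
'''

if __name__ == "__main__":
    for key, value in audit_claim_rules(RULES, ATTRIBUTE_MAP).items():
        print(key, value)
```

Paste the rule text from the ADFS claim rule editor and the real /etc/shibboleth/attribute-map.xml in place of the samples to audit a live setup.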

Test via "https://mysuse.my.domain/secure"; log in at the ADFS server with the UPN.

Troubleshooting