Name: ccc-shib-split-authn
Owner: Unicon, Inc.
Description: This demonstrates how to modify the Shibboleth IdP v3 to support unique users coming from 2 different authn/attribute sources.
Created: 2015-11-03 01:11:23.0
Updated: 2017-03-07 18:20:10.0
Pushed: 2017-02-01 06:52:06.0
Homepage: null
Size: 163
Language: Java
GitHub Committers
User | Most Recent Commit | # Commits |
---|
Other Committers
User | Most Recent Commit | # Commits |
---|
This project demonstrates how to modify the Shibboleth IdP v3 to support unique users coming from 2 different authn/attribute sources. The main strategy of this implementation is to only modify resources in the “public” areas of the IdP.
While this has been configured to support two LDAP servers, it should be trivial to switch authentication sources to another forms-based authentication type, such as JAAS/JDBC.
IdP configuration files that are either added or changed to utilize the split authn support are located in src/main/IDP_HOME
. The directory structure generally mirrors that of an installed IdP.
This project includes a few Java source files. Those can be found in src/main/java
and in src/test/java
.
This project utilizes Docker for testing (see Testing
below). The test env configuration is in src/test/docker-compose
.
Notes on the types of changes made to each resource is available in the project wiki.
./gradlew assembleDist
will build and package the distributable. New releases should be put in the release section of the project's Github repo.
Download the latest stable release from https://github.com/Unicon/ccc-shib-split-authn/releases/.
After unpacking the distribution, review the layout of the directory structure. It should line up with your IdP installation. A breakdown of the changes made to each resource is available in the project wiki.
Many of the files have matching equivalents of the default installation, so it may not be desirable to just drop them into your overlay directly. It might be more prudent to use a diff/merge utility to identify changes between the distribution's files and yours.
idp.properties
file, idp.additionalProperties
include references to other property files, specifically ldap properties for separate LDAP instances. Also idp.authn.flows
is set to Splitauthn
. This enables the flow contained in this distribution.studentLdap.properties
and employeeLdap.properties
are mirror images of the ldap.properties
file. All of the properties work as expected except the search filter. (uid=$requestContext.principalName.replace("@student", ""))
(or (uid=$requestContext.principalName.replace("@student", ""))
) have an additonal call that strips the realm identifier used during attribute lookup.attribute-resolver.xml
is generally the same, but one should note that each ldap-based attribute definition has two resolver dependencies, one to each ldap. An activation condition on each DataConnector determines which source is used to populate the attribute definition.general-authn.xml
file has an added flow definition that defines the flow contained in this distribution.global.xml
, the custom.AttributeResolverResources
has an extra definition that defines “custom” beans used by the Split-authn flow.The label of the “role/realm” can be changed by adding a property idp.login.realm=<label>
to the messages/messages.properties
file.
This project utilizes a pure Shibboleth IdP v3 Docker image along with two 389-ds LDAP images for testing. There is also an Shibboleth SP-based image to simulate the whole SAML process end-to-end.
A hosts
file entry should be setup to point idp.ccc.local
to the IP address of the docker host.
Assuming that Docker has been setup properly, and your Docker env variables are correct, as well, the containers can be started with:
adlew runContainers
Browsing to https://idp.ccc.local/ will bring you to a landing page. Clicking the link will initiate the SP/IdP flowx. There are test accounts staff1/password
and student1/password
. Each lives in a separate LDAP server.
The containers can be reset with:
adlew clean
To add in viewing the logs of Jetty, the IdP, the LDAP servers, and the SP, one can run:
nwithLogs.sh
Ctrl+C will stop the logging process, but will leave the containers running. Use './gradlew clean' to terminate and remove those instances.
extra-beans.xml
removed and its contents placed in the standard global.xml
global.xml
, services.xml
mods are no longer needed and the file has been removed from this solution.login.vm