Friday, September 13, 2013

SSO to WSO2 4.2.0 Carbon products via Shibboleth IdP

This post explains the steps needed to Single Sign-On (SSO) into WSO2 Carbon-based products via a Shibboleth IdP.

Environment:
Carbon Product: WSO2 Identity Server 4.5.0 (should work with any product based on the Carbon 4.2.0 platform or later)
Shibboleth Version: 2.4.0 (Latest at the time of this writing)

Please note that most of the steps are taken from [1] by Asela, which was written to enable SSO in Identity Server 3.2.3 with the help of several patches. From Carbon 4.2.0 onwards, this scenario works without any such patches.

We will refer to the Shibboleth installation directory as "IDP_HOME". File system paths and URLs should be changed to match your own setup.

Step 1.
Download Shibboleth IDP from "http://shibboleth.net/" and install it.

Step 2.
Enter the following inside "ShibUserPassAuth {}" in IDP_HOME/conf/login.config so that Shibboleth authenticates against the same LDAP server that IS uses.

    edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldap://localhost:10389"
    bindDn="uid=admin,ou=system"
    bindCredential="admin"
    baseDn="ou=Users,dc=wso2,dc=org"
    ssl="false"
    userFilter="uid={0}"
    ;

Step 3.
Add the following to IDP_HOME/conf/handler.xml:

    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file:///home/dulanja/work/apps/shibboleth-2.4.0/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

Step 4.
Create a new file IDP_HOME/metadata/carbon.xml and add the following to it:

    <EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/acs" />
        <KeyDescriptor>
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>
                MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV
                UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
                BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
                MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
                TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
                MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
                M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
                0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
                RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
                AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
                xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
                Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </KeyDescriptor>
      </SPSSODescriptor>
    </EntityDescriptor>

The X509Certificate above is the default certificate of Carbon products.

Step 5.
Add the following to IDP_HOME/conf/relying-party.xml under <rp:RelyingPartyGroup>:

    <rp:RelyingParty id="carbonServer"
                     provider="https://idp.example.org/idp/shibboleth"
                     defaultSigningCredentialRef="IdPCredential"
                     defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 signResponses="always"
                                 signAssertions="never" encryptAssertions="never"
                                 encryptNameIds="never"/>
    </rp:RelyingParty>

Step 6.
Add the following to the same file, under the enclosing <metadata:MetadataProvider>, after the <metadata:MetadataProvider id="IdPMD"> entry:

    <metadata:MetadataProvider id="carbonMD" xsi:type="metadata:ResourceBackedMetadataProvider">
        <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="/home/dulanja/work/apps/shibboleth-2.4.0/metadata/carbon.xml"/>
    </metadata:MetadataProvider>

Step 7.
In IDP_HOME/conf/attribute-resolver.xml, comment out the <resolver:AttributeDefinition id="transientId"> definition and add:

    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName"
                                  xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                                   nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    </resolver:AttributeDefinition>

Step 8.
In IDP_HOME/conf/attribute-filter.xml, comment out the <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone"> policy and add:

    <afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <afp:AttributeRule attributeID="principal">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Step 9.
Copy IDP_HOME/war/idp.war to Tomcat 6.

Step 10.
Copy the IDP_HOME/lib/endorsed directory into the Tomcat root directory.

Step 11.
Enable HTTPS in Tomcat, e.g.:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/home/dulanja/work/apps/shibboleth-2.4.0/credentials/idp.jks"
               keystorePass="shibboleth" />

Step 12.
Start the server and check its status at https://localhost:8443/idp/status.

Step 13.
Import IDP_HOME/credentials/idp.crt into wso2is-4.5.0/repository/resources/security/wso2carbon.jks, under the alias that Step 14 configures as IdPCertAlias.

Step 14.
In wso2is-4.5.0/repository/conf/security/authenticators.xml, under <authenticator name="SAML2SSOAuthenticator">:
1. Set disabled="false".
2. Change "IdentityProviderSSOServiceURL" to https://localhost:8443/idp/profile/SAML2/POST/SSO.
3. Add a new parameter: <Parameter name="IdPCertAlias">idp.example.org</Parameter>

Step 15.
Start IS and try to access the Management Console. It should redirect to the Shibboleth login page. Enter admin/admin.

You should now be logged in to the Identity Server Management Console.
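Before moving on, it is worth cross-checking that the IdP-side fragments from Steps 4 to 8 agree with each other, because a RelyingParty id that differs from the SP entityID, an unsigned Response, or a NameID attribute that the filter never releases each surfaces only as a failed login. The following script is an added example (not part of the post, Shibboleth or WSO2) that runs those checks over sample fragments constructed from the steps above; the Shibboleth namespace URIs are assumed to be those of a stock IdP 2.x configuration.

```python
# Added example, not from the post, Shibboleth or WSO2; namespace URIs assumed to be those of a stock IdP 2.x configuration.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "rp": "urn:mace:shibboleth:2.0:relying-party",
      "afp": "urn:mace:shibboleth:2.0:afp", "resolver": "urn:mace:shibboleth:2.0:resolver"}

# Constructed from the post's carbon.xml (Step 4); the KeyDescriptor is omitted.
SP_METADATA = """<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
  <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://localhost:9443/acs"/></SPSSODescriptor></EntityDescriptor>"""
# Constructed from the relying-party.xml (Step 5), attribute-resolver.xml (Step 7) and attribute-filter.xml (Step 8) fragments.
IDP_FRAGMENTS = """<rp:RelyingParty id="carbonServer" provider="https://idp.example.org/idp/shibboleth">
 <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signResponses="always"
  signAssertions="never" encryptAssertions="never" encryptNameIds="never"/></rp:RelyingParty>
<resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
 <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
  nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></resolver:AttributeDefinition>
<afp:AttributeFilterPolicy id="releaseBasicAttributesToAnyone"><afp:PolicyRequirementRule xsi:type="basic:ANY"/>
 <afp:AttributeRule attributeID="principal"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
</afp:AttributeFilterPolicy>"""

def check_sso_config(sp_metadata=SP_METADATA, idp_fragments=IDP_FRAGMENTS):
    """Return (errors, notes); errors == [] means the IdP and SP fragments agree."""
    errors, notes = [], []
    md = ET.fromstring(sp_metadata)
    # Wrap the fragments in a root element that binds the prefixes they use.
    root = ET.fromstring('<r xmlns:rp="%(rp)s" xmlns:afp="%(afp)s" xmlns:resolver="%(resolver)s" '
                         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' % NS + idp_fragments + "</r>")
    rp = root.find("rp:RelyingParty", NS)
    if rp is None or rp.get("id") != md.get("entityID"):  # else the IdP applies its default relying party
        errors.append("RelyingParty id != SP entityID")
    prof = rp.find("rp:ProfileConfiguration", NS) if rp is not None else None
    if prof is None or prof.get("signResponses") != "always":  # IS verifies the Response signature
        errors.append('SAML2SSOProfile needs signResponses="always"')
    elif prof.get("signAssertions") == "never" and prof.get("encryptAssertions") == "never":
        notes.append("assertions neither signed nor encrypted: TLS to /acs is the only protection")
    acs = md.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None or not acs.get("Location", "").startswith("https://"):
        errors.append("AssertionConsumerService Location must be an https:// URL")
    # The NameID must use the format the SP declared and come from an attribute the filter releases.
    fmt = md.findtext("md:SPSSODescriptor/md:NameIDFormat", namespaces=NS)
    adef = root.find("resolver:AttributeDefinition", NS)
    enc = adef.find("resolver:AttributeEncoder", NS) if adef is not None else None
    if enc is None or enc.get("nameFormat") != fmt:
        errors.append("NameID encoder nameFormat != SP NameIDFormat")
    released = {r.get("attributeID") for r in root.iterfind("afp:AttributeFilterPolicy/afp:AttributeRule", NS)}
    if adef is None or adef.get("id") not in released:
        errors.append("NameID source attribute is not released by attribute-filter.xml")
    return errors, notes
```

Running check_sso_config() on the post's own values yields no errors and one note: with signAssertions and encryptAssertions both "never", only the signed Response and the HTTPS connection to /acs protect the assertion.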

Now, what about Single Logout (SLO)?

Note that Shibboleth IdP does not fully support the Single Logout (SLO) profile [2]. Shibboleth 2.4.0 does provide a limited feature [3]: it terminates only the session of the SP that sends the logout request, but it does not send logout requests to the other SPs that participated in the SSO session.

In other words, Shibboleth never generates LogoutRequests to SPs.

This feature offers two mechanisms, called SAML and Local.

In the SAML mechanism, the SP is expected to send a SAML LogoutRequest message to a location such as '/idp/profile/SAML2/SLO/Redirect' (the path depends on the binding used). Shibboleth then processes that message according to the SAML rules and terminates the session.

In the Local mechanism, the SP sends any request to /idp/profile/Logout. No SAML processing takes place; Shibboleth simply terminates the session identified by the cookie.

The detailed behaviour of both mechanisms is described in [3].

So, how does WSO2 IS 4.5.0 behave in this situation?

The SAML mechanism does not work with WSO2 IS 4.5.0, since IS always sends the LogoutRequest to the SSO URL (i.e. idp/profile/SAML2/POST/SSO).

However, IS does work with the Local mechanism. If the following is inserted into wso2is-4.5.0/repository/conf/security/authenticators.xml under "SAML2SSOAuthenticator", IS terminates its own session and sends a request to Shibboleth's Logout path; the IdP then terminates its session with IS:

    <Parameter name="ExternalLogoutPage">https://localhost:8443/idp/profile/Logout</Parameter>

References:
[1] http://www.soasecurity.org/2012/05/login-to-wso2carbon-servers-via.html
[2] https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues
[3] https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableSLO

1 comment:

Shibboleth idp said...

The post is quite beneficial since I was having a lot of problems while using the Carbon products.