Alexander Noskov747be502017-01-12 14:53:55 +04001=======================
Alexander Noskovd0e69af2016-12-07 13:19:14 +04002salt-formula-shibboleth
Alexander Noskov747be502017-01-12 14:53:55 +04003=======================
4
5Shibboleth is among the world's most widely deployed federated identity solutions, connecting users to applications both within and between organizations.
6
7Sample pillars
8==============
9
10.. code-block:: yaml
11
# Basic SP pillar: service provider identity, the IdP it trusts, the
# attributes it releases and the key material.
shibboleth:
  server:
    enabled: true
    # NOTE(review): which keys sit under app and which sit directly under
    # server was reconstructed from the sample; confirm against the
    # formula's pillar schema.
    app:
      # Pillar interpolation is quoted so the expanded value is always read
      # as a string, whatever the parameter resolves to.
      entity_id: 'http://${_param:proxy_vip_address_public}:5000'
      # Quoted on purpose: these carry the literal text 'false', not a YAML
      # boolean -- presumably copied verbatim into the SP configuration;
      # confirm against the template before changing the quoting.
      signing: 'false'
      encryption: 'false'
    idp_url: 'https://saml.example.com/oam/fed'
    idp_metadata_url: 'https://saml.example.com/oamfed/idp/metadata'
    idp_metadata_url_reload_interval: 180000  # optional
    # Attributes released by the IdP that the SP should accept.
    attributes:
      - name: test
        id: test
        name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
      - name: test1
        id: test1
    # SP private key. The sample below is truncated and unusable; a real key
    # belongs in encrypted pillar or a secret backend, not in plain text
    # under version control.
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmM1NIxgQ3Y70Q
      GXoFQQnJ7nliaRtJR2xHAW47InyALQ+M3/VCtdFnNI0d2CHoytQ6mVg6BzOtdvT2
      ocEl0+LNkskSZsc6Nh59XooTQncL5PA7hXmo/nxCEgURH4oika5CC14K4hagwZca
      CQZvW1m9KwfVaNc0Va0KepH2lGI+VdxyZgRMifTMl9qDLYr++ftyFTNn5uit0Yh8
      9QFU4HLVvT0rHSQUTcFbvYE=
      -----END PRIVATE KEY-----
    # SP certificate for the key above (sample, truncated).
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIDDzCCAfegAwIBAgIJAOvxYAMLVkHZMA0GCSqGSIb3DQEBBQUAMCMxITAfBgNV
      BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
      k3u0PIEqysz9sOpmuSmlY4FKRobYQ3viviTIMTTuqjoCAFKIApI3tZWOqj+zShje
      Xr4ue39/lvQLj2jXV+Q2TOovQA==
      -----END CERTIFICATE-----
    # Certificate the IdP signs with (sample, truncated).
    idp_certificate: |
      -----BEGIN CERTIFICATE-----
      BAMTGGN0bC0wMS5qcGUyLmppb2Nsb3VkLmNvbTAeFw0xNzAxMTIxMDIwMTRaFw0y
      CcnueWJpG0lHbEcBbjsifIAtD4zf9UK10Wc0jR3YIejK1DqZWDoHM6129PZ8kx5k
      aN5DvAdir7oYCpHwD5/WvHahUgsrtcz9s+pzRfiStvICVwqCsGquThZHe8YAgGpZ
      04UU/56ncPbsHf5asS3DvfVGw==
      -----END CERTIFICATE-----
lmercl4f7f6fd2018-03-12 17:39:56 +010050
51
Shibboleth through HTTP proxy
=============================
Sometimes it is necessary to reach the IdP through an HTTP proxy. This is done by adding a TransportOption to the MetadataProvider in the Shibboleth2.xml configuration file.
55
56.. code-block:: yaml
57
# Reach the IdP through a forward HTTP proxy.
shibboleth:
  server:
    enabled: true
    # Proxy URL, quoted so it is always read as a plain string.
    proxy: 'http://10.10.10.12:8888'
62
63
Shibboleth with Transaction logging
===================================
66
67.. code-block:: yaml
68
# Verbose message decoding plus a custom transaction-log line layout.
shibboleth:
  server:
    enabled: true
    logging:
      message_decoder: DEBUG
    # NOTE(review): placing outofprocess beside logging (as in the other
    # samples) was reconstructed -- confirm against the formula.
    outofprocess:
      # Transaction log field layout; quoted because of the leading '%'
      # and the '|' separators.
      tranlogformat: '%u|%a|%s|%SP|%IDP|%t|%b|%ac|%attr|%E|%e|%S|%SS|%SM|%URI|%URL|%UA|%app|%p|%n|%D|%d|%I|%II'
Oleksii Chupryna4e5dc72018-10-25 14:33:38 +030076
77
Override IdP metadata from file
===============================
Sometimes the metadata is not publicly available from the IdP. You can define the metadata in the pillar instead; in this case the idp_metadata_url parameter is ignored.
81
82.. code-block:: yaml
83
# IdP metadata supplied inline instead of being fetched from idp_metadata_url.
shibboleth:
  server:
    # Literal block (|): the XML is stored verbatim, newlines preserved.
    # NOTE(review): entityID="idp_url" and Location="https://IDP_URL/SAMLLogin"
    # read as placeholders for the real IdP values; both KeyDescriptor
    # elements carry use="signing" -- confirm whether the second should be
    # use="encryption"; and the xsi namespace is spelled with https://
    # although the standard URI uses http:// (harmless here since no xsi:
    # attributes are used).
    idp_metadata_file: |
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <EntityDescriptor xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
        entityID="idp_url">
        <IDPSSODescriptor
          WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate>MIIEADi........==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </KeyDescriptor>
          <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate>MIIEADi........==</ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </KeyDescriptor>
          <!-- Supported Name Identifier Formats -->
          <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
          <!-- AuthenticationRequest Consumer endpoint -->
          <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://IDP_URL/SAMLLogin"
          />
        </IDPSSODescriptor>
      </EntityDescriptor>
116
117
Shibboleth session control
==========================
Sometimes it is necessary to tune the session settings for the application. This is done by setting the session variables in the Shibboleth2.xml configuration file.
121
122.. code-block:: yaml
123
# Session tuning; presumably rendered into the <Sessions> element of
# shibboleth2.xml -- confirm against the template.
shibboleth:
  server:
    sessions:
      lifetime: 28800
      timeout: 3600
      relaystate: 'ss:mem'
      # 'false' presumably stops binding a session to the client address;
      # keep the stronger default unless clients legitimately change
      # address mid-session (NAT, proxies).
      checkaddress: 'false'
      # 'false' presumably allows handler traffic over plain HTTP.
      handlerssl: 'false'
      # 'http' presumably issues session cookies without the Secure flag;
      # use 'https' when the SP is served over TLS.
      cookieprops: 'http'
133
134
Shibboleth attributeresolver/regex plugins support
==================================================
Sometimes it is necessary to add a new attribute by extracting information from other attributes. This is done by loading the plugin and adding an attributeresolver of transform type in the Shibboleth2.xml configuration file.
See more details here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeResolver#NativeSPAttributeResolver-TransformAttributeResolver(Version2.5andAbove)
139
140.. code-block:: yaml
141
# Load a resolver plugin and derive new attributes from Email with regex
# transform rules.
shibboleth:
  server:
    outofprocess:
      extensions:
        library:
          plugin1:
            path: 'plugins.so'
            # Quoted string, not a YAML boolean.
            fatal: 'true'
    # NOTE(review): attributeresolver placed beside outofprocess (not inside
    # it) was reconstructed -- confirm against the formula.
    attributeresolver:
      transform:
        # Source attribute; each child mapping is one transform rule.
        Email:
          mantch1:
            # Sample pattern: it has no capture group, so '$1' below would
            # be empty with this exact regex -- real rules need parentheses.
            match: '@.*$'
            destination_name: 'User-identifier'
            destination: '$1'
          mantch2:
            match: '@.*$'
            destination: '$2'

Shibboleth shared session
=========================
Sometimes it is necessary to run shibd on each controller where keystone is running. To make sure sessions are accessible to and shared between all of them, you need to set up shared storage for sessions.
The example below shows how to set up shared storage using the memcached instances available on the controllers:
Please note that sessioncache requires a memcached store with buildmap set to true. Omitting the sessioncache element results in the in-memory plugin identified as id="mem".
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPStorageService
166
167.. code-block:: yaml
168
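# Shared session storage: two memcached-backed StorageService instances
# (buildmap on for the session cache, off for the lite store) and the
# caches wired to them.
shibboleth:
  server:
    outofprocess:
      extensions:
        library:
          plugin1:
            path: 'memcache-store.so'
            # Quoted string, not a YAML boolean.
            fatal: 'true'
    storageservice:
      mc:
        type: MEMCACHE
        buildmap: '0'
        sendtimeout: '999999'  # optional
        recvtimeout: '999999'  # optional
        polltimeout: '1000'  # optional
        failtimeout: '5'  # optional
        retrytimeout: '30'  # optional
        prefix: 'SHIBD'  # optional
        # Keep the whole list quoted on one line: an unterminated quote here
        # makes the scalar swallow the keys that follow. memcached offers no
        # authentication by default, so these endpoints must only be
        # reachable from the controllers themselves.
        hosts: '${_param:cluster_node01_address}:11211,${_param:cluster_node02_address}:11211,${_param:cluster_node03_address}:11211'
      mc-ctx:
        type: MEMCACHE
        buildmap: '1'
        sendtimeout: '999999'  # optional
        recvtimeout: '999999'  # optional
        polltimeout: '1000'  # optional
        failtimeout: '5'  # optional
        retrytimeout: '30'  # optional
        prefix: 'SHIBD'  # optional
        hosts: '${_param:cluster_node01_address}:11211,${_param:cluster_node02_address}:11211,${_param:cluster_node03_address}:11211'
    sessioncache:
      type: 'StorageService'
      cachetimeout: '900'  # optional
      storageservice: 'mc-ctx'
      storageservicelite: 'mc'
    replaycache:
      storageservice: 'mc'
    # NOTE(review): a second replaycache mapping at this level is a duplicate
    # key -- most parsers silently keep the last one. The entry carrying
    # artifactTTL looks like it targets a different element (the artifact map
    # in shibboleth2.xml); confirm the pillar key name in the formula before
    # relying on it.
    replaycache:
      storageservice: 'mc'
      artifactTTL: '180'  # optional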