Shibboleth Integration

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. Since Mistral-IdM and Shibboleth make use of the SAML standard, they both can exchange that information. That is, the Shibboleth Service Provider is allowed to request authentication to the Mistral-IdM Identity Provider. In the same way, the Mistral-idM Service Provider is able to query authentication and attributes to the Shibboleth Identity Provider.

Shibboleth Service Provider with Mistral-IdM Identity Provider

In this section, we are going to configure Shibboleth and Mistral-IdM in such a way the resources are protected by Shibboleth with Apache, and authentication is performed by Mistral-IdM. We suppose you have installed and properly configured both Shibboleth SP v2 (that is, the Apache module and the shibd daemon enabled) and Mistral-IdM.

Firstly, you have to add a SessionInitiator in Shibboleth2.xml to recognize the new entity, adding for instance:

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
   <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
   <SessionInitiator type="Shib1" defaultACSIndex="5"/>

You also have to reference a metadata file which contains all mistral information. To do that, in the shibboleth2.xml file also add:

<MetadataProvider type="XML" file="mistral-metadata.xml"/>

Ensure you have an active credential resolver, for instance:

<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

Then, you have to create the mistral-metadata.xml file describing the service information. This file have to contain an entry describing the URL of the HTTP-Redirect service. This URL is the URL of your Mistral Identity Provider.

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Additionally, you have to configure the KeyDescriptors in order to sign and validate the SAML messages which will be exchanged between providers. This KeyDescriptors should contains the public key of the Mistral-IdM Identity Provider. It can be obtained from [mistral_installation_folder]/certs/Mistral-IdP_CertCert.der

You can download an example here (mistral-metadata.xml).

Now, you have to configure Mistral-IdM to trust in Shibboleth messages. To do so, you have to edit [mistral_installation_folder]/config/SP-config.xml to add the SP descriptor. Just add an entry indicating the Shibboleth SP id, and the public key to validate the signatures. This public key has been indicated in the CredentialResolver entry. For instance you have to add:

<SP id=""
cert_path="/etc/shibboleth/sp-cert.pem" />

Shibboleth Identity Provider with Mistral-IdM Service Provider

In this section, we are going to configure Shibboleth and Mistral-IdM in such a way the resources are protected by Mistral-IdM in tomcat, and authentication is performed by Shibboleth Identity Provider. We suppose you have installed and properly configured both Shibboleth IdP v2 (that is, the .war deployed on tomcat) and Mistral-IdM.

Firstly, you have to add the Service Provider descriptor to the Identity Provider configuration. To do so, you can edit the relying-party.xml file under /opt/shibboleth/conf/ adding:

<MetadataProvider xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml" />

Then, you can create the sp-metadata.xml containing the SP descriptor. As entityId you have to establish the ID of your Mistral-IdM Service Provider (it is established in the filter_config.xml file or in the realm_config.xml file).

The metadata descriptor should indicate as AssertionConsumerService in an HTTP-POST the URL of the Mistral Shibboleth_listener (http://your_provider_url:port/mistral/Shibboleht_listener). For instance, you can add:

<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/mistral/Shibboleth_listener"/>

That indicates to the Identity Provider that, after a succesfully authentication, it should send the response to the Shibboleth listener of Mistral.

In the sp-metadata.xml file you have also to include the KeyDescriptor information, that is, the public key of the Service Provider (which the Filter or the Realm uses), in order to validate the incoming messages. By default, this public key can be obtained from Mistral-API_CertCert.der.

You can get an example here (sp-metadata.xml).

Finally, you have to configure in Mistral-IdM the public key used by the Shibboleth Identity Provider in order to validate the incoming messages. To know what this public key is, you can edit the file relying-party.xml under /opt/shibbolet-idp/conf searching the security configurations. The certificate entry indicates what credential is being used.

<security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
   <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt   </security:Certificate>

This certificate should be specified in the mistral_config.xml file as the IDP_CERT_PATH. For instance:

<entry key="IDP_CERT_PATH">opt/shibboleth-idp/credentials/idp.crt</entry>