How do I set up a Shibboleth 3 identity provider?


Edit

So, I think I'm almost there. The only thing still missing is that Shibboleth IdP returns an encrypted, transient NameId, and I need for it to return the user name, unencrypted. If anyone can get me past this last blocker, I will mark that the answer.

(end of edit)

I've been trying to set up a Shibboleth 3 IdP (our app supports SAML, and we need a test environment).

My goal is a simple environment that queries our LDAP directory to provide authentication.

I set up Shibboleth IdP 3, and it seems to query AD correctly, but I am having a really hard time getting it to return the attributes (uid, First Name, Last Name, email) that I am requesting.

I'm pretty sure my problem is in my attribute-resolver.xml and attribute-filter.xml files, but I'm not having any luck getting it working.

Basically what happens is that I successfully log in (as far as Shibboleth is concerned), but when it passes the Assertion back to my application, none of the attributes are there.

I have tried adding them to attribute-resolver.xml and attribute-filter.xml, but then I get errors in the idp-warn.log (below). It's a credential error. I'm pretty sure the username/password is right, because Shibboleth is able to authenticate me (it would fail if that was wrong, wouldn't it?), so there must be something else wrong with my setup.

I have also tried returning the username in the Assertion Name Identifier, but all I seem to get back is a base-64 encoded string (decoding it yields bytes that don't decode back to a string, so I'm not sure what's in there).

At this point, what I could really use is a reference to a good how-to for setting up Shibboleth IdP 3 with LDAP. I've been going through their docs online, and while there is a lot of raw data there, it's very challenging to derive a list of everything that must be done in order to get it up and running. Any suggestions?
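For reference, here is an added example (not from the question or from the Shibboleth project) of the four IdP v3 configuration fragments that together cover the two things asked about: pulling uid, givenName, sn and mail from an LDAP/AD connector and releasing them to one SP, and emitting the user name as an unencrypted SAML 2 NameID instead of the default transient one (the default transient generator in v3 is encrypted, which is why the decoded base-64 value is opaque). Assumptions: the IdP 3.3+ unprefixed XML namespaces, sAMAccountName as the source of uid, and the SP entityID https://sp.example.org/shibboleth as a placeholder; the idp.attribute.resolver.LDAP.* properties are the stock ones from conf/ldap.properties.

```xml
<!-- conf/attribute-resolver.xml (IdP 3.3+ unprefixed namespace style, assumed) -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- uid is sourced from sAMAccountName (assumed AD layout); the encoder "name"
         is the standard OID-based SAML 2 attribute name for each attribute -->
    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="sAMAccountName">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition id="sn" xsi:type="Simple" sourceAttributeID="sn">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
    </AttributeDefinition>

    <!-- The resolver binds with its own credentials (idp.attribute.resolver.LDAP.*),
         which are separate from the login ones (idp.authn.LDAP.*). A bind failure
         here shows up in idp-warn.log even though interactive login succeeds. -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
        <!-- searchFilter is set in ldap.properties, e.g. (sAMAccountName=$resolutionContext.principal) -->
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <ReturnAttributes>sAMAccountName givenName sn mail</ReturnAttributes>
    </DataConnector>
</AttributeResolver>

<!-- conf/attribute-filter.xml: nothing is released unless a policy permits it -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseToTestSP">
        <!-- placeholder entityID of the test SP -->
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
        <AttributeRule attributeID="uid"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="sn"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>

<!-- conf/saml-nameid.xml: source the SAML 2 NameID from the resolved uid attribute;
     the stock transient generator stays in the list as the fallback -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        p:attributeSourceIds="#{ {'uid'} }" />
    <ref bean="shibboleth.SAML2TransientGenerator" />
</util:list>

<!-- conf/relying-party.xml: for the test SP only, prefer the unspecified format and
     send the NameID and assertion in the clear so they can be read in a test setup -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                p:encryptNameIDs="false"
                p:encryptAssertions="false" />
        </list>
    </property>
</bean>
```

The filter policy is the piece most often forgotten: attributes that resolve correctly are still dropped from the assertion when no AttributeFilterPolicy matching the requester permits them, which is consistent with a login that succeeds while the assertion arrives empty.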

There is 1 answer

3
Denis Tulskiy

Not a full answer, and I haven't worked with Shibboleth, but we've run into the same problem with NameID while setting up SAML.

I believe this page shows how to set up which NameID Shibboleth will send: https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverSAML2NameIDAttributeDefinition

and this answer describes what the different name schemes mean: https://stackoverflow.com/a/21682789/143585

What we did, though, is in the SAML config for SAMLAuthenticationProvider we added userDetails, and there was a beautiful piece of code that I'm very proud of:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;

// Method of a class implementing SAMLUserDetailsService (Spring Security SAML extension);
// LOG is the class's slf4j Logger and loadUserByUsername() is its existing user lookup.
@Override
public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
    try {
        // First value of the custom "login" attribute carried in the SAML assertion
        String login = credential.getAttributeByName("login").getAttributeValues().get(0).getDOM().getFirstChild().getNodeValue();
        return loadUserByUsername(login);
    } catch (Exception e) {
        LOG.error("could not get login name from saml credential", e);
        throw new UsernameNotFoundException("Could not load user", e);
    }
}

IdP stuff was handled by a third party, so I guess it was they who added this custom attribute to the SAML response. I guess you can configure Shibboleth to do the same.