So now we deploy the instance with:<\/p>\n\n\n\n
cd test-sP\nterraform apply --auto--approve<\/code><\/pre>\n\n\n\nOnce the instance has been deployed, retrieve its ID from the AWS console (or CLI) and then connect to it via SSM so you can get a BASH prompt.<\/p>\n\n\n\n
aws ssm start-session --target <instance-ID><\/code><\/pre>\n\n\n\nPerform Apache Install and Configuration<\/h2>\n\n\n\n
You’ll now need to install Apache including the various rewrite modules so we can put up a simple test site.<\/p>\n\n\n\n
sudo apt-get install apache2 -y\nsudo a2enmod ssl\nsudo a2ensite default-ssl\nsudo a2enmod rewrite\nsudo systemctl restart apache2\n \nsudo apt-get install ntp\ntimedatectl set-timezone Europe\/London<\/code><\/pre>\n\n\n\nYou should now be able to get to the default page site on:<\/p>\n\n\n\n
\n- http:\/\/www.tristanself.co.uk<\/a><\/li>\n\n\n\n
- https:\/\/www.tristanself.co.uk<\/a><\/li>\n<\/ul>\n\n\n\n
Configure HTTP and HTTPS Sites<\/h3>\n\n\n\n
Firstly move\/copy the files to create the basic configuration files:<\/p>\n\n\n\n
mv \/etc\/apache2\/sites-available\/000-default.conf \/etc\/apache2\/sites-available\/000-tristanself.co.uk.conf\nmv \/etc\/apache2\/sites-available\/default-ssl.conf \/etc\/apache2\/sites-available\/000-tristanself.co.uk-SSL.conf<\/code><\/pre>\n\n\n\nNext you need to edit the two files to make the files look as below, we’re making any HTTP connections redirect to HTTPS.<\/p>\n\n\n\n
Note at this stage we’re just using the self-signed certificate for now.<\/p>\n\n\n\n
\/etc\/apache2\/sites-available\/000-tristanself.co.uk.conf<\/strong><\/p>\n\n\n\n<VirtualHost *:80>\n ServerName tristanself.co.uk\n ServerAlias www.tristanself.co.uk\n \n RewriteEngine On\n RewriteCond %{HTTPS} off\n RewriteRule (.*) https:\/\/%{HTTP_HOST}%{REQUEST_URI}\n \n ServerAdmin webmaster@localhost\n DocumentRoot \/var\/www\/html\n \n #LogLevel info ssl:warn\n \n ErrorLog ${APACHE_LOG_DIR}\/error.log\n CustomLog ${APACHE_LOG_DIR}\/access.log combined\n \n #Include conf-available\/serve-cgi-bin.conf\n<\/VirtualHost><\/code><\/pre>\n\n\n\n\/etc\/apache2\/sites-available\/000-tristanself.co.uk-SSL.conf<\/strong><\/p>\n\n\n\n<VirtualHost *:443>\n ServerAdmin webmaster@localhost\n \n DocumentRoot \/var\/www\/html\n \n #LogLevel info ssl:warn\n \n ErrorLog ${APACHE_LOG_DIR}\/error.log\n CustomLog ${APACHE_LOG_DIR}\/access.log combined\n \n #Include conf-available\/serve-cgi-bin.conf\n \n SSLEngine on\n \n SSLCertificateFile \/etc\/ssl\/certs\/ssl-cert-snakeoil.pem\n SSLCertificateKeyFile \/etc\/ssl\/private\/ssl-cert-snakeoil.key\n \n #SSLCertificateChainFile \/etc\/apache2\/ssl.crt\/server-ca.crt\n \n #SSLCACertificatePath \/etc\/ssl\/certs\/\n #SSLCACertificateFile \/etc\/apache2\/ssl.crt\/ca-bundle.crt\n \n #SSLCARevocationPath \/etc\/apache2\/ssl.crl\/\n #SSLCARevocationFile \/etc\/apache2\/ssl.crl\/ca-bundle.crl\n \n #SSLVerifyClient require\n #SSLVerifyDepth 10\n \n #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire\n <FilesMatch \"\\.(?:cgi|shtml|phtml|php)$\">\n SSLOptions +StdEnvVars\n <\/FilesMatch>\n <Directory \/usr\/lib\/cgi-bin>\n SSLOptions +StdEnvVars\n <\/Directory>\n<\/VirtualHost><\/code><\/pre>\n\n\n\nCreate the symlinks, then restart Apache.<\/p>\n\n\n\n
ln -s \/etc\/apache2\/sites-available\/000-tristanself.co.uk.conf \/etc\/apache2\/sites-enabled\/000-tristanself.co.uk.conf\nln -s \/etc\/apache2\/sites-available\/000-tristanself.co.uk-SSL.conf \/etc\/apache2\/sites-enabled\/000-tristanself.co.uk-SSL.conf\n \nsudo systemctl restart apache2<\/code><\/pre>\n\n\n\nCreate Simple Test Website Pages<\/h3>\n\n\n\n
We’ll now create some website pages to test with:<\/p>\n\n\n\n
cd \/var\/www\/html\nrm index.html<\/code><\/pre>\n\n\n\nCreate an index.html file in \/var\/www\/html as follows:<\/p>\n\n\n\n
index.html<\/p>\n\n\n\n
<html>\n<body>\n<h1>Simple Site<\/h1>\nHello There!\n<a href=\"secure\/index.html\">Secure Site<\/a>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\nThen, create an index.html file in \/var\/www\/html\/secure as follows:<\/p>\n\n\n\n
<html>\n<body>\n<h1>Top Secure Site<\/h1>\nYou're in the secret page<br>\n<a href=\"\/Shibboleth.sso\/Session\">Show Session Information<\/a><br>\n<a href=\"\/Shibboleth.sso\/Status\">Show Status Information<\/a><br>\n<a href=\"\/Shibboleth.sso\/Logout\">Shibboleth Logout<\/a>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\nYou should now be able to test, but obviously the secure site won’t yet work, but you should get your new index.html page.<\/p>\n\n\n\n
Shibboleth sP Installation and Configuration<\/h2>\n\n\n\n
Next we install Shibboleth, which are implemented as an Apache module:<\/p>\n\n\n\n
sudo apt-get install libapache2-mod-shib\nsudo a2enmod shib<\/code><\/pre>\n\n\n\nSet up a Shibboleth certificate (n.b. these are different to the Apache certificate). On Debian and its derivatives, run the command (as we are using Shibboleth sP v3+):<\/p>\n\n\n\n
sudo shib-keygen -h www.tristanself.co.uk -e https:\/\/www.tristanself.co.uk\/shibboleth -n sp-encrypt\nsudo shib-keygen -h www.tristanself.co.uk -e https:\/\/www.tristanself.co.uk\/shibboleth -n sp-signing<\/code><\/pre>\n\n\n\nThe keys is\/are created in \/etc\/shibboleth.<\/p>\n\n\n\n
Check the certificate fingerprint(s) as follows (you will need to confirm this with IAM later as part of the registration process):<\/p>\n\n\n\n
openssl x509 -fingerprint -in \/etc\/shibboleth\/sp-encrypt-cert.pem -sha256\nopenssl x509 -fingerprint -in \/etc\/shibboleth\/sp-signing-cert.pem -sha256<\/code><\/pre>\n\n\n\nEdit Apache Configuration<\/h2>\n\n\n\n
Edit these files and put in the following location into the files so that when a user goes to the “secure” part of the site the authentication are enforced and passed to Shibboleth sP to handle.<\/p>\n\n\n\n
sudo vi \/etc\/apache2\/sites-available\/000-tristanself.co.uk.conf\nsudo vi \/etc\/apache2\/sites-available\/000-tristanself.co.uk-SSL.conf<\/code><\/pre>\n\n\n\nAdd the following to both files above:<\/p>\n\n\n\n
...\n <Location \/secure\/>\n AuthType shibboleth\n ShibRequestSetting requireSession 1\n Require valid-user\n <\/Location>\n...<\/code><\/pre>\n\n\n\nOKTA Configuration<\/h2>\n\n\n\n
We now need to create an Application within OKTA to represent our Test Website with its Shibboleth sP authentication; this is not provided as a complete configuration guide, more just what the basic settings should be.<\/p>\n\n\n\n
General<\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-12.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-13.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-14.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-16.png\")
<\/figure>\n\n\n\nSign-On<\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-17.png\")
<\/figure>\n\n\n\nAssignments<\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-19.png\")
<\/figure>\n\n\n\nNow we have configured the OKTA IdP end, we can configure the Shibboleth sP end.<\/p>\n\n\n\n
Shibboleth sP Configuration<\/h2>\n\n\n\n
Now we need to configure Shibboleth sP with some basic configuration. First take a backup of the configuration:<\/p>\n\n\n\n
cd \/etc\/shibboleth\nsudo cp \/etc\/shibboleth\/shibboleth2.xml \/etc\/shibboleth\/shibboleth2.backup.xml<\/code><\/pre>\n\n\n\nThen edit the \/etc\/shibboleth2.xml file and update these three sections within.<\/p>\n\n\n\n
Update the entityID<\/h3>\n\n\n\n...\n<ApplicationDefaults entityID=\"https:\/\/www.tristanself.co.uk\/shibboleth\"\n REMOTE_USER=\"eppn subject-id pairwise-id persistent-id\"\n cipherSuites=\"DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1\">\n...<\/code><\/pre>\n\n\n\nUncomment Metadata Source (for IdP)<\/strong><\/p>\n\n\n\n...\n <!-- Example of locally maintained metadata. -->\n <MetadataProvider type=\"XML\" validate=\"true\" path=\"partner-metadata.xml\"\/>\n...<\/code><\/pre>\n\n\n\nNow pull down a copy of the OKTA IdP metadata with:<\/p>\n\n\n\n
curl https:\/\/domain.okta.com\/app\/exkmibiehqCyQ1CRy417\/sso\/saml\/metadata -o partner-metadata.xml<\/code><\/pre>\n\n\n\nThe update of the Metadata needs to be automated, see a later section.<\/p>\n\n\n\n
Configure the Default IdP<\/h3>\n\n\n\n
You now need to set within the document which IdP that Shibboleth sP should use, for us this is obviously OKTA, so we need to add the following within the “<Sessions> section. Don’t worry about the WAYF discoveryURL, we’re not using this, so you can leave that as is.<\/p>\n\n\n\n
<SSO entityID=\"http:\/\/www.okta.com\/exkmibiehqCyQ1CRy417\"\n discoveryProtocol=\"SAMLDS\" discoveryURL=\"https:\/\/ds.example.org\/DS\/WAYF\">\n SAML2\n<\/SSO><\/code><\/pre>\n\n\n\nThis configuration will tell Shibboleth sP where to send the authentication requests, when it gets them.<\/p>\n\n\n\n
Expose the Attributes to End Users<\/h3>\n\n\n\n
You need to edit \/etc\/shibboleth2.xml and then set “showAttributeValues” to “true”, followed by removing the ACL (or adjusting to something more suitable) on the second:<\/p>\n\n\n\n
...\n <!-- Session diagnostic service. -->\n <Handler type=\"Session\" Location=\"\/Session\" showAttributeValues=\"true\"\/>\n...\n \n...\n <!-- Status reporting service. -->\n <Handler type=\"Status\" Location=\"\/Status\" acl=\"127.0.0.1 ::1\"\/>\n...<\/code><\/pre>\n\n\n\nResolve and Decode Incoming Attributes<\/h3>\n\n\n\n
In our OKTA configuration, being the IdP it is exposing certain attributes to the relying party, the sP, i.e. our test website running Shibboleth sP. these are: mail, sn, givenName and uid. So we need to add these to the Attribute Map.<\/p>\n\n\n\n
vi \/etc\/shibboleth\/attribute-map.xml<\/code><\/pre>\n\n\n\nAdd these within the file normally after the “Legacy Pairwise” section.<\/p>\n\n\n\n
...\n <Attribute name=\"mail\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"mail\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n <\/Attribute>\n \n <Attribute name=\"sn\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"sn\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n <\/Attribute>\n \n <Attribute name=\"givenName\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"givenName\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n <\/Attribute>\n \n <Attribute name=\"uid\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"uid\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n <\/Attribute>\n...<\/code><\/pre>\n\n\n\nIf you’re not seeing the attributes appear, if you tail the \/var\/log\/shibboleth\/shibd.log file you’ll see something like the following if attributes are coming in but not being mapped correctly:<\/p>\n\n\n\n
2025-04-05 18:39:52 INFO Shibboleth.AttributeExtractor.XML [9] [default]: skipping SAML 2.0 Attribute with Name: uid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\n2025-04-05 18:39:52 INFO Shibboleth.AttributeExtractor.XML [9] [default]: skipping SAML 2.0 Attribute with Name: firstname, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified<\/code><\/pre>\n\n\n\nRestart Apache and Shibboleth sP<\/h2>\n\n\n\n
We are then done, restart the services and we can test.<\/p>\n\n\n\n
systemctl restart apache2\nsystemctl restart shibd.service<\/code><\/pre>\n\n\n\nTesting and Play<\/h2>\n\n\n\n
Now we are all set to perform some testing. So browse to:<\/p>\n\n\n\n
https:\/\/www.tristanself.co.uk<\/a><\/p>\n\n\n\nThen click the link for “Secure Site”, you then be redirected to OKTA IdP. Enter your credentials, then you’ll be redirected back to the secure site.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-20.png\")
<\/figure>\n\n\n\nIf the authentication has worked, you’ll see:<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-21.png\")
<\/figure>\n\n\n\nYou can then click on “Show Session Information” to be able to expose what attributes the IdP has released:<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-22.png\")
<\/figure>\n\n\n\nIf you want test within the same browser window and force re-authentications, you can open Developer Tools \u2192 Application (tab) \u2192 Storage (left menu) \u2192 Cookies, then find the “_shibsession_<numbers>”<\/em>, and delete this session to force a reauthentication on the browser side.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-23-1024x415.png\")
<\/figure>\n\n\n\nExtra Debug Logging<\/h2>\n\n\n\n
If you want to enable extra logging you can do this by swapping to “DEBUG” mode, note this is pretty verbose!<\/p>\n\n\n\n
vi \/etc\/shibboleth\/shibd.logger<\/code><\/pre>\n\n\n\nNormally you can just set the first line “log4j.rootCategory=INFO, shibd_log, warn_log” from “INFO” to “DEBUG”.<\/p>\n\n\n\n
Then restart Shibboleth sP with: “systemctl restart shibd”.<\/p>\n\n\n\n
Now you’ll see lots more useful read out, so to test go to \/Shibboleth.sso\/Login in your browser whilst tailing \/var\/log\/shibboleth\/shibd.log.<\/p>\n\n\n\n
tail -f \/var\/log\/shibboleth\/shibd.log<\/code><\/pre>\n\n\n\nAutomating Metadata Download<\/h2>\n\n\n\n
There are a couple of ways you may be able to do this, first approach is to automate a download using a BASH script and refer to it in the configuration, the second is if there is now mechanisms within Shibboleth sP itself to automatically refresh\/download metadata from an external web location.<\/p>\n\n\n\n
Using an example script, let’s create the script:<\/p>\n\n\n\n
touch \/opt\/shibboleth\/update-idp-metadata.sh\nchmod +x \/opt\/shibboleth\/update-idp-metadata.sh<\/code><\/pre>\n\n\n\nNow let’s edit the file and add the code:<\/p>\n\n\n\n
#!\/bin\/bash\n \n# Location of the downloaded metadata\nMETADATA_URL=\"https:\/\/domain.okta.com\/app\/exkmibiehqCyQ1CRy417\/sso\/saml\/metadata\"\nDEST_PATH=\"\/etc\/shibboleth\/partner-metadata.xml\"\nBACKUP_PATH=\"\/etc\/shibboleth\/partner-metadata.xml.bak\"\n \nNOWDATE=$(date -u)\n \n# Download new metadata\ncurl -sSf \"$METADATA_URL\" -o \"${DEST_PATH}.tmp\"\n \n# Check if download succeeded\nif [ $? -eq 0 ]; then\n echo \"$NOWDATE [INFO] Metadata downloaded successfully.\"\n \n # Backup old metadata\n cp \"$DEST_PATH\" \"$BACKUP_PATH\"\n \n # Replace the old file\n mv \"${DEST_PATH}.tmp\" \"$DEST_PATH\"\n \n # Reload Shibboleth SP (to pick up new metadata)\n systemctl restart shibd\n \n echo \"$NOWDATE [INFO] Metadata updated and shibd restarted.\"\nelse\n echo \"$NOWDATE [ERROR] Failed to download metadata from $METADATA_URL\"\n exit 1\nfi<\/code><\/pre>\n\n\n\nNow run it to test:<\/p>\n\n\n\n
root@ip-192-168-0-27:\/opt\/shibboleth# .\/update-idp-metadata.sh\n[INFO] Metadata downloaded successfully.\n[INFO] Metadata updated and shibd restarted.<\/code><\/pre>\n\n\n\nAnd automate by adding to a cron like:<\/p>\n\n\n\n
\nvi \/etc\/cron.d\/shib-metadata<\/code><\/pre>\n\n\n\nAdd the following:<\/p>\n\n\n\n
30 2 * * * root \/opt\/shibboleth\/update-idp-metadata.sh >> \/var\/log\/shibboleth\/metadata-update.log 2>&1<\/code><\/pre>\n\n\n\nAnd it will download the latest Metadata from the OKTA IdP each night at 02:30.<\/p>\n\n\n\n
Website SSL Certificate<\/h2>\n\n\n\n
We want to have a nice certificate on our test site, so we’ll install Certbot for this. You’ll need to ensure that your site is open for challenges from CertBot’s servers, i.e. HTTP is accessible from your server, additionally, any domain you are specifying for use i.e. tristanself.co.uk<\/a> and www.tristanself.co.uk<\/a> in my case need to have an A record for these (at least), an AAAA record is not required unless you are using IPv6.<\/p>\n\n\n\nThe Terraform creates an A record for www.tristanself.co.uk<\/a> automatically, but no “apex” is created, we can do this by Terraform, but if you needed to do this manually, the following will do this. Note that AWS Route53 gives you an option to have the Apex A record be an alias of another record, rather than having to hardcode it to a specific IP, something that is normally not allowed in the DNS configuration.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-24-1024x416.png\")
<\/figure>\n\n\n\nFirstly we install\u00a0Certbot\u00a0for Apache<\/strong>\u00a0with:<\/p>\n\n\n\napt install certbot python3-certbot-apache -y<\/code><\/pre>\n\n\n\nNow you can run\u00a0certbot\u00a0to obtain a certificate.<\/p>\n\n\n\n
certbot --apache<\/code><\/pre>\n\n\n\nComplete the wizard, you can basically just accept the defaults unless you have a specific reason not to.<\/p>\n\n\n\n
In my case it generated a new SSL configuration file and then added this into the “sites-enabled” but all commented out, so to remove this from the configuration run the following and restart Apache.<\/p>\n\n\n\n
unlink \/etc\/apache2\/sites-enabled\/000-tristanself.co.uk-SSL.conf\nsystemctl restart apache<\/code><\/pre>\n\n\n\nNow when visiting the site you should find that the certificate is now being used.<\/p>\n\n\n\n
For completeness, you can also do the following to correct the error message in the logs about the “AH00558: apache2: Could not reliably determine the server’s fully qualified domain name…”<\/em>, add the following line to the \/etc\/apache2\/apache2.conf<\/strong> file:<\/p>\n\n\n\nServerName localhost<\/code><\/pre>\n\n\n\nMetadata Generation<\/h2>\n\n\n\n
The installation and configuration up to this point creates a working Shibboleth sP, there is also the metadata which is generated automatically by the MetadataGenerator handler, described in: Metadata Generation Handler<\/a>. In our particular example we don’t need to have our sP metadata for distribution to the IdP (OKTA), but in some cases you may be required to submit the Metadata to the IdP in this XML form, and\/or publish the metadata at a URL which can be read periodically by the IdP.<\/p>\n\n\n\nHowever, in our case we don’t actually need to do anything much with this metadata.<\/p>\n\n\n\n
wget https:\/\/www.tristanself.co.uk\/Shibboleth.sso\/Metadata -O sp-metadata.xml<\/code><\/pre>\n\n\n\nTo download the metadata template, then remove the top part of the file saying:<\/p>\n\n\n\n
!--\nThis is example metadata only. Do *NOT* supply it as is without review,\nand do *NOT* provide it in real time to your partners.\n --><\/code><\/pre>\n\n\n\nShibboleth.DEPRECATION Warning<\/h2>\n\n\n\n
Related to the above, we are seeing the following when running a test of the Shibboleth configuration:<\/p>\n\n\n\n
root@ip-192-168-0-27:\/etc\/shibboleth# shibd -t\n2025-04-14 12:15:57 WARN Shibboleth.DEPRECATION : MetadataGenerator handler\noverall configuration is loadable, check console or log for non-fatal problems<\/code><\/pre>\n\n\n\nAs discussed in: https:\/\/help.switch.ch\/aai\/guides\/sp\/configuration\/<\/a>, that since SPv3.3 the MetadataGenerator handler line within \/etc\/shibboleth\/shibboleth2.xml causes a: “WARN Shibboleth.DEPRECATION : MetadataGenerator handler” message. According to this: https:\/\/it.umn.edu\/services-technologies\/resources\/creating-metadata-file-your-sp<\/a> this URL provides just a template, which you should download, then turn off the above to remove the warning, then customise the template, which you then publish via other means for your IdP to use, which is what was stated in previous version. <\/p>\n\n\n\nTo suppress the message disable the handler by commenting out the following line in \/etc\/shibboleth2.xml<\/strong>, then restarting shibd with: systemctl restart shibd<\/strong>.<\/p>\n\n\n\n<Handler type=\"MetadataGenerator\" Location=\"\/Metadata\" signing=\"false\"\/><\/code><\/pre>\n\n\n\nNote that when you disable this the metadata will no longer be available at: https:\/\/www.tristanself.co.uk\/Shibboleth.sso\/Metadata<\/a>.<\/p>\n\n\n\nThe guidance that talks about running this command to generate the sP metadata appears to be no longer relevant.<\/p>\n\n\n\n
shib-metagen -2 -c sp-signing-cert.pem -h www.tristanself.co.uk -e https:\/\/www.tristanself.co.uk\/Shibboleth > sp-metadata.xml<\/code><\/pre>\n\n\n\nOKTA and Shibboleth sP with Signed\/Encrypted Assertions<\/h2>\n\n\n\n
Up until now we’ve had OKTA configured to:<\/p>\n\n\n\n
\n- Sign the SAML response message.<\/li>\n\n\n\n
- Sign the SAML assertion within the SAML response message.<\/li>\n<\/ul>\n\n\n\n
The Shibboleth sP having a copy of the IdP’s metadata, has a copy of the IdP’s signing certificate (public key), so can verify the authenticity of the SAML response, and SAML assertion within of having come from the IdP. But the assertion content is not encrypted.<\/p>\n\n\n\n
However, we’ve not got the SAML assertion content encrypted when it is sent to the Shibboleth sP, so we’ll see about enabling “Assertion Encryption” on OKTA (IdP) to encrypt the actual assertions so they can only be read by the IdP and sP.<\/p>\n\n\n\n
Obtain the Signing Certificate and Encryption Certificate from the Service Provider (sP)<\/h3>\n\n\n\n
Rather than digging through the metadata, we can just use the two files we created earlier which are already in PEM format, we need the \/etc\/shibboleth\/sp-encrypt-cert.pem<\/strong> and \/etc\/shibboleth\/sp-signing-cert.pem<\/strong> files. Copy these to your machine because we’ll need these for the next step to upload into OKTA. OKTA doesn’t appear to be able to take certificates from URLs via metadata.<\/p>\n\n\n\nConfigure OKTA (IdP) for Assertion Encryption<\/h3>\n\n\n\n
1. Open your OKTA application, which we created earlier via the OKTA admin console.<\/p>\n\n\n\n
2. Click on “General” and then edit the “SAML Settings”, then “Show Advanced Settings”.<\/p>\n\n\n\n
3. Set the “Assertion Encryption” to “Encrypted”.<\/p>\n\n\n\n
4. Set the “Encryption Algorithm” to “AES256-CBC”.<\/p>\n\n\n\n
5. Set the “Key Transport Algorithm” to “RSA-OAEP”<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-25-1024x577.png\")
<\/figure>\n\n\n\nYou may want to use different encryption algorithms, however you should be able to determine which are supported by your Shibboleth sP by examining your Shibboleth sP’s metadata.<\/p>\n\n\n\n
6. Using the two certificate files you got earlier, upload the sp-encrypt-cert.pem<\/strong> for the “Encryption Certificate” and the sp-signing-cert.pem<\/strong> for the “Signature Certificate”<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-26-1024x606.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-27-1024x829.png\")
<\/figure>\n\n\n\n7. Then save the SAML settings to confirm your changes.<\/p>\n\n\n\n
Testing to Confirm<\/h2>\n\n\n\n
Now try to log on to your test website with the DEBUG logging enabled (see the “Extra Debug Logging” section above) once applied restart Shibboleth sP.<\/p>\n\n\n\n
Now when you attempt a login you’ll see a lot for output and messages saying that the assertion content is being decrypted, if you then go back to OKTA and disable the encryption you’ll see output go back to what it was showing before that the assertions are not encrypted.<\/p>\n\n\n\n
Some sample output is given below:<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-28-1024x273.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-29-1024x506.png\")
<\/figure>\n\n\n\nWebsite Logout<\/h2>\n\n\n\n
The Logout of SAML is a can of worms, in this case however, we are going to use an example of “Global Logout”.<\/p>\n\n\n\n
The example shows how to configure “Global Logout”, which essentially means that when a user clicks the logout link in the test website, it logs the user out of the sP, but also instructs the IdP to log out all other sessions, even for other SAML sP protected sites (which support SLO – Single Log Out), which may or may not be what you want. An example of when you might want to use this is for shared computers, where you want to log out from all SSO enabled sites so if a user then walks away, another user doesn’t just swoop in and access another site (which wasn’t logged out), and accesses confidential information or services. Conversely, “Local Logout” will only log out the current sP, which means the user is still logged into the IdP, which would therefore allow them to immediately sign back into that sP or any other, it’s fine for a single user machine, but not desirable for a shared computer.<\/p>\n\n\n\n
In this example we’re using a Global Logout, however you may want to use Local Logout depending on your requirements. If you want to use the Local Logout option, this can be achieved by not setting “Enable Single Logout” as described below, and then within the Shibboleth configuration, however for the purposes of this particular example configuration, the Local Logout can be achieved by not applying the “Allow application to initiate Single Logout” as shown below, and then removing the “SAML2” from the \/etc\/shibboleth2\/shibboleth2.xml definition so only “Local” is left.<\/p>\n\n\n\n
<Logout>SAML2 Local<\/Logout><\/code><\/pre>\n\n\n\nHow the log-out function works in Local Logout and Global Logout configuration.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-30.png\")
<\/figure>\n\n\n\nConfigure OKTA Application for Global Logout<\/h3>\n\n\n\n
Firstly you need to make an adjustment to our OKTA application that works with our Shibboleth sP.<\/p>\n\n\n\n
Edit the “SAML Settings”, then tick the box for “Enable Single Logout”, then complete the fields as shown.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-31.png\")
<\/figure>\n\n\n\nSave your configuration.<\/p>\n\n\n\n
On the Shibboleth sP, you should now force a download of the updated metadata just to be sure (which will restart the Shibboleth sP).<\/p>\n\n\n\n
\/opt\/shibboleth\/update-idp-metadata.sh<\/code><\/pre>\n\n\n\nConfigure Shibboleth sP for Global Logout<\/h3>\n\n\n\n
Before we can test we now need to configure the Shibboleth sP for Global Logout. You’ll notice that in the earlier step when we created the Secret Website page that we have a link added to the page (i.e. \/Shibboleth.sso\/Logout<\/a>) that will be depending on the setting configured below will either use Global Logout, where the sP makes a request to the IdP telling it to logout all the sessions, or Local Logout, where it will just trigger the current session locally on this sP to be ended.<\/p>\n\n\n\nOn Shibboleth sP remove the “Local” from the following line in the etc\/shibboleth2.xml config, so it only says “SAML2”.<\/p>\n\n\n\n
...\n<Logout>SAML2 Local<\/Logout>\n...<\/code><\/pre>\n\n\n\nDownload new metadata from the IDP, and restart Shibboleth sP.<\/p>\n\n\n\n
Testing<\/h2>\n\n\n\n
Now we have configured the Global Logout, let’s give it a try.<\/p>\n\n\n\n
Go to the test website, then click the “Secure Site” link, you’ll then be redirected to the OKTA Login page, where you need to log in.<\/p>\n\n\n\n
Once successfully logged in, now click on the “Shibboleth Logout” link, where you’ll now see:<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-32.png\")
<\/figure>\n\n\n\nWhat is interesting is then if you go to your organisation’s OKTA front of house page, you’ll now be required to log in, this shows how you have been fully logged out from both the sP and the IdP.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-33.png\")
<\/figure>\n\n\n\nWhen doing this when using a Local Logout you’ll find you are still logged in to the IdP, even if you’ve been logged off from the sP. However, you’ll also find that if you refresh the example website you’ll end up logging back on again.<\/p>\n\n\n\n
Option 2 – Example Site Authenticated with OpenAthens and Shibboleth sP<\/h1>\n\n\n\n
Using OpenAthens as the IdP instead of OKTA is actually a fairly minimal change to the configuration. In our example we use OKTA and OpenAthens for two different use cases, and OpenAthens uses OKTA as the directory source, however that is not really relevant for the purposes of this example deployment.<\/p>\n\n\n\n
OpenAthens provide guidance here: https:\/\/docs.openathens.net\/providers\/openathens-idp-elements#OpenAthensIdPelements-Ifyouareusingothersoftware(suchasShibboleth)<\/a><\/p>\n\n\n\n![\"(warning)\"](\"https:\/\/ssg-confluence.internal.sanger.ac.uk\/s\/hqtir2\/9012\/9rxlc3\/_\/images\/icons\/emoticons\/warning.svg\")
These instructions for option 2 are written assuming you’ve already configured Shibboleth sP to work with OKTA, so we are reconfiguring what is already there to work with OpenAthens; to avoid having to repeat much of the documentation!<\/strong><\/p>\n\n\n\nOpenAthens Configuration<\/h2>\n\n\n\n
We first need to create a “Resource” within OpenAthens, to do this, open the OpenAthens admin web console then:<\/p>\n\n\n\n
1. Click on “Resources”, then “Catalogue”. Then click on “Custom”, as we’ll be creating a custom resource for our Shibboleth sP.<\/p>\n\n\n\n
2. Click on “Create”, then select “SAML” as the resource type, then “Configure”.<\/p>\n\n\n\n
3. Here either upload your Shibboleth sP metadata XML file, which you can download from the server, or alternatively add the URL to the metadata, probably not ideal to do this though because the Metadata provided via the https:\/\/www.tristanself.co.uk\/Shibboleth.SSO\/Metadata<\/a> is not customised.<\/p>\n\n\n\n4. Click “Create Resource”.<\/p>\n\n\n\n
5. If you wish you can add the Access URL on the “Resource Details” page, I used: https:\/\/www.tristanself.co.uk\/secure<\/a><\/p>\n\n\n\nThat’s it, you’re ready to move on with the configuration.<\/p>\n\n\n\n
OpenAthens Metadata Location and Configuration<\/h2>\n\n\n\n
The document above says where you can get the OpenAthens Federation metadata from, to quote.<\/p>\n\n\n\n
“If you are using other software (such as Shibboleth). If you are not ready to add the OpenAthens federation metadata to your SP, you can add the metadata for just your own OpenAthens IdP: https:\/\/login.openathens.net\/saml\/2\/metadata-idp\/YOUR_OPENATHENS_API_NAME<\/em>“<\/p>\n\n\n\nSo in our case our API name is domain.com, therefore our metadata for\u00a0OpenAthens can\u00a0be found at:\u00a0https:\/\/login.openathens.net\/saml\/2\/metadata-idp\/domain.com<\/a><\/p>\n\n\n\nShibboleth sP Configuration Changes<\/h2>\n\n\n\n
To set Shibboleth sP to work with OpenAthens you need to perform the following changes. These steps have been written assuming you’ve already configured Shibboleth sP and the test site to use OKTA, so we’ll be swapping some of the settings, rather than starting afresh.<\/p>\n\n\n\n
Update EntityID<\/h3>\n\n\n\n
Within \/etc\/shibboleth\/shibboleth2.xml<\/strong> file you need to swap the EntityID to the OpenAthens Entity ID, so find the section where you have the OKTA EntityID and swap the value, for example:<\/p>\n\n\n\n<SSO entityID=\"https:\/\/idp.domain.com\/idp\/shibboleth\"\n discoveryProtocol=\"SAMLDS\" discoveryURL=\"https:\/\/ds.example.org\/DS\/WAYF\">\n SAML2\n<\/SSO><\/code><\/pre>\n\n\n\nSet the entity ID to\u00a0https:\/\/idp.domain.com\/idp\/shibboleth<\/a>\u00a0in the following file (in this test it was already set to Okta):<\/p>\n\n\n\nMetadata Configuration<\/h3>\n\n\n\n
We have already specified the metadata location to use a local file, however this currently contains the OKTA metadata, so we need to update this to have the OpenAthens metadata in it instead.<\/p>\n\n\n\n
So run the following command to download the OpenAthens Metadata file.<\/p>\n\n\n\n
wget https:\/\/login.openathens.net\/saml\/2\/metadata-idp\/domain.com -O \/etc\/shibboleth\/partner-metadata.xml<\/code><\/pre>\n\n\n\nNote that we have the automated download script, you should either update this script with the new URL for the OpenAthens Metadata or disable it by adding a “#” at the beginning of the line within the file in \/etc\/cron.d which was created in the option 1 documentation.<\/strong><\/p>\n\n\n\nThen restart Shibboleth (and Apache):<\/p>\n\n\n\n
systemctl restart shibd\nsystemctl restart apache2<\/code><\/pre>\n\n\n\nResolve and Decode Incoming Attributes<\/h3>\n\n\n\n
The attribute mapping from OpenAthens is a bit different to that from OKTA, depending on how the attributes are released and named we need to update the \/etc\/shibboleth\/attribute-map.xml configuration file to be able to pluck these out of the incoming assertion. You’ll see the below, some of the attributes we were resolving for the OKTA IdP, we can leave those in there, even if they have the same name, e.g. givenName and givenName, because the first definition will be ignored, because it doesn’t match the incoming attribute assertion format.<\/p>\n\n\n\n
\/etc\/shibboleth\/attribute-map.xml<\/p>\n\n\n\n
<!-- Bits I've added to this file -->\n \n<Attribute name=\"mail\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"mail\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute>\n \n<Attribute name=\"sn\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"sn\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute>\n \n<Attribute name=\"givenName\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"givenName\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute>\n \n<Attribute name=\"uid\" nameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\" id=\"uid\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute>\n \n<Attribute name=\"urn:oid:2.5.4.42\" id=\"givenName\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute>\n \n<Attribute name=\"urn:oid:2.5.4.4\" id=\"sn\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute>\n \n<!-- End of my bits --><\/code><\/pre>\n\n\n\nWe added these two “givenName” and “sn”, you can see that these have a different format, therefore the previous ones wouldn’t have matched.<\/p>\n\n\n\n
<Attribute name=\"urn:oid:2.5.4.42\" id=\"givenName\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute>\n \n<Attribute name=\"urn:oid:2.5.4.4\" id=\"sn\">\n <AttributeDecoder xsi:type=\"StringAttributeDecoder\" caseSensitive=\"false\"\/>\n<\/Attribute><\/code><\/pre>\n\n\n\nNow restart Shibboleth sP and Apache, and we are ready to test. If you have anything you are passing that is not mapped, you’ll see things like the following upon login within the \/var\/log\/shibboleth\/shibd.log file.<\/p>\n\n\n\n
2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:mace:eduserv.org.uk:athens:attribute-def:federation:1.0:identifier\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.3\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.1\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:mace:eduserv.org.uk:athens:attribute-def:organisation:1.0:identifier\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:oid:2.5.4.42\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.11\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: forenames\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: emailAddress\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: surname\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:oid:2.16.840.1.113730.3.1.241\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: http:\/\/eduserv.org.uk\/federation\/attributes\/1.0\/organisationid\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:oid:2.5.4.4\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: urn:oid:2.5.4.3\n2025-04-16 12:34:22 INFO Shibboleth.AttributeExtractor.XML [1] [default]: skipping SAML 2.0 Attribute with Name: organisationNum<\/code><\/pre>\n\n\n\nTesting<\/h2>\n\n\n\n
We can now perform some testing. <\/p>\n\n\n\n
Visit the test site, then click on “Secure Site”, notice now that we’re getting a slightly different logon screen within OKTA, note that in our case OpenAthens is the IdP, BUT it is backing off its authentication source to OKTA, if however you are using OpenAthens stand-alone or using it against another Directory Service, e.g. openLDAP or Active Directory, you’ll see something a bit different. <\/p>\n\n\n\n
However, in our case we can see that we’re authenticating via OpenAthens rather than direct to OKTA via the OKTA application as we did in Option 1.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-34.png\")
<\/figure>\n\n\n\nAnd we’re in, going to the “Session” page within the Secure Site, we can see our attributes being released as expected.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2025\/04\/image-35.png\")
<\/figure>\n\n\n\nQuestions<\/h1>\n\n\n\n
Some questions that arose from the development of the OKTA and Shibboleth sP Test.<\/p>\n\n\n\n
What does the NameID unspecified mean? What is the difference on the NameID bit, what does unspecified, persistent and transient formats mean?<\/h2>\n\n\n\n
In the context of SAML and Shibboleth, “NameID” refers to the unique identifier of the user in a SAML assertion, representing the subject of the authentication, and can be anything like an email address, username, or a unique identifier. <\/p>\n\n\n\n
So what does the different NameID format mean?<\/p>\n\n\n\n
Unspecified<\/h3>\n\n\n\n\n- Format URI: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified<\/li>\n\n\n\n
- Means the IdP doesn’t specify how to interpret the identifier \u2014 it’s up to the SP.<\/li>\n\n\n\n
- Often used when the value is meaningful only to the SP (e.g., a username like “jsmith”).<\/li>\n\n\n\n
- It can be flexible but may lack interoperability between systems.<\/li>\n<\/ul>\n\n\n\n
Persistent<\/h3>\n\n\n\n\n- Format URI: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<\/li>\n\n\n\n
- A long-term, opaque, non-assignable identifier.<\/li>\n\n\n\n
- Same value sent to the same SP every time, enabling long-term account linking without exposing personal info.<\/li>\n\n\n\n
- Example: 4f1c2d67-9a67-4d13-82cb-3a15eabcde12<\/li>\n\n\n\n
- Good for privacy-preserving but consistent user identification.<\/li>\n<\/ul>\n\n\n\n
Transient<\/h3>\n\n\n\n\n- Format URI: urn:oasis:names:tc:SAML:2.0:nameid-format:transient<\/li>\n\n\n\n
- A temporary, one-time-use identifier.<\/li>\n\n\n\n
- Only valid for the current session or authentication transaction.<\/li>\n\n\n\n
- The SP can\u2019t rely on it to link user sessions long-term.<\/li>\n\n\n\n
- Often used when you don\u2019t want persistent tracking or user identification.<\/li>\n<\/ul>\n\n\n\n
So really using Persistent NameID is when you need the sP to recognise the same user over multiple sessions, e.g. so they can access a profile they have customised with user preferences etc. You also protect privacy because it’s not a real name, it’s just an identifier. Transient is when you don’t need to track a user long term, e.g. you are providing a service to access information, all you need to know that the user is from an organisation with a subscription for example, you don’t care any more than that. e.g. document signing and so forth. Finally, “unspecified” is for when the sP requires the NameID contain a specific value, e.g. a username, so there is no need for format enforcement, typically you’d use this for old applications (e.g. SAML 1.1) or when it’s an internal system (which wants a specific username) or for quick set up and testing.<\/p>\n\n\n\n
What about SAML assertions having a Name Format of basic, unspecified or URI etc.?<\/h2>\n\n\n\n
Now we are talking NameFormat for SAML attributes, which is different from NameID and assertion confirmation. The attribute’s NameFormat affects how attributes are interpreted by the sP.<\/p>\n\n\n\n
In a SAML AttributeStatement, you send user attributes like email, display name, affiliation, etc. Each attribute has:<\/p>\n\n\n\n
\n- A Name (like urn:oid:0.9.2342.19200300.100.1.3 or just email)<\/li>\n\n\n\n
- A\u00a0NameFormat\u00a0(which tells the SP how to interpret the Name)<\/li>\n\n\n\n
- Optional\u00a0FriendlyName\u00a0(a human-readable alias)<\/li>\n<\/ul>\n\n\n\n
Digging into each NameFormat is:<\/p>\n\n\n\n
1. Unspecified – urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified<\/h3>\n\n\n\n\n- Just a raw string \u2014 no special format implied.<\/li>\n\n\n\n
- Attribute names like “email” or “uid” are just passed as-is.<\/li>\n\n\n\n
- Most flexible, but least standardized.<\/li>\n<\/ul>\n\n\n\n
2. Basic – urn:oasis:names:tc:SAML:2.0:attrname-format:basic<\/h3>\n\n\n\n\n- Legacy format from SAML 1.1.<\/li>\n\n\n\n
- Names are often simple strings like “cn”, “sn”, “mail”, “uid”.<\/li>\n\n\n\n
- Still used in some Shibboleth deployments for backward compatibility.<\/li>\n\n\n\n
- More structured than unspecified but less so than URI.<\/li>\n<\/ul>\n\n\n\n
3. URI – urn:oasis:names:tc:SAML:2.0:attrname-format:uri<\/h3>\n\n\n\n\n- The recommended standard format in modern SAML 2.0.<\/li>\n\n\n\n
- Uses URIs to define attribute names, often\u00a0OIDs\u00a0or schemas.<\/li>\n\n\n\n
- For example:\n
\n- urn:oid:0.9.2342.19200300.100.1.3 \u2192 email<\/li>\n\n\n\n
- urn:oid:2.5.4.3 \u2192\u00a0commonName<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Highly interoperable across federations (like eduGAIN).<\/li>\n<\/ul>\n\n\n\n
So on the sP side, you need to decide how to map incoming SAML attributes from the IdP to internal attribute names (in the sP) that your application(s) can use. So within the sP you’ll have some sort of translation table (attribute-map.xml on Shibboleth sP for example), where you define:<\/p>\n\n\n\n
\n- What the IdP sends in the SAML assertion (Name, NameFormat).<\/li>\n\n\n\n
- What the SP internally refers to that attribute as.<\/li>\n<\/ul>\n\n\n\n
So, it uses name + optional nameFormat to match SAML attributes. If there’s no match, the SP won’t make the attribute available to your apps therefore you need to ensure what is coming in maps to which for interpreting and exposing user data correctly.<\/p>\n\n\n\n
Additional Information<\/h1>\n\n\n\n\n- https:\/\/help.it.ox.ac.uk\/installing-shibboleth-sp-for-apache#collapse2307686<\/a><\/li>\n\n\n\n
- https:\/\/support.aaf.edu.au\/support\/solutions\/articles\/19000035962-installing-a-shibboleth-service-provider<\/a><\/li>\n\n\n\n
- https:\/\/spaces.at.internet2.edu\/display\/federation\/SP+Testing+for+SAML2<\/a><\/li>\n\n\n\n
- https:\/\/docs.eduvpn.org\/server\/v3\/shibboleth-sp.html<\/a><\/li>\n\n\n\n
- https:\/\/help.it.ox.ac.uk\/installing-shibboleth-sp-for-apache#collapse2307686<\/a><\/li>\n\n\n\n
- https:\/\/www.iam.harvard.edu\/resources\/saml-shibboleth-integration<\/a>https:\/\/help.it.ox.ac.uk\/installing-shibboleth-sp-for-apache#collapse2307686<\/a><\/li>\n\n\n\n
- https:\/\/docs.shib.ncsu.edu\/docs\/logout.html<\/a>
<\/a>https:\/\/github.com\/ConsortiumGARR\/idem-tutorials\/blob\/master\/idem-fedops\/HOWTO-Shibboleth\/Service%20Provider\/Debian\/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20SP%20v2.x%20on%20Debian%20Linux%209%20(Stretch).md<\/a><\/li>\n\n\n\n- https:\/\/it.umn.edu\/services-technologies\/resources\/creating-metadata-file-your-sp<\/a><\/li>\n\n\n\n
- https:\/\/iam.alaska.edu\/shib\/wiki\/SpSetup<\/a><\/li>\n\n\n\n
- https:\/\/www.ukfederation.org.uk\/content\/Documents\/Setup3SP<\/a><\/li>\n\n\n\n
- https:\/\/help.switch.ch\/aai\/guides\/sp\/logout\/<\/a><\/li>\n\n\n\n
- https:\/\/uwconnect.uw.edu\/it?id=kb_article_view&sysparm_article=KB0033930<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
The document provides an overview of how to setup and configure OKTA with a test Shibboleth sP (Service Provider) instance with a example site which is secured using OKTA. It can be used to explore how OKTA and Shibboleth sP interact with the SAML assertion exchange. The deployment is simple and provides the following: An …