Shibboleth IdP configuration with simplified backend

Scott Koranda skoranda at gmail.com
Wed Apr 30 10:09:26 EDT 2014


> As I am playing with ECP extensions at the moment, I am trying to
> deploy my own Shibboleth Identity Provider Server in order to have a
> controllable IdP with access to the logs.
> So to speak what I am interested in, is a simplified configuration of
> the IdP with set of 2-3 users. So far I have seen configurations with
> the LDAP used as a backend. I don't really need LDAP, and I don't want
> to spend time configuring it.
> I would be extremely happy with some docs/examples for a static
> configuration (with flat files) or simple references for MySQL
> configurations. Anybody?
>

My preferred development environment for ECP is a Shibboleth IdP running
in Tomcat behind Apache HTTP Server using AJP. I then simply protect the ECP
endpoint using basic auth. So the Apache configuration has something like

ProxyPass /idp/ ajp://localhost:8009/idp/

<Location /idp/profile/SAML2/SOAP/ECP>
AuthType Basic
AuthName "ECP Testing"
AuthUserFile /etc/apache2/passwords_ecp
Require valid-user
</Location>

Then create the password file using the htpasswd command line utility.

If you prefer a Tomcat-only solution then you will need to edit
web.xml in the Shibboleth IdP deployment source and add something like

<security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
        <web-resource-name>ECP</web-resource-name>
        <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ECPTESTER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ECPTEST</realm-name>
</login-config>

and redeploy. Then edit tomcat-users.xml and add appropriate users and
passwords with the correct role. Please see the Tomcat documentation
for details.
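A small configuration check for the Tomcat-only setup above, added here as an example and not code from the post or from the Shibboleth project. It parses a web.xml and reports whether the ECP SOAP endpoint is reachable only by an authenticated role over TLS. The sample document is constructed from the post's security-constraint and login-config, wrapped in a minimal <web-app> root so it parses stand-alone; the check for uncovered HTTP methods goes one step beyond the post, since listing http-method elements constrains only those methods unless the web-app also declares <deny-uncovered-http-methods/> (Servlet 3.1 and later).

```python
"""Check that a Shibboleth IdP web.xml protects the ECP SOAP endpoint.

Added example, not code from the post or the Shibboleth project. The sample
web.xml is constructed from the post's fragment and wrapped in <web-app>.
"""
import xml.etree.ElementTree as ET

ECP_PATH = "/profile/SAML2/SOAP/ECP"

# Constructed sample web.xml containing the security-constraint and
# login-config from the post.
SAMPLE_WEB_XML = """\
<web-app>
  <security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ECPTESTER</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ECPTEST</realm-name>
  </login-config>
</web-app>
"""


def url_pattern_matches(pattern, path):
    """Servlet-style matching: exact path, prefix ('/x/*') or extension ('*.ext')."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def _texts(element, tag):
    """Stripped text of every descendant element with the given tag."""
    return [e.text.strip() for e in element.iter(tag) if e.text]


def check_ecp_protection(web_xml_text, ecp_path=ECP_PATH):
    """Return a list of findings; an empty list means the endpoint requires an
    authenticated role, over TLS, for every HTTP method."""
    root = ET.fromstring(web_xml_text)
    findings = []

    covering = [sc for sc in root.iter("security-constraint")
                if any(url_pattern_matches(p, ecp_path)
                       for p in _texts(sc, "url-pattern"))]
    if not covering:
        return [f"no security-constraint covers {ecp_path}"]

    for sc in covering:
        if sc.find("auth-constraint") is None:
            findings.append("auth-constraint missing: no authentication required")
        elif not _texts(sc, "role-name"):
            # An empty <auth-constraint/> denies access to everyone.
            findings.append("auth-constraint lists no role: nobody can reach the endpoint")

        guarantee = sc.find("user-data-constraint/transport-guarantee")
        if guarantee is None or (guarantee.text or "").strip() != "CONFIDENTIAL":
            findings.append("transport-guarantee is not CONFIDENTIAL: "
                            "Basic credentials would be sent in clear text")

        # Listing http-method elements constrains only those methods; any other
        # method on the same URL is uncovered unless the web-app declares
        # <deny-uncovered-http-methods/> (Servlet 3.1+).
        listed = _texts(sc, "http-method")
        if listed and root.find("deny-uncovered-http-methods") is None:
            findings.append(f"http-method list ({', '.join(listed)}) leaves other "
                            "methods uncovered: drop the list or add "
                            "<deny-uncovered-http-methods/>")

    auth_method = root.find("login-config/auth-method")
    if auth_method is None or (auth_method.text or "").strip() != "BASIC":
        findings.append("login-config auth-method is not BASIC")
    return findings


if __name__ == "__main__":
    for line in check_ecp_protection(SAMPLE_WEB_XML) or ["OK: ECP endpoint is protected"]:
        print(line)
```

Run against the post's fragment, the only finding is the explicit GET/POST method list; removing the http-method elements (so the constraint applies to every method) or adding <deny-uncovered-http-methods/> to the web-app clears it. The same function flags a constraint whose transport-guarantee is not CONFIDENTIAL, which matters because Basic authentication sends the password with every request.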
