Shibboleth IdP configuration with simplified backend
Scott Koranda
skoranda at gmail.com
Wed Apr 30 10:09:26 EDT 2014
> As I am playing with ECP extensions at the moment, I am trying to
> deploy my own Shibboleth Identity Provider Server in order to have a
> controllable IdP with access to the logs.
> So to speak what I am interested in, is a simplified configuration of
> the IdP with set of 2-3 users. So far I have seen configurations with
> the LDAP used as a backend. I don't really need LDAP, and I don't want
> to spend time configuring it.
> I would be extremely happy with some docs/examples for a static
> configuration (with flat files) or simple references for MySQL
> configurations. Anybody?
>
My preferred development environment for ECP is a Shibboleth IdP running
in Tomcat behind Apache HTTP Server using AJP. I then simply protect the ECP
endpoint using basic auth. So the Apache configuration has something like
    ProxyPass /idp/ ajp://localhost:8009/idp/

    <Location /idp/profile/SAML2/SOAP/ECP>
        AuthType Basic
        AuthName "ECP Testing"
        AuthUserFile /etc/apache2/passwords_ecp
        Require valid-user
    </Location>
Then create the password file using the htpasswd command line utility.
If you prefer a Tomcat only solution then you will need to edit
web.xml in the Shibboleth IdP deployment source and add something like
    <security-constraint>
        <display-name>Shibboleth IdP</display-name>
        <web-resource-collection>
            <web-resource-name>ECP</web-resource-name>
            <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ECPTESTER</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ECPTEST</realm-name>
    </login-config>
and redeploy. Then edit tomcat-users.xml and add appropriate users and
passwords with the correct role. Please see the Tomcat documentation
for details.
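An added example (not part of the message above, and not Shibboleth or Tomcat project code): a small Python check that parses a Tomcat web.xml and verifies that the ECP endpoint is actually covered by a security-constraint that requires a role, demands CONFIDENTIAL transport (so Basic credentials are never accepted over plaintext), and that login-config uses BASIC. The embedded web.xml is constructed from the snippet in the message, wrapped in a minimal web-app root; the weak variant is constructed to show what the check flags. The url-pattern matching is the Servlet-spec exact/prefix/extension form and is an assumption of this example, as is the context-relative path constant.

```python
import re
import xml.etree.ElementTree as ET

# Context-relative path of the ECP endpoint: Apache sees /idp/profile/SAML2/SOAP/ECP,
# while web.xml inside the /idp context sees this path (assumed deployment layout).
ECP_PATH = "/profile/SAML2/SOAP/ECP"

# Constructed sample: the <security-constraint> and <login-config> from the message,
# wrapped in a minimal namespaced <web-app> root so it parses.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ECPTESTER</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ECPTEST</realm-name>
  </login-config>
</web-app>
"""

# Constructed weak variant: transport guarantee NONE and no <auth-constraint> at all.
WEAK_WEB_XML = re.sub(r"<auth-constraint>.*?</auth-constraint>", "",
                      SAMPLE_WEB_XML.replace("CONFIDENTIAL", "NONE"), flags=re.S)


def _local(tag):
    """Strip a namespace prefix: '{urn:x}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Stripped text of every descendant element with the given local name."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def _pattern_matches(pattern, path):
    """Servlet-style url-pattern matching: exact, prefix '/x/*' or extension '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def check_ecp_protection(web_xml_text, path=ECP_PATH):
    """Return a list of findings; an empty list means the endpoint looks properly protected."""
    root = ET.fromstring(web_xml_text)
    findings = []
    covered = False
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_pattern_matches(p, path) for p in _texts(sc, "url-pattern")):
            continue
        covered = True
        has_auth = any(_local(c.tag) == "auth-constraint" for c in sc.iter())
        if not has_auth:
            findings.append("no <auth-constraint>: endpoint is reachable without authentication")
        elif not _texts(sc, "role-name"):
            # An empty <auth-constraint/> denies access to everyone.
            findings.append("empty <auth-constraint>: access is denied to every user")
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append("transport-guarantee is not CONFIDENTIAL: Basic credentials may be sent in the clear")
        methods = _texts(sc, "http-method")
        if methods:
            # Listing methods narrows the constraint to exactly those methods;
            # any other method on the same path is left unconstrained.
            findings.append("constraint lists http-method %s; other methods on this path are unconstrained"
                            % ",".join(methods))
    if not covered:
        findings.append("no <security-constraint> url-pattern matches %s" % path)
    if "BASIC" not in _texts(root, "auth-method"):
        findings.append("<login-config> does not use BASIC auth")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WEB_XML), ("weak", WEAK_WEB_XML)):
        print(label, check_ecp_protection(text) or ["OK"])
```

Run it against the real web.xml with `check_ecp_protection(open("web.xml").read())`; the only finding on the message's own snippet is the method listing, which is worth knowing when the endpoint must be reachable by other HTTP methods.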