Configuring Shibboleth Auth

samltool.com

  1. Create a self-signed certificate for the ReSeeD application

    • We used the service https://www.samltool.com/self_signed_certs.php

    • Values we filled in

      Country name: United Kingdom
      State or province: London
      Organization Name: Cottage Labs
      Common name, the domain: 
      
      Valid days: 365
      Bits to generate the private key: 1024 bits
      Digest Algorithm: SHA1
      

      From here, we got the certificate and certificate key, which we added to the .env file.
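As an added example (not part of the original notes or of the ReSeeD project), the same self-signed SP certificate can be produced locally with Ruby's standard OpenSSL bindings, so the private key is generated on your own machine rather than on a third-party web page. The subject fields mirror the values entered above; the common name `rdms.example.org` is a placeholder assumption, and the key size and digest are 2048 bits and SHA-256 rather than the 1024 bits and SHA1 chosen above, since those older parameters are no longer considered adequate. The second helper flattens the PEM into the single-line form the .env file below uses.

```ruby
require 'openssl'
require 'securerandom'

# Generate a self-signed certificate and RSA private key for the SAML SP.
# Subject fields mirror the values entered on samltool.com above; the common
# name is whatever you pass in (a placeholder in the usage at the bottom).
def generate_sp_cert(common_name:, days: 365, bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  name = OpenSSL::X509::Name.new([
    ['C',  'GB'],
    ['ST', 'London'],
    ['O',  'Cottage Labs'],
    ['CN', common_name]
  ])

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                                   # X.509 v3
  cert.serial     = OpenSSL::BN.new(SecureRandom.random_number(2**63) + 1) # random, non-zero
  cert.subject    = name
  cert.issuer     = name                                                # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + days * 24 * 60 * 60

  # Mark it as a leaf certificate used for signing and decrypting SAML messages.
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The .env file stores each PEM on one line with spaces instead of newlines
# (see the SAML_IDP_CERT value in step 3); this produces that form.
def pem_to_env_value(pem)
  pem.strip.gsub("\n", ' ')
end

if $PROGRAM_NAME == __FILE__
  cert, key = generate_sp_cert(common_name: 'rdms.example.org') # placeholder CN
  puts "SAML_SP_CERTIFICATE=#{pem_to_env_value(cert.to_pem)}"
  # Depending on the Ruby version the key header reads "RSA PRIVATE KEY"
  # (PKCS#1) or "PRIVATE KEY" (PKCS#8); OpenSSL::PKey::RSA.new loads both.
  puts "SAML_SP_CERTIFICATE_KEY=#{pem_to_env_value(key.to_pem)}"
end
```

Run it once, paste the two printed lines into the .env file, and keep the key line out of version control.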

  2. Register the metadata with SAML test

    • Visit https://rdms.cottagelabs.com/users/auth/saml/metadata and save the file locally
    • Upload the file to https://samltest.id/upload.php (the fetch doesn't seem to work)

  3. Fill in the env file with all of the values needed

    # SAML Login

    SAML_SERVICE_URL=https://rdms.cottagelabs.com/users/auth/saml/callback
    SAML_IDP_SERVICE_URL=https://samltest.id/saml/idp
    SAML_SP_ID=https://rdms.cottagelabs.com/
    SAML_IDP_SSO_SERVICE_URL=https://samltest.id/idp/profile/SAML2/Redirect/SSO
    SAML_IDP_CERT=-----BEGIN CERTIFICATE----- MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOEjj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1klbN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF/cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8nspXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0GA1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVzdC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsFAAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHTTNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nblD1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcUZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu3kXPjhSfj1AJGR1l9JGvJrHki1iHTA== -----END CERTIFICATE-----
    SAML_SP_CERTIFICATE=-----BEGIN CERTIFICATE----- xxx -----END CERTIFICATE-----
    SAML_SP_CERTIFICATE_KEY=-----BEGIN PRIVATE KEY----- xxx -----END PRIVATE KEY-----
    SAML_ATTRIBUTE_UID=urn:oasis:names:tc:SAML:attribute:pairwise-id
    SAML_ATTRIBUTE_NAME=urn:mace:dir:attribute-def:displayName
    SAML_ATTRIBUTE_EMAIL=urn:mace:dir:attribute-def:mail
    SAML_ATTRIBUTE_ROLE=urn:mace:dir:attribute-def:eduPersonAffiliation
    # If Authorization is restricted, only users with affiliation=staff are allowed access
    SAML_RESTRICT_AUTHORIZATION=true
    

    The values for the IDP were obtained from https://samltest.id/download/#SAMLtests_IdP

    The values for the required attributes were taken from discussions recorded in https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/antleaf-projectmanagement/-/issues/24#note_132494 and https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/antleaf-projectmanagement/-/issues/24#note_132512

    If SAML_RESTRICT_AUTHORIZATION is set to true, only users with affiliation=staff are allowed access. See note and https://gitlab.ruhr-uni-bochum.de/FDM/rdm-system/antleaf-projectmanagement/-/issues/164

  4. Reload the environment variables in the container

    Bring the container down and up again

  5. Test that the service is registered with SAML test at https://samltest.id/start-sp-test/

    entityID: https://rdms.cottagelabs.com/
    Destination Resource (RelayState, optional): https://rdms.cottagelabs.com/users/auth/saml/callback
    
    • The entityID is the application URL.
    • The destination resource is the callback URL. The test works even if it is left empty.

    This should redirect you to a login page within samltest.

    If at this point you get the message the service is not registered, please wait a few minutes. We had to wait about 5 minutes before it started working.

  6. Test with the SAML login on the ReSeeD application

    Visit Login -> Sign in with SAML

    It should redirect you to samltest, prompt you for a username and password, and then redirect you back to the Cottage Labs ReSeeD application.

RUB IdP

Some IdPs, e.g. the RUB IdP, release attributes under raw OID names rather than the friendly attribute names used above. See example here
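The following is an added example, not code from the ReSeeD project, showing how the values from the step 3 env file are consumed: the flattened one-line PEM is restored to proper PEM lines, the four SAML_ATTRIBUTE_* names select the released attributes, and the SAML_RESTRICT_AUTHORIZATION rule (only affiliation=staff may log in) is applied. Because the attribute names are read from the env file, the same code serves an IdP that releases attributes under raw OID names, as in the RUB IdP note above: only the env values change. The sample env text, the placeholder certificate body `QUJDREVG`, the attribute values and the `urn:oid:1.3.6.1.4.1.5923.1.1.1.1` (eduPersonAffiliation) variant in the usage are constructed for this example; the attribute hash shape (name => array of values) follows what ruby-saml's `Attributes#multi` returns.

```ruby
# Constructed sample .env content, using the attribute names from the notes
# above (the certificate body "QUJDREVG" is a placeholder, not a real cert).
SAMPLE_ENV = <<~'ENV'
  # SAML Login
  SAML_SP_ID=https://rdms.cottagelabs.com/
  SAML_IDP_CERT=-----BEGIN CERTIFICATE----- QUJDREVG QUJDREVG -----END CERTIFICATE-----
  SAML_ATTRIBUTE_UID=urn:oasis:names:tc:SAML:attribute:pairwise-id
  SAML_ATTRIBUTE_NAME=urn:mace:dir:attribute-def:displayName
  SAML_ATTRIBUTE_EMAIL=urn:mace:dir:attribute-def:mail
  SAML_ATTRIBUTE_ROLE=urn:mace:dir:attribute-def:eduPersonAffiliation
  # If Authorization is restricted, only users with affiliation=staff are allowed access
  SAML_RESTRICT_AUTHORIZATION=true
ENV

# Minimal .env parser: KEY=VALUE per line; '#' comments and blank lines skipped.
def parse_env(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    env[key] = value.to_s.strip
  end
end

# Restore a PEM block that was flattened onto one line (spaces instead of
# newlines) to 64-column lines, the form OpenSSL and ruby-saml expect.
def env_to_pem(value)
  m = value.match(/-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----/m)
  raise ArgumentError, 'value is not a PEM block' unless m
  label = m[1]
  body  = m[2].gsub(/\s+/, '')
  "-----BEGIN #{label}-----\n#{body.scan(/.{1,64}/).join("\n")}\n-----END #{label}-----\n"
end

# Map released SAML attributes (name => array of values) onto the
# application's user fields, using the names configured in the env file.
def map_user(env, attrs)
  {
    uid:   Array(attrs[env['SAML_ATTRIBUTE_UID']]).first,
    name:  Array(attrs[env['SAML_ATTRIBUTE_NAME']]).first,
    email: Array(attrs[env['SAML_ATTRIBUTE_EMAIL']]).first,
    roles: Array(attrs[env['SAML_ATTRIBUTE_ROLE']])
  }
end

# Authorisation rule from the notes: with SAML_RESTRICT_AUTHORIZATION=true only
# users whose affiliation includes "staff" may log in. A response without the
# identifying attribute is rejected either way, since no account can be matched.
def authorized?(env, attrs)
  user = map_user(env, attrs)
  return false if user[:uid].nil? || user[:uid].empty?
  return true unless env['SAML_RESTRICT_AUTHORIZATION'] == 'true'
  user[:roles].include?('staff')
end

if $PROGRAM_NAME == __FILE__
  env = parse_env(SAMPLE_ENV)
  puts env_to_pem(env['SAML_IDP_CERT'])
  # Constructed attribute set as a staff member's IdP would release it.
  attrs = { 'urn:oasis:names:tc:SAML:attribute:pairwise-id' => ['abc123@samltest.id'],
            'urn:mace:dir:attribute-def:eduPersonAffiliation' => ['member', 'staff'] }
  puts "friendly names: #{authorized?(env, attrs)}"
  # Same rule for an IdP that names the affiliation attribute by OID.
  oid_env = env.merge('SAML_ATTRIBUTE_ROLE' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1')
  puts "OID names: #{authorized?(oid_env, attrs.merge('urn:oid:1.3.6.1.4.1.5923.1.1.1.1' => ['staff']))}"
end
```

Two points worth keeping: the restriction checks for "staff" among all released affiliation values (the attribute is multi-valued, and a staff member is usually also "member"), and an assertion that lacks the UID attribute is refused before any role check, which is what you want when an IdP has not been configured to release the pairwise-id yet.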