Versions Compared

Comment: Claims URI should not be made into a link. Correct some other formatting issues as well.

...

Code Block
<servlet-mapping>
    <servlet-name>IdP</servlet-name>
    <url-pattern>/ADFS</url-pattern>
</servlet-mapping>
  • Run "./ant compile" from $IDP_HOME in order to compile the extension
  • Run "./ant install" from $IDP_HOME in order to add the extension to your existing IdP installation

...

Code Block
<ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ADFS_SSOHandler">
    <Location>https?://[^:/]+(:443)?/shibboleth-idp/ADFS</Location>
</ProtocolHandler>
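The Location element above is a regular expression that the IdP compares against incoming request URLs to decide whether the ADFS handler should service them. The following is an added check, not code from the Shibboleth project, that runs the page's pattern over a few constructed request URLs; it assumes the IdP requires the whole URL to match the pattern (a full match, not a prefix match). It also shows a tightened variant that drops the optional plain-http scheme, which the page's pattern would otherwise accept.

```python
import re

# Location pattern exactly as it appears in the ProtocolHandler element above.
ADFS_LOCATION = r"https?://[^:/]+(:443)?/shibboleth-idp/ADFS"

# Tightened variant (added here, not from the page): TLS only, same host/port rules.
ADFS_LOCATION_TLS_ONLY = r"https://[^:/]+(:443)?/shibboleth-idp/ADFS"

# Constructed sample request URLs an IdP might receive.
SAMPLE_URLS = [
    "https://idp.example.org/shibboleth-idp/ADFS",
    "https://idp.example.org:443/shibboleth-idp/ADFS",
    "https://idp.example.org:8443/shibboleth-idp/ADFS",  # non-default port
    "http://idp.example.org/shibboleth-idp/ADFS",        # plaintext scheme
    "https://idp.example.org/shibboleth-idp/ADFS/extra",  # trailing path
    "https://idp.example.org/shibboleth-idp/SSO",        # different handler
]


def handler_matches(location_pattern, request_url):
    """True if the handler's Location pattern matches the whole request URL.

    Assumption: the IdP performs a full-string match, so trailing path
    segments do not match; re.fullmatch models that.
    """
    return re.fullmatch(location_pattern, request_url) is not None


def check_urls(location_pattern, urls):
    """Map each URL to whether the given Location pattern would dispatch it."""
    return {url: handler_matches(location_pattern, url) for url in urls}


def plaintext_accepted(location_pattern, urls):
    """Return the http:// URLs a pattern would dispatch to the handler.

    Useful as a configuration lint: an ADFS endpoint should normally be
    reachable over TLS only.
    """
    return [url for url in urls
            if url.startswith("http://") and handler_matches(location_pattern, url)]


if __name__ == "__main__":
    for url, ok in check_urls(ADFS_LOCATION, SAMPLE_URLS).items():
        print(f"{'MATCH ' if ok else 'no    '} {url}")
    print("plaintext accepted by page pattern:", plaintext_accepted(ADFS_LOCATION, SAMPLE_URLS))
    print("plaintext accepted by TLS-only pattern:", plaintext_accepted(ADFS_LOCATION_TLS_ONLY, SAMPLE_URLS))
```

Running it shows that the page's pattern accepts the endpoint on the default port with or without an explicit :443, rejects other ports, and accepts an http:// form of the same URL; if the IdP is only ever reached over TLS, the tightened pattern removes that last case.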
  • Add a NameMapping configuration to idp.xml in order to add support for MS UPNs. Reference this mapping from the appropriate <RelyingParty> element.
Code Block
<NameMapping
    xmlns="urn:mace:shibboleth:namemapper:1.0"
    id="shm"
    format="http://schemas.xmlsoap.org/claims/UPN"
    class="edu.internet2.middleware.shibboleth.common.provider.UPNNameIdentifierMapping"
    handleTTL="28800" scope="example.org"/>

...

Code Block
<md:AssertionConsumerService Location="/ADFS" index="4"
    Binding="http://schemas.xmlsoap.org/ws/2003/07/secext" ResponseLocation="/"/>

...

The Location value is up to you, but must be defined in the Resource Partner configuration to the ADFS servers that will be supporting this SP. As with other endpoints, the full endpoint location is determined by appending this value to the handlerURL attribute and usually the server hostname. A typical value will be https://hostname.example.org/Shibboleth.sso/ADFS.

Finally (and this is the really hard part) you have to understand how SessionInitiators work at a fairly deep level if you want to deploy this for real. To test ADFS, the simplest thing to do is to treat this like a bilateral installation with a single IdP partner site. You modify the SessionInitiator element with the isDefault attribute to use ADFS and redirect directly to the ADFS Account Partner. To do this, you change the wayfBinding attribute to http://schemas.xmlsoap.org/ws/2003/07/secext and set the wayfURL attribute to the location of the ADFS Account Partner's federation service URL. After these changes, resources that are protected in a default manner will cause an ADFS-style redirect to the wayfURL location.

...

ADFS refers to SAML attributes as claims. Various claims are predefined for communicating things like usernames, groups, email addresses. Custom claims are also supported. All claims have a common AttributeNamespace of http://schemas.xmlsoap.org/claims

Since this is not the default namespace used by Shibboleth, each <AttributeRule> element must include a Namespace attribute containing the ADFS namespace above.
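To make the namespace requirement concrete, here is an added example (not code from the Shibboleth project) that parses a constructed SAML 1.1 attribute statement shaped the way an ADFS IdP sends it and applies simplified AttributeRule-style matching to it. The claim names EmailAddress and Group in the sample, the rule representation as Python dicts, and the assumption that an AttributeRule without a Namespace attribute defaults to urn:mace:shibboleth:1.0:attributeNamespace:uri are all the example's own; the point it shows is that a rule without the ADFS namespace silently accepts nothing, and that the subject UPN can be recognised by the NameIdentifier Format used in the NameMapping above.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Default attribute namespace assumed for AttributeRule elements that omit Namespace.
SHIB_DEFAULT_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
# Namespace shared by all ADFS claims (from the text above).
ADFS_CLAIMS_NS = "http://schemas.xmlsoap.org/claims"
# NameIdentifier format for UPNs (from the NameMapping element above).
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"

# Constructed sample statement; claim names and values are made up for this example.
SAMPLE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML1_NS}">
  <saml:Subject>
    <saml:NameIdentifier Format="{UPN_FORMAT}">jdoe@example.org</saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="{ADFS_CLAIMS_NS}">
    <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="Group" AttributeNamespace="{ADFS_CLAIMS_NS}">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(xml_text):
    """Return [(namespace, name, [values])] for every saml:Attribute in the statement."""
    root = ET.fromstring(xml_text)
    found = []
    for attr in root.iter(f"{{{SAML1_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML1_NS}}}AttributeValue")]
        found.append((attr.get("AttributeNamespace"), attr.get("AttributeName"), values))
    return found


def subject_upn(xml_text):
    """Return the subject NameIdentifier only if it is declared in UPN format, else None."""
    root = ET.fromstring(xml_text)
    ident = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    if ident is None or ident.get("Format") != UPN_FORMAT:
        return None
    return ident.text


def apply_rules(attributes, rules):
    """Simplified AttributeRule matching.

    Each rule is a dict with 'name', 'header' and an optional 'namespace';
    a missing 'namespace' defaults to SHIB_DEFAULT_NS (assumption). An attribute
    is exported to its header only when both namespace and name match exactly.
    """
    exported = {}
    for rule in rules:
        rule_ns = rule.get("namespace", SHIB_DEFAULT_NS)
        for ns, name, values in attributes:
            if ns == rule_ns and name == rule["name"]:
                exported[rule["header"]] = values
    return exported


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_STATEMENT)
    print("UPN subject:", subject_upn(SAMPLE_STATEMENT))
    # Rule written the usual Shibboleth way, without Namespace: matches nothing.
    print("default namespace:", apply_rules(attrs, [{"name": "Group", "header": "Shib-Group"}]))
    # Same rule carrying the ADFS namespace: the claim is exported.
    print("ADFS namespace:", apply_rules(attrs, [
        {"name": "Group", "namespace": ADFS_CLAIMS_NS, "header": "Shib-Group"},
        {"name": "EmailAddress", "namespace": ADFS_CLAIMS_NS, "header": "Shib-Email"},
    ]))
```

The first apply_rules call is the failure mode to watch for when adapting an existing AAP: the rule looks correct, no error is logged by this toy filter, and the header is simply never set.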

...

The subject of the assertions from an ADFS IdP will typically use a Microsoft-defined format called a UPN that contains the AD username. To export this value to REMOTE_USER, a rule such as the following can be used:

...