This guide covers configuration for Shibboleth IDP v5.x, with specific focus on Linux DevOps best practices.
Shibboleth IDP v5.x uses a modular configuration system located primarily in the conf/ directory:
conf/idp.properties - Main configuration properties
conf/config-directory.xml - Configuration directory settings
conf/metadata-providers.xml - Metadata provider configuration
conf/attribute-resolver.xml - Attribute resolution configuration
conf/attribute-filter.xml - Attribute filtering and release policies
conf/authn/ - Authentication flow configuration
conf/c14n/ - Client address canonicalization
conf/credentials/ - Credential definitions
conf/drivers/ - Database drivers
conf/intercept/ - Interceptor configuration
conf/metadata/ - Metadata files
conf/services.xml - Service registry configuration
conf/saml-nameid.properties - SAML name identifier configuration
conf/saml-schema.xml - SAML schema configuration
conf/signature-signing.properties - Signature signing configuration
conf/system-password.properties - System password configuration
conf/velocity/ - Velocity template customization
conf/views/ - View customization
Key properties in conf/idp.properties:
# Basic Settings
idp.entityID= https://idp.example.com/idp/shibboleth
idp.scope= example.com
idp.host.name= idp.example.com
# SAML signing and encryption credentials (not the HTTPS/TLS certificate)
idp.signing.cert= /opt/shibboleth-idp/credentials/idp-signing.crt
idp.signing.key= /opt/shibboleth-idp/credentials/idp-signing.key
idp.encryption.cert= /opt/shibboleth-idp/credentials/idp-encryption.crt
idp.encryption.key= /opt/shibboleth-idp/credentials/idp-encryption.key
# Storage and Session Settings
idp.session.StorageService= shibboleth.ClientSessionStorageService
idp.replayCache.StorageService= shibboleth.ClientPersistentStorageService
idp.consent.StorageService= shibboleth.ClientPersistentStorageService
# Attribute Configuration
idp.attribute.resolver.eduPersonTargetedID.default=true
idp.persistentId.sourceAttribute= mail
idp.sessions.checkAddress= false
idp.sessions.thirdPartyDiscovery= false
# Logging
idp.loglevel.idp= INFO
idp.loglevel.packages= DEBUG
In conf/attribute-resolver.xml, define how attributes are retrieved from external sources:
<!-- Example LDAP data connector, in the unprefixed element syntax used by IdP v4/v5
     (the older resolver:/dc: namespace prefixes are no longer supported) -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.com:636"
    baseDN="ou=people,dc=example,dc=com"
    principal="cn=idp-bind,ou=services,dc=example,dc=com"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
    <!-- The bind password comes from conf/ldap.properties instead of being written into this file -->
    <FilterTemplate>
        <![CDATA[
            (&(objectClass=inetOrgPerson)(uid=$resolutionContext.principal))
        ]]>
    </FilterTemplate>
    <!-- Space-separated list of directory attributes to fetch -->
    <ReturnAttributes>uid cn sn givenName mail eduPersonPrincipalName</ReturnAttributes>
</DataConnector>
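The filter template above substitutes `$resolutionContext.principal` straight into the `(uid=...)` assertion. The following Python, added here as an illustration and not part of the original page or of Shibboleth, shows the RFC 4515 escaping that such a substituted value needs so that a login name can never alter the filter's structure; the template string and the `assertion_count` helper are constructed for this example and can be used to sanity-check what your directory actually receives.

```python
"""RFC 4515 escaping for values substituted into an LDAP search filter.

Added illustration (not Shibboleth code): shows the escaping a principal
name needs before it is inserted into (uid=...), and a helper that checks
the rendered filter still has exactly the template's structure.
"""

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Same template as the data connector above (constructed for this example).
FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(uid={principal}))"


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP filter assertion."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are escaped one UTF-8 byte at a time.
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(principal: str) -> str:
    """Render the template with the principal escaped."""
    return FILTER_TEMPLATE.format(principal=escape_filter_value(principal))


def assertion_count(ldap_filter: str) -> int:
    """Count unescaped '(' in a filter. A correctly rendered filter always has
    exactly as many as the template (three here), whatever the principal was."""
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3          # skip a \XX escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count
```

Run `assertion_count(render_filter(name))` over the user names your directory holds; any result other than three means a value reached the filter unescaped.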
In conf/attribute-filter.xml, define which attributes can be released to specific service providers:
<!-- Example attribute filter policy: release eduPersonScopedAffiliation (only the value
     member@example.com) to one service provider. The IdP filter schema has no PermitRule
     element; a policy is a PolicyRequirementRule plus AttributeRule/PermitValueRule pairs. -->
<AttributeFilterPolicy id="exampleSP">
    <!-- The policy applies only to requests from this SP -->
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.com/shibboleth" />
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="Value" value="member@example.com" />
    </AttributeRule>
</AttributeFilterPolicy>
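To make the release semantics concrete, here is a small Python model of how such policies are evaluated: deny by default, permits work per value rather than per attribute, and a deny rule overrides any permit. It is an added example, not Shibboleth code; the `AttributeRule`/`FilterPolicy` classes and the sample user attributes are constructed for this illustration and only model the `Requester`, `Value` and `ANY` rule types.

```python
"""Evaluate attribute filter policies the way the IdP's attribute filter does:
deny by default, per-value permit rules, and deny rules that override permits.

Added example (not Shibboleth code); the policy objects below are a
constructed model of the XML above, not the IdP's own classes.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class AttributeRule:
    """Mirrors <AttributeRule attributeID="...">: which values may (or may not) pass."""
    attribute_id: str
    permit_values: FrozenSet[str] = frozenset()     # PermitValueRule xsi:type="Value"
    permit_any: bool = False                         # PermitValueRule xsi:type="ANY"
    deny_values: FrozenSet[str] = frozenset()       # DenyValueRule xsi:type="Value"


@dataclass
class FilterPolicy:
    """Mirrors <AttributeFilterPolicy> with a Requester PolicyRequirementRule."""
    policy_id: str
    requester: str
    rules: List[AttributeRule] = field(default_factory=list)


def apply_policies(policies: List[FilterPolicy], requester: str,
                   attributes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the attribute values released to `requester`.

    A value is released only if some applicable policy permits it and no
    applicable policy denies it; attributes no policy mentions are withheld.
    """
    permitted: Dict[str, List[str]] = {}
    denied: Dict[str, set] = {}
    for policy in policies:
        if policy.requester != requester:          # PolicyRequirementRule not met
            continue
        for rule in policy.rules:
            for v in attributes.get(rule.attribute_id, []):
                if rule.permit_any or v in rule.permit_values:
                    bucket = permitted.setdefault(rule.attribute_id, [])
                    if v not in bucket:
                        bucket.append(v)
                if v in rule.deny_values:
                    denied.setdefault(rule.attribute_id, set()).add(v)
    released: Dict[str, List[str]] = {}
    for attr, values in permitted.items():
        kept = [v for v in values if v not in denied.get(attr, set())]
        if kept:
            released[attr] = kept
    return released


# The policy from conf/attribute-filter.xml above, expressed in this model.
EXAMPLE_POLICIES = [
    FilterPolicy(
        policy_id="exampleSP",
        requester="https://sp.example.com/shibboleth",
        rules=[AttributeRule("eduPersonScopedAffiliation",
                             permit_values=frozenset({"member@example.com"}))],
    )
]

# Constructed resolved attributes for one user (not real data).
EXAMPLE_ATTRIBUTES = {
    "eduPersonScopedAffiliation": ["member@example.com", "staff@example.com"],
    "mail": ["jdoe@example.com"],
}
```

With these inputs `apply_policies(EXAMPLE_POLICIES, "https://sp.example.com/shibboleth", EXAMPLE_ATTRIBUTES)` releases only `member@example.com`; the `staff@example.com` value and the `mail` attribute are withheld because nothing permits them, and any other requester receives nothing.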
Shibboleth IDP v5.x supports various authentication methods in the conf/authn/ directory:
conf/authn/general-authn.xml - General authentication settings
conf/authn/password-authn.xml - Password authentication
conf/authn/mfa-authn.xml - Multi-factor authentication
conf/authn/external-authn.xml - External authentication systems
Enable and configure password authentication:
<!-- In conf/authn/password-authn.xml -->
<!-- IdP flow beans are named authn/<Flow>, matching the flow IDs listed in idp.authn.flows -->
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="false"
      p:forcedAuthenticationSupported="true">
    <!-- Hand off to the MFA flow once the password step succeeds -->
    <property name="nextFlow">
        <ref bean="authn/MFA" />
    </property>
</bean>
For MFA integration with privacyIDEA:
Add privacyIDEA authenticator configuration in conf/authn/mfa-authn.xml:
<!-- The MFA flow orchestrates the individual factor flows listed below -->
<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
      p:authenticationFlows-ref="authn.MFA.Flows" />
<util:list id="authn.MFA.Flows">
    <ref bean="authn/privacyIDEA" />
</util:list>
<bean id="authn/privacyIDEA" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="false"
      p:forcedAuthenticationSupported="true">
    <!-- privacyIDEA-specific configuration -->
</bean>
Create conf/authn/privacyidea.properties:
# privacyIDEA server configuration
privacyidea.url=https://privacyidea.example.com
privacyidea.realm=default
privacyidea.ssl.verify=true
privacyidea.timeout=30
# User mapping
privacyidea.user.mapping=mail
Configure metadata providers in conf/metadata-providers.xml:
<!-- Example federation metadata provider: fetched over HTTPS and cached on local disk -->
<MetadataProvider id="FederationMetadata"
    xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/federation-metadata.xml"
    metadataURL="https://federation.example.com/metadata.xml">
    <!-- Verify the federation signature first; unsigned or tampered feeds are discarded -->
    <MetadataFilter xsi:type="SignatureValidation"
        trustEngineRef="shibboleth.MetadataTrustEngine" />
    <!-- Reject metadata that lacks validUntil or whose validUntil lies too far in the future -->
    <MetadataFilter xsi:type="RequiredValidUntil"
        maxValidityInterval="%{idp.maximumValidityInterval:P180D}" />
</MetadataProvider>
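The RequiredValidUntil filter is what stops a stale or unbounded metadata feed from being trusted indefinitely. The Python below, an added example rather than Shibboleth's own filter code, applies the same rule offline so a new feed can be checked before it is wired into conf/metadata-providers.xml: the root element must carry `validUntil`, it must not already be past, and it must fall within now plus the configured interval. The sample metadata document and the `P180D`-style duration parser (day/time components only) are constructed for this example.

```python
"""Offline check of the RequiredValidUntil rule applied to a metadata file.

Added example (not Shibboleth code): mirrors what the RequiredValidUntil
metadata filter enforces, so a feed can be sanity-checked from a shell.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (not a real federation feed).
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:example:federation"
    validUntil="2031-01-15T00:00:00Z">
  <EntityDescriptor entityID="https://sp.example.com/shibboleth"/>
</EntitiesDescriptor>
"""

# Day/time subset of ISO 8601 durations, as used by IdP properties (P180D, PT12H, ...).
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text: str) -> timedelta:
    """Parse e.g. 'P180D' or 'PT12H' into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_xsd_datetime(text: str) -> datetime:
    """Parse an xsd:dateTime (Z or explicit offset) into an aware UTC datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError("validUntil must carry a timezone")
    return dt.astimezone(timezone.utc)


def check_valid_until(metadata_xml: str, max_interval: str,
                      now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Apply the RequiredValidUntil rule and explain the verdict."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    if root.tag not in (f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"):
        return False, f"unexpected root element {root.tag}"
    value = root.get("validUntil")
    if value is None:
        return False, "validUntil attribute missing (feed would be rejected)"
    valid_until = parse_xsd_datetime(value)
    if valid_until <= now:
        return False, f"metadata expired at {valid_until.isoformat()}"
    limit = now + parse_duration(max_interval)
    if valid_until > limit:
        return False, (f"validUntil {valid_until.isoformat()} exceeds the allowed "
                       f"interval {max_interval}")
    return True, f"ok, expires {valid_until.isoformat()}"
```

The check is deliberately strict about the timezone: a `validUntil` without one is ambiguous, and an ambiguous expiry is exactly what a validity bound is meant to remove.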
Configure secure communication in conf/idp.properties:
# DataSealer keystore: the key that encrypts cookies and other client-side state
idp.sealer.storeType= JCEKS
idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
# Secure session settings
idp.session.secureOnly= true
idp.session.useSecureCookies= true
idp.session.trustClientCert= false
Restrict access to administrative endpoints in conf/handler.xml:
<!-- Status handler with ACL: loopback plus private (RFC 1918 / ULA / link-local) ranges only -->
<Handler type="Status" Location="/Status"
    acl="127.0.0.1 ::1 fd00::/8 fe80::/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" />
<!-- Admin handler with the same ACL -->
<Handler type="Admin" Location="/Admin"
    acl="127.0.0.1 ::1 fd00::/8 fe80::/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" />
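An address ACL like the one above is only as good as the address it is compared against, so it is worth being able to test it offline. The Python below is an added example, not Shibboleth code: `client_allowed` evaluates the same space-separated address/CIDR syntax (unwrapping IPv4-mapped IPv6 clients so that an IPv4 rule still matches on a dual-stack listener), and `effective_client_ip` shows the caveat for deployments behind a reverse proxy, where the TCP peer is the proxy and `X-Forwarded-For` may only be believed when that peer is a trusted proxy. The `ACL` string is the one from the configuration above; the trusted-proxy list and header values are constructed for the example.

```python
"""Evaluate a space-separated IP/CIDR ACL against a client address.

Added example (not Shibboleth code). Shows how an allow-list such as the
one on the Status/Admin handlers behaves for IPv4, IPv6, IPv4-mapped IPv6,
and for clients arriving through a reverse proxy.
"""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The ACL from the handler configuration above.
ACL = "127.0.0.1 ::1 fd00::/8 fe80::/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"


def parse_acl(acl: str) -> List[Network]:
    """Turn the ACL string into networks; bare addresses become /32 or /128."""
    return [ipaddress.ip_network(token, strict=False) for token in acl.split()]


def client_allowed(acl: str, client_ip: str) -> bool:
    """True if client_ip falls inside any network of the ACL.

    IPv4-mapped IPv6 addresses (::ffff:10.1.2.3) are unwrapped so an IPv4
    rule still matches a client that connected over a dual-stack socket.
    """
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in parse_acl(acl))


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: str) -> str:
    """Resolve the real client address when the IdP sits behind a reverse proxy.

    X-Forwarded-For is consulted only if the TCP peer is itself a trusted
    proxy; hops are then walked right to left and the first untrusted hop is
    the client. An untrusted peer's header is ignored, since anyone can set it.
    """
    if not x_forwarded_for or not client_allowed(trusted_proxies, remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not client_allowed(trusted_proxies, hop):
            return hop
    return hops[0]          # every hop was a trusted proxy; take the leftmost one
```

Note what `effective_client_ip` implies for the ACL above: if the IdP is fronted by a proxy in 10.0.0.0/8 and the container is not configured to resolve the forwarded address, every client appears to come from the proxy and the "private networks only" ACL admits everyone the proxy forwards.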
After making configuration changes:
Running Shibboleth IdP in regulated environments? We assist with:
Secure your deployment: office@linux-server-admin.com | Contact Page