Azure AD SAML federation using Shibboleth SP

Concept

SAML Authentication Concept

Configure IDP

Configure SP

#yum install httpd
#systemctl enable httpd
#systemctl start httpd
#yum install httpd mod_ssl
#systemctl restart httpd
#openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/shibboleth-demo.key -x509 -days 365 -out /etc/pki/tls/certs/shibboleth-demo.crt
#vim /etc/httpd/conf.d/ssl.conf
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/shibboleth-demo.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/shibboleth-demo.key
#firewall-cmd --permanent --zone=public --add-port=443/tcp
#firewall-cmd --reload
Default Apache Web Server page
#wget https://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/security:shibboleth.repo -P /etc/yum.repos.d
#yum install shibboleth
#systemctl enable shibd
#systemctl start shibd
#shibd -t 
2020-11-09 10:47:08 CRIT XMLTooling.Config : libcurl lacks OpenSSL-specific options, this will greatly limit functionality
2020-11-09 10:47:08 WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
2020-11-09 10:47:08 WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
2020-11-09 10:47:08 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
overall configuration is loadable, check console or log for non-fatal problems
#cd /etc/shibboleth
#cp shibboleth2.xml shibboleth2.xml.backup
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://<DNS name of the application or Apache web server's ip>/shibboleth"
REMOTE_USER="eppn subject-id pairwise-id persistent-id"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact">
<SSO entityID="https://sts.windows.net/341aad7c-768b-4b4b-9362-xxxxxxxx/">
<!-- discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> -->
SAML2
</SSO>
<!-- Example of locally maintained metadata. -->
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
https://<Apache web server's ip>/Shibboleth.sso/Session
A valid session was not found.
https://<Apache web server's ip>/Shibboleth.sso/Metadata
#cd /etc/shibboleth
#./metagen.sh -c sp-signing-cert.pem -h <DNS name of the application or Apache web server's ip> -o <"Your organisation name"> -u <"URL"> > sp-metadata.xml
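The shibd -t output above warned about handlerSSL, cookieProps and a missing MetadataProvider, and the SSO element must name exactly the Azure AD tenant issuer that appears as entityID in the IdP metadata you save as partner-metadata.xml. The following Python script is an added example (not code from the article or the Shibboleth project) that parses an IdP metadata document and a shibboleth2.xml excerpt and reports any mismatch between them or any of those weak settings. The host sp.example.org, the TENANT-ID-PLACEHOLDER value and both XML documents are constructed sample data, not values from a real tenant.

```python
"""Lint a Shibboleth SP configuration against its IdP metadata (added example)."""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
         "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_NS = {"conf": "urn:mace:shibboleth:3.0:native:sp:config"}

# Constructed sample in the shape Azure AD publishes; tenant id and cert are placeholders.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed shibboleth2.xml excerpt; sp.example.org is a placeholder host.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
      REMOTE_USER="eppn subject-id pairwise-id persistent-id">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="false" handlerSSL="true" cookieProps="https" redirectLimit="exact">
      <SSO entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""


def parse_idp_metadata(xml_text):
    """Extract the IdP entityID, its signing certificates and SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing as well.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS):
                certs.append(c.text.strip())
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", MD_NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso_endpoints": endpoints}


def parse_sp_config(xml_text):
    """Pull the settings we care about out of the SP configuration."""
    root = ET.fromstring(xml_text)
    app = root.find("conf:ApplicationDefaults", SP_NS)
    sessions = app.find("conf:Sessions", SP_NS)
    sso = sessions.find("conf:SSO", SP_NS)
    return {
        "sp_entity_id": app.get("entityID"),
        "sso_entity_id": sso.get("entityID") if sso is not None else None,
        # Attributes that are absent are treated as unset, not as a known default.
        "handler_ssl": sessions.get("handlerSSL", "").lower() == "true",
        "cookie_props": sessions.get("cookieProps", ""),
        "metadata_providers": len(app.findall("conf:MetadataProvider", SP_NS)),
    }


def check_sp_against_idp(sp, idp):
    """Return a list of findings; an empty list means the two documents agree."""
    findings = []
    if sp["sso_entity_id"] != idp["entity_id"]:
        findings.append(f"SSO entityID {sp['sso_entity_id']!r} does not match "
                        f"IdP entityID {idp['entity_id']!r}")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if not sp["handler_ssl"]:
        findings.append("handlerSSL is not true (shibd -t warns about this)")
    if sp["cookie_props"] != "https":
        findings.append("cookieProps is not 'https' (session cookie could leak over plain HTTP)")
    if sp["metadata_providers"] == 0:
        findings.append("no MetadataProvider configured")
    if not sp["sp_entity_id"] or "<" in sp["sp_entity_id"]:
        findings.append("SP entityID is empty or still contains a placeholder")
    for binding, location in idp["sso_endpoints"].items():
        if not location.startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not https: {location}")
    return findings


def run_checks(sp_xml=SP_CONFIG, idp_xml=IDP_METADATA):
    return check_sp_against_idp(parse_sp_config(sp_xml), parse_idp_metadata(idp_xml))


if __name__ == "__main__":
    for finding in run_checks() or ["configuration and IdP metadata agree"]:
        print(finding)
```

To use it against a real deployment, read /etc/shibboleth/shibboleth2.xml and the saved partner-metadata.xml into the two strings instead of the constructed samples; the checks are the same ones shibd logs as warnings, plus the entityID comparison that shibd only reports at login time.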

Finishing up IDP Configuration

https://<DNS name of the application or Apache web server's ip>/Shibboleth.sso/Login
Enterprise Application

Finishing up SP Configuration

Shibbolethise Apache Web Server

#cd /etc/httpd/conf.d
#vim shib.conf
<Location /<FolderName>>
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</Location>
<Location />
AuthType shibboleth
ShibRequestSetting requireSession 1
require shib-session
</Location>

Verify SAML/SSO

MS Login page
Apache web page
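Once the Microsoft login page hands the browser back to /Shibboleth.sso/SAML2/POST, shibd verifies the XML signature against the certificate from the IdP metadata and then checks the response's Destination, status, Issuer, validity window, Audience and bearer Recipient before it creates the session. The following Python script is an added example (not code from the article or the Shibboleth project) that walks through those non-cryptographic checks on a constructed sample response shaped like the one Azure AD returns; the signature check is deliberately left to shibd. The host sp.example.org, the TENANT-ID-PLACEHOLDER issuer and the user name are placeholders.

```python
"""SP-side checks on a SAML 2.0 Response, minus signature verification (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://sp.example.org/shibboleth"            # placeholder SP entityID
IDP_ENTITY_ID = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"  # placeholder tenant issuer
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"   # Shibboleth SP's POST ACS path
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _stamp(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_time(text):
    # SAML timestamps are UTC; Azure AD may include fractional seconds.
    text = text.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def build_sample_response(now, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, recipient=ACS_URL):
    """Constructed, unsigned response valid for five minutes either side of 'now'."""
    nb, na = _stamp(now - timedelta(minutes=5)), _stamp(now + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{_stamp(now)}" Destination="{recipient}" InResponseTo="_req1">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_stamp(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="{na}" Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, now, sp_entity_id=SP_ENTITY_ID, idp_entity_id=IDP_ENTITY_ID,
                      acs_url=ACS_URL, skew=timedelta(seconds=180)):
    """Return the list of reasons to reject the response; empty means all checks passed."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:
        problems.append(f"Destination {resp.get('Destination')!r} is not our ACS URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion in Response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _parse_time(nb) > now + skew:
            problems.append("assertion not yet valid (NotBefore)")
        if na and _parse_time(na) <= now - skew:
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include our entityID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("bearer confirmation Recipient is not our ACS URL")
    elif scd.get("NotOnOrAfter") and _parse_time(scd.get("NotOnOrAfter")) <= now - skew:
        problems.append("bearer confirmation expired")
    return problems


if __name__ == "__main__":
    now = datetime(2020, 11, 9, 10, 47, 8, tzinfo=timezone.utc)  # constructed clock
    print("fresh response:", validate_response(build_sample_response(now), now))
    print("20 minutes later:", validate_response(build_sample_response(now), now + timedelta(minutes=20)))
    print("wrong audience:", validate_response(
        build_sample_response(now, audience="https://other.example.org/shibboleth"), now))
```

The three-minute skew mirrors the tolerance an SP needs for clock drift between Azure AD and the Apache host; if the Apache page shows "A valid session was not found" after a successful Microsoft login, an expired window or a mismatched Audience or Recipient in the shibd log is the usual cause.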
