Configuring other Shibboleth SPs

From RavenWiki

Most of the instructions in this wiki relate to getting the Shibboleth Consortium's SP software to work with Raven's Shibboleth/SAML IdP. It's possible to get the Raven Shibboleth service to inter-work with most standards-conforming SAML SPs, though custom configuration and possibly some in-depth knowledge of SAML may be needed. Raven Support has some experience of doing this and may be able to advise.

This document covers some of the issues you may encounter.

Metadata

You will need to register your SP with Raven by uploading suitable metadata to the Shibboleth Metadata administration site. Hopefully your SP or service supplier can provide this. Otherwise you may need to write it from scratch. See SP registration for how the upload process works and for some advice on changes you may need to make to supplied metadata to make it acceptable to Raven.

Attributes

Some SPs may want or require attributes and/or attribute values that Raven doesn't normally release, or which Raven doesn't have. See Attributes released by the Raven IdP for a summary of what's currently possible. Note that attribute values not normally released to SPs outside the University can sometimes be released by arrangement. Contact Raven Support if you need this.

A common problem is SPs that require 'forename' to be released (often along with 'surname' and 'mail address'), because Raven doesn't have access to forename information. A sometimes useful workaround is to use 'initials' in place of forename.

nameIDs

SAML authentications contain a single 'nameID' that in some way identifies the individual being authenticated. A number of different formats of nameID are defined, corresponding to different semantics.

The Raven default, matching normal 'Shibboleth' usage, is to use the 'transient' nameID format. This creates a random string that identifies each authentication transaction but which doesn't (except by reference to log information) directly identify the person being authenticated. In normal Shibboleth usage, nameID is largely ignored in favour of information provided in attributes.

However, many non-Shibboleth SPs use the value of nameID as a 'user id' for the authenticated user. The 'transient' nameID format doesn't work in this case because an individual gets a different ID every time they authenticate. Such SPs normally want the 'emailAddress' nameID format, which expects a string in the form of an email address (<local part>@<domain>). The Raven IdP can be configured to use this format for a particular SP on request - contact Raven Support. Note that the IdP always uses <CrsID>@cam.ac.uk as the value for this nameID, which may not be the user's preferred email address and may not actually be valid. Wherever possible, use the value of the user's 'mail' attribute as an address at which to contact them.
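The following is an added example (not code from this wiki or from the Raven service) showing how an SP should treat the nameID formats described above: a 'transient' nameID is never used as a user id, an 'emailAddress' nameID is accepted only if it is in local@domain form, and the 'mail' attribute is preferred for contacting the user. The assertion is constructed for illustration (unsigned, with a made-up CRSid and address), and the assumption that the IdP releases 'mail' under its LDAP OID name urn:oid:0.9.2342.19200300.100.1.3 is mine.

```python
"""Added example: deriving a stable user id and a contact address from a
SAML 2.0 assertion, following the nameID advice on the Raven wiki page."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard nameID format URNs.
FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumption: Shibboleth releases 'mail' under its LDAP OID attribute name.
ATTR_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"

# Constructed sample assertion (no signature; not a real Raven response).
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="{fmt}">{value}</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>jane.doe@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_assertion(fmt, value):
    """Return a constructed assertion carrying the given NameID format/value."""
    return ASSERTION_TEMPLATE.format(fmt=fmt, value=value)


def parse_assertion(xml_text):
    """Extract the NameID (format and value) and the attribute statement."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "nameid_value": nameid.text if nameid is not None else None,
        "attributes": attrs,
    }


def stable_user_id(parsed):
    """Return an identifier that is the same on every login, or None.

    A transient NameID changes on every authentication, so it is never a
    user id.  An emailAddress NameID is accepted only in local@domain form;
    for Raven this will be <CrsID>@cam.ac.uk, which is an identifier, not a
    guaranteed-deliverable mailbox.
    """
    fmt = parsed["nameid_format"]
    if fmt == FORMAT_EMAIL:
        value = parsed["nameid_value"] or ""
        local, sep, domain = value.partition("@")
        if not sep or not local or not domain:
            raise ValueError("emailAddress NameID is not in local@domain form")
        return value.lower()
    # Transient (or any other format we do not understand) gives no stable id.
    return None


def contact_address(parsed):
    """Prefer the 'mail' attribute; fall back to an emailAddress NameID."""
    mail = parsed["attributes"].get(ATTR_MAIL)
    if mail and mail[0]:
        return mail[0]
    if parsed["nameid_format"] == FORMAT_EMAIL:
        return parsed["nameid_value"]
    return None


if __name__ == "__main__":
    t = parse_assertion(build_assertion(FORMAT_TRANSIENT, "_9f2c1a7e"))
    print("transient ->", stable_user_id(t), "/ contact:", contact_address(t))
    e = parse_assertion(build_assertion(FORMAT_EMAIL, "jd123@cam.ac.uk"))
    print("emailAddress ->", stable_user_id(e), "/ contact:", contact_address(e))
```

Note that an SP which keys its accounts on the emailAddress nameID must still treat that value as an identifier rather than as a working mailbox: the contact address comes from the 'mail' attribute when it is released.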

Service URLs

Helpful SPs discover everything they need to know to interact with Raven from the Raven Shibboleth service metadata, a copy of which is available at https://shib.raven.cam.ac.uk/shibboleth for the production service and https://shib-test.raven.cam.ac.uk/shibboleth for a debugging test instance. However, some expect the relevant service URLs to be configured manually. All the necessary URLs appear in the IdP metadata, but selecting the right one may require an understanding of how both SAML and the SP in question work.

If your SP wants to use the SAML 2.0 HTTP-POST binding use:

 https://shib.raven.cam.ac.uk/idp/profile/SAML2/POST/SSO

If your SP wants to use the SAML 2.0 HTTP-Redirect binding use:

 https://shib.raven.cam.ac.uk/idp/profile/SAML2/Redirect/SSO

Encryption Keys

SPs need to have the public key corresponding to the private key that the Raven IdP uses to identify itself and to encrypt things. Again, helpful SPs get this from the Raven Shibboleth service metadata where it appears in a self-signed X.509 certificate. Unfortunately the format in which it appears in the metadata isn't quite the format that most software will expect.
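The following added example (my code, not the wiki's or the Raven service's) covers both of the manual-configuration jobs described in the Service URLs and Encryption Keys sections: picking the SingleSignOnService endpoint for a given SAML 2.0 binding out of IdP metadata, and converting the bare base64 `<ds:X509Certificate>` text from the metadata into the PEM form most software expects. The metadata document is constructed for the example: the two SSO Locations are the production URLs given above, the entityID is a placeholder, and the certificate body is placeholder text rather than a real Raven certificate.

```python
"""Added example: reading an IdP's SingleSignOnService endpoints and its
X.509 certificate(s) out of SAML 2.0 metadata, and emitting the certificate
as PEM.  The metadata below is constructed; the certificate is a placeholder."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body (valid base64 alphabet, but not a real cert).
PLACEHOLDER_CERT_B64 = "PLACEHOLDERBASE64" * 4

# Constructed IdP metadata: placeholder entityID, SSO Locations as on the page.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        @CERT@
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shib.raven.cam.ac.uk/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://shib.raven.cam.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("@CERT@", PLACEHOLDER_CERT_B64)


def sso_location(metadata_xml, binding):
    """Return the SingleSignOnService Location advertised for `binding`."""
    root = ET.fromstring(metadata_xml)
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == binding:
            return sso.get("Location")
    raise LookupError(f"IdP metadata advertises no SingleSignOnService for {binding}")


def idp_certificates_pem(metadata_xml, use=None):
    """Return the IdP's certificates as PEM strings.

    `use` may be "signing" or "encryption"; a KeyDescriptor with no `use`
    attribute applies to both and is always returned.  Whitespace that the
    metadata inserts inside the base64 text is stripped, the text is checked
    to be well-formed base64, and the PEM body is re-wrapped at 64 columns.
    """
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        kd_use = kd.get("use")
        if use and kd_use and kd_use != use:
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            base64.b64decode(b64, validate=True)  # raises on corrupt/truncated text
            body = "\n".join(textwrap.wrap(b64, 64))
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems


if __name__ == "__main__":
    print("HTTP-POST SSO:", sso_location(SAMPLE_IDP_METADATA, BINDING_POST))
    print("HTTP-Redirect SSO:", sso_location(SAMPLE_IDP_METADATA, BINDING_REDIRECT))
    for pem in idp_certificates_pem(SAMPLE_IDP_METADATA, use="encryption"):
        print(pem)
```

To use this against the real service, fetch the metadata from the URL given in the Service URLs section and pass its text in place of the constructed sample; the PEM that comes out can be fed to the SP's usual certificate-loading configuration, and its validity period checked with any X.509 tool before trusting it.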

For convenience, the keys currently used appear below:

Production service on shib.raven.cam.ac.uk (expires Nov 17 14:50:51 2025 GMT):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Debugging/test service on shib-test.raven.cam.ac.uk (expires Dec 2 11:56:44 2022 GMT):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----