[Shib-Users] How to implement IDP initiated SSO using Shibboleth2 ?


Shriram

Oct 17, 2008, 2:56:11 AM
to shibbole...@internet2.edu

Hello Friends,

I am using Shibboleth 2 IDP and SP. I am trying to implement a use case where the Shibboleth2 IDP initiates the Single Sign-on session.

Use case:

  1. User logs into a web application running on the IDP side.
  2. After login, he clicks on a link which should initiate SSO with the SP application [another web application, protected by Shibboleth2 SP].
  3. On clicking this link, the request is forwarded to the Shibboleth2 IDP, which obtains the authenticated user’s principal name from the request. The user’s principal name is passed as a request parameter.
  4. The Shibboleth2 IDP fetches all required attributes for that user, creates a SAML assertion and forwards it to the SP.

Can anyone, please, help me implement this use case? Any starters will be useful.

Also, is there Shibboleth2 support for IDP-initiated SSO using SAML2? If yes, how do I use it?

Looking forward to your reply.

Regards,

Shriram

Peter Schober

Oct 17, 2008, 3:03:07 AM
to shibbole...@internet2.edu
* Shriram <shriram_...@persistent.co.in> [2008-10-17 08:55]:

> I am using Shibboleth 2 IDP and SP. I am trying to implement a use case
> where Shibboleth2 IDP initiates Single Sign-on session.

That is not what your use case describes.

> Use case :
>
> 1. User logs into a web application running on IDP side.
> 2. After login, he clicks on a link which should initiate SSO with SP
> application [another web application, protected by Shibboleth2 SP].
> 3. On clicking this link, the request is forwarded to Shibboleth2 IDP ,
> which obtains the authenticated user's principal name from request. The
> user's principal name is passed as a request parameter.
> 4. The Shibboleth2 IDP fetches all required attributes for that user,
> creates a SAML assertion and forwards it to SP.

The "web application" in 1. is an SP, which (after login) shows links
to other SPs (those mentioned in 2,3,4).
So just install an SP somewhere with links to the other SPs, maybe on
the IdP itself. The rest is WebSSO.

Also note that SAML and Shibboleth do not pass attributes and their
values (like a principal name) as request parameters, but in SAML
assertions (allowing them to be multivalued, signed, encrypted, etc.).

Cheers,
-peter

--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Shriram

Oct 17, 2008, 3:49:30 AM
to shibbole...@internet2.edu

Hello Peter,

Thanks for your response.

Let me clarify the use case below:

1. There’s a web application running on my server.
2. The user, on accessing this application, gets authenticated by some mechanism. The authentication isn’t forced by the Shibboleth IDP but by the application or probably the servlet container.
3. Now, after successful authentication, there’s an HTML link that points to another web application.
4. This second web application is protected by my Shibboleth SP.
5. On clicking this link, I want the authenticated user to be, first, directed to my Shibboleth IDP [so as to create the SAML assertion first].
6. The Shibboleth IDP should get the principal name from the request and fetch all required attributes.
7. The Shibboleth IDP should then create a SAML assertion and forward this to the Shibboleth SP.
8. The Shibboleth SP will consume the SAML assertion and then forward the request to the second web application.

Help me implement this using Shibboleth2.

Regards,

Shriram.

Peter Schober

Oct 17, 2008, 4:17:06 AM
to shibbole...@internet2.edu
* Shriram <shriram_...@persistent.co.in> [2008-10-17 09:48]:

> Let me clarify the use case below :
>
> 1.There's a web application running on my server.
>
> 2.The user ,on accessing this application, gets authenticated by some
> mechanism.The authentication isn't forced by Shibboleth IDP but by
>
> the application or probably the servlet container.
>
> 3.Now, after successful authentication, there's a html link that points to
> another web application.
>
> 4.This second web application is protected by my Shibboleth SP.
>
> 5.On clicking this link, I want the authenticated user to be ,first,
> directed to my Shibboleth IDP [so as to create the SAML assertion first].
>
> 6.The Shibboleth IDP should get the principal name from request and fetch
> all required attributes.
>
> 7.The Shibboleth IDP should then create a SAML assertion and forward this to
> the Shibboleth SP.
>
> 8.The Shibboleth SP will consume the SAML assertion and then forward the
> request to the second web application.

Either you can drop steps 1 and 2 completely (since they have nothing
to do with Shibboleth/SAML) but then users will have to authenticate
twice: once to the application/container, once to the IdP. Kind of
pointless.

Or there's a more fundamental misunderstanding: The IdP needs to
somehow authenticate the subject before handing out SAML
assertions. Passing it a principal name (or rather subject for the
IdP) in a request parameter will not make it hand out assertions.
The only way the IdP will accept external authentication is if the
authentication mechanism populates the IdP's REMOTE_USER environment.
See https://spaces.internet2.edu/display/SHIB2/IdPAuthRemoteUser
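To make the point above concrete, here is an added example (not from the thread and not Shibboleth code) that puts the request-parameter design next to a signed, audience-scoped assertion issued only for a container-authenticated REMOTE_USER. The key, SP entityID and attribute values are constructed for the demo, and an HMAC stands in for the XML-DSig a real IdP would use.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Constructed demo key standing in for the IdP signing key (assumption: real
# SAML uses XML-DSig with the IdP's private key and the SP verifies against
# the IdP certificate from metadata; an HMAC is used here only for brevity).
IDP_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # hypothetical SP entityID


def idp_issue_assertion(remote_user, attributes, now, lifetime=300):
    """IdP side: issue an assertion only for a subject the container has
    already authenticated (REMOTE_USER); a bare name in a query string
    never reaches this point."""
    if not remote_user:
        return None
    body = {
        "subject": remote_user,
        "audience": SP_ENTITY_ID,
        "attributes": attributes,  # values are lists: SAML attributes are multivalued
        "not_on_or_after": now + lifetime,
    }
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def sp_consume_assertion(assertion, now):
    """SP side: trust the subject and attributes only if the signature
    verifies, the audience is this SP and the assertion is unexpired."""
    payload = assertion["payload"].encode()
    expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None  # tampered, or not issued by this IdP
    body = json.loads(payload)
    if body["audience"] != SP_ENTITY_ID or now >= body["not_on_or_after"]:
        return None  # meant for another SP, or stale
    return body


def principal_from_request_parameter(query_string):
    """The design from the thread: the principal name read straight from a
    request parameter. There is nothing to verify, so any value is accepted."""
    return parse_qs(query_string).get("principal", [None])[0]
```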
