Wednesday 22 September 2010

Configuring shibboleth IdP to talk to an Active Directory

For those of you implementing a Shibboleth IdP in an Active Directory environment, here is how the login.config and the LDAP configuration within attribute-resolver.xml should look.
When implementing our IdP I found lots of conflicting information on how it should be set up. We run a Windows Server 2008 R2 forest and domain functional level where all domain controllers are also global catalogues. I can confirm these settings work:


LDAP configuration in attribute-resolver.xml

    <!-- Example LDAP Connector -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://domain.suffix:3268" baseDN="dc=domain,dc=suffix" principal="idpserviceaccount@domain.suffix"
        principalCredential="passwordgoeshere">
        <FilterTemplate>
            <![CDATA[
                (sAMAccountName=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>

LDAP authentication configuration in login.config (this entry goes inside the ShibUserPassAuth { ... }; block that the IdP's UsernamePassword login handler reads):

    // Example LDAP authentication
    // See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
       host="domain.suffix"
       base="dc=domain,dc=suffix"
       port="3268"
       userField="sAMAccountName"
       subtreeSearch="true"
       serviceUser="serviceaccount@domain.suffix"
       serviceCredential="passwordgoeshere";

Note that over a plain ldap:// connection on 3268 the service account password and, because this login module binds to AD as the user to check the password, every user's password cross the network unencrypted. The global catalog over SSL/TLS is on port 3269 (ldaps://), and LDAP over SSL/TLS to a domain controller is on 636. Also remember that the global catalog only holds the partial attribute set, so an attribute that is not replicated to the GC will not come back through port 3268/3269.
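As an added example (not code from the post, and not part of Shibboleth or vt-ldap), the Python below does two offline checks on the settings above. It classifies an ldapURL, or a login.config host/port pair written as a URL, by the standard AD port assignments and flags plaintext connections, and it shows what RFC 4515 escaping of the value substituted into the FilterTemplate looks like, so you can compare it with the filter your IdP actually sends. The only facts assumed are the AD port numbers and the RFC 4515 escape set; the host and account names are the post's placeholders and the hostile login name is constructed for the demonstration.

```python
"""Added example (not code from the post): offline sanity checks for the
Shibboleth/AD LDAP settings. Host names are the post's placeholders."""
from urllib.parse import urlsplit

# Standard Active Directory LDAP ports. The global catalog (3268/3269) spans
# the whole forest but only holds the partial attribute set; a domain
# controller port (389/636) sees every attribute of its own domain.
PORT_ROLE = {
    389: ("domain controller", "ldap"),
    636: ("domain controller", "ldaps"),
    3268: ("global catalog", "ldap"),
    3269: ("global catalog", "ldaps"),
}


def classify_ldap_url(url):
    """Describe a Shibboleth ldapURL: where it points and whether it is encrypted.

    The login.config host/port pair can be checked the same way by writing it
    as ldap://host:port.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    # ldap:// defaults to 389 and ldaps:// to 636 when no port is given.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    role, expected_scheme = PORT_ROLE.get(port, ("unknown", None))
    info = {
        "host": parts.hostname,
        "port": port,
        "role": role,
        "encrypted": parts.scheme == "ldaps",
        "warnings": [],
    }
    if expected_scheme and expected_scheme != parts.scheme:
        info["warnings"].append(
            "scheme %s does not match the usual use of port %d" % (parts.scheme, port))
    if not info["encrypted"]:
        # The service-account bind and (for login.config) each user's password
        # bind all travel in clear over ldap://.
        info["warnings"].append(
            "plaintext LDAP: service account and user passwords cross the "
            "network unencrypted; prefer ldaps:// on port %d"
            % (3269 if role == "global catalog" else 636))
    return info


# RFC 4515 escapes for the characters that would change a filter's meaning.
# One pass over the string, so a backslash is never escaped twice.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(principal):
    """What the FilterTemplate above should evaluate to for a given login name."""
    return "(sAMAccountName=%s)" % escape_filter_value(principal)


if __name__ == "__main__":
    for url in ("ldap://domain.suffix:3268", "ldaps://domain.suffix:3269"):
        print(url, classify_ldap_url(url))
    # Second name is a constructed hostile value: unescaped it would close the
    # sAMAccountName clause and match every object in the search base.
    for name in ("jsmith", "*)(objectClass=*"):
        print(repr(name), "->", user_filter(name))
```

The hostile name shows why the substitution in the FilterTemplate matters: unescaped, `*)(objectClass=*` turns a lookup for one account into `(sAMAccountName=*)(objectClass=*)`, so whatever your IdP version does with `$requestContext.principalName`, the escaped form is the one you want to see on the wire.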


2 comments:

  1. Marc, I can't thank you enough. I see this post is a couple years old but it really helped me out. I have been through all the shib docs and list, university docs, msad docs and tried so many variations I just kept circling but couldn't seem to land. I can finally continue forward with my project and get some sleep.
    Thanks again.
    Bonnie

    1. Hi Bonnie,

      Really glad it helped you - I had similar evenings of bashing my head against a brick wall trying to get this to work, so I felt I should share it.

      I have a couple of other posts on getting the attributes from AD security groups that may interest you.

      Good luck with your implementation

      Marc
