Configure single sign-on (SSO) from Shibboleth to CloudSSO.
Before you begin
Install Shibboleth, Tomcat, and an LDAP server.
The Shibboleth configurations in this topic are suggestions to help you understand the end-to-end CloudSSO SSO configuration process. Alibaba Cloud does not provide consulting services for Shibboleth configuration.
Step 1: Get SAML SP metadata from Alibaba Cloud
- Log on to the CloudSSO console.
- In the left-side navigation pane, click Settings.
- In the SSO Logon section, download the service provider (SP) metadata file and save it to /opt/shibboleth-idp/metadata/aliyun-cloudsso-metadata.xml. Save the Entity ID of the SP for later use.
Step 2: Register Alibaba Cloud with Shibboleth
Configure the /opt/shibboleth-idp/conf/metadata-providers.xml file to specify the metadata file from Step 1: Get SAML SP metadata from Alibaba Cloud and register Alibaba Cloud with Shibboleth.
<!--
<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-->
<!-- Replace the preceding commented code with the following code. -->
<MetadataProvider id="AliyunMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/aliyun-cloudsso-metadata.xml"/>
Step 3: Configure user attributes from Shibboleth
- Modify the /opt/shibboleth/conf/services.xml file. The default configuration uses the attribute-resolver.xml file, which is insufficient. To enable the complete configuration, replace it with attribute-resolver-full.xml.

  <value>%{idp.home}/conf/attribute-resolver.xml</value>
  <!-- Replace the preceding code with the following code. -->
  <value>%{idp.home}/conf/attribute-resolver-full.xml</value>

- Modify the /opt/shibboleth/conf/attribute-resolver-full.xml file.
  - In the file, configure which attributes are returned with user information. In this example, the mail attribute is returned.

    <!-- ========================================== -->
    <!-- Attribute Definitions -->
    <!-- ========================================== -->
    <!-- Schema: Core schema attributes-->
    <!-- Add the following code after the preceding comments. -->
    <AttributeDefinition xsi:type="Simple" id="mail">
        <InputDataConnector ref="myLDAP" attributeNames="mail" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
    </AttributeDefinition>

  - In the file, read the settings from /opt/shibboleth/conf/ldap.properties to create the LDAP connection.

    <!-- Example LDAP Connector -->
    <!--
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
        ...
    </DataConnector>
    -->
    <!-- Replace the preceding example code with the following code. -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
    </DataConnector>

- Modify the /opt/shibboleth/conf/attribute-filter.xml file to add an attribute filter. In the PolicyRequirementRule tag, replace the value attribute with the Alibaba Cloud entityID from Step 1: Get SAML SP metadata from Alibaba Cloud.

  <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
      xmlns="urn:mace:shibboleth:2.0:afp"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
  <!-- Add the following code after the preceding code. -->
  <AttributeFilterPolicy id="aliyun">
      <PolicyRequirementRule xsi:type="Requester" value="[entityID]" />
      <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
  </AttributeFilterPolicy>
Step 4: Configure the SAML NameID
- Modify the /opt/shibboleth/conf/relying-party.xml file to configure the NameID for Alibaba Cloud. In the bean tag, replace the relyingPartyIds attribute with the Alibaba Cloud entityID from Step 1: Get SAML SP metadata from Alibaba Cloud.

  <!-- Override example that identifies a single RP by name and configures it
       for SAML 2 SSO without encryption. This is a common "vendor" scenario. -->
  <!--
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
      <property name="profileConfigurations">
          <list>
              <bean parent="SAML2.SSO" p:encryptAssertions="false" />
          </list>
      </property>
  </bean>
  -->
  <!-- Replace the preceding commented code with the following code. -->
  <bean parent="RelyingPartyByName" c:relyingPartyIds="[entityID]">
      <property name="profileConfigurations">
          <list>
              <bean parent="SAML2.SSO" p:encryptAssertions="false"
                    p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
          </list>
      </property>
  </bean>

- Modify the /opt/shibboleth/conf/saml-nameid.xml file to configure NameID generation.

  <!-- Uncomment the following two beans to enable them. -->
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:omitQualifiers="true"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'mail'} }" />
  <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
      p:omitQualifiers="true"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'mail'} }" />

- Modify the /opt/shibboleth/conf/saml-nameid.properties file to configure NameID properties.

  idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  idp.persistentId.useUnfilteredAttributes = true
  idp.persistentId.encoding = BASE32
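Once Steps 3 and 4 are applied, the assertion Shibboleth issues to CloudSSO should carry an emailAddress-format NameID sourced from the mail attribute, plus the mail attribute itself. The following added check (not part of this topic or of Shibboleth) parses an assertion captured from the IdP (for example from a browser SAML tracer or from debug output in idp-process.log) and reports the same conditions the FAQ below describes; the sample assertion is constructed, with signature and conditions omitted.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # SAML2 name of the mail attribute (Step 3)

def inspect_assertion(assertion_xml: str) -> dict:
    """Pull out what CloudSSO relies on: the Subject NameID, its Format, and the mail values."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    mail_values = [
        v.text
        for attr in root.iter(f"{{{SAML2}}}Attribute")
        if attr.attrib.get("Name") == MAIL_OID
        for v in attr.findall(f"{{{SAML2}}}AttributeValue")
    ]
    return {
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.attrib.get("Format"),
        "mail": mail_values,
    }

def assertion_problems(assertion_xml: str) -> list:
    """Return findings as strings; an empty list means the assertion matches Steps 3 and 4."""
    info = inspect_assertion(assertion_xml)
    problems = []
    if not info["name_id"]:
        problems.append("NameID missing: check the saml-nameid.xml generators and that mail is released")
    elif info["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format is {info['name_id_format']}, expected {EMAIL_FORMAT}")
    if not info["mail"]:
        problems.append("mail attribute absent: check attribute-resolver-full.xml and attribute-filter.xml")
    return problems

# Constructed sample assertion using the example username from Step 7.
GOOD_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_constructed1" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="{EMAIL_FORMAT}">testUser@testdomain.alicloud.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{MAIL_OID}" FriendlyName="mail">
      <saml2:AttributeValue>testUser@testdomain.alicloud.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
# Same assertion with the NameID line dropped, reproducing the "The NameID is missing" case.
NO_NAMEID_ASSERTION = "\n".join(l for l in GOOD_ASSERTION.splitlines() if "NameID" not in l)
```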
Step 5: Get SAML IdP metadata from Shibboleth
- Restart Tomcat to apply your changes.
- Access https://<your_server_address>/idp/shibboleth and save the metadata file to your local computer.
Step 6: Enable SSO in CloudSSO
- In the left-side navigation pane of the CloudSSO console, click Settings.
- In the SSO Logon section, click Configure IdP.
- In the Configure IdP dialog box, select Upload Metadata File.
- Click Upload File and upload the IdP metadata file from Step 5: Get SAML IdP metadata from Shibboleth.
- Turn on the SSO switch to enable SSO.

Note: After you enable SSO logon, username and password logon is disabled. This means CloudSSO users can no longer sign in with their platform credentials. Once enabled, all users must sign in through your identity provider.
Step 7: Create a user in CloudSSO
Create a user in CloudSSO with the same name as the corresponding user in Shibboleth.
- In the left-side navigation pane of the CloudSSO console, choose .
- On the User page, click Create User.
- In the Create User panel, enter a Username. In this example, the username is testUser@testdomain.alicloud.com.
- Set the user status to Enabled.
- Click Close.
(Optional) Step 8: Assign permissions to the user
To allow users to access resources in specific Resource Directory member accounts after SSO, create a permission set and grant the user access to those accounts.
- Create a permission set in CloudSSO to define policies. For more information, see Create a permission set.
- Grant the user access to the member accounts. For more information, see Grant access to a member account.
Verify the result
You can initiate SSO from either Alibaba Cloud or Shibboleth.
- Initiate SSO from Alibaba Cloud
  - On the Overview page of the CloudSSO console, copy the user logon URL.
  - Open the URL in a new browser.
  - The SSO Login page is displayed with the Enterprise Account Login URL field automatically filled in. Click Go. You are automatically redirected to the Shibboleth logon page.
  - On the Shibboleth logon page, enter the username (testUser) and password, and then click Log On. The system automatically logs you on with SSO and redirects you to the CloudSSO user portal.
  - Access the resources in the member accounts to which you have permissions.
- Initiate SSO from Shibboleth
  - Access https://<your_server_address>/idp/profile/SAML2/Unsolicited/SSO?providerId=<entityID>. Replace <entityID> in the URL with the Alibaba Cloud entityID from Step 1: Get SAML SP metadata from Alibaba Cloud.
  - On the Shibboleth logon page, enter the username (testUser) and password, and then click Log On. The system automatically logs you on with SSO and redirects you to the CloudSSO user portal.
  - Access the resources in the member accounts to which you have permissions.
FAQ
If you encounter issues during verification, check the /opt/shibboleth-idp/logs/idp-process.log file. The following are common issues:
Error after successful Shibboleth logon
Check the error message in the /opt/shibboleth-idp/logs/idp-process.log file. If the error is related to ValidateUsernamePassword, check your LDAP connection settings and deployment. Ensure that you have uncommented the required sections and that there are no extra spaces.
Logon fails with "unable to connect to the ldap" error
Check the LDAP connection settings in the ldap.properties and attribute-resolver-full.xml files.
Redirect error: "The NameID is missing"
Verify that you correctly mapped the mail attribute from the user information in Step 3: Configure user attributes from Shibboleth. Also, verify that the NameID is configured correctly in Step 4: Configure the SAML NameID.
Access error: "Unsupported Request" on https://<your_server_address>/idp/profile/SAML2/Unsolicited/SSO?providerId=<entityID>
Check whether the entityID is configured correctly. The entityID must be consistent across three locations: the metadata file in the metadata folder, the attribute-filter.xml file, and the relying-party.xml file.
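The three-way consistency check above (SP metadata from Step 2, attribute-filter.xml from Step 3, relying-party.xml from Step 4) can be automated before restarting Tomcat. The following added script is not part of this topic or of Shibboleth; it assumes the standard namespaces of the three files (SAML metadata, Shibboleth AFP, Spring beans with the c: namespace) and that c:relyingPartyIds holds a single plain string, as in Step 4. The file fragments are constructed samples, with a deliberate typo in the relying-party one.

```python
import xml.etree.ElementTree as ET

# Namespaces of the three files: SAML metadata, Shibboleth AFP, Spring beans.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
AFP = "urn:mace:shibboleth:2.0:afp"
BEANS = "http://www.springframework.org/schema/beans"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
C_RP_IDS = "{http://www.springframework.org/schema/c}relyingPartyIds"

def sp_entity_id(metadata_xml: str) -> str:
    """entityID from the downloaded SP metadata (EntityDescriptor root)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    return root.attrib["entityID"]

def filter_requesters(filter_xml: str) -> set:
    """Requester values of PolicyRequirementRule elements in attribute-filter.xml."""
    root = ET.fromstring(filter_xml)
    return {r.attrib["value"] for r in root.iter(f"{{{AFP}}}PolicyRequirementRule")
            if r.attrib.get(XSI_TYPE) == "Requester"}

def relying_party_ids(rp_xml: str) -> set:
    """relyingPartyIds of RelyingPartyByName beans in relying-party.xml (plain-string form)."""
    root = ET.fromstring(rp_xml)
    return {b.attrib[C_RP_IDS] for b in root.iter(f"{{{BEANS}}}bean")
            if b.attrib.get("parent") == "RelyingPartyByName" and C_RP_IDS in b.attrib}

def check_entity_id(metadata_xml: str, filter_xml: str, rp_xml: str) -> list:
    """Return the mismatches found; an empty list means all three files agree."""
    eid = sp_entity_id(metadata_xml)
    problems = []
    if eid not in filter_requesters(filter_xml):
        problems.append(f"attribute-filter.xml: no Requester rule for {eid}")
    if eid not in relying_party_ids(rp_xml):
        problems.append(f"relying-party.xml: no RelyingPartyByName bean for {eid}")
    return problems

# Constructed sample fragments; the relying-party one carries a deliberate typo.
SP_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
               'entityID="https://example-cloudsso.invalid/sp"/>')
ATTR_FILTER = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><AttributeFilterPolicy id="aliyun">
  <PolicyRequirementRule xsi:type="Requester" value="https://example-cloudsso.invalid/sp"/>
  <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
</AttributeFilterPolicy></AttributeFilterPolicyGroup>"""
RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:c="http://www.springframework.org/schema/c"><bean parent="RelyingPartyByName"
  c:relyingPartyIds="https://example-cloudsso.invalid/sp-typo"/></beans>"""
```

To run it against a live deployment, read the three files from /opt/shibboleth-idp/metadata and /opt/shibboleth/conf and pass their contents to check_entity_id.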
Redirect error: "The response signature is invalid"
Upload the Shibboleth metadata file to Alibaba Cloud again.