Implement user-based SSO by using Shibboleth - Resource Access Management

This topic provides an example on how to implement user-based single sign-on (SSO) between Shibboleth and Alibaba Cloud. The example describes the end-to-end SSO process between a cloud identity provider (IdP) and Alibaba Cloud.

Preparations

Install Shibboleth, Apache Tomcat, and a Lightweight Directory Access Protocol (LDAP)-authenticated server.
Configure the LDAP-authenticated server.
Create two accounts for subsequent use. First, create an administrator account on the LDAP-authenticated server. The distinguished name (DN) of the administrator account is uid=admin,ou=system, and the password is secret.
Then, create a test account on the LDAP-authenticated server. The DN of the test account is cn=Test User,ou=users,dc=wimpi,dc=net, and the password is secret. The following figure shows the detailed information.
The following section describes the user information fields:
- mail: the logon name of the Resource Access Management (RAM) user.
- memberof: the name of the RAM role.
- samaccountname: the username of the account that is used to log on to Shibboleth.
- userpassword: the password of the account that is used to log on to Shibboleth.

Configure Shibboleth to connect to the LDAP-authenticated server.

Modify the following content in the /opt/shibboleth-idp/conf/ldap.properties file:

# The LDAP authentication mode.
idp.authn.LDAP.authenticator = bindSearchAuthenticator

# The address of the LDAP-authenticated server.
idp.authn.LDAP.ldapURL=ldaps://[The address of the LDAP-authenticated server]:389

# Disable Transport Layer Security (TSL) and Transport Layer Security (SSL).
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false

# The directory tree for search.
idp.authn.LDAP.baseDN = dc=wimpi,dc=net
idp.authn.LDAP.subtreeSearch = true
# The logon matching rule. The user information field samaccountname is used to log on to the LDAP-authenticated server. 
idp.authn.LDAP.userFilter= (samaccountname={user})

# The username and password of the admin account that you created.
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = secret

idp.attribute.resolver.LDAP.searchFilter =(samaccountname=$resolutionContext.principal)

Note

The configurations of Shibboleth that are described in this topic are suggestions and used only to help you understand the end-to-end SSO process from Shibboleth to Alibaba Cloud. Alibaba Cloud does not provide consulting services for the configurations of Shibboleth.

Step 1: Download the SAML SP metadata file of Alibaba Cloud

Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, choose Integrations > SSO.
On the SSO tab, click the User-based SSO tab.
In the Setup SSO section, copy the value of the SAML Service Provider Metadata URL parameter.
Open a new tab in your browser and paste the URL in the address bar. On the page that appears, right-click the page and select Save As to download the metadata file in the XML format and save the file as /opt/shibboleth-idp/metadata/aliyun-ram-user-metadata.xml.
Note
The XML file contains the information that is required to configure Alibaba Cloud as a Security Assertion Markup Language (SAML) service provider (SP). Record the value of entityID in the EntityDescriptor element for subsequent configurations in Shibboleth.

Step 2: Register Alibaba Cloud with Shibboleth

Configure the metadata file that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud in the /opt/shibboleth-idp/conf/metadata-providers.xml file to register Alibaba Cloud with Shibboleth.

<!--
    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-->

<!-- Find the code that is displayed in the preceding line in the file and replace the code with the code that is displayed in the following line. -->

<MetadataProvider id="AliyunMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/aliyun-ram-user-metadata.xml"/>

Step 3: Configure the user attributes that are returned by Shibboleth

Modify the /opt/shibboleth/conf/services.xml file.
The original configuration file contains the attribute-resolver.xml field and does not provide complete configuration information. You must replace the field with the attribute-resolver-full.xml field to provide complete configuration information.
```
<value>%{idp.home}/conf/attribute-resolver.xml</value>

<value>%{idp.home}/conf/attribute-resolver-full.xml</value>
```

Modify the /opt/shibboleth/conf/attribute-resolver-full.xml file.

Configure the user attributes that are returned by Shibboleth in the /opt/shibboleth/conf/attribute-resolver-full.xm file. In this example, the mail field is used as an user attribute.

<!-- ========================================== -->
<!--      Attribute Definitions                 -->
<!-- ========================================== -->

<!-- Schema: Core schema attributes-->

<!-- Find the code that is displayed in the preceding line in the file and append the code that is displayed in the following line. -->

<AttributeDefinition xsi:type="Simple" id="mail">
    <InputDataConnector ref="myLDAP" attributeNames="mail" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>

Read the configuration information that is contained in /opt/shibboleth/conf/ldap.properties in the file to establish a connection to the LDAP server.

<!-- Example LDAP Connector -->
<!--
	<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
		ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
		baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
		principal="%{idp.attribute.resolver.LDAP.bindDN}"
		principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
		useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
		...
	</DataConnector>
-->

<!-- Find the code that is displayed in the preceding line in the file and replace the code with the code that is displayed in the following line. -->

<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
			   ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
			   baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
			   principal="%{idp.attribute.resolver.LDAP.bindDN}"
			   principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
			   useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
			   connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
			   responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
	<FilterTemplate>
		<![CDATA[
				%{idp.attribute.resolver.LDAP.searchFilter}
			]]>
	</FilterTemplate>
</DataConnector>

Add an attribute filter to the /opt/shibboleth/conf/attribute-filter.xml file.

Replace the value attribute in the PolicyRequirementRule tag with the Entity ID that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud.

<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
							xmlns="urn:mace:shibboleth:2.0:afp"
							xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
							xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
	
<!-- Find the code that is displayed in the preceding line in the file and append the code that is displayed in the following line. -->
	
<AttributeFilterPolicy id="aliyun">
	<PolicyRequirementRule xsi:type="Requester" value="[entityID]" />
	<AttributeRule attributeID="mail">
		<PermitValueRule xsi:type="ANY" />
	</AttributeRule>
</AttributeFilterPolicy>

Step 4: Configure the NameID attribute in the SAML response

Configure the NameID attribute in the /opt/shibboleth/conf/relying-party.xml file.

Replace the relyingPartyIds attribute in the bean tag with the Entity ID that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud.

<!--
	Override example that identifies a single RP by name and configures it
	for SAML 2 SSO without encryption. This is a common "vendor" scenario.
-->
<!--
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
	<property name="profileConfigurations">
		<list>
			<bean parent="SAML2.SSO" p:encryptAssertions="false" />
		</list>
	</property>
</bean>
-->

<!-- Find the code that is displayed in the preceding line in the file and replace the code with the code that is displayed in the following line. -->

<bean parent="RelyingPartyByName" c:relyingPartyIds="[entityID]">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </list>
    </property>
</bean>

Configure the generation method of the NameID attribute in the /opt/shibboleth/conf/saml-nameid.xml file.

<!-- Find the following code. Comment out the code to make the configuration into effect.-->

<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'mail'} }" />

<bean parent="shibboleth.SAML1AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'mail'} }" />

Configure information about the NameID attribute in /opt/shibboleth/conf/saml-nameid.properties.

idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
idp.persistentId.useUnfilteredAttributes = true
idp.persistentId.encoding = BASE32

Step 5: Obtain the metadata file of the SAML IdP in Shibboleth

Restart Apache Tomcat to allow the preceding configurations to take effect.
Access https://<The IP address of the LDAP server>/idp/shibboleth and save the metadata file to your computer.

Step 6: Enable user-based SSO in the Alibaba Cloud Management Console

In the left-side navigation pane of the RAM console, choose Identities > Roles.
On the SSO tab, click the User-based SSO tab.
Click Edit to the right of Setup SSO.
In the SSO Status section of the SSO Settings panel, click Enabled.
Note
User-based SSO takes effect on all RAM users in your Alibaba Cloud account. If you enable this feature, all RAM users in your Alibaba Cloud account must log on to the Alibaba Cloud Management Console by using SSO. If you use a RAM user, set the SSO Status parameter to Disabled in this step. Before you enable user-based SSO, you must complete the SSO settings for the RAM user. Otherwise, you cannot log on as the RAM user. To avoid this issue, you can also use your Alibaba Cloud account to configure user-based SSO.
In the Metadata File section, click Upload File to upload the metadata file that you obtained in Step 5: Obtain the metadata file of the SAML IdP in Shibboleth.
Select Enabled for Auxiliary Domain Name. In the field that appears, enter the domain name of the email address that you use as the Shibboleth username.
In this example, enter testdomain.alicloud.com.
Click OK.

Step 7: Create a RAM user in the Alibaba Cloud Management Console

In the left-side navigation pane of the RAM console, choose Identities > Users.
On the Users page, click Create User.
On the Create User page, configure the Logon Name and Display Name parameters.
Note
Make sure that the logon name and Shibboleth username must contain the same prefix. In this example, the prefix of the logon name is testUser.
In the Access Mode section, select Console Access and configure the parameters.
Click OK.

Verify the configuration results

After you complete the preceding configurations, you can initiate SSO from Alibaba Cloud or Shibboleth.

Initiate SSO from Alibaba Cloud
1. Log on to the RAM console with your Alibaba Cloud account. On the Overview page, copy the logon URL of a RAM user.
2. Move the pointer over the profile picture in the upper-right corner of the page and click Log Out. Then, paste the logon URL in the address bar of your browser and press Enter. You can also access the URL on a new tab.
3. Click Login with Organization Account. You are redirected to the logon page of Shibboleth.
4. On the logon page of Shibboleth, enter the username testUser and its password and click Log On.
  After the logon succeeds, you are redirected to the homepage of the Alibaba Cloud Management Console.
Initiate SSO from Shibboleth
1. Access https://<The IP address of the LDAP server>/idp/profile/SAML2/Unsolicited/SSO?providerId=<entityID>.
  Replace <entityID> with the Entity ID that you obtained in Step 1: Download the SAML SP metadata file of Alibaba Cloud.
2. On the logon page of Shibboleth, enter the username testUser and its password and click Log On.
  After the logon succeeds, you are redirected to the homepage of the Alibaba Cloud Management Console.

FAQ

If issues occur when you verify the configuration results, you can identify the issues by using the /opt/shibboleth-idp/logs/idp-process.log file. The following section provides answers to some frequently asked questions:

What do I do if an exception occur when I use a valid username and password to log on to Shibboleth?

View the error message in the /opt/shibboleth-idp/logs/idp-process.log file. If the ValidateUsernamePassword error message is displayed, view the connection configurations and deployment of your LDAP server. Make sure the code that must be commented out are commented out and that no extra spaces exist.

What do I do if the system does not respond when I log on to Shibboleth and the `unable to connect to the ldap` error message is displayed?

Check whether the connection configurations of your LDAP server in the ldap.properties and attribute-resolver-full.xml files are correct.

What do I do if the `The NameID is missing` error message is displayed when I am redirected to Alibaba Cloud?

Check whether the mail field is correctly mapped as an attribute in Step 3: Configure the user attributes that are returned by Shibboleth. Check whether the NameID attribute is correctly configured in Step 4: Configure the NameID attribute in the SAML response.

What do I do if the `Unsupported Request` error message is displayed when I access `https://<The IP address of your LDAP server>/idp/profile/SAML2/Unsolicited/SSO?providerId=<entityID>`?

Check whether the entityId field is correctly specified. Make sure that the value of the entityId field in the metadata file, attribute-filter.xml file, and relying-party.xml file are the same.

What do I do if the `The response signature is invalid` error message is displayed when I am redirected to Alibaba Cloud?

Re-upload the metadata file of Shibboleth to Alibaba Cloud.