FreeKB - How to setup username and password authentication in Shibboleth


Shibboleth includes a default login page.

 

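The $shibboleth_home/conf/login.config file configures the authentication method. For example, let's say you want to authenticate against an LDAP server. In the block below, tls="true" tells the login module to use StartTLS on the ldap:// connection, so passwords are not sent to the directory in clear text.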

ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://ldap1.example.com:389 ldap://ldap2.example.com:389"
      baseDn="ou=people,dc=example,dc=com"
      tls="true"
      userFilter="uid={0}";
};

 

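In $shibboleth_home/conf/attribute-resolver.xml, add your LDAP server information again, this time with the DN (principal) and password (principalCredential) that the IdP binds with. The password is stored in clear text in this file, so restrict who can read the file and bind with a dedicated read-only service account rather than a personal one.

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
  ldapURL="ldap://ldap.example.com"
  baseDN="ou=people,dc=example,dc=com"
  principal="uid=john.doe,ou=people"
  principalCredential="john does password">
  <!-- child elements (such as the search filter) are omitted here -->
</resolver:DataConnector>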

 

By default, the UsernamePassword section of the $shibboleth_home/conf/handler.xml file is commented out. Remove the comments to enable username and password authentication.

<ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

 

You will probably want to set Shibboleth logging to ALL if you are setting this up for the first time so that the LDAP events are written to idp-process.log.

Restart the Tomcat application server that idp.war has been deployed to, and then check idp-process.log. Be aware that it can take a while (5 minutes or longer) for Tomcat to bring up the app. This may be some issue with Shibboleth and LDAP. Once the app is up, here is a sample of a failed authentication attempt due to an invalid LDAP DN.

Search for user: john.doe@example.com failed using filter: uid={0}
Authentication failed
javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn

 

On the other hand, this is an example of a successful authentication attempt.

Authentication succeeded for dn: uid=john.doe,ou=people,dc=example,dc=com

 

Do not be too surprised or worried if you get an error after signing in. This is quite common when first setting up Shibboleth, and simply means that you have not yet assembled all of the pieces (IdP, SP, app server, LDAP, et cetera). As long as the log has "Authentication succeeded", you are well on your way.
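
One way to check idp-process.log for the outcomes described above, as an added example that is not part of the original article or of Shibboleth itself. It matches the three message texts quoted on this page, counts failures per login name and successes per DN, and flags a login name with a domain part being searched with a uid filter. The function names and the timestamp/level prefix on the sample lines are assumptions.

```python
import re
from collections import Counter

# Message texts are the ones quoted on this page; the timestamp/level prefix
# on the constructed sample lines below is an assumption about the log layout.
SEARCH_FAILED = re.compile(r"Search for user: (\S+) failed using filter: (\S+)")
AUTH_FAILED = re.compile(r"Authentication failed\b")
AUTH_OK = re.compile(r"Authentication succeeded for dn: (\S+)")

def summarize(lines):
    """Return (failures per login name, successes per DN, troubleshooting hints)."""
    failures, successes, hints = Counter(), Counter(), set()
    pending = None  # login name from the most recent failed search
    for line in lines:
        if m := SEARCH_FAILED.search(line):
            pending, ldap_filter = m.group(1), m.group(2)
            if "@" in pending and ldap_filter.startswith("uid="):
                hints.add(f"{pending}: login name has a domain part "
                          f"but the filter is {ldap_filter}")
        elif AUTH_FAILED.search(line):
            # The failure line carries no user, so attribute it to the last
            # failed search (best effort; concurrent logins can interleave).
            failures[pending or "<unknown>"] += 1
            pending = None
        elif m := AUTH_OK.search(line):
            successes[m.group(1)] += 1
            pending = None
    return failures, successes, hints

def repeated_failures(failures, threshold=3):
    """Login names with at least `threshold` failures, for follow-up."""
    return sorted(user for user, n in failures.items() if n >= threshold)

# Constructed sample, not real log output.
SAMPLE = """\
10:01:02 INFO Search for user: john.doe@example.com failed using filter: uid={0}
10:01:02 INFO Authentication failed
10:01:02 ERROR javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn
10:02:10 INFO Authentication succeeded for dn: uid=john.doe,ou=people,dc=example,dc=com
10:03:00 INFO Authentication failed
""".splitlines()

if __name__ == "__main__":
    failures, successes, hints = summarize(SAMPLE)
    print(dict(failures), dict(successes), sorted(hints), sep="\n")
```

To run it against a real log, pass the lines of the opened idp-process.log to summarize() in place of SAMPLE.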


