Shibboleth 1.3

Connecting SimpleSAMLphp SP to UK Access Federation and InCommon

A specific quickstart tutorial on how to connect simpleSAMLphp to distributed federations interacting with different versions of Shibboleth IdPs, using the new Shibboleth-friendly SAML SP module.

  • Version: $Id: simplesamlphp-ukaccess.txt 2209 2010-03-08 12:41:15Z andreassolberg $

This guide will describe how to configure simpleSAMLphp as a service provider (SP) supporting SAML 1.1 (shib1.3) and SAML 2.0 connecting it to a federation such as UK Access Federation or InCommon.

You should previously have installed simpleSAMLphp as described in the simpleSAMLphp installation instructions.

Configuring the SP

The SP is configured by an entry in config/authsources.php. If you copy the authsources.php configuration from config-templates, it contains a decent default setup.

Further details on configu...

SAML 2.0 Software Comparison

Screenshot of slides

Comparison and an overview of SAML 2.0 Software implementations for use in educational sector. Presentation held at EuroCAMP 2008 in Athens.


Shibboleth 1.3 Authentication Response

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-06-03T12:50:35.108Z"
    MajorVersion="1" MinorVersion="1"
    Recipient="http://dev.andreas.feide.no/simplesaml/shib13/sp/AssertionConsumerService.php"
    ResponseID="_8dc1067f5ec16e242dc4c205797bd00f">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_8dc1067f5ec16e242dc4c205797bd00f">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"

Configure Shibboleth 1.3 SP to work with simpleSAMLphp IdP

How to configure a Shibboleth 1.3 SP to work with a simpleSAMLphp IdP or bridge.

Document placeholder

not yet written.

Input welcome.

Service Provider's Guide to Feide Integration

This document is meant as a hand-out to new service providers who want to integrate their application with Feide authentication. It is targeted at technical people. It contains a large number of links, so you will be able to find more documentation on whatever is unclear.

Download document

Shibboleth 1.3 IdP support added to simpleSAMLphp

I've added support for Shibboleth 1.3 IdP functionality in simpleSAMLphp. That means you can set up an IdP with simpleSAMLphp, and Shibboleth 1.3 SPs will be able to communicate with this IdP.

The support is currently only in Subversion; there is no new release yet.

[ simpleSAMLphp project page (including download and svn access) ]

Public release of Shibboleth 1.3-compatible SP written in PHP

This version is outdated; a newer version of simpleSAMLphp exists. Please go to the simpleSAMLphp page to find the most recent version at the top.

I am happy to release in public some alpha code of a Shibboleth 1.3 SP written in PHP.

The product is called simpleSAMLphp, and is the same one I released as version 0.1 one week ago, but in this release I have added support for acting as a Shibboleth 1.3 SP. What does that mean? It means you can connect your PHP service to a Shibboleth 1.3 IdP by using this library.

simpleSAMLphp is used in a GÉANT project to bridge protocols between Feide and similar infrastructures in other countries.

Other news in version 0.2:

  • Added initial documentation about installation and configuration
  • Added a configuration parameter for a URL path prefix specifying where the SAML endpoints are installed.

Your IdP must be configured to use attribute push, and there is not yet any support for Shibboleth logout.

Shibboleth 1.3 SP implementation in PHP

Today, I validated an assertion from a Shibboleth 1.3 IdP and extracted the attributes. The implementation is in pure PHP5, with no shibd running in the background, and can be installed as an ordinary user (for example, you can have company.com/~andreas/shibboleth-sp). Currently it is a proof of concept. I'll be working on making it a usable SP for integrating PHP services. More updates will come. Contact me if you are interested in this product.

Open source? - Of course.

What is next? - To make my flexible identity-bridge complete, I need to implement a SAML 2.0 IdP. I'll try to make sure it can also be used as a stand-alone SAML 2.0 IdP, making it usable for small companies and universities that want a minimalistic IdP implementation. More info will come.

Attribute push in Shibboleth 1.2 SP

We are having some issues with getting attribute push working with Shibboleth 1.2 SP.

    for (unsigned int scount=0; scount < statements.size();) {
        // only an AttributeStatement passes the cast; anything else yields NULL
        SAMLAttributeStatement* s=dynamic_cast<SAMLAttributeStatement*>(statements[scount]);
        if (!s)
            continue;   // scount is not advanced before the next iteration

As you can see, scount is never incremented when the current statement is not an attribute statement. In attribute push you will have both attribute statements and authentication statements, so I cannot see how this can work.

What I really need is someone out there with an example XML document of an attribute push authentication response that is working with Shib 1.2 SP. I believe it exists as Shib 1.2 is supposed to support attribute push.

Thanks in advance!
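To make the non-progress behaviour concrete, here is an added example (not the post's code and not Shibboleth's): minimal stand-in statement classes, the loop in the shape quoted above with a guard that reports when the index stops advancing, and the fixed loop beside it. The class names and the `countAttributes*` helpers are assumptions for illustration; the statement list is constructed to mimic an attribute-push response (an authentication statement followed by an attribute statement).

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Stand-ins for the SAML 1.1 statement types (assumed names, not the
// OpenSAML classes); a virtual destructor makes dynamic_cast usable.
struct SAMLStatement { virtual ~SAMLStatement() = default; };
struct SAMLAuthenticationStatement : SAMLStatement {};
struct SAMLAttributeStatement : SAMLStatement {};

using StatementList = std::vector<std::unique_ptr<SAMLStatement>>;

// Loop in the shape quoted from the SP: scount is advanced only at the end
// of the body, so "continue" on a non-attribute statement re-examines the
// same element forever. The guard turns that spin into a -1 return value.
int countAttributesBuggy(const StatementList& statements) {
    int found = 0;
    std::size_t guard = 0;
    for (std::size_t scount = 0; scount < statements.size();) {
        if (++guard > statements.size() * 2)
            return -1;  // no progress: the real code would loop forever
        auto* s = dynamic_cast<SAMLAttributeStatement*>(statements[scount].get());
        if (!s)
            continue;   // scount is NOT incremented on this path
        ++found;
        ++scount;
    }
    return found;
}

// Fixed form: the index advances on every path, so authentication
// statements are simply skipped and the attribute statements are found.
int countAttributesFixed(const StatementList& statements) {
    int found = 0;
    for (std::size_t scount = 0; scount < statements.size(); ++scount) {
        auto* s = dynamic_cast<SAMLAttributeStatement*>(statements[scount].get());
        if (!s)
            continue;
        ++found;
    }
    return found;
}

// Constructed attribute-push response: AuthenticationStatement first,
// then one AttributeStatement, as a pushed response carries.
StatementList attributePushStatements() {
    StatementList list;
    list.push_back(std::make_unique<SAMLAuthenticationStatement>());
    list.push_back(std::make_unique<SAMLAttributeStatement>());
    return list;
}
```

A response that contains only attribute statements never reaches the `continue`, which is why the same loop works for attribute pull and only fails once an authentication statement is mixed in.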

Shibboleth 1.3 to SAML 2.0 Bridge

As we are waiting for Shibboleth 2.0... and waiting...

I decided to start the day by implementing a Shibboleth 1.3 IdP in PHP. By that I mean an entity able to issue assertions that Shibboleth 1.3 SPs can interpret. I did not care about writing a user interface or authentication towards an LDAP backend.

It was pretty straightforward, except for XML-DSig, which is nontrivial. I started with an assertion with a static NameID and some static attributes for testing. When I had it working, I integrated it with the OpenSSO PHP Extension to perform the authentication via our SAML 2.0 IdP. When the user returns after authenticating at Feide, I get the attributes and the NameID I need, so I wrap those into the SAML 1.1 AuthNResponse.

I configured a Shibboleth 1.3 SP with Apache 1.3 and mod_shib. I also installed PHP and wrote a simple attribute viewer showing all HTTP_SHIB* headers. I added metadata for my Shib IdP, and added all the Feide attributes in an ARP file.