Integration with OnePass on Linux (CUHK Login via ADFS)


The information on this page will help you install and use Shibboleth for authentication and integration with OnePass on a Linux, Windows or other server.


1. Requirements
  • Service Provider using Linux versions below
    – Red Hat Enterprise Linux and CentOS 5, 6, 7
    – SUSE Linux Enterprise Server 10, 11, 11-SP1, 11-SP2, 11-SP3, 11-SP4, 12, 12-SP1
    – OpenSUSE Linux 13.1, 13.2
  • Apache is started with SSL enabled
  • The signing algorithm for the federation should be SHA256
  • The application server time must be kept accurate (e.g. synchronised with NTP)
  • The logout button should also sign out the global OnePass session, not only the application session
2. Shibboleth Installation


3. Basic Configuration of Shibboleth (/etc/shibboleth/shibboleth2.xml)
  • The default configuration files are installed in /etc/shibboleth/
  • The Apache configuration file for Shibboleth is /etc/httpd/conf.d/shib.conf
  • In /etc/shibboleth, update the following in shibboleth2.xml:
    – ApplicationDefaults: change entityID="sp.example.org" to your application hostname, change REMOTE_USER="NameID", and add signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" digestAlg="SHA256"
      e.g. <ApplicationDefaults entityID="https://abc.cuhk.edu.hk/shibboleth" REMOTE_USER="eppn persistent-id NameID" signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" digestAlg="SHA256">
    – Sessions: set lifetime="28800" and timeout="1200"
    – SSO: set entityID to the OnePass entityID for the environment you are integrating with:
      Testing: http://ststest.itsc.cuhk.edu.hk/adfs/services/trust
      UAT: http://stsu.itsc.cuhk.edu.hk/adfs/services/trust
      Production: http://sts.cuhk.edu.hk/adfs/services/trust
    – Handler: type should be "MetadataGenerator"; set signing="true" so the generated SP metadata is signed
    – Errors: set supportContact to a valid email address for the person managing the SP configuration
    – MetadataProvider: set uri to the OnePass federation metadata for the same environment as the SSO entityID:
      Testing: https://ststest.itsc.cuhk.edu.hk/federationmetadata/2007-06/federationmetadata.xml
      UAT: https://stsu.itsc.cuhk.edu.hk/federationmetadata/2007-06/federationmetadata.xml
      Production: https://sts.cuhk.edu.hk/federationmetadata/2007-06/federationmetadata.xml
  • Restart shibd after configuration, and check any error at /var/log/shibboleth/
  • Sample shibboleth2.xml for Linux host and OnePass testing environment
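The elements listed above assembled into one file, as an added example (this is not the page's sample shibboleth2.xml and not an ITSC file): a trimmed shibboleth2.xml for a Shibboleth SP 2.x host pointed at the OnePass testing environment. The hostname abc.cuhk.edu.hk and the support address are placeholders. The elements not mentioned on this page (Logout, Status and Session handlers, the attribute and credential resolvers, the policy providers) are the stock defaults and are included only so the file is complete. The comment on RequireValidUntil is a caveat about the stock configuration and is not something this page states.

```xml
<!-- Constructed example: the shibboleth2.xml settings from section 3, filled in
     for the OnePass testing environment. Hostname and contact are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

    <!-- entityID is your SP's own name; REMOTE_USER is filled from the first of the
         listed ids that is present; SHA-256 signing and digest for the federation -->
    <ApplicationDefaults entityID="https://abc.cuhk.edu.hk/shibboleth"
                         REMOTE_USER="eppn persistent-id NameID"
                         signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
                         digestAlg="SHA256">

        <!-- 8 h maximum session lifetime, 20 min idle timeout,
             handlers and session cookie restricted to HTTPS -->
        <Sessions lifetime="28800" timeout="1200" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <!-- OnePass testing IdP; use the UAT or production entityID together
                 with the matching MetadataProvider uri below -->
            <SSO entityID="http://ststest.itsc.cuhk.edu.hk/adfs/services/trust">
                SAML2
            </SSO>

            <!-- stock logout handler (local SP session, plus SAML2 logout if available) -->
            <Logout>SAML2 Local</Logout>

            <!-- signed SP metadata served at https://abc.cuhk.edu.hk/Shibboleth.sso/Metadata -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="true"/>

            <!-- stock diagnostic handlers, local access only -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>

        <!-- contact shown on SP error pages: the person managing this SP -->
        <Errors supportContact="sp-admin@abc.cuhk.edu.hk"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- OnePass federation metadata for testing, cached on disk and
             refreshed every 2 hours -->
        <MetadataProvider type="XML"
                          uri="https://ststest.itsc.cuhk.edu.hk/federationmetadata/2007-06/federationmetadata.xml"
                          backingFilePath="onepass-test-metadata.xml"
                          reloadInterval="7200">
            <!-- Caveat (not from this page): the stock file places a
                 <MetadataFilter type="RequireValidUntil" .../> here. ADFS metadata
                 carries no validUntil attribute, so that filter must be removed
                 or shibd rejects the OnePass metadata at load time. -->
        </MetadataProvider>

        <!-- stock attribute handling: mappings from section 4 live in attribute-map.xml -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <!-- stock SP signing/encryption key pair generated at install time -->
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

When moving to UAT or production, change the SSO entityID and the MetadataProvider uri together, restart shibd, and read /var/log/shibboleth/shibd.log for metadata or configuration errors before testing; the signed metadata the OnePass team imports is then served at https://{yourhostname}/Shibboleth.sso/Metadata.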


4. Modification for Attributes Mapping (/etc/shibboleth/attribute-map.xml)
  • Core attributes (released by default)

    AttributeID           Reference for Attributes Mapping
    NameID                <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="NameID"/>
    objectGUID            <Attribute name="urn:oid:1.2.840.113556.1.4.2" id="objectGUID"/>
    eduPersonAffiliation  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
                            <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
                          </Attribute>
    displayName           <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>

  • Additional attributes (upon request)

    AttributeID           SAML 2 Names
    employeeNumber        <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
    surname               <Attribute name="urn:oid:2.5.4.4" id="sn"/>
    givenName             <Attribute name="urn:oid:2.5.4.42" id="givenName"/>

Restart shibd after configuration, and check any error at /var/log/shibboleth/


5. Integration Work with OnePass Team
  • Provide your CADS no. to the OnePass Team
  • Provide the entity ID of your application
  • Provide your metadata URL (the default is https://{yourhostname}/Shibboleth.sso/Metadata); it must be accessible from the campus network 137.189.8.0/24
  • The core attributes are passed to your application by default; additional attributes must be requested
  • Your logout button should perform your application's own logout and then send the browser to the OnePass logout URL for the environment in use:
    Testing environment: https://ststest.itsc.cuhk.edu.hk/adfs/ls/?wa=wsignout1.0
    UAT environment: https://stsu.itsc.cuhk.edu.hk/adfs/ls/?wa=wsignout1.0
    Production environment: https://sts.cuhk.edu.hk/adfs/ls/?wa=wsignout1.0
  • The OnePass team will import your metadata and configure it on the OnePass Testing platform; an email notification with testing accounts will be sent to you once it is ready for testing
  • After testing is complete, vulnerability scanning must pass before migrating to the OnePass Production environment


6. Simple Test
  • Clear your browser cache first; it is best to use incognito or InPrivate mode for testing
  • This test assumes PHP is installed on your server
  • By default, the path /secure on your server is protected by OnePass. To change it, edit /etc/httpd/conf.d/shib.conf
  • The core attributes are passed to your application by default; additional attributes must be requested
  • Create /secure/test.php under your document root with the following content, so that it shows phpinfo():
    <?php phpinfo(); ?>
  • Open a browser and access https://{yourhostname}/secure/test.php
  • You will be redirected to the OnePass login page; enter a valid Login ID and password
  • You should be authenticated and find your Login ID in the server variables NameID and REMOTE_USER
    e.g. in PHP, print the Login ID with: echo 'LoginID:' . $_SERVER['NameID'];
  • Log out; you will be redirected to the OnePass logout page. Access your website again and check that you have to enter your credentials to log in to OnePass again
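The test page from section 6 and the chained logout required in sections 1 and 5, combined into one added example (this is not the page's test.php and not ITSC code). It assumes the stock shib.conf protecting /secure, that mod_shib exports attributes into the server environment under the ids from attribute-map.xml (the default behaviour, with headers disabled), PHP 7.1 or later, and a placeholder hostname; ONEPASS_SIGNOUT is the Testing environment URL from section 5.

```php
<?php
// Constructed example for /secure/test.php: shows what OnePass released and
// implements the logout button as a chain: application session -> SP session
// -> OnePass (ADFS) session. Not the page's own test script.

// OnePass sign-out URL for the Testing environment (section 5); use the UAT or
// Production wsignout URL for those environments.
const ONEPASS_SIGNOUT = 'https://ststest.itsc.cuhk.edu.hk/adfs/ls/?wa=wsignout1.0';

// The SP logout handler ends the Shibboleth session and then redirects the
// browser to the URL given in "return", which here is the OnePass sign-out page.
function logout_url(string $onepass_signout = ONEPASS_SIGNOUT): string
{
    return '/Shibboleth.sso/Logout?return=' . rawurlencode($onepass_signout);
}

// Read one attribute from the environment mod_shib populated, or null if the
// IdP did not release it. Multi-valued attributes arrive ';'-separated.
function shib_attr(string $id): ?string
{
    $v = $_SERVER[$id] ?? null;
    return ($v === null || $v === '') ? null : $v;
}

if (isset($_GET['logout'])) {
    // Drop the application's own session first; otherwise a returning user is
    // let straight back in without re-authenticating to OnePass.
    session_start();
    $_SESSION = [];
    session_destroy();
    header('Location: ' . logout_url(), true, 302);
    exit;
}

header('Content-Type: text/plain; charset=utf-8');

// REMOTE_USER is filled from the first non-empty id in the REMOTE_USER list of
// shibboleth2.xml; NameID is the persistent name identifier from section 4.
echo 'LoginID (REMOTE_USER): ' . (shib_attr('REMOTE_USER') ?? '<not set>') . "\n";
echo 'NameID: ' . (shib_attr('NameID') ?? '<not set>') . "\n";

// Core attributes released by default, then the ones available on request,
// using the id values from attribute-map.xml in section 4.
$ids = ['objectGUID', 'unscoped-affiliation', 'displayName',
        'employeeNumber', 'sn', 'givenName'];
foreach ($ids as $id) {
    echo $id . ': ' . (shib_attr($id) ?? '<not released>') . "\n";
}

echo "\nLogout link for the logout button: " . logout_url() . "\n";
```

Opening test.php after login lists which attributes OnePass released, so a missing optional attribute shows up as not released rather than as a PHP notice; test.php?logout=1 ends the application session, the SP session and then the OnePass session in that order, which is the behaviour section 6 asks you to verify. The hand-off to ADFS relies on the Shibboleth logout handler's return parameter; on Shibboleth SP 3 the redirectLimit setting on <Sessions> restricts where return may point, so the OnePass host has to be allowed there for the chain to complete.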