multiple applications on SP

[salibeh]

Hello,
I am trying to extend your project to support multiple applications on the SP. I was successful in adding a second virtual host to the ssl.conf file pointing to the crt and key files I created using openssl. The second app index.html and secure/index.html are placed in /var/www/html/second/ folder.
With the above configuration I was able to demonstrate sso. That is, once I was authenticated starting with the second app, I was able to access the first app (yours) without being required to authenticate again. The problem I have is that once I was authenticated using the second app, I was redirected to the logout page of the first app in /var/www/html/secure/. rather than the logout page of the second app in /var/www/html/second/secure/.
Based on what I learned from my own online searches, it appears that I need to update the sp metadata and make the same available to the idp. I would appreciate your help and guidance in getting the above to work correctly. That is, what configurations do I need to apply (and in which files) on the sp and idp.

I know that the above is not an issue with your project but I have no way of contacting you directly.
Best,
Emil

[winstonhong]

Your info "Based on what I learned from my own online searches, it appears that I need to update the sp metadata and make the same available to the idp." is correct.

You need to run the two different docker containers to host two SP apps.

• Each docker container runs a web server to host a SP app (e.g., 1st app and 2nd app).
• Each SP app needs to generate the separate SP metadata and then upload it to IdP. That is, IdP holds two SP metadata corresponding to two different SP apps (e.g., sp1-example-org.xml and sp2-example-org.xml) in the following IdP folder.
  https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-idp-dockerized/ext-conf/metadata
  -IdP metadata needs to upload to each web server which hosts a SP app, for example, the following SP folder hosted by the web server.
  https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-sp-testapp/shibboleth-sp
  In your use cases, just
  cp -rf [shibboleth-sp-testapp](https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-sp-testapp) shibboleth-sp-testapp1
cp -rf [shibboleth-sp-testapp](https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-sp-testapp) shibboleth-sp-testapp2
  Then make minor revision on both SP metadata and then upload it to IdP.

[salibeh]

Thank you for your help. Just to be clear.

1. on the idp, make two copies of the shibboleth-sp-testapp: shibboleth-sp-testapp1, shibboleth-sp-testapp2

2. edit the sp metadata on idp for each to reflect the correct entityid (based on sp1, sp2) and the ID.
   How to change the ID for sp2; leaving sp1 with the original?

3. create a set of new crt and key files for sp2; use the existing for sp1

4. edit sp2 metadata on idp to include the crt in the ds:x509Certificate

5. on sp2, edit sp2 shibboleth2.xml to reflect sp2-example.org. do the same for sp1 (although my intend is to leave the original sp alone that is not to rename it sp1)

Are the above what you meant by minor revisions? Are there more (files and changes) that you can think of?
Thanks

[winstonhong]

• On the idp, make two copies of the shibboleth-sp-testapp: shibboleth-sp-testapp1, shibboleth-sp-testapp2

Yes.

• edit the sp metadata on idp for each to reflect the correct entityid (based on sp1, sp2) and the ID.

Yes.

• How to change the ID for sp2; leaving sp1 with the original?

https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/blob/master/shibboleth-sp-testapp/shibboleth-sp/shibboleth2.xml

change the ID for sp2:
entityID="https://sp.example.org:2443/Shibboleth.sso/Metadata" --> entityID="https://sp2.example.org:2443/Shibboleth.sso/Metadata"

Yes. Just leaving sp1 with the original

• create a set of new crt and key files for sp2; use the existing for sp1

Yes.

• edit sp2 metadata on idp to include the crt in the ds:x509Certificate

Just download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata"
and then upload it to the IdP folder

• on sp2, edit sp2 shibboleth2.xml to reflect sp2-example.org. do the same for sp1 (although my intend is to leave the original sp alone that is not to rename it sp1)

Yes. You can leave the original sp alone that is not to rename it sp1.
On sp2, edit sp2 shibboleth2.xml to modify entityID to reflect sp2-example.org

[salibeh]

Thank you very much for your prompt response.

when I was asking "How to change the ID for sp2", I was referring to the following ID in the sp-example.org.xml (and NOT the entityID):

" <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_2bfe46fbf65e268f30b921e7abdcc9ba1f1cdcea" ......."

Thanks

[winstonhong]

• when I was asking "How to change the ID for sp2", I was referring to the following ID in the sp-example.org.xml (and NOT the entityID):

• " <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_2bfe46fbf65e268f30b921e7abdcc9ba1f1cdcea" ......."

This ID is the random ID automatically generated by SAML SP. You can NOT change it, and You do NOT need to change it.
Just download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata" and save it as sp2-example-org.xml.
Then you can find that this ID was automatically generated by Shibboleth SP in the sp2-example-org.xml

Note that this random ID is NOT mandatory for SP metadata. For example, Office365 SP metadata or Shibboleth SP metadata has this random ID, but Amazon AWS SP metadata does NOT has this random ID.
https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-idp-dockerized/ext-conf/metadata

[salibeh]

Thanks for all your help.

[salibeh]

Hi,
When you say "Then you can find that this ID was automatically generated by Shibboleth SP in the sp2-example-org.xml", how the ID be automatically generated, that is, am I to exercise a particular utility to generate the sp metadata (and on which files or in which folder) that results in the automatic generation of the ID?

[winstonhong]

You do NOT need to "exercise a particular utility to generate the sp metadata", just download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata" and save it as sp2-example-org.xml.

Then you can find that this ID was automatically generated by Shibboleth SP in the sp2-example-org.xml

Note that

• I do NOT create this ID manually. I follow README to run OpenLDAP, Shibboleth IdP and Shibboleth SP, and then test the SAML authentication process successfully. Then I download the sp metadata from https://sp.example.org:2443/Shibboleth.sso/Metadata and save it as sp-example-org.xml. Then I discover that the sp metadata contains this ID, i.e., ID="_2bfe46fbf65e268f30b921e7abdcc9ba1f1cdcea"

https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/blob/master/shibboleth-idp-dockerized/ext-conf/metadata/sp-example-org.xml

• Shibboleth SP and Shibboleth IdP are developed using OpenSAML library. If you want to know how OpenSAML generates this random ID, you can read the source code of OpenSAML library.

Quote "OpenSAML is a set of open source C++ & Java libraries used in support of the Shibboleth Project's implementation of the Security Assertion Markup Language (SAML)."

https://shibboleth.atlassian.net/wiki/spaces/OS30/overview

• If you want to run both sp1 and sp2 on the same host (which is either physical machine or virtual machine VMWare), you can specify different port for sp2 such as https://sp2.example.org:3443/Shibboleth.sso/Metadata and https://sp2.example.org:3080/Shibboleth.sso/Metadata

In summary, follow README to run Shibboleth SP app2 and then download sp2 metadata from the link "https://sp2.example.org:2443/Shibboleth.sso/Metadata" and save it as sp2-example-org.xml.

[salibeh]

Hi,

After creating and running the container for sp1.example.org. I downloaded the Metadata using https://sp1.example.org:2443/Shibboleth.sso/Metadata. I copied the Metadata to sp2-example-org.xml (given below). I copied the sp2-example-org.xml to ext-conf/metadata folder on idp (is there a way to upload the file to idp similiar to the downloading on the sp?). I navigated to the sp1 login page successfully. When I clicked the login link), the idp did not provide the login page but it errors stating " The application you have accessed is not registered for use with this service."

The idp-wan.log in the /opt/shibboleth-idp/logs on idp displays the following:

2022-04-20 23:21:29,514 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:117] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://sp1.example.org:2443/Shibboleth.sso/Metadata)
2022-04-20 23:21:29,516 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration

I appreciate your help.
Thanks
Emil

---

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_6adf0a8594a70d9c9b59b072df3907fde63b6447" entityID="https://sp1.example.org:2443/Shibboleth.sso/Metadata">

<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
</md:Extensions>

<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
md:Extensions
<init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://sp1.example.org:2443/Shibboleth.sso/Login"/>
</md:Extensions>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp1.example.org:2443/Shibboleth.sso/Artifact/SOAP" index="1"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp1.example.org:2443/Shibboleth.sso/SLO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp1.example.org:2443/Shibboleth.sso/SLO/Redirect"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp1.example.org:2443/Shibboleth.sso/SLO/POST"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp1.example.org:2443/Shibboleth.sso/SLO/Artifact"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp1.example.org:2443/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp1.example.org:2443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp1.example.org:2443/Shibboleth.sso/SAML2/Artifact" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp1.example.org:2443/Shibboleth.sso/SAML2/ECP" index="4"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp1.example.org:2443/Shibboleth.sso/SAML/POST" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://sp1.example.org:2443/Shibboleth.sso/SAML/Artifact" index="6"/>
</md:SPSSODescriptor>

</md:EntityDescriptor>

[winstonhong]

Quote " I downloaded the Metadata using https://sp1.example.org:2443/Shibboleth.sso/Metadata. I copied the Metadata to sp2-example-org.xml (given below). I copied the sp2-example-org.xml to ext-conf/metadata folder on idp (is there a way to upload the file to idp similiar to the downloading on the sp?). I navigated to the sp1 login page successfully. When I clicked the login link), the idp did not provide the login page but it errors stating " The application you have accessed is not registered for use with this service."

Probably a typo: (it is sp2, NOT sp1)
https://sp1.example.org:2443/Shibboleth.sso/Metadata
should be
https://sp2.example.org:2443/Shibboleth.sso/Metadata

You need to register sp2 with Shibboleth IdP (see Steps 4 and 5 below).

1. Download the Metadata using https://sp2.example.org:2443/Shibboleth.sso/Metadata
2. Copy the Metadata to sp2-example-org.xml.
3. Copy sp2-example-org.xml to ext-conf/metadata
4. Add sp2 to ext-conf/conf/metadata-providers.xml

    <MetadataProvider id="SPMD2" xsi:type="FilesystemMetadataProvider"					
		metadataFile="/opt/shibboleth-idp/metadata/sp2-example-org.xml"
		maxRefreshDelay="PT48H">
    </MetadataProvider>	

5. Add sp2 to ext-conf/conf/relying-party.xml

        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp2.example.org:2443/Shibboleth.sso/Metadata">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
                </list>
            </property>
        </bean>	

6. Run Shibboleth IdP again.

cd Shibboleth-SAML-IdP-SP/shibboleth-idp-dockerized
./run.sh

Note that if you use sp1 instead of sp, you need to repeat the above procedure again to register sp1 with Shibboleth IdP.

[salibeh]

Hi,
Thanks for your input. I was able to successfully get sp1 (sp1.example.com:2443) to work. However when I build and run sp using sp.example.com:2443, I get an error" docker ... failed : port is already in use" It appears that docker using the same ip address for sp1 and sp. is there a way to force a container to pick a different ip address?
Thanks

[winstonhong]

Just keep sp app unchanged. Only modify the ports of sp1 (i.e., from 2080 to 3080, from 2443 to 3443).

$cd shibboleth-sp1-testapp

$sudo nano shibboleth-sp/shibboleth2.xml

change the ID for sp1:
entityID="https://sp1.example.org:2443/Shibboleth.sso/Metadata" --> entityID="https://sp1.example.org:3443/Shibboleth.sso/Metadata"

$sudo nano ./run.sh

docker run -it --rm -p 3080:80 -p 3443:443 --name="shibboleth-sp" example/shibboleth-sp:latest

$./run.sh

https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/blob/master/shibboleth-sp-testapp/run.sh

Then execute the following steps to update the configuration of Shibboleth IdP for sp1 app.

1. Download the sp1 Metadata using https://sp1.example.org:3443/Shibboleth.sso/Metadata
2. Copy the Metadata to sp1-example-org.xml.
3. Copy sp1-example-org.xml to ext-conf/metadata
4. Add sp1 to ext-conf/conf/metadata-providers.xml

    <MetadataProvider id="SPMD2" xsi:type="FilesystemMetadataProvider"					
		metadataFile="/opt/shibboleth-idp/metadata/sp1-example-org.xml"
		maxRefreshDelay="PT48H">
    </MetadataProvider>	

5. Add sp1 to ext-conf/conf/relying-party.xml

        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp1.example.org:3443/Shibboleth.sso/Metadata">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
                </list>
            </property>
        </bean>	

6. Run Shibboleth IdP again.

cd Shibboleth-SAML-IdP-SP/shibboleth-idp-dockerized
./run.sh

Finally execute the following steps to test sp1 app.

• Access the link "https://sp1.example.org:3443/" to launch the Shibboleth SAML SP1 demo
• Click Login
• You are redirected to Shibboleth SAML IdP
• Input Username/Password credential (e.g., winstonhong/winston-passwd) and then Click Login
• You are redirected back to reach Shibboleth SAML SP-protected web page
• Use the same web browser to access the link "https://sp.example.org:2443/" to launch the Shibboleth SAML SP demo
• Click Login
• You are automatically log in to Shibboleth SAML SP-protected web page (because of single sign on feature of Shibboleth SAML IdP). You do NOT need to input Username/Password credential again.

[salibeh]

Hi,
Thanks very much for all your help. I have successfully completed running sp and sp1 and verified the sso feature of the system.

I have another question. When I downloaded the metadata of sp1, the metadata file did not include the md:KeyDescriptor section including the x509certificate. How did you force your sp metadata to include that section? I understand that that section is not always required.

Thanks
Emil

[winstonhong]

It seems that you re-use sp.example.org.key and sp.example.org.crt as sp1.example.org.key and sp1.example.org.crt. Note that SUBJECT_NAME of sp1 is different from SUBJECT_NAME of sp.

1. Use the following commands to generate sp1.example.org.key and sp1.example.org.crt

# change these values as needed
$ OUT_DIR=/tmp/credentials
$ LIFETIME=3650 # 10 yrs 

# normally, only a back-channel TLS certificate needs a subject name
# but it doesn't hurt to add this to a signing or encryption certificate
$ SUBJECT_NAME='/CN=sp1.example.org'  

# create a 2048-bit key with long-lived, self-signed certificate
$ /usr/bin/openssl req -new -x509 -nodes \
    -newkey rsa:2048 -keyout $OUT_DIR/sp1.example.org.key \
    -days $LIFETIME -subj $SUBJECT_NAME -out $OUT_DIR/sp1.example.org.crt

https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/948470554/SAMLKeysAndCertificates

2. Then copy sp1.example.org.key and sp1.example.org.crt to shibboleth-sp1-testapp/shibboleth-sp1/

# Copy sp1.example.org.key and sp1.example.org.crt to Shibboleth SP1 folder
$cd shibboleth-sp1-testapp
$cp /tmp/credentials/ sp1.example.org.* shibboleth-sp1/

# Run Shibboleth SP1 docker container
$./run.sh

https://github.com/winstonhong/Shibboleth-SAML-IdP-and-SP/tree/master/shibboleth-sp-testapp/shibboleth-sp

3. Download the sp1 Metadata using https://sp1.example.org:3443/Shibboleth.sso/Metadata
   Then you can discover that the sp1 metadata file includes the md:KeyDescriptor section including the x509certificate.

[salibeh]

Thanks.
Before asking you the above question, I had already created sp1.example.or.crt and sp1.example.org.key from scratch with the correct cn and copied them to the correct directory shibboleth-sp (not shibboleth-sp1) under shibboleth-sp1-testapp1. However, when I downloaded the Metadata, the metadata did not include the md:keyDescriptor section (and did not include the x509certificate either). When I compared the sp1 metadata I created and the one already provide by you (sp-example-org.xml), it became clear to me that there is something missing in the process.
Best
Emil

[winstonhong]

1. Modify the shibboleth2.xml to replace sp.example.org.key and sp.example.org.crt with sp1.example.org.key and sp1.example.org.crt respectively so that Shibboleth SP to get the x509certificate of sp1.

cd shibboleth-sp-testapp

# Replace sp.example.org.key and sp.example.org.crt with sp1.example.org.key and sp1.example.org.crt respectively 
sudo nano shibboleth-sp/shibboleth2.xml

        <!-- Simple file-based resolver for using a single keypair. -->
        <CredentialResolver type="File" key="sp1.example.org.key" certificate="sp1.example.org.crt"/>

2. Run sp1 docker container.

3. Download the sp1 Metadata using https://sp1.example.org:3443/Shibboleth.sso/Metadata

Then you can discover that the sp1 metadata file includes the md:KeyDescriptor section including the x509certificate.