Configuring Shibboleth 2.3.8

You can configure Shibboleth 2.3.8 as your identity provider for Enterprise Logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise identity provider with ArcGIS Online and registering ArcGIS Online with the enterprise identity provider.

Step 1: Register Shibboleth 2.3.8 as the enterprise identity provider with ArcGIS Online

Steps:
  1. Verify that you are logged in and that you are an administrator of your organization.
  2. Click the My Organization button at the top of the site. Your organization page opens.
  3. Click the Edit Settings button.
  4. Click the Security link on the left side of the page.
  5. Within the Enterprise Logins section, click the Set Identity Provider button.
  6. Enter a name for the identity provider in the window that opens.
  7. Provide metadata information for the identity provider using one of the two options below:
    • File—By default, Shibboleth provides the IdP metadata file in SHIBBOLETH_HOME/metadata. If the metadata file is accessible, choose the File option for the metadata of the enterprise identity provider and browse to the file SHIBBOLETH_HOME/metadata/idp-metadata.xml.
    • Parameters—Choose this option if the file is not accessible. Enter the values manually, supplying the requested parameters: login URL, binding type, and certificate. Contact your Shibboleth administrator to obtain these.
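If the idp-metadata.xml file cannot be uploaded and the Parameters option must be used, the values it asks for are all present in that file. The script below is an added example, not part of the ArcGIS Online documentation or the Shibboleth project: it reads a SAML 2.0 IdP metadata document and returns the entity ID, the SAML 2.0 login URL for each binding, and the signing certificate. The metadata it runs on is a constructed sample with a placeholder certificate value and example.org hostnames; point it at your own idp-metadata.xml to get real values.

```python
"""Extract the parameters ArcGIS Online asks for under the Parameters option
(login URL, binding type, certificate) from SAML 2.0 IdP metadata.

Added example, not project code. SAMPLE_IDP_METADATA is a constructed document
in the shape of a Shibboleth 2.x idp-metadata.xml with a placeholder certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Only SAML 2.0 bindings are reported; ArcGIS Online asks for a SAML 2.0 binding type.
SAML2_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
}

# Constructed sample (placeholder certificate, example.org hostnames).
SAMPLE_IDP_METADATA = """<EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:mace:shibboleth:1.0">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC...PLACEHOLDER-SIGNING-CERT...==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_parameters(metadata_xml):
    """Return the entity ID, SAML 2.0 SSO endpoints keyed by binding name, and the
    signing certificate(s) with embedded whitespace removed."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    login_urls = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        name = SAML2_BINDINGS.get(sso.get("Binding"))
        if name:  # Shibboleth 1.x and other non-SAML-2.0 bindings are skipped
            login_urls[name] = sso.get("Location")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing_certs.append("".join((cert.text or "").split()))

    if not login_urls:
        raise ValueError("no SAML 2.0 SingleSignOnService endpoint found")
    if not signing_certs:
        raise ValueError("no signing certificate found; responses could not be verified")

    return {
        "entity_id": root.get("entityID"),
        "login_urls": login_urls,
        "signing_certificates": signing_certs,
    }


if __name__ == "__main__":
    params = extract_idp_parameters(SAMPLE_IDP_METADATA)
    print("Entity ID:", params["entity_id"])
    for binding, url in params["login_urls"].items():
        print(f"Login URL ({binding}): {url}")
    print("Signing certificate(s):", params["signing_certificates"])
```

Only certificates from a KeyDescriptor marked use="signing" (or with no use attribute) are reported, because that is the key the service provider uses to verify the IdP's signatures; an encryption-only key would be the wrong value to enter.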

Step 2: Register ArcGIS Online as the trusted service provider with Shibboleth 2.3.8

Steps:
  1. Configure ArcGIS Online as a relying party in Shibboleth.
    1. Obtain the metadata file of your ArcGIS Online organization and save it as an XML file.

      To get the metadata file, log in to your organization as an administrator and open your organization page. Click the Edit Settings button, the Security tab, and within the Enterprise Logins section, click the Get Service Provider button.

    2. Add ArcGIS Online as the trusted service provider in Shibboleth by defining a new RelyingParty element in the SHIBBOLETH_HOME/conf/relying-party.xml file.

      Add the snippet below within the ChainingMetadataProvider element, supplying the path to your organization's metadata XML file (saved in the previous substep) and replacing citygis.maps.arcgis.com with the URL of your organization.

      <!-- Load AGOL metadata -->
      <MetadataProvider xsi:type="FilesystemMetadataProvider"
                        xmlns="urn:mace:shibboleth:2.0:metadata"
                        id="citygis.maps.arcgis.com"
                        metadataFile="<PATH_TO_THE_SAVED_METADATA>/citygismetadata.xml" />

  2. Configure the attribute resolver.

    ArcGIS Online expects a SAML name identifier to be passed from the IdP for the user trying to log in to ArcGIS Online. To make this data available, configure the Shibboleth attribute resolver by modifying the SHIBBOLETH_HOME/conf/attribute-resolver.xml file.

    The following attribute definition sends the principal name of the user who was authenticated by the Shibboleth IdP to ArcGIS Online in the name identifier.

    <!-- Name identifier for passing principal name to ArcGIS Online -->
    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
    </resolver:AttributeDefinition>

  3. Configure the attribute filter.

    Configure the Shibboleth attribute filter to release the user's principal name, encoded as a NameID, to ArcGIS Online after authenticating the user.

    To add this filter, open the SHIBBOLETH_HOME/conf/attribute-filter.xml file and add the following attribute filter policy within the AttributeFilterPolicyGroup XML element. (Replace citygis.maps.arcgis.com with the URL of your organization.)

    <!-- release the NameID to citygis.maps.arcgis.com -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="citygis.maps.arcgis.com" />

        <afp:AttributeRule attributeID="principal">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>


    ArcGIS Online also supports passing the givenName and email address attributes of the enterprise login from the enterprise identity provider into ArcGIS Online. When a user signs in using an enterprise login and ArcGIS Online receives attributes named givenname and email or mail (in any case), it populates the full name and email address of the user account with the values received from the identity provider.

    It is recommended that you pass the email address from the enterprise identity provider to ArcGIS Online. This helps if the user later becomes an administrator: an email address on the account lets the user receive notifications about administrative activity and send invitations to other users to join the organization.

  4. Configure the authentication source.

    Configure the authentication source used by the Shibboleth IdP.

    The following example shows how to configure Apache Directory Server as a user store for Shibboleth in the SHIBBOLETH_HOME/conf/login.config file.

    ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldap://host:port"
            baseDn="ou=users,ou=system"
            ssl="true"
            serviceUser="uid=admin,ou=system"
            // the service account password is stored in clear text here; restrict
            // read access to login.config to the account that runs the IdP
            serviceCredential="secret"
            subtreeSearch="true"
            userField="uid"
            userFilter="uid={0}";
    };


  5. Configure the login handler.

    Enable the UsernamePassword login handler in Shibboleth. With this login handler, users can log in with a user name and password from the authentication source configured in the previous step.

    To configure the login handler, open the SHIBBOLETH_HOME/conf/handler.xml file and uncomment the user name and password login handler. (Replace <SHIBBOLETH_HOME> with your Shibboleth installation path.)

    <!-- Username/password login handler -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file://<SHIBBOLETH_HOME>/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>


  6. Turn off assertion encryption in the Shibboleth IdP.

    ArcGIS Online does not support encrypted SAML assertions from the identity providers, so you need to turn off assertion encryption in Shibboleth.

    To turn off assertion encryption, open the SHIBBOLETH_HOME/conf/relying-party.xml file and, within the DefaultRelyingParty element, locate the ProfileConfiguration whose xsi:type is saml:SAML2SSOProfile and change the value of its encryptAssertions attribute to never.

    <rp:DefaultRelyingParty provider="https://grid3.esri.com/idp/shibboleth"
                            defaultSigningCredentialRef="IdPCredential">
    ...
        <!-- encryptAssertions appears on each ProfileConfiguration in this element;
             the browser SSO profile (saml:SAML2SSOProfile) is the one referred to above -->
        <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
                                 assertionLifetime="PT5M" assertionProxyCount="0"
                                 signResponses="never" signAssertions="always"
                                 encryptAssertions="never" encryptNameIds="never"/>
    ...
    </rp:DefaultRelyingParty>

  7. Restart the web server that hosts the Shibboleth web application.
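Before restarting, it is worth checking the edits from steps 1, 3 and 6 against each other, because a requester name in the attribute filter that matches no loaded metadata, or an encryptAssertions change made on a ProfileConfiguration other than the browser SSO profile, only shows up as a failed sign-in later. The audit script below is an added example, not part of the ArcGIS Online documentation or the Shibboleth project. The relying-party.xml and attribute-filter.xml fragments it parses are constructed samples that use the page's citygis.maps.arcgis.com placeholder and an example.org IdP; the check that each requester matches a metadata provider id relies on the convention, used on this page, of naming the provider after the service provider's entity ID.

```python
"""Consistency audit of the Step 2 edits. Added example, not project code;
RELYING_PARTY_XML and ATTRIBUTE_FILTER_XML are constructed fragments."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
NS = {
    "rp": "urn:mace:shibboleth:2.0:relying-party",
    "metadata": "urn:mace:shibboleth:2.0:metadata",
    "afp": "urn:mace:shibboleth:2.0:afp",
}

# Constructed relying-party.xml fragment (placeholder entity IDs and path).
RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
        signResponses="never" signAssertions="always" encryptAssertions="never" encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
        signResponses="never" signAssertions="always" encryptAssertions="never" encryptNameIds="never"/>
  </rp:DefaultRelyingParty>
  <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="citygis.maps.arcgis.com" xsi:type="metadata:FilesystemMetadataProvider"
        metadataFile="/opt/shibboleth-idp/metadata/citygismetadata.xml"/>
  </metadata:MetadataProvider>
</rp:RelyingPartyGroup>"""

# Constructed attribute-filter.xml fragment matching the policy shown in step 3.
ATTRIBUTE_FILTER_XML = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseNameIdToArcGISOnline">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="citygis.maps.arcgis.com"/>
    <afp:AttributeRule attributeID="principal">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def _local(qname):
    """Local part of a prefixed xsi:type value such as 'saml:SAML2SSOProfile'."""
    return qname.rsplit(":", 1)[-1] if qname else ""


def loaded_provider_ids(relying_party_xml):
    """Ids of the non-chaining metadata providers. The page names each provider
    after the service provider's entity ID; this audit relies on that convention."""
    root = ET.fromstring(relying_party_xml)
    return {mp.get("id") for mp in root.iter("{%s}MetadataProvider" % NS["metadata"])
            if _local(mp.get(XSI_TYPE)) != "ChainingMetadataProvider"}


def audit_attribute_filter(attribute_filter_xml, known_requesters, attribute_id="principal"):
    """Flag policies that release attribute_id to every requester, or to a requester
    the IdP loads no metadata for (least privilege on who receives the identifier)."""
    findings = []
    root = ET.fromstring(attribute_filter_xml)
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        if not any(r.get("attributeID") == attribute_id for r in policy.findall("afp:AttributeRule", NS)):
            continue
        pid = policy.get("id", "<unnamed>")
        req = policy.find("afp:PolicyRequirementRule", NS)
        req_type = _local(req.get(XSI_TYPE)) if req is not None else "missing"
        if req_type in ("ANY", "missing"):
            findings.append(f"policy {pid}: releases '{attribute_id}' to every requester "
                            f"(requirement rule {req_type}); scope it with basic:AttributeRequesterString")
        elif req_type == "AttributeRequesterString" and req.get("value") not in known_requesters:
            findings.append(f"policy {pid}: requester '{req.get('value')}' has no metadata provider loaded")
    return findings


def audit_sso_profile(relying_party_xml):
    """Check the browser SSO profile on DefaultRelyingParty (not the ECP profile)."""
    root = ET.fromstring(relying_party_xml)
    drp = root.find("rp:DefaultRelyingParty", NS)
    if drp is None:
        return ["relying-party.xml has no DefaultRelyingParty element"]
    profiles = [p for p in drp.findall("rp:ProfileConfiguration", NS)
                if _local(p.get(XSI_TYPE)) == "SAML2SSOProfile"]
    if not profiles:
        return ["DefaultRelyingParty has no saml:SAML2SSOProfile configuration"]
    findings = []
    for p in profiles:
        if p.get("encryptAssertions") != "never":
            findings.append(f"SAML2SSOProfile: encryptAssertions={p.get('encryptAssertions')!r}; "
                            "ArcGIS Online needs 'never' on the browser SSO profile")
        if p.get("signAssertions") != "always":
            findings.append(f"SAML2SSOProfile: signAssertions={p.get('signAssertions')!r}; "
                            "keep 'always' so an unencrypted assertion is still signed")
    return findings


def audit(relying_party_xml, attribute_filter_xml):
    """Run all checks; an empty list means the edits agree with each other."""
    return audit_sso_profile(relying_party_xml) + audit_attribute_filter(
        attribute_filter_xml, loaded_provider_ids(relying_party_xml))


if __name__ == "__main__":
    for finding in audit(RELYING_PARTY_XML, ATTRIBUTE_FILTER_XML) or ["no findings"]:
        print(finding)
```

The signAssertions check is there because turning off encryption removes one of the two protections a SAML assertion normally carries; with encryptAssertions="never", the XML signature over the assertion is what lets the service provider detect a tampered or forged assertion, so that setting should stay at "always" when encryption is switched off.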
9/23/2013