Configuring Shibboleth authentication

This section describes how to configure Shibboleth so that you can use Service Desk or Asset Manager with the Shibboleth-only logon policy.

For more detailed and specific information about configuring Shibboleth, refer to the Shibboleth documentation.

Shibboleth comprises two parts:

  • An Identity Provider (IdP) – A web application that is configured to talk to Active Directory. It displays a login web page where you enter your credentials, and it confirms your identity against its configured system(s).
  • A Service Provider (SP) – An add-on to your web server (for example, IIS or Apache) that is configured to protect certain website paths (such as /ServiceDesk.WebAccess). It redirects users to your IdP to log in and then passes information about their identity back to your web application by adding headers to the HTTP request. The SP and IdP don’t need to communicate directly, but they do need to be configured to trust each other. The user’s web browser needs visibility of both.

If you are using IIS, make sure that the IIS 6 Management Compatibility Windows Feature is installed on your web server.

The examples below use example addresses; remember to replace these addresses with your own values.

Connecting to your internal IdP

The first step is to connect to your internal IdP.

To connect to your internal IdP:

  1. Go to https://localhost/Shibboleth.sso/Metadata on your web server to download an XML file that contains detailed information about the SP.
  2. Save this with a unique name for your SP.
  3. On your Shibboleth server, copy the XML file from the previous step to C:\Program Files (x86)\Shibboleth\IdP\metadata.
  4. Open the file C:\Program Files (x86)\Shibboleth\IdP\conf\metadata-providers.xml in a text editor.
  5. Where the comment says so, add a line with a unique ID and the path to your metadata file, similar to:

     <MetadataProvider id="LocalMetadataUNIQUEID" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/example.com.xml"/>

  6. Save and close the file.
  7. Restart the Shibboleth 3 IdP Daemon service, then disconnect from the server.
  8. On your web server, navigate to C:\Program Files\Shibboleth\etc\shibboleth and open shibboleth2.xml.
  9. In the <Sessions> section, replace the <SSO> tag with one similar to:

     <SSO entityID="https://www.example.com/idp/shibboleth"> SAML2 SAML1</SSO>

  10. In the <ApplicationDefaults> section, add a <MetadataProvider> tag similar to:

     <MetadataProvider type="XML"
         uri="https://www.example.com/idp/shibboleth"
         backingFilePath="lab-shib01-idp-metadata.xml"
         reloadInterval="180000"/>

  11. Save the file, then restart IIS and the Shibboleth 2 Daemon (Default) service.
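The procedure above exchanges metadata in both directions, and the SP's <SSO> entityID must name the same IdP that the IdP metadata describes, while the SP metadata you copied to the IdP must carry the entityID the SP is configured with. The following script is an added example, not part of this documentation or of the Shibboleth or Ivanti products, that checks those relationships before you restart the services. The metadata documents and the shibboleth2.xml fragment are constructed samples that reuse the page's example host names; the check functions are assumed helpers written for this example.

```python
"""Added example: sanity-check the SP/IdP trust configuration described above.

All XML below is constructed sample data, not output captured from a real
deployment.  Namespaces are matched on local element names so the check works
for Shibboleth SP 2.x and 3.x configuration files alike.
"""
import xml.etree.ElementTree as ET

# Constructed: what /Shibboleth.sso/Metadata on the web server returns (step 1).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://hd37f6c6dv3ctrh.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hd37f6c6dv3ctrh.example.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the IdP metadata fetched from the uri in step 10.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.example.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://www.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the relevant parts of shibboleth2.xml after steps 9 and 10.
SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://hd37f6c6dv3ctrh.example.com/shibboleth">
    <Sessions>
      <SSO entityID="https://www.example.com/idp/shibboleth"> SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="https://www.example.com/idp/shibboleth"
        backingFilePath="lab-shib01-idp-metadata.xml" reloadInterval="180000"/>
  </ApplicationDefaults>
</SPConfig>"""


def _local(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, local_name):
    """All elements in the tree whose local name matches, regardless of namespace."""
    return [e for e in root.iter() if _local(e.tag) == local_name]


def metadata_entity_id(metadata_xml):
    """Return the entityID of a single-entity SAML metadata document."""
    root = ET.fromstring(metadata_xml)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor document")
    return root.get("entityID", "")


def sp_config_entity_ids(shibboleth2_xml):
    """Return (SP entityID from ApplicationDefaults, IdP entityID from the SSO tag)."""
    root = ET.fromstring(shibboleth2_xml)
    app = _find_all(root, "ApplicationDefaults")
    sso = _find_all(root, "SSO")
    sp_id = app[0].get("entityID", "") if app else ""
    idp_id = sso[0].get("entityID", "") if sso else ""
    return sp_id, idp_id


def check_trust(shibboleth2_xml, sp_metadata_xml, idp_metadata_xml):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    sp_id, idp_id = sp_config_entity_ids(shibboleth2_xml)
    sp_md = ET.fromstring(sp_metadata_xml)
    idp_md = ET.fromstring(idp_metadata_xml)

    if metadata_entity_id(sp_metadata_xml) != sp_id:
        problems.append("SP metadata entityID does not match ApplicationDefaults entityID")
    if metadata_entity_id(idp_metadata_xml) != idp_id:
        problems.append("SSO entityID in shibboleth2.xml does not match the IdP metadata entityID")
    if not _find_all(sp_md, "SPSSODescriptor"):
        problems.append("SP metadata has no SPSSODescriptor role")
    if not _find_all(idp_md, "IDPSSODescriptor"):
        problems.append("IdP metadata has no IDPSSODescriptor role")
    # Assertions are posted back to these endpoints; insist they are HTTPS.
    for acs in _find_all(sp_md, "AssertionConsumerService"):
        if not acs.get("Location", "").startswith("https://"):
            problems.append("AssertionConsumerService is not HTTPS: " + acs.get("Location", ""))
    return problems


if __name__ == "__main__":
    for line in check_trust(SHIBBOLETH2, SP_METADATA, IDP_METADATA) or ["trust configuration is consistent"]:
        print(line)
```

Run it against the real files by replacing the three constants with the contents of the downloaded SP metadata, the IdP metadata (or its backingFilePath copy), and your shibboleth2.xml. A mismatch in the SSO entityID is the most common reason the SP cannot locate the IdP after a restart, and the script reports it before you lose time in the daemon logs.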

At the bottom of the server variables list, there are some values related to Shibboleth, including HTTP_EPPN, which confirms the logged-in user name.

More information about the session is available at https://webserver/Shibboleth.sso/Session.

Changing the server variable name to HTTP_LANDESK_USER

The default header that the Service Desk and Asset Manager applications expect to carry the logged-in user name is HTTP_LANDESK_USER. You can either override this in the tps.config file so that it matches Shibboleth's default header (see Configuring Web Access to use a different server variable), or you can reconfigure Shibboleth to supply HTTP_LANDESK_USER.

Configuring and protecting Service Desk and Asset Manager

When you have associated your Service Desk and Asset Manager users with a network login using the Administration component in the console, and set up the Logon Policy as described in Setting the Logon policy, you can protect your Web Access instance.

To protect the Web Access instance:

  1. Navigate to C:\Program Files\Shibboleth\etc\shibboleth and open shibboleth2.xml.
  2. In the <Host> section, add a new <Path> tag with the name of your Web Access instance:

     <Host name="hd37f6c6dv3ctrh.example.com">
         <Path name="secure" authType="shibboleth" requireSession="true"/>
         <Path name="ServiceDesk.WebAccess" authType="shibboleth"
             requireSession="true"/>
     </Host>

  3. Save the file, then restart IIS and the Shibboleth 2 Daemon (Default) service.
  4. Go to https://webserver/ServiceDesk.WebAccess.
     You are logged in.

Web Access looks for the HTTP_LANDESK_USER value in two places. First, it looks at the HTTP headers that the Shibboleth SP populates. Then it looks in the URL query string, which is how you can test Shibboleth authentication without a fully integrated environment.

To test Web Access using the URL query string, navigate to: https://webserver/ServiceDesk/WebAccess/[email protected].

This has no effect in an integrated Shibboleth environment. The SP still redirects you to the IdP login page and populates the HTTP header, which takes precedence over the URL value.

Configuring Web Access to use a different server variable

Rather than reconfigure Shibboleth to use the attribute name HTTP_LANDESK_USER, you can reconfigure Web Access to use Shibboleth's default attribute name, HTTP_EPPN.

To configure Web Access to use a different server variable:

  1. Open the tps.config file for Web Access and add the line:

     <add key="ShibbolethHeaderId" value="HTTP_EPPN" />

  2. Recycle the application pool used by Web Access.
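The two lookup rules described on this page, that the SP-populated header is consulted before the URL query string and that the header name is taken from the ShibbolethHeaderId setting in tps.config (defaulting to HTTP_LANDESK_USER), are modelled in the added example below. It is illustrative code written for this page, not Web Access's own implementation: the surrounding <configuration>/<appSettings> structure of tps.config, the query-string parameter name, and the function names are assumptions, and the server variables and URLs are constructed samples.

```python
"""Added example: a model of the logged-in user lookup described on this page.

Not Web Access code.  Assumed: tps.config is a .NET appSettings-style file,
and the query-string parameter is named the same as the default header.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

DEFAULT_HEADER_ID = "HTTP_LANDESK_USER"
QUERY_PARAM = "HTTP_LANDESK_USER"  # assumed name of the query-string parameter

# Constructed tps.config fragment with the override from the procedure above.
TPS_CONFIG_EPPN = """<configuration>
  <appSettings>
    <add key="ShibbolethHeaderId" value="HTTP_EPPN" />
  </appSettings>
</configuration>"""

# Constructed tps.config with no override, so the default header applies.
TPS_CONFIG_DEFAULT = """<configuration>
  <appSettings/>
</configuration>"""


def header_id_from_tps_config(xml_text):
    """Return the ShibbolethHeaderId value, or the default when it is absent."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("key") == "ShibbolethHeaderId" and add.get("value"):
            return add.get("value")
    return DEFAULT_HEADER_ID


def resolve_user(server_variables, url, header_id=DEFAULT_HEADER_ID):
    """Return (user name, source) following the documented precedence.

    server_variables models the IIS server variable set, which is where the
    Shibboleth SP places the attribute headers (for example HTTP_EPPN).
    The header always wins; the query string is only a fallback.
    """
    value = (server_variables.get(header_id) or "").strip()
    if value:
        return value, "header"
    values = parse_qs(urlsplit(url).query).get(QUERY_PARAM, [])
    if values and values[0].strip():
        return values[0].strip(), "query"
    return None, None


def demo():
    """Walk through the scenarios the page describes and return them as a dict."""
    eppn = header_id_from_tps_config(TPS_CONFIG_EPPN)
    test_url = "https://webserver/ServiceDesk.WebAccess/?HTTP_LANDESK_USER=tester%40example.com"
    return {
        # Integrated environment: the SP populated HTTP_EPPN, so the URL value is ignored.
        "integrated": resolve_user({"HTTP_EPPN": "alice@example.com"}, test_url, eppn),
        # Test setup without the SP: the query string supplies the name.
        "query_only": resolve_user({}, test_url),
        # Neither source present: nobody is logged in.
        "anonymous": resolve_user({}, "https://webserver/ServiceDesk.WebAccess/"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The "integrated" scenario is the point of the note above: once the path is protected by the SP and the header is present, the value in the URL is never consulted, so the query-string form is only useful for testing a Web Access instance that the SP is not yet protecting.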