I'm trying to familiarize myself with Shibboleth 2.5.3 and Active Directory Federation Services (tried both 2.0 and 3.0). What I'd like to achieve is having an Apache server authenticate against ADFS as IdP using Shibboleth as SP. For that reason I set up a Ubuntu VM with Apache and Shibboleth and a Windows Server VM with ADFS.

If I understand correctly, I need to add Shibboleth as a relying party trust to ADFS. In order to do that, I need metadata generated by Shibboleth at https://shibboleth/Shibboleth.sso/Metadata. However, this doesn't work as Shibboleth tries to get Metadata from ADFS as specified in the shibboleth2.xml <SSO> tag (https://winserver.testdomain.com/adfs/services/trust). Everything below adfs/services returns an HTTP 503 error. None of the solutions recommended elsewhere seem to fix that (restarting IIS, fiddling with certificates). I also can't find any logfile that records the 503 error.

What am I doing wrong? Probably, I'm just not grasping the concept correctly...

Julian B

2 Answers

Did you follow this guide: AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation?

It's old but the principles are still valid.

Hopefully, this will give you some clues.

rbrayb

There are really too many questions here!

I would like to address the first one: generate the shibboleth SP metadata.

You can use the tool shib_metagen (in Debian it is in the shibboleth-sp2-utils package).

In shibboleth2.xml you specify where the federation metadata is. If you plan to let the SP download it from the IdP, you need to check the ADFS documentation. But you can also include the XML metadata of the IdP (the ADFS server) as a file.

The SSO tag in shibboleth2.xml has nothing to do with metadata: it contains the entityID of the IdP. The metadata things are in the MetadataProvider element.

473183469
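To make the distinction in the answer above concrete, here is a trimmed shibboleth2.xml for Shibboleth SP 2.5.x showing the `<SSO>` element carrying only the IdP's entityID and the `<MetadataProvider>` element carrying the metadata source, in both the local-file and the download form. This is an added example, not configuration from the answer or from the Shibboleth project. The hostnames are the ones in the question (shibboleth, winserver.testdomain.com); the SP entityID, file paths and the 8-hour session lifetime are assumptions. ADFS's default SAML entityID (http://host/adfs/services/trust, over plain http) and its metadata URL (/FederationMetadata/2007-06/FederationMetadata.xml) are ADFS defaults, so check them against your own ADFS server.

```xml
<!-- Fragment of /etc/shibboleth/shibboleth2.xml for Shibboleth SP 2.5.x.
     Added example, not from the original answer. Hostnames are the question's;
     the SP entityID and file paths are assumptions. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <!-- entityID is the SP's own name. It is what /Shibboleth.sso/Metadata and
       shib_metagen emit, and what ADFS stores as the relying party identifier. -->
  <ApplicationDefaults entityID="https://shibboleth/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

      <!-- SSO holds ONLY the IdP's entityID and the protocol to use; nothing is
           fetched from this value. ADFS's default SAML entityID is
           http://<host>/adfs/services/trust (http, not https). Whatever it is,
           it must match the entityID attribute in ADFS's metadata exactly. -->
      <SSO entityID="http://winserver.testdomain.com/adfs/services/trust">
        SAML2
      </SSO>

      <!-- Serves the SP metadata at /Shibboleth.sso/Metadata for import into ADFS. -->
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="root@localhost" helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <!-- MetadataProvider is where the IdP (ADFS) metadata comes from.
         Option A, local file: download ADFS's metadata once from
         https://winserver.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
         and point at the saved copy (path is an assumption). -->
    <MetadataProvider type="XML" file="/etc/shibboleth/adfs-metadata.xml"/>

    <!-- Option B, let shibd fetch and refresh it. If the URL is unreachable
         (for example the 503 in the question) shibd logs the failure in shibd.log
         and the IdP stays unknown to the SP until a good copy is available;
         backingFilePath keeps the last good copy across restarts.
         Before adding a RequireValidUntil filter here, check that the downloaded
         ADFS metadata actually carries a validUntil attribute; if it does not,
         that filter will reject it. -->
    <!--
    <MetadataProvider type="XML"
        uri="https://winserver.testdomain.com/FederationMetadata/2007-06/FederationMetadata.xml"
        backingFilePath="adfs-metadata.xml" reloadInterval="7200"/>
    -->

    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Key and certificate the SP signs/decrypts with; the certificate is what
         ends up in the generated SP metadata that ADFS imports. -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

After changing the file, restart shibd and then request https://shibboleth/Shibboleth.sso/Metadata (or run shib_metagen) to get the SP metadata to hand to ADFS; the /Status handler and shibd.log are where a metadata-loading problem with the ADFS copy will show up.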