Reputation: 696
Q: Is it possible to deploy Shibboleth without SSL?
Intro: We need to deploy Shibboleth in our testing environment. This environment is not visible from the Internet, so we are not able to add some valid certificate -- so it warns us that we are using a self-signed certificate. Our app can't go through this warning, and we are not able to automatically test if login via SAML works properly.
We use a docker image shibboleth-idp with our setup.
I think that we can change settings of Jetty and turn off SSL, but I am not sure how and if Shibboleth will be OK with that.
Upvotes: 0
Views: 1667
Reputation: 1339
Question: "we can change settings of Jetty and turn off SSL, but I am not sure how and if Shibboleth will be OK with that."
Answer:
(1) Yes. Shibboleth is OK without SSL for demo purpose only. In other words, on the testing environment, you can change settings of Jetty and turn off SSL, and then run Shibboleth IdP with Jetty on the HTTP port of 8080 instead of the HTTPS port of 8443.
I have validated SAML authentication/federation provided by Shibboleth IdP/Jetty/HTTP port:8080 without SSL for Shibboleth SP. In other words, Shibboleth IdP running on the Jetty HTTP port 8080 (instead of HTTPS port 8443) provides SAML authentication/federation for Shibboleth SP successfully.
Remarks:
(I) Usually the deployment of Shibboleth IdP on the production environment leverages proxy to redirect external HTTPS port 443 to internal HTTPS port 8443 of Jetty.
Correspondingly the deployment of Shibboleth IdP on the testing environment leverages proxy to redirect external HTTPS port 80 to internal HTTPS port 8080 of Jetty.
(II) Shibboleth IdP should run on Jetty with HTTPS port when deployed on the production environment.
(2) Security And Networking of Shibboleth IdP demonstrates that Jetty HTTPS key and certificate are NOT the keys and certificates used by Shibboleth IdP, which indicates that Shibboleth is OK without SSL for demo purpose only.
Use of browser-facing TLS key and certificate
This key and certificate is not used by Shibboleth directly, and you SHOULD NOT use this key (or certificate) in any of the other capacities described below.
(3) How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the instruction on building a SAML-based Authentication/Authorization Provider using Shibboleth SAML IdP and OpenLDAP.
Shibboleth SAML IdP is responsible for identity federation.
OpenLDAP is responsible for identity authentication.
(I) To run Shibboleth IdP with Jetty on the HTTP port of 8080, you only need to execute the commands below to modify the configuration before building both IdP and SP Docker images. For your convenience, the Shibboleth IdP without SSL provided by this GitHub repository has been validated.
cd shibboleth-idp-dockerized/ext-conf/conf/
cp idp.properties idp.properties.backup
cp idp.properties.without.ssl idp.properties
cd -
cd shibboleth-idp-dockerized/ext-conf/metadata/
cp idp-metadata.xml idp-metadata.xml.backup
cp idp-metadata-without-ssl.xml idp-metadata.xml
cd -
cd shibboleth-sp-testapp/shibboleth-sp/
# Edit shibboleth2.xml to update IdP entityID and metadata without SSL.
vi shibboleth2.xml
<SSO entityID="https://idp.example.com/idp/shibboleth">
-->
<SSO entityID="http://idp.example.com/idp/shibboleth">
<MetadataProvider type="XML" file="idp-metadata.xml"/>
-->
<MetadataProvider type="XML" file="idp-metadata-without-ssl.xml"/>
(II) I have validated SAML Single Sign-On (SSO) provided by Docker-running Shibboleth SAML IdP (Identity Provider) and OpenLDAP for the following enterprise applications. In other words, I leveraged Docker-running Shibboleth SAML IdP and OpenLDAP to log in to the following enterprise applications successfully.
Microsoft Office 365
Google G Suite
Salesforce
Dropbox
Box
Amazon AWS
OpenStack
Citrix NetScaler
VMware vCloud Director
Oracle NetSuite
(III) Another StackOverflow question Setting up a new Shibboleth IdP to work with an existing SAML SP discusses the SAML configuration between IdP and SP.
Upvotes: 3