LDAP configuration
You will need to further refine the LDAP configuration within in ldap.properties
to suit your Active Directory configuration. In the following we are assuming that sAMAccountName
will be used as the username by users authenticating at the IdP. Please check the following are correct in relation to that;
idp.authn.LDAP.userFilter= (sAMAccountName={user}) idp.attribute.resolver.LDAP.searchFilter= (sAMAccountName=$resolutionContext.principal)
The following line idp.attribute.resolver.LDAP.returnAttributes
will need to include cn
and sAMAccountName
, but it may include others, and will need to be updated when building your Attribute Resolver
idp.attribute.resolver.LDAP.returnAttributes= cn,sAMAccountName
By default the Shibboleth IdP configuration assumes that you will be using a secure protocol either startTLS or SSL to connect to your Active Directory Domain Controller using LDAP. If you have this available then you should configure the public key certificate of the server(s) in %{idp.home}/credentials/ldap-server.crt
, and configure idp.authn.LDAP.useStartTLS
, idp.authn.LDAP.useStartTLS
and idp.authn.LDAP.ldapURL
accordingly.
Unfortunately, the default configuration of Active Directory does not have a certificate installed for startTLS or LDAP over SSL/TLS to be enabled, therefore many organisations maybe using unencrypted LDAP on port 389 so you may need to set the following lines in their ldap.properties
idp.authn.LDAP.useStartTLS = false idp.authn.LDAP.useSSL = false #idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt #idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
By configuring the above with both idp.authn.LDAP.useStartTLS
and idp.authn.LDAP.useSSL
set to false and no idp.authn.LDAP.trustCertificates
or idp.authn.LDAP.trustStore
, then your Shibboleth IdP is using an unencrypted protocol between the IdP and the LDAP Server (Active Directory Domain Controllers).
It is strongly recommended that you configure your LDAP Server to support either StartTLS or SSL/TLS LDAP over SSL/TLS with a Certificate, and re-configure your Shibboleth IdP accordingly.