Integration with OnePass on Windows (CUHK Login via ADFS)

• Service Provider using Windows version below
  – Windows Server 2008 R2, or above
• IIS is being started with SSL enabled
• SSO and SLO should be signed
• Assertion should be signed and encrypted
• Signing algorithm should be SHA256 for the federation
• The application server time must be kept up-to-date and accurate
• Logout button should be enhanced for global sign out OnePass session

For IIS7 or above and Shibboleth SP 3.0

• Prerequisites
  A default installation of IIS is enough but “ISAPI Extensions” & “ISAPI Filters” have to be installed
• Download the latest .msi Shibboleth SP installer (The 32-bit web server modules can function with a 64-bit shibd service, so there is no need to install a 32-bit shibd to handle 32-bit app pools)
• Run the installer, accepting the default settings and “Configure IIS7 module” must be checked, the shibd service will also be installed for you
• Reboot your server after installation completed
• Verify Shibboleth installation with
  • In Services, the Shibboleth service should have Service = Running, Startup Type = Automatic and Logon As = Local System
  • Check C:\Windows\System32\InetSrv\config\applicationHost.config, IIS7 Shibboleth modules should be added as below
    • <add name=”ShibNative32″ image=”C:\opt\shibboleth-sp\lib\shibboleth\iis7_shib.dll” precondition=”bitness32″ />
    • <add name=”ShibNative” image=”C:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll” precondition=”bitness64″ />
  • Open a web browser, go to https://localhost/Shibboleth.sso/Status (case sensitive), it should return an XML document with:
    <Status><OK/></Status>

For IIS6/IIS7 and Shibboleth SP 2.6

• Download Shibboleth SP 2.6 .msi Shibboleth SP installer (for 64-bit machine)
• Run the installer, accepting the default settings, the shibd service will also be installed for you
• Reboot your server after installation completed
• Verify Shibboleth installation with
  • In Services, the Shibboleth service should have Service = Running, Startup Type = Automatic and Logon As = Local System
  • Open IIS Manager, click the server name and open ISAPI Filters. The settings should be
    Name = Shibboleth and
    Executable = C:\opt\shibboleth-sp\lib64\shibboleth\isapi-shib.dll
  • In IIS Manager, click the server name and open Handler Mappings. The setting should be
    Path = *.sso,
    State = Enabled,
    Path Type = Unspecified,
    Handler = IsapiModule, and
    Entry Type = Inherited
  • In IIS Manager, click the website name under Sites, then open Handler Mappings. The settings should be
    Path = *.sso,
    State = Enabled,
    Path Type = Unspecified,
    Handler = IsapiModule, and
    Entry Type = Inherited
  • Open a web browser, go to https://localhost/Shibboleth.sso/Status (case sensitive), it should return an XML document with:
    <Status><OK/></Status>

**The configuration below is for your reference only. Some parameters and paths may be different with different Shibboleth versions / sub-versions. Kindly double-check the corresponding path name/certificate name in your configuration file.

• Default configuration files should be found in C:\opt\shibboleth-sp\etc\shibboleth\
• In C:\opt\shibboleth-sp\etc\shibboleth\, update below information on shibboleth2.xml

• Example for installing an X509 certificate (If you want to generate a self-signed certificate for “CredentialResolver”)
  – Use the keygen.bat command in C:\opt\shibboleth-sp\etc\shibboleth to create new certificate
  – keygen.bat –h {your hostname} –e {IDP entityID} –y {number of years to issue}
  e.g. keygen.bat –h abc.cuhk.edu.hk –e http://xyz.cuhk.edu.hk/services/trust –y 10 (Production)
• Restart shibboleth service and IIS service after configuration, and check any error at C:\opt\shibboleth-sp\var\log\shibboleth\
• Sample shibboleth2.xml for Windows host and OnePass testing environment

• Core Attributes (The attributes are released by default)
  • such as Email Address, Role (Staff/Student/Alumni), Display Name

For more information about the specifics of the attributes released, please contact ITSC Service Desk.

• Provide your CADS no. to OnePass Team
• The entity ID of your application
• Metadata URL (The default is https://{yourhostname}/Shibboleth.sso/Metadata), must be accessible from campus network
• The core attributes would be passed to your application by default, additional attributes need by request
• Include OnePass Logout URL plus your application logout together for your logout button
• OnePass team would import your metadata and have configuration on OnePass Testing platform, email notification with testing accounts would be sent to you once ready for test
• Test completion, vulnerability scanning must be pass before migrating to OnePass Production environment
• Please schedule the production with OnePass Team 3 working days in advance.

• Remember to clean up your browser cache first, it’ll be good to use incognito or InPrivate mode for testing
• Assume ASP.Net is enabled in your server
• By default, your server’s path /secure is protected by OnePass. If you want to change it, please refer to
  C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml and update the “Path name”
  Create a test.aspx in your /secure/test.aspx to print all variables:
  <% For Each var as String in Request.ServerVariables
  Response.Write(var & ” ” & Request(var) & “<p>”) Next %>
• Open a browser to access https://{yourhostname}/secure/test.php
• You will be redirected to OnePass login page, key in valid Login ID and password
• You should be able to authenticate and find your Login ID in server variable HTTP_NameID and and REMOTE_USER
  e.g. for getting attribute variable: HTTP_{attr}, e.g. HTTP_giveName
• Logout, you will be redirected to OnePass Logout page. Access your website again and see if you have to fill in your credential to login OnePass