I have made some progress on this - it seems there were errors in the attribute-resolver and attribute-filter files. I am still having problems with the Shibboleth attributes.
If I define the eduPersonPrincipalName as a static attribute, the HTTP_EPPN and HTTP_REMOTEUSER server variables are populated with the static value. Although, I have copied the attribute definition block from https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver, I cannot seem to set eduPersonPrincipalName to the Kerberos principal name.
Another problem is that I am trying to get Kerberos SSO working against two Active Directory forests - RESOURCE and ACCOUNT. The RESOURCE domain trusts the ACCOUNT domain. I have created the keytab files for both forests, and defined both realms in the handler.xml file. I can SSO as a user in the resource forest, but get an authentication failure when I try to log in as a user in the ACCOUNT domain.
I am attaching the IdP configuration files.
|