LDAP configuration

You will need to refine the LDAP configuration in ldap.properties to suit your Active Directory configuration. In the following we are assuming that sAMAccountName will be used as the username by users authenticating at the IdP. Please check the following are correct in relation to that:

 idp.authn.LDAP.userFilter= (sAMAccountName={user})
 idp.attribute.resolver.LDAP.searchFilter= (sAMAccountName=$resolutionContext.principal)

The following line idp.attribute.resolver.LDAP.returnAttributes will need to include cn and sAMAccountName, but it may include others, and will need to be updated when building your Attribute Resolver

 idp.attribute.resolver.LDAP.returnAttributes= cn,sAMAccountName

By default the Shibboleth IdP configuration assumes that you will be using a secure protocol either startTLS or SSL to connect to your Active Directory Domain Controller using LDAP. If you have this available then you should configure the public key certificate of the server(s) in %{idp.home}/credentials/ldap-server.crt, and configure idp.authn.LDAP.useStartTLS, idp.authn.LDAP.useStartTLS and idp.authn.LDAP.ldapURL accordingly.

Unfortunately, the default configuration of Active Directory does not have a certificate installed for startTLS or LDAP over SSL/TLS to be enabled, therefore many organisations maybe using unencrypted LDAP on port 389 so you may need to set the following lines in their ldap.properties

 idp.authn.LDAP.useStartTLS            = false
 idp.authn.LDAP.useSSL                 = false
 #idp.authn.LDAP.trustCertificates      = %{idp.home}/credentials/ldap-server.crt
 #idp.authn.LDAP.trustStore             = %{idp.home}/credentials/ldap-server.truststore

By configuring the above with both idp.authn.LDAP.useStartTLS and idp.authn.LDAP.useSSL set to false and no idp.authn.LDAP.trustCertificates or idp.authn.LDAP.trustStore, then your Shibboleth IdP is using an unencrypted protocol between the IdP and the LDAP Server (Active Directory Domain Controllers).

It is strongly recommended that you configure your LDAP Server to support either StartTLS or SSL/TLS LDAP over SSL/TLS with a Certificate, and re-configure your Shibboleth IdP accordingly.