idp basics & installation - duke universitypeople.duke.edu/~shilen/shibtraining/idp.pdfidp...
TRANSCRIPT
IdP Basics & Installation
Shilen Patel - [email protected] Carter - [email protected] Guzman - [email protected]
2Credits and Acknowledgements
These slides were created by Lukas Hämmerle and Chad La Joie from SWITCHaai.
Adapted by Shilen Patel for this presentation.
If you see this on a slide, hands-on work is required
3Essential file editing commandsEditor Nano VIM EmacsOpen file $ nano file.xml $ vim file.xml $ emacs file.xml
Save file <ctrl>-o <esc>, :w <ctrl>-x, <ctrl>-s
Save and exit
<ctrl>-x <esc>, :wq <ctrl>-x, <ctrl>-c, y
Search string
<ctrl>-w, string <esc>, /string <ctrl>-s, string
Go to line number
<ctrl>--, number <esc>, number,<shift>-G
<esc>, number,<shift>-G
Pro and Cons
+ Easy- No highlighting
+ Highlighting- “Weird” to use
+ Very powerful- No highlighting
4Tips and Tricks for Hands-on Part
Lines starting with $ usually commands to be executed
Character \ is line break symbol, which allows to break a line when typed
Watch out for invalid XML/configuration errorsReports errors regarding well-formedness and schema validity
$ xmlwf /path/some-XML-File.xml Reports errors and line/column number if XML is not well-formedE.g. shibboleth2.xml:261:2: mismatched tag
Changes to VM
Modifications to VM:
1. cd /opt/installfest/setup/; ./setup.sh2. Update your hosts file to replace “100” with your participant number.3. In /etc/shibboleth/shibboleth2.xml - - Replace sp100.example.org to spXXX.example.org - Replace entityID for idp to https://idpXXX.example.org/idp/shibboleth (search for idp100) - <MetadataProvider type="Chaining"> <MetadataProvider type="XML" file="/opt/installfest/idps/idpXXX/idpXXX-metadata.xml"/> </MetadataProvider>
4. cp /opt/installfest/sps/spXXX/sp.key /etc/shibboleth/sp-key.pem5. cp /opt/installfest/sps/spXXX/sp.crt /etc/shibboleth/sp-cert.pem6. cp /opt/installfest/sps/spXXX/altspXXX-metadata.xml /var/www/html/altspXXX-metadata-remote.xml7. cp /opt/installfest/idps/idpXXX/idpXXX-metadata.xml /opt/tomcat-6.0.16/webapps/ROOT/ 8. ping spXXX.example.org from your host.
5
6Current Environment
NetworkIDP: 10.0.1.XXXSP: 10.0.2.XXX
JavaTomcatThe following modifications have been made to the Tomcat installation
Endorse Xerces and Xalan “DelegateToApplicationProvider” Tomcat Connector
See https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepareLDAPShibboleth SP
7More Tips and tricks
Restart your browser cookies after changesShouldn’t be necessary in most cases but is safer that way
Use SSH to connect to VM$ ssh [email protected]
8Available Users in LDAP
alum1/passwordgivenName surname: Alumnus ExampleAffiliation: alumEntitlements:
student1/passwordgivenName surname: Student 1 ExampleAffiliation: student, libary-walk-inEntitlements: urn:example.org:res1:12345, urn:example.org:res2:09876, http://example.org/user, http://channel8.msdn.org/user
student2/passwordgivenName surname: Student 2 ExampleAffiliation: student, libary-walk-in, part-time-studentEntitlements: urn:example.org:res1:12345,http://channel8.msdn.org/user
9More available Users in LDAP
staff1/passwordgivenName surname: Staff 1 ExampleAffiliation: staff, employeeEntitlements:
staff2/passwordgivenName surname: Staff 2 ExampleAffiliation: staff, part-time-employeeEntitlements:
Your Laptop
Set your IP address to 10.0.3.X.Set your subnet mask to 255.255.0.0.Add the following to your hosts file (/etc/hosts for UNIX, C:\windows\system32\drivers\etc\hosts for Windows XP)10.0.1.XXX idpXXX.example.org10.0.1.XXX ds.example.org10.0.2.XXX spXXX.example.org10.0.2.XXX altspXXX.example.org
10
11VM Operating System Environment
CentOS (Red Hat) 5 VMWare imageUser: “root” / Password: “password”SSH on port 22 is open and you can login with passwordApache 2.2, running on 443 port (https)Self-signed SSL certificatesAuthConfig added to /cgi-bin and /html for .htaccessApache ServerName set to spXXX.example.orgHostnames:idpXXX.example.org
spXXX.example.org
altspXXX.example.org (alternative SP hostname)
ds.example.org
Restarting Processes
Apache/etc/init.d/httpd restart
Shibboleth SP/etc/init.d/shibd restart
TomcattomcatStop -- alias for /opt/tomcat-6.0.16/bin/shutdown.shtomcatStart -- alias for /opt/tomcat-6.0.16/bin/startup.sh
LDAP/etc/init.d/apacheds restart default
12
13Terms: Entity ID
A unique identifier for a identity provider (IdP) or service provider (SP)
In shibboleth 2 the recommended format is a URLidp: https://HOSTNAME/idp/shibbolethsp: https://HOSTNAME/shibboleth
14Terms: Relying Party
The SAML peer to which the IdP is communicating.
In all existing cases, the relying party of the IdP is always an SP. Some very advanced cases allow one IdP to be a relying party to another IdP.
15Terms: Binding
A description of how a SAML message is attached to an underlying transport protocol, such as http or smtp.
For example: If the message is sent over HTTP what HTTP headers need to be set, what are the URL or form parameter names, etc.
16Terms: Profile
A description of how to use SAML, over a specific binding, to accomplish a specific task (e.g. Single Signon) in an interoperable manner.
Profiles are the finest grained unit of interoperability within SAML.
17Terms: Metadata
A description of the SAML features supported by a SAML entity. Most importantly this includes the URLs for communicating with an entity.
Shibboleth also uses this information to build technical trust between entities.
18Installation
1. unzip /opt/installfest/distro/shibboleth-idp-2.0.0-bin.zip2. cd identityprovider3. chmod +x ant.sh4. ./ant.sh
a. answer yes to first questionb. use /opt/shibboleth-idp as your shib home directoryc. enter your hostname: idpXXX.example.orgd. enter password for your password
19Tomcat Deployment
1. Create the file /opt/tomcat-6.0.16/conf/Catalina/localhost/idp.xml with the contents:<Context docBase=”/opt/shibboleth-idp/war/idp.war” privileged="true” antiResourceLocking="false” antiJARLocking="false” unpackWAR="false" />
2. Start Tomcat3. Test your install
https://idpXXX.example.org/idp/profile/Status
You should simply see an “ok” message.If you receive an error, check /opt/tomcat-6.0.16/logs/catalina.out.
20SHIB_HOME
/opt/shibboleth-idp should now contain:binconfcredentialsliblogsmetadatawar
The Shibboleth documentation refers to this directory as SHIB_HOME
21SHIB_HOME/bin
Contains command line tools
aacli: Attribute authority command line interface allows you to simulate an attribute query/release
version: Provides the version of the IdP
22SHIB_HOME/conf
The IdP’s configuration files.
We’ll cover most as we go through the course. We will not cover service.xml or internal.xml as these control advanced features.
23SHIB_HOME/credentials
Credentials used by the IdP.
By default the IdP’s generated key (idp.key), cert (idp.crt) and a keystore (idp.jks) containing both are put here.
Good location to place things like trust anchor X.509 certs, cached CRLs, etc.
24SHIB_HOME/lib
The libraries (jars) that make up the IdP.
These are copies of those that occur in the IdP WAR file and are only used by the command line tools.
25SHIB_HOME/logs
Location of the Shibboleth log files.
process log: detailed description the IdP processing requests
access log: record of all the clients that connect to the idPaudit log: record of all information sent out from the IdP
26SHIB_HOME/metadata
Default location where various metadata files are stored.
The IdP does not automatically load any metadata. Metadata read from a file, or stored backup copies of remote metadata are usually put in this directory.
27SHIB_HOME/war
The location of the IdP WAR file created by the installer.
We point Tomcat to this file, instead of copying it to Tomcat, so that we don’t forget to copy new WARs if we rebuild the IdP (to add an extension, for example) or run into problems with Tomcat’s file caching mechanisms.
28Now some sleight of hand
cp /opt/installfest/idps/idpXXX/idp.*/opt/shibboleth-idp/credentials
cp /opt/installfest/sps/spXXX/*.xml/opt/shibboleth-idp/metadata
29Logging: Configuration
Logging configuration is controlled by the logging.xml config fileLog messages belong in a hierarchal category; most correspond to Java package namesLog messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR
https://spaces.internet2.edu/display/SHIB2/IdPLogging
30Logging: Configuration
Look at the IdP process log. Note how the messages are all info messages.Edit logging.xml and the change the logging level for the logger edu.internet2.middleware.shibboleth to DEBUGRestart the IdP and look at the process log again.The IdP will pick up change to logging.xml every 5 minutes.
31Metadata: Goals
Load metadata for local SPs from the filesystemLoad another metadata from a remote location
32Metadata: Configuration
Metadata is loaded in to the IdP by metadata providers.Metadata providers are configured in the relying-party.xml fileThis file may only contain one top-level provider. By default the top level provider is a chaining provider that contains other metadata providers and uses them in the order defined.
https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
33Metadata: Provider Config
• Metadata providers are configured using <MetadataProvider> element
• Every metadata provider has a:– unique ID given by the id attribute– type given by the xsi:type attribute
• Each type of metadata provider has its own set of configuration options
34Metadata: Filesystem Provider
The filesystem metadata provider reads a metadata file from the local filesystem.Type attribute value:–FilesystemMetadataProvider
Configuration attribute:–metadataFile gives the path to the metadata file
35Metadata: Local Metadata
In relying-party.xml add the following to the existing chaining metadata provider:
<MetadataProvider id=”spXXX"
xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata”
metadataFile=”/opt/shibboleth-idp/metadata/spXXX-metadata.xml” />
36Metadata: Local Metadata
Define an additional metadata provider that loads metadata from:/opt/shibboleth-idp/metadata/altspXXX-metadata.xml
37Metadata: File-backed HTTP Provider
Loads metadata via HTTP and backs it up to a local fileType attribute value:–FileBackedHTTPMetadataProvider
Configuration Attributes:–metadataURL: HTTP URL of metadata file–backingFile: location of the backup file
In production metadata signatures should be required and validated.
38Metadata: Remote Metadata
Update the metadata provider for altspXXX to load metadata from http://spXXX.example.org/altspXXX-metadata-remote.xmland stores it to /opt/shibboleth-idp/metadata/altspXXX-metadata-remote.xml
Metadata: Verify
Go to the following URLshttps://spXXX.example.org/securehttps://altspXXX.example.org/secure
You should see the following error, which makes sense since we haven’t configured the authentication piece yet.
39
40Metadata: Watchout
The chaining metadata provider looks up relying party information in its children in the order they are defined. If two child providers load different metadata for the same entity only the first description will ever be used by the IdP. No attempt to merge the data is made.
Authentication
42Terms: Authentication Mechanism
A concrete mechanism used to authenticate a user.
Shibboleth 2 currently supports REMOTE_USER, user/pass against LDAP & Kerberos, and IP address based mechanisms.
43Terms: Authentication Method
An identifier that a relying party may use to stipulate how authentication should be performed.
Authentication method identifiers correspond to a prescription of how authentication is done (even if the details are only in someone’s head).
44Terms: Login Handler
An IdP component that correlates all supported authentication methods with currently configured authentication mechanisms.
A login handler may map more than one authentication method to the same authentication mechanism.
45Terms: Session
State information about the user, currently active authentication methods, and services to which they are signed into.
A user’s IdP session is created the first time they authenticate but may outlive the lifetime of all authentication methods.
46Authentication: Goals
Configure UsernamePassword login handler to authenticate against LDAP.
47Login Handler: Configuration
Login handlers are configured in handler.xml•<LoginHandler> defines a login handlerEvery login handler definition has a xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.
https://spaces.internet2.edu/display/SHIB2/IdPUserAuthn
48Login Handler: Configuration
Each <LoginHandler> must contain at least one <AuthenticationMethod> which indicates what authentication method the login handler provides.
49Login Handler: UsernamePassword
Login handler that prompts for a username/password and validates against a JAAS module (LDAP & Kerberos 5 currently supported)Type attribute value:UsernamePasswordConfiguration attributes:–jaasConfigurationLocation path to the JAAS configuration file
50Login Handler: UsernamePassword
Edit the login.config1.Uncomment the LDAP login modules2.Configure it like this:
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host=”127.0.0.1” port=“10389” base="ou=people,dc=example,dc=org" userField="uid";
51Login Handler: UsernamePassword
Edit handler.xml1.Comment out RemoteUser handler2.Uncomment UsernamePassword handler
52LoginHandler: UsernamePassword
1.Restart Tomcat2.Access
https://spXXX.example.org/cgi-bin/attribute-viewer
3.Use student1/password as the username/password
53LoginHandler: UsernamePassword
The login page presented to the user is /opt/installfest/distro/identityprovider/resources/webpages/login.jsp
You may define more than one UsernamePassword login handler, with different authentication methods. For example one that work with LDAP and another that works with KerberosYou may define more than one LDAP host so that if one is down another is used.
54LoginHandler: Authentication Duration
Each authentication mechanism supports an activity timeoutAfter this timeout expires the mechanism is considered inactive for that user.If the user attempts to access a new service provider that requires that authentication mechanism they must re-authenticate.
55LoginHandler: Authentication Duration
It is configured by the authenticationDuration attribute on the <LoginHandler>Its value is the number of minutes of inactivity and its default value is 30.
56Forced Authentication
SAML 2 allows a service provider to force authentication of the user, even if the user has an existing session.Accesshttps://spXXX.example.org/Shibboleth.sso/Login?forceAuthn=true&target=https://spXXX.example.org/cgi-bin/attribute-viewer
Note that it requires you to authenticate again even though the user has a session.
57Force Authentication
Only works with mechanisms that can re-authenticate a user.RemoteUser does not support forced authentication.The service provider will receive an error if the IdP can not support forced authentication
58Authentication Method Selection
An SP may provide a list of acceptable methodsThe IdP then checks to see if any active mechanism provides any of those methods, if so, single sign on occursOtherwise the IdP picks supported, but not yet active, method and uses that.
Attribute Resolution
60Terms: Attribute
A piece of information about a user. Each attribute has a unique ID and has zero of more values.
Shibboleth attributes are protocol-agnostic data structures.
61Terms: SAML Attribute
An attribute that is represented in SAML notation.
Shibboleth transforms attributes into SAML attributes by a process known as encoding.
62Terms: Data Connector
A plugin that creates multiple attributes from information in data sources like LDAP and databases.
Shibboleth currently supports static, LDAP, relational database, computed, and stored ID data connectors.
63Terms: Attribute Definition
A plugin that creates a single attribute by transforming other attributes and state information.
Shibboleth currently supports simple, scoping, regex, mapping, template, scripting, principal name, and principal authentication method attribute definitions.
64Terms: Attribute Encoder
A plugin that converts an attribute into a protocol specific form, like a SAML attribute.
Attribute encoders are associated with an attribute through the attribute’s attribute definition.
65Terms: Principal Connector
A plugin that converts a name identifier, provided by a relying party, into the internally used userid.
66Terms: Attribute Resolver
A subsystem in Shibboleth responsible for fetching, transforming, and associating encoders with attributes.
Only attributes produced by attribute definitions leave the resolver and are available to other parts of the system.
67A bit of logging configuration
Edit logging.xmlTurn the logging level of each currently defined logger to WARNAdd a new logger:<logger name=“edu.internet2.middleware.shibboleth.common.attribute”> <level value=“DEBUG” /></logger>
68Attribute Goals
Define a simple attribute with a static value.Gather user information from an LDAP directoryCreate attribute definition that release some information with simple values and other information with scoped values
69Data Connector: Configuration
Data connectors are configured in attribute-resolver.xml•<DataConnector> defines a data connectorEvery data connector has a id attribute that uniquely identifies it.Every data connector has a xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute
70Data Connector: Configuration
Some connectors will need information collected by another plugin in order to work. This is represented by a <resolver:Dependency ref=“NAME” />
The dependency is declared before any other configuration elements.
The value of the ref attribute is the ID of the plugin upon which the connector depends.
71Data Connector: Static
Static data connector adds attributes to every resolved account.Type attribute value:StaticConfiguration attributes:none
https://spaces.internet2.edu/display/SHIB2/ResolverStaticDataConnector
72Data Connector: Static
The produced attributes are defined by:<Attribute id=“ATTRIBUTE_ID”>Values are added by:<Value>VALUE</Value>An attribute may have more than one value.
73Data Connector: Static
Create an attribute ‘eduPersonAffiliation’ that has one value ‘member’
<resolver:DataConnector id="staticEPA” xsi:type="Static” xmlns="urn:mace:shibboleth:2.0:resolver:dc">
<Attribute id="eduPersonAffiliation"> <Value>member</Value> </Attribute>
</resolver:DataConnector>
74Attribute Definition: Configuration
Attribute definitions are configured in attribute-resolver.xml•<AttributeDefinition> defines a definitionEvery definition has a id attribute that uniquely identifies it.Every definition has a xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute
75Attribute Definition: Configuration
Most definitions will need information collected by another plugin in order to work. This is represented by a <resolver:Dependency ref=“NAME” />
The dependency is declared before any other configuration elements.
The value of the ref attribute is the ID of the plugin upon which the definition depends.
76Attribute Definition: Simple
Attribute definition that simply releases an attribute from the resolver.Type attribute value:SimpleConfiguration attributes:sourceAttributeID - the name of the attribute, provided the dependencies, that will provide the values for this attribute
https://spaces.internet2.edu/display/SHIB2/ResolverSimpleAttributeDefinition
77Attribute Definition: ePA
Putting it all together we define an attribute definition for eduPersonAffiliation as follows:
<resolver:AttributeDefinition id="eduPersonAffiliation” xsi:type="Simple” xmlns="urn:mace:shibboleth:2.0:resolver:ad”
sourceAttributeID="eduPersonAffiliation">
<resolver:Dependency ref=”staticEPA” />
</resolver:AttributeDefinition>
78Attribute Definition: Testing
Restart the IdPClear your browser session or restart your browserWatch the logs using tail -f /opt/shibboleth-idp/logs/idp-process.log
Log in to https://spXXX.example.org/cgi-bin/attribute-viewer
You should see the following message:No attributes remained after encoding and filtering by value, no attribute statement built
79Attribute Encoders: Configuration
Attribute encoders are configured as children of an attribute definition.•<AttributeEncoder> defines an encoderEvery definition has a xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute
80Attribute Encoder: Basic SAML 1
A SAML 1 encoder always looks like this:
<resolver:AttributeEncoder xsi:type="SAML1String”xmlns="urn:mace:shibboleth:2.0:attribute:encoder”name="urn:mace:dir:attribute-def:eduPersonAffiliation” />
Only the name changes
https://spaces.internet2.edu/display/SHIB2/SAML1StringAttributeEncoder
81Attribute Encoder: Basic SAML 2
A SAML 2 encoder always looks like this:
<resolver:AttributeEncoder xsi:type="SAML2String”xmlns="urn:mace:shibboleth:2.0:attribute:encoder”name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1”
friendlyName=“eduPersonAffiliation” />
Only the name and friendly name changes
https://spaces.internet2.edu/display/SHIB2/SAML2StringAttributeEncoder
82Attribute Encoder: Configuration
Add SAML 1 and SAML 2 attribute encoders to your eduPersonAffiliation
eduPersonAffiliation:urn:mace:dir:attribute-def:eduPersonAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.1
83Data Connector: LDAP
Data connector that pulls user information from LDAPType attribute value:LDAPDirectoryConfiguration Attributes:ldapURL - ldap server connection URLbaseDN - search filter base DNprincipal - DN of user to connect ascredential - principal’s password
https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector
84Data Connector: LDAP
Lastly the LDAP data connector contains a child element <FilterTemplate>The template is used to construct the query filter, for now we’ll use(uid=$requestContext.principalName)
85Data Connector: LDAP
If you put it all together you should get: <resolver:DataConnector id=”myLDAP” xsi:type="LDAPDirectory” xmlns="urn:mace:shibboleth:2.0:resolver:dc” ldapURL="ldap://127.0.0.1:10389” baseDN="ou=people,dc=example,dc=org” principal="uid=admin,ou=system” principalCredential=”password”>
<FilterTemplate> (uid=$requestContext.principalName) </FilterTemplate> </resolver:DataConnector>
86Attribute Definition: ePA
Add the LDAP data connector as a dependency to your eduPersonAffiliation attribute definition.Run another testNote how the LDAP’s values are added to the value from the static data connector?
87Attribute Definition: ePPA
Create a simple attribute definition, called eduPersonPrimaryAffiliation that has a sourceAttributeID of eduPersonPrimaryAffiliation and depends myLDAP
Add attribute SAML1/2 string encoders:urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.5
88Attribute Scoping
Some attribute values may have ScopesScopes provide a domain within which an attribute value is validExample:Georgetown University has a main campus, a law school, and a medical school. A professor at the law school may not have the same rights as a professor at the medical school.
89Attribute Definition: Scoped
An attribute definition that adds a static scopeType attribute value:ScopedConfiguration Attributes:–sourceAttributeID - ID of the attribute whose values will be scoped–scope - scope added to the attribute values
https://spaces.internet2.edu/display/SHIB2/ResolverScopedAttributeDefinition
90Attribute Definition: Scoped
Create an attribute definition for eduPersonScopedAffiliation.
<resolver:AttributeDefinition id=”eduPersonScopedAffiliation" xsi:type=”Scoped”xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID=”eduPersonAffiliation” scope=“example.org”>
<resolver:Dependency ref=”myLDAP”/>
</resolver:AttributeDefinition>
91Attribute Definition: Prescoped
Prescoped attribute values already contain the scope within the datasourceType attribute value:PrescopedConfiguration Attributes:–sourceAttributeID - ID of the attribute with prescoped values–scopeDelimiter - the scope delimiter used in the attributes values (default: @)
https://spaces.internet2.edu/display/SHIB2/ResolverPrescopedAttributeDefinition
92Attribute Definition: Prescoped
Create an attribute definition that operates on the prescoped eduPersonPrincipalName attribute
<resolver:AttributeDefinition id=”eduPersonPrincipalName" xsi:type=”Prescoped”xmlns="urn:mace:shibboleth:2.0:resolver:ad"
sourceAttributeID=”eduPersonPrincipalName”>
<resolver:Dependency ref=”myLDAP" />
</resolver:AttributeDefinition>
93Attribute Encoders: Scoped
An attributes scope may be written into a SAML message in two ways:As an attribute on the SAML <AttributeValue Scope=“…”>Using inline value@scope notation
Notation used may be controlled by the scopeType attribute on the encoder. Values: attribute, inline
94Attribute Encoders: Scoped
SAML 1 Scoped Value Encoder<resolver:AttributeEncoder xsi:type="SAML1ScopedString”xmlns="urn:mace:shibboleth:2.0:attribute:encoder”name="urn:mace:dir:attribute-def:eduPersonPrincipalName” />
SAML 2 Scoped Valued Encoder<resolver:AttributeEncoder xsi:type="SAML2ScopedString”xmlns="urn:mace:shibboleth:2.0:attribute:encoder”name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6”
friendlyName=“eduPersonPrincipalName” />
95More about Dependencies
Any resolver plugin may have any number of dependencies.If more than one dependency provides the same attribute the dependent plugin operates on the effective union of valuesAttribute definitions may be marked with a dependencyOnly=“true” attribute. This ensures the value is never released outside the resolver (and speeds up filtering a bit).
96Data Connector Failover
Data connectors may define failover connectors such that if the data connector fails the failover connector is invoked.If more than one failover connector is defined they are tried in order until one succeeds.They are defined using:<resolver:FailoverDataConnector ref="CONNECTOR_ID_1" />
InCommon Recommendation
http://www.incommonfederation.org/attributesummary.html
So what if you have an existing LDAP with different attribute names? Change your LDAP schema if feasible Create additional attributes to use with Shibboleth Or just map the existing attributes with the “correct” ones using the attribute definition.
<resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" scope="example.org" sourceAttributeID="affiliation"> <resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
<resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" /> </resolver:AttributeDefinition>
97
Attribute Filtering
99Terms: Attribute Filter Policy
A policy containing a trigger, that indicates if the policy is active, and a set of attribute value filters.
100Terms: Policy Requirement Rule
A specific requirement that must be met in order for an attribute filter policy to in effect.
An attribute filter policy may only have one requirement rule but some rules allow child rules to be declared and combined.
101Terms: Attribute Rule
A rule, specific to an attribute, that determines which values are released to a relying party.
An attribute filter policy may have any number of attribute rules.
102Terms: Permit Value Rule
A rule that determines if an attribute value is permitted to be released to a relying party.
103Terms: Attribute Filter Policy Group
A collection of attribute filter policies.
These is the unit of configuration loaded by the attribute filtering engine.
104Terms: Attribute Authority
The entity that answers attribute requests.
This normally entails an attribute resolution phase followed by an attribute filtering phase.
105Attribute Filter Policy: Configuration
Attribute filters are defined in attribute-filter.xmlAttribute filter policies are declared with <AttributeFilterPolicy>
Every filter policy has a single id attribute that provides a unique name for the policy.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttributeFilter
106Policy Requirement Rule
•<PolicyRequirementRule> defines a requirement rule.Every rule has a xsi:type attribute that defines its type. Each type has its own set of configuration options.Every attribute filter policy must have one, and only one, policy requirement rule
107Policy Requirement Rule: Any
Requirement rule that always evaluates to trueType attribute value:basic:ANYConfiguration Attributes:none
108Attribute Filter Policy: Configuration
A filter policy that releases information to anyone.
<AttributeFilterPolicy id=”attributesToAnyone">
<PolicyRequirementRule xsi:type="basic:ANY" />
</AttributeFilterPolicy>
109Attribute Rule: Configuration
A rule representing the set of values released to a relying party.•<AttributeRule> defines a rule.Every rule has an attributeID attribute that identifies the attribute, by ID, to which the rule applies
110Permit Value Rule: Configuration
A rule that signifies a value should be released to the requester.•<PermitValueRule> defines a rule.Every rule has a xsi:type attribute that defines its type. Each type has its own set of configuration options.
111Permit Value Rule: Any
Rule that always evaluates to trueType attribute value:basic:ANYConfiguration Attributes:none
112Attribute Filter Policy: Configuration
A filter policy that releases eduPersonPrimaryAffiliation to anyone.
<AttributeFilterPolicy id=”attributesToAnyone">
<PolicyRequirementRule xsi:type="basic:ANY" />
<AttributeRule attributeID=“eduPersonPrimaryAffiliation”>
<PermitValueRule xsi:type=“basic:ANY” />
</AttributeRule>
</AttributeFilterPolicy>
113Attribute Filter Policy: Configuration
Add a new attribute rule that also releases all eduPersonAffiliation values to everyone.
114Policy Requirement Rule: Attribute Requester String
A policy requirement rule that evaluates to true if the attribute requester matches a stringType attribute value:basic:AttributeRequesterStringConfiguration Attributes:–value - the entity ID of the attribute requester–ignoreCase - if case should be ignored during evaluation
115Attribute Filter Policy: Configuration
Create a new attribute filter policy rule whose requirement is that the requester is https://spXXX.example.org/shibboleth and that releases eduPersonPrincipalName.
116Permit Value Rule: AND, OR, NOT
Evaluates to true/false before evaluating the AND/OR/NOT of child rule(s).Type attribute value:basic:AND, basic:OR, basic:NOTAdditional Configuration:Each of these rules operate on child rules defined using <basic:Rule> with an xsi:type of the permit value rule to be and/or/not’ed
117Permit Value Rule: Attribute Value String
A policy requirement rule that evaluates to true if the attribute value matches a stringType attribute value:basic:AttributeValueStringConfiguration Attributes:–value - the principal name of the user–ignoreCase - true if values case should be ignored during comparison
118Attribute Rule: Configuration
A rule that allows only certain eduPersonAffiliation values
<AttributeRule attributeID=“eduPersonAffiliation”>
<PermitValueRule xsi:type=“basic:OR”>
<basic:Rule xsi:type=“basic:AttributeValueString”
value=“student” />
<basic:Rule xsi:type=“basic:AttributeValueString”
value=“staff” />
</PermitValueRule>
</AttributeRule>
119Attribute Rule Configuration
Create permit value rules for the two affiliation attributes that only allow the values: faculty, staff, student, alum, member, affiliate, employee, library-walk-in
120Group/User Policies
To create a “group policy” define a policy whose policy requirement rule matches on an attribute value carrying your group information.To create a “user policy” define a policy whose policy requirement rule matches on the value of the principal’s name.
121Attribute Filtering Gotchyas
Only those values explicitly permitted are ever releasedThere is no way to expressly deny the release of an attributes so be careful how your attribute filter policies overlap (deny value rules will be in 2.1)Rules that operate on an attributes’ values will not take scopes into consideration
New Features
123Shibboleth IdP 2.1
Expected release in October 2008.
Clustering support
Resource files available through Subversion
Deny release of attributes
124Documented Roadmap for 2.2
Back-channel SLO profile
X.509 authentication
User consent on attribute release
Many more features planned....
https://spaces.internet2.edu/display/SHIB2/Shibboleth+2.2+Roadmap