Shibboleth IDP4 Notes: Difference between revisions

From NIEF Wiki
Jump to navigation Jump to search
Line 8: Line 8:
       <AttributeRule attributeID="niefEmail">
       <AttributeRule attributeID="niefEmail">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefEmployer">
       </AttributeRule>
      <AttributeRule attributeID="niefEmployer">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefFedId">
       </AttributeRule>
      <AttributeRule attributeID="niefFedId">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefGivenName">
       </AttributeRule>
      <AttributeRule attributeID="niefGivenName">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefIdentityProviderId">
       </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefSurName">
       </AttributeRule>
      <AttributeRule attributeID="niefSurName">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefTelephoneNumber">
       </AttributeRule>
      <AttributeRule attributeID="niefTelephoneNumber">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefIdentityProviderId">
       </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefUniqueSubjectId">
       </AttributeRule>
      <AttributeRule attributeID="niefUniqueSubjectId">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="nief28CFR">
       </AttributeRule>
      <AttributeRule attributeID="nief28CFR">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
       </AttributeRule>
      <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefORI">
       </AttributeRule>
      <AttributeRule attributeID="niefORI">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
       </AttributeRule>
      <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefEmployerStateCode">
       </AttributeRule>
      <AttributeRule attributeID="niefEmployerStateCode">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
       </AttributeRule>
      <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefPSO">
       </AttributeRule>
      <AttributeRule attributeID="niefPSO">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefSLEO">
       </AttributeRule>
      <AttributeRule attributeID="niefSLEO">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefAAL">
       </AttributeRule>
      <AttributeRule attributeID="niefAAL">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefFAL">
       </AttributeRule>
      <AttributeRule attributeID="niefFAL">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefIAL">
       </AttributeRule>
      <AttributeRule attributeID="niefIAL">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefDisplayName">
       </AttributeRule>
      <AttributeRule attributeID="niefDisplayName">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefLocalId">
       </AttributeRule>
      <AttributeRule attributeID="niefLocalId">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefNCICCertificationIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefNCICCertificationIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefNDExPrivilegeIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefNDExPrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefPCIICertificationIndicator">
       </AttributeRule>
      <AttributeRule attributeID="niefPCIICertificationIndicator">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>       <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
       </AttributeRule>
      <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
           <PermitValueRule xsi:type="ANY" />
           <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
     </AttributeFilterPolicy>
     </AttributeFilterPolicy>


Revision as of 01:01, 6 May 2021

About

Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

Sample attribute-filter

   <AttributeFilterPolicy id="releaseAll">
       <PolicyRequirementRule xsi:type="ANY" />
      <AttributeRule attributeID="niefEmail">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployer">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFedId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefGivenName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefSurName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefTelephoneNumber">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefUniqueSubjectId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="nief28CFR">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefORI">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployerStateCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefPSO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefSLEO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefAAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefDisplayName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefLocalId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefNCICCertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefNDExPrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefPCIICertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>

   </AttributeFilterPolicy>

Sample Attribute Definition

To Do: Create a NIEF Attribute Registry definition.

If you add the NIEF Attribute Defintions you can reference this table for the IDs to use within the Attribute Resolver:

Id Within attribute-resolver.xml Attribute Name URL
NIEF Mandatory
niefEmail Email Address Text https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
niefEmployer Employer Name https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
niefFedId Federation Id https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
niefGivenName Given Name https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
niefSurName Sur Name https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
niefTelephoneNumber Telephone Number https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
niefUniqueSubjectId Unique Subject Id https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
NIEF Highly Recommended
nief28CFR 28 CFR Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
niefElectronicAuthenticationAssuranceLevelCode Electronic Authentication Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
niefORI Employer ORI https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
niefEmployerOrganizationGeneralCategoryCode Employer Organization General Category Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
niefEmployerStateCode Employer State Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
niefIdentityProofingAssuranceLevelCode Identity Proofing Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
niefPSO Public Safety Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
niefSLEO Sworn Law Enforcement Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
niefAAL Authenticator Assurance Level https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
niefFAL Federation Assurance Level https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
niefIAL Identity Assurance Level https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
NIEF Recommended
niefIntelligenceAnalystIndicator Intelligence Analyst Indicator https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator Counter Terrorism Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator Criminal History Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator Criminal Intelligence Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator Criminal Investigative Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
niefDisplayName Display Name https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
niefGovernmentDataSelfSearchHomePrivilegeIndicator Government Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
niefLocalId Local Id https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
niefNCICCertificationIndicator NCIC Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
niefNDExPrivilegeIndicator NDEx Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
niefPCIICertificationIndicator PCII Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
niefFICAMAssuranceLevelCode FICAM Assurance Level Code https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

Quick Test, create a properties file per attribute in the attributes/custom directory: 

   id=gfipmmail
   transcoder=SAML2StringTranscoder
   saml2.name=gfipm:2.0:user:EmailAddressText

   id=firstname
   transcoder=SAML2StringTranscoder
   saml2.name=gfipm:2.0:user:GivenName

   id=lastname
   transcoder=SAML2StringTranscoder
   saml2.name=gfipm:2.0:user:SurName

GFIPM Reference Fed Metadata Provider

   <MetadataProvider id="HTTPMetadata"
                     xsi:type="FileBackedHTTPMetadataProvider"
                     backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
                     metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
       <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
       <MetadataFilter xsi:type="EntityRole">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>
Retrieved from "https://wiki.nief.org/index.php?title=Shibboleth_IDP4_Notes&oldid=253"