Shibboleth IDP4 Notes: Difference between revisions
Jump to navigation
Jump to search
(Created page with "==About== Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.") |
|||
| (37 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
==About== | ==About== | ||
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS. | Just some notes about Shibboleth IDP4 based on discussions with Texas DPS. | ||
==Changes== | |||
An important change is that Shibboleth IDP 4 has a new '''secrets.properties''' file within the credentials directory. This file will override credentials that are put into the properties file in the config file likely leading to problems. Be sure to migrate service credentials into this properties file. | |||
== Sample attribute-filter == | |||
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below. | |||
<AttributeFilterPolicy id="releaseNIEFAttributes"> | |||
<PolicyRequirementRule xsi:type="ANY" /> | |||
<AttributeRule attributeID="niefEmail"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefEmployer"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefFedId"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefGivenName"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefIdentityProviderId"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefSurName"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefTelephoneNumber"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefIdentityProviderId"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefUniqueSubjectId"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="nief28CFR"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefORI"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefEmployerStateCode"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefPSO"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefSLEO"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefAAL"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefFAL"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefIAL"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefIntelligenceAnalystIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefDisplayName"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefLocalId"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefNCICCertificationIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefNDExPrivilegeIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefPCIICertificationIndicator"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
<AttributeRule attributeID="niefFICAMAssuranceLevelCode"> | |||
<PermitValueRule xsi:type="ANY" /> | |||
</AttributeRule> | |||
</AttributeFilterPolicy> | |||
== Attribute Definitions == | |||
Add the [[NIEF Attribute Defintions]] to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml: | |||
{|class="wikitable" | |||
!Id Within attribute-resolver.xml | |||
!Attribute Name | |||
!URL | |||
|- | |||
!colspan="3"|NIEF Mandatory | |||
|- | |||
|niefEmail | |||
|Email Address Text | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0 | |||
|- | |||
|niefEmployer | |||
|Employer Name | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0 | |||
|- | |||
|niefFedId | |||
|Federation Id | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0 | |||
|- | |||
|niefGivenName | |||
|Given Name | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0 | |||
|- | |||
|niefIdentityProviderId | |||
|Identity Provider Id | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0 | |||
|- | |||
|niefSurName | |||
|Sur Name | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0 | |||
|- | |||
|niefTelephoneNumber | |||
|Telephone Number | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0 | |||
|- | |||
|niefIdentityProviderId | |||
|Identity Provider Id | |||
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0 | |||
|- | |||
|niefUniqueSubjectId | |||
|Unique Subject Id | |||
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0 | |||
|- | |||
!colspan="3"|NIEF Highly Recommended | |||
|- | |||
|nief28CFR | |||
|28 CFR Certification Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0 | |||
|- | |||
|niefElectronicAuthenticationAssuranceLevelCode | |||
|Electronic Authentication Assurance Level Code | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0 | |||
|- | |||
|niefORI | |||
|Employer ORI | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0 | |||
|- | |||
|niefEmployerOrganizationGeneralCategoryCode | |||
|Employer Organization General Category Code | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0 | |||
|- | |||
|niefEmployerStateCode | |||
|Employer State Code | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0 | |||
|- | |||
|niefIdentityProofingAssuranceLevelCode | |||
|Identity Proofing Assurance Level Code | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0 | |||
|- | |||
|niefPSO | |||
|Public Safety Officer Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0 | |||
|- | |||
|niefSLEO | |||
|Sworn Law Enforcement Officer Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0 | |||
|- | |||
|niefAAL | |||
|Authenticator Assurance Level | |||
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0 | |||
|- | |||
|niefFAL | |||
|Federation Assurance Level | |||
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0 | |||
|- | |||
|niefIAL | |||
|Identity Assurance Level | |||
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0 | |||
|- | |||
!colspan="3"|NIEF Recommended | |||
|- | |||
|niefIntelligenceAnalystIndicator | |||
|Intelligence Analyst Indicator | |||
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0 | |||
|- | |||
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator | |||
|Counter Terrorism Data Self Search Home Privilege Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0 | |||
|- | |||
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator | |||
|Criminal History Data Self Search Home Privilege Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0 | |||
|- | |||
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator | |||
|Criminal Intelligence Data Self Search Home Privilege Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0 | |||
|- | |||
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator | |||
|Criminal Investigative Data Self Search Home Privilege Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0 | |||
|- | |||
|niefDisplayName | |||
|Display Name | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0 | |||
|- | |||
|niefGovernmentDataSelfSearchHomePrivilegeIndicator | |||
|Government Data Self Search Home Privilege Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0 | |||
|- | |||
|niefLocalId | |||
|Local Id | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0 | |||
|- | |||
|niefNCICCertificationIndicator | |||
|NCIC Certification Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0 | |||
|- | |||
|niefNDExPrivilegeIndicator | |||
|NDEx Privilege Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0 | |||
|- | |||
|niefPCIICertificationIndicator | |||
|PCII Certification Indicator | |||
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0 | |||
|- | |||
|niefFICAMAssuranceLevelCode | |||
|FICAM Assurance Level Code | |||
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0 | |||
|} | |||
== Sample Attribute Resolver == | |||
This sample attribute resolver uses the NIEF Attribute Definitions above. The "Simple" data connector type is a custom data connector that reads attributes from files on the filesystem. The dataconnectors are also specified in this same file, but that is not included in this sample. This requires specific attribute ids, that is how the attribute definition is applied to the attribute: | |||
<!-- Usually you need the userID resolved during authentication as an input to other data connectors /> | |||
<AttributeDefinition id="uid" xsi:type="PrincipalName" /> | |||
<!-- ========================================== --> | |||
<!-- Attribute Definitions --> | |||
<!-- ========================================== --> | |||
<AttributeDefinition id="recipientId" xsi:type="ScriptedAttribute" > | |||
<Script> <![CDATA[ | |||
recipientIdString = requestContext.getPeerEntityId(); | |||
recipientId.addValue(recipientIdString); | |||
]]></Script> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="nief28CFR" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="CFRCertified"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefEmail" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="email"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefGivenName" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="firstname"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefSurName" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="lastname"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefIdentityProviderId" xsi:type="Template" > | |||
<InputDataConnector ref="staticAttributes" attributeNames="orgid"/> | |||
<Template> | |||
<![CDATA[ | |||
NIEF:IDP:${orgid} | |||
]]> | |||
</Template> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefEmployer" xsi:type="Simple" > | |||
<InputDataConnector ref="staticAttributes" attributeNames="employer"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefFedId" xsi:type="Template" > | |||
<InputDataConnector ref="staticAttributes" attributeNames="orgid"/> | |||
<InputDataConnector ref="File" attributeNames="email"/> | |||
<Template> | |||
<![CDATA[ | |||
NIEF:IDP:${orgid}:USER:${email} | |||
]]> | |||
</Template> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefAAL" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="aal"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefIAL" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="ial"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefORI" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="ori"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefPSO" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="pso"/> | |||
</AttributeDefinition> | |||
<AttributeDefinition id="niefSLEO" xsi:type="Simple" > | |||
<InputDataConnector ref="File" attributeNames="sleo"/> | |||
</AttributeDefinition> | |||
=== Dataconnectors === | |||
Data connectors looks close to the same as Shibboleth 3, note the '''InputAttributeDefintion''' field is used instead of the old '''Dependency''' concept in Shib3. Here are three sample data connectors, two are built-in 'static' and 'HTTP', while 'Simple' is the one GTRI created that serves from the filesystem: | |||
<DataConnector id="staticAttributes" xsi:type="Static"> | |||
<Attribute id="employer"> | |||
<Value>Texas National Guard (DEMO)</Value> | |||
</Attribute> | |||
<Attribute id="orgid"> | |||
<Value>tng-interop-idp</Value> | |||
</Attribute> | |||
</DataConnector> | |||
<DataConnector id="File" xsi:type="txdps:Test" | |||
pathToAttributeFiles="/opt/shibboleth-idp/users/" | |||
uidAttribute="uid"> | |||
<InputAttributeDefinition ref="uid" /> | |||
</DataConnector> | |||
<DataConnector id="iirHTTP" xsi:type="HTTP" | |||
httpClientRef="shibboleth.NonCachingHttpClient"> | |||
<InputAttributeDefinition ref="niefEmail" /> | |||
<URLTemplate> | |||
<![CDATA[ | |||
https://tca.iir.com/api/LookupTestCompleted?code=D7utRK84NO8sDTYRjh0UGP3fNXLjrH96FMlKs21YqcBpyTeZp6k/rw== | |||
]]> | |||
</URLTemplate> | |||
<BodyTemplate MIMEType="application/json"> | |||
<![CDATA[ | |||
{ 'email': '$niefEmail.get(0)' } | |||
]]> | |||
</BodyTemplate> | |||
<ResponseMapping> | |||
<Script> | |||
<![CDATA[ | |||
var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute"); | |||
var HashSet = Java.type("java.util.HashSet"); | |||
var HttpClientSupport = Java.type("net.shibboleth.utilities.java.support.httpclient.HttpClientSupport"); | |||
var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute"); | |||
var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue"); | |||
// Limits length to 64k | |||
var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536); | |||
logger.info("Query Response = " + body); | |||
var result = JSON.parse(body); | |||
//logger.info("Parsed JSON Completed = " + result.completed); | |||
var attr = new IdPAttribute("CFRCertified"); | |||
var values = new HashSet(); | |||
if (result.completed) { | |||
values.add(new StringAttributeValue("true")); | |||
} else { | |||
values.add(new StringAttributeValue("false")); | |||
} | |||
attr.setValues(values); | |||
connectorResults.add(attr); | |||
]]> | |||
</Script> | |||
</ResponseMapping> | |||
<ResultCache expireAfterWrite="PT5M"/> | |||
</DataConnector> | |||
== Metadata Providers == | |||
The following are sample metadata providers that are useful for systems that are working with NIEF. The first is a sample of the NIEF Production metadata provider and the second is an example of the NIEF Testbed provider. In both cases the associated certificate would need to be downloaded and put into the credentials directory for this provider to work: | |||
* [[https://nief.org/trust-fabric/nief-ca.crt NIEF CA Cert]] | |||
* [[https://ref.gfipm.net/ref-gfipm-ca.crt NIEF Testbed Cert]] | |||
=== NIEF Metadata Provider (Production) === | |||
<MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/nief-metadata.xml" metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml"> | |||
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" /> | |||
<MetadataFilter xsi:type="EntityRole"> | |||
<RetainedRole>md:SPSSODescriptor</RetainedRole> | |||
</MetadataFilter> | |||
</MetadataProvider> | |||
=== NIEF Testbed Metadata Provider === | |||
<MetadataProvider id="HTTPMetadata" | |||
xsi:type="FileBackedHTTPMetadataProvider" | |||
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml" | |||
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml"> | |||
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" /> | |||
<MetadataFilter xsi:type="EntityRole"> | |||
<RetainedRole>md:SPSSODescriptor</RetainedRole> | |||
</MetadataFilter> | |||
</MetadataProvider> | |||
== Data Connector Information == | |||
Shibboleth 4 supports more DataConnector types than previous versions of Shibbboleth. | |||
=== HTTPConnector === | |||
Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector | |||
GTRI created a sample HTTPConnector that implementes the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector | |||
== Ongoing Notes == | |||
[[Create a NIEF Attribute Registry]] | |||
Latest revision as of 18:23, 24 May 2022
About
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.
Changes
An important change is that Shibboleth IDP 4 has a new secrets.properties file within the credentials directory. This file will override credentials that are put into the properties file in the config file likely leading to problems. Be sure to migrate service credentials into this properties file.
Sample attribute-filter
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.
<AttributeFilterPolicy id="releaseNIEFAttributes">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
Attribute Definitions
Add the NIEF Attribute Defintions to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:
Sample Attribute Resolver
This sample attribute resolver uses the NIEF Attribute Definitions above. The "Simple" data connector type is a custom data connector that reads attributes from files on the filesystem. The dataconnectors are also specified in this same file, but that is not included in this sample. This requires specific attribute ids, that is how the attribute definition is applied to the attribute:
<AttributeDefinition id="recipientId" xsi:type="ScriptedAttribute" >
<Script> <![CDATA[
recipientIdString = requestContext.getPeerEntityId();
recipientId.addValue(recipientIdString);
]]></Script>
</AttributeDefinition>
<AttributeDefinition id="nief28CFR" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="CFRCertified"/>
</AttributeDefinition>
<AttributeDefinition id="niefEmail" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="email"/>
</AttributeDefinition>
<AttributeDefinition id="niefGivenName" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="firstname"/>
</AttributeDefinition>
<AttributeDefinition id="niefSurName" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="lastname"/>
</AttributeDefinition>
<AttributeDefinition id="niefIdentityProviderId" xsi:type="Template" >
<InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
<Template>
<![CDATA[
NIEF:IDP:${orgid}
]]>
</Template>
</AttributeDefinition>
<AttributeDefinition id="niefEmployer" xsi:type="Simple" >
<InputDataConnector ref="staticAttributes" attributeNames="employer"/>
</AttributeDefinition>
<AttributeDefinition id="niefFedId" xsi:type="Template" >
<InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
<InputDataConnector ref="File" attributeNames="email"/>
<Template>
<![CDATA[
NIEF:IDP:${orgid}:USER:${email}
]]>
</Template>
</AttributeDefinition>
<AttributeDefinition id="niefAAL" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="aal"/>
</AttributeDefinition>
<AttributeDefinition id="niefIAL" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="ial"/>
</AttributeDefinition>
<AttributeDefinition id="niefORI" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="ori"/>
</AttributeDefinition>
<AttributeDefinition id="niefPSO" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="pso"/>
</AttributeDefinition>
<AttributeDefinition id="niefSLEO" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="sleo"/>
</AttributeDefinition>
Dataconnectors
Data connectors looks close to the same as Shibboleth 3, note the InputAttributeDefintion field is used instead of the old Dependency concept in Shib3. Here are three sample data connectors, two are built-in 'static' and 'HTTP', while 'Simple' is the one GTRI created that serves from the filesystem:
<DataConnector id="staticAttributes" xsi:type="Static">
<Attribute id="employer">
<Value>Texas National Guard (DEMO)</Value>
</Attribute>
<Attribute id="orgid">
<Value>tng-interop-idp</Value>
</Attribute>
</DataConnector>
<DataConnector id="File" xsi:type="txdps:Test"
pathToAttributeFiles="/opt/shibboleth-idp/users/"
uidAttribute="uid">
<InputAttributeDefinition ref="uid" />
</DataConnector>
<DataConnector id="iirHTTP" xsi:type="HTTP"
httpClientRef="shibboleth.NonCachingHttpClient">
<InputAttributeDefinition ref="niefEmail" />
<URLTemplate>
<![CDATA[
https://tca.iir.com/api/LookupTestCompleted?code=D7utRK84NO8sDTYRjh0UGP3fNXLjrH96FMlKs21YqcBpyTeZp6k/rw==
]]>
</URLTemplate>
<BodyTemplate MIMEType="application/json">
<![CDATA[
{ 'email': '$niefEmail.get(0)' }
]]>
</BodyTemplate>
<ResponseMapping>
<Script>
<![CDATA[
var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
var HashSet = Java.type("java.util.HashSet");
var HttpClientSupport = Java.type("net.shibboleth.utilities.java.support.httpclient.HttpClientSupport");
var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
// Limits length to 64k
var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536);
logger.info("Query Response = " + body);
var result = JSON.parse(body);
//logger.info("Parsed JSON Completed = " + result.completed);
var attr = new IdPAttribute("CFRCertified");
var values = new HashSet();
if (result.completed) {
values.add(new StringAttributeValue("true"));
} else {
values.add(new StringAttributeValue("false"));
}
attr.setValues(values);
connectorResults.add(attr);
]]>
</Script>
</ResponseMapping>
<ResultCache expireAfterWrite="PT5M"/>
</DataConnector>
Metadata Providers
The following are sample metadata providers that are useful for systems that are working with NIEF. The first is a sample of the NIEF Production metadata provider and the second is an example of the NIEF Testbed provider. In both cases the associated certificate would need to be downloaded and put into the credentials directory for this provider to work:
NIEF Metadata Provider (Production)
<MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/nief-metadata.xml" metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
NIEF Testbed Metadata Provider
<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
Data Connector Information
Shibboleth 4 supports more DataConnector types than previous versions of Shibbboleth.
HTTPConnector
Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector
GTRI created a sample HTTPConnector that implementes the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector