Shibboleth IDP4 Notes: Difference between revisions

Line 6: Line 6:
     <AttributeFilterPolicy id="releaseAll">
     <AttributeFilterPolicy id="releaseAll">
         <PolicyRequirementRule xsi:type="ANY" />
         <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="OrgId">
      <AttributeRule attributeID="niefEmail">
            <PermitValueRule xsi:type="ANY" />
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
      </AttributeRule>      <AttributeRule attributeID="niefEmployer">
        <AttributeRule attributeID="empname">
          <PermitValueRule xsi:type="ANY" />
            <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefFedId">
        </AttributeRule>
          <PermitValueRule xsi:type="ANY" />
        <AttributeRule attributeID="LocalId">
      </AttributeRule>      <AttributeRule attributeID="niefGivenName">
            <PermitValueRule xsi:type="ANY" />
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
      </AttributeRule>      <AttributeRule attributeID="niefIdentityProviderId">
        <AttributeRule attributeID="lastname">
          <PermitValueRule xsi:type="ANY" />
            <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefSurName">
        </AttributeRule>
          <PermitValueRule xsi:type="ANY" />
        <AttributeRule attributeID="firstname">
      </AttributeRule>      <AttributeRule attributeID="niefTelephoneNumber">
            <PermitValueRule xsi:type="ANY" />
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
      </AttributeRule>      <AttributeRule attributeID="niefIdentityProviderId">
        <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="ANY" />
            <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefUniqueSubjectId">
        </AttributeRule>
          <PermitValueRule xsi:type="ANY" />
        <AttributeRule attributeID="gfipmmail">
      </AttributeRule>      <AttributeRule attributeID="nief28CFR">
            <PermitValueRule xsi:type="ANY" />
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
      </AttributeRule>      <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
        <AttributeRule attributeID="fedid">
          <PermitValueRule xsi:type="ANY" />
            <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefORI">
        </AttributeRule>
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefEmployerStateCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefPSO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefSLEO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefAAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefFAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefIAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefDisplayName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefLocalId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefNCICCertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefNDExPrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefPCIICertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>      <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
     </AttributeFilterPolicy>
     </AttributeFilterPolicy>
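Review bot: The last rule in the new list, `<AttributeRule attributeID="niefFICAMAssuranceLevelCode">`, has no closing `</AttributeRule>` before `</AttributeFilterPolicy>`, so the file as shown is not well-formed and the IdP will refuse to load the filter; add `</AttributeRule>` after its `<PermitValueRule xsi:type="ANY" />`. The policy also keeps `<PolicyRequirementRule xsi:type="ANY" />` under the id releaseAll, which releases every listed attribute — including privilege and certification indicators such as niefSLEO, nief28CFR and the SelfSearchHomePrivilege indicators — to every relying party in the IdP's metadata; that suits a sandbox, but outside one the requirement rule should name the SPs that need the set (e.g. `<PolicyRequirementRule xsi:type="Requester" value="[SP entityID]" />`, or an InEntityGroup rule), with a comment saying so. niefIdentityProviderId appears twice in the new list (once after niefGivenName, again after niefTelephoneNumber); the second rule is redundant, and since the registry table on this page maps both a gfipm/2.0 and a nief/1.0 IdentityProviderId to that same resolver id, the two definitions would collide unless one gets a distinct id. Several `</AttributeRule>` and `<AttributeRule>` tags are collapsed onto one line; one element per line keeps the list reviewable. The enclosing AttributeFilterPolicyGroup root is outside this hunk, and with the wiki's +/- markers lost the old and new sides cannot be told apart here.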



Revision as of 00:59, 6 May 2021

About

Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

Sample attribute-filter

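   <!-- Sample attribute-filter policy for the NIEF attribute set.
        Each attributeID must match the id of an attribute definition in
        attribute-resolver.xml (see the registry table below).
        PolicyRequirementRule ANY applies this policy to every relying party
        in the IdP's metadata; that is fine for a sandbox, but in a production
        IdP scope it to the SPs that need these attributes (for example
        xsi:type="Requester" value="[SP entityID]") before the privilege and
        certification indicators further down are released.
        niefIdentityProviderId is listed once: the registry has both a
        gfipm/2.0 and a nief/1.0 IdentityProviderId attribute, so if both are
        defined they need distinct resolver ids and a rule each. -->
   <AttributeFilterPolicy id="releaseAll">
       <PolicyRequirementRule xsi:type="ANY" />

       <!-- NIEF Mandatory -->
       <AttributeRule attributeID="niefEmail">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefEmployer">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefFedId">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefGivenName">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefIdentityProviderId">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefSurName">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefTelephoneNumber">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefUniqueSubjectId">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>

       <!-- NIEF Highly Recommended -->
       <AttributeRule attributeID="nief28CFR">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefORI">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefEmployerStateCode">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefPSO">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefSLEO">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefAAL">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefFAL">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefIAL">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>

       <!-- NIEF Recommended -->
       <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefDisplayName">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefLocalId">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefNCICCertificationIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefNDExPrivilegeIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <AttributeRule attributeID="niefPCIICertificationIndicator">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
       <!-- The original sample was missing this closing </AttributeRule>,
            which made the file ill-formed. -->
       <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
           <PermitValueRule xsi:type="ANY" />
       </AttributeRule>
   </AttributeFilterPolicy>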

Sample Attribute Definition

To Do: Create a NIEF Attribute Registry definition.

If you add the NIEF Attribute Definitions, you can reference this table for the IDs to use within the Attribute Resolver:

Id Within attribute-resolver.xml Attribute Name URL
NIEF Mandatory
niefEmail Email Address Text https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
niefEmployer Employer Name https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
niefFedId Federation Id https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
niefGivenName Given Name https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
niefSurName Sur Name https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
niefTelephoneNumber Telephone Number https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
niefUniqueSubjectId Unique Subject Id https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
NIEF Highly Recommended
nief28CFR 28 CFR Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
niefElectronicAuthenticationAssuranceLevelCode Electronic Authentication Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
niefORI Employer ORI https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
niefEmployerOrganizationGeneralCategoryCode Employer Organization General Category Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
niefEmployerStateCode Employer State Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
niefIdentityProofingAssuranceLevelCode Identity Proofing Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
niefPSO Public Safety Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
niefSLEO Sworn Law Enforcement Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
niefAAL Authenticator Assurance Level https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
niefFAL Federation Assurance Level https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
niefIAL Identity Assurance Level https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
NIEF Recommended
niefIntelligenceAnalystIndicator Intelligence Analyst Indicator https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator Counter Terrorism Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator Criminal History Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator Criminal Intelligence Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator Criminal Investigative Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
niefDisplayName Display Name https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
niefGovernmentDataSelfSearchHomePrivilegeIndicator Government Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
niefLocalId Local Id https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
niefNCICCertificationIndicator NCIC Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
niefNDExPrivilegeIndicator NDEx Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
niefPCIICertificationIndicator PCII Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
niefFICAMAssuranceLevelCode FICAM Assurance Level Code https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

Quick test: create one properties file per attribute in the attributes/custom directory:

   # Quick-test attribute definitions: one file per attribute under attributes/custom/
   # (each id/transcoder/saml2.name group below is a separate file; a single file
   # with three id= lines would not define three attributes).
   # The id is what the attribute-filter's AttributeRule attributeID refers to. Note the
   # filter sample above releases niefEmail/niefGivenName/niefSurName, not these ids, so
   # align one side or the quick-test attributes will never be released.
   # saml2.name is the SAML attribute Name emitted on the wire; the transcoder encodes
   # the value as a SAML 2.0 string attribute.
   id=gfipmmail
   transcoder=SAML2StringTranscoder
   saml2.name=gfipm:2.0:user:EmailAddressText
   # --- separate file ---
   id=firstname
   transcoder=SAML2StringTranscoder
   saml2.name=gfipm:2.0:user:GivenName
   # --- separate file ---
   id=lastname
   transcoder=SAML2StringTranscoder
   saml2.name=gfipm:2.0:user:SurName

GFIPM Reference Fed Metadata Provider

   <!-- Metadata for the GFIPM reference federation, fetched over HTTPS from
        metadataURL and cached at backingFile so the IdP can start from the
        local copy if the fetch fails. -->
   <MetadataProvider id="HTTPMetadata"
                     xsi:type="FileBackedHTTPMetadataProvider"
                     backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
                     metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
       <!-- Reject any metadata not signed by the key in gfipm-ca.pem. This filter,
            not the HTTPS transport, is what keeps a tampered or stale download
            (including a tampered backing file) from being trusted; keep it first
            so later filters only see verified metadata. -->
       <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
       <!-- Keep only the SP roles from the federation feed; other roles in the
            aggregate are dropped. -->
       <MetadataFilter xsi:type="EntityRole">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>