Shibboleth IDP4 Notes: Difference between revisions

From NIEF Wiki
The change shown in this diff falls after the attribute definitions table and before the "GFIPM Reference Fed Metadata Provider" section:

Quick Test: create a properties file per attribute in the ''attributes/custom'' directory (one file for each of the three attributes below):
    id=gfipmmail
    transcoder=SAML2StringTranscoder
    saml2.name=gfipm:2.0:user:EmailAddressText
    
    id=firstname
    transcoder=SAML2StringTranscoder
    saml2.name=gfipm:2.0:user:GivenName
    
    id=lastname
    transcoder=SAML2StringTranscoder
    saml2.name=gfipm:2.0:user:SurName



Revision as of 02:21, 6 May 2021

About

Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

Sample attribute-filter

The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attribute IDs defined in the NIEF Attribute Definitions for Shibboleth 4 (see the table below).

    <AttributeFilterPolicy id="releaseAll">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="niefEmail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefEmployer">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefFedId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefGivenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIdentityProviderId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefSurName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefTelephoneNumber">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIdentityProviderId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefUniqueSubjectId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="nief28CFR">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefORI">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefEmployerStateCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefPSO">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefSLEO">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefAAL">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefFAL">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIAL">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefDisplayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefLocalId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefNCICCertificationIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefNDExPrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefPCIICertificationIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>


Attribute Definitions

Add the NIEF Attribute Definitions to your Shibboleth 4 IDP, then refer to the table below when resolving NIEF attributes in attribute-resolver.xml:

{| class="wikitable"
! Id within attribute-resolver.xml !! Attribute Name !! URL
|-
! colspan="3" | NIEF Mandatory
|-
| niefEmail || Email Address Text || https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
| niefEmployer || Employer Name || https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
| niefFedId || Federation Id || https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
| niefGivenName || Given Name || https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
| niefIdentityProviderId || Identity Provider Id || https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
| niefSurName || Sur Name || https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
| niefTelephoneNumber || Telephone Number || https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
| niefIdentityProviderId || Identity Provider Id || https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
| niefUniqueSubjectId || Unique Subject Id || https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
! colspan="3" | NIEF Highly Recommended
|-
| nief28CFR || 28 CFR Certification Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
| niefElectronicAuthenticationAssuranceLevelCode || Electronic Authentication Assurance Level Code || https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
| niefORI || Employer ORI || https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
| niefEmployerOrganizationGeneralCategoryCode || Employer Organization General Category Code || https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
| niefEmployerStateCode || Employer State Code || https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
| niefIdentityProofingAssuranceLevelCode || Identity Proofing Assurance Level Code || https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
| niefPSO || Public Safety Officer Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
| niefSLEO || Sworn Law Enforcement Officer Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
| niefAAL || Authenticator Assurance Level || https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
| niefFAL || Federation Assurance Level || https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
| niefIAL || Identity Assurance Level || https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
! colspan="3" | NIEF Recommended
|-
| niefIntelligenceAnalystIndicator || Intelligence Analyst Indicator || https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
| niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator || Counter Terrorism Data Self Search Home Privilege Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
| niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator || Criminal History Data Self Search Home Privilege Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
| niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator || Criminal Intelligence Data Self Search Home Privilege Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
| niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator || Criminal Investigative Data Self Search Home Privilege Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
| niefDisplayName || Display Name || https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
| niefGovernmentDataSelfSearchHomePrivilegeIndicator || Government Data Self Search Home Privilege Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
| niefLocalId || Local Id || https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
| niefNCICCertificationIndicator || NCIC Certification Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
| niefNDExPrivilegeIndicator || NDEx Privilege Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
| niefPCIICertificationIndicator || PCII Certification Indicator || https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
| niefFICAMAssuranceLevelCode || FICAM Assurance Level Code || https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0
|}
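Added example (not code from the NIEF wiki): a Python check that parses an attribute-filter policy like the one above and compares the released attributeIDs against the IDs in this table, reporting required IDs that are not released, released IDs outside the list, and duplicate rules (both the filter and the table list niefIdentityProviderId twice, which this flags). SAMPLE_POLICY is a constructed, deliberately flawed subset of the releaseAll policy and NIEF_MANDATORY holds the table's Mandatory rows; add the remaining rows for a full audit.

```python
"""Added example (not NIEF wiki code): audit a Shibboleth IdP 4 attribute-filter
policy against the NIEF attribute ID list for missing, extra and duplicate rules."""
import xml.etree.ElementTree as ET

AFP_NS = "urn:mace:shibboleth:2.0:afp"           # IdP 4 attribute-filter namespace
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed, deliberately flawed subset of the wiki's releaseAll policy.
SAMPLE_POLICY = f"""<AttributeFilterPolicy xmlns="{AFP_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="releaseAll">
  <PolicyRequirementRule xsi:type="ANY"/>
  <AttributeRule attributeID="niefEmail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="niefFedId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  <AttributeRule attributeID="legacyMail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
</AttributeFilterPolicy>"""

# NIEF Mandatory IDs from the wiki table; add the other rows for a full audit.
NIEF_MANDATORY = {"niefEmail", "niefEmployer", "niefFedId", "niefGivenName",
                  "niefIdentityProviderId", "niefSurName", "niefTelephoneNumber", "niefUniqueSubjectId"}


def released_ids(policy_xml: str) -> list:
    """attributeIDs whose AttributeRule permits ANY value, in document order."""
    root = ET.fromstring(policy_xml)
    ids = []
    for rule in root.findall(f"{{{AFP_NS}}}AttributeRule"):
        permit = rule.find(f"{{{AFP_NS}}}PermitValueRule")
        if permit is not None and permit.get(XSI_TYPE) == "ANY":
            ids.append(rule.get("attributeID"))
    return ids


def audit_policy(policy_xml: str, required: set) -> dict:
    """Required IDs not released, released IDs outside the list, and repeated rules."""
    seen, duplicates = set(), []
    for attr_id in released_ids(policy_xml):
        if attr_id in seen:
            duplicates.append(attr_id)   # the page lists niefIdentityProviderId twice
        seen.add(attr_id)
    return {"missing": sorted(required - seen),
            "unexpected": sorted(seen - required),
            "duplicate": duplicates}


if __name__ == "__main__":
    for key, value in audit_policy(SAMPLE_POLICY, NIEF_MANDATORY).items():
        print(f"{key}: {value}")
```

Run it against the real conf/attribute-filter.xml by reading the file into audit_policy instead of SAMPLE_POLICY; a non-empty "missing" list means a partner will not receive an attribute NIEF marks as Mandatory.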

GFIPM Reference Fed Metadata Provider

   <MetadataProvider id="HTTPMetadata"
                     xsi:type="FileBackedHTTPMetadataProvider"
                     backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
                     metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
       <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
       <MetadataFilter xsi:type="EntityRole">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>
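Added example (not code from the NIEF wiki or the Shibboleth project): a Python lint for the MetadataProvider element above that checks the metadataURL is HTTPS, that a SignatureValidation filter is present, listed first, and carries a certificateFile or trustEngineRef, and that the EntityRole filter retains only md:SPSSODescriptor; the filter-ordering expectation is this check's own. GFIPM_PROVIDER is the page's element with the namespace declarations a standalone parse needs, and WEAK_PROVIDER is a constructed variant that shows what the lint catches.

```python
"""Added example (not Shibboleth or NIEF code): lint a Shibboleth IdP 4
MetadataProvider for HTTPS, signature validation first, and SP-only roles."""
import xml.etree.ElementTree as ET

MD_NS = "urn:mace:shibboleth:2.0:metadata"        # metadata-providers.xml namespace
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The wiki's provider, plus the namespace declarations a standalone parse needs.
GFIPM_PROVIDER = f"""<MetadataProvider xmlns="{MD_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{{idp.home}}/metadata/localCopyFromNIEFTestbed.xml"
    metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
  <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{{idp.home}}/credentials/gfipm-ca.pem"/>
  <MetadataFilter xsi:type="EntityRole"><RetainedRole>md:SPSSODescriptor</RetainedRole></MetadataFilter>
</MetadataProvider>"""

# Constructed weak variant: plain HTTP and no signature check on the fetched metadata.
WEAK_PROVIDER = f"""<MetadataProvider xmlns="{MD_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="/tmp/copy.xml" metadataURL="http://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
  <MetadataFilter xsi:type="EntityRole"><RetainedRole>md:SPSSODescriptor</RetainedRole></MetadataFilter>
</MetadataProvider>"""


def lint_metadata_provider(xml_text: str) -> list:
    """Return findings in check order; an empty list means the provider passes."""
    mp = ET.fromstring(xml_text)
    findings = []
    if not mp.get("metadataURL", "").startswith("https://"):
        findings.append("metadataURL is not https")
    filters = mp.findall(f"{{{MD_NS}}}MetadataFilter")
    types = [f.get(XSI_TYPE) for f in filters]
    if "SignatureValidation" not in types:
        findings.append("no SignatureValidation filter: unverified metadata would be trusted")
    elif types[0] != "SignatureValidation":
        findings.append("SignatureValidation should run before other filters")   # this lint's own rule
    elif not (filters[0].get("certificateFile") or filters[0].get("trustEngineRef")):
        findings.append("SignatureValidation has no certificateFile or trustEngineRef")
    roles = [r.text for f in filters if f.get(XSI_TYPE) == "EntityRole"
             for r in f.findall(f"{{{MD_NS}}}RetainedRole")]
    if roles != ["md:SPSSODescriptor"]:
        findings.append("EntityRole filter should retain only md:SPSSODescriptor")
    return findings


if __name__ == "__main__":
    print("gfipm:", lint_metadata_provider(GFIPM_PROVIDER) or "ok")
    print("weak: ", lint_metadata_provider(WEAK_PROVIDER))
```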