Shibboleth IDP4 Notes: Difference between revisions
Line 253: | Line 253: | ||
== Sample Attribute Resolver == | == Sample Attribute Resolver == | ||
This sample attribute resolver uses the NIEF Attribute Definitions above. This requires specific attribute ids, that is how the attribute definition is applied to the attribute: | This sample attribute resolver uses the NIEF Attribute Definitions above. The "Simple" data connector type is a custom data connector that reads attributes from files on the filesystem. The dataconnectors are also specified in this same file, but that is not included in this sample. This requires specific attribute ids, that is how the attribute definition is applied to the attribute: | ||
<!-- Usually you need the userID resolved during authentication as an input to other data connectors /> | <!-- Usually you need the userID resolved during authentication as an input to other data connectors /> | ||
<AttributeDefinition id="uid" xsi:type="PrincipalName" /> | <AttributeDefinition id="uid" xsi:type="PrincipalName" /> |
Revision as of 15:24, 19 April 2022
About
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.
Changes
An important change is that Shibboleth IDP 4 has a new secrets.properties file within the credentials directory. This file will override credentials that are put into the properties file in the config file likely leading to problems. Be sure to migrate service credentials into this properties file.
Sample attribute-filter
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.
<AttributeFilterPolicy id="releaseNIEFAttributes"> <PolicyRequirementRule xsi:type="ANY" /> <AttributeRule attributeID="niefEmail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefEmployer"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefFedId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefGivenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefIdentityProviderId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefSurName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefTelephoneNumber"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefIdentityProviderId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefUniqueSubjectId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="nief28CFR"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefORI"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefEmployerStateCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefPSO"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefSLEO"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefAAL"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefFAL"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefIAL"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefIntelligenceAnalystIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefDisplayName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefLocalId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefNCICCertificationIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefNDExPrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefPCIICertificationIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="niefFICAMAssuranceLevelCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy>
Attribute Definitions
Add the NIEF Attribute Defintions to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:
Sample Attribute Resolver
This sample attribute resolver uses the NIEF Attribute Definitions above. The "Simple" data connector type is a custom data connector that reads attributes from files on the filesystem. The dataconnectors are also specified in this same file, but that is not included in this sample. This requires specific attribute ids, that is how the attribute definition is applied to the attribute:
<AttributeDefinition id="nief28CFR" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="CFRCertified"/> </AttributeDefinition> <AttributeDefinition id="niefEmail" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="email"/> </AttributeDefinition> <AttributeDefinition id="niefGivenName" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="firstname"/> </AttributeDefinition> <AttributeDefinition id="niefSurName" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="lastname"/> </AttributeDefinition> <AttributeDefinition id="niefIdentityProviderId" xsi:type="Template" > <InputDataConnector ref="staticAttributes" attributeNames="orgid"/> <Template> <![CDATA[ NIEF:IDP:${orgid} ]]> </Template> </AttributeDefinition> <AttributeDefinition id="niefEmployer" xsi:type="Simple" > <InputDataConnector ref="staticAttributes" attributeNames="employer"/> </AttributeDefinition> <AttributeDefinition id="niefFedId" xsi:type="Template" > <InputDataConnector ref="staticAttributes" attributeNames="orgid"/> <InputDataConnector ref="File" attributeNames="email"/> <Template> <![CDATA[ NIEF:IDP:${orgid}:USER:${email} ]]> </Template> </AttributeDefinition> <AttributeDefinition id="niefAAL" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="aal"/> </AttributeDefinition> <AttributeDefinition id="niefIAL" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="ial"/> </AttributeDefinition> <AttributeDefinition id="niefORI" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="ori"/> </AttributeDefinition> <AttributeDefinition id="niefPSO" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="pso"/> </AttributeDefinition> <AttributeDefinition id="niefSLEO" xsi:type="Simple" > <InputDataConnector ref="File" attributeNames="sleo"/> </AttributeDefinition>
Metadata Providers
The following are sample metadata providers that are useful for systems that are working with NIEF. The first is a sample of the NIEF Production metadata provider and the second is an example of the NIEF Testbed provider. In both cases the associated certificate would need to be downloaded and put into the credentials directory for this provider to work:
NIEF Metadata Provider (Production)
<MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/nief-metadata.xml" metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml"> <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" /> <MetadataFilter xsi:type="EntityRole"> <RetainedRole>md:SPSSODescriptor</RetainedRole> </MetadataFilter> </MetadataProvider>
NIEF Testbed Metadata Provider
<MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml" metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml"> <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" /> <MetadataFilter xsi:type="EntityRole"> <RetainedRole>md:SPSSODescriptor</RetainedRole> </MetadataFilter> </MetadataProvider>
Data Connector Information
Shibboleth 4 supports more DataConnector types than previous versions of Shibbboleth.
HTTPConnector
Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector
GTRI created a sample HTTPConnector that implementes the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector