Shibboleth IDP4 Notes

From NIEF Wiki
==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.
==Changes==
An important change is that Shibboleth IDP 4 has a new '''secrets.properties''' file within the credentials directory.  This file overrides credentials that are also set in the properties files under the config directory, which is likely to cause problems if both are populated.  Be sure to migrate service credentials into secrets.properties.


== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners.  It assumes the attribute IDs defined in the NIEF Attribute Definitions for Shibboleth 4, listed in the table below.


    <AttributeFilterPolicy id="releaseNIEFAttributes">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="niefEmail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefEmployer">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefFedId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefGivenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIdentityProviderId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefSurName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefTelephoneNumber">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIdentityProviderId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefUniqueSubjectId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="nief28CFR">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefORI">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefEmployerStateCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefPSO">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefSLEO">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefAAL">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefFAL">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIAL">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefDisplayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefLocalId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefNCICCertificationIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefNDExPrivilegeIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefPCIICertificationIndicator">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>


== Attribute Definitions ==
Add the [[NIEF Attribute Defintions|NIEF Attribute Definitions]] to your Shibboleth 4 IDP and then reference the table below when resolving NIEF attributes within attribute-resolver.xml:
 
{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0
 
|}
 
== Sample Attribute Resolver ==
This sample attribute resolver uses the NIEF Attribute Definitions above.  The "Simple" definitions below take their values from a custom data connector (id "File", type txdps:Test) that reads a user's attributes from files on the filesystem.  The data connectors are specified in this same file, but are listed separately in the Dataconnectors section below.  Each AttributeDefinition id must match the id in the table above; that is how the NIEF attribute definition is applied to the resolved attribute:
    <!-- Usually you need the userID resolved during authentication as an input to other data connectors -->
    <AttributeDefinition id="uid" xsi:type="PrincipalName" />
    <!-- ========================================== -->
    <!--      Attribute Definitions                -->
    <!-- ========================================== -->
    <AttributeDefinition id="recipientId" xsi:type="ScriptedAttribute" >
        <Script> <![CDATA[
            recipientIdString = requestContext.getPeerEntityId();
            recipientId.addValue(recipientIdString);
        ]]></Script>
    </AttributeDefinition>
    <AttributeDefinition id="nief28CFR" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="CFRCertified"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefEmail" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="email"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefGivenName" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="firstname"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefSurName" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="lastname"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefIdentityProviderId" xsi:type="Template" >
        <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
        <Template>
          <![CDATA[
            NIEF:IDP:${orgid}
          ]]>
      </Template>
    </AttributeDefinition>
    <AttributeDefinition id="niefEmployer" xsi:type="Simple" >
        <InputDataConnector ref="staticAttributes" attributeNames="employer"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefFedId" xsi:type="Template" >
        <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
        <InputDataConnector ref="File" attributeNames="email"/>
        <Template>
          <![CDATA[
              NIEF:IDP:${orgid}:USER:${email}
          ]]>
        </Template>
    </AttributeDefinition>
    <AttributeDefinition id="niefAAL" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="aal"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefIAL" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="ial"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefORI" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="ori"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefPSO" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="pso"/>
    </AttributeDefinition>
    <AttributeDefinition id="niefSLEO" xsi:type="Simple" >
        <InputDataConnector ref="File" attributeNames="sleo"/>
    </AttributeDefinition>
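The filter above releases whatever the resolver defines, and the Template definitions build the NIEF:IDP and federation IDs from connector values. The following Python is an added example, not code from this wiki page or from the Shibboleth IdP: it models both steps on constructed connector output and also lints the policy for rules whose attributeID the resolver never defines (several attributes in the table have a filter rule but no definition in the sample above) and for the duplicated niefIdentityProviderId rule. It assumes single-valued inputs, Velocity templates limited to ${name} references, and the ANY rule types the page uses; the sample email and the namespace-stripping helper are the example's own.

```python
"""Added example, not from the NIEF wiki page or the Shibboleth project: an
offline model of how this page's resolver definitions and release policy
compose. Assumes single-valued inputs, Velocity templates limited to ${name}
references, and xsi:type="ANY" rules only (the only type the page uses)."""
import re
import xml.etree.ElementTree as ET

XSI = "{http://www.w3.org/2001/XMLSchema-instance}"

# Constructed subset of the page's sample attribute-resolver.xml.
RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="niefEmail" xsi:type="Simple">
    <InputDataConnector ref="File" attributeNames="email"/>
  </AttributeDefinition>
  <AttributeDefinition id="niefIdentityProviderId" xsi:type="Template">
    <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
    <Template><![CDATA[ NIEF:IDP:${orgid} ]]></Template>
  </AttributeDefinition>
  <AttributeDefinition id="niefFedId" xsi:type="Template">
    <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
    <InputDataConnector ref="File" attributeNames="email"/>
    <Template><![CDATA[ NIEF:IDP:${orgid}:USER:${email} ]]></Template>
  </AttributeDefinition>
</AttributeResolver>"""

# Constructed subset of the page's policy: niefTelephoneNumber is ruled but
# never defined above, and niefIdentityProviderId is ruled twice, as on the page.
FILTER_XML = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseNIEFAttributes">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="niefEmail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="niefFedId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="niefTelephoneNumber"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed connector output: the Static values are the page's, the File
# (txdps:Test) values stand in for one user's properties file.
CONNECTORS = {
    "staticAttributes": {"employer": ["Texas National Guard (DEMO)"],
                         "orgid": ["tng-interop-idp"]},
    "File": {"email": ["jdoe@example.org"], "firstname": ["Jane"]},
}

def children(el, name):
    """Child elements by local name, so real namespaced files parse the same way."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def resolve(resolver_xml, connectors):
    """Evaluate Simple and Template definitions; returns {id: [values]}."""
    resolved = {}
    for d in children(ET.fromstring(resolver_xml), "AttributeDefinition"):
        inputs = {}
        for inp in children(d, "InputDataConnector"):
            source = connectors.get(inp.get("ref"), {})
            for name in inp.get("attributeNames").split():
                inputs[name] = source.get(name, [])
        kind = d.get(XSI + "type")
        if kind == "Simple":  # copies every input value through unchanged
            resolved[d.get("id")] = [v for vals in inputs.values() for v in vals]
        elif kind == "Template":  # ${name} -> first value of that input
            text = children(d, "Template")[0].text.strip()
            fill = lambda m: (inputs.get(m.group(1)) or [""])[0]
            resolved[d.get("id")] = [re.sub(r"\$\{(\w+)\}", fill, text)]
        # ScriptedAttribute and other types need the IdP's engine; skipped.
    return resolved

def release(filter_xml, resolved):
    """Apply the policy; returns only attributes an ANY/ANY rule permits."""
    released = {}
    for policy in children(ET.fromstring(filter_xml), "AttributeFilterPolicy"):
        if children(policy, "PolicyRequirementRule")[0].get(XSI + "type") != "ANY":
            continue  # other requirement types need request context
        for rule in children(policy, "AttributeRule"):
            permit = children(rule, "PermitValueRule")
            aid = rule.get("attributeID")
            if permit and permit[0].get(XSI + "type") == "ANY" and aid in resolved:
                released[aid] = list(resolved[aid])
    return released

def lint(filter_xml, resolver_xml):
    """Inert rules (attributeID never defined) and duplicate rules per policy."""
    defined = {d.get("id") for d in
               children(ET.fromstring(resolver_xml), "AttributeDefinition")}
    ruled, duplicate = [], set()
    for p in children(ET.fromstring(filter_xml), "AttributeFilterPolicy"):
        ids = [r.get("attributeID") for r in children(p, "AttributeRule")]
        duplicate |= {i for i in ids if ids.count(i) > 1}
        ruled += ids
    return {"inert": sorted(set(ruled) - defined), "duplicate": sorted(duplicate)}

if __name__ == "__main__":
    print(release(FILTER_XML, resolve(RESOLVER_XML, CONNECTORS)))
    print(lint(FILTER_XML, RESOLVER_XML))
```

Run against the full attribute-resolver.xml and attribute-filter.xml from the page, the inert list is the set of table attributes the sample resolver never produces.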
 
=== Dataconnectors ===
Data connectors look much the same as in Shibboleth 3; note that the '''InputAttributeDefinition''' element is used instead of the old '''Dependency''' concept from Shib3. Here are three sample data connectors: two use the built-in Static and HTTP types, while the third (id "File", type txdps:Test, the one referred to as "Simple" above) is the one GTRI created to serve attributes from the filesystem:
 
 
    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="employer">
            <Value>Texas National Guard (DEMO)</Value>
        </Attribute>
        <Attribute id="orgid">
            <Value>tng-interop-idp</Value>
        </Attribute>
    </DataConnector>
 
    <DataConnector id="File" xsi:type="txdps:Test"
                  pathToAttributeFiles="/opt/shibboleth-idp/users/"
                  uidAttribute="uid">
        <InputAttributeDefinition ref="uid" />
    </DataConnector>
 
    <DataConnector id="iirHTTP" xsi:type="HTTP"
        httpClientRef="shibboleth.NonCachingHttpClient">
        <InputAttributeDefinition ref="niefEmail" />
        <!-- The code= query parameter is an API credential for the IIR service. Treat it like the
             other service credentials discussed under Changes above and keep it out of shared
             copies of this file. -->
        <URLTemplate>
            <![CDATA[
            https://tca.iir.com/api/LookupTestCompleted?code=D7utRK84NO8sDTYRjh0UGP3fNXLjrH96FMlKs21YqcBpyTeZp6k/rw==
            ]]>
        </URLTemplate>
        <BodyTemplate MIMEType="application/json">
            <![CDATA[
            { 'email': '$niefEmail.get(0)' }
            ]]>
        </BodyTemplate>
        <ResponseMapping>
            <Script>
            <![CDATA[
            var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
            var HashSet = Java.type("java.util.HashSet");
            var HttpClientSupport = Java.type("net.shibboleth.utilities.java.support.httpclient.HttpClientSupport");
            var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
            var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            // Limits length to 64k
            var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536);
            // Writes the whole per-user response into the IdP log at INFO; lower to debug once the connector is working.
            logger.info("Query Response = " + body);
            var result = JSON.parse(body);
            //logger.info("Parsed JSON Completed = " + result.completed);
            // Expose the lookup result as the CFRCertified attribute consumed by the nief28CFR definition.
            var attr = new IdPAttribute("CFRCertified");
            var values = new HashSet();
            if (result.completed) {
              values.add(new StringAttributeValue("true"));
            } else {
              values.add(new StringAttributeValue("false"));
            }
            attr.setValues(values);
            connectorResults.add(attr);
            ]]>
            </Script>
        </ResponseMapping>
        <ResultCache expireAfterWrite="PT5M"/>
    </DataConnector>


== Metadata Providers ==
The following are sample metadata providers that are useful for systems that are working with NIEF.  The first is a sample of the NIEF Production metadata provider and the second is an example of the NIEF Testbed provider.  In both cases the associated certificate must be downloaded and put into the credentials directory under the file name the provider's certificateFile attribute references, or the provider will not work.  Because the SignatureValidation filter trusts whatever certificate is in that file, verify the downloaded certificate's fingerprint with NIEF out of band before installing it:
* [https://nief.org/trust-fabric/nief-ca.crt NIEF CA Cert]
* [https://ref.gfipm.net/ref-gfipm-ca.crt NIEF Testbed Cert]

=== NIEF Metadata Provider (Production) ===
    <MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/nief-metadata.xml" metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml">
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" />
        <MetadataFilter xsi:type="EntityRole">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>

=== NIEF Testbed Metadata Provider ===
    <MetadataProvider id="HTTPMetadata"
        </MetadataFilter>
    </MetadataProvider>
== Data Connector Information ==
Shibboleth 4 supports more DataConnector types than previous versions of Shibboleth.
=== HTTPConnector ===
Shibboleth documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector
GTRI created a sample HTTPConnector that implements the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector
== Ongoing Notes ==
[[Create a NIEF Attribute Registry]]

Latest revision as of 18:23, 24 May 2022

About

Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

Changes

An important change is that Shibboleth IDP 4 has a new secrets.properties file within the credentials directory. This file will override credentials that are put into the properties file in the config file likely leading to problems. Be sure to migrate service credentials into this properties file.

Sample attribute-filter

The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

   <AttributeFilterPolicy id="releaseNIEFAttributes">
       <PolicyRequirementRule xsi:type="ANY" />
      <AttributeRule attributeID="niefEmail">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployer">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFedId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefGivenName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefSurName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefTelephoneNumber">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefUniqueSubjectId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="nief28CFR">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefORI">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployerStateCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefPSO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefSLEO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefAAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefDisplayName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefLocalId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefNCICCertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefNDExPrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefPCIICertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
   </AttributeFilterPolicy>

Attribute Definitions

Add the NIEF Attribute Defintions to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

Id Within attribute-resolver.xml Attribute Name URL
NIEF Mandatory
niefEmail Email Address Text https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
niefEmployer Employer Name https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
niefFedId Federation Id https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
niefGivenName Given Name https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
niefSurName Sur Name https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
niefTelephoneNumber Telephone Number https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
niefUniqueSubjectId Unique Subject Id https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
NIEF Highly Recommended
nief28CFR 28 CFR Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
niefElectronicAuthenticationAssuranceLevelCode Electronic Authentication Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
niefORI Employer ORI https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
niefEmployerOrganizationGeneralCategoryCode Employer Organization General Category Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
niefEmployerStateCode Employer State Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
niefIdentityProofingAssuranceLevelCode Identity Proofing Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
niefPSO Public Safety Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
niefSLEO Sworn Law Enforcement Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
niefAAL Authenticator Assurance Level https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
niefFAL Federation Assurance Level https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
niefIAL Identity Assurance Level https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
NIEF Recommended
niefIntelligenceAnalystIndicator Intelligence Analyst Indicator https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator Counter Terrorism Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator Criminal History Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator Criminal Intelligence Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator Criminal Investigative Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
niefDisplayName Display Name https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
niefGovernmentDataSelfSearchHomePrivilegeIndicator Government Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
niefLocalId Local Id https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
niefNCICCertificationIndicator NCIC Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
niefNDExPrivilegeIndicator NDEx Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
niefPCIICertificationIndicator PCII Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
niefFICAMAssuranceLevelCode FICAM Assurance Level Code https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

Sample Attribute Resolver

This sample attribute resolver uses the NIEF Attribute Definitions above. The "Simple" data connector type is a custom data connector that reads attributes from files on the filesystem. The dataconnectors are also specified in this same file, but that is not included in this sample. This requires specific attribute ids, that is how the attribute definition is applied to the attribute:

   <AttributeDefinition id="recipientId" xsi:type="ScriptedAttribute" >
       <Script> <![CDATA[
            recipientIdString = requestContext.getPeerEntityId();
            recipientId.addValue(recipientIdString);
        ]]></Script>
   </AttributeDefinition>
   <AttributeDefinition id="nief28CFR" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="CFRCertified"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefEmail" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="email"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefGivenName" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="firstname"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefSurName" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="lastname"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefIdentityProviderId" xsi:type="Template" >
       <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
       <Template>
         <![CDATA[
            NIEF:IDP:${orgid}
         ]]>
      </Template>
   </AttributeDefinition>
   <AttributeDefinition id="niefEmployer" xsi:type="Simple" >
       <InputDataConnector ref="staticAttributes" attributeNames="employer"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefFedId" xsi:type="Template" >
       <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
       <InputDataConnector ref="File" attributeNames="email"/>
       <Template>
         <![CDATA[
              NIEF:IDP:${orgid}:USER:${email}
         ]]>
       </Template>
   </AttributeDefinition>
   <AttributeDefinition id="niefAAL" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="aal"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefIAL" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="ial"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefORI" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="ori"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefPSO" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="pso"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefSLEO" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="sleo"/>
   </AttributeDefinition>

== Data Connectors ==

Data connectors look much the same as in Shibboleth 3; note that the InputAttributeDefinition (and InputDataConnector) elements replace the old Dependency element from Shib 3. Here are three sample data connectors: two use the built-in 'Static' and 'HTTP' types, while the third, 'File' (xsi:type="txdps:Test"), is the custom connector GTRI created that serves per-user attributes from the filesystem. Two cautions on the HTTP connector below: its URLTemplate carries the remote service's API key inline, so in a real deployment keep that key out of attribute-resolver.xml by putting it in credentials/secrets.properties and referencing it with a %{property} placeholder (the same mechanism as %{idp.home}); and its BodyTemplate interpolates the raw email value into a hand-written JSON body, so a value containing quotes or braces can change the structure of the request rather than being sent as data.


   <DataConnector id="staticAttributes" xsi:type="Static">
       <Attribute id="employer">
           <Value>Texas National Guard (DEMO)</Value>
       </Attribute>
       <Attribute id="orgid">
           <Value>tng-interop-idp</Value>
       </Attribute>
   </DataConnector>
   <DataConnector id="File" xsi:type="txdps:Test"
                  pathToAttributeFiles="/opt/shibboleth-idp/users/"
                  uidAttribute="uid">
       <InputAttributeDefinition ref="uid" />
   </DataConnector>
 <DataConnector id="iirHTTP" xsi:type="HTTP"
     httpClientRef="shibboleth.NonCachingHttpClient">
   <InputAttributeDefinition ref="niefEmail" />
   <URLTemplate>
       <![CDATA[
       https://tca.iir.com/api/LookupTestCompleted?code=D7utRK84NO8sDTYRjh0UGP3fNXLjrH96FMlKs21YqcBpyTeZp6k/rw==
       ]]>
   </URLTemplate>
   <BodyTemplate MIMEType="application/json">
       <![CDATA[
       { 'email': '$niefEmail.get(0)' }
       ]]>
   </BodyTemplate>
   <ResponseMapping>
       <Script>
       <![CDATA[
       var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
       var HashSet = Java.type("java.util.HashSet");
       var HttpClientSupport = Java.type("net.shibboleth.utilities.java.support.httpclient.HttpClientSupport");
       var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
       var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
       // Limits length to 64k
       var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536);
       logger.info("Query Response = " + body);
       var result = JSON.parse(body);
       //logger.info("Parsed JSON Completed = " + result.completed);
       var attr = new IdPAttribute("CFRCertified");
       var values = new HashSet();
       if (result.completed) {
          values.add(new StringAttributeValue("true"));
       } else {
          values.add(new StringAttributeValue("false"));
       }
       attr.setValues(values);
       connectorResults.add(attr);
       ]]>
       </Script>
   </ResponseMapping>
   <ResultCache expireAfterWrite="PT5M"/>
 </DataConnector>
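The following is an added example, not the connector script from the page: it shows, in plain Node.js rather than inside the IdP's Nashorn scripting context (so there is no `response` or `connectorResults` object), how the two parts of the iirHTTP connector can be written so that the request body is always well-formed JSON and the response mapping fails closed. Every condition other than a well-formed, size-capped JSON object with `completed` equal to the boolean `true` yields "false", whereas the page's script throws on malformed JSON (leaving CFRCertified unset) and accepts any truthy value. The sample responses are constructed for illustration; the service's real response format is assumed to be `{"completed": <boolean>}` as the page's script implies.

```javascript
// Added example (not the page's connector script). Models the BodyTemplate and
// ResponseMapping of an HTTP data connector that asks a remote service whether a
// user has completed a test, as the iirHTTP connector on this page does.

// Same 64 KiB cap the page's script passes to HttpClientSupport.toString().
const MAX_BODY_BYTES = 65536;

// Build the JSON lookup body. JSON.stringify escapes quotes, backslashes and
// control characters, so an email such as  x"},"completed":true,"a":"{  is sent
// as a single string value and cannot alter the structure of the request. A
// hand-written template like  { 'email': '$niefEmail.get(0)' }  gives no such
// guarantee.
function buildLookupBody(email) {
  if (typeof email !== "string" || email.length === 0) {
    throw new TypeError("email attribute missing; refusing to query the service");
  }
  return JSON.stringify({ email: email });
}

// Map the service response to the CFRCertified value ("true" / "false").
// Fail closed: oversized, unparseable or structurally unexpected bodies map to
// "false" instead of throwing, and only the boolean true (not the string
// "true", not 1) is accepted as completion.
function cfrCertifiedFromResponse(body) {
  if (typeof body !== "string" || Buffer.byteLength(body, "utf8") > MAX_BODY_BYTES) {
    return "false";
  }
  let result;
  try {
    result = JSON.parse(body);
  } catch (e) {
    return "false"; // malformed JSON: do not assert certification
  }
  if (result === null || typeof result !== "object" || Array.isArray(result)) {
    return "false";
  }
  return result.completed === true ? "true" : "false";
}

// Constructed sample responses (not captured from the real service), one per branch.
const SAMPLES = {
  completed:   '{"completed": true}',
  notDone:     '{"completed": false}',
  stringTrue:  '{"completed": "true"}',  // string, not boolean: still "false"
  malformed:   '{"completed": tru',
  notAnObject: '[true]',
};

// Run every sample through the mapping and return the results keyed by name.
function demo() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    out[name] = cfrCertifiedFromResponse(body);
  }
  return out;
}
```

Inside the IdP the same logic would sit in the ResponseMapping script, with `body` obtained from `HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536)` as on the page and the returned string wrapped in a StringAttributeValue; the BodyTemplate cannot call JSON.stringify, so the practical fix there is to make sure the email value is validated (or escaped) before it is interpolated.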

== Metadata Providers ==

The following are sample metadata providers for systems working with NIEF. The first is the NIEF Production metadata provider and the second is the NIEF Testbed provider. In both cases the signing certificate named in the SignatureValidation filter must be downloaded and placed in the credentials directory before the provider will load. That certificate is the trust anchor for every partner's keys and endpoints, so obtain it over a trusted channel and confirm its fingerprint out of band rather than fetching it from the same location as the metadata. The EntityRole filter keeps only SP roles, which is all an IdP needs. The Shibboleth documentation also recommends a RequiredValidUntil filter ahead of SignatureValidation so that a signed metadata document cannot be served indefinitely; it is not included in these samples:

=== NIEF Metadata Provider (Production) ===

   <MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/nief-metadata.xml" metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml">
       <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" />
       <MetadataFilter xsi:type="EntityRole">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>


=== NIEF Testbed Metadata Provider ===

   <MetadataProvider id="HTTPMetadata"
                     xsi:type="FileBackedHTTPMetadataProvider"
                     backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
                     metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
       <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
       <MetadataFilter xsi:type="EntityRole">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>

== Data Connector Information ==

Shibboleth 4 supports more DataConnector types than previous versions of Shibboleth.

=== HTTPConnector ===

Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector

GTRI created a sample HTTPConnector that implements the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector

== Ongoing Notes ==

Create a NIEF Attribute Registry