Shibboleth IDP4 Notes
Revision as of 16:35, 5 August 2021
About
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.
Changes
An important change is that Shibboleth IdP 4 has a new secrets.properties file in the credentials directory. Values in this file override credentials placed in the properties files under the config directory, which is likely to cause problems if the same credential is set in both places. Be sure to migrate service credentials into secrets.properties.
Sample attribute-filter
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below. Because the PolicyRequirementRule is ANY, these attributes go to every relying party present in the IdP's loaded metadata, so the metadata providers configured further down determine who actually receives them.
    <AttributeFilterPolicy id="releaseNIEFAttributes">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="niefEmail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefEmployer"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefFedId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefGivenName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefSurName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefTelephoneNumber"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefUniqueSubjectId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="nief28CFR"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefORI"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefEmployerStateCode"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefPSO"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefSLEO"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefAAL"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefFAL"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefIAL"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefIntelligenceAnalystIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefDisplayName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefLocalId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefNCICCertificationIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefNDExPrivilegeIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefPCIICertificationIndicator"><PermitValueRule xsi:type="ANY" /></AttributeRule>
        <AttributeRule attributeID="niefFICAMAssuranceLevelCode"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    </AttributeFilterPolicy>
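To see what a policy like this actually hands out before deploying it, here is an added audit script (not part of the original notes or of Shibboleth itself) that parses an attribute-filter.xml fragment and reports, per policy, which attributes go to every relying party and which attributeIDs are listed twice. The sample policy group, its second policy and the SP entityID in it are constructed for the demonstration.

```python
"""Audit an attribute-filter.xml fragment: what does each policy release to
everyone, and are any attributeIDs repeated? Standard library only."""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"afp": AFP}
XSI_TYPE = f"{{{XSI}}}type"

# Constructed sample: a trimmed policy in the style of the one in these notes,
# inside the root element attribute-filter.xml really has, with one attributeID
# deliberately repeated so the duplicate check fires, plus a second policy
# scoped to a single (made-up) SP for contrast.
SAMPLE = f"""<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="{AFP}" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="releaseNIEFAttributes">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="niefEmail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="niefSurName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="niefSurName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseLocalIdToOneSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.invalid/shibboleth" />
    <AttributeRule attributeID="niefLocalId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def audit_filter(xml_text):
    """Return {policy_id: {"released_to_all": [...], "duplicates": [...]}}."""
    report = {}
    for policy in ET.fromstring(xml_text).findall("afp:AttributeFilterPolicy", NS):
        req = policy.find("afp:PolicyRequirementRule", NS)
        to_everyone = req is not None and req.get(XSI_TYPE) == "ANY"
        seen, dups, to_all = set(), [], []
        for rule in policy.findall("afp:AttributeRule", NS):
            attr = rule.get("attributeID")
            if attr in seen:
                dups.append(attr)
            seen.add(attr)
            permit = rule.find("afp:PermitValueRule", NS)
            # ANY requirement plus ANY permit: every SP in loaded metadata gets it.
            if to_everyone and permit is not None and permit.get(XSI_TYPE) == "ANY":
                if attr not in to_all:
                    to_all.append(attr)
        report[policy.get("id")] = {"released_to_all": to_all, "duplicates": dups}
    return report


if __name__ == "__main__":
    for pid, r in audit_filter(SAMPLE).items():
        print(pid, "-> to all SPs:", r["released_to_all"], "duplicates:", r["duplicates"])
```

Run it against the contents of your own attribute-filter.xml by passing that text to audit_filter instead of SAMPLE.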
Attribute Definitions
Add the NIEF Attribute Definitions to your Shibboleth 4 IdP and then reference the table below when resolving NIEF attributes within attribute-resolver.xml:
Metadata Providers
The following are sample metadata providers that are useful for systems working with NIEF. The first is the NIEF Production metadata provider and the second is the NIEF Testbed provider. In both cases the associated CA certificate must be downloaded and placed in the credentials directory, under the file name given in the provider's certificateFile attribute, for the provider to work:
- NIEF CA Cert: https://nief.org/trust-fabric/nief-ca.crt
- NIEF Testbed Cert: https://ref.gfipm.net/ref-gfipm-ca.crt
NIEF Metadata Provider (Production)
    <MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/nief-metadata.xml"
                      metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml">
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" />
        <MetadataFilter xsi:type="EntityRole">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
NIEF Testbed Metadata Provider
    <MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
                      metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
        <MetadataFilter xsi:type="EntityRole">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
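As an added check, not from the original notes or the Shibboleth project, this script lints the remote MetadataProvider elements of metadata-providers.xml for the properties that matter in the two providers above: an https metadataURL, a SignatureValidation filter whose certificateFile really exists under idp.home, and an EntityRole filter. The chaining root is the standard one; the second "Weak" provider and the /opt/shibboleth-idp default are constructed assumptions.

```python
"""Lint FileBackedHTTP MetadataProvider elements of a Shibboleth IdP 4
metadata-providers.xml. Standard library only."""
import os
import xml.etree.ElementTree as ET

MD = "urn:mace:shibboleth:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"md": MD}
XSI_TYPE = f"{{{XSI}}}type"

# Constructed sample: the NIEF production provider from these notes inside the
# chaining root metadata-providers.xml really has, plus a deliberately weak
# provider (plain http, no filters) so every check fires at least once.
SAMPLE = f"""<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="{MD}" xmlns:xsi="{XSI}">
  <MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider"
      backingFile="%{{idp.home}}/metadata/nief-metadata.xml"
      metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml">
    <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{{idp.home}}/credentials/nief-ca.cer" />
    <MetadataFilter xsi:type="EntityRole"><RetainedRole>md:SPSSODescriptor</RetainedRole></MetadataFilter>
  </MetadataProvider>
  <MetadataProvider id="Weak" xsi:type="FileBackedHTTPMetadataProvider"
      backingFile="%{{idp.home}}/metadata/weak.xml" metadataURL="http://example.invalid/md.xml" />
</MetadataProvider>"""


def lint_providers(xml_text, idp_home):
    """Return {provider_id: [finding, ...]}; an empty list means it passed."""
    report = {}
    for prov in ET.fromstring(xml_text).iter(f"{{{MD}}}MetadataProvider"):
        if prov.get(XSI_TYPE) != "FileBackedHTTPMetadataProvider":
            continue  # chaining and local-file providers are out of scope here
        findings = []
        if not prov.get("metadataURL", "").startswith("https://"):
            findings.append("metadataURL is not https")
        filters = {f.get(XSI_TYPE): f for f in prov.findall("md:MetadataFilter", NS)}
        sig = filters.get("SignatureValidation")
        if sig is None:
            findings.append("no SignatureValidation filter: unsigned metadata would be trusted")
        else:  # the cert must exist under the name the config points at
            cert = sig.get("certificateFile", "").replace("%{idp.home}", idp_home)
            if not os.path.isfile(cert):
                findings.append(f"certificateFile not found: {cert}")
        if "EntityRole" not in filters:
            findings.append("no EntityRole filter: IdP roles in the feed are loaded too")
        report[prov.get("id")] = findings
    return report


if __name__ == "__main__":  # assumed default install path; override with IDP_HOME
    for pid, f in lint_providers(SAMPLE, os.environ.get("IDP_HOME", "/opt/shibboleth-idp")).items():
        print(pid, "OK" if not f else "; ".join(f))
```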
Data Connector Information
Shibboleth 4 supports more DataConnector types than previous versions of Shibboleth.
HTTPConnector
Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector
GTRI created a sample HTTPConnector that implements the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector