Shibboleth IDP4 Notes: Difference between revisions
Revision as of 02:21, 6 May 2021
About
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.
Sample attribute-filter
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs defined in the NIEF Attribute Definitions for Shibboleth 4 (see below).
<AttributeFilterPolicy id="releaseAll">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="niefEmail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefEmployer"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefFedId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefGivenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefIdentityProviderId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefSurName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefTelephoneNumber"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <!-- niefIdentityProviderId is listed a second time here; the repeated rule is redundant -->
    <AttributeRule attributeID="niefIdentityProviderId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefUniqueSubjectId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="nief28CFR"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefORI"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefEmployerStateCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefPSO"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefSLEO"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefAAL"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefFAL"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefIAL"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefIntelligenceAnalystIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefDisplayName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefLocalId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefNCICCertificationIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefNDExPrivilegeIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefPCIICertificationIndicator"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
    <AttributeRule attributeID="niefFICAMAssuranceLevelCode"> <PermitValueRule xsi:type="ANY" /> </AttributeRule>
</AttributeFilterPolicy>
Attribute Definition
Add the NIEF Attribute Definitions to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:
Quick test: create one properties file per attribute in the attributes/custom directory, for example:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName
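A release policy only does what it looks like it does when every attributeID it names is an attribute the IdP actually resolves and encodes. The script below is an added example, not code from this wiki page or from the Shibboleth project: it parses a constructed, shortened copy of the releaseAll policy above together with the three quick-test properties files, and reports rules listed twice (niefIdentityProviderId, as in the full policy), rules whose attribute id has no registry entry, and registry entries that no rule releases. The properties file names are assumed; the registry keys on the id= line, not the file name.

```python
"""Cross-check a Shibboleth IdP 4 attribute filter policy against the attribute
registry (conf/attributes/custom/*.properties).

Added example; not code from the wiki page or from the Shibboleth project.  The
XML and properties text below are constructed, shortened copies of the page's
fragments, and the three checks are the author's own.
"""
import xml.etree.ElementTree as ET
from collections import Counter

AFP_NS = "urn:mace:shibboleth:2.0:afp"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed: a short version of the page's releaseAll policy, wrapped in the
# AttributeFilterPolicyGroup root so it parses on its own.  niefIdentityProviderId
# appears twice, exactly as it does in the page's full policy.
FILTER_XML = f"""<AttributeFilterPolicyGroup xmlns="{AFP_NS}" xmlns:xsi="{XSI_NS}">
  <AttributeFilterPolicy id="releaseAll">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="niefEmail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="niefGivenName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="niefSurName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="niefIdentityProviderId"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

# Constructed: the page's three quick-test property files.  File names are
# assumed; the registry loads every *.properties file in the directory and the
# attribute id comes from the id= key.
QUICK_TEST_FILES = {
    "gfipmmail.properties": "id=gfipmmail\ntranscoder=SAML2StringTranscoder\n"
                            "saml2.name=gfipm:2.0:user:EmailAddressText\n",
    "firstname.properties": "id=firstname\ntranscoder=SAML2StringTranscoder\n"
                            "saml2.name=gfipm:2.0:user:GivenName\n",
    "lastname.properties": "id=lastname\ntranscoder=SAML2StringTranscoder\n"
                           "saml2.name=gfipm:2.0:user:SurName\n",
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value per line,
    '#'/'!' comment lines, no line continuations (enough for these files)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the separator is whichever of '=' / ':' comes first
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def released_rules(filter_xml):
    """Return {policy id: [attributeID, ...]} in document order, duplicates kept."""
    root = ET.fromstring(filter_xml)
    policies = {}
    for policy in root.iter(f"{{{AFP_NS}}}AttributeFilterPolicy"):
        rules = policy.findall(f"{{{AFP_NS}}}AttributeRule")
        policies[policy.get("id")] = [r.get("attributeID") for r in rules]
    return policies


def registry_ids(files):
    """Attribute ids declared by the id= key of each properties file."""
    ids = set()
    for text in files.values():
        props = parse_properties(text)
        if "id" in props:
            ids.add(props["id"])
    return ids


def audit(filter_xml, files):
    """Three things to look at before enabling a release policy: rules listed
    twice, rules for attribute ids with no registry entry (nothing would be
    encoded for them), and registry entries that no rule releases."""
    policies = released_rules(filter_xml)
    defined = registry_ids(files)
    released, duplicates = set(), {}
    for pid, ids in policies.items():
        dups = sorted(a for a, n in Counter(ids).items() if n > 1)
        if dups:
            duplicates[pid] = dups
        released.update(ids)
    return {
        "duplicates": duplicates,
        "released_undefined": sorted(released - defined),
        "defined_unreleased": sorted(defined - released),
    }


if __name__ == "__main__":
    for key, value in audit(FILTER_XML, QUICK_TEST_FILES).items():
        print(f"{key}: {value}")
```

Run against the page's own fragments the audit shows the mismatch the text warns about: the quick-test ids (gfipmmail, firstname, lastname) are not the nief* ids the filter names, so the releaseAll policy would release none of them until the NIEF Attribute Definitions are installed.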
GFIPM Reference Fed Metadata Provider
<MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
                  metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
    <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
    <MetadataFilter xsi:type="EntityRole">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
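The two filters on that provider are what make the federation feed trustworthy: SignatureValidation pins the feed to the GFIPM CA certificate, and EntityRole keeps only SP roles. The linter below is an added example, not code from this wiki page or from the Shibboleth project; it parses the page's provider (constructed copy, wrapped in a ChainingMetadataProvider parent as in metadata-providers.xml) next to a deliberately weakened variant and reports a plain-http metadataURL, a missing SignatureValidation filter, and any retained role other than md:SPSSODescriptor. The checks and finding texts are the author's own.

```python
"""Lint a Shibboleth IdP 4 MetadataProvider element for the trust settings a
federation feed should carry before the IdP accepts SPs from it.

Added example; not code from the wiki page or from the Shibboleth project.
The checks are the author's own.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:mace:shibboleth:2.0:metadata"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed copy of the page's provider.
PAGE_PROVIDER = """<MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
    metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
  <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
  <MetadataFilter xsi:type="EntityRole">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
  </MetadataFilter>
</MetadataProvider>"""

# Constructed weak variant: plain http, no signature check, IdP roles retained.
WEAK_PROVIDER = """<MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
    metadataURL="http://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
  <MetadataFilter xsi:type="EntityRole">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
  </MetadataFilter>
</MetadataProvider>"""


def _wrap(provider_xml):
    """Wrap the fragment in the ChainingMetadataProvider parent that
    metadata-providers.xml uses, so the namespaces are declared."""
    return (f'<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" '
            f'xmlns="{MD_NS}" xmlns:xsi="{XSI_NS}">{provider_xml}</MetadataProvider>')


def _xsi_type(elem):
    # "SignatureValidation" whether or not the value carries a prefix
    return (elem.get(f"{{{XSI_NS}}}type") or "").split(":")[-1]


def lint_provider(provider_xml):
    """Return a list of findings; an empty list means the provider passes."""
    root = ET.fromstring(_wrap(provider_xml))
    prov = root.find(f"{{{MD_NS}}}MetadataProvider")
    findings = []

    url = prov.get("metadataURL")
    if url and urlparse(url).scheme != "https":
        findings.append(f"metadataURL is not https: {url}")
    if not prov.get("backingFile"):
        findings.append("no backingFile: no local copy of the feed to fall back on")

    filters = prov.findall(f"{{{MD_NS}}}MetadataFilter")
    sig = [f for f in filters if _xsi_type(f) == "SignatureValidation"]
    if not sig:
        findings.append("no SignatureValidation filter: an altered or substituted feed "
                        "would be accepted")
    elif not any(f.get("certificateFile") or f.get("trustEngineRef") for f in sig):
        findings.append("SignatureValidation has neither certificateFile nor trustEngineRef")

    roles = [f for f in filters if _xsi_type(f) == "EntityRole"]
    if not roles:
        findings.append("no EntityRole filter: non-SP roles in the feed are loaded as well")
    for f in roles:
        for role in f.findall(f"{{{MD_NS}}}RetainedRole"):
            name = (role.text or "").strip()
            if name.split(":")[-1] != "SPSSODescriptor":
                findings.append(f"EntityRole retains {name}; an IdP only needs SP roles")
    return findings


if __name__ == "__main__":
    for label, xml in (("page", PAGE_PROVIDER), ("weak", WEAK_PROVIDER)):
        print(label, lint_provider(xml) or "ok")
```

The linter is a static check on the configuration only; it does not fetch the feed or verify the signature itself, which the IdP does at load time with the certificate named in certificateFile.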