Shibboleth IDP4 Notes

From NIEF Wiki
Jump to navigation Jump to search

About

Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

Changes

An important change is that Shibboleth IDP 4 has a new secrets.properties file within the credentials directory. This file will override credentials that are put into the properties file in the config file likely leading to problems. Be sure to migrate service credentials into this properties file.

Sample attribute-filter

The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

   <AttributeFilterPolicy id="releaseNIEFAttributes">
       <PolicyRequirementRule xsi:type="ANY" />
      <AttributeRule attributeID="niefEmail">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployer">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFedId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefGivenName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefSurName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefTelephoneNumber">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProviderId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefUniqueSubjectId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="nief28CFR">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefORI">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefEmployerStateCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefPSO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefSLEO">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefAAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIAL">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefIntelligenceAnalystIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefDisplayName">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefLocalId">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefNCICCertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefNDExPrivilegeIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefPCIICertificationIndicator">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
      <AttributeRule attributeID="niefFICAMAssuranceLevelCode">
          <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
   </AttributeFilterPolicy>

Attribute Definitions

Add the NIEF Attribute Defintions to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

Id Within attribute-resolver.xml Attribute Name URL
NIEF Mandatory
niefEmail Email Address Text https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
niefEmployer Employer Name https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
niefFedId Federation Id https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
niefGivenName Given Name https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
niefSurName Sur Name https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
niefTelephoneNumber Telephone Number https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
niefIdentityProviderId Identity Provider Id https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
niefUniqueSubjectId Unique Subject Id https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
NIEF Highly Recommended
nief28CFR 28 CFR Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
niefElectronicAuthenticationAssuranceLevelCode Electronic Authentication Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
niefORI Employer ORI https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
niefEmployerOrganizationGeneralCategoryCode Employer Organization General Category Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
niefEmployerStateCode Employer State Code https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
niefIdentityProofingAssuranceLevelCode Identity Proofing Assurance Level Code https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
niefPSO Public Safety Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
niefSLEO Sworn Law Enforcement Officer Indicator https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
niefAAL Authenticator Assurance Level https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
niefFAL Federation Assurance Level https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
niefIAL Identity Assurance Level https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
NIEF Recommended
niefIntelligenceAnalystIndicator Intelligence Analyst Indicator https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator Counter Terrorism Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator Criminal History Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator Criminal Intelligence Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator Criminal Investigative Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
niefDisplayName Display Name https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
niefGovernmentDataSelfSearchHomePrivilegeIndicator Government Data Self Search Home Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
niefLocalId Local Id https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
niefNCICCertificationIndicator NCIC Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
niefNDExPrivilegeIndicator NDEx Privilege Indicator https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
niefPCIICertificationIndicator PCII Certification Indicator https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
niefFICAMAssuranceLevelCode FICAM Assurance Level Code https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

Sample Attribute Resolver

This sample attribute resolver uses the NIEF Attribute Definitions above. The "Simple" data connector type is a custom data connector that reads attributes from files on the filesystem. The dataconnectors are also specified in this same file, but that is not included in this sample. This requires specific attribute ids, that is how the attribute definition is applied to the attribute:

   <AttributeDefinition id="recipientId" xsi:type="ScriptedAttribute" >
       <Script> <![CDATA[
            recipientIdString = requestContext.getPeerEntityId();
            recipientId.addValue(recipientIdString);
        ]]></Script>
   </AttributeDefinition>
   <AttributeDefinition id="nief28CFR" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="CFRCertified"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefEmail" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="email"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefGivenName" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="firstname"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefSurName" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="lastname"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefIdentityProviderId" xsi:type="Template" >
       <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
       <Template>
         <![CDATA[
            NIEF:IDP:${orgid}
         ]]>
      </Template>
   </AttributeDefinition>
   <AttributeDefinition id="niefEmployer" xsi:type="Simple" >
       <InputDataConnector ref="staticAttributes" attributeNames="employer"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefFedId" xsi:type="Template" >
       <InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
       <InputDataConnector ref="File" attributeNames="email"/>
       <Template>
         <![CDATA[
              NIEF:IDP:${orgid}:USER:${email}
         ]]>
       </Template>
   </AttributeDefinition>
   <AttributeDefinition id="niefAAL" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="aal"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefIAL" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="ial"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefORI" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="ori"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefPSO" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="pso"/>
   </AttributeDefinition>
   <AttributeDefinition id="niefSLEO" xsi:type="Simple" >
       <InputDataConnector ref="File" attributeNames="sleo"/>
   </AttributeDefinition>

Dataconnectors

Data connectors looks close to the same as Shibboleth 3, note the InputAttributeDefintion field is used instead of the old Dependency concept in Shib3. Here are three sample data connectors, two are built-in 'static' and 'HTTP', while 'Simple' is the one GTRI created that serves from the filesystem:


   <DataConnector id="staticAttributes" xsi:type="Static">
       <Attribute id="employer">
           <Value>Texas National Guard (DEMO)</Value>
       </Attribute>
       <Attribute id="orgid">
           <Value>tng-interop-idp</Value>
       </Attribute>
   </DataConnector>
   <DataConnector id="File" xsi:type="txdps:Test"
                  pathToAttributeFiles="/opt/shibboleth-idp/users/"
                  uidAttribute="uid">
       <InputAttributeDefinition ref="uid" />
   </DataConnector>
 <DataConnector id="iirHTTP" xsi:type="HTTP"
     httpClientRef="shibboleth.NonCachingHttpClient">
   <InputAttributeDefinition ref="niefEmail" />
   <URLTemplate>
       <![CDATA[
       https://tca.iir.com/api/LookupTestCompleted?code=D7utRK84NO8sDTYRjh0UGP3fNXLjrH96FMlKs21YqcBpyTeZp6k/rw==
       ]]>
   </URLTemplate>
   <BodyTemplate MIMEType="application/json">
       <![CDATA[
       { 'email': '$niefEmail.get(0)' }
       ]]>
   </BodyTemplate>
   <ResponseMapping>
       <Script>
       <![CDATA[
       var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
       var HashSet = Java.type("java.util.HashSet");
       var HttpClientSupport = Java.type("net.shibboleth.utilities.java.support.httpclient.HttpClientSupport");
       var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
       var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
       // Limits length to 64k
       var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536);
       logger.info("Query Response = " + body);
       var result = JSON.parse(body);
       //logger.info("Parsed JSON Completed = " + result.completed);
       var attr = new IdPAttribute("CFRCertified");
       var values = new HashSet();
       if (result.completed) {
          values.add(new StringAttributeValue("true"));
       } else {
          values.add(new StringAttributeValue("false"));
       }
       attr.setValues(values);
       connectorResults.add(attr);
       ]]>
       </Script>
   </ResponseMapping>
   <ResultCache expireAfterWrite="PT5M"/>
 </DataConnector>

Metadata Providers

The following are sample metadata providers that are useful for systems that are working with NIEF. The first is a sample of the NIEF Production metadata provider and the second is an example of the NIEF Testbed provider. In both cases the associated certificate would need to be downloaded and put into the credentials directory for this provider to work:

NIEF Metadata Provider (Production)

   <MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/nief-metadata.xml" metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml">
       <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" />
       <MetadataFilter xsi:type="EntityRole">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>


NIEF Testbed Metadata Provider

   <MetadataProvider id="HTTPMetadata"
                     xsi:type="FileBackedHTTPMetadataProvider"
                     backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
                     metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
       <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
       <MetadataFilter xsi:type="EntityRole">
           <RetainedRole>md:SPSSODescriptor</RetainedRole>
       </MetadataFilter>
   </MetadataProvider>

Data Connector Information

Shibboleth 4 supports more DataConnector types than previous versions of Shibbboleth.

HTTPConnector

Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector

GTRI created a sample HTTPConnector that implementes the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector

Ongoing Notes

Create a NIEF Attribute Registry