![Page 1: IdP Basics & Installation - Duke Universitypeople.duke.edu/~shilen/shibtraining/idp.pdfIdP Basics & Installation Shilen Patel - shilen@duke.edu ... ... record of all the clients that](https://reader036.vdocuments.site/reader036/viewer/2022062504/5b0b337b7f8b9a0b0f8cfa07/html5/thumbnails/1.jpg)
IdP Basics & Installation
Shilen Patel - [email protected]
Carter - [email protected]
Guzman - [email protected]
Credits and Acknowledgements
These slides were created by Lukas Hämmerle and Chad La Joie from SWITCHaai.
Adapted by Shilen Patel for this presentation.
If you see this on a slide, hands-on work is required
Essential file editing commands

| Editor | Nano | VIM | Emacs |
| --- | --- | --- | --- |
| Open file | `$ nano file.xml` | `$ vim file.xml` | `$ emacs file.xml` |
| Save file | `<ctrl>-o` | `<esc>`, `:w` | `<ctrl>-x`, `<ctrl>-s` |
| Save and exit | `<ctrl>-x` | `<esc>`, `:wq` | `<ctrl>-x`, `<ctrl>-c`, `y` |
| Search string | `<ctrl>-w`, string | `<esc>`, `/string` | `<ctrl>-s`, string |
| Go to line number | `<ctrl>--`, number | `<esc>`, number, `<shift>-G` | |
| Pros and cons | + Easy / - No highlighting | + Highlighting / - "Weird" to use | + Very powerful / - No highlighting |
Tips and Tricks for Hands-on Part

- Lines starting with $ are usually commands to be executed.
- The character \ is a line-break symbol, which lets you break a long command across lines as you type it.
- Watch out for invalid XML/configuration errors; errors regarding well-formedness and schema validity are reported.
- `$ xmlwf /path/some-XML-File.xml` reports errors with line/column number if the XML is not well-formed, e.g. `shibboleth2.xml:261:2: mismatched tag`
Changes to VM

Modifications to VM:

1. cd /opt/installfest/setup/; ./setup.sh
2. Update your hosts file to replace "100" with your participant number.
3. In /etc/shibboleth/shibboleth2.xml:
   - Replace sp100.example.org with spXXX.example.org
   - Replace the entityID for the idp with https://idpXXX.example.org/idp/shibboleth (search for idp100)
   - Use this metadata provider:

     ```xml
     <MetadataProvider type="Chaining">
       <MetadataProvider type="XML" file="/opt/installfest/idps/idpXXX/idpXXX-metadata.xml"/>
     </MetadataProvider>
     ```

4. cp /opt/installfest/sps/spXXX/sp.key /etc/shibboleth/sp-key.pem
5. cp /opt/installfest/sps/spXXX/sp.crt /etc/shibboleth/sp-cert.pem
6. cp /opt/installfest/sps/spXXX/altspXXX-metadata.xml /var/www/html/altspXXX-metadata-remote.xml
7. cp /opt/installfest/idps/idpXXX/idpXXX-metadata.xml /opt/tomcat-6.0.16/webapps/ROOT/
8. ping spXXX.example.org from your host.
Current Environment

- Network: IdP 10.0.1.XXX, SP 10.0.2.XXX
- Java
- Tomcat: the following modifications have been made to the Tomcat installation:
  - Endorse Xerces and Xalan
  - "DelegateToApplicationProvider" Tomcat Connector
  - See https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare
- LDAP
- Shibboleth SP
More Tips and Tricks

- Restart your browser (clearing cookies) after changes. This shouldn't be necessary in most cases, but it is safer that way.
- Use SSH to connect to the VM: `$ ssh [email protected]`
Available Users in LDAP

- alum1 / password
  - givenName surname: Alumnus Example
  - Affiliation: alum
  - Entitlements: (none)
- student1 / password
  - givenName surname: Student 1 Example
  - Affiliation: student, libary-walk-in
  - Entitlements: urn:example.org:res1:12345, urn:example.org:res2:09876, http://example.org/user, http://channel8.msdn.org/user
- student2 / password
  - givenName surname: Student 2 Example
  - Affiliation: student, libary-walk-in, part-time-student
  - Entitlements: urn:example.org:res1:12345, http://channel8.msdn.org/user
More available Users in LDAP

- staff1 / password
  - givenName surname: Staff 1 Example
  - Affiliation: staff, employee
  - Entitlements: (none)
- staff2 / password
  - givenName surname: Staff 2 Example
  - Affiliation: staff, part-time-employee
  - Entitlements: (none)
Your Laptop

- Set your IP address to 10.0.3.X.
- Set your subnet mask to 255.255.0.0.
- Add the following to your hosts file (/etc/hosts for UNIX, C:\windows\system32\drivers\etc\hosts for Windows XP):

```
10.0.1.XXX idpXXX.example.org
10.0.1.XXX ds.example.org
10.0.2.XXX spXXX.example.org
10.0.2.XXX altspXXX.example.org
```
VM Operating System Environment

- CentOS (Red Hat) 5 VMware image
- User: "root" / Password: "password"
- SSH on port 22 is open and you can log in with a password
- Apache 2.2, running on port 443 (https)
- Self-signed SSL certificates
- AuthConfig added to /cgi-bin and /html for .htaccess
- Apache ServerName set to spXXX.example.org
- Hostnames:
  - idpXXX.example.org
  - spXXX.example.org
  - altspXXX.example.org (alternative SP hostname)
  - ds.example.org
Restarting Processes

- Apache: `/etc/init.d/httpd restart`
- Shibboleth SP: `/etc/init.d/shibd restart`
- Tomcat: `tomcatStop` (alias for /opt/tomcat-6.0.16/bin/shutdown.sh) and `tomcatStart` (alias for /opt/tomcat-6.0.16/bin/startup.sh)
- LDAP: `/etc/init.d/apacheds restart default`
Terms: Entity ID

A unique identifier for an identity provider (IdP) or service provider (SP).

In Shibboleth 2 the recommended format is a URL:

- idp: https://HOSTNAME/idp/shibboleth
- sp: https://HOSTNAME/shibboleth
Terms: Relying Party

The SAML peer with which the IdP is communicating.
In all existing cases, the relying party of the IdP is always an SP. Some very advanced cases allow one IdP to be a relying party to another IdP.
Terms: Binding

A description of how a SAML message is attached to an underlying transport protocol, such as HTTP or SMTP.

For example: if the message is sent over HTTP, which HTTP headers need to be set, what the URL or form parameter names are, etc.
Terms: Profile

A description of how to use SAML, over a specific binding, to accomplish a specific task (e.g. Single Sign-On) in an interoperable manner.
Profiles are the finest grained unit of interoperability within SAML.
Terms: Metadata
A description of the SAML features supported by a SAML entity. Most importantly this includes the URLs for communicating with an entity.
Shibboleth also uses this information to build technical trust between entities.
Installation

1. unzip /opt/installfest/distro/shibboleth-idp-2.0.0-bin.zip
2. cd identityprovider
3. chmod +x ant.sh
4. ./ant.sh
   a. answer yes to the first question
   b. use /opt/shibboleth-idp as your shib home directory
   c. enter your hostname: idpXXX.example.org
   d. enter a password when prompted for one
Tomcat Deployment

1. Create the file /opt/tomcat-6.0.16/conf/Catalina/localhost/idp.xml with the contents:

```xml
<Context docBase="/opt/shibboleth-idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false" />
```

2. Start Tomcat
3. Test your install: https://idpXXX.example.org/idp/profile/Status

You should simply see an "ok" message. If you receive an error, check /opt/tomcat-6.0.16/logs/catalina.out.
SHIB_HOME

/opt/shibboleth-idp should now contain: bin, conf, credentials, lib, logs, metadata, war

The Shibboleth documentation refers to this directory as SHIB_HOME.
SHIB_HOME/bin

Contains command line tools:

- aacli: Attribute authority command line interface; allows you to simulate an attribute query/release
- version: Provides the version of the IdP
SHIB_HOME/conf
The IdP’s configuration files.
We’ll cover most as we go through the course. We will not cover service.xml or internal.xml as these control advanced features.
SHIB_HOME/credentials
Credentials used by the IdP.
By default the IdP’s generated key (idp.key), cert (idp.crt) and a keystore (idp.jks) containing both are put here.
Good location to place things like trust anchor X.509 certs, cached CRLs, etc.
SHIB_HOME/lib
The libraries (jars) that make up the IdP.
These are copies of those that occur in the IdP WAR file and are only used by the command line tools.
SHIB_HOME/logs

Location of the Shibboleth log files.

- process log: detailed description of the IdP's processing of requests
- access log: record of all the clients that connect to the IdP
- audit log: record of all information sent out from the IdP
SHIB_HOME/metadata

Default location where various metadata files are stored.

The IdP does not automatically load any metadata. Metadata read from a file, or stored backup copies of remote metadata, are usually put in this directory.
SHIB_HOME/war
The location of the IdP WAR file created by the installer.
We point Tomcat to this file, instead of copying it to Tomcat, so that we don’t forget to copy new WARs if we rebuild the IdP (to add an extension, for example) or run into problems with Tomcat’s file caching mechanisms.
Now some sleight of hand

```sh
cp /opt/installfest/idps/idpXXX/idp.* /opt/shibboleth-idp/credentials
cp /opt/installfest/sps/spXXX/*.xml /opt/shibboleth-idp/metadata
```
Logging: Configuration

- Logging configuration is controlled by the logging.xml config file.
- Log messages belong to a hierarchical category; most correspond to Java package names.
- Log messages have 5 levels: TRACE, DEBUG, INFO, WARN, ERROR

https://spaces.internet2.edu/display/SHIB2/IdPLogging
Logging: Configuration

1. Look at the IdP process log. Note how the messages are all INFO messages.
2. Edit logging.xml and change the logging level for the logger edu.internet2.middleware.shibboleth to DEBUG.
3. Restart the IdP and look at the process log again.

The IdP will pick up changes to logging.xml every 5 minutes.
Metadata: Goals

- Load metadata for local SPs from the filesystem
- Load other metadata from a remote location
Metadata: Configuration

- Metadata is loaded into the IdP by metadata providers.
- Metadata providers are configured in the relying-party.xml file.
- This file may only contain one top-level provider. By default the top-level provider is a chaining provider that contains other metadata providers and uses them in the order defined.

https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider
Metadata: Provider Config

- Metadata providers are configured using the <MetadataProvider> element
- Every metadata provider has a:
  - unique ID given by the id attribute
  - type given by the xsi:type attribute
- Each type of metadata provider has its own set of configuration options
Metadata: Filesystem Provider

The filesystem metadata provider reads a metadata file from the local filesystem.

- Type attribute value: FilesystemMetadataProvider
- Configuration attribute: metadataFile gives the path to the metadata file
Metadata: Local Metadata

In relying-party.xml add the following to the existing chaining metadata provider:

```xml
<MetadataProvider id="spXXX"
                  xsi:type="FilesystemMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataFile="/opt/shibboleth-idp/metadata/spXXX-metadata.xml" />
```
Metadata: Local Metadata

Define an additional metadata provider that loads metadata from /opt/shibboleth-idp/metadata/altspXXX-metadata.xml
Metadata: File-backed HTTP Provider

Loads metadata via HTTP and backs it up to a local file.

- Type attribute value: FileBackedHTTPMetadataProvider
- Configuration attributes:
  - metadataURL: HTTP URL of the metadata file
  - backingFile: location of the backup file

In production, metadata signatures should be required and validated.
Metadata: Remote Metadata

Update the metadata provider for altspXXX to load metadata from http://spXXX.example.org/altspXXX-metadata-remote.xml and store it to /opt/shibboleth-idp/metadata/altspXXX-metadata-remote.xml
Metadata: Verify

Go to the following URLs:

- https://spXXX.example.org/secure
- https://altspXXX.example.org/secure

You should see an error page (shown on the slide), which makes sense since we haven't configured the authentication piece yet.
Metadata: Watchout
The chaining metadata provider looks up relying party information in its children in the order they are defined. If two child providers load different metadata for the same entity only the first description will ever be used by the IdP. No attempt to merge the data is made.
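The lookup order and the no-merge rule just described, as an added example (not code from the slides or the Shibboleth IdP): a small Python model of the chaining provider walking two constructed metadata documents, plus an audit that flags entityIDs carried by more than one child provider, since a remote feed that re-publishes a locally trusted entityID is silently ignored, or silently wins if it is ordered first. The provider ids, entityIDs and AssertionConsumerService locations are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata for the two child providers of the chain.
# Both documents describe https://spXXX.example.org/shibboleth, but with
# a different AssertionConsumerService (ACS) Location.
LOCAL_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="https://spXXX.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://spXXX.example.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

REMOTE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="https://altspXXX.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://altspXXX.example.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://spXXX.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://elsewhere.example.net/acs"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def parse_provider(xml_text):
    """Map entityID -> ACS Location for one provider's metadata document."""
    root = ET.fromstring(xml_text)
    tag_ed = f"{{{MD_NS}}}EntityDescriptor"
    tag_acs = f"{{{MD_NS}}}AssertionConsumerService"
    entities = {}
    for ed in root.iter(tag_ed):
        acs = ed.find(f".//{tag_acs}")
        entities[ed.get("entityID")] = acs.get("Location") if acs is not None else None
    return entities


def chaining_lookup(chain, entity_id):
    """Resolve entity_id the way the chaining provider does: walk the child
    providers in configured order and return the first hit as (provider_id, acs).
    Later providers are never consulted and nothing is merged."""
    for provider_id, entities in chain:
        if entity_id in entities:
            return provider_id, entities[entity_id]
    return None


def shadowed_entities(chain):
    """Audit: entityIDs described by more than one child provider, listing the
    providers that carry them in chain order (only the first one is ever used)."""
    carriers = {}
    for provider_id, entities in chain:
        for eid in entities:
            carriers.setdefault(eid, []).append(provider_id)
    return {eid: ids for eid, ids in carriers.items() if len(ids) > 1}


def build_chain():
    """The chain as the exercise configures it: the local filesystem provider
    first, the file-backed HTTP provider for altspXXX second (ids constructed)."""
    return [
        ("spXXX", parse_provider(LOCAL_METADATA)),
        ("altspXXX-remote", parse_provider(REMOTE_METADATA)),
    ]


if __name__ == "__main__":
    chain = build_chain()
    sp = "https://spXXX.example.org/shibboleth"
    print("chain order:", chaining_lookup(chain, sp))
    print("reversed   :", chaining_lookup(list(reversed(chain)), sp))
    print("shadowed   :", shadowed_entities(chain))
```

Running the audit after every metadata change makes the ordering dependency visible before it silently changes where the IdP posts assertions.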
Authentication
Terms: Authentication Mechanism
A concrete mechanism used to authenticate a user.
Shibboleth 2 currently supports REMOTE_USER, user/pass against LDAP & Kerberos, and IP address based mechanisms.
Terms: Authentication Method
An identifier that a relying party may use to stipulate how authentication should be performed.
Authentication method identifiers correspond to a prescription of how authentication is done (even if the details are only in someone’s head).
Terms: Login Handler
An IdP component that correlates all supported authentication methods with currently configured authentication mechanisms.
A login handler may map more than one authentication method to the same authentication mechanism.
Terms: Session

State information about the user, the currently active authentication methods, and the services into which they are signed.
A user’s IdP session is created the first time they authenticate but may outlive the lifetime of all authentication methods.
Authentication: Goals
Configure UsernamePassword login handler to authenticate against LDAP.
Login Handler: Configuration

- Login handlers are configured in handler.xml
- <LoginHandler> defines a login handler
- Every login handler definition has an xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.

https://spaces.internet2.edu/display/SHIB2/IdPUserAuthn
Login Handler: Configuration

Each <LoginHandler> must contain at least one <AuthenticationMethod>, which indicates what authentication method the login handler provides.
Login Handler: UsernamePassword

Login handler that prompts for a username/password and validates it against a JAAS module (LDAP & Kerberos 5 currently supported).

- Type attribute value: UsernamePassword
- Configuration attribute: jaasConfigurationLocation, the path to the JAAS configuration file
Login Handler: UsernamePassword

Edit login.config:

1. Uncomment the LDAP login module
2. Configure it like this:

```
edu.vt.middleware.ldap.jaas.LdapLoginModule required
  host="127.0.0.1"
  port="10389"
  base="ou=people,dc=example,dc=org"
  userField="uid";
```
Login Handler: UsernamePassword

Edit handler.xml:

1. Comment out the RemoteUser handler
2. Uncomment the UsernamePassword handler
LoginHandler: UsernamePassword

1. Restart Tomcat
2. Access https://spXXX.example.org/cgi-bin/attribute-viewer
3. Use student1/password as the username/password
LoginHandler: UsernamePassword

The login page presented to the user is /opt/installfest/distro/identityprovider/resources/webpages/login.jsp

- You may define more than one UsernamePassword login handler, with different authentication methods: for example, one that works with LDAP and another that works with Kerberos.
- You may define more than one LDAP host so that if one is down another is used.
LoginHandler: Authentication Duration

- Each authentication mechanism supports an activity timeout.
- After this timeout expires the mechanism is considered inactive for that user.
- If the user attempts to access a new service provider that requires that authentication mechanism, they must re-authenticate.
LoginHandler: Authentication Duration

It is configured by the authenticationDuration attribute on the <LoginHandler>. Its value is the number of minutes of inactivity; its default value is 30.
Forced Authentication

SAML 2 allows a service provider to force authentication of the user, even if the user has an existing session.

Access https://spXXX.example.org/Shibboleth.sso/Login?forceAuthn=true&target=https://spXXX.example.org/cgi-bin/attribute-viewer

Note that it requires you to authenticate again even though the user has a session.
57Force Authentication
Only works with mechanisms that can re-authenticate a user.RemoteUser does not support forced authentication.The service provider will receive an error if the IdP can not support forced authentication
58 Authentication Method Selection
An SP may provide a list of acceptable methods.
The IdP then checks whether any active mechanism provides any of those methods; if so, single sign-on occurs.
Otherwise the IdP picks a supported, but not yet active, method and uses that.
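The selection logic of slides 54 to 58 (activity timeout, forceAuthn, method lists) as an added Python model; this is not IdP code, and the LoginHandler class, the handler names and the timestamps are constructed for illustration:

```python
from dataclasses import dataclass

# SAML 2 authentication context class URIs used here as the method names an SP may request.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"


@dataclass
class LoginHandler:
    """Constructed model of one <LoginHandler> entry (not the IdP's own class)."""
    name: str
    methods: frozenset                  # authentication methods this handler provides
    can_reauthenticate: bool            # RemoteUser cannot (slide 57)
    authentication_duration: int = 30   # minutes of inactivity, the default (slide 55)


# Constructed handler set: a RemoteUser handler and a username/password handler.
HANDLERS = [
    LoginHandler("RemoteUser", frozenset({UNSPECIFIED}), can_reauthenticate=False),
    LoginHandler("UsernamePassword", frozenset({PASSWORD}), can_reauthenticate=True),
]


def active_handlers(handlers, last_activity, now):
    """Handlers whose last use (minutes, per handler name) is within their timeout."""
    return [h for h in handlers
            if h.name in last_activity
            and now - last_activity[h.name] < h.authentication_duration]


def select_handler(handlers, last_activity, now, requested=None, force_authn=False):
    """Decide how the IdP answers an authentication request (slides 54-58).

    Returns ("sso", handler) when an active mechanism satisfies the request and
    ("login", handler) when the user must (re)authenticate. Raises RuntimeError
    when forceAuthn was requested but no handler can re-authenticate the user,
    which is the case in which the SP receives an error (slide 57).
    """
    wanted = set(requested) if requested else None

    def supports(handler):
        return wanted is None or bool(handler.methods & wanted)

    if not force_authn:
        for handler in active_handlers(handlers, last_activity, now):
            if supports(handler):
                return ("sso", handler)
    # No usable active mechanism, or forceAuthn=true: pick a supported mechanism
    # that can actually log the user in (again).
    for handler in handlers:
        if supports(handler) and (handler.can_reauthenticate or not force_authn):
            return ("login", handler)
    if force_authn:
        raise RuntimeError("IdP cannot satisfy forceAuthn with the configured handlers")
    raise RuntimeError("no login handler supports the requested methods")
```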
Attribute Resolution
60 Terms: Attribute
A piece of information about a user. Each attribute has a unique ID and has zero or more values.
Shibboleth attributes are protocol-agnostic data structures.
61 Terms: SAML Attribute
An attribute that is represented in SAML notation.
Shibboleth transforms attributes into SAML attributes by a process known as encoding.
62 Terms: Data Connector
A plugin that creates multiple attributes from information in data sources like LDAP and databases.
Shibboleth currently supports static, LDAP, relational database, computed, and stored ID data connectors.
63 Terms: Attribute Definition
A plugin that creates a single attribute by transforming other attributes and state information.
Shibboleth currently supports simple, scoping, regex, mapping, template, scripting, principal name, and principal authentication method attribute definitions.
64 Terms: Attribute Encoder
A plugin that converts an attribute into a protocol specific form, like a SAML attribute.
Attribute encoders are associated with an attribute through the attribute’s attribute definition.
65 Terms: Principal Connector
A plugin that converts a name identifier, provided by a relying party, into the internally used userid.
66 Terms: Attribute Resolver
A subsystem in Shibboleth responsible for fetching, transforming, and associating encoders with attributes.
Only attributes produced by attribute definitions leave the resolver and are available to other parts of the system.
67 A bit of logging configuration
Edit logging.xml.
Turn the logging level of each currently defined logger to WARN.
Add a new logger:
<logger name="edu.internet2.middleware.shibboleth.common.attribute">
  <level value="DEBUG" />
</logger>
68 Attribute Goals
Define a simple attribute with a static value.
Gather user information from an LDAP directory.
Create attribute definitions that release some information with simple values and other information with scoped values.
69 Data Connector: Configuration
Data connectors are configured in attribute-resolver.xml.
<DataConnector> defines a data connector.
Every data connector has an id attribute that uniquely identifies it.
Every data connector has an xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute
70 Data Connector: Configuration
Some connectors will need information collected by another plugin in order to work. This is represented by a <resolver:Dependency ref="NAME" /> element.
The dependency is declared before any other configuration elements.
The value of the ref attribute is the ID of the plugin upon which the connector depends.
71 Data Connector: Static
The static data connector adds attributes to every resolved account.
Type attribute value: Static
Configuration attributes: none
https://spaces.internet2.edu/display/SHIB2/ResolverStaticDataConnector
72 Data Connector: Static
The produced attributes are defined by: <Attribute id="ATTRIBUTE_ID">
Values are added by: <Value>VALUE</Value>
An attribute may have more than one value.
73 Data Connector: Static
Create an attribute 'eduPersonAffiliation' that has one value 'member':
<resolver:DataConnector id="staticEPA" xsi:type="Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
  <Attribute id="eduPersonAffiliation">
    <Value>member</Value>
  </Attribute>
</resolver:DataConnector>
74 Attribute Definition: Configuration
Attribute definitions are configured in attribute-resolver.xml.
<AttributeDefinition> defines a definition.
Every definition has an id attribute that uniquely identifies it.
Every definition has an xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute
75 Attribute Definition: Configuration
Most definitions will need information collected by another plugin in order to work. This is represented by a <resolver:Dependency ref="NAME" /> element.
The dependency is declared before any other configuration elements.
The value of the ref attribute is the ID of the plugin upon which the definition depends.
76 Attribute Definition: Simple
An attribute definition that simply releases an attribute from the resolver.
Type attribute value: Simple
Configuration attributes:
sourceAttributeID - the name of the attribute, provided by the dependencies, that will supply the values for this attribute
https://spaces.internet2.edu/display/SHIB2/ResolverSimpleAttributeDefinition
77 Attribute Definition: ePA
Putting it all together, we define an attribute definition for eduPersonAffiliation as follows:
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="eduPersonAffiliation">
  <resolver:Dependency ref="staticEPA" />
</resolver:AttributeDefinition>
78 Attribute Definition: Testing
Restart the IdP.
Clear your browser session or restart your browser.
Watch the logs using tail -f /opt/shibboleth-idp/logs/idp-process.log
Log in to https://spXXX.example.org/cgi-bin/attribute-viewer
You should see the following message:
No attributes remained after encoding and filtering by value, no attribute statement built
79 Attribute Encoders: Configuration
Attribute encoders are configured as children of an attribute definition.
<AttributeEncoder> defines an encoder.
Every encoder has an xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute
80 Attribute Encoder: Basic SAML 1
A SAML 1 encoder always looks like this:
<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
Only the name changes.
https://spaces.internet2.edu/display/SHIB2/SAML1StringAttributeEncoder
81 Attribute Encoder: Basic SAML 2
A SAML 2 encoder always looks like this:
<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
    friendlyName="eduPersonAffiliation" />
Only the name and friendly name change.
https://spaces.internet2.edu/display/SHIB2/SAML2StringAttributeEncoder
82 Attribute Encoder: Configuration
Add SAML 1 and SAML 2 attribute encoders to your eduPersonAffiliation attribute definition.
eduPersonAffiliation:
SAML 1 name: urn:mace:dir:attribute-def:eduPersonAffiliation
SAML 2 name: urn:oid:1.3.6.1.4.1.5923.1.1.1.1
83 Data Connector: LDAP
Data connector that pulls user information from LDAP.
Type attribute value: LDAPDirectory
Configuration attributes:
ldapURL - LDAP server connection URL
baseDN - search filter base DN
principal - DN of the user to connect as
credential - the principal's password (written as principalCredential in the example on slide 85)
https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector
84 Data Connector: LDAP
Lastly, the LDAP data connector contains a child element <FilterTemplate>.
The template is used to construct the query filter; for now we'll use (uid=$requestContext.principalName)
85 Data Connector: LDAP
If you put it all together you should get:
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://127.0.0.1:10389" baseDN="ou=people,dc=example,dc=org"
    principal="uid=admin,ou=system" principalCredential="password">
  <FilterTemplate>
    (uid=$requestContext.principalName)
  </FilterTemplate>
</resolver:DataConnector>
86 Attribute Definition: ePA
Add the LDAP data connector as a dependency to your eduPersonAffiliation attribute definition.
Run another test.
Note how the LDAP values are added to the value from the static data connector.
87 Attribute Definition: ePPA
Create a simple attribute definition called eduPersonPrimaryAffiliation that has a sourceAttributeID of eduPersonPrimaryAffiliation and depends on myLDAP.
Add SAML 1/2 string attribute encoders:
urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation
urn:oid:1.3.6.1.4.1.5923.1.1.1.5
88 Attribute Scoping
Some attribute values may have scopes.
Scopes provide a domain within which an attribute value is valid.
Example: Georgetown University has a main campus, a law school, and a medical school. A professor at the law school may not have the same rights as a professor at the medical school.
89 Attribute Definition: Scoped
An attribute definition that adds a static scope.
Type attribute value: Scoped
Configuration attributes:
sourceAttributeID - ID of the attribute whose values will be scoped
scope - scope added to the attribute values
https://spaces.internet2.edu/display/SHIB2/ResolverScopedAttributeDefinition
90 Attribute Definition: Scoped
Create an attribute definition for eduPersonScopedAffiliation:
<resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="eduPersonAffiliation" scope="example.org">
  <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>
91 Attribute Definition: Prescoped
Prescoped attribute values already contain the scope within the data source.
Type attribute value: Prescoped
Configuration attributes:
sourceAttributeID - ID of the attribute with prescoped values
scopeDelimiter - the scope delimiter used in the attribute's values (default: @)
https://spaces.internet2.edu/display/SHIB2/ResolverPrescopedAttributeDefinition
92 Attribute Definition: Prescoped
Create an attribute definition that operates on the prescoped eduPersonPrincipalName attribute:
<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="eduPersonPrincipalName">
  <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>
93 Attribute Encoders: Scoped
An attribute's scope may be written into a SAML message in two ways:
as an attribute on the SAML <AttributeValue Scope="..."> element, or
using inline value@scope notation.
The notation used may be controlled by the scopeType attribute on the encoder. Values: attribute, inline
94 Attribute Encoders: Scoped
SAML 1 scoped value encoder:
<resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
SAML 2 scoped value encoder:
<resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    friendlyName="eduPersonPrincipalName" />
95 More about Dependencies
Any resolver plugin may have any number of dependencies.
If more than one dependency provides the same attribute, the dependent plugin operates on the effective union of the values.
Attribute definitions may be marked with a dependencyOnly="true" attribute. This ensures the value is never released outside the resolver (and speeds up filtering a bit).
96 Data Connector Failover
Data connectors may define failover connectors such that if the data connector fails, the failover connector is invoked.
If more than one failover connector is defined, they are tried in order until one succeeds.
They are defined using:
<resolver:FailoverDataConnector ref="CONNECTOR_ID_1" />
97 InCommon Recommendation
http://www.incommonfederation.org/attributesummary.html
So what if you have an existing LDAP with different attribute names?
Change your LDAP schema if feasible.
Create additional attributes to use with Shibboleth.
Or just map the existing attributes to the "correct" ones using the attribute definition:
<resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="example.org" sourceAttributeID="affiliation">
  <resolver:Dependency ref="myLDAP" />
  <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
  <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
</resolver:AttributeDefinition>
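The resolution process described on slides 69 to 97 (data connectors feeding attribute definitions through <resolver:Dependency>, union of values across dependencies, Scoped and Prescoped definitions, dependencyOnly) as an added Python walk-through of the slides' own attribute-resolver.xml fragments. This is not Shibboleth code: it parses the XML with ElementTree and replaces the LDAP server with a constructed in-memory directory (FAKE_LDAP), so the connector attributes ldapURL, baseDN and principal are read but never used for a connection.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed stand-in for the directory behind myLDAP; no LDAP server is contacted.
FAKE_LDAP = {
    "jdoe": {"eduPersonAffiliation": ["student", "member"],
             "eduPersonPrimaryAffiliation": ["student"],
             "eduPersonPrincipalName": ["jdoe@example.org"]},
}

# The slides' fragments, wrapped in a root element that declares the prefixes they use.
RESOLVER_XML = """
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="staticEPA" xsi:type="Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    <Attribute id="eduPersonAffiliation"><Value>member</Value></Attribute>
  </resolver:DataConnector>
  <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://127.0.0.1:10389" baseDN="ou=people,dc=example,dc=org"
      principal="uid=admin,ou=system" principalCredential="password">
    <FilterTemplate>(uid=$requestContext.principalName)</FilterTemplate>
  </resolver:DataConnector>
  <resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="staticEPA" />
    <resolver:Dependency ref="myLDAP" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="eduPersonAffiliation" scope="example.org">
    <resolver:Dependency ref="myLDAP" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="eduPersonPrincipalName">
    <resolver:Dependency ref="myLDAP" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""


def local(tag):
    """Drop the namespace part of an ElementTree tag name."""
    return tag.split("}")[-1]


def run_connector(el, principal):
    """Return {attribute id: [(value, scope)]} produced by one data connector."""
    kind = el.get(XSI_TYPE)
    if kind == "Static":
        return {a.get("id"): [(v.text, None) for v in a if local(v.tag) == "Value"]
                for a in el if local(a.tag) == "Attribute"}
    if kind == "LDAPDirectory":
        # Constructed: expand the FilterTemplate as the real connector would, then look the
        # uid up in FAKE_LDAP instead of searching baseDN with the bind principal.
        template = next(c.text for c in el if local(c.tag) == "FilterTemplate").strip()
        search_filter = template.replace("$requestContext.principalName", principal)
        uid = search_filter[len("(uid="):-1]
        return {k: [(v, None) for v in vals] for k, vals in FAKE_LDAP.get(uid, {}).items()}
    raise ValueError("unsupported data connector type: %s" % kind)


def resolve(xml_text, principal):
    """Run the resolver for one principal and return the attributes that leave it."""
    plugins = {el.get("id"): el for el in ET.fromstring(xml_text.strip())}
    cache = {}

    def outputs(plugin_id):
        if plugin_id in cache:
            return cache[plugin_id]
        el = plugins[plugin_id]
        if local(el.tag) == "DataConnector":
            result = run_connector(el, principal)
        else:
            # Collect sourceAttributeID from every dependency; duplicates collapse, so the
            # definition sees the union of the static and LDAP values (slides 86 and 95).
            source = el.get("sourceAttributeID")
            values = []
            for dep in el:
                if local(dep.tag) == "Dependency":
                    for pair in outputs(dep.get("ref")).get(source, []):
                        if pair not in values:
                            values.append(pair)
            kind = el.get(XSI_TYPE)
            if kind == "Simple":
                result = {plugin_id: values}
            elif kind == "Scoped":
                result = {plugin_id: [(v, el.get("scope")) for v, _ in values]}
            elif kind == "Prescoped":
                delim = el.get("scopeDelimiter", "@")
                result = {plugin_id: [tuple(v.split(delim, 1)) for v, _ in values]}
            else:
                raise ValueError("unsupported attribute definition type: %s" % kind)
        cache[plugin_id] = result
        return result

    released = {}
    for plugin_id, el in plugins.items():
        # Only attribute definitions leave the resolver (slide 66), and dependencyOnly="true"
        # keeps a definition internal (slide 95).
        if local(el.tag) == "AttributeDefinition" and el.get("dependencyOnly") != "true":
            released.update(outputs(plugin_id))
    return released
```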
Attribute Filtering
99 Terms: Attribute Filter Policy
A policy containing a trigger, that indicates if the policy is active, and a set of attribute value filters.
100 Terms: Policy Requirement Rule
A specific requirement that must be met in order for an attribute filter policy to be in effect.
An attribute filter policy may only have one requirement rule but some rules allow child rules to be declared and combined.
101 Terms: Attribute Rule
A rule, specific to an attribute, that determines which values are released to a relying party.
An attribute filter policy may have any number of attribute rules.
102 Terms: Permit Value Rule
A rule that determines if an attribute value is permitted to be released to a relying party.
103 Terms: Attribute Filter Policy Group
A collection of attribute filter policies.
This is the unit of configuration loaded by the attribute filtering engine.
104 Terms: Attribute Authority
The entity that answers attribute requests.
This normally entails an attribute resolution phase followed by an attribute filtering phase.
105 Attribute Filter Policy: Configuration
Attribute filters are defined in attribute-filter.xml.
Attribute filter policies are declared with <AttributeFilterPolicy>.
Every filter policy has a single id attribute that provides a unique name for the policy.
https://spaces.internet2.edu/display/SHIB2/IdPAddAttributeFilter
106 Policy Requirement Rule
<PolicyRequirementRule> defines a requirement rule.
Every rule has an xsi:type attribute that defines its type. Each type has its own set of configuration options.
Every attribute filter policy must have one, and only one, policy requirement rule.
107 Policy Requirement Rule: Any
Requirement rule that always evaluates to true.
Type attribute value: basic:ANY
Configuration attributes: none
108 Attribute Filter Policy: Configuration
A filter policy that releases information to anyone:
<AttributeFilterPolicy id="attributesToAnyone">
  <PolicyRequirementRule xsi:type="basic:ANY" />
</AttributeFilterPolicy>
109 Attribute Rule: Configuration
A rule representing the set of values released to a relying party.
<AttributeRule> defines a rule.
Every rule has an attributeID attribute that identifies the attribute, by ID, to which the rule applies.
110 Permit Value Rule: Configuration
A rule that signifies a value should be released to the requester.
<PermitValueRule> defines a rule.
Every rule has an xsi:type attribute that defines its type. Each type has its own set of configuration options.
111 Permit Value Rule: Any
Rule that always evaluates to true.
Type attribute value: basic:ANY
Configuration attributes: none
112 Attribute Filter Policy: Configuration
A filter policy that releases eduPersonPrimaryAffiliation to anyone:
<AttributeFilterPolicy id="attributesToAnyone">
  <PolicyRequirementRule xsi:type="basic:ANY" />
  <AttributeRule attributeID="eduPersonPrimaryAffiliation">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
113 Attribute Filter Policy: Configuration
Add a new attribute rule that also releases all eduPersonAffiliation values to everyone.
114 Policy Requirement Rule: Attribute Requester String
A policy requirement rule that evaluates to true if the attribute requester matches a string
Type attribute value: basic:AttributeRequesterString
Configuration Attributes:
– value - the entity ID of the attribute requester
– ignoreCase - if case should be ignored during evaluation
115 Attribute Filter Policy: Configuration
Create a new attribute filter policy rule whose requirement is that the requester is https://spXXX.example.org/shibboleth and that releases eduPersonPrincipalName.
116 Permit Value Rule: AND, OR, NOT
Evaluates the child rule(s) and returns the AND/OR/NOT of their true/false results.
Type attribute value: basic:AND, basic:OR, basic:NOT
Additional Configuration: each of these rules operates on child rules defined using <basic:Rule> with an xsi:type of the permit value rule to be and/or/not'ed.
117 Permit Value Rule: Attribute Value String
A permit value rule that evaluates to true if the attribute value matches a string
Type attribute value: basic:AttributeValueString
Configuration Attributes:
– value - the string the attribute value is compared against
– ignoreCase - true if the values' case should be ignored during comparison
118 Attribute Rule: Configuration
A rule that allows only certain eduPersonAffiliation values
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString"
                        value="student" />
            <basic:Rule xsi:type="basic:AttributeValueString"
                        value="staff" />
        </PermitValueRule>
    </AttributeRule>
119 Attribute Rule Configuration
Create permit value rules for the two affiliation attributes that only allow the values: faculty, staff, student, alum, member, affiliate, employee, library-walk-in
120 Group/User Policies
• To create a "group policy", define a policy whose policy requirement rule matches on an attribute value carrying your group information.
• To create a "user policy", define a policy whose policy requirement rule matches on the value of the principal's name.
121 Attribute Filtering Gotchas
• Only those values explicitly permitted are ever released.
• There is no way to expressly deny the release of an attribute, so be careful how your attribute filter policies overlap (deny value rules will be in 2.1).
• Rules that operate on an attribute's values will not take scopes into consideration.
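An added evaluator, not part of these slides or of the Shibboleth IdP code base, that parses the filter-policy syntax from slides 112 and 118 and applies the permit-only semantics of the gotchas above: every policy whose requirement rule matches contributes its permitted values, and the union is released, so a requester matched by a broad policy also gets values a narrower policy tried to limit. The policy group, the SP entity IDs and the user attributes are constructed sample data.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"  # how ElementTree names xsi:type
# Constructed sample policy group in the syntax the slides show (not a real deployment file).
POLICY_XML = """<AttributeFilterPolicyGroup xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="affiliationToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="oneTrustedSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp001.example.org/shibboleth"/>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def matches(rule, requester, value=None):
    """Evaluate one rule element; unknown xsi:types fail closed (nothing is released)."""
    kind = rule.get(XSI_TYPE)
    same = lambda a, b: a is not None and (a.lower() == b.lower() if rule.get("ignoreCase") == "true" else a == b)
    if kind == "basic:ANY":
        return True
    if kind == "basic:AttributeRequesterString":
        return same(requester, rule.get("value"))
    if kind == "basic:AttributeValueString":
        return same(value, rule.get("value"))
    if kind in ("basic:AND", "basic:OR"):  # child <basic:Rule> elements are combined
        return (all if kind == "basic:AND" else any)(matches(k, requester, value) for k in rule)
    if kind == "basic:NOT":
        return not matches(rule[0], requester, value)
    return False

def released(requester, attrs, policy_xml=POLICY_XML):
    """Permit-only semantics: union of permitted values over every policy whose requirement matches."""
    out = {}
    for pol in ET.fromstring(policy_xml).iter("AttributeFilterPolicy"):
        if matches(pol.find("PolicyRequirementRule"), requester):
            for ar in pol.iter("AttributeRule"):
                name, pvr = ar.get("attributeID"), ar.find("PermitValueRule")
                out.setdefault(name, set()).update(v for v in attrs.get(name, []) if matches(pvr, requester, v))
    return {k: v for k, v in out.items() if v}  # attributes with no permitted value are withheld entirely
```

Calling released() for sp001 shows the overlap gotcha: the ANY rule in the second policy releases "alum" even though the first policy permits only student and staff, and nothing in the first policy can take that back.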
New Features
123 Shibboleth IdP 2.1
Expected release in October 2008.
Clustering support
Resource files available through Subversion
Deny release of attributes
124 Documented Roadmap for 2.2
Back-channel SLO profile
X.509 authentication
User consent on attribute release
Many more features planned...
https://spaces.internet2.edu/display/SHIB2/Shibboleth+2.2+Roadmap