Separately from the NameID, the configuration for sending the eduPersonTargetedID attribute as //saml2:AttributeStatement/saml2:Attribute[@FriendlyName="eduPersonTargetedID"] is as follows.
The configuration using computedId is shown below. It assumes that the persistent-id configuration has already been carried out, and it refers to the properties defined in conf/saml-nameid.properties.
conf/attribute-resolver.xml
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->

<!-- Schema: eduPerson attributes -->

<!-- Attribute Definition for eduPersonTargetedID -->
<resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="SAML1XMLObject"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <resolver:AttributeEncoder xsi:type="SAML2XMLObject"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->

<!-- Computed targeted ID connector -->
<resolver:DataConnector xsi:type="ComputedId"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    id="computedID" generatedAttributeID="computedID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
</resolver:DataConnector>
Example of conf/attribute-filter.xml
<!-- Release to sp.example.jp -->
<afp:AttributeFilterPolicy id="PolicyforSP1ExampleJP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.jp/shibboleth-sp" />
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
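The following is an added example (not from the original page or the Shibboleth project) that reproduces what the computedID connector and the SAML2XMLObject encoder above produce: it derives the eduPersonTargetedID value the way ComputedId does (SHA-1 over the relying party ID, the source attribute value and the salt, base64-encoded), places it in the AttributeStatement as a persistent NameID, and locates it with the XPath from the introduction. The salt, the IdP entityID and the user IDs are constructed; the SP entityID is the one from the filter policy.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed values: the salt and IdP entityID are not from the page;
# the SP entityID is the one released to in attribute-filter.xml above.
IDP_ENTITY_ID = "https://idp.example.jp/idp/shibboleth"
SALT = b"constructed-salt-use-16-or-more-random-bytes"
SP_ENTITY_ID = "https://sp.example.jp/shibboleth-sp"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
S2 = "{%s}" % NS["saml2"]

def computed_id(sp_entity_id, source_value, salt=SALT):
    """ComputedId derivation: base64(SHA-1(relyingPartyId "!" sourceValue "!" salt)).
    The SP entityID is part of the input, so one user gets unrelated values at different SPs."""
    h = hashlib.sha1()
    for part in (sp_entity_id.encode(), b"!", source_value.encode(), b"!", salt):
        h.update(part)
    return base64.b64encode(h.digest()).decode("ascii")

def build_assertion(sp_entity_id, source_value):
    """What the SAML2XMLObject encoder emits: the attribute value is a persistent
    NameID element qualified by both entityIDs, not a plain string."""
    ET.register_namespace("saml2", NS["saml2"])
    assertion = ET.Element(S2 + "Assertion")
    stmt = ET.SubElement(assertion, S2 + "AttributeStatement")
    attr = ET.SubElement(stmt, S2 + "Attribute", Name=EPTID_OID,
                         FriendlyName="eduPersonTargetedID")
    value = ET.SubElement(attr, S2 + "AttributeValue")
    name_id = ET.SubElement(value, S2 + "NameID", Format=PERSISTENT,
                            NameQualifier=IDP_ENTITY_ID, SPNameQualifier=sp_entity_id)
    name_id.text = computed_id(sp_entity_id, source_value)
    return ET.tostring(assertion, encoding="unicode")

def extract_eptid(assertion_xml):
    """Apply the XPath from the text (ElementTree needs the leading '.') and
    return (NameID value, SPNameQualifier); reject anything that is not a persistent NameID."""
    root = ET.fromstring(assertion_xml)
    path = './/saml2:AttributeStatement/saml2:Attribute[@FriendlyName="eduPersonTargetedID"]'
    attrs = root.findall(path, NS)
    if len(attrs) != 1:
        raise ValueError("expected exactly one eduPersonTargetedID attribute")
    name_id = attrs[0].find("saml2:AttributeValue/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("eduPersonTargetedID value must be a persistent NameID")
    return name_id.text, name_id.get("SPNameQualifier")
```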
The configuration using storedId is shown below. It assumes that the persistent-id configuration has already been carried out, and it refers to the bean MyDataSource defined in conf/global.xml and to the properties in conf/saml-nameid.properties.
<!-- ========================================== -->
<!-- Attribute Definitions -->
<!-- ========================================== -->

<!-- Schema: eduPerson attributes -->

<!-- Attribute Definition for eduPersonTargetedID -->
<resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    sourceAttributeID="storedID">
    <resolver:Dependency ref="storedID" />
    <resolver:AttributeEncoder xsi:type="SAML1XMLObject"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <resolver:AttributeEncoder xsi:type="SAML2XMLObject"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->

<!-- Stored targeted ID connector -->
<resolver:DataConnector xsi:type="StoredId"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    id="storedID" generatedAttributeID="storedID"
    sourceAttributeID="%{idp.persistentId.sourceAttribute}"
    salt="%{idp.persistentId.salt}">
    <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}" />
    <BeanManagedConnection>MyDataSource</BeanManagedConnection>
</resolver:DataConnector>
conf/c14n/subject-c14n.xml
Uncomment <ref bean="c14n/SAML2Persistent" /> in conf/c14n/subject-c14n.xml.
<!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
<ref bean="c14n/SAML2Persistent" />
<!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. --> - <!-- <ref bean="c14n/SAML2Persistent" /> --> + <ref bean="c14n/SAML2Persistent" />
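Review bot: the comment kept above the uncommented line, "provided a stored strategy is in use", is the precondition for this change: the c14n/SAML2Persistent flow maps an incoming persistent NameID back to the local principal through the stored-ID database, so it belongs with the storedID (StoredId connector, MyDataSource) configuration above. With the computedID connector there is no table to look the value up in, and this flow cannot resolve the subject, so it should stay commented out in that case.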
The following applies the setting to all SPs. To apply it only to a specific SP, create a bean for that SP under RelyingPartyOverrides and make the following profile setting there.
conf/relying-party.xml
Add p:includeAttributeStatement="true" to bean[@parent="Shibboleth.SSO"].
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" p:includeAttributeStatement="true" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty"> <property name="profileConfigurations"> <list> - <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> + <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" p:includeAttributeStatement="true" /> <ref bean="SAML1.AttributeQuery" /> <ref bean="SAML1.ArtifactResolution" /> <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> <ref bean="SAML2.ECP" /> <ref bean="SAML2.Logout" /> <ref bean="SAML2.AttributeQuery" /> <ref bean="SAML2.ArtifactResolution" /> <ref bean="Liberty.SSOS" /> </list> </property> </bean>
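Review bot: the added p:includeAttributeStatement="true" is on the Shibboleth.SSO (SAML 1) profile bean only; the SAML2.SSO bean in the same list is unchanged context, so SAML 2 SPs are unaffected. With the statement included, the SAML 1 SSO response carries the released attributes through the user's browser instead of the SP fetching them over the back-channel SAML1.AttributeQuery, and since this hunk edits shibboleth.DefaultRelyingParty it does so for every SP; the text above already notes that a RelyingPartyOverrides bean should be used when the change is meant for a single SP, and the attribute-filter policy for the affected SPs should be reviewed before enabling it globally.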
conf/relying-party.xml
Add the configuration for the SP in question as a child element of shibboleth.RelyingPartyOverrides, as shown below.
・Replace the SP's entityID with the appropriate value.
・To keep the change minimal, make the settings basically the same as those of shibboleth.DefaultRelyingParty in the same file, and add p:encryptAssertions="false" to SAML2.SSO. Copy and paste the other beans from DefaultRelyingParty if they are needed.
・If RelyingPartyOverrides already has other child elements and the SP in question is already listed in another override, the overrides are not merged, so consolidate them into a single override with the equivalent settings.
<!-- Container for any overrides you want to add. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    ...
    <bean p:id="example.NoEncryptAssertions" parent="RelyingPartyByName">
        <constructor-arg name="relyingPartyIds">
            <list>
                <value>https://sp.example.ac.jp/shibboleth-sp</value>
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" p:encryptAssertions="false" />
                <ref bean="SAML2.Logout" />
            </list>
        </property>
    </bean>
</util:list>
<!-- Container for any overrides you want to add. --> <util:list id="shibboleth.RelyingPartyOverrides"> ... + <bean p:id="example.NoEncryptAssertions" parent="RelyingPartyByName"> + <constructor-arg name="relyingPartyIds"> + <list> + <value>https://sp.example.ac.jp/shibboleth-sp</value> + </list> + </constructor-arg> + <property name="profileConfigurations"> + <list> + <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" p:encryptAssertions="false" /> + <ref bean="SAML2.Logout" /> + </list> + </property> + </bean> + </util:list>
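Review bot: the closing </util:list> is marked as an added line while the opening <util:list id="shibboleth.RelyingPartyOverrides"> is unchanged context, so applying the hunk as shown would leave two closing tags; only the lines from <bean p:id="example.NoEncryptAssertions" ...> to </bean> should be '+' lines. On the substance, p:encryptAssertions="false" makes the SAML2.SSO response carry the assertion, including eduPersonTargetedID and any other released attributes, unencrypted through the user's browser, so this override should stay scoped to the single entityID in relyingPartyIds (as it is here) and not be copied into shibboleth.DefaultRelyingParty.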