Exercises after installation #1 (Control of Attribute release on IdP)
1.Change the configuration of attribute-filter.xml to be unable to send any attribute to the SP.
Change /opt/shibboleth-idp/conf/attribute-filter.xml
<!-- Release the transient ID to anyone -->
<!--
<afp:AttributeFilterPolicy id="PolicyforAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY" />
<afp:AttributeRule attributeID="transientId">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
-->
</AttributeFilterPolicyGroup>
2.Change the configuration of attribute-filter.xml to be able to send only eduPersonTargetedID and eduPersonPrincipalName to the SP.
Change /opt/shibboleth-idp/conf/attribute-filter.xml
<afp:AttributeFilterPolicy id="PolicyforAnyone">
<afp:PolicyRequirementRule xsi:type="basic:ANY" />
<!--
<afp:AttributeRule attributeID="transientId">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
-->
<afp:AttributeRule attributeID="eduPersonPrincipalName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="eduPersonTargetedID">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
3.Change the configuration of attribute-resolver.xml to send the eduPersonEntitlement of janedoe to be admin.
Reference: URL: https://wiki.shibboleth.net/confluence/x/GoBC
Change /opt/shibboleth-idp/conf/attribute-resolver.xml
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="eduPersonEntitlement"> <resolver:Dependency ref="mappedEntitlement" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:eduPersonEntitlement" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="mappedEntitlement" xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <ValueMap> <ReturnValue>admin</ReturnValue> <SourceValue>janedoe</SourceValue> </ValueMap> </resolver:AttributeDefinition>
4.Change the configuration of attribute-filter.xml to send be able to send the specific value of eduPersonEntitlement such as common-lib-terms to a certain SP.
Reference: https://wiki.shibboleth.net/confluence/x/84BC
Change /opt/shibboleth-idp/conf/attribute-filter.xml
<!-- Release attributes to sp.example.asia SP --> <afp:AttributeFilterPolicy id="PolicyforSpExampleAsia"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value=https://sp.example.asia/shibboleth /> <afp:AttributeRule attributeID="eduPersonEntitlement"> <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>
In order to check this configuration, change /opt/shibboleth-idp/conf/attribute-resolver.xml to send common-lib-terms.
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="eduPersonEntitlement"> <resolver:Dependency ref="mappedEntitlement" />
<resolver:Dependency ref="staticAttributes" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:mace:dir:attribute-def:eduPersonEntitlement" /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition id="mappedEntitlement" xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <ValueMap> <ReturnValue>admin</ReturnValue> <SourceValue>janedoe</SourceValue> </ValueMap> </resolver:AttributeDefinition>
<!-- Example Static Connector -->
<!-- -->
<resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
<dc:Attribute id="eduPersonEntitlement">
<dc:Value>urn:mace:dir:entitlement:common-lib-terms</dc:Value>
</dc:Attribute>
</resolver:DataConnector>
<!-- -->
Exercises after installation #2 (Control of Attributes received by SP)
1.Change the configuration of attribute-policy.xml to filter our any attribute received from the IdP.
Change /etc/shibboleth/attribute-policy.xml
<afp:AttributeFilterPolicy> <!-- This policy is in effect in all cases. --> <afp:PolicyRequirementRule xsi:type="ANY"/> <!-- Catch-all that passes everything else through unmolested. --> <afp:AttributeRule attributeID="*"><!-- <afp:PermitValueRule xsi:type="ANY"/>--> </afp:AttributeRule> </afp:AttributeFilterPolicy>
2.Change of the configuration of IdP to be able to send multiple values of eduPersonEntitlement, then receive only one of them by the SP configuration (attribute-policy.xml).
Change /etc/shibboleth/attribute-policy.xml in order to receive only common-lib-terms.
<afp:AttributeRule attributeID="entitlement"> <afp:PermitValueRule id="eduPersonEntitlementValues" xsi:type="AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms"/> </afp:AttributeRule>
3.Change the configuration of SP to allow the access in the case that eduPersonAffiliation equal to staff.
Change /etc/httpd/conf.d/shib.conf
(snip)<Location /secure> AuthType shibboleth ShibCompatWith24 On ShibRequestSetting requireSession 1 require shib-session require shib-attr unscoped-affiliation staff</Location>