Exercises after installation #1 (Control of Attribute release on IdP)
1. Change the configuration of attribute-filter.xml so that no attribute at all is sent to the SP.
Change /opt/shibboleth-idp/conf/attribute-filter.xml (comment out the catch-all policy; an AttributeFilterPolicy that is not present permits nothing):
    <!-- Release the transient ID to anyone -->
    <!--
    <afp:AttributeFilterPolicy id="PolicyforAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
    -->
</AttributeFilterPolicyGroup>
2. Change the configuration of attribute-filter.xml so that only eduPersonTargetedID and eduPersonPrincipalName are sent to the SP.
Change /opt/shibboleth-idp/conf/attribute-filter.xml (keep the policy, but replace the transientId rule with rules for the two attributes):
    <afp:AttributeFilterPolicy id="PolicyforAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <!--
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        -->
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
3. Change the configuration of attribute-resolver.xml so that the eduPersonEntitlement of janedoe is sent with the value admin.
Reference: https://wiki.shibboleth.net/confluence/x/GoBC
Change /opt/shibboleth-idp/conf/attribute-resolver.xml (the Simple definition takes its values from a Mapped definition that translates the LDAP uid into an entitlement; users whose uid has no mapping get no value):
    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  sourceAttributeID="eduPersonEntitlement">
        <resolver:Dependency ref="mappedEntitlement" />
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="mappedEntitlement" xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <ValueMap>
            <ReturnValue>admin</ReturnValue>
            <SourceValue>janedoe</SourceValue>
        </ValueMap>
    </resolver:AttributeDefinition>
4. Change the configuration of attribute-filter.xml so that only a specific value of eduPersonEntitlement, such as common-lib-terms, is sent to a particular SP.
Reference: https://wiki.shibboleth.net/confluence/x/84BC
Change /opt/shibboleth-idp/conf/attribute-filter.xml (the requester string must be quoted, and the PermitValueRule releases only the one matching value; any other eduPersonEntitlement value, such as admin, is withheld from this SP):
    <!-- Release attributes to sp.example.asia SP -->
    <afp:AttributeFilterPolicy id="PolicyforSpExampleAsia">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.asia/shibboleth" />
        <afp:AttributeRule attributeID="eduPersonEntitlement">
            <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
To check this configuration, change /opt/shibboleth-idp/conf/attribute-resolver.xml so that common-lib-terms is also resolved, by adding a Static data connector as a second dependency of eduPersonEntitlement:
    <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  sourceAttributeID="eduPersonEntitlement">
        <resolver:Dependency ref="mappedEntitlement" />
        <resolver:Dependency ref="staticAttributes" />
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="mappedEntitlement" xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <ValueMap>
            <ReturnValue>admin</ReturnValue>
            <SourceValue>janedoe</SourceValue>
        </ValueMap>
    </resolver:AttributeDefinition>

    <!-- Example Static Connector -->
    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
        <dc:Attribute id="eduPersonEntitlement">
            <dc:Value>urn:mace:dir:entitlement:common-lib-terms</dc:Value>
        </dc:Attribute>
    </resolver:DataConnector>
Exercises after installation #2 (Control of Attributes received by SP)
1. Change the configuration of attribute-policy.xml so that every attribute received from the IdP is filtered out.
Change /etc/shibboleth/attribute-policy.xml (an AttributeRule without any PermitValueRule accepts no value):
    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>
        <!-- Catch-all that passes everything else through unmolested. -->
        <afp:AttributeRule attributeID="*">
            <!--
            <afp:PermitValueRule xsi:type="ANY"/>
            -->
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
2. Change the configuration of the IdP so that it sends multiple values of eduPersonEntitlement, then accept only one of them on the SP side (attribute-policy.xml).
Change /etc/shibboleth/attribute-policy.xml so that only common-lib-terms is accepted (the SP names this attribute "entitlement", as mapped in attribute-map.xml):
    <afp:AttributeRule attributeID="entitlement">
        <afp:PermitValueRule id="eduPersonEntitlementValues" xsi:type="AttributeValueString"
                             value="urn:mace:dir:entitlement:common-lib-terms"/>
    </afp:AttributeRule>
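The release logic used by exercise #1 (steps 2 and 4) and exercise #2 (steps 1 and 2) is the same on both sides: a policy applies when its PolicyRequirementRule matches the requester, each AttributeRule then lets through only the values that some PermitValueRule accepts, and the results of all applicable policies are unioned. The following is an added example, not part of the exercise material or the Shibboleth code base; it models just the three rule types used on this page, and the policy text, the requester URLs and janedoe's resolved values are constructed from the exercises.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
AFP = "{urn:mace:shibboleth:2.0:afp}"

def _match(rule, requester, value=None):
    # xsi:type is "basic:ANY" in the IdP file and "ANY" in the SP file; the prefix is irrelevant here.
    kind = rule.get(XSI_TYPE, "").split(":")[-1]
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        return rule.get("value") == requester
    if kind == "AttributeValueString":
        return rule.get("value") == value
    raise ValueError("rule type not modelled in this example: " + kind)

def release(policy_xml, requester, attributes):
    """Return {attributeID: [values]} released to requester. Policies are unioned:
    a value goes out if any policy whose requirement rule matches permits it."""
    released = {}
    for policy in ET.fromstring(policy_xml).iter(AFP + "AttributeFilterPolicy"):
        req = policy.find(AFP + "PolicyRequirementRule")
        if req is None or not _match(req, requester):
            continue  # policy does not apply to this requester
        for rule in policy.findall(AFP + "AttributeRule"):
            wanted = rule.get("attributeID")
            permits = rule.findall(AFP + "PermitValueRule")  # empty list => nothing released
            for aid in (list(attributes) if wanted == "*" else [wanted]):
                for v in attributes.get(aid, []):
                    if any(_match(p, requester, v) for p in permits) and v not in released.get(aid, []):
                        released.setdefault(aid, []).append(v)
    return released

# Constructed policy text (ids and URLs from exercise #1, steps 2 and 4) and a constructed
# resolver output for janedoe: "admin" from the Mapped definition, common-lib-terms from the Static connector.
POLICY = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <afp:AttributeFilterPolicy id="PolicyforAnyone">
  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
  <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
 </afp:AttributeFilterPolicy>
 <afp:AttributeFilterPolicy id="PolicyforSpExampleAsia">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.asia/shibboleth"/>
  <afp:AttributeRule attributeID="eduPersonEntitlement">
   <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms"/>
  </afp:AttributeRule>
 </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""
JANEDOE = {"eduPersonPrincipalName": ["janedoe@idp.example.asia"],
           "eduPersonEntitlement": ["admin", "urn:mace:dir:entitlement:common-lib-terms"]}
```

Running release(POLICY, "https://sp.example.asia/shibboleth", JANEDOE) shows that admin is withheld and only common-lib-terms leaves the IdP, while any other requester gets eduPersonPrincipalName alone; feeding the SP file from exercise #2 step 1 (a wildcard AttributeRule with no PermitValueRule) returns an empty result.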
3. Change the configuration of the SP so that access is allowed only when eduPersonAffiliation equals staff.
Change /etc/httpd/conf.d/shib.conf (with ShibCompatWith24 On, Apache 2.4 treats several bare Require lines as RequireAny, so "require shib-session" alone would already admit every authenticated user; wrapping both rules in RequireAll makes the affiliation check mandatory):
(snip)
<Location /secure>
    AuthType shibboleth
    ShibCompatWith24 On
    ShibRequestSetting requireSession 1
    <RequireAll>
        require shib-session
        require shib-attr unscoped-affiliation staff
    </RequireAll>
</Location>