Installation and configuration of uApprove for Shibboleth Identity Provider

Introduction
Prerequisites
Installation
Configuration
Run
Troubleshooting
References
Bugs & Features
Update
Attribute In Attribute Requester's Metadata Plugin

1. Introduction

uApprove is an application which allows an end user to view the attribute set which will be sent to the visiting resource.

This guide describes the installation & configuration of a the uApprove for Shibboleth Identity Provider (IdP).
It covers the installation the IdP plugin as well as uApprove viewer application and their configuration with a flat file based or SQL based (Database) storage.

The example values used in this guide are:

idp.example.org: The DNS name of the Identity Provider
/opt/uApprove: The directory, where the uApprove is installed
/opt/uApprove/conf: The directory, where the uApprove config is located
/opt/shibboleth-identityprovider: The Shibboleth IdP installation directory (where install.sh lives)
/opt/tomcat: The directory, where Tomcat is installed.

2. Prerequisites

Before start install and configure uApprove, assure that the following prerequisites are met:

Shibboleth Identity Provider 2.2.: Shibboleth Identity Provider has to be deployed properly.
That implied that Java and Tomcat are working.
SQL Database: If a SQL Database as storage is used. A SQL Server has to be prepared.
Shipped uApprove is already configured for MySQL, but another SQL Server can be adapted. Brook Schofield documented how to use uApprove with an Oracle database.

3. Installation

Download and unzip the uApprove package:

wget http://www.switch.ch/aai/downloads/uApprove-2.2.1-bin.zip
unzip uApprove-2.2.1-bin.zip -d /opt/
ln -s /opt/uApprove-2.2.1 /opt/uApprove

Warning If you are updating uApprove, please take a look at the update section.

3.1 IdP-Plugin

Copy libraries and configuration:

cd /opt/uApprove
mkdir conf logs war
unzip idp-plugin-2.2.1-bin.zip
cp idp-plugin-2.2.1/conf-template/* conf/
cp idp-plugin-2.2.1/lib/* /opt/shibboleth-identityprovider/lib/

3.2 Viewer

Copy libraries and configuration:

cd /opt/uApprove
unzip viewer-2.2.1-bin.zip
cp viewer-2.2.1/conf-template/* conf/

4. Configuration

uApprove consist of two pieces of software, the IdP plugin which runs within the IdP context and the uApprove viewer application which is separated.
Both of them use a common data storage and the according libraries to operate with it.

4.1 uApprove common: Storage etc.

First you have to decide which storage implementation should be used:

File based: This is only recommended for small installation (< 100 users)
SQL Database: MySQL database is fully suppored, but any SQL Database which has an JDBC connector should work. May be advanced configuration is needed.

File based

A file based storage hast to be setup in /opt/uApprove/conf/common.properties:

#storageType=database
#databaseConfig=/opt/uApprove/conf/database.properties

storageType=file
flatFile = /opt/uApprove/data/uApprove-log.xml

NoteAssure that uApprove-log.xml is read- and writeable by Tomcat.

Database

First, a databases and a user have to be created:

mysql -u root -p
mysql>
CREATE DATABASE uApprove;
CREATE USER 'uApprove'@'localhost' IDENTIFIED BY 'uApprove';
GRANT USAGE ON *.* TO 'uApprove'@'localhost';
GRANT SELECT , INSERT , UPDATE , DELETE ON `uApprove`.* TO 'uApprove'@'localhost';
ALTER DATABASE uApprove DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;

Second, generate the table structures:

mysql -u root -p
mysql>
use uApprove;

create table ArpUser (
  idxArpUser int unsigned auto_increment primary key,
  auUserName varchar(255) not null,
  auLastTermsVersion varchar(255),
  auFirstAccess timestamp,
  auLastAccess timestamp
);
create index idxUserName on ArpUser (auUserName );

create table ShibProvider (
  idxShibProvider int unsigned auto_increment primary key,
  spProviderName varchar(255)
);

insert into ShibProvider (idxShibProvider) values (1);
create index idxProvidername on ShibProvider (spProviderName);

create table AttrReleaseApproval (
  idxAttrReleaseApproval int unsigned auto_increment primary key,
  araIdxArpUser int unsigned references ArpUser ( idxArpUser ),
  araIdxShibProvider int unsigned references ShibProvider( idxShibProvider ),
  araTimeStamp timestamp not null,
  araTermsVersion varchar(255),
  araAttributes text(2048)
);

create table ProviderAccess (
  idxProviderAccess int unsigned auto_increment primary key,
  paIdxArpUser int unsigned references ArpUser( idxArpUser ),
  paIdxShibProvider int unsigned references ShibProvider( idxShibProvider ),
  paAttributesSent text,
  paTermsVersion varchar(255),
  paIdxAttrReleaseApproval int unsigned references AttrReleaseApproval ( idxAttrReleaseApproval ),
  paShibHandle varchar(255),
  paTimeStamp timestamp not null
);

A Database setup is configured in /opt/uApprove/conf/common.properties:

storageType=database
databaseConfig=/opt/uApprove/conf/database.properties

#storageType=file
#flatFile=/opt/uApprove/data/uApprove-log.xml

Note uApprove supports JDBC connection pooling provided by the BoneCP library.
It is possible to configure container managed connections as well as application managed connection pooling.

All database specific configuration is done in /opt/uApprove/conf/database.properties:

sqlCommands=/opt/uApprove/conf/mysql.commands

# first option to use jndi and container managed connections
# resourceName=jdbc/mypool

# second option to use application managed connection pooling
# this is provided by the bonecp library http://jolbox.com/
# these are the required parameters
driver=com.mysql.jdbc.Driver
url=jdbc:mysql://localhost:3306/uApprove
user=uApprove
password=uApprove

# optional parameters for bonecp
#
# connectionTestStatement=SELECT 1
# minConnectionsPerPartition=1
# maxConnectionsPerPartition=5
# partitionCount=2

NoteIf another SQL server than MySQL is used, the values above has to be adjusted.
Don't forget to put according JDBC driver into the library folder.
If it is necessary, the SQL commands can be re-defined in /opt/uApprove/conf/custom-sql.commands

Other common configuration

The TermsOfUseManager, which shows a Terms of use text to the user is optional. If the TermsOfUseManager should be active, define the terms in /opt/uApprove/conf/common.properties:

termsOfUse=/opt/uApprove/conf/terms-of-use.xml

Note The shipped terms-of-use.xml is an empty one, which can be filled by custom terms of use version and text.
If you want see a real world example, take a look at the SWITCHaai VHO terms of use (doc/terms-of-use-SWITCH.xml).

Cause the IdP plugin and the viewer application exchange some confidential information, this is encrypted and decrypted by a shared secret (128 bit, 16 characters) in /opt/uApprove/conf/common.properties:

sharedSecret=QErDXYZEAoS6jooPvdBhQg==

For easy creating a random value, containing 16 chars, you can use the following command:

openssl rand -base64 16 2>/dev/null

4.2 IdP plugin configuration

Shibboleth IdP adjustments

The IdP plugin has to be enabled within Shibboleth IdP web application /opt/shibboleth-identityprovider/src/main/webapp/WEB-INF/web.xml:

<web-app>
  ...

  <filter>
    <filter-name>uApprove IdP plugin</filter-name>
    <filter-class>ch.SWITCH.aai.uApprove.idpplugin.Plugin</filter-class>
    <init-param>
      <param-name>Config</param-name>
      <param-value>
        /opt/uApprove/conf/idp-plugin.properties;
        /opt/uApprove/conf/common.properties;
      </param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>uApprove IdP plugin</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>

Redeployment of Shibboleth IdP

cd /opt/shibboleth-identityprovider/
sh install.sh

The SP blacklist defines Resources which are excluded from the user consent.
The SP blacklist is optional and can be configured by /opt/uApprove/conf/idp-plugin.properties:

spBlacklist=/opt/uApprove/conf/sp-blacklist

In sp-blacklist, each line defines a regular expression pattern for black listed resource identifier:

# Example 1: specific resource
https://sp\.example\.org/shibboleth

# Example 2: all applications within a Service Provider
https://sp\.example\.org/.*

# Example 3: all Service Provider within a specific domain
https://.*\.example\.org/.*

If the database storage is used, it is possible to log each provider access, which means every attribute release is stored in the database.
It is also possible, that the IdP plugin runs in monitoring only mode, which logs every provider access, but do not interact with the user (for user consent)
If the viewer web application is used, the IdP plugin has to know, where it is deployed.
it is possible to tell the IdP plugin, that it should take care about isPassive requests.
The configuration is done in /opt/uApprove/conf/idp-plugin.properties:

logProviderAccess=false
monitoringOnly=false
uApproveViewer=https://idp.example.org/uApprove/Controller
isPassiveSupport=false

Attributes ordering and blacklisting

uApprove shows all attributes which will be released for the current user to the target resource.

It is possible to define a order of the attribute listing and if necessary, attributes can also be hidden. The configuration of the attribute list is optional done by /opt/uApprove/conf/idp-plugin.properties:

attributeList=/opt/uApprove/conf/attribute-list

An attribute-list can be look like:

# Defined attribute order
surname
givenName
postalAddress
...

# attributes to hide
!persistentId
!transientId

Note The attribute name in attribute-list has to comply with the attribute id in /opt/shibboleth-idp/conf/attribute-resolver.xml

4.3 Viewer configuration

Define a tomcat deployment descriptor for the uApprove webapp in /opt/tomcat/conf/Catalina/localhost/uApprove.xml:

<Context docBase="/opt/uApprove/war/uApprove.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false" />

Adjust the viewer application according you configuration directory in /opt/uApprove/viewer-2.2.1/webapp/WEB-INF/web.xml:

<web-app>
  ...
  <context-param>
    <param-name>Config</param-name>
    <param-value>
        /opt/uApprove/conf/viewer.properties;
        /opt/uApprove/conf/common.properties;
    </param-value>
  </context-param>
  ...
<web-app>

Deployment of the uApprove webapp

cd /opt/uApprove/viewer-2.2.1/
ant deploy -Duapprove.deployment=/opt/uApprove/war

Localization

The viewer web application ist multi lingual for the static text and dynamic text, like attribute names and descrptions.
For the static text, the following languages are supported: en, de, fr, it, pt.
For the attribute names and descriptions, the localized content is taken from /opt/shibboleth-idp/conf/attribute-resolver.xml (Shibboleth IdP resolver). It's possible to adjust or extent it:

...

<resolver:AttributeDefinition id="postalAddress" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="postalAddress">
  <resolver:Dependency ref="myLDAP" />
  <resolver:DisplayName xml:lang="en">Business postal address</resolver:DisplayName>
  <resolver:DisplayName xml:lang="de">Geschäftsadresse</resolver:DisplayName>
  <resolver:DisplayName xml:lang="fr">Adresse Professionnelle</resolver:DisplayName>
  <resolver:DisplayName xml:lang="it">Indirizzo professionale</resolver:DisplayName>
  <resolver:DisplayDescription xml:lang="en">Business postal address: Campus or office address</resolver:DisplayDescription>
  <resolver:DisplayDescription xml:lang="de">Adresse am Arbeitsplatz</resolver:DisplayDescription>
  <resolver:DisplayDescription xml:lang="fr">Adresse de l'institut, de l'universite</resolver:DisplayDescription>
  <resolver:DisplayDescription xml:lang="it">Indirizzo professionale: Indirizzo dell'istituto o dell'ufficio</resolver:DisplayDescription>
  <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                             name="urn:mace:dir:attribute-def:postalAddress" />
  <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                             name="urn:oid:2.5.4.16" friendlyName="postalAddress" />
</resolver:AttributeDefinition>
...

Note For the SWITCHaai attributes, there is a prepared doc/attribute-descriptions.xml for the languages: en, de, fr, it.

The viewer uses the language from the users browsers request, if that language is not available, the default locale en will be taken.
It is possible to enforce a specific language. This can be defined optional in /opt/uApprove/conf/viewer.properties:

useLocale=US_en

Global consent

It is possible that a user can give global attribute release consent, which mean, that she/he is never be asked again by uApprove. If it is required, that a user has to give consent to each different resource access, global consent has to be disabled in /opt/uApprove/conf/viewer.properties:

globalConsentPossible=true

Logging

The viewer web application uses LogBack (see references) like the Shibboleth IdP.
The logback configuration file is defined in /opt/uApprove/conf/viewer.properties:

loggingConfig=/opt/uApprove/conf/logging.xml

Adjust logging.xml for the log location, assure that the file is writeable by Tomcat:

<configuration>
  ...
  <appender class="ch.qos.logback.core.FileAppender" name="RootFileAppender">
    <file>/opt/uApprove/logs/uApprove.log</file>
    ...
  </appender>
  ...
</configuration>

Apache in front of Tomcat

If you are using Apache HTTPd in front of your Tomcat setup, proxy the viewer web application in /etc/apache2/sites-enabled/idp.example.org:

<VirtualHost idp.example.org:443>
  ...
  <Location /uApprove>
    Allow from all
    ProxyPass ajp://localhost:8009/uApprove
  </Location>
  ...
</VirtualHost>

Restart Apache HTTPd:

/etc/init.d/apache2 restart

4.4 Reset-approvals configuration

The optional reset-approvals can be operated in two ways:

In-flow mode: The In-flow operation means, that a user can reset his setting during the login process. As exampple this is done by a checkbox on the login form.
Standalone mode: The standalone operation can is as JSP which can be called directly.

Warning The reset-approvals application can only used with a database setup.

In-flow mode

For enabling the In-Flow reset-approvals application, the Shibboleth UsernamePassword login form /opt/tomcat/webapps/idp/login.jsp can be adapted by adding a checkbox:

Warning Followed, the In-Flow reset-settings application configuration is for the shipped JAAS UsernamePassword login handler. If you are using another login handler (i.e. RemoteUser) you have to assure, that the GET parameter is transmitted to the IdP plugin.

...
<form ...>
  <table>
  ...
    <tr>
      <td colspan="2">
        <input type="checkbox" name="resetuserconsent" value="true" />
        Reset my attribute release approvals
      </td>
    </tr>
  </table>
</form>
...

Standalone mode

For the standalone mode, the JSP has to be protected either by container managed authentication or Shibboleth Service Provider, that the REMOTE_USER is provided.

The standalone JSP can be called like https://idp.example.org/uApprove/reset-approvals.jsp?standalone_next_url=http://go.here.org/after/reset. The parameter standalone_next_url has to be set.

5. Run

Restart Tomcat:

/opt/tomcat/bin/shutdown.sh && sleep 10 && /opt/tomcat/bin/startup.sh

Note If the Tomcat manager (http://idp.example.org:8080/manager/html/) is installed, web applications can easily be restarted separate.

Note Check the logs, if the startup of the IdP and uApprove web application was succesful.
If it was succesful, try to access any Service Provider using your Identity Provider.

6. Troubleshooting

6.1 Logging

Cause the IdP plugin runs within the Shibboleth IdP web application, it uses the IdP logger. The IdP logger is configured by /etc/shibboleth-idp/logging.xml:

...
<logger name="ch.SWITCH.aai">
  <level value="DEBUG" />
</logger>
...

The logging of uApprove viewer application is configured as described. Adjust the log level to DEBUG.

Tomcat, Jasper JSP compiling for 1.5 target

uApprove is shipped for a JDK 1.5 target. However your Tomcat setup runs with an JDK ≥ 1.5, it could be that the Jasper engine compiles the JSP's on the fly for another target (e.g. 1.3). The following configuration in TOMCAT_HOME\conf\web.xml specifies for which target the JSP's has to be compiled:

<servlet>
  ...
  <init-param>
    <param-name>compilerSourceVM</param-name>
    <param-value>1.5</param-value>
  </init-param>
  <init-param>
    <param-name>compilerTargetVM</param-name>
    <param-value>1.5</param-value>
  </init-param>
  ...
</servlet>

7. References

8. Further information

uApprove.jp: uApprove including selection of optional attributes to be released (Japanese federation GakuNin)

9. Bugs & features

Please use our issue tracking system for bugs, improvements and questions.

In case of general contact, please write us at aai@switch.ch.

10. Update

This section explains, how to update uApprove 2.x to 2.2.1. The prerequisite is that uApprove is already deployed sucessfully.

Warning If you are updating from IdP 2.0, make sure that the PreviousSession LoginHandler in handler.xml is restored to the original value.
Remove the attribute servletPath.

Warning If you are updating from an existing ArpViewer 2.x to uApprove, please consult the new configuration files, cause they changed.

Warning If you are updating uApprove, be aware of overwrite the configuration files.

Warning If you are updating uApprove from 2.x to 2.2.1 please be aware of the url-pattern change of the IdP plugin filter! See 4.2.

Warning If you are updating uApprove from 2.x to 2.2.1 please be aware , that the attribute-list configuration moved from viewer.properties to idp-plugin.properties! See 4.2.

Warning If you are updating uApprove from 2.x to 2.2.1 please be aware, that the code of attributes.jsp has changed, in case you have customized this page.

Download the latest release

Unzip uApprove:

unzip uApprove-2.2.1-bin.zip -d /opt/
rm /opt/uApprove
ln -s /opt/uApprove-2.2.1 /opt/uApprove
cd /opt/uApprove
mkdir conf logs war
unzip viewer-2.2.1-bin.zip
unzip idp-plugin-2.2.1-bin.zip

Copy the plugin libaries into the IdP install directory and remove the old ones (common-*.jar and idp-plugin-*.jar) as well as the dependencies (bonecp-*.jar, guava-*.jar, vt-crypt-*.jar, mysql-connector-*.jar and json-simple-*.jar) if they have changed:
```
cp /opt/uApprove/idp-plugin-2.2.1/lib/* /opt/shibboleth-identityprovider/lib/
```

Reuse the old web.xml:

cp /opt/uApprove-2.x/viewer-2.x/webapp/WEB-INF/web.xml /opt/uApprove/viewer-2.2.1/webapp/WEB-INF/

Copy your working configuration:

cp /opt/uApprove-2.x/conf/* /opt/uApprove/conf/

If you have customized JSPs, stylesheets or logo copy them over as well.

Redeploy the IdP:

cd /opt/shibboleth-identityprovider/
sh install.sh

Redeploy the uApprove webapp:

/opt/tomcat/bin/shutdown.sh
cd /opt/uApprove/viewer-2.2.1/
ant deploy -Duapprove.deployment=/opt/uApprove/war
/opt/tomcat/bin/startup.sh

Attribute In Attribute Requester's Metadata Plugin

Installation

The plugin is installed by default with uApprove (idp-plugin-2.2.1.jar).

Configuration Attribute In Requester's Metadata Matching Rule

This rule allows the release of an attribute if, via its metadata, the SP indicates a need/desire for the attribute. The attributes are indicated by means of <AttributeConsumingService> elements within the <SPSSODescriptor> element. See SAML metadata for more information.

While this rule does have some minor support for dealing with attribute values within the metadata it is limited and should be considered experimental.

Note Please be aware of the following:

This filter requires the attribute requester's metadata be loaded and available.
The requester's metadata must have an <SPSSODescriptor role since that is the role that contains the listed attributes.
This matching function only operates as a value rule and only really makes sense as a permit value rule.

Define the Namespace

In you attribute filter policy file you'll need to add the namespace declaration for this plugin. To do this:

Add the attribute xmlns:ua="http://www.switch.ch/aai/idp/uApprove/mf" before the xmlns:xsi attribute on the root <AttributeFilterPolicyGroup> element.
Add the following at the end of the whitespace delimited list of values for the xsi:schemaLocation attribute: http://www.switch.ch/aai/idp/uApprove/mf classpath:/schema/uApprove-mf.xsd

Define the Rule

This rule is defined by the element <PermitValueRule xsi:type="ua:AttributeInMetadata"> with the following optional attribute:

onlyIfRequired: Boolean flag indicated that only those attributes which are marked as required should be released, those marked as optional will not be. Default value: true

Example Permit Value Rule using the AttributeInMetadata Match Function:

<PermitValueRule xsi:type="ua:AttributeInMetadata" onlyIfRequired="false">