Exercises after installation #1 (Control of Attribute release on IdP)

1. Change the configuration of attribute-filter.xml so that the IdP does not release any attribute to the SP.

Change /opt/shibboleth-idp/conf/attribute-filter.xml

Panel

    <!--  Release the transient ID to anyone -->
<!--
    <afp:AttributeFilterPolicy id="PolicyforAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />

        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>
-->

</afp:AttributeFilterPolicyGroup>

 

2. Change the configuration of attribute-filter.xml so that the IdP releases only eduPersonTargetedID and eduPersonPrincipalName to the SP.

Change /opt/shibboleth-idp/conf/attribute-filter.xml

Panel

    <afp:AttributeFilterPolicy id="PolicyforAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
<!--
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
-->
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

 

3. Change the configuration of attribute-resolver.xml so that the eduPersonEntitlement of the user janedoe is resolved to the value admin.
Reference: https://wiki.shibboleth.net/confluence/x/GoBC

Change /opt/shibboleth-idp/conf/attribute-resolver.xml

Panel

 <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="eduPersonEntitlement">
        <resolver:Dependency ref="mappedEntitlement" />
        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="mappedEntitlement" xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <ValueMap>
            <ReturnValue>admin</ReturnValue>
            <SourceValue>janedoe</SourceValue>
        </ValueMap>
    </resolver:AttributeDefinition>

 

4. Change the configuration of attribute-filter.xml so that only a specific value of eduPersonEntitlement, such as common-lib-terms, is released to a particular SP.
Reference: https://wiki.shibboleth.net/confluence/x/84BC

Change /opt/shibboleth-idp/conf/attribute-filter.xml

Panel

<!--  Release attributes to sp.example.asia SP -->
   
    <afp:AttributeFilterPolicy id="PolicyforSpExampleAsia">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.asia/shibboleth" />

        <afp:AttributeRule attributeID="eduPersonEntitlement">
            <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms" />
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

 

In order to check this configuration, change /opt/shibboleth-idp/conf/attribute-resolver.xml so that the IdP also resolves the value common-lib-terms for eduPersonEntitlement.

Panel

 <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="eduPersonEntitlement">
        <resolver:Dependency ref="mappedEntitlement" />
        <resolver:Dependency ref="staticAttributes" />

        <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="mappedEntitlement" xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <ValueMap>
            <ReturnValue>admin</ReturnValue>
            <SourceValue>janedoe</SourceValue>
        </ValueMap>
    </resolver:AttributeDefinition>

Panel

    <!-- Example Static Connector -->
    <!-- -->
    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
        <dc:Attribute id="eduPersonEntitlement">

            <dc:Value>urn:mace:dir:entitlement:common-lib-terms</dc:Value>
        </dc:Attribute>
    </resolver:DataConnector>
    <!-- -->

Exercises after installation #2 (Control of Attributes received by SP)

1. Change the configuration of attribute-policy.xml so that the SP filters out every attribute received from the IdP.

Change /etc/shibboleth/attribute-policy.xml

Panel

    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- Catch-all that passes everything else through unmolested. -->
        <afp:AttributeRule attributeID="*">
<!--
            <afp:PermitValueRule xsi:type="ANY"/>
-->
        </afp:AttributeRule>
       
    </afp:AttributeFilterPolicy>

 

2. Change the IdP configuration so that it sends multiple values of eduPersonEntitlement, then change the SP configuration (attribute-policy.xml) so that only one of them is accepted.

Change /etc/shibboleth/attribute-policy.xml in order to receive only common-lib-terms.

Panel

        <afp:AttributeRule attributeID="entitlement">
            <afp:PermitValueRule id="eduPersonEntitlementValues" xsi:type="AttributeValueString"
               value="urn:mace:dir:entitlement:common-lib-terms"/>
        </afp:AttributeRule>
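The IdP's attribute-filter.xml and the SP's attribute-policy.xml share one policy syntax, and the quickest way to confirm what a policy really releases before deploying it is to evaluate it offline against known attribute values. The following Python script is an added example, not Shibboleth project code and not part of this page: it parses a policy document and applies the rule types used in exercises #1.1, #1.2, #1.4, #2.1 and #2.2 (ANY, AttributeRequesterString, AttributeValueString, and the SP catch-all attributeID="*") to a constructed set of resolved attributes for janedoe. The two policy documents, the attribute values and the SP entityIDs other than https://sp.example.asia/shibboleth are constructed for the example; DenyValueRule and the other matcher types are not implemented. On the SP side the requester argument would be the IdP's entityID, which the ANY rule ignores.

```python
"""Offline check of what a Shibboleth attribute filter policy releases. Added example,
not Shibboleth project code; it implements only ANY, AttributeRequesterString and
AttributeValueString, and no DenyValueRule. The XML parser drops comments, so a
commented-out rule is simply absent, exactly as the IdP sees it."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def local_name(tag):
    """'{urn:mace:shibboleth:2.0:afp}AttributeRule' -> 'AttributeRule'."""
    return tag.rsplit("}", 1)[-1]


def rule_type(elem):
    """xsi:type without prefix, so 'basic:ANY' (IdP style) and 'ANY' (SP style) agree."""
    return elem.get(XSI_TYPE, "").rsplit(":", 1)[-1]


def requester_matches(rule, requester):
    """PolicyRequirementRule: does the policy apply to this requester entityID?"""
    kind = rule_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        return rule.get("value") == requester
    raise ValueError(f"unsupported PolicyRequirementRule type {kind!r}")


def value_permitted(rule, value):
    """PermitValueRule: may this one attribute value be released?"""
    kind = rule_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeValueString":
        return rule.get("value") == value
    raise ValueError(f"unsupported PermitValueRule type {kind!r}")


def filter_attributes(policy_xml, requester, attributes):
    """Return {attributeID: set(values)} released to `requester` from the resolved
    `attributes`. A value passes when an AttributeRule of an applicable policy permits
    it (union over policies); a rule with no PermitValueRule permits nothing. The SP
    catch-all attributeID="*" covers only attributes with no explicit rule in that policy."""
    released = {}
    for policy in ET.fromstring(policy_xml).iter():
        if local_name(policy.tag) != "AttributeFilterPolicy":
            continue
        by_name = {}
        for child in policy:
            by_name.setdefault(local_name(child.tag), []).append(child)
        if not any(requester_matches(r, requester) for r in by_name.get("PolicyRequirementRule", [])):
            continue
        rules = {r.get("attributeID"): [p for p in r if local_name(p.tag) == "PermitValueRule"]
                 for r in by_name.get("AttributeRule", [])}
        for attr_id, values in attributes.items():
            permits = rules.get(attr_id, rules.get("*"))
            for value in values:
                if permits and any(value_permitted(p, value) for p in permits):
                    released.setdefault(attr_id, set()).add(value)
    return released


# Constructed IdP attribute-filter.xml combining exercises #1.2 and #1.4, with the
# transientId rule left commented out as in exercise #1.1.
IDP_FILTER = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="PolicyforAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <!-- <afp:AttributeRule attributeID="transientId">
           <afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule> -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="PolicyforSpExampleAsia">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.asia/shibboleth" />
    <afp:AttributeRule attributeID="eduPersonEntitlement">
      <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# Constructed SP attribute-policy.xml for exercise #2.2; SP attribute ids follow the
# default attribute-map.xml names ("entitlement", "unscoped-affiliation").
SP_POLICY = """<afp:AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="ANY"/>
    <afp:AttributeRule attributeID="entitlement">
      <afp:PermitValueRule xsi:type="AttributeValueString" value="urn:mace:dir:entitlement:common-lib-terms"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="*"><afp:PermitValueRule xsi:type="ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# Constructed resolved attributes for janedoe: IdP-side ids, then SP-side ids after attribute-map.xml.
JANEDOE_IDP = {"transientId": {"_3f1c"}, "eduPersonPrincipalName": {"janedoe@example.asia"},
               "eduPersonTargetedID": {"a1b2c3"},
               "eduPersonEntitlement": {"admin", "urn:mace:dir:entitlement:common-lib-terms"}}
JANEDOE_SP = {"entitlement": {"admin", "urn:mace:dir:entitlement:common-lib-terms"},
              "unscoped-affiliation": {"staff"}}

if __name__ == "__main__":
    for sp in ("https://sp.example.asia/shibboleth", "https://sp.other.example/shibboleth"):
        print(sp, filter_attributes(IDP_FILTER, sp, JANEDOE_IDP))
    print("SP side", filter_attributes(SP_POLICY, "https://idp.example.asia/idp/shibboleth", JANEDOE_SP))
```

Run it after each exercise with the real file contents pasted into the policy strings: the sp.example.asia requester should receive eduPersonPrincipalName, eduPersonTargetedID and only the common-lib-terms entitlement, any other SP should receive the first two only, and the SP-side policy should drop the admin value while passing unscoped-affiliation through the catch-all. Because the parser discards comments, the same script shows that commenting out the catch-all's PermitValueRule (exercise #2.1) leaves that rule permitting nothing.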

 

3. Change the SP configuration so that access is allowed only when eduPersonAffiliation equals staff.

Change /etc/httpd/conf.d/shib.conf

Panel

(snip)
<Location /secure>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  # Apache 2.4 treats sibling Require directives as RequireAny, so without this
  # container "require shib-session" alone would admit any authenticated user.
  <RequireAll>
    require shib-session
    require shib-attr unscoped-affiliation staff
  </RequireAll>
</Location>