
...

$IDP_HOME$/conf/global.xml

...

<!-- Fallback UI languages: the value of the idp.ui.fallbackLanguages property
     (empty when the property is unset), trimmed and handed as the first
     constructor argument to the shibboleth.CommaDelimStringArray parent bean. -->
<bean id="shibboleth.FallbackLanguages"
      parent="shibboleth.CommaDelimStringArray"
      c:_0="#{'%{idp.ui.fallbackLanguages:}'.trim()}" />
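<!-- Map of helper objects registered under the keys below; presumably these
     are what the consent view templates look up (confirm against the
     templates shipped with the plugin). -->
<util:map id="shibboleth.CustomViewContext">
    <entry key="OptionalAttributeFunction">
        <bean class="jp.gakunin.idp.consent.logic.impl.OptionalAttributeFunction" />
    </entry>
    <!-- Receives the fallback language list by reference, so the bean
         shibboleth.FallbackLanguages must be defined in the same context. -->
    <entry key="AttributeIntendedUseFunction">
        <bean class="jp.gakunin.idp.consent.logic.impl.AttributeIntendedUseFunction" p:defaultLanguages-ref="shibboleth.FallbackLanguages" />
    </entry>
</util:map>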

...

Modify the <constructor-arg name="strategy"> element of the bean named "shibboleth.AttributeFilterService" in $IDP_HOME$/system/conf/services-system.xml as shown below:

...

$IDP_HOME$/system/conf/services-system.xml

...

<!-- Reloadable attribute filter service.
     * Filter policy resources come from the bean named by
       idp.service.attribute.filter.resources (default
       shibboleth.AttributeFilterResources).
     * failFast follows idp.service.attribute.filter.failFast, then
       idp.service.failFast, then false.
     * The reload check delay follows idp.service.attribute.filter.checkInterval
       (default PT0S).
     NOTE(review): files under $IDP_HOME$/system/ are normally replaced when the
     IdP is upgraded. Re-apply this change after each upgrade and verify that
     attribute release still follows the intended filter policy. -->
<bean id="shibboleth.AttributeFilterService"
      class="net.shibboleth.ext.spring.service.ReloadableSpringService"
      depends-on="shibboleth.VelocityEngine"
      p:serviceConfigurations-ref="#{'%{idp.service.attribute.filter.resources:shibboleth.AttributeFilterResources}'.trim()}"
      p:failFast="%{idp.service.attribute.filter.failFast:%{idp.service.failFast:false}}"
      p:reloadCheckDelay="%{idp.service.attribute.filter.checkInterval:PT0S}"
      p:beanPostProcessors-ref="shibboleth.IdentifiableBeanPostProcessor"
      p:beanFactoryPostProcessors-ref="shibboleth.PropertySourcesPlaceholderConfigurer">
    <constructor-arg name="claz" value="net.shibboleth.idp.attribute.filter.AttributeFilter" />
    <!-- Strategy class supplied by the jp.gakunin package; it is given the
         attribute registry service as its transcoder registry and is created
         only after that service. -->
    <constructor-arg name="strategy">
        <bean id="ShibbolethAttributeFilter"
              class="jp.gakunin.idp.attribute.filter.spring.impl.AttributeFilterServiceStrategy"
              depends-on="shibboleth.AttributeRegistryService"
              p:transcoderRegistry-ref="shibboleth.AttributeRegistryService" />
    </constructor-arg>
</bean>

...


Modify the class definition of the bean named "IsConsentRequiredPredicate" in $IDP_HOME$/system/flows/intercept/attribute-release-beans.xml as shown below:

...

$IDP_HOME$/conf/global.xml

<!-- Use this file to define any custom beans needed globally. -->
<!-- JPA-backed storage service. The cleanup interval is read from
     idp.storage.cleanupInterval (default PT10M); the entity manager factory
     defined below is passed as the "factory" constructor argument. -->
<bean id="shibboleth.JPAStorageService"
      class="org.opensaml.storage.impl.JPAStorageService"
      p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}">
    <constructor-arg name="factory" ref="shibboleth.JPAStorageService.entityManagerFactory" />
</bean>

<!-- Entity manager factory for the storage service: scans the
     org.opensaml.storage.impl package for entities and uses the MySQL data
     source and the Hibernate vendor adapter defined in this file. -->
<bean id="shibboleth.JPAStorageService.entityManagerFactory"
      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"
      p:packagesToScan="org.opensaml.storage.impl"
      p:dataSource-ref="shibboleth.MySQLDataSource"
      p:jpaVendorAdapter-ref="shibboleth.JPAStorageService.JPAVendorAdapter">
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>

<!-- Hibernate vendor adapter, set to the MYSQL database type. -->
<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
      class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
    <property name="database" value="MYSQL" />
</bean>

<!-- Pooled JDBC data source (commons-dbcp2) for the storage database. -->
<bean id="shibboleth.MySQLDataSource"
      class="org.apache.commons.dbcp2.BasicDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <!-- The database is reached on localhost. If it is moved to another
         host, protect the connection with TLS and verify the server. -->
    <property name="url" value="jdbc:mysql://localhost:3306/shibboleth" />
    <!-- NOTE(review): "shibboleth" / "shibpassword" are the sample credentials
         of this example. Use a dedicated database account with its own strong
         password and rights on the shibboleth schema only, and keep this file
         readable only by the account the IdP runs as. The password can also be
         supplied through a %{...} property placeholder (the syntax this file
         uses for idp.storage.cleanupInterval), so that the secret lives in a
         separately protected properties file rather than in global.xml. -->
    <property name="username" value="shibboleth" />
    <property name="password" value="shibpassword" />
    <!-- Pool sizing: at most 10 connections, at most 5 idle, and a wait of
         up to 15000 ms for a free connection. -->
    <property name="maxTotal" value="10" />
    <property name="maxIdle" value="5" />
    <property name="maxWaitMillis" value="15000" />
    <!-- Each connection is checked with "select 1" (5 second timeout) before
         it is handed out. -->
    <property name="testOnBorrow" value="true" />
    <property name="validationQuery" value="select 1" />
    <property name="validationQueryTimeout" value="5" />
</bean>

...


<!-- Schematic SP metadata entry for https://sp.example.org/shibboleth.
     The service name and description are given twice: as mdui:DisplayName /
     mdui:Description inside Extensions, and as ServiceName /
     ServiceDescription inside AttributeConsumingService. The "..." comments
     mark content that this excerpt leaves out.
     NOTE(review): these strings are presumably what the user is shown when
     asked to approve attribute release. They come from the SP's metadata, so
     they are only as trustworthy as the source the metadata is loaded from;
     confirm that the source is integrity-checked. -->
<EntityDescriptor entityID="https://sp.example.org/shibboleth">

    <!-- ... -->

    <SPSSODescriptor>
        <Extensions>
            <!-- The mdui prefix is declared on this element, so the block can
                 be copied on its own. -->
            <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
                <mdui:DisplayName xml:lang="en">Example SP</mdui:DisplayName>
                <!-- Service names in other languages -->
                <mdui:Description xml:lang="en">Some description of Example SP</mdui:Description>
                <!-- Service descriptions in other languages -->
            </mdui:UIInfo>

        </Extensions>

        <!-- ... -->

        <AttributeConsumingService index="1">
            <ServiceName xml:lang="en">Example SP</ServiceName>
            <!-- Service names in other languages -->
            <ServiceDescription xml:lang="en">Some description of Example SP</ServiceDescription>
            <!-- Service descriptions in other languages -->
        </AttributeConsumingService>

        <!-- ... -->

    </SPSSODescriptor>
</EntityDescriptor>

...

  • Add the attribute xmlns:uajpmf="http://www.gakunin.jp/ns/uapprove-jp/afp/mf" before the xmlns:xsi attribute on the root <AttributeFilterPolicyGroup> element.
  • Add the following at the end of the whitespace delimited list of values for the xsi:schemaLocation attribute:
            http://www.gakunin.jp/ns/uapprove-jp/afp/mf http://www.gakunin.jp/schema/idp/gakunin-afp-mf-uapprovejp.xsd

Define the Rule

This rule is defined by the <PermitValueRule xsi:type="uajpmf:AttributeInMetadata"> element with the following optional attribute:

...

<!--    ==================================================================================
case 1: Rule that compares the SP's metadata with the attributes mail,
     eduPersonPrincipalName and eduPersonAffiliation.

     Attributes marked as required in the metadata: all of them are treated
     as required information and are always released.

     Attributes marked as optional in the metadata:
     * mail is treated as required information and is always released.
     * eduPersonPrincipalName is optional information. It is shown with a
       checkbox in the attribute selection window and is released only if
       the user ticks the checkbox.
     * eduPersonAffiliation is not released.

     No attributes are released when the SP has no <AttributeConsumingService>
     element in its metadata.

     NOTE(review): the eduPersonAffiliation rule sets no options, so the
     behaviour described above implies that onlyIfRequired defaults to true
     and onlyIfChecked to false. Confirm this against the plugin documentation.

     NOTE(review): basic:ANY applies this policy to every requester, so what
     is released is decided by each SP's metadata. Confirm that metadata is
     only loaded from sources whose integrity is verified.
        ================================================================================== -->
<AttributeFilterPolicy id="PolicyforSPwithAttributeConsumingService">
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="uajpmf:AttributeInMetadata"
                             onlyIfRequired="false" />
    </AttributeRule>

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="uajpmf:AttributeInMetadata"
                             onlyIfRequired="false"
                             onlyIfChecked="true" />
    </AttributeRule>

    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="uajpmf:AttributeInMetadata" />
    </AttributeRule>

</AttributeFilterPolicy>

<!--    ==================================================================================
case 2: Example that also covers SPs which have no <AttributeConsumingService>
     element in their metadata.

     When the SP has no <AttributeConsumingService> element:
     * mail is treated as required information and is always released.
     * eduPersonPrincipalName is optional information. It is shown with a
       checkbox in the attribute selection window and is released only if
       the user ticks the checkbox.
     * eduPersonAffiliation is not released.

     When the SP has an <AttributeConsumingService> element, the result is
     the same as in case 1.

     NOTE(review): with matchIfMetadataSilent="true" and basic:ANY, mail is
     released to every SP whose metadata has no <AttributeConsumingService>
     element, whether or not that SP asks for it. If this is broader than
     intended, restrict the PolicyRequirementRule to the SPs that need it.
        ================================================================================== -->
<AttributeFilterPolicy id="PolicyforSPwithoutAttributeConsumingService">
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="uajpmf:AttributeInMetadata"
                             matchIfMetadataSilent="true"
                             onlyIfRequired="false" />
    </AttributeRule>

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="uajpmf:AttributeInMetadata"
                             matchIfMetadataSilent="true"
                             onlyIfRequired="false"
                             onlyIfChecked="true" />
    </AttributeRule>

    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="uajpmf:AttributeInMetadata" />
    </AttributeRule>

</AttributeFilterPolicy>

...