Compare versions


...

Replace the variable $IDP_HOME$ with the correct path, e.g. /opt/shibboleth-idp (so that the whole value reads, for example, file:/opt/shibboleth-idp/conf/uApprove.properties).

Put the correct metadata of the IdP in $IDP_HOME$/conf/relying-party.xml, and edit $IDP_HOME$/conf/relying-party.xml so that it reads $IDP_HOME$/metadata/idp-metadata.xml:

...

Hint
  1. If, based on the isRequired attribute of the <RequestedAttribute> element, you want an attribute to be shown as desired when isRequired is true, optional when it is false, and not displayed when the attribute has no <RequestedAttribute> element (and also when the metadata has no <AttributeConsumingService> element at all), the rule can be rewritten as below:

    uApprove.jp 2.2.1:

    <PermitValueRule xsi:type="uajpmf:AttributeUapprove"
                     isApproved="true" requestedOnly="true" />

    uApprove JP 2.5.0:

    <PermitValueRule xsi:type="uajpmf:AttributeInMetadata" onlyIfChecked="true"
                     onlyIfRequired="false" matchIfMetadataSilent="false" />

  2. If, based on the isRequired attribute of the <RequestedAttribute> element, you want an attribute to be shown as desired when isRequired is true, optional when it is false, and also optional when the metadata has no <AttributeConsumingService> element, the rule can be rewritten as below. Note the difference: with uajpmf:AttributeUapprove, an attribute that has no <RequestedAttribute> element inside the <AttributeConsumingService> element becomes optional, whereas with uajpmf:AttributeInMetadata it is not displayed:

    uApprove.jp 2.2.1:

    <PermitValueRule xsi:type="uajpmf:AttributeUapprove"
                     isApproved="true" requestedOnly="false" />

    uApprove JP 2.5.0:

    <PermitValueRule xsi:type="uajpmf:AttributeInMetadata" onlyIfChecked="true"
                     onlyIfRequired="false" matchIfMetadataSilent="true" />

  3. A policy that applies when the metadata has an <AttributeConsumingService> element cannot be rewritten directly: set the <PolicyRequirementRule> element to <basic:ANY>, and set onlyIfRequired="true" matchIfMetadataSilent="false" on each rule:

    uApprove.jp 2.2.1:

    <PolicyRequirementRule xsi:type="uajpmf:AttributeUapprove" />

    <PermitValueRule xsi:type="uajpmf:AttributeUapprove"
                     isApproved="true" requestedOnly="false" />

    uApprove JP 2.5.0:

    <PolicyRequirementRule xsi:type="basic:ANY" />

    <PermitValueRule xsi:type="uajpmf:AttributeInMetadata" onlyIfChecked="true"
                     onlyIfRequired="false" matchIfMetadataSilent="false" />

Info

In the table above, attributes written in italics are default values and may therefore be omitted in the actual configuration.

...

In your attribute filter policy file you'll need to add the namespace declaration for this plugin. To do this:

  • Add the attribute xmlns:uajpmf="http://www.gakunin.jp/ns/uapprove-jp/afp/mf" before the xmlns:xsi attribute on the root <AttributeFilterPolicyGroup> element.
  • Add the following at the end of the whitespace delimited list of values for the xsi:schemaLocation attribute:
    http://www.gakunin.jp/ns/uApprove-jp/afp/mf classpath:/schema/shibboleth-2.0-afp-mf-uApprovejp.xsd

XML namespace names are compared as literal strings, so the namespace URI in the xmlns:uajpmf declaration and the one paired with the schema in xsi:schemaLocation must be spelled identically; otherwise the uajpmf rule types cannot be validated against the plugin schema.
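As an added example (not from the original page or the uApprove JP project), here is a complete attribute filter policy file for uApprove JP 2.5.0 that combines the namespace declaration above with the rule from hint 1. The uajpmf namespace and rule attributes are taken from this page and spelled identically in both places; the afp and basic namespaces follow the standard IdP 2.x schema (assumed), and the policy id and the mail attribute id are constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: $IDP_HOME$/conf/attribute-filter.xml for uApprove JP 2.5.0.
     uajpmf namespace, schema file and rule attributes: from the page.
     afp/basic namespaces: standard IdP 2.x (assumed).
     Policy id and attributeID "mail": constructed for this example. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:uajpmf="http://www.gakunin.jp/ns/uapprove-jp/afp/mf"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
                        http://www.gakunin.jp/ns/uapprove-jp/afp/mf classpath:/schema/shibboleth-2.0-afp-mf-uApprovejp.xsd">

    <!-- Applies to every SP (basic:ANY); the per-attribute rule decides what
         is actually shown and released. With the values from hint 1:
         isRequired="true"  -> shown as desired,
         isRequired="false" -> shown as optional (onlyIfRequired="false"),
         no <RequestedAttribute> or no <AttributeConsumingService> at all
         -> not displayed (matchIfMetadataSilent="false"). -->
    <AttributeFilterPolicy id="uApproveJpReleaseRequestedAttributes">
        <PolicyRequirementRule xsi:type="basic:ANY" />

        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="uajpmf:AttributeInMetadata" onlyIfChecked="true"
                             onlyIfRequired="false" matchIfMetadataSilent="false" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```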

Define the Rule

This rule is defined by the <PermitValueRule xsi:type="uajpmf:AttributeInMetadata"> element with the following optional attribute:

...

You need to add the namespace declaration for this plugin to the profile handler file (e.g. $IDP_HOME$/conf/handler.xml) as follows:

  1. Add the attribute xmlns:uajpph="http://www.gakunin.jp/ns/uapprove-jp/profile-handler" before the xmlns:xsi attribute in the root element.
  2. Add the following to the list of xsi:schemaLocation attribute values:
    http://www.gakunin.jp/ns/uapprove-jp/profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler-uapprovejp.xsd

...
<ph:ProfileHandlerGroup
        xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
        xmlns:uajpph="http://www.gakunin.jp/ns/uapprove-jp/profile-handler"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
                            http://www.gakunin.jp/ns/uapprove-jp/profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler-uapprovejp.xsd">
...

...

You need to change the AttributeQuery profile handlers as follows:

  1. Change the value of the xsi:type attribute from ph:SAML1AttributeQuery to uajpph:SAML1AttributeQueryUApprove.
  2. Change the value of the xsi:type attribute from ph:SAML2AttributeQuery to uajpph:SAML2AttributeQueryUApprove.

...

The purpose for which an SP uses an attribute can be declared either by adding a uajpmd:description attribute to the <RequestedAttribute> element, or by adding a <uajpmd:RequestedAttributeExtension> element inside the <Extensions> element of the <SPSSODescriptor> element.

...

This attribute is set on the <RequestedAttribute> element:

uajpmd:description

A string indicating the purpose for which the SP uses the attribute.

Example of the <RequestedAttribute> element with uajpmd:description:

       <md:RequestedAttribute FriendlyName="mail"
                Name="urn:oid:0.9.2342.19200300.100.1.3"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                uajpmd:description="The mail attribute is used as the initial value of the mail address field of the registration form."/>

...

The <uajpmd:Description> element describes the purpose for which the SP uses the attribute and is defined with the following attributes:

xml:lang

The language of the description text (the purpose for which the SP uses the attribute).

...