...

• saml-nameid.xml
<ref bean="shibboleth.SAML2PersistentGenerator" /> をアンコメントして有効にします。

  コード ブロック
  language xml title saml-nameid.xml
  <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- -->

• saml-nameid.properties
  idp.persistentId.generator, idp.persistentId.store, idp.persistentId.sourceAttributeとidp.persistentId.saltを設定します。

  コード ブロック
  language sass title saml-nameid.properties
  # Set to shibboleth.StoredPersistentIdGenerator for db-backed storage # and uncomment/name the PersistentIdStore bean to use idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator idp.persistentId.store = PersistentIdStore # Set this to null to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator # Otherwise for computed PersistentIDs set the source attribute and salt. idp.persistentId.sourceAttribute = uid4ppersistentId idp.persistentId.salt = changethistosomethingrandom

• global.xml
idp.persistentId.storeの値をglobal.xmlの//beanで定義します。

  コード ブロック
  language xml title global.xml (Tomcat 7の場合)
  <!-- Use this file to define any custom beans needed globally. --> <bean id="shibboleth.MySQLDataSource" class="org.apache.tomcat.dbcp.dbcp.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:username="username" p:password="password" p:maxActive="10" p:maxIdle="5" p:maxWait="15000" p:testOnBorrow="true" p:validationQuery="select 1" p:validationQueryTimeout="5" /> <bean id="PersistentIdStore" class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:dataSource-ref="shibboleth.MySQLDataSource" />

  コード ブロック
  language xml title global.xml (Tomcat 8の場合)
  <!-- Use this file to define any custom beans needed globally. --> <bean id="shibboleth.MySQLDataSource" class="org.apache.tomcat.dbcp.dbcp2.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:username="username" p:password="password" p:maxIdle="5" p:testOnBorrow="true" p:validationQuery="select 1" p:validationQueryTimeout="5" /> <bean id="PersistentIdStore" class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:dataSource-ref="shibboleth.MySQLDataSource" />

  注意
  Tomat 8の場合に、p:maxActiveおよびp:maxWaitを指定するとエラーとなり、Shibboleth IdPが起動しない。

• attribute-resolver.xmlとattribute-filter.xml
idp.persistentId.sourceAttributeの値をattribute-resolver.xmlの//resolver:AttributeDefinitionで定義して、attribute-filter.xmlで送信設定を行います。

  コード ブロック
  language xml title attribute-resolver.xml
  <!-- ========================================== --> <!-- PersistentId Definition --> <!-- ========================================== --> <!-- Attribute Definition for %{idp.persistentId.sourceAttribute} --> <resolver:AttributeDefinition id="%{idp.persistentId.sourceAttribute}" xsi:type="ad:Simple" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> </resolver:AttributeDefinition>

  コード ブロック
  language xml title attribute-filter.xml
  <!-- Release to anyone --> <afp:AttributeFilterPolicy id="PolicyforAnyone"> <afp:PolicyRequirementRule xsi:type="basic:ANY" /> <afp:AttributeRule attributeID="%{idp.persistentId.sourceAttribute}"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy>

eduPersonTargetedId 属性の送信

//saml2:Subject/saml2:NameIDとは別に//saml2:AttributeStatement/saml2:Attribute[@FriendlyName="eduPersonTargetedID"]としてeduPersonTargetedId属性を送信する設定は下記の通りです。

なお、この機能はShibboleth IdP 3ではDeprecated Featuresとなっています。

computedId

computedIdでの設定を下記に示します。Shibboleth IdP 2と同じ設定で送信可能です。

• attribute-resolver.xml

  コード ブロック
  language xml title attribute-resolver.xml
  <!-- ========================================== --> <!-- Attribute Definitions --> <!-- ========================================== --> <!-- Schema: eduPerson attributes --> <!-- Attribute Definition for eduPersonTargetedID --> <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID"> <resolver:Dependency ref="computedID" /> <resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> <resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> </resolver:AttributeDefinition>     <!-- ========================================== --> <!-- Data Connectors --> <!-- ========================================== --> <!-- Computed targeted ID connector --> <resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc" id="computedID" generatedAttributeID="computedID" sourceAttributeID="uid" salt="changethistosomethingrandom"> <resolver:Dependency ref="myLDAP" /> </resolver:DataConnector>

• attribute-filter.xml

  コード ブロック
  language xml title attribute-filter.xml
  <!-- Release to sp.example.jp --> <afp:AttributeFilterPolicy id="PolicyforSP1ExampleJP"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.jp/shibboleth-sp" /> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy>

参考

• [Shibboleth wiki] Identity Provider 3
• [SWITCH] Shibboleth Identity Provider (IdP) 3 Installation Guide
• [SWITCH] Shibboleth IdPv3: Considerations in the Context of SWITCHaai
• [upki-fed:00880] Re: Shibboleth IdP 3.0 リリース