...
saml-nameid.xml
<ref bean="shibboleth.SAML2PersistentGenerator" />
をアンコメントして有効にします。コード ブロック language xml title saml-nameid.xml <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> <!-- --> <ref bean="shibboleth.SAML2PersistentGenerator" /> <!-- -->
saml-nameid.properties
idp.persistentId.generator,
idp.persistentId.store, idp.persistentId.sourceAttributeとidp.persistentId.salt
を設定します。コード ブロック language sass title saml-nameid.properties # Set to shibboleth.StoredPersistentIdGenerator for db-backed storage # and uncomment/name the PersistentIdStore bean to use idp.persistentId.generator = shibboleth.StoredPersistentIdGenerator idp.persistentId.store = PersistentIdStore # Set this to null to skip hash-based generation of first stored ID #idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator # Otherwise for computed PersistentIDs set the source attribute and salt. idp.persistentId.sourceAttribute = uid4ppersistentId idp.persistentId.salt = changethistosomethingrandom
global.xml
idp.persistentId.storeの値をglobal.xmlの//bean
で定義します。コード ブロック language xml title global.xml (Tomcat 7の場合) <!-- Use this file to define any custom beans needed globally. --> <bean id="shibboleth.MySQLDataSource" class="org.apache.tomcat.dbcp.dbcp.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:username="username" p:password="password" p:maxActive="10" p:maxIdle="5" p:maxWait="15000" p:testOnBorrow="true" p:validationQuery="select 1" p:validationQueryTimeout="5" /> <bean id="PersistentIdStore" class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:dataSource-ref="shibboleth.MySQLDataSource" />
コード ブロック language xml title global.xml (Tomcat 8の場合) <!-- Use this file to define any custom beans needed globally. --> <bean id="shibboleth.MySQLDataSource" class="org.apache.tomcat.dbcp.dbcp2.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://localhost:3306/shibboleth" p:username="username" p:password="password" p:maxIdle="5" p:testOnBorrow="true" p:validationQuery="select 1" p:validationQueryTimeout="5" /> <bean id="PersistentIdStore" class="net.shibboleth.idp.saml.nameid.impl.JDBCPersistentIdStore" p:dataSource-ref="shibboleth.MySQLDataSource" />
注意 Tomat 8の場合に、
p:maxActive
およびp:maxWait
を指定するとエラーとなり、Shibboleth IdPが起動しない。attribute-resolver.xml
とattribute-filter.xml
idp.persistentId.sourceAttribute
の値をattribute-resolver.xml
の//resolver:AttributeDefinition
で定義して、attribute-filter.xml
で送信設定を行います。コード ブロック language xml title attribute-resolver.xml <!-- ========================================== --> <!-- PersistentId Definition --> <!-- ========================================== --> <!-- Attribute Definition for %{idp.persistentId.sourceAttribute} --> <resolver:AttributeDefinition id="%{idp.persistentId.sourceAttribute}" xsi:type="ad:Simple" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> </resolver:AttributeDefinition>
コード ブロック language xml title attribute-filter.xml <!-- Release to anyone --> <afp:AttributeFilterPolicy id="PolicyforAnyone"> <afp:PolicyRequirementRule xsi:type="basic:ANY" /> <afp:AttributeRule attributeID="%{idp.persistentId.sourceAttribute}"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy>
eduPersonTargetedId 属性の送信
//saml2:Subject/saml2:NameID
とは別に//saml2:AttributeStatement/saml2:Attribute
[@FriendlyName="eduPersonTargetedID"]
としてeduPersonTargetedId
属性を送信する設定は下記の通りです。
なお、この機能はShibboleth IdP 3ではDeprecated Featuresとなっています。
computedId
computedIdでの設定を下記に示します。Shibboleth IdP 2と同じ設定で送信可能です。
attribute-resolver.xml
コード ブロック language xml title attribute-resolver.xml <!-- ========================================== --> <!-- Attribute Definitions --> <!-- ========================================== --> <!-- Schema: eduPerson attributes --> <!-- Attribute Definition for eduPersonTargetedID --> <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID"> <resolver:Dependency ref="computedID" /> <resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> <resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> </resolver:AttributeDefinition> <!-- ========================================== --> <!-- Data Connectors --> <!-- ========================================== --> <!-- Computed targeted ID connector --> <resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc" id="computedID" generatedAttributeID="computedID" sourceAttributeID="uid" salt="changethistosomethingrandom"> <resolver:Dependency ref="myLDAP" /> </resolver:DataConnector>
attribute-filter.xml
コード ブロック language xml title attribute-filter.xml <!-- Release to sp.example.jp --> <afp:AttributeFilterPolicy id="PolicyforSP1ExampleJP"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.jp/shibboleth-sp" /> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy>