Hallo zusammen

https://download.aai.dfn.de/ws/2018_fub/installationsfahrplan.txt

Logout IdP-seitig:
https://FQDN/idp/profile/Logout

conference WLAN-Passwort: fnbgv58a

Zu den Übungen:

##### Übung 1 #####
Loglevel  th-idp/conf/logback.xml:

    <!-- Logging level shortcuts. -->
    <variable name="idp.loglevel.idp" value="DEBUG" />
    <variable name="idp.loglevel.ldap" value="DEBUG" />
    <variable name="idp.loglevel.messages" value="INFO" />
    <variable name="idp.loglevel.encryption" value="INFO" />
    <variable name="idp.loglevel.opensaml" value="DEBUG" />
    <variable name="idp.loglevel.props" value="INFO" />

-> Config Reload triggern oder warten


##### Übung 2 #####
eduPersonScopedAffiliation aus eduPersonAffiliation bilden in /opt/shibboleth-idp/conf/attribute-resolver.xml:

    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
        <Dependency ref="eduPersonAffiliation" />
        <DisplayName xml:lang="en">Affiliation type (with institution)</DisplayName>
        <DisplayName xml:lang="de">Zugehörigkeit (+ Einrichtung)</DisplayName>
        <DisplayDescription xml:lang="en">Type of affiliation with Home Organization with scope</DisplayDescription>
        <DisplayDescription xml:lang="de">Art der Zugehörigkeit zur Heimateinrichtung mit Geltungsbereich</DisplayDescription>
        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition>




curl "https://idp.local/idp/profile/admin/resolvertest?requester=https://sp1.local/shibboleth&principal=pingel&saml2=true"


##### Übung 3 #####

<AttributeFilterPolicy id="SPs_local1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />

        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
</AttributeFilterPolicy>



##### Übung 4 #####
In "attribute-resolver.xml" Original-Definition für "eduPersonEntitlement" auskommentieren und folgende einfügen:

    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <Dependency ref="eduPersonAffiliation" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false$
        <Script>
            <![CDATA[
                if (eduPersonAffiliation.getValues().contains("member")) {
                    eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
                }
            ]]>
        </Script>
    </AttributeDefinition>


Zusätzlich in "attribute-filter.xml" folgende Definition in der "AttributeFilterPolicy" für sp1 einfügen: 

        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

In der Logdatei "idp-process.log" sollte nach dem Login dann ein Eintrag wie folgt erscheinen:

2018-11-20 16:06:01,481 - INFO [Shibboleth-Audit.SSO:275] - 20181120T150601Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_cc57077c1eebd6a6ddcabc3f69f482d4|https://sp1.local/shibboleth|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.local/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_7116e56c594dbba25872ba838f45398e|pingel|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonEntitlement,eduPersonScopedAffiliation|NMTR6SVZOCUWF5MNGDDIYQQBY4QCB76N|_a7b633660ee23bd43ed99c284e617899|



##### Übung 5 #####

In "attribute-resolver.xml" das oben definierte Attribut organizationalUnit als Dependency in eduPersonEntitlement hinzufügen


<AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
    <Dependency ref="eduPersonAffiliation" />
		<Dependency ref="organizationalUnit" />
    ...

Dann im Script per if-Abfrage auf "politologie" überprüfen und nach Erfolg das Attribut "https://sp2.local/entitlement/politologie" hinzufügen.
  
        <Script>
	    <![CDATA[
		if (eduPersonAffiliation.getValues().contains("member")) {
			eduPersonEntitlement.getValues().add("common-lib-terms");
		}
		if (organizationalUnit.getValues().contains("politologie")) {
			eduPersonEntitlement.addValue("https://sp2.local/entitlement/politologie");
      oder: eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");

		}
	    ]]>
 	</Script>
</AttributeDefinition>

Danach in "attribute-filter.xml" im Filter für SP1 mit folgender Regel nur das 'common-lib-terms' Attribut erlauben.

<AttributeFilterPolicy id="SP1_local">
...
	<AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="OR"> 
			<Rule xsi:type="Value" value="common-lib-terms" />
	  </PermitValueRule>
	</AttributeRule>
  
  
EntityIDd des anfragenden SPs im Script bestimmen:
    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <Dependency ref="eduPersonAffiliation" />
        <Dependency ref="organizationalUnit" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
        <Script>
            <![CDATA[
                if (eduPersonAffiliation.getValues().contains("member")) {
                        eduPersonEntitlement.getValues().add("common-lib-terms");
                }
                if (organizationalUnit.getValues().contains("politologie") &&
                    profileContext.getInboundMessageContext().getSubcontext("org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext").getEntityId().equals("https://sp2.local/shibboleth")) {
                        eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");
                }
            ]]>
        </Script>
    </AttributeDefinition>