Fragen an die Dozent/innen:
können wir die relying-party datei doch konfigurien?

Unterlagen & VM zum Workshop:
https://download.aai.dfn.de/ws/2018_fub/

log files  :
/var/log/tomcat8/catalina.out
/opt/shibboleth-idp/logs/idp-process.log

Übung 1:
Datei /opt/shibboleth-idp/conf/logback.xml anpassen:
    <!-- Logging level shortcuts. -->
    <!-- <variable name="idp.loglevel.idp" value="INFO" /> -->
    <variable name="idp.loglevel.idp" value="DEBUG" />
    <!-- <variable name="idp.loglevel.ldap" value="WARN" /> -->
    <variable name="idp.loglevel.ldap" value="DEBUG" />
    <variable name="idp.loglevel.messages" value="INFO" />
    <variable name="idp.loglevel.encryption" value="INFO" />
    <!-- <variable name="idp.loglevel.opensaml" value="INFO" /> -->
    <variable name="idp.loglevel.opensaml" value="DEBUG" />
    <variable name="idp.loglevel.props" value="INFO" />

curl https://idp.local/idp/profile/admin/reload-service?id=shibboleth.LoggingService
siehe https://wiki.shibboleth.net/confluence/display/IDP30/ReloadableServices

Übung 2:
Datei /opt/shibboleth-idp/conf/attribute-resolver.xml anpassen:

Vorher abhängig von myLDAP (von dort werden die bereits gescopten Daten geholt):
<AttributeDefinition xsi:type="Prescoped" id="eduPersonScopedAffiliation"sourceAttributeID="eduPersonScopedAffiliation">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</AttributeDefinition>

Jetzt werden die Daten von 'eduPersonAffiliation' geholt und zusätzlich mit einem Scope angereichert:
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" >
        <Dependency ref="eduPersonAffiliation" />
        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
</AttributeDefinition>

eduPersonScopedAffiliation war vorher schon scoped und hatte bereits den scope="{idp.scope}"...

noch Übung 2: die sourecAttriuteID kann mit angegeben werden, in vielen Fällen muss sie vorhanden sein, in diesem Beispiel nicht, tut aber auch nicht weh:

    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
        <Dependency ref="eduPersonAffiliation" />
        <DisplayName xml:lang="en">Affiliation type (with institution)</DisplayName>
        <DisplayName xml:lang="de">Zugehörigkeit (+ Einrichtung)</DisplayName>
        <DisplayDescription xml:lang="en">Type of affiliation with Home Organization with scope</DisplayDescription>
        <DisplayDescription xml:lang="de">Art der Zugehörigkeit zur Heimateinrichtung mit Geltungsbereich</DisplayDescription>
        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition>

Testen mit:
curl "https://idp.local/idp/profile/admin/resolvertest?requester=https://sp1.local/shibboleth&principal=pingel&saml2"

Übung 3:
Datei /opt/shibboleth-idp/conf/attribute-filter.xml anpassen:

    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

Testen mit::
curl "https://idp.local/idp/profile/admin/resolvertest?requester=https://sp1.local/shibboleth&principal=pingel&saml2"
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_a3376bab0f21551a435438c4e8036caa"
    IssueInstant="2018-11-21T15:20:01.277Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth">NMTR6SVZOCUWF5MNGDDIYQQBY4QCB76N</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>ldapblubaffiliation@local</saml2:AttributeValue>
            <saml2:AttributeValue>employee@local</saml2:AttributeValue>
            <saml2:AttributeValue>member@local</saml2:AttributeValue>
            <saml2:AttributeValue>staff@local</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

Lösung 4:
Datei /opt/shibboleth-idp/conf/attribute-resolver.xml anpassen:

   <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <Dependency ref="eduPersonAffiliation" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
        <Script>
                <![CDATA[
                if (eduPersonAffiliation.getValues().contains("member")) {
                        eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
                }
               
                ]]>
        </Script>
    </AttributeDefinition>

und Datei /opt/shibboleth-idp/conf/attribute-filter.xml anpassen:

   <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
        </AttributeRule>

    <AttributeFilterPolicy id="SPs_locals">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sp1.local/shibboleth" />
            <Rule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
        </AttributeRule>
    </AttributeFilterPolicy>

      <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>

Lösung 5:
Datei attribute-resolver.xml anpassen:

    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <Dependency ref="myLDAP" />
        <Dependency ref="eduPersonAffiliation" />
        <Dependency ref="organizationalUnit" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
        <Script>
                <![CDATA[
                        if (eduPersonAffiliation.getValues().contains("member")) {
                                eduPersonEntitlement.getValues().add("urn:mace:dir:common-lib-terms");
                        }
                        if (organizationalUnit.getValues().contains("politologie")) {
                                eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");
                        }
                ]]>
        </Script>
    </AttributeDefinition>

Datei attribute-filter.xml anpassen:

    <AttributeFilterPolicy id="SP1_local">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="urn:mace:dir:common-lib-terms" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <AttributeFilterPolicy id="SP2_local">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
      <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>

Test für sp1:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_77dfdf0a8dcc9bfaefd57178686e64e2"
    IssueInstant="2018-11-21T16:34:54.895Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth">ZBMAAJIQSD5FFOU7Q3OCTV3M2K5H57J6</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="eduPersonEntitlement"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>urn:mace:dir:common-lib-terms</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>employee@local</saml2:AttributeValue>
            <saml2:AttributeValue>member@local</saml2:AttributeValue>
            <saml2:AttributeValue>staff@local</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

Test für sp2:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_78e1d70d0f5b5be11f9126e825a48189"
    IssueInstant="2018-11-21T16:35:47.174Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp2.local/shibboleth">GUD2KCXZX2VIX3SCQVJOLCAPC3LGDOIW</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="eduPersonEntitlement"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>https://sp2.local/entitlement/politologie</saml2:AttributeValue>
            <saml2:AttributeValue>urn:mace:dir:common-lib-terms</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="uid"
            Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>pingel</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>maria.pingel@nodomain.local</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>employee@local</saml2:AttributeValue>
            <saml2:AttributeValue>member@local</saml2:AttributeValue>
            <saml2:AttributeValue>staff@local</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>Pingel</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

EntityIDd des anfragenden SPs im Script bestimmen:
    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <Dependency ref="eduPersonAffiliation" />
        <Dependency ref="organizationalUnit" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
        <Script>
            <![CDATA[
                if (eduPersonAffiliation.getValues().contains("member")) {
                        eduPersonEntitlement.getValues().add("common-lib-terms");
                }
                if (organizationalUnit.getValues().contains("politologie") &&
                    profileContext.getInboundMessageContext().getSubcontext("org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext").getEntityId().equals("https://sp2.local/shibboleth")) {
                        eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");
                }
            ]]>
        </Script>
    </AttributeDefinition>