Shibboleth- und AAI Workshop, Berlin 2019-01-29



Übung 1

/opt/shibboleth-idp/conf/logback.xml:

    <variable name="idp.loglevel.idp" value="DEBUG" />
    <variable name="idp.loglevel.ldap" value="DEBUG" />
    <variable name="idp.loglevel.messages" value="INFO" />
    <variable name="idp.loglevel.encryption" value="INFO" />
    <variable name="idp.loglevel.opensaml" value="DEBUG" />

systemctl restart tomcat8.service
schneller: touch /opt/shibboleth-idp/war/idp.war
ohne Unterbrechung: 5 Min. warten.
curl https://idp.local/idp/profile/admin/reload-service?id=shibboleth.LoggingService

Übung 2
/opt/shibboleth-idp/conf/attribute-resolver.xml:
    
    <AttributeDefinition xsi:type="Template" id="eduPersonScopedAffiliation">
        <Dependency ref="eduPersonAffiliation" />
        <Template>${eduPersonAffiliation}@%{idp.scope}</Template>
        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition> 
    
    bis Shibboleth IdP 3.3.x
        <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
        <Dependency ref="eduPersonAffiliation" />
        <DisplayName xml:lang="en">Affiliation type (with institution)</DisplayName>
        <DisplayName xml:lang="de">Zugehörigkeit (+ Einrichtung)</DisplayName>
        <DisplayDescription xml:lang="en">Type of affiliation with Home Organization with scope</DisplayDescription>
        <DisplayDescription xml:lang="de">Art der Zugehörigkeit zur Heimateinrichtung mit Geltungsbereich</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition>

ab Shibboleth 3.4.0 (siehe unter https://wiki.shibboleth.net/confluence/display/IDP30/DeprecatedIdPV4)
    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
        <InputAttributeDefinition ref="eduPersonAffiliation" />
        <DisplayName xml:lang="en">Affiliation type (with institution)</DisplayName>
        <DisplayName xml:lang="de">Zugehörigkeit (+ Einrichtung)</DisplayName>
        <DisplayDescription xml:lang="en">Type of affiliation with Home Organization with scope</DisplayDescription>
        <DisplayDescription xml:lang="de">Art der Zugehörigkeit zur Heimateinrichtung mit Geltungsbereich</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
    </AttributeDefinition>


Übung 3
<!-- Release to local SPs. -->
    <AttributeFilterPolicy id="SP1_locals">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />     
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <AttributeFilterPolicy id="SP2_locals">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />

        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>


Übung 4 (siehe auch unter https://doku.tid.dfn.de/de:shibidp3attributes-publishers )

    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <InputAttributeDefinition ref="eduPersonAffiliation" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
        <Script>
          <![CDATA[
              if (eduPersonAffiliation.getValues().contains("member")) {
                      eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
              }
           ]]>
           </Script>
    </AttributeDefinition>

in /opt/shibboleth-idp/conf/attribute-filter.xml, damit es auch übermittelt wird:

    <!-- Release to local SP1. -->
    <AttributeFilterPolicy id="SP1_local">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
      <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="ANY" />
      </AttributeRule>
    </AttributeFilterPolicy>


Übung 5 
(Beispiele für <PermitValueRule> ebenfalls unter https://doku.tid.dfn.de/de:shibidp3attributes-publishers )

Im resolver:
    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <InputAttributeDefinition ref="eduPersonAffiliation" />
        <InputAttributeDefinition ref="organizationalUnit" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
        <Script>
          <![CDATA[
              if (eduPersonAffiliation.getValues().contains("member")) {
                      eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
              }
                if (organizationalUnit.getValues().contains("politologie")) {
                    eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");
                }
           ]]>
           </Script>
    </AttributeDefinition>

in filter für sp1
     <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
      </AttributeRule>