Lösungen zu den Übungen







Übung 1: Loglevel auf Debug einstellen


<!-- File: /opt/shibboleth-idp/conf/logback.xml -->
<!-- Exercise 1: raise the IdP log levels for troubleshooting.
     idp.loglevel.encryption=DEBUG is what makes the IdP write the complete,
     still unencrypted assertion - including every released user attribute -
     to idp-process.log (the "Assertion before encryption" entries quoted
     further down, logged by org.opensaml.saml.saml2.encryption.Encrypter).
     Turn the levels back down once the exercises are finished. -->
    <variable name="idp.loglevel.idp" value="DEBUG" />
    <!-- LDAP and OpenSAML internals stay at INFO -->
    <variable name="idp.loglevel.ldap" value="INFO" />
    <variable name="idp.loglevel.messages" value="DEBUG" />
    <variable name="idp.loglevel.encryption" value="DEBUG" />
    <variable name="idp.loglevel.opensaml" value="INFO" />
# reload the configuration after editing logback.xml:
# the slow way (full Tomcat restart):
systemctl restart tomcat9.service
# faster, but still with a short interruption:
touch /opt/shibboleth-idp/war/idp.war
# without interruption: wait 5 minutes - see the reload intervals in conf/services.properties

Übung 2: dfnEduPerson-Schema importieren


# download the transcoding properties for dfnEduPerson
# (the file becomes part of the IdP configuration - review its contents before importing it):
wget https://download.aai.dfn.de/schema/dfnEduPerson.xml -O /opt/shibboleth-idp/conf/attributes/dfnEduPerson.xml
# verify that the file is in place next to the shipped rule files:
ls /opt/shibboleth-idp/conf/attributes/
# output of ls:
custom  default-rules.xml  dfnEduPerson.xml  eduCourse.xml  eduPerson.xml  inetOrgPerson.xml  samlSubject.xml
# Einbinden in default-rules.xml
[...]
    <!-- Exercise 2: make the downloaded dfnEduPerson.xml part of the default rule set -->
    <import resource="dfnEduPerson.xml" />
[...]

Übung 3: eduPersonScopedAffiliation aus eduPersonAffiliation bilden


<!-- File: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
    <!-- Exercise 3: derive eduPersonScopedAffiliation by appending the IdP's
         scope (property idp.scope - the part behind "@" in values such as
         "member@local" in the assertions below) to every value of
         eduPersonAffiliation -->
    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
        <InputAttributeDefinition ref="eduPersonAffiliation" />
    </AttributeDefinition>

Übung 4: Attributfreigaben differenzieren

Für die attribute-filter.xml gibt es zwei mögliche Schreibweisen. Die erste wird in den mitgelieferten Beispieldateien verwendet. Die zweite (unten) ist kürzer und übersichtlicher.

<!-- Notation 1 (the form used in the example files shipped with the IdP) -->
<!-- File: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1.
         The Requester rule matches on the SP's entityID (the same value that
         appears as saml2:Audience in the assertions below); only requests from
         that SP are subject to the AttributeRules of this policy. -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <!-- PermitValueRule ANY releases every value of the attribute; SP1 gets
             nothing but the scoped affiliation, no identifying attributes -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Release to local SP2.
         SP2 additionally receives surname, givenName, mail and uid, i.e.
         attributes that identify the person - keep such rules limited to the
         SPs that actually need them. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

<!-- Notation 2: permitAny="true" on the AttributeRule is the shorthand for a
     nested <PermitValueRule xsi:type="ANY"/>; the set of released attributes
     is the same as in notation 1 -->
<!-- File: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1 (entityID match): only the scoped affiliation. -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
    </AttributeFilterPolicy>

    <!-- Release to local SP2: scoped affiliation plus the identifying
         attributes surname, givenName, mail and uid. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="surname"                    permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="uid"                        permitAny="true"/>
    </AttributeFilterPolicy>

Übung 5: common-lib-terms für alle "member@local" übertragen

Doku: https://doku.tid.dfn.de/de:shibidp:config-attributes-publishers

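<!-- File: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
    <!-- Exercise 5: define eduPersonEntitlement as a scripted attribute that
         carries the common-lib-terms entitlement for every "member" -->
    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <!-- eduPersonAffiliation is the only input; it is visible to the
             script as a variable of the same name -->
        <InputAttributeDefinition ref="eduPersonAffiliation" />
        <Script><![CDATA[
            // NOTE(review): an input attribute that resolved to no values is not
            // guaranteed to be exposed as a script variable (confirm for the IdP
            // version in use), so the input is tested for presence first; without
            // the guard the script aborts for accounts that have no affiliation
            // (such as "nichts" below) instead of simply producing no entitlement.
            // If eduPersonAffiliation contains 'member' for this person, ...
            if (typeof eduPersonAffiliation !== "undefined"
                    && eduPersonAffiliation.getValues().contains("member")) {
                // ... then eduPersonEntitlement gets the value 'urn:mace:dir:entitlement:common-lib-terms'
                eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
            }
        ]]></Script>
    </AttributeDefinition>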
Anschließend muss das Attribut eduPersonEntitlement auch für die SPs freigegeben werden:

<!-- File: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1: the new eduPersonEntitlement is added to the
         rules from exercise 4; permitAny releases all of its values -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="eduPersonEntitlement"       permitAny="true"/>
    </AttributeFilterPolicy>

    <!-- Release to local SP2.
         NOTE(review): unlike the exercise 4 version of this policy, SP2 is
         here also given the unscoped eduPersonAffiliation. The assertion for
         "nichts" quoted below (issued for SP1) contains no AttributeStatement
         at all, consistent with that account having no affiliation and hence
         no entitlement. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonAffiliation"       permitAny="true"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="surname"                    permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="uid"                        permitAny="true"/>
        <AttributeRule attributeID="eduPersonEntitlement"       permitAny="true"/>
    </AttributeFilterPolicy>
Die SAML-Assertion vom Login von pingel:
<!-- idp-process.log -->
2020-10-27 14:54:07,079 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3a89275f3cd179685b22a3cf616c518a" IssueInstant="2020-10-27T13:54:06.179Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">NMTR6SVZOCUWF5MNGDDIYQQBY4QCB76N</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_72e4da8e1fa8dfcea0f85a340ded8b7c" NotOnOrAfter="2020-10-27T13:59:06.581Z" Recipient="https://sp1.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2020-10-27T13:54:06.179Z" NotOnOrAfter="2020-10-27T13:59:06.179Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp1.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2020-10-27T13:53:52.456Z" SessionIndex="_d8a534b987abc20fe007a9cc80af7bdb">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>staff@local</saml2:AttributeValue>
         <saml2:AttributeValue>member@local</saml2:AttributeValue>
         <saml2:AttributeValue>employee@local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>
</saml2:Assertion>

Die SAML-Assertion vom Login von nichts:
<!-- idp-process.log -->
2020-10-27 15:05:06,463 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ff10c860b5fb1aa50de68aafb6b397c6" IssueInstant="2020-10-27T14:05:06.264Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">J2V3ARQY7FDYV4QV7J2R27VZXIET4LUD</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_64a321653d02549eab2ea4e703d41121" NotOnOrAfter="2020-10-27T14:10:06.311Z" Recipient="https://sp1.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2020-10-27T14:05:06.264Z" NotOnOrAfter="2020-10-27T14:10:06.264Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp1.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2020-10-27T14:05:05.857Z" SessionIndex="_279bb080ea001840d00450f6c4a72f68">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
</saml2:Assertion>

Übung 6: Einzelnes Entitlement an nur einen SP übertragen

Ein Beispiel für PermitValueRule findet sich ebenfalls unter https://doku.tid.dfn.de/de:shibidp:config-attributes-publishers

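<!-- File: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
    <!-- Exercise 6: eduPersonEntitlement gets a second, SP-specific value that
         is derived from the organizational unit -->
    <AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
        <InputAttributeDefinition ref="eduPersonAffiliation" />
        <!-- the OU has to be wired in as a second input so that the script can
             read it as the variable organizationalUnit -->
        <InputAttributeDefinition ref="organizationalUnit" />
        <Script><![CDATA[
            // NOTE(review): an input attribute that resolved to no values is not
            // guaranteed to be exposed as a script variable (confirm for the IdP
            // version in use), so each input is tested for presence first; without
            // the guards the script aborts for accounts lacking an affiliation or
            // an OU and no entitlement is produced at all.
            if (typeof eduPersonAffiliation !== "undefined"
                    && eduPersonAffiliation.getValues().contains("member")) {
                eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
            }
            // the politologie entitlement is meant for SP2 only; limiting it to
            // SP2 is the job of attribute-filter.xml, not of this script
            if (typeof organizationalUnit !== "undefined"
                    && organizationalUnit.getValues().contains("politologie")) {
                eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");
            }
        ]]></Script>
    </AttributeDefinition>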

<!-- File: /opt/shibboleth-idp/conf/attribute-filter.xml -->
    <!-- Release to local SP1. -->
    <AttributeFilterPolicy id="SP1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <!-- release only common-lib-terms to SP1: a Value rule permits exactly
             the given value, every other entitlement value is filtered out
             (the cross-check with "adler" at SP1 below shows only this value) -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Release to local SP2.
         NOTE(review): the assertion for "adler" at SP2 below also carries
         eduPersonAffiliation, which no rule in this policy releases - either
         the live attribute-filter.xml still contained that rule from
         exercise 5 or this excerpt is incomplete; confirm before reusing
         this policy as-is. -->
    <AttributeFilterPolicy id="SP2">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="surname"                    permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="uid"                        permitAny="true"/>
        <!-- release every entitlement value to SP2 -->
        <AttributeRule attributeID="eduPersonEntitlement"       permitAny="true"/>
    </AttributeFilterPolicy>
Die SAML-Assertion vom Login von adler:
2020-10-27 17:01:28,761 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_633a6edf738b17bd602c12d321d6314e" IssueInstant="2020-10-27T16:01:28.009Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp2.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">57S46FXPIOZE2XHVYAUSF5Q4T2L5ZYDO</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_34c05c7299c04a27987f1af98d0ab472" NotOnOrAfter="2020-10-27T16:06:28.368Z" Recipient="https://sp2.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2020-10-27T16:01:28.009Z" NotOnOrAfter="2020-10-27T16:06:28.009Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp2.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2020-10-27T16:01:20.668Z" SessionIndex="_6584c47c39be9c47eb81ccdcab6cfde2">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>employee</saml2:AttributeValue>
         <saml2:AttributeValue>faculty</saml2:AttributeValue>
         <saml2:AttributeValue>member</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>member@local</saml2:AttributeValue>
         <saml2:AttributeValue>faculty@local</saml2:AttributeValue>
         <saml2:AttributeValue>employee@local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>adler</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>joerg.adler@nodomain.local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
         <saml2:AttributeValue>https://sp2.local/entitlement/politologie</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>
</saml2:Assertion>

Der Account nichts bekommt am SP2 die Antwort Unauthorized. Die SAML-Assertion von nichts:
2020-10-27 17:09:40,158 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dccd0a751a71e6483cab69a6faf94725" IssueInstant="2020-10-27T16:09:39.886Z" Version="2.0">
   <saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp2.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">KZAPSNYSEHPEH5B4TATJOUCOYTRN6GCQ</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_3cdc01edab77ce493cee3b40f1fbdacc" NotOnOrAfter="2020-10-27T16:14:40.035Z" Recipient="https://sp2.local/Shibboleth.sso/SAML2/POST"/>
      </saml2:SubjectConfirmation>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2020-10-27T16:09:39.886Z" NotOnOrAfter="2020-10-27T16:14:39.886Z">
      <saml2:AudienceRestriction>
         <saml2:Audience>https://sp2.local/shibboleth</saml2:Audience>
      </saml2:AudienceRestriction>
   </saml2:Conditions>
   <saml2:AuthnStatement AuthnInstant="2020-10-27T16:09:35.694Z" SessionIndex="_bb2d23db23074c0f4003268abae10e9a">
      <saml2:SubjectLocality Address="127.0.0.2"/>
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>hans.nichts@external.nodomain.local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>nichts</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>
</saml2:Assertion>

Gegenprobe: adler meldet sich am SP1 an, wohin das Politologie-Entitlement nicht übertragen werden soll. Hier nur das Attribute Statement:

   <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>member@local</saml2:AttributeValue>
         <saml2:AttributeValue>faculty@local</saml2:AttributeValue>
         <saml2:AttributeValue>employee@local</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
      </saml2:Attribute>
   </saml2:AttributeStatement>