Lösungen zu den Übungen
|
|
Übung 2: persistentID-Freigabe
2023-07-13 16:01:35,524 - 127.0.0.1 - INFO [Shibboleth-Audit.SSO:283] - 127.0.0.1|2023-07-13T14:01:21.357733203Z|2023-07-13T14:01:35.524627031Z|professorin|https://sp1.local/shibboleth|_ce92de69267400071da5ee034ee5a767|password|2023-07-13T14:01:34.520086902Z|eduPersonScopedAffiliation,mail,uid|AAdzZWNyZXQxfqnyxyDFz/Wls3uQu2wAc3bJHNkLie23TPItB6D2pJhw/sYqdurjV7ZyQCY3y7l6ZeJakp6QvJRAtYMOluYESBoDmYgOJva3R3PJc1SgWs8xVKHA2hRNjaZLmyixYReKzI9njezi|transient|false|false|AES128-GCM|Redirect|POST||Success||8f4e43c709c4d3c4704d0c11471839034ca721b8acd536da8194a876ab8b96b6|Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
2023-07-13 16:37:04,042 - 127.0.0.1 - INFO [Shibboleth-Audit.SSO:283] - 127.0.0.1|2023-07-13T14:35:51.081596867Z|2023-07-13T14:37:04.041804156Z|professorin|https://sp1.local/shibboleth|_ef7dde8b627ce15aa2580f954f987d88|password|2023-07-13T14:37:00.057545672Z|eduPersonScopedAffiliation,mail,uid|M22SVWRXLZIVUONQ55M522POYCQRIGJ4|persistent|false|false|AES128-GCM|Redirect|POST||Success||8d15478ef88fca9e6e35dafb04c524a2c4aad5edd44fea592024e74a25cf59cd|Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Übung 4: Loglevel auf Debug einstellen
# Datei: /opt/shibboleth-idp/conf/idp.properties
idp.loglevel.idp = DEBUG
idp.loglevel.messages = DEBUG
idp.loglevel.encryption = DEBUG
# die Konfiguration neu laden:
# der langsame Weg:
systemctl restart tomcat9.service
# schneller, aber trotzdem mit kurzer Unterbrechung:
touch /opt/shibboleth-idp/war/idp.war
# ohne Unterbrechung: 5 Min. warten., siehe Reload-Intervalle in conf/services.properties
Übung 5: dfnEduPerson-Schema importieren
# Download der Transcoding Properties für dfnEduPerson:
wget https://download.aai.dfn.de/schema/dfnEduPerson.xml -O /opt/shibboleth-idp/conf/attributes/dfnEduPerson.xml
ls /opt/shibboleth-idp/conf/attributes/
custom default-rules.xml dfnEduPerson.xml eduCourse.xml eduPerson.xml inetOrgPerson.xml samlSubject.xml
# Einbinden in default-rules.xml
[...]
<import resource="dfnEduPerson.xml" />
[...]
Übung 6: eduPersonScopedAffiliation aus eduPersonAffiliation bilden
<!-- Datei: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
<AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
<InputAttributeDefinition ref="eduPersonAffiliation" />
</AttributeDefinition>
Übung 7: Attributfreigaben differenzieren
Für die attribute-filter.xml gibt es zwei mögliche Schreibweisen. Die erste wird in den mitgelieferten Beispieldateien verwendet. Die zweite (unten) ist kürzer und übersichtlicher.
<!-- 1. Schreibweise -->
<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
<!-- Release to local SP1. -->
<AttributeFilterPolicy id="SP1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- Release to local SP2. -->
<AttributeFilterPolicy id="SP2">
<PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- 2. Schreibweise -->
<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
<!-- Release to local SP1. -->
<AttributeFilterPolicy id="SP1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
</AttributeFilterPolicy>
<!-- Release to local SP2. -->
<AttributeFilterPolicy id="SP2">
<PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
<AttributeRule attributeID="surname" permitAny="true"/>
<AttributeRule attributeID="givenName" permitAny="true"/>
<AttributeRule attributeID="mail" permitAny="true"/>
<AttributeRule attributeID="uid" permitAny="true"/>
</AttributeFilterPolicy>
Übung 8: common-lib-terms für alle "member@local" übertragen
Doku: https://doku.tid.dfn.de/de:shibidp:config-attributes-publishers
<!-- Datei: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
<!-- definiert wird das Attribut eduPersonEntitlement -->
<AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
<!-- als Informationsquelle wird das Attribut eduPersonAffiliation genutzt -->
<InputAttributeDefinition ref="eduPersonAffiliation" />
<Script><![CDATA[
// wenn eduPersonAffiliation für die Person den Wert 'member' hat, ...
if (eduPersonAffiliation.getValues().contains("member")) {
// ... dann bekommt eduPersonEntitlement den Wert 'urn:mace:dir:entitlement:common-lib-terms'
eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
}
]]>
</Script>
</AttributeDefinition>
Anschließend muss das Attribut eduPersonEntitlement auch für die SPs freigegeben werden:
<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
<!-- Release to local SP1. -->
<AttributeFilterPolicy id="SP1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
<AttributeRule attributeID="eduPersonEntitlement" permitAny="true"/>
</AttributeFilterPolicy>
<!-- Release to local SP2. -->
<AttributeFilterPolicy id="SP2">
<PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
<AttributeRule attributeID="eduPersonAffiliation" permitAny="true"/>
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
<AttributeRule attributeID="surname" permitAny="true"/>
<AttributeRule attributeID="givenName" permitAny="true"/>
<AttributeRule attributeID="mail" permitAny="true"/>
<AttributeRule attributeID="uid" permitAny="true"/>
<AttributeRule attributeID="eduPersonEntitlement" permitAny="true"/>
</AttributeFilterPolicy>
Die SAML-Assertion vom Login von professorin:
<!-- idp-process.log -->
2021-09-08 13:36:22,449 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cf4228f862a4b997bbbd7b5c3b395299" IssueInstant="2021-09-08T11:36:21.671Z" Version="2.0">
<saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ZrUq2jdeUVo5sO9Z3WnuwKEUGTw=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_1565b5838dd009ff423216c6fc6646c7" NotOnOrAfter="2021-09-08T11:41:21.902Z" Recipient="https://sp1.local/Shibboleth.sso/SAML2/POST"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-08T11:36:21.671Z" NotOnOrAfter="2021-09-08T11:41:21.671Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://sp1.local/shibboleth</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-08T11:36:14.437Z" SessionIndex="_e30db63df76c093a938fa393916fb621">
<saml2:SubjectLocality Address="127.0.0.2"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>member@local</saml2:AttributeValue>
<saml2:AttributeValue>employee@local</saml2:AttributeValue>
<saml2:AttributeValue>staff@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Die SAML-Assertion vom Login von extern:
<!-- idp-process.log -->
2021-09-08 15:23:18,904 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_21d13a8ab75ca1dbed651b2fcd99a7ca" IssueInstant="2021-09-08T13:23:18.177Z" Version="2.0">
<saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">InPeS420PHTUEZKu84vtf1k1POg=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_798fb58891f4b5587829169c23ff1d09" NotOnOrAfter="2021-09-08T13:28:18.440Z" Recipient="https://sp1.local/Shibboleth.sso/SAML2/POST"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-08T13:23:18.177Z" NotOnOrAfter="2021-09-08T13:28:18.177Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://sp1.local/shibboleth</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-08T13:23:15.009Z" SessionIndex="_0df1859fae1395ca878f0887a71db2ef">
<saml2:SubjectLocality Address="127.0.0.2"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
Übung 9: Einzelnes Entitlement an nur einen SP übertragen
Beispiel für PermitValueRule ebenfalls unter https://doku.tid.dfn.de/de:shibidp:config-attributes-publishers
<!-- Datei: /opt/shibboleth-idp/conf/attribute-resolver.xml -->
<AttributeDefinition xsi:type="ScriptedAttribute" id="eduPersonEntitlement">
<InputAttributeDefinition ref="eduPersonAffiliation" />
<!-- hier muss die OU als zweite Infoquelle eingebunden werden -->
<InputAttributeDefinition ref="organizationalUnit" />
<Script>
<![CDATA[
if (eduPersonAffiliation.getValues().contains("member")) {
eduPersonEntitlement.getValues().add("urn:mace:dir:entitlement:common-lib-terms");
}
if (organizationalUnit.getValues().contains("politologie")) {
eduPersonEntitlement.getValues().add("https://sp2.local/entitlement/politologie");
}
]]>
</Script>
</AttributeDefinition>
<!-- Datei: /opt/shibboleth-idp/conf/attribute-filter.xml -->
<!-- Release to local SP1. -->
<AttributeFilterPolicy id="SP1">
<PolicyRequirementRule xsi:type="Requester" value="https://sp1.local/shibboleth" />
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
<!-- an SP1 nur common-lib-terms übertragen -->
<AttributeRule attributeID="eduPersonEntitlement">
<PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- Release to local SP2. -->
<AttributeFilterPolicy id="SP2">
<PolicyRequirementRule xsi:type="Requester" value="https://sp2.local/shibboleth" />
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
<AttributeRule attributeID="surname" permitAny="true"/>
<AttributeRule attributeID="givenName" permitAny="true"/>
<AttributeRule attributeID="mail" permitAny="true"/>
<AttributeRule attributeID="uid" permitAny="true"/>
<!-- an SP2 jeden Wert übertragen -->
<AttributeRule attributeID="eduPersonEntitlement" permitAny="true"/>
</AttributeFilterPolicy>
Die SAML-Assertion vom Login von polstudi:
2021-09-08 15:49:44,041 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_882ef083bbb4c9e645a6a6b7839d2a0e" IssueInstant="2021-09-08T13:49:43.780Z" Version="2.0">
<saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp2.local/sh
ibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">7DK9v7LlqyUH10fSxvDUzB7QOC4=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_fdd852ae1ef5a6a05e6f3824d21dd66c" NotOnOrAfter="2021-09-08T13:54:43.881Z" Recipient="https://
sp2.local/Shibboleth.sso/SAML2/POST"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-08T13:49:43.780Z" NotOnOrAfter="2021-09-08T13:54:43.780Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://sp2.local/shibboleth</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-08T13:49:15.505Z" SessionIndex="_ec3568d922ba0643ad2099f3ebabfee1">
<saml2:SubjectLocality Address="127.0.0.2"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>polstudi</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>max.strebsam@student.nodomain.local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>member@local</saml2:AttributeValue>
<saml2:AttributeValue>student@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
<saml2:AttributeValue>https://sp2.local/entitlement/politologie</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Der Account biostudi bekommt am SP2 die Antwort Unauthorized. Die SAML-Assertion von biostudi:
2021-09-08 15:54:09,910 - 127.0.0.2 - DEBUG [org.opensaml.saml.saml2.encryption.Encrypter:339] - Assertion before encryption:
<?xml version="1.0" encoding="UTF-8"?><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_52497b5b2012df6280564883ab4c101b" IssueInstant="2021-09-08T13:54:09.571Z" Version="2.0">
<saml2:Issuer>https://idp.local/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth" SPNameQualifier="https://sp2.local/sh
ibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SAmLpofK57Ut0PZPw8dXfpNvr/c=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="127.0.0.2" InResponseTo="_731de97903ade13a8e162d6a5eacd03a" NotOnOrAfter="2021-09-08T13:59:09.806Z" Recipient="https://
sp2.local/Shibboleth.sso/SAML2/POST"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-08T13:54:09.571Z" NotOnOrAfter="2021-09-08T13:59:09.571Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://sp2.local/shibboleth</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-08T13:54:03.476Z" SessionIndex="_e458dbaf0a8b5c299b0ad5232f4279bb">
<saml2:SubjectLocality Address="127.0.0.2"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>biostudi</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>mia.studi@student.nodomain.local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>member@local</saml2:AttributeValue>
<saml2:AttributeValue>student@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>Mia</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Gegenprobe: polstudi meldet sich am SP1 an, wohin das Politologie-Entitlement nicht übertragen werden soll. Hier nur das Attribute Statement aus der SAML-Assertion:
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>member@local</saml2:AttributeValue>
<saml2:AttributeValue>student@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
Übung 10: Vergleich von Identifiern
SAML-Assertion von professorin (gekürzt):
...
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth"
SPNameQualifier="https://sp1.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ZrUq2jdeUVo5sO9Z3WnuwKEUGTw=</saml2:NameID>
</saml2:Subject>
...
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="samlSubjectID" Name="urn:oasis:names:tc:SAML:attribute:subject-id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="samlPairwiseID" Name="urn:oasis:names:tc:SAML:attribute:pairwise-id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>ZrUq2jdeUVo5sO9Z3WnuwKEUGTw=@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonUniqueId" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
...
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.local/idp/shibboleth"
SPNameQualifier="https://sp2.local/shibboleth" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">teBAMDTLTCUHqqO5vycFPrwhKos=</saml2:NameID>
</saml2:Subject>
...
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="samlPairwiseID" Name="urn:oasis:names:tc:SAML:attribute:pairwise-id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>teBAMDTLTCUHqqO5vycFPrwhKos=@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonUniqueId" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="samlSubjectID" Name="urn:oasis:names:tc:SAML:attribute:subject-id"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>5241e5ad778e6a9de03336337da47ddaabf354ecd3deaa0913518eb7647398cb@local</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>