Konfigurationsbeispiele für AAIplus

Work in Progress

Diese Seite ist noch im Aufbau begriffen!

Die u.g. Beispiele für Attribut-Konfigurationen beziehen sich auf die aktuell gültigen Best-Practice-Empfehlungen zur Verwendung von Attributen in der DFN-AAI.

Beispiele für die Definition von eduPersonEntitlement und eduPerson(Scoped)Affiliation finden sich unter Attribut-Configuration für Verlagsanbieter, zu schacUserStatus siehe unter User Deprovisionierung.


FIXME Beispiel für Shib IdP 4, Deployment-Empfehlungen bzgl. pairwise-id für Neuinstallationen


/opt/shibboleth-idp/conf/attribute-resolver.xml
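    <!-- uid: the authenticated principal name (PrincipalName), i.e. the login name from the
         authentication flow, not a value read from LDAP. It is a purely local identifier and is
         not listed in the releaseToAAIplus filter policy on this page; federation-wide
         identification uses subject-id / pairwise-id below.
         encodeType="false" as on the other encoders in this file, so the SAML AttributeValue
         is emitted without an xsi:type. -->
    <AttributeDefinition id="uid" xsi:type="PrincipalName">
        <DisplayName xml:lang="en">User Name</DisplayName>
        <DisplayName xml:lang="de">Nutzerkennung</DisplayName>
        <DisplayDescription xml:lang="en">Local User Id</DisplayDescription>
        <DisplayDescription xml:lang="de">Nutzerkennung der Heimateinrichtung</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </AttributeDefinition>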
 
    <!-- dies hier ist nur eine Auswahl! Bei Bedarf weitere Attribut-Definitionen einfügen -->
 
    <!-- mail: copied verbatim from the LDAP attribute "mail" (connector myLDAP).
         Released to AAIplus SPs by the releaseToAAIplus policy when their metadata requests it. -->
    <AttributeDefinition id="mail" xsi:type="Simple">
        <InputDataConnector ref="myLDAP" attributeNames="mail"/>
        <DisplayName xml:lang="en">E-mail</DisplayName>
        <DisplayName xml:lang="de">E-Mail</DisplayName>
        <DisplayDescription xml:lang="en">E-Mail address</DisplayDescription>
        <DisplayDescription xml:lang="de">E-Mail Adresse</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false"/>
    </AttributeDefinition>
 
    <!-- displayName: assembled from the LDAP attributes givenName and sn with the template below.
         NOTE(review): confirm what this definition emits when givenName or sn is missing or
         multi-valued for a user; whatever it produces is released as the person's display name. -->
    <AttributeDefinition xsi:type="Template" id="displayName">
        <InputDataConnector ref="myLDAP" attributeNames="givenName sn"/>
        <DisplayName xml:lang="en">Display name</DisplayName>
        <DisplayName xml:lang="de">Angezeigter Name</DisplayName>
        <DisplayDescription xml:lang="en">Display name of a person</DisplayDescription>
        <DisplayDescription xml:lang="de">Angezeigter Name des Nutzers bzw. der Nutzerin</DisplayDescription>
        <Template>${givenName} ${sn}</Template> 
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
    </AttributeDefinition>
 
    <!-- schacHomeOrganization: one fixed value for every user, taken from the Static connector
         "staticAttributes" below (the value there is a placeholder to be replaced with the
         institution's own domain). -->
    <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple">
        <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization" />
        <DisplayName xml:lang="en">Home organization (Schac)</DisplayName>
        <DisplayName xml:lang="de">Heimateinrichtung (Schac)</DisplayName>
        <DisplayDescription xml:lang="en">Home organization (Schac)</DisplayDescription>
        <DisplayDescription xml:lang="de">Heimateinrichtung (Schac)</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" encodeType="false" />
    </AttributeDefinition>
 
    <!-- o: human-readable organisation name, one fixed value for every user from the Static
         connector "staticAttributes" (placeholder "Test Organization" there). -->
    <AttributeDefinition xsi:type="Simple" id="o">
        <InputDataConnector ref="staticAttributes" attributeNames="o"/>
        <DisplayName xml:lang="en">Home organization</DisplayName>
        <DisplayName xml:lang="de">Heimateinrichtung</DisplayName>
        <DisplayDescription xml:lang="en">Home organization</DisplayDescription>
        <DisplayDescription xml:lang="de">Heimateinrichtung</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
    </AttributeDefinition>
 
    <!-- Identifier Attributes -->
 
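    <!-- subjectHash: source value for samlSubjectID (and eduPersonUniqueId).
         Value = lowercase hex SHA-256 of (first value of the source attribute + idp.persistentId.salt).
         * The hash does not involve the relying party, so every SP receives the same identifier;
           it is therefore correlatable across SPs and is released only where the filter policy allows.
         * The salt is what keeps anyone who knows a user's login name from recomputing the identifier:
           it must stay secret and must never be rotated (every subject-id would change).
         * dependencyOnly="true": the raw hash is never released itself, only via the scoped
           definitions that depend on it.
         * Guarded against a missing or empty source attribute: the previous unconditional
           getValues().get(0) threw on an empty list and failed the script instead of simply
           producing no value. -->
    <AttributeDefinition id="subjectHash" xsi:type="ScriptedAttribute" dependencyOnly="true">
        <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
        <Script><![CDATA[
          var digestUtils = Java.type("org.apache.commons.codec.digest.DigestUtils");
          // Only compute when the source attribute resolved and carries at least one value.
          if (typeof %{idp.persistentId.sourceAttribute} != "undefined"
              && %{idp.persistentId.sourceAttribute} != null
              && %{idp.persistentId.sourceAttribute}.getValues().size() > 0) {
              // NOTE(review): get(0) assumes a single-valued source attribute that is never
              // reassigned to another person; confirm this for the attribute configured in LDAP.
              var saltedHash = digestUtils.sha256Hex(%{idp.persistentId.sourceAttribute}.getValues().get(0) + "%{idp.persistentId.salt}");
              subjectHash.addValue(saltedHash);
          }
        ]]></Script>
    </AttributeDefinition>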
 
    <!-- subject-id: subjectHash@idp.scope. Stable and identical for every SP (the hash in
         subjectHash does not depend on the relying party), so it allows cross-SP correlation of a
         person; the releaseToAAIplus policy releases it only when the SP's metadata requests it. -->
    <AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
        <InputAttributeDefinition ref="subjectHash" />
        <DisplayName xml:lang="en">Unique Subject ID</DisplayName>
        <DisplayName xml:lang="de">Eindeutige Subject ID</DisplayName>
        <DisplayDescription xml:lang="en">Unique ID: A unique identifier for a person, mainly for inter-institutional user identification</DisplayDescription>
        <DisplayDescription xml:lang="de">Eindeutige Nutzerkennung</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subject-id" encodeType="false" />
    </AttributeDefinition>
 
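    <!-- pairwise-id: persistentId@idp.scope, where persistentId comes from the StoredId connector
         "myStoredId" and differs per service provider (see the DisplayDescription), so SPs cannot
         correlate users through it. The en/de DisplayName texts are attached to the matching
         xml:lang so the consent page shows the right language. -->
    <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
        <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
        <DisplayName xml:lang="en">Pairwise ID (pseudonymous ID)</DisplayName>
        <DisplayName xml:lang="de">Pairwise ID (pseudonyme Kennung)</DisplayName>
        <DisplayDescription xml:lang="en">Targeted ID: A unique, opaque identifier for a person, different for each service provider.</DisplayDescription>
        <DisplayDescription xml:lang="de">Targeted ID: Eindeutige, opake Nutzerkennung, unterschiedlich pro Service Provider.</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
    </AttributeDefinition>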
 
    <!-- Deprecated - nur für Kompatibilität mit rückschrittlichen SPs --> 
 
    <!-- Same value as subject-id: both read subjectHash, this one is encoded under the legacy
         eduPersonUniqueId OID for SPs that do not yet consume subject-id. Carries the same
         cross-SP correlation property as subject-id. Not listed in the releaseToAAIplus policy on
         this page.
         NOTE(review): unlike the other encoders in this file this one does not set
         encodeType="false"; confirm that is intended for the legacy SPs it serves. -->
    <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}">
        <InputAttributeDefinition ref="subjectHash" />
        <DisplayName xml:lang="en">Unique ID</DisplayName>
        <DisplayName xml:lang="de">Eindeutige ID</DisplayName>
        <DisplayDescription xml:lang="en">Unique ID: A unique identifier for a person, mainly for inter-institutional user identification</DisplayDescription>
        <DisplayDescription xml:lang="de">Eindeutige Nutzerkennung</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2String"
                  name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" />
    </AttributeDefinition>
 
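    <!-- Targeted ID / Persistent ID (deprecated): the same per-SP persistentId as pairwise-id,
         wrapped as a persistent SAML2 NameID inside the attribute for SPs that still consume
         eduPersonTargetedID. Not listed in the releaseToAAIplus policy on this page.
         The en/de DisplayName texts are attached to the matching xml:lang. -->
    <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
        <DisplayName xml:lang="en">Targeted ID (pseudonymous ID)</DisplayName>
        <DisplayName xml:lang="de">Targeted ID (pseudonyme Kennung)</DisplayName>
        <DisplayDescription xml:lang="en">Targeted ID: A unique, pseudonymous identifier for a person, different for each service provider.</DisplayDescription>
        <DisplayDescription xml:lang="de">Targeted ID: Eindeutige, pseudonyme Nutzerkennung, unterschiedlich pro Service Provider.</DisplayDescription>
        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </AttributeDefinition>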
 
 
    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->
 
    <!-- Static connector: fixed values that every user receives. All three values are placeholders
         and must be replaced with the institution's own data before deployment.
         schacHomeOrganizationType is defined here but no attribute definition on this page
         references it. -->
    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="schacHomeOrganization">
            <Value>hochschule-example.de</Value>
        </Attribute>
        <Attribute id="schacHomeOrganizationType">
            <Value>urn:schac:homeOrganizationType:eu:higherEducationalInstitution</Value>
        </Attribute>
        <Attribute id="o">
            <Value>Test Organization</Value>
        </Attribute>
    </DataConnector>
 
    <!-- StoredId connector: generates the per-SP "persistentId" consumed by samlPairwiseID and
         eduPersonTargetedID and persists it in the data source below.
         * salt: the same property as used in subjectHash; it must be kept secret and never
           changed, otherwise every persistent/pairwise id changes.
         * encoding="BASE32": keeps the generated value within the character set permitted for
           pairwise-id.
         * The source is the attribute definition named by idp.persistentId.sourceAttribute,
           whereas subjectHash reads the raw LDAP attribute of that name.
           NOTE(review): both paths must yield the same stable, never reassigned value.
         * MyPidDataSource: JDBC data source bean defined elsewhere (presumably global.xml). -->
    <DataConnector id="myStoredId"
        xsi:type="StoredId"
        generatedAttributeID="persistentId"
        encoding="BASE32"
        salt="%{idp.persistentId.salt}">
        <InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}" />
        <BeanManagedConnection>MyPidDataSource</BeanManagedConnection>
    </DataConnector>
 
    <!-- LDAP connector: all connection details come from idp.attribute.resolver.LDAP.* properties.
         Transport security: useStartTLS defaults to true here and trustFile names the certificate
         store used to verify the directory server; do not disable either, since the bind credential
         (principalCredential) is sent over this connection.
         NOTE(review): the search filter is supplied by idp.attribute.resolver.LDAP.searchFilter;
         confirm it does not build the filter from unescaped user input (LDAP filter injection). -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
                trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <!-- Connection pool; the value after ":" in each property is the default used when the
             property is unset. failFastInitialize defaults to false here, so presumably the IdP
             starts even if the directory is unreachable at startup. -->
            <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
    </DataConnector>

Damit Endnutzer*innen in die Lage versetzt werden können, über das User Consent Modul die Übertragung optionaler Attribute an- oder abzuwählen, muss onlyIfRequired="false" gesetzt werden.

/opt/shibboleth-idp/conf/attribute-filter.xml
    <!-- releaseToAAIplus: applies to every SP whose metadata carries the entity-category attribute
         http://aai.dfn.de/category/aai-plus (exact match). The decision therefore rests on the
         metadata source asserting that category; only verified federation metadata should feed it.
         Each rule releases the attribute only if the SP's metadata lists it as a RequestedAttribute;
         onlyIfRequired="false" also admits attributes marked optional, so the consent module can
         offer them to the user. Rules for schacUserStatus, eduPersonScopedAffiliation,
         eduPersonEntitlement, eduPersonOrcid and eduPersonAssurance refer to attribute
         definitions that are not part of the resolver excerpt on this page. -->
    <AttributeFilterPolicy id="releaseToAAIplus">
 
       <PolicyRequirementRule 
               xsi:type="EntityAttributeExactMatch"
               attributeName="http://macedir.org/entity-category"
               attributeValue="http://aai.dfn.de/category/aai-plus" />
 
       <AttributeRule attributeID="samlSubjectID">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="samlPairwiseID">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="displayName">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="schacHomeOrganization">
         <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>       
 
       <AttributeRule attributeID="o">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="schacUserStatus">
         <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonScopedAffiliation">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonEntitlement">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonOrcid">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonAssurance">
          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
       </AttributeRule>
 
</AttributeFilterPolicy>
/opt/shibboleth-idp/conf/relying-party.xml
    <!-- Relying parties that cannot be verified against metadata get an empty profile list,
         i.e. no SSO response and no attributes at all. Keep this list empty. -->
    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
            <!-- nothing here on purpose -->
            </list>
        </property>
    </bean>
 
    <!-- für die üblichen AAI-Szenarien reichen die Profile SSO und SLO aus, die transient Id wird für Logout benötigt -->
 
    <!-- Default for all verified SPs: SAML2 SSO and Logout only (no AttributeQuery).
         * postAuthenticationFlows: terms-of-use and attribute-release (consent) run before the
           assertion is issued.
         * NameID precedence "transient": the NameID itself is a short-lived random value; the
           persistent/pseudonymous identifiers travel as attributes (pairwise-id, subject-id)
           governed by the attribute filter. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" 
                      p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
                <ref bean="SAML2.Logout" />
            </list>
        </property>
    </bean>
 
    <!-- Bestimmte SPs dürfen Attribute Queries durchführen: -->
 
    <!-- Override for explicitly named SPs: same SSO/Logout setup as the default plus
         SAML2.AttributeQuery (back-channel attribute query). Keep this list explicit and short:
         the query profile has no postAuthenticationFlows configured here, so the consent flows
         set on SAML2.SSO do not apply to attributes returned that way. The two entity IDs are
         DFN test SPs and must be replaced by the SPs actually entitled to query. -->
    <bean parent="RelyingPartyByName" 
          c:relyingPartyIds="#{{'https://testsp.aai.dfn.de/shibboleth', 'https://testsp2.aai.dfn.de/shibboleth'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" 
                      p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
            </list>
        </property>
    </bean>