Konfigurationsbeispiele für AAIplus
Work in Progress
Diese Seite ist noch im Aufbau begriffen! Die unten aufgeführten Beispiele für Attribut-Konfigurationen beziehen sich auf die aktuell gültigen Best-Practice-Empfehlungen zur Verwendung von Attributen in der DFN-AAI.
Attribute Resolver
Beispiele für die Definition von eduPersonEntitlement und eduPerson(Scoped)Affiliation finden sich unter Attribut-Konfiguration für Verlagsanbieter; Beispiele zu schacUserStatus finden sich unter User-Deprovisionierung.
Beispiel für Shibboleth IdP 4 gemäß den Deployment-Empfehlungen zur pairwise-id für Neuinstallationen
- /opt/shibboleth-idp/conf/attribute-resolver.xml
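<!-- attribute-resolver.xml (Shibboleth IdP 4): example definitions for the AAIplus entity category.
     This is only a selection; add further AttributeDefinitions as required.
     Every DisplayName/DisplayDescription below is shown to end users by the attribute-release (consent)
     flow, so the xml:lang of each element must match the language of its text. -->

<!-- uid: the authenticated principal name, encoded as urn:oid:0.9.2342.19200300.100.1.1 -->
<AttributeDefinition id="uid" xsi:type="PrincipalName">
    <DisplayName xml:lang="en">User Name</DisplayName>
    <DisplayName xml:lang="de">Nutzerkennung</DisplayName>
    <DisplayDescription xml:lang="en">Local User Id</DisplayDescription>
    <DisplayDescription xml:lang="de">Nutzerkennung der Heimateinrichtung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</AttributeDefinition>

<!-- mail: taken unchanged from the LDAP attribute "mail" -->
<AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <DisplayName xml:lang="en">E-mail</DisplayName>
    <DisplayName xml:lang="de">E-Mail</DisplayName>
    <DisplayDescription xml:lang="en">E-Mail address</DisplayDescription>
    <DisplayDescription xml:lang="de">E-Mail Adresse</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false"/>
</AttributeDefinition>

<!-- displayName: "givenName sn" assembled from the two LDAP attributes -->
<AttributeDefinition xsi:type="Template" id="displayName">
    <InputDataConnector ref="myLDAP" attributeNames="givenName sn"/>
    <DisplayName xml:lang="en">Display name</DisplayName>
    <DisplayName xml:lang="de">Angezeigter Name</DisplayName>
    <DisplayDescription xml:lang="en">Display name of a person</DisplayDescription>
    <DisplayDescription xml:lang="de">Angezeigter Name des Nutzers bzw. der Nutzerin</DisplayDescription>
    <Template>${givenName} ${sn}</Template>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
</AttributeDefinition>

<!-- schacHomeOrganization and o are constants from the Static connector below; set them to your institution -->
<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple">
    <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization" />
    <DisplayName xml:lang="en">Home organization (Schac)</DisplayName>
    <DisplayName xml:lang="de">Heimateinrichtung (Schac)</DisplayName>
    <DisplayDescription xml:lang="en">Home organization (Schac)</DisplayDescription>
    <DisplayDescription xml:lang="de">Heimateinrichtung (Schac)</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="o">
    <InputDataConnector ref="staticAttributes" attributeNames="o"/>
    <DisplayName xml:lang="en">Home organization</DisplayName>
    <DisplayName xml:lang="de">Heimateinrichtung</DisplayName>
    <DisplayDescription xml:lang="en">Home organization</DisplayDescription>
    <DisplayDescription xml:lang="de">Heimateinrichtung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
</AttributeDefinition>

<!-- ===== Identifier attributes ===== -->

<!-- subjectHash: SHA-256 over (first value of the source attribute + idp.persistentId.salt).
     It is the opaque, SP-independent local part of subject-id and eduPersonUniqueId.
     dependencyOnly="true": the raw hash is never released on its own.
     NOTE(review): only the first value is used, so idp.persistentId.sourceAttribute must name an
     attribute that is single-valued and is never reassigned to another person; otherwise the
     subject-id would change or collide. The salt is substituted into the script as a string
     literal, so it must not contain a double quote or a backslash. The guard below leaves the
     attribute empty (instead of letting the script throw) when the source attribute is absent
     or has no values. -->
<AttributeDefinition id="subjectHash" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
    <Script><![CDATA[
        var digestUtils = Java.type("org.apache.commons.codec.digest.DigestUtils");
        if (typeof %{idp.persistentId.sourceAttribute} !== "undefined"
                && %{idp.persistentId.sourceAttribute} != null
                && %{idp.persistentId.sourceAttribute}.getValues().size() > 0) {
            var saltedHash = digestUtils.sha256Hex(
                %{idp.persistentId.sourceAttribute}.getValues().get(0) + "%{idp.persistentId.salt}");
            subjectHash.addValue(saltedHash);
        }
    ]]></Script>
</AttributeDefinition>

<!-- subject-id: subjectHash@idp.scope, the same value for every SP -->
<AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
    <InputAttributeDefinition ref="subjectHash" />
    <DisplayName xml:lang="en">Unique Subject ID</DisplayName>
    <DisplayName xml:lang="de">Eindeutige Subject ID</DisplayName>
    <DisplayDescription xml:lang="en">Unique ID: A unique identifier for a person, mainly for inter-institutional user identification</DisplayDescription>
    <DisplayDescription xml:lang="de">Eindeutige Nutzerkennung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subject-id" encodeType="false" />
</AttributeDefinition>

<!-- pairwise-id: per-SP value from the StoredId connector (BASE32 keeps it inside the character
     set allowed for a scoped identifier), i.e. the same stored value as eduPersonTargetedID below.
     The en/de texts are assigned to the matching xml:lang. -->
<AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
    <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
    <DisplayName xml:lang="en">Pairwise ID (pseudonymous ID)</DisplayName>
    <DisplayName xml:lang="de">Pairwise ID (pseudonyme Kennung)</DisplayName>
    <DisplayDescription xml:lang="en">Pairwise ID: A unique, opaque identifier for a person, different for each service provider.</DisplayDescription>
    <DisplayDescription xml:lang="de">Pairwise ID: Eindeutige, opake Nutzerkennung, unterschiedlich pro Service Provider.</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
</AttributeDefinition>

<!-- eduPersonUniqueId: deprecated, kept only for SPs that do not yet consume subject-id; same value as subject-id -->
<AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}">
    <InputAttributeDefinition ref="subjectHash" />
    <DisplayName xml:lang="en">Unique ID</DisplayName>
    <DisplayName xml:lang="de">Eindeutige ID</DisplayName>
    <DisplayDescription xml:lang="en">Unique ID: A unique identifier for a person, mainly for inter-institutional user identification</DisplayDescription>
    <DisplayDescription xml:lang="de">Eindeutige Nutzerkennung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" />
</AttributeDefinition>

<!-- eduPersonTargetedID: deprecated predecessor of pairwise-id, carried as a persistent NameID inside the attribute -->
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
    <DisplayName xml:lang="en">Targeted ID (pseudonymous ID)</DisplayName>
    <DisplayName xml:lang="de">Targeted ID (pseudonyme Kennung)</DisplayName>
    <DisplayDescription xml:lang="en">Targeted ID: A unique, pseudonymous identifier for a person, different for each service provider.</DisplayDescription>
    <DisplayDescription xml:lang="de">Targeted ID: Eindeutige, pseudonyme Nutzerkennung, unterschiedlich pro Service Provider.</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</AttributeDefinition>

<!-- ===== Data connectors ===== -->

<!-- Constant values describing the home organisation; replace the example values with your own -->
<DataConnector id="staticAttributes" xsi:type="Static">
    <Attribute id="schacHomeOrganization">
        <Value>hochschule-example.de</Value>
    </Attribute>
    <Attribute id="schacHomeOrganizationType">
        <Value>urn:schac:homeOrganizationType:eu:higherEducationalInstitution</Value>
    </Attribute>
    <Attribute id="o">
        <Value>Test Organization</Value>
    </Attribute>
</DataConnector>

<!-- StoredId: generates one opaque identifier per (user, SP) from the source attribute and the salt
     and persists it in the database behind MyPidDataSource.
     NOTE(review): the salt is secret and is shared with subjectHash above; changing it changes
     every subject-id and every not yet stored pairwise-id. -->
<DataConnector id="myStoredId" xsi:type="StoredId"
    generatedAttributeID="persistentId"
    encoding="BASE32"
    salt="%{idp.persistentId.salt}">
    <InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}" />
    <BeanManagedConnection>MyPidDataSource</BeanManagedConnection>
</DataConnector>

<!-- LDAP: all connection details are taken from the idp.attribute.resolver.LDAP.* properties.
     Keep useStartTLS (default true) and trustFile set so that the bind credential and the
     attribute values are not transmitted in clear and the directory server is authenticated. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
        failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>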
Attribute Filter
Damit Endnutzer*innen über das User-Consent-Modul die Übertragung optionaler Attribute an- oder abwählen können, muss onlyIfRequired="false" gesetzt werden: Mit onlyIfRequired="true" würden nur die Attribute freigegeben, die der SP in seinen Metadaten als isRequired="true" anfordert; mit onlyIfRequired="false" auch die als optional angeforderten, die dann im Consent-Dialog einzeln abgewählt werden können. In beiden Fällen werden nur Attribute freigegeben, die der SP in seinen Metadaten als RequestedAttribute aufführt.
- /opt/shibboleth-idp/conf/attribute-filter.xml
<!-- Release policy for SPs that carry the AAIplus entity category.
     The PolicyRequirementRule matches the entity attribute
     http://macedir.org/entity-category = http://aai.dfn.de/category/aai-plus in the SP's metadata,
     so the policy is only as trustworthy as the metadata source that asserts that category
     (normally the signed federation aggregate, not metadata supplied by the SP itself).
     AttributeInMetadata releases an attribute only when the SP lists it as a RequestedAttribute;
     onlyIfRequired="false" also releases attributes the SP marks isRequired="false", which users
     can then deselect in the consent dialog. A rule for an attribute ID that is not defined in
     attribute-resolver.xml has no effect until the attribute is defined there. -->
<AttributeFilterPolicy id="releaseToAAIplus">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://aai.dfn.de/category/aai-plus" />

    <!-- identifiers -->
    <AttributeRule attributeID="samlSubjectID">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="samlPairwiseID">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>

    <!-- person and organisation -->
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="schacHomeOrganization">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="o">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>

    <!-- status, affiliation, entitlements, assurance -->
    <AttributeRule attributeID="schacUserStatus">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonOrcid">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAssurance">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
</AttributeFilterPolicy>
Relying Party Konfigurationen
- /opt/shibboleth-idp/conf/relying-party.xml
<!-- relying-party.xml (Shibboleth IdP 4) -->

<!-- Relying parties without trusted metadata: the profile list is deliberately empty,
     so no profile is enabled for them. -->
<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- intentionally empty -->
        </list>
    </property>
</bean>

<!-- Default for every verified SP. For the usual AAI scenarios SAML2 SSO and SAML2 Logout are
     sufficient; the transient NameID format is preferred because it is needed for logout.
     The terms-of-use and attribute-release (consent) flows run after authentication in SSO. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
            <ref bean="SAML2.Logout" />
        </list>
    </property>
</bean>

<!-- Override by entityID: only the SPs listed here additionally get the SAML2 AttributeQuery profile.
     Keep this list short: an attribute query is a back-channel request answered without a user
     login, and the consent flows configured on SAML2.SSO do not apply to it. -->
<bean parent="RelyingPartyByName"
    c:relyingPartyIds="#{{'https://testsp.aai.dfn.de/shibboleth', 'https://testsp2.aai.dfn.de/shibboleth'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}"
                p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
        </list>
    </property>
</bean>