Data Connector

Archive

This article is a community contribution for Shibboleth IdP 3.x. It is unclear whether it still applies unchanged to Shibboleth IdP 4.x.

To write your own data connector for the Shibboleth Identity Provider version 3, certain classes must be extended and your own namespace must be created.

  • Data connector class:
    net.shibboleth.idp.attribute.resolver.AbstractDataConnector
  • Parser:
    net.shibboleth.idp.attribute.resolver.spring.dc.AbstractDataConnectorParser
  • Namespace handler:
    net.shibboleth.ext.spring.util.BaseSpringNamespaceHandler
  • Namespace schema:
    urn:mace:shibboleth:2.0:resolver

The following example implements the eduPersonTargetedId attribute as it was computed by Shibboleth version 2.

Data connector class

TargetedIdSampleDataConnector.java
package org.example.shib_idp;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.IdPAttributeValue;
import net.shibboleth.idp.attribute.StringAttributeValue;
import net.shibboleth.idp.attribute.resolver.AbstractDataConnector;
import net.shibboleth.idp.attribute.resolver.ResolutionException;
import net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext;
import net.shibboleth.idp.attribute.resolver.context.AttributeResolverWorkContext;
import net.shibboleth.utilities.java.support.codec.Base64Support;

public class TargetedIdSampleDataConnector extends AbstractDataConnector {

   private static final Logger LOG = LoggerFactory.getLogger(TargetedIdSampleDataConnector.class);

   /** Secret salt mixed into every hash. Without it, an SP holding the value could test candidate usernames. */
   private final String salt = "A secret, random string.";

   @Override
   protected Map<String, IdPAttribute> doDataConnectorResolve(AttributeResolutionContext resolutionContext,
         AttributeResolverWorkContext workContext) throws ResolutionException {
      // Compute the SHA-1 hash for eduPersonTargetedId: entityID of the requester + "!" + uid + "!" + salt.
      // A data connector is a shared singleton, so per-request data such as the relying party ID is passed
      // as a parameter rather than kept in a field, where concurrent resolutions would overwrite it.
      final String relyingPartyId = resolutionContext.getAttributeRecipientID();
      final String username = resolutionContext.getPrincipal();
      if (relyingPartyId == null || username == null) {
         throw new ResolutionException("Relying party ID and principal are required to compute eduPersonTargetedId");
      }

      final String targetedId = getTargetedId(relyingPartyId, username);

      final IdPAttribute attribute = new IdPAttribute("eduPersonTargetedId");
      final List<IdPAttributeValue<?>> outputValues = new ArrayList<>(1);
      outputValues.add(new StringAttributeValue(targetedId));
      attribute.setValues(outputValues);
      LOG.debug("Data connector added attribute: eduPersonTargetedId[{}]", targetedId);

      final Map<String, IdPAttribute> result = new HashMap<>();
      result.put("eduPersonTargetedId", attribute);
      return result;
   }

   private String getTargetedId(final String relyingPartyId, final String source) throws ResolutionException {
      try {
         // "SHA" is the JCA alias for SHA-1, the algorithm IdP version 2 used for this attribute.
         final MessageDigest md = MessageDigest.getInstance("SHA");
         md.update(relyingPartyId.getBytes(StandardCharsets.UTF_8));
         md.update((byte) '!');
         md.update(source.getBytes(StandardCharsets.UTF_8));
         md.update((byte) '!');

         // Fixed charset, so the value does not depend on the JVM's platform default encoding.
         return Base64Support.encode(md.digest(salt.getBytes(StandardCharsets.UTF_8)), Base64Support.UNCHUNKED);
      } catch (final NoSuchAlgorithmException e) {
         LOG.error("Digest algorithm SHA is not supported");
         throw new ResolutionException("Digest algorithm was not supported, unable to compute ID", e);
      }
   }
}
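As an added example (not part of the original article and not Shibboleth code), the following Python script reproduces the derivation the connector performs: SHA-1 over relyingPartyId + "!" + principal + "!" + salt, Base64-encoded without line breaks. It lets you cross-check the connector's output against values an IdP version 2 installation produced, and it makes the properties of the identifier visible: the same user gets a stable value at one SP, a different value at another SP, and changing the salt rotates every value. The entityIDs and the username are constructed sample values; the salt placeholder is the same string as in the connector above.

```python
import base64
import hashlib

# Constructed sample inputs (not from the article). The salt placeholder is the same
# string as in the connector and must be a secret, random value in a real deployment.
SAMPLE_SALT = "A secret, random string."
SAMPLE_SP = "https://sp.example.org/shibboleth"         # constructed entityID
OTHER_SP = "https://other-sp.example.org/shibboleth"    # constructed entityID


def targeted_id(relying_party_id: str, principal: str, salt: str = SAMPLE_SALT) -> str:
    """Derive eduPersonTargetedId exactly as the connector does:
    SHA-1 over relyingPartyId + '!' + principal + '!' + salt, then Base64
    without line breaks (the equivalent of Base64Support.UNCHUNKED)."""
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(principal.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt.encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def pseudonym_properties(principal: str) -> dict:
    """Check the properties that make the value a pairwise pseudonym:
    stable per (SP, user), different across SPs, and dependent on the salt."""
    at_sp = targeted_id(SAMPLE_SP, principal)
    return {
        "stable": at_sp == targeted_id(SAMPLE_SP, principal),
        "unlinkable_across_sps": at_sp != targeted_id(OTHER_SP, principal),
        "salt_dependent": at_sp != targeted_id(SAMPLE_SP, principal, salt="another salt"),
        "length": len(at_sp),  # a 20-byte SHA-1 digest encodes to 28 Base64 characters
    }


if __name__ == "__main__":
    for sp in (SAMPLE_SP, OTHER_SP):
        print(f"{sp}: {targeted_id(sp, 'jdoe')}")
    print(pseudonym_properties("jdoe"))
```

To compare with a running IdP, call `targeted_id()` with the SP's real entityID, the principal name and the deployed salt, and compare the result with the value the connector logs at debug level.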

Data Connector Parser

TargetedIdSampleDataConnectorParser.java
package org.example.shib_idp;

import javax.xml.namespace.QName;

import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.xml.ParserContext;
import org.w3c.dom.Element;

import net.shibboleth.idp.attribute.resolver.spring.dc.AbstractDataConnectorParser;

public class TargetedIdSampleDataConnectorParser extends AbstractDataConnectorParser {

   /** Element type this parser handles, qualified with the plug-in's own namespace. */
   public static final QName SCHEMA_NAME =
         new QName(TargetedIdSampleDataConnectorNamespaceHandler.NAMESPACE, "TargetedIdDataConnector");

   /** {@inheritDoc} */
   @Override
   protected Class<TargetedIdSampleDataConnector> getNativeBeanClass() {
      return TargetedIdSampleDataConnector.class;
   }

   /** {@inheritDoc} */
   @Override
   protected void doV2Parse(Element element, ParserContext parserContext, BeanDefinitionBuilder builder) {
      // The base class already handles the common attributes (id, dependencies);
      // this connector has no configuration attributes of its own.
      super.doParse(element, builder);
   }
}

Data Connector Namespace Handler

TargetedIdSampleDataConnectorNamespaceHandler.java
package org.example.shib_idp;

import net.shibboleth.ext.spring.util.BaseSpringNamespaceHandler;

public class TargetedIdSampleDataConnectorNamespaceHandler extends BaseSpringNamespaceHandler {

   /** Namespace for this handler; must match the targetNamespace of schema/myConnectors.xsd. */
   public static final String NAMESPACE = "urn:example.org:shibboleth:2.0:resolver";

   /** {@inheritDoc} */
   @Override
   public void init() {
      registerBeanDefinitionParser(TargetedIdSampleDataConnectorParser.SCHEMA_NAME,
            new TargetedIdSampleDataConnectorParser());
   }
}

Schema extension

  • The schema extension must be located in the *.jar file at schema/myConnectors.xsd
schema/myConnectors.xsd
<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="urn:example.org:shibboleth:2.0:resolver" 
        xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:resolver="urn:mace:shibboleth:2.0:resolver" 
        elementFormDefault="qualified">
 
    <import namespace="urn:mace:shibboleth:2.0:resolver"
        schemaLocation="classpath:/schema/shibboleth-2.0-attribute-resolver.xsd" />
 
    <complexType name="TargetedIdDataConnector">
        <annotation>
            <documentation>
               Resolving eduPersonTargetedId as in version 2.
            </documentation>
        </annotation>
        <complexContent>
            <extension base="resolver:BaseDataConnectorType">
            </extension>
        </complexContent>
    </complexType>
</schema>

Spring schema file

  • The schema file must be located in the *.jar file at META-INF/spring.schemas
META-INF/spring.schemas
urn\:example.org\:shibboleth\:2.0\:resolver = schema/myConnectors.xsd

Spring handler file

  • The handler file must be located in the *.jar file at META-INF/spring.handlers
META-INF/spring.handlers
urn\:example.org\:shibboleth\:2.0\:resolver = org.example.shib_idp.TargetedIdSampleDataConnectorNamespaceHandler

Installing the plug-in

  • Build a *.jar file from the files listed above (preferably with mvn)
  • Copy this *.jar file into the lib directory of the Shibboleth IdP web application.
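The three resources have to end up at exact paths inside the jar and have to agree with each other: the namespace key in spring.schemas and spring.handlers (with its escaped colons), the targetNamespace of the XSD, and the handler class. A consistency check of the built jar catches a typo before the IdP does. The following Python script is an added example, not part of the article or of Shibboleth: it parses the two properties files, resolves the schema and handler-class entries inside the jar and compares the namespaces. Run without an argument it checks a constructed in-memory jar that carries the article's entries (with an empty placeholder in place of the compiled handler class); given a path it checks that jar.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

SCHEMAS_ENTRY = "META-INF/spring.schemas"
HANDLERS_ENTRY = "META-INF/spring.handlers"

# Values from the article; used only to construct the sample jar below.
NS = "urn:example.org:shibboleth:2.0:resolver"
HANDLER = "org.example.shib_idp.TargetedIdSampleDataConnectorNamespaceHandler"
ESCAPED_NS = NS.replace(":", "\\:")  # colons are escaped in .properties keys


def split_property(line: str):
    """Split one .properties line into (key, value). The key ends at the first
    unescaped '=', ':' or whitespace; a backslash escapes the next character."""
    key, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            key.append(line[i + 1])
            i += 2
            continue
        if ch in "=:" or ch.isspace():
            break
        key.append(ch)
        i += 1
    rest = line[i:].lstrip()
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip()
    return "".join(key), rest


def parse_properties(text: str) -> dict:
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, value = split_property(line)
            props[key] = value
    return props


def check_plugin_jar(jar) -> list:
    """Return a list of problems; an empty list means the jar is consistent."""
    problems = []
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        missing = [e for e in (SCHEMAS_ENTRY, HANDLERS_ENTRY) if e not in names]
        if missing:
            return [f"missing {e}" for e in missing]
        schemas = parse_properties(zf.read(SCHEMAS_ENTRY).decode("utf-8"))
        handlers = parse_properties(zf.read(HANDLERS_ENTRY).decode("utf-8"))
        for ns, xsd_path in schemas.items():
            if xsd_path not in names:
                problems.append(f"{ns}: schema {xsd_path} is not in the jar")
            else:
                target = ET.fromstring(zf.read(xsd_path)).get("targetNamespace")
                if target != ns:
                    problems.append(f"{ns}: schema targetNamespace is {target!r}")
            if ns not in handlers:
                problems.append(f"{ns}: no entry in {HANDLERS_ENTRY}")
        for ns, cls in handlers.items():
            class_entry = cls.replace(".", "/") + ".class"
            if class_entry not in names:
                problems.append(f"{ns}: handler class {class_entry} is not in the jar")
    return problems


def build_sample_jar(xsd_path="schema/myConnectors.xsd", target_ns=NS) -> io.BytesIO:
    """Constructed in-memory jar with the entries the article requires.
    The .class entry is an empty placeholder, not compiled code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SCHEMAS_ENTRY, f"{ESCAPED_NS} = {xsd_path}\n")
        zf.writestr(HANDLERS_ENTRY, f"{ESCAPED_NS} = {HANDLER}\n")
        zf.writestr("schema/myConnectors.xsd",
                    '<?xml version="1.0" encoding="UTF-8"?>\n'
                    f'<schema targetNamespace="{target_ns}" xmlns="http://www.w3.org/2001/XMLSchema"/>')
        zf.writestr(HANDLER.replace(".", "/") + ".class", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    for line in check_plugin_jar(source) or ["ok"]:
        print(line)
```

The two optional parameters of `build_sample_jar()` exist to reproduce the usual mistakes, a schema path that does not match the jar layout and an XSD whose targetNamespace differs from the properties key; both show up as a reported problem instead of a cryptic Spring error at IdP start-up.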

Using the data connector in the attribute resolver

conf/attribute-resolver.xml
<resolver:AttributeResolver
        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
        xmlns:sec="urn:mace:shibboleth:2.0:security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:tid="urn:example.org:shibboleth:2.0:resolver"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                            urn:example.org:shibboleth:2.0:resolver classpath:/schema/myConnectors.xsd
                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
...
    <!-- TargetedId data connector; the xsi:type is the complexType declared in schema/myConnectors.xsd,
         qualified with the tid prefix bound above to the plug-in's namespace -->
    <resolver:DataConnector id="myData" xsi:type="tid:TargetedIdDataConnector" />