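Konfigurationsbeispiele für AAIplus

Work in Progress
Diese Seite ist noch im Aufbau begriffen!

Die u.g. Beispiele für Attribut-Konfigurationen beziehen sich auf die aktuell gültigen Best Practice Empfehlungen zur Verwendung von Attributen in der DFN-AAI.

Attribute Resolver

Beispiele für die Definition von eduPersonEntitlement und eduPerson(Scoped)Affiliation finden sich unter Attribut-Configuration für Verlagsanbieter, zu schacUserStatus siehe unter User Deprovisionierung.

Beispiel für Shib IdP 4, Deployment-Empfehlungen bzgl. pairwise-id für Neuinstallationen

IdP 4.x

/opt/shibboleth-idp/conf/attribute-resolver.xml

<!-- Excerpt of attribute-resolver.xml (IdP 4.x). The enclosing <AttributeResolver>
     root element and its namespace declarations are assumed to be present in the file. -->

<AttributeDefinition id="uid" xsi:type="PrincipalName" />

<!-- This is only a selection; add further attribute definitions as needed. -->
<AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
</AttributeDefinition>

<AttributeDefinition xsi:type="Template" id="displayName">
    <InputDataConnector ref="myLDAP" attributeNames="givenName sn"/>
    <Template>${givenName} ${sn}</Template>
</AttributeDefinition>

<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple">
    <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="o">
    <InputDataConnector ref="staticAttributes" attributeNames="o"/>
</AttributeDefinition>

<!-- Identifier Attributes -->

<!-- subjectHash: SHA-256 of the persistent-id source attribute concatenated with the
     persistent-id salt. It is the non-pairwise base value for samlSubjectID and
     eduPersonUniqueId. The hash is a pure function of source value and salt, so
     neither may change once in production, or every user's identifier changes.
     The salt is a secret and is only referenced via its property, never written here. -->
<AttributeDefinition id="subjectHash" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
    <Script><![CDATA[
        var digestUtils = Java.type("org.apache.commons.codec.digest.DigestUtils");
        // When LDAP returns no such attribute the variable is undefined; guard so that
        // get(0) on an empty value list does not abort the whole attribute resolution.
        // No value is added in that case, i.e. no subject-id/eduPersonUniqueId is released.
        if (typeof %{idp.persistentId.sourceAttribute} !== "undefined"
                && %{idp.persistentId.sourceAttribute}.getValues().size() > 0) {
            // Only the first value is hashed; the source attribute must be single-valued.
            var saltedHash = digestUtils.sha256Hex(%{idp.persistentId.sourceAttribute}.getValues().get(0) + "%{idp.persistentId.salt}");
            subjectHash.addValue(saltedHash);
        }
    ]]></Script>
</AttributeDefinition>

<!-- subject-id: the non-pairwise hash above, scoped with the IdP scope. -->
<AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
    <InputAttributeDefinition ref="subjectHash" />
</AttributeDefinition>

<!-- pairwise-id: per-SP value from the StoredId connector, scoped with the IdP scope. -->
<AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
    <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
</AttributeDefinition>

<!-- Deprecated - only for compatibility with SPs that have not moved on. -->
<!-- Same value as for the Subject ID. -->
<AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}">
    <InputAttributeDefinition ref="subjectHash" />
</AttributeDefinition>

<!-- Targeted ID/Persistent ID -->
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
                     nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
</AttributeDefinition>

<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->

<!-- Static values for the home organisation; replace the example values. -->
<DataConnector id="staticAttributes" xsi:type="Static">
    <Attribute id="schacHomeOrganization">
        <Value>hochschule-example.de</Value>
    </Attribute>
    <Attribute id="schacHomeOrganizationType">
        <Value>urn:schac:homeOrganizationType:eu:higherEducationalInstitution</Value>
    </Attribute>
    <Attribute id="o">
        <Value>Test Organization</Value>
    </Attribute>
</DataConnector>

<!-- StoredId: persistent per-SP identifier kept in a database (MyPidDataSource).
     Salt and source attribute come from the same properties as subjectHash above. -->
<DataConnector id="myStoredId" xsi:type="StoredId"
               generatedAttributeID="persistentId"
               encoding="BASE32"
               salt="%{idp.persistentId.salt}">
    <InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}" />
    <BeanManagedConnection>MyPidDataSource</BeanManagedConnection>
</DataConnector>

<!-- LDAP connector; all connection parameters come from properties.
     StartTLS is on unless the property says otherwise (useStartTLS:true) and
     trustFile points to the certificates trusted for the LDAP server.
     In IdP 4.x failFastInitialize belongs on the DataConnector element. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" />
</DataConnector>

IdP 3.x

/opt/shibboleth-idp/conf/attribute-resolver.xml

<!-- Excerpt of attribute-resolver.xml (IdP 3.x). Unlike the 4.x example, display
     names/descriptions and SAML encoders are declared inline on each definition. -->

<AttributeDefinition id="uid" xsi:type="PrincipalName">
    <DisplayName xml:lang="en">User Name</DisplayName>
    <DisplayName xml:lang="de">Nutzerkennung</DisplayName>
    <DisplayDescription xml:lang="en">Local User Id</DisplayDescription>
    <DisplayDescription xml:lang="de">Nutzerkennung der Heimateinrichtung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</AttributeDefinition>

<!-- This is only a selection; add further attribute definitions as needed. -->
<AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <DisplayName xml:lang="en">E-mail</DisplayName>
    <DisplayName xml:lang="de">E-Mail</DisplayName>
    <DisplayDescription xml:lang="en">E-Mail address</DisplayDescription>
    <DisplayDescription xml:lang="de">E-Mail Adresse</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false"/>
</AttributeDefinition>

<AttributeDefinition xsi:type="Template" id="displayName">
    <InputDataConnector ref="myLDAP" attributeNames="givenName sn"/>
    <DisplayName xml:lang="en">Display name</DisplayName>
    <DisplayName xml:lang="de">Angezeigter Name</DisplayName>
    <DisplayDescription xml:lang="en">Display name of a person</DisplayDescription>
    <DisplayDescription xml:lang="de">Angezeigter Name des Nutzers bzw. der Nutzerin</DisplayDescription>
    <Template>${givenName} ${sn}</Template>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple">
    <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization" />
    <DisplayName xml:lang="en">Home organization (Schac)</DisplayName>
    <DisplayName xml:lang="de">Heimateinrichtung (Schac)</DisplayName>
    <DisplayDescription xml:lang="en">Home organization (Schac)</DisplayDescription>
    <DisplayDescription xml:lang="de">Heimateinrichtung (Schac)</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="o">
    <InputDataConnector ref="staticAttributes" attributeNames="o"/>
    <DisplayName xml:lang="en">Home organization</DisplayName>
    <DisplayName xml:lang="de">Heimateinrichtung</DisplayName>
    <DisplayDescription xml:lang="en">Home organization</DisplayDescription>
    <DisplayDescription xml:lang="de">Heimateinrichtung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
</AttributeDefinition>

<!-- Identifier Attributes -->

<!-- subjectHash: SHA-256 of the persistent-id source attribute concatenated with the
     persistent-id salt; base value for samlSubjectID and eduPersonUniqueId.
     Source attribute and salt must not change once in production, or every user's
     identifier changes. The salt is a secret and is only referenced via its property. -->
<AttributeDefinition id="subjectHash" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
    <Script><![CDATA[
        var digestUtils = Java.type("org.apache.commons.codec.digest.DigestUtils");
        // When LDAP returns no such attribute the variable is undefined; guard so that
        // get(0) on an empty value list does not abort the whole attribute resolution.
        // No value is added in that case, i.e. no subject-id/eduPersonUniqueId is released.
        if (typeof %{idp.persistentId.sourceAttribute} !== "undefined"
                && %{idp.persistentId.sourceAttribute}.getValues().size() > 0) {
            // Only the first value is hashed; the source attribute must be single-valued.
            var saltedHash = digestUtils.sha256Hex(%{idp.persistentId.sourceAttribute}.getValues().get(0) + "%{idp.persistentId.salt}");
            subjectHash.addValue(saltedHash);
        }
    ]]></Script>
</AttributeDefinition>

<AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
    <InputAttributeDefinition ref="subjectHash" />
    <DisplayName xml:lang="en">Unique Subject ID</DisplayName>
    <DisplayName xml:lang="de">Eindeutige Subject ID</DisplayName>
    <DisplayDescription xml:lang="en">Unique ID: A unique identifier for a person, mainly for inter-institutional user identification</DisplayDescription>
    <DisplayDescription xml:lang="de">Eindeutige Nutzerkennung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subject-id" encodeType="false" />
</AttributeDefinition>

<!-- pairwise-id: per-SP value from the StoredId connector. The English and German
     display names are kept under their matching xml:lang. -->
<AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
    <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
    <DisplayName xml:lang="en">Pairwise ID (pseudonymous ID)</DisplayName>
    <DisplayName xml:lang="de">Pairwise ID (pseudonyme Kennung)</DisplayName>
    <DisplayDescription xml:lang="en">Targeted ID: A unique, opaque identifier for a person, different for each service provider.</DisplayDescription>
    <DisplayDescription xml:lang="de">Targeted ID: Eindeutige, opake Nutzerkennung, unterschiedlich pro Service Provider.</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
</AttributeDefinition>

<!-- Deprecated - only for compatibility with SPs that have not moved on. -->
<!-- Same value as for the Subject ID. -->
<AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}">
    <InputAttributeDefinition ref="subjectHash" />
    <DisplayName xml:lang="en">Unique ID</DisplayName>
    <DisplayName xml:lang="de">Eindeutige ID</DisplayName>
    <DisplayDescription xml:lang="en">Unique ID: A unique identifier for a person, mainly for inter-institutional user identification</DisplayDescription>
    <DisplayDescription xml:lang="de">Eindeutige Nutzerkennung</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" />
</AttributeDefinition>

<!-- Targeted ID/Persistent ID -->
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
                     nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="myStoredId" attributeNames="persistentId"/>
    <DisplayName xml:lang="en">Targeted ID (pseudonymous ID)</DisplayName>
    <DisplayName xml:lang="de">Targeted ID (pseudonyme Kennung)</DisplayName>
    <DisplayDescription xml:lang="en">Targeted ID: A unique, pseudonymous identifier for a person, different for each service provider.</DisplayDescription>
    <DisplayDescription xml:lang="de">Targeted ID: Eindeutige, pseudonyme Nutzerkennung, unterschiedlich pro Service Provider.</DisplayDescription>
    <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</AttributeDefinition>

<!-- ========================================== -->
<!-- Data Connectors -->
<!-- ========================================== -->

<!-- Static values for the home organisation; replace the example values. -->
<DataConnector id="staticAttributes" xsi:type="Static">
    <Attribute id="schacHomeOrganization">
        <Value>hochschule-example.de</Value>
    </Attribute>
    <Attribute id="schacHomeOrganizationType">
        <Value>urn:schac:homeOrganizationType:eu:higherEducationalInstitution</Value>
    </Attribute>
    <Attribute id="o">
        <Value>Test Organization</Value>
    </Attribute>
</DataConnector>

<!-- StoredId: persistent per-SP identifier kept in a database (MyPidDataSource).
     Salt and source attribute come from the same properties as subjectHash above. -->
<DataConnector id="myStoredId" xsi:type="StoredId"
               generatedAttributeID="persistentId"
               encoding="BASE32"
               salt="%{idp.persistentId.salt}">
    <InputAttributeDefinition ref="%{idp.persistentId.sourceAttribute}" />
    <BeanManagedConnection>MyPidDataSource</BeanManagedConnection>
</DataConnector>

<!-- LDAP connector; all connection parameters come from properties.
     StartTLS is on unless the property says otherwise (useStartTLS:true) and
     trustFile points to the certificates trusted for the LDAP server.
     In IdP 3.x failFastInitialize sits on the ConnectionPool element. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
        failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>

Attribute Filter

Damit Endnutzer*innen in die Lage versetzt werden können, über das User Consent Modul die Übertragung optionaler Attribute an- oder abzuwählen, muss onlyIfRequired=„false“ gesetzt werden.

/opt/shibboleth-idp/conf/attribute-filter.xml

<!-- Releases the listed attributes to SPs that carry the AAIplus entity category in
     their (federation) metadata. AttributeInMetadata additionally limits release to the
     attributes the SP lists as RequestedAttribute; onlyIfRequired="false" includes the
     ones the SP marks as optional, so the user can (de)select them in the consent dialog. -->
<AttributeFilterPolicy id="releaseToAAIplus">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                           attributeName="http://macedir.org/entity-category"
                           attributeValue="http://aai.dfn.de/category/aai-plus" />
    <AttributeRule attributeID="samlSubjectID">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="samlPairwiseID">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="schacHomeOrganization">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="o">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="schacUserStatus">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonOrcid">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAssurance">
        <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
</AttributeFilterPolicy>

Relying Party Konfigurationen

/opt/shibboleth-idp/conf/relying-party.xml

<!-- Relying parties without verified metadata get no profile configurations at all,
     i.e. the list is deliberately left empty. -->
<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- nothing here -->
        </list>
    </property>
</bean>

<!-- For the usual AAI scenarios the SSO and SLO profiles are sufficient;
     the transient id is needed for logout. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
            <ref bean="SAML2.Logout" />
        </list>
    </property>
</bean>

<!-- Certain SPs may perform attribute queries; they are allow-listed by entityID,
     everyone else keeps the default profile set above: -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'https://testsp.aai.dfn.de/shibboleth', 'https://testsp2.aai.dfn.de/shibboleth'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
        </list>
    </property>
</bean>

idp3, idp4 idp4 subjectidentifierattributes aaiplus attributfreigabe pairwise-id subject-id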