en:aai:assurance_sp [2021/12/29 14:03] – [Apache Access Rules] Wolfgang Pempe | en:aai:assurance_sp [2023/01/12 19:24] – [Apache Access Rules] Wolfgang Pempe |
---|
====== REFEDS Assurance Framework - Service Provider ====== | ====== REFEDS Assurance Framework - Service Provider ====== |
([[en:aai:assurance|general information on identity assurance]]) | ([[en:aai:assurance|general information on identity assurance]]) |
| |
<callout type="danger" title="Work in Progress"> | |
This page is still under construction! | |
</callout> | |
| |
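Review bot: the "Work in Progress" callout is dropped in this revision while the page is still incomplete: the second Apache example's `<file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf>` block under "Apache Access Rules" remains empty in both columns. Either keep the callout until that block is filled, or fill the block in the same revision that removes the warning.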
===== First Steps and Requirements ===== | ===== First Steps and Requirements ===== |
| |
==== Metadata ==== | ==== Metadata ==== |
* Laut [[de:aai:assurance#roadmap_zur_umstellung|Roadmap]] wird es ab 1.4.2022 keine nach Verlässlichkeitsklassen getrennten Metadatendateien mehr geben. Die [[de:metadata|Metadaten]] aller produktiven Identity Provider in der DFN-AAI sind unter https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml verfügbar. Die Beispiele unter [[de:production|Produktivbetrieb]] sind bereits entsprechend angepasst. Bis Jahresende 2022 ist nach wie vor eine Unterscheidung anhand eines [[de:entity_attributes#verlaesslichkeitsklasse_des_idp|Entity Attributs]] möglich. Ein Beispiel für einen entsprechenden Metadata Filter findet sich [[de:aai:mdq#ausschliesslich_idps_aus_dfn-aai_advanced|auf der Seite zur MDQ-Dokumentation]]. | * According to the [[en:aai:assurance#roadmap_for_the_changeover|roadmap]], there will no longer be metadata files separated by Degrees of Reliance as of May 20th, 2022. The [[en:metadata|metadata]] of all productive Identity Providers in DFN-AAI is available at https://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml. The examples under [[en:production|productive operations]] have already been modified accordingly. Until the end of 2022, differentiation based on an Entity Attribute is still possible. Examples of a corresponding metadata filter can be found on the [[en:aai:mdq|MDQ documentation]] and [[en:production|Production Environment]] pages. |
* Um zu signalisieren, dass der Service Provider Verlässlichkeitsangaben benötigt und verarbeitet, die über das Attribut [[de:common_attributes#a14|eduPersonAssurance]] transportiert werden, sollte in der [[de:metadata_admin_tool|Metadatenverwaltung]] unter //Attribute Consuming Service// das Attribut ''eduPersonAssurance'' als ''isRequired=true'' deklariert werden. | * In order to signal that the Service Provider requires and processes assurance information transported via the [[de:common_attributes#a14|eduPersonAssurance]] attribute, the ''eduPersonAssurance'' attribute should be declared as ''isRequired=true'' in the metadata administration tool under Attributes Consuming Service. |
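Review bot: the sentence "Until the end of 2022, differentiation based on an Entity Attribute is still possible" is already stale in a revision dated 2023/01/12; update the date or remove the sentence together with the metadata-filter pointer that depends on it. Two further points in the same region: the revision changes substance beyond translation (the cutoff moves from 1.4.2022 to May 20th, 2022, and the metadata URL loses the `/fileadmin/` path segment), so confirm the German page was updated in step; and the English text still links `[[de:common_attributes#a14|eduPersonAssurance]]` into the `de:` namespace while the other links were switched to `en:`. Minor: "Attributes Consuming Service" should read "Attribute Consuming Service", matching the German original and the SAML element name.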
==== Apache Access Rules ==== | ==== Apache Access Rules ==== |
| In this example, access to the resources protected by the SP is granted to persons whose digital identity meets the conditions for $PREFIX$/IAP/medium and $PREFIX$/ATP/ePA-1m. |
| |
The following example assumes that only staff members (''staff'') of certain institutions, for whom $PREFIX$/ID/unique, $PREFIX$/IAP/medium und $PREFIX$/ATP/ePA-1m are met, are to be granted access to the resource protected by the service provider. Die Liste der zugriffsberechtigten Identity Provider bzw. Heimateinrichtungen wird über einen [[de:shibsp#filtermechanismen|entsprechenden Metadata Filter]] festgelegt. \\ | <file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf> |
**Hinweis:** Das Attribut ''eduPersonAssurance'' wird in ''attribute-map.xml'' standardmäßig auf eine Variable namens ''assurance'' abgebildet, bei ''eduPersonAffiliation'' ist dies ''unscoped-affiliation''. | <Location /protected> |
| AuthType shibboleth |
| ShibRequestSetting requireSession true |
| <RequireAll> |
| Require shib-attr assurance https://refeds.org/assurance/IAP/medium |
| Require shib-attr assurance https://refeds.org/assurance/ATP/ePA-1m |
| </RequireAll> |
| </Location> |
| </file> |
| |
| The following example assumes that only staff members (''staff'') of certain institutions, for whom $PREFIX$/ID/unique, $PREFIX$/IAP/medium und $PREFIX$/ATP/ePA-1m are met, are to be granted access to the resource protected by the service provider. The list of access-authorized identity providers or home institutions is defined via a [[de:shibsp#filtermechanismen|metadata filter]]. \\ |
| **Please note:** The attribute ''eduPersonAssurance'' is mapped to a variable named ''assurance'' by default in ''attribute-map.xml'', in case of ''eduPersonAffiliation'' the variable is named ''unscoped-affiliation''. |
| |
<file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf> | <file apache /etc/apache2/sites-enabled/sp.uni-beispiel.de.conf> |
</file> | </file> |
| |
==== Literature ==== | **XML Access Control:** For more ways to configure access control using the Shibboleth SP, please refer to [[https://www.switch.ch/aai/guides/sp/access-rules|the documentation provided by SWITCH]] |
| |
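Review bot: the second example describes a stricter policy (staff only, plus $PREFIX$/ID/unique, restricted to IdPs selected by a metadata filter) but its `<file>` block is empty, so a reader copying the page ends up with the first, weaker rule set. Given the variable names stated in the note (`assurance`, `unscoped-affiliation`), the missing block should extend the `<RequireAll>` of the first example with, at minimum, `Require shib-attr assurance https://refeds.org/assurance/ID/unique` and `Require shib-attr unscoped-affiliation staff`, and the text should say explicitly that `$PREFIX$` in the prose corresponds to the literal `https://refeds.org/assurance` used in the config, since the page never states that mapping. Also in the English text: "und" is untranslated, and the metadata-filter link still points into the `de:` namespace (`[[de:shibsp#filtermechanismen|metadata filter]]`); the "XML Access Control" sentence lacks a terminating period.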
| ==== Further Reading ==== |
* [[https://doi.org/10.5281/zenodo.3627594|Comparison Guide to Identity Assurance Mappings for Infrastructures]] | * [[https://doi.org/10.5281/zenodo.3627594|Comparison Guide to Identity Assurance Mappings for Infrastructures]] |
* [[https://doi.org/10.5281/zenodo.4916049|Making Identity Assurance and Authentication Strength Work for Federated Infrastructures]] | * [[https://doi.org/10.5281/zenodo.4916049|Making Identity Assurance and Authentication Strength Work for Federated Infrastructures]] |
| |
{{tag>assurance}} | {{tag>assurance}} |