1 / 43

Shibboleth 2.0 IdP Training: Attributes

Shibboleth 2.0 IdP Training: Attributes. January, 2009. Terms: Attribute. A piece of information about a user Has a unique identifier and zero or more values Shibboleth attributes are protocol agnostic data structures. Terms: SAML Attribute. An attribute represented in SAML notation

genica
Download Presentation

Shibboleth 2.0 IdP Training: Attributes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Shibboleth 2.0 IdP Training:Attributes • January, 2009

  2. Terms: Attribute • A piece of information about a user • Has a unique identifier and zero or more values • Shibboleth attributes are protocol agnostic data structures

  3. Terms: SAML Attribute • An attribute represented in SAML notation • Shibboleth encodes attributes into SAML attributes

  4. Terms: Data Connector • A plugin that defines multiple attributes from data sources • Shibboleth supports static, LDAP, relational database, computed and stored ID data connectors

  5. Terms: Attribute Definition • A plugin that creates a single attribute by transforming other attributes and state information • Attribute definition types: • simple, scoped, regex, mapping, template, scripting, principal name and principal authentication method

  6. Terms: Attribute Encoder • A plugin that converts an attribute into a protocol specific form, like a SAML attribute • Attribute encoders are associated with an attribute through the attribute’s definition

  7. Terms: Attribute Resolver • A subsystem in Shibboleth responsible for fetching, transforming and associating encoders with attributes • Only attributes produced by attribute definitions leave the resolver and are available to the other parts of Shibboleth

  8. Roadmap • Define a simple attribute with a static value • Define an attribute filter policy for that attribute • Define a simple attribute using values from a LDAP directory • Define another attribute filter policy • Define scoped attributes

  9. Data Connectors: Definition • Data connectors are defined in attribute-resolver.xml • Uses the <DataConnector> element • Every data connector must have: • Unique identifier – id attribute • Type – xsi:type attribute • Each type has its own set of configuration attributes

  10. Data Connector: Dependencies • Some connectors will need information collected by another plugin in order to work • <resolver:Dependency ref="refid" /> • Dependencies must be declared before any other configuration elements

  11. Data Connector: Static • Static data connectors add attributes to every resolved account • Data connector type: • Static • Configuration attributes: • (none)

  12. Data Connector: Static • Attributes produced by the data connector are defined by the <Attribute> element: • <Attribute id="attributeid"> • Values are added by the <Value> element: • <Value>attributevalue</Value> • Attributes may have more than one value

  13. Lab: Static Data Connector • Define a static data connector for a single attribute returning a single value

  14. Attribute Definition: Definition • Attribute definitions are defined in attribute-resolver.xml • Uses the <resolver:AttributeDefinition> element • Every attribute definition has: • Unique identifier – id attribute • Type – xsi:type attribute • Each type has its own set of configuration attributes

  15. Attribute Definition: Dependencies • Most attribute definitions will need information collected by another plugin in order to work • <resolver:Dependency ref="refid" /> • Dependencies must be declared before any other configuration elements

  16. Attribute Definition Type: Simple • Releases an attribute from the resolver • Attribute type value: • Simple • Configuration attributes: • sourceAttributeID

  17. Lab: Attribute Definition • Create an attribute definition for eduPersonAffiliation using static data connector.

  18. Attribute Encoders: Definition • Shibboleth uses SAML attributes • Attribute encoders allow conversion of attributes as SAML attributes • Configured as children of an attribute definition • Uses <resolver:AttributeEncoder> • Each must have a type – xsi:type • Each type has configuration attributes

  19. Attribute Encoder Type: Basic SAML 1 • SAML 1 encoder definition: • <resolver:AttributeEncoder • xsi:type="SAML1String" • xmlns="urn:mace:shibboleth:2.0:attribute-encoder" • name="attributenameURN" /> • Only the name attribute changes (URN): • <resolver:AttributeEncoder • xsi:type="SAML1String" • xmlns="urn:mace:shibboleth:2.0:attribute-encoder" name="urn:mace:dir:attribute-def:eduPersonAffiliation" />

  20. Attribute Encoder Type: Basic SAML 2 • Similar to the SAML 1 encoder but uses the OID name for the attribute name and adds a friendly name: • <resolver:AttributeEncoder • xsi:type="SAML2String" • xmlns="urn:mace:shibboleth:2.0:attribute-encoder" • name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" • friendlyName="eduPersonAffiliation" />

  21. Roadmap • Define a simple attribute with a static value • Define an attribute filter policy for that attribute • Define a simple attribute using values from a LDAP directory • Define another attribute filter policy • Define scoped attributes

  22. Terms: Attribute Filter Policy • Describes what attributes are available to service providers

  23. Terms: Policy Requirement Rule • A specific requirement that must be met • An attribute filter policy may only have one requirement rule but some allow child rules

  24. Terms: Attribute Rule • A rule specific to an attribute • Determines which values of the attribute are released • An attribute filter policy may have any number of attribute rules

  25. Terms: Permit Value Rule • Determines if an attribute value is to be released to a relying party

  26. Terms: Attribute Filter Policy Group • A collection of attribute filter policies • Unit of configuration loaded by the attribute filtering engine

  27. Lab: Release eduPersonAffiliation • Define an attribute filter policy that releases eduPersonAffiliation to anyone

  28. Roadmap • Define a simple attribute with a static value • Define an attribute filter policy for that attribute • Define a simple attribute using values from a LDAP directory • Define another attribute filter policy • Define scoped attributes

  29. Data Connector: LDAP • Data connector that retrieves information from an LDAP directory • Attribute Type: • LDAPDirectory • Configuration Attributes: • ldapURL • baseDN • principal • credential

  30. Data Connector: LDAP • Child element • <FilterTemplate> • Search filter template • (uid=$requestContext.principalName)

  31. Data Connector: LDAP • A Sample: • <resolver:DataConnector id="localLDAP" • xsi:type="LDAPDirectory" • xmlns="urn:mace:shibboleth:2.0:resolver:dc" • ldapURL="ldap://127.0.0.1:389" • baseDN="ou=people,dc=example,dc=org" • principal="uid=admin,ou=system" • principalCredential="password"> • <FilterTemplate> • (uid=$requestContext.principalName) • </FilterTemplate> • </resolver:DataConnector>

  32. Lab: LDAP Data Connector • Define a LDAP Data Connector that connects to the shared LDAP server in the training lab

  33. Attribute Definition: LDAP • Use the attribute definition dependency to define the LDAP data connector as a source: • <resolver:Dependency ref="localLDAP" /> • If you define multiple dependencies, the returned values will be combined

  34. Lab: LDAP Attribute Definition • Add the LDAP data connector as a dependency to the attribute definition for eduPersonAffiliation

  35. Roadmap • Define a simple attribute with a static value • Define an attribute filter policy for that attribute • Define a simple attribute using values from a LDAP directory • Define another attribute filter policy • Define a scoped attribute

  36. Scoped Attributes • Two parts • Value – separator – Scope • student@example.edu • The scope indicates a domain where the value is valid

  37. Attribute Definition: Scoped • Adds a static scope • Attribute Type: • Scoped • Configuration attributes: • sourceAttributeID • scope

  38. Attribute Definition: Prescoped • Already contain the scope within the data source • Attribute Type: • Prescoped • Configuration attributes: • sourceAttributeID • scopeDelimiter

  39. Lab: Create a Scoped Attribute • Define a Prescoped Attribute Definition that generates and sends eduPersonPrincipalName from the LDAP directory

  40. Attribute Encoders: Scoped • Can Convert into a SAML attribute in two ways: • As an attribute for the SAML <AttributeValue> • <AttributeValue Scope="…"> • Using the inline notation • value@scope • Set by the scopeType attribute: • attribute • inline

  41. Lab: Release eduPersonPrincipalName • Define an attribute filter policy that releases eduPersonPrincipalName to the test SP

  42. More on Dependencies • Any resolver definition can have any number of dependencies • Dependency results are merged • Attributes definitions may be defined as for dependency purposes only

  43. References • For more information on attributes: • https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute

More Related