-rw-r--r--apache-sp/apache-conf/sp.conf5
-rw-r--r--apache-sp/secure/index.shtml1
-rw-r--r--idp/template-config/attribute-filter.xml179
-rw-r--r--idp/template-config/attribute-resolver.xml43
-rw-r--r--idp/template-config/test.xml57
5 files changed, 185 insertions, 100 deletions
diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf
index 6678f8e..587004d 100644
--- a/apache-sp/apache-conf/sp.conf
+++ b/apache-sp/apache-conf/sp.conf
@@ -45,9 +45,9 @@ SSLHonorCipherOrder on
ShibRequireSession On
require valid-user
Options +Includes
- Header set X_REMOTE_USER %{eduPersonPrincipalName}e
+ Header set X_REMOTE_USER %{eppn}e
Header set UID %{uid}e
- Header set EPPN %{eduPersonPrincipalName}e
+ Header set EPPN %{eppn}e
Header set MAIL %{mail}e
Header set GIVENNAME %{givenName}e
Header set DISPLAYNAME %{displayName}e
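Review bot: `Header set X_REMOTE_USER %{eppn}e` (and the EPPN line below it, plus the new EDU_PERSON_ENTITLEMENT line in the next hunk) writes the attribute value into the HTTP response headers returned to the browser; if the intent is to hand the identity to an application served behind this `<Location>`, `RequestHeader set` is the directive that acts on the request, and the response variant exposes every listed attribute to client-side script and to any proxy that logs response headers. The rename from eduPersonPrincipalName to eppn also assumes the SP's attribute-map.xml now uses `eppn` as the attribute id; if it does not, the variable is unset and, as far as I recall mod_headers behaviour, a placeholder string is substituted instead of the header being omitted, so a consumer would see a non-empty but meaningless identity value. A one-line comment naming the attribute-map entry these variable names depend on, e.g. `# variable names must match the id attributes in attribute-map.xml`, would make that coupling visible. The enclosing `<Location>` block starts outside the hunk.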
@@ -55,6 +55,7 @@ SSLHonorCipherOrder on
Header set AFFILIATION %{affiliation}e
Header set UNSCOPED_AFFILIATION %{unscoped_affiliation}e
Header set EMPLOYEETYPE %{employeeType}e
+ Header set EDU_PERSON_ENTITLEMENT %{entitlement}e
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</Location>
diff --git a/apache-sp/secure/index.shtml b/apache-sp/secure/index.shtml
index f22666f..bd8233d 100644
--- a/apache-sp/secure/index.shtml
+++ b/apache-sp/secure/index.shtml
@@ -19,6 +19,7 @@
<li>employeeType: <!--#echo var="employeeType" --></li>
<li>Affiliation: <!--#echo var="AFFILIATION" --></li>
<li>Unscoped affiliation: <!--#echo var="UNSCOPED_AFFILIATION" --></li>
+ <li>eduPersonEntitlement: <!--#echo var="EDU_PERSON_ENTITLEMENT" --></li>
</ul>
<pre><!--#printenv --></pre>
</div>
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
index 4543e99..eae2abe 100644
--- a/idp/template-config/attribute-filter.xml
+++ b/idp/template-config/attribute-filter.xml
@@ -13,44 +13,145 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
- <!-- Release some attributes to an SP. -->
- <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
- <AttributeFilterPolicy id="sp.nordu.dev">
- <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
- <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="uid">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mail">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="givenName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="surname">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="commonName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="employeeType">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="email">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonEntitlement">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mailLocalAddress">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
+ <AttributeFilterPolicy id="releaseTransientIdToAnyone">
+ <PolicyRequirementRule xsi:type="ANY" />
- </AttributeFilterPolicy>
+ <AttributeRule attributeID="transientId">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+
+ <!-- GEANT Data protection Code of Conduct -->
+ <AttributeFilterPolicy id="releaseToCoCo">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="cn">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="AND">
+ <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ <Rule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </Rule>
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonAffiliation">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganizationType">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- REFEDS Research and Schoolarship -->
+ <AttributeFilterPolicy id="releaseToRandS">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- Release some attributes to an SP. -->
+ <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+ <AttributeFilterPolicy id="sp.nordu.dev">
+ <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+ <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="uid">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="commonName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="employeeType">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonEntitlement">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mailLocalAddress">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
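Review bot: The `eduPersonScopedAffiliation` allowed-value list (faculty … library-walk-in) is now copied verbatim into three policies (`releaseToCoCo`, `releaseToRandS` and `sp.nordu.dev`), and only the CoCo copy wraps it in the `AttributeInMetadata onlyIfRequired="true"` AND; a later edit to one copy will silently diverge from the others, so the first copy deserves a comment such as `<!-- Allowed ePSA values; keep identical to the lists in releaseToRandS and sp.nordu.dev -->`. The two entity-category policies match `http://macedir.org/entity-category` taken from the SP's own metadata, so the release decision is only as trustworthy as the signature validation on the metadata feed; that configuration is not part of this diff (the deleted test.xml was only an example), and a short comment pointing at where the category tags are verified would help the next maintainer. The comment `REFEDS Research and Schoolarship` should read `Scholarship`, and the two blank lines after the transientId policy look like they carry trailing whitespace. The enclosing `<AttributeFilterPolicyGroup>` starts outside the hunk.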
diff --git a/idp/template-config/attribute-resolver.xml b/idp/template-config/attribute-resolver.xml
index e761920..1020fc4 100644
--- a/idp/template-config/attribute-resolver.xml
+++ b/idp/template-config/attribute-resolver.xml
@@ -106,8 +106,28 @@
</AttributeDefinition>
<!-- Schema: eduPerson attributes -->
- <AttributeDefinition id="memberOf" xsi:type="Simple" sourceAttributeID="memberOf">
- <Dependency ref="myLDAP" />
+
+ <AttributeDefinition id="mappedEduPersonEntitlement" xsi:type="Mapped" sourceAttributeID="memberOf" dependencyOnly="true">
+ <Dependency ref="myLDAPGROUPS" />
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-sysadmin</ReturnValue>
+ <SourceValue>cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-netadmin</ReturnValue>
+ <SourceValue>cn=ndn-netadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ <ValueMap>
+ <ReturnValue>urn:x-ldapgroup:ndn-secadmin</ReturnValue>
+ <SourceValue>cn=ndn-secadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+ </ValueMap>
+ </AttributeDefinition>
+
+ <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" sourceAttributeID="staticeduPersonEntitlement">
+ <Dependency ref="mappedEduPersonEntitlement" />
+ <Dependency ref="staticAttributes" />
+ <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+ <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
</AttributeDefinition>
<!-- Idp-Installer: the source for this attribute is from the database StoredId and no longer the classic computedID -->
<!--
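Review bot: `eduPersonEntitlement` declares `sourceAttributeID="staticeduPersonEntitlement"` while also depending on `mappedEduPersonEntitlement`; with the classic `<Dependency>` syntax the IdP v3 resolver applies a `sourceAttributeID` to every dependency, so the values produced by the Mapped definition (whose id is `mappedEduPersonEntitlement`) would, as far as I can tell, be filtered out and only the static values would be released. Worth confirming with a test resolution (for example the `aacli` tool) that a member of `cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net` actually receives `urn:x-ldapgroup:ndn-sysadmin`; on IdP 3.4 or later the intent is expressible without `sourceAttributeID` as `<InputAttributeDefinition ref="mappedEduPersonEntitlement"/>` plus `<InputDataConnector ref="staticAttributes" attributeNames="staticeduPersonEntitlement"/>`, while on older releases the merge needs a definition that accepts both inputs. Independently, the `urn:x-ldapgroup:*` values are administrative-role claims, so a one-line comment on the Mapped definition naming which relying parties consume them would document why they are released at all. The enclosing `<AttributeResolver>` element starts outside the hunk.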
@@ -180,6 +200,16 @@
]]>
</FilterTemplate>
</DataConnector>
+ <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+ <FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.searchFilter}
+ ]]>
+ </FilterTemplate>
+ <ReturnAttributes>memberOf</ReturnAttributes>
+ </DataConnector>
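Review bot: `myLDAPGROUPS` is declared with only `ldapURL` and `baseDN`, so unless defaults are overridden elsewhere it binds anonymously and without the StartTLS and trust settings that the existing `myLDAP` connector (not visible in this hunk) presumably carries from ldap.properties; since the `memberOf` values it returns drive the admin entitlements in the first hunk, it should mirror `myLDAP`'s `principal`, `principalCredential`, `useStartTLS` and trust attributes rather than rely on defaults. The removed `<Dependency ref="myLDAP" />` in the first hunk suggests `memberOf` used to come from `myLDAP`, in which case adding `memberOf` to that connector's `<ReturnAttributes>` would avoid a second identical search per resolution. If the separate connector stays, a comment such as `<!-- Second search against the same directory, only to fetch memberOf for the group-to-entitlement mapping -->` would explain why it exists.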
<DataConnector id="staticAttributes" xsi:type="Static">
<Attribute id="o">
@@ -194,6 +224,15 @@
<Attribute id="norEduOrgAcronym">
<Value>NORDUNet</Value>
</Attribute>
+ <Attribute id="staticeduPersonEntitlement">
+ <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
+ <Value>urn:mace:terena.org:tcs:escience-user</Value>
+ <Value>urn:mace:terena.org:tcs:personal-user</Value>
+ <Value>urn:mace:rediris.es:entitlement:wiki:tfemc2</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-baas:admin</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value>
+ <Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value>
+ </Attribute>
</DataConnector>
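Review bot: Every value under `staticeduPersonEntitlement` is asserted for every user the IdP authenticates, because a `Static` connector has no per-user condition, and the list includes role-like values such as `urn:mace:swami.se:gmai:sunet-baas:admin` and `urn:mace:swami.se:gmai:sunet-iaas:admin`; if any relying party grants administrative access on those values, this change makes every account an administrator there. Values that imply a role belong in the group-based Mapped definition from the first hunk, and the static list should be limited to entitlements genuinely intended for the whole population, with a comment saying so, e.g. `<!-- Released to ALL authenticated users; never add role or admin values here -->`. The enclosing `<DataConnector id="staticAttributes">` starts outside the hunk.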
diff --git a/idp/template-config/test.xml b/idp/template-config/test.xml
deleted file mode 100644
index ea5c36e..0000000
--- a/idp/template-config/test.xml
+++ /dev/null
@@ -1,57 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- This file is an EXAMPLE metadata configuration file.
-<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
- xmlns="urn:mace:shibboleth:2.0:metadata"
- xmlns:resource="urn:mace:shibboleth:2.0:resource"
- xmlns:security="urn:mace:shibboleth:2.0:security"
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
- urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
- urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
- urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
-
- <!-- ==========================================================================================
- <!-- Metadata Configuration
- <!--
- <!-- Below you place the mechanisms which define how to load the metadata for SP(s) you will
- <!-- provide service to.
- <!--
- <!-- Two examples are provided. The Shibboleth Documentation at
- <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration
- <!-- provides more details.
- <!--
- <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP.
- <!-- ==========================================================================================
-
- <!--
- <MetadataProvider id="HTTPMetadata"
- xsi:type="FileBackedHTTPMetadataProvider"
- backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
- metadataURL="http://WHATEVER">
-
- <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
- <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
- <MetadataFilter xsi:type="EntityRoleWhiteList">
- <RetainedRole>md:SPSSODescriptor</RetainedRole>
- </MetadataFilter>
- </MetadataProvider>
-
-
- <MetadataProvider id="SWAMID2"
- xsi:type="FileBackedHTTPMetadataProvider"
- metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
- backingFile="%{idp.home}/metadata/swamid-2.0.xml">
-
- <MetadataFilter xsi:type="SignatureValidation"
- requireSignedRoot="true"
- certificateFile="%{idp.home}/credentials/md-signer2.crt" />
- <MetadataFilter xsi:type="EntityRoleWhiteList">
- <RetainedRole>md:SPSSODescriptor</RetainedRole>
- </MetadataFilter>
- </MetadataProvider>
-
-
- <MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" />
-
-</MetadataProvider>