Shibboleth 2.0 IdP Training: Attributes - PowerPoint PPT Presentation

Description:

Title: Shibboleth IdP Training: Attribute Resolution Author: Marcus M. Mizushima Last modified by: Nate Klingenstein Document presentation format – PowerPoint PPT presentation

Slides: 44
Provided by: Marcu209

Transcript and Presenter's Notes

1
Shibboleth 2.0 IdP Training: Attributes
  • January, 2009

2
Terms: Attribute
  • A piece of information about a user
  • Has a unique identifier and zero or more values
  • Shibboleth attributes are protocol-agnostic data
    structures

3
Terms: SAML Attribute
  • An attribute represented in SAML notation
  • Shibboleth encodes attributes into SAML attributes

4
Terms: Data Connector
  • A plugin that defines multiple attributes from
    data sources
  • Shibboleth supports static, LDAP, relational
    database, computed and stored ID data connectors

5
Terms: Attribute Definition
  • A plugin that creates a single attribute by
    transforming other attributes and state
    information
  • Attribute definition types: simple, scoped, regex,
    mapping, template, scripting, principal name and
    principal authentication method

6
Terms: Attribute Encoder
  • A plugin that converts an attribute into a
    protocol-specific form, like a SAML attribute
  • Attribute encoders are associated with an
    attribute through the attribute's definition

7
Terms: Attribute Resolver
  • A subsystem in Shibboleth responsible for
    fetching, transforming and associating encoders
    with attributes
  • Only attributes produced by attribute definitions
    leave the resolver and are available to the other
    parts of Shibboleth

8
Roadmap
  • Define a simple attribute with a static value
  • Define an attribute filter policy for that
    attribute
  • Define a simple attribute using values from an
    LDAP directory
  • Define another attribute filter policy
  • Define scoped attributes

9
Data Connectors: Definition
  • Data connectors are defined in
    attribute-resolver.xml
  • Uses the <DataConnector> element
  • Every data connector must have:
  • Unique identifier: id attribute
  • Type: xsi:type attribute
  • Each type has its own set of configuration
    attributes

10
Data Connector: Dependencies
  • Some connectors will need information collected
    by another plugin in order to work
  • <resolver:Dependency ref="refid" />
  • Dependencies must be declared before any other
    configuration elements

11
Data Connector: Static
  • Static data connectors add attributes to every
    resolved account
  • Data connector type: Static
  • Configuration attributes: (none)

12
Data Connector: Static
  • Attributes produced by the data connector are
    defined by the <Attribute> element
  • <Attribute id="attributeid">
  • Values are added by the <Value> element
  • <Value>attributevalue</Value>
  • Attributes may have more than one value

13
Lab: Static Data Connector
  • Define a static data connector for a single
    attribute returning a single value

14
Attribute Definition: Definition
  • Attribute definitions are defined in
    attribute-resolver.xml
  • Uses the <resolver:AttributeDefinition> element
  • Every attribute definition has:
  • Unique identifier: id attribute
  • Type: xsi:type attribute
  • Each type has its own set of configuration
    attributes

15
Attribute Definition: Dependencies
  • Most attribute definitions will need information
    collected by another plugin in order to work
  • <resolver:Dependency ref="refid" />
  • Dependencies must be declared before any other
    configuration elements

16
Attribute Definition Type: Simple
  • Releases an attribute from the resolver
  • Attribute type value: Simple
  • Configuration attributes: sourceAttributeID

17
Lab: Attribute Definition
  • Create an attribute definition for
    eduPersonAffiliation using the static data
    connector

18
Attribute Encoders: Definition
  • Shibboleth uses SAML attributes
  • Attribute encoders convert attributes into SAML
    attributes
  • Configured as children of an attribute definition
  • Uses <resolver:AttributeEncoder>
  • Each must have a type: xsi:type
  • Each type has configuration attributes

19
Attribute Encoder Type: Basic SAML 1
  • SAML 1 encoder definition:
    <resolver:AttributeEncoder
        xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="attributenameURN" />
  • Only the name attribute changes (URN):
    <resolver:AttributeEncoder
        xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonAffiliation" />

20
Attribute Encoder Type: Basic SAML 2
  • Similar to the SAML 1 encoder but uses the OID
    name for the attribute name and adds a friendly
    name:
    <resolver:AttributeEncoder
        xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        friendlyName="eduPersonAffiliation" />

21
Roadmap
  • Define a simple attribute with a static value
  • Define an attribute filter policy for that
    attribute
  • Define a simple attribute using values from an
    LDAP directory
  • Define another attribute filter policy
  • Define scoped attributes

22
Terms: Attribute Filter Policy
  • Describes what attributes are available to
    service providers

23
Terms: Policy Requirement Rule
  • A specific requirement that must be met
  • An attribute filter policy may only have one
    requirement rule but some allow child rules

24
Terms: Attribute Rule
  • A rule specific to an attribute
  • Determines which values of the attribute are
    released
  • An attribute filter policy may have any number of
    attribute rules

25
Terms: Permit Value Rule
  • Determines if an attribute value is to be
    released to a relying party

26
Terms: Attribute Filter Policy Group
  • A collection of attribute filter policies
  • Unit of configuration loaded by the attribute
    filtering engine

27
Lab: Release eduPersonAffiliation
  • Define an attribute filter policy that releases
    eduPersonAffiliation to anyone

28
Roadmap
  • Define a simple attribute with a static value
  • Define an attribute filter policy for that
    attribute
  • Define a simple attribute using values from an
    LDAP directory
  • Define another attribute filter policy
  • Define scoped attributes

29
Data Connector: LDAP
  • Data connector that retrieves information from an
    LDAP directory
  • Attribute type: LDAPDirectory
  • Configuration attributes:
  • ldapURL
  • baseDN
  • principal
  • credential

30
Data Connector: LDAP
  • Child element: <FilterTemplate>
  • Search filter template:
    (uid=$requestContext.principalName)

31
Data Connector: LDAP
  • A sample:
    <resolver:DataConnector id="localLDAP"
        xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://127.0.0.1:389"
        baseDN="ou=people,dc=example,dc=org"
        principal="uid=admin,ou=system"
        principalCredential="password">
        <FilterTemplate>
            (uid=$requestContext.principalName)
        </FilterTemplate>
    </resolver:DataConnector>

32
Lab: LDAP Data Connector
  • Define an LDAP data connector that connects to the
    shared LDAP server in the training lab

33
Attribute Definition: LDAP
  • Use the attribute definition dependency to define
    the LDAP data connector as a source
  • <resolver:Dependency ref="localLDAP" />
  • If you define multiple dependencies, the returned
    values will be combined

34
Lab: LDAP Attribute Definition
  • Add the LDAP data connector as a dependency to
    the attribute definition for eduPersonAffiliation

35
Roadmap
  • Define a simple attribute with a static value
  • Define an attribute filter policy for that
    attribute
  • Define a simple attribute using values from an
    LDAP directory
  • Define another attribute filter policy
  • Define a scoped attribute

36
Scoped Attributes
  • Two parts: value, separator, scope
  • student@example.edu
  • The scope indicates a domain where the value is
    valid

37
Attribute Definition: Scoped
  • Adds a static scope
  • Attribute type: Scoped
  • Configuration attributes:
  • sourceAttributeID
  • scope

38
Attribute Definition: Prescoped
  • The source value already contains the scope
  • Attribute type: Prescoped
  • Configuration attributes:
  • sourceAttributeID
  • scopeDelimiter

39
Lab: Create a Scoped Attribute
  • Define a Prescoped Attribute Definition that
    generates and sends eduPersonPrincipalName from
    the LDAP directory

40
Attribute Encoders: Scoped
  • Can convert into a SAML attribute in two ways
  • As an attribute on the SAML <AttributeValue>:
    <AttributeValue Scope="">
  • Using the inline notation:
    value@scope
  • Set by the scopeType attribute:
  • attribute
  • inline

41
Lab: Release eduPersonPrincipalName
  • Define an attribute filter policy that releases
    eduPersonPrincipalName to the test SP
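The attribute-filter.xml below is an added example (not from the slides or from the Shibboleth project) covering both filter labs in one policy group: slide 27, which releases eduPersonAffiliation to anyone, and the lab above, which releases eduPersonPrincipalName only to the test SP. The test SP's entityID https://sp.example.org/shibboleth and the policy ids are assumptions; attributeID values are the attribute definition ids from attribute-resolver.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: attribute-filter.xml with one policy per lab. The test SP's
     entityID and the policy ids are assumptions. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Slide 27 lab: eduPersonAffiliation to anyone. basic:ANY as the single
         policy requirement rule matches every relying party. -->
    <afp:AttributeFilterPolicy id="releaseAffiliationToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <!-- attributeID is the definition id from attribute-resolver.xml,
             not the SAML name or OID used by the encoders. -->
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <!-- Permit value rule: release every value of the attribute. -->
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Slide 41 lab: eduPersonPrincipalName only to the test SP.
         basic:AttributeRequesterString compares the requester's entityID with
         the given value, so no other SP satisfies this policy. -->
    <afp:AttributeFilterPolicy id="releaseEPPNToTestSP">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                                   value="https://sp.example.org/shibboleth" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

The filtering engine is deny-by-default: a resolved attribute with no permit value rule that matches the request is simply not released. Policies whose requirement rules all match the same request accumulate, so once a basic:ANY policy permits every value of an attribute, no later policy in the group can narrow that release for that attribute.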

42
More on Dependencies
  • Any resolver definition can have any number of
    dependencies
  • Dependency results are merged
  • Attribute definitions may be defined for
    dependency purposes only
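The resolver fragment below is an added example for slides 36 through 42 (it is not from the slides or from the Shibboleth project). It shows the slide-39 lab, a Prescoped eduPersonPrincipalName definition whose encoders use both scopeType settings from slide 40, and goes beyond the lab with a Scoped definition that attaches a static scope to a bare login name, built on a dependency-only uid definition as described on slide 42. It assumes the localLDAP data connector from slide 31 is present in the same file; the scope example.org, the LDAP attribute names eduPersonPrincipalName and uid, the id eppnFromUid and the prefix-style namespace declarations are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: scoped attribute definitions for eduPersonPrincipalName.
     Assumes the localLDAP connector from slide 31 is defined in this file;
     the scope, attribute names and the id eppnFromUid are assumptions. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Prescoped: the directory already stores "jdoe@example.org", so the
         definition only splits value and scope at the delimiter. -->
    <resolver:AttributeDefinition id="eduPersonPrincipalName"
                                  xsi:type="ad:Prescoped"
                                  sourceAttributeID="eduPersonPrincipalName"
                                  scopeDelimiter="@">
        <resolver:Dependency ref="localLDAP" />

        <!-- scopeType="attribute" encodes the scope as an XML attribute:
             <AttributeValue Scope="example.org">jdoe</AttributeValue> -->
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
                                   name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                                   scopeType="attribute" />

        <!-- scopeType="inline" encodes value and scope as one string:
             <AttributeValue>jdoe@example.org</AttributeValue> -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                                   friendlyName="eduPersonPrincipalName"
                                   scopeType="inline" />
    </resolver:AttributeDefinition>

    <!-- Scoped: the directory holds only the bare login name "jdoe", so the
         definition attaches a static scope. Sourced from the uid definition. -->
    <resolver:AttributeDefinition id="eppnFromUid"
                                  xsi:type="ad:Scoped"
                                  sourceAttributeID="uid"
                                  scope="example.org">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                                   friendlyName="eduPersonPrincipalName" />
    </resolver:AttributeDefinition>

    <!-- dependencyOnly="true": uid exists only to feed other definitions and
         never leaves the resolver, so no filter policy can release it. -->
    <resolver:AttributeDefinition id="uid"
                                  xsi:type="ad:Simple"
                                  sourceAttributeID="uid"
                                  dependencyOnly="true">
        <resolver:Dependency ref="localLDAP" />
    </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

Prescoped trusts whatever scope the directory supplies, so the IdP only asserts scopes it is entitled to if the directory data is controlled; Scoped fixes the scope in configuration, which is the safer choice when the login name alone comes from the directory. Either way the attribute filter still decides whether the resulting eduPersonPrincipalName reaches a given SP.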

43
References
  • For more information on attributes:
    https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute