Title: Shibboleth 2.0 IdP Training: Attributes
Terms: Attribute
- A piece of information about a user
- Has a unique identifier and zero or more values
- Shibboleth attributes are protocol-agnostic data structures

Terms: SAML Attribute
- An attribute represented in SAML notation
- Shibboleth encodes attributes into SAML attributes

Terms: Data Connector
- A plugin that defines multiple attributes from data sources
- Shibboleth supports static, LDAP, relational database, computed and stored ID data connectors

Terms: Attribute Definition
- A plugin that creates a single attribute by transforming other attributes and state information
- Attribute definition types: simple, scoped, regex, mapping, template, scripting, principal name and principal authentication method

Terms: Attribute Encoder
- A plugin that converts an attribute into a protocol-specific form, such as a SAML attribute
- Attribute encoders are associated with an attribute through the attribute's definition

Terms: Attribute Resolver
- The subsystem in Shibboleth responsible for fetching and transforming attributes and associating encoders with them
- Only attributes produced by attribute definitions leave the resolver and are available to the other parts of Shibboleth; data connector output stays inside the resolver
Roadmap
- Define a simple attribute with a static value
- Define an attribute filter policy for that attribute
- Define a simple attribute using values from an LDAP directory
- Define another attribute filter policy
- Define scoped attributes
Data Connectors: Definition
- Data connectors are defined in attribute-resolver.xml
- Uses the <resolver:DataConnector> element
- Every data connector must have
  - A unique identifier (id attribute)
  - A type (xsi:type attribute)
- Each type has its own set of configuration attributes

Data Connector: Dependencies
- Some connectors need information collected by another plugin in order to work
  - <resolver:Dependency ref="refid" />
- Dependencies must be declared before any other child configuration elements

Data Connector: Static
- Static data connectors add the same attributes to every resolved account
- Data connector type: Static
- Configuration attributes: (none)

Data Connector: Static
- Attributes produced by the data connector are defined by the <Attribute> element
  - <Attribute id="attributeid">
- Values are added by the <Value> element
  - <Value>attributevalue</Value>
- Attributes may have more than one value
Lab: Static Data Connector
- Define a static data connector for a single attribute returning a single value
Attribute Definition: Definition
- Attribute definitions are defined in attribute-resolver.xml
- Uses the <resolver:AttributeDefinition> element
- Every attribute definition has
  - A unique identifier (id attribute)
  - A type (xsi:type attribute)
- Each type has its own set of configuration attributes

Attribute Definition: Dependencies
- Most attribute definitions need information collected by another plugin in order to work
  - <resolver:Dependency ref="refid" />
- Dependencies must be declared before any other child configuration elements

Attribute Definition Type: Simple
- Releases an attribute from the resolver with the values of its source attribute unchanged
- Attribute type value: Simple
- Configuration attributes: sourceAttributeID

Lab: Attribute Definition
- Create an attribute definition for eduPersonAffiliation using the static data connector

Attribute Encoders: Definition
- Shibboleth uses SAML attributes on the wire
- Attribute encoders convert resolver attributes into SAML attributes
- Configured as children of an attribute definition
- Uses <resolver:AttributeEncoder>
- Each must have a type (xsi:type)
- Each type has its own configuration attributes

Attribute Encoder Type: Basic SAML 1
- SAML 1 encoder definition
  <resolver:AttributeEncoder xsi:type="SAML1String"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="attributenameURN" />
- Only the name attribute (the URN) changes from one attribute to the next
  <resolver:AttributeEncoder xsi:type="SAML1String"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:mace:dir:attribute-def:eduPersonAffiliation" />

Attribute Encoder Type: Basic SAML 2
- Similar to the SAML 1 encoder, but uses the OID-based name for the attribute and adds a friendly name
  <resolver:AttributeEncoder xsi:type="SAML2String"
      xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      friendlyName="eduPersonAffiliation" />
Terms: Attribute Filter Policy
- Describes which attributes, and which of their values, are released to which service providers

Terms: Policy Requirement Rule
- A condition that must be met for the policy to apply to a request (for example, any requester, or one specific SP)
- An attribute filter policy has exactly one requirement rule, but some rule types (the boolean AND, OR and NOT rules) take child rules

Terms: Attribute Rule
- A rule specific to one attribute
- Determines which values of that attribute are released
- An attribute filter policy may have any number of attribute rules

Terms: Permit Value Rule
- Determines whether an individual attribute value is released to a relying party

Terms: Attribute Filter Policy Group
- A collection of attribute filter policies
- The unit of configuration loaded by the attribute filtering engine

Lab: Release eduPersonAffiliation
- Define an attribute filter policy that releases eduPersonAffiliation to anyone
Data Connector: LDAP
- Data connector that retrieves information from an LDAP directory
- Data connector type: LDAPDirectory
- Configuration attributes
  - ldapURL
  - baseDN
  - principal
  - principalCredential

Data Connector: LDAP
- Child element: <FilterTemplate>
- Search filter template, expanded for each request
  - (uid=$requestContext.principalName)

Data Connector: LDAP
- A sample
  <resolver:DataConnector id="localLDAP"
      xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://127.0.0.1:389"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=admin,ou=system"
      principalCredential="password">
    <FilterTemplate>
      (uid=$requestContext.principalName)
    </FilterTemplate>
  </resolver:DataConnector>
- The sample binds as a directory administrator with a cleartext password over plain ldap://; outside a training lab, use a read-only service account and an encrypted connection (ldaps:// or StartTLS)

Lab: LDAP Data Connector
- Define an LDAP data connector that connects to the shared LDAP server in the training lab

Attribute Definition: LDAP
- Use an attribute definition dependency to make the LDAP data connector a source
  - <resolver:Dependency ref="localLDAP" />
- If you define multiple dependencies, the values returned by each are combined

Lab: LDAP Attribute Definition
- Add the LDAP data connector as a dependency to the attribute definition for eduPersonAffiliation
Scoped Attributes
- Two parts, joined by a separator: value@scope
  - student@example.edu
- The scope indicates the domain within which the value is valid

Attribute Definition: Scoped
- Adds a fixed scope to each value of the source attribute
- Attribute type: Scoped
- Configuration attributes
  - sourceAttributeID
  - scope

Attribute Definition: Prescoped
- For source values that already contain the scope (for example, an LDAP value of the form value@scope)
- Attribute type: Prescoped
- Configuration attributes
  - sourceAttributeID
  - scopeDelimiter

Lab: Create a Scoped Attribute
- Define a Prescoped attribute definition that generates eduPersonPrincipalName from the LDAP directory

Attribute Encoders: Scoped
- A scoped attribute can be converted into a SAML attribute in two ways
  - As an XML attribute on the SAML <AttributeValue> element
    - <AttributeValue Scope="...">
  - Using the inline notation
    - value@scope
- Selected by the scopeType attribute of the encoder
  - attribute
  - inline
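The LDAP connector and the scoped-attribute lab above, as one attribute-resolver.xml an engineer would actually deploy. This is an added example, not the deck's lab file: the host, DNs, bind account and the scope example.org are placeholders, and the useStartTLS attribute and ReturnAttributes child (both real IdP 2.x LDAPDirectory settings, though not shown in the slides) are used to keep the bind password off the wire and to limit the search to the attributes the resolver needs. Both encoder styles from the scoped-encoder slide are shown with scopeType set explicitly.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the deck's own configuration. Host names, DNs,
     the bind account and the scope "example.org" are placeholders. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- LDAP connector. useStartTLS upgrades the plain ldap:// connection
         before the bind, so the password and returned attributes are not
         sent in clear text. The bind account is a read-only service
         account, not a directory administrator. ReturnAttributes limits
         what the search pulls back to what the IdP actually resolves. -->
    <resolver:DataConnector id="localLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://ldap.example.org:389"
        useStartTLS="true"
        baseDN="ou=people,dc=example,dc=org"
        principal="uid=idp-reader,ou=system,dc=example,dc=org"
        principalCredential="replace-with-the-service-account-password">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>uid eduPersonAffiliation eduPersonPrincipalName</dc:ReturnAttributes>
    </resolver:DataConnector>

    <!-- Prescoped: the directory already stores "jdoe@example.org";
         the definition splits each value at scopeDelimiter into
         value + scope. -->
    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Prescoped"
        sourceAttributeID="eduPersonPrincipalName" scopeDelimiter="@">
        <resolver:Dependency ref="localLDAP" />
        <!-- SAML 1: scope carried as the Scope XML attribute on AttributeValue -->
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" scopeType="attribute"
            name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
        <!-- SAML 2: scope carried inline, the value on the wire is "jdoe@example.org" -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" scopeType="inline"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
    </resolver:AttributeDefinition>

    <!-- Scoped: the directory holds bare affiliation values ("student");
         the IdP appends the fixed scope, producing "student@example.org". -->
    <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped"
        sourceAttributeID="eduPersonAffiliation" scope="example.org">
        <resolver:Dependency ref="localLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" scopeType="inline"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
    </resolver:AttributeDefinition>
</resolver:AttributeResolver>
```

The difference between the two definition types is who controls the scope. With Scoped the IdP configuration fixes it, so every value is asserted under example.org no matter what the directory holds. With Prescoped the scope is whatever follows the delimiter in the directory value, so a stray entry such as jdoe@other.edu would be asserted with scope other.edu; a Shibboleth SP normally rejects scopes that are not listed for the IdP in metadata, but the directory data still needs to be kept consistent.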
Lab: Release eduPersonPrincipalName
- Define an attribute filter policy that releases eduPersonPrincipalName to the test SP
More on Dependencies
- Any resolver plugin (data connector or attribute definition) can have any number of dependencies
- Dependency results are merged
- Attribute definitions may be marked as being for dependency purposes only, so that they feed other definitions without leaving the resolver

References
- For more information on attributes:
  - https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute