| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
docpublic:systemes:persistentnameid [2018/04/09 09:49]
procacci@tem-tsp.eu [saml-nameid.properties] |
docpublic:systemes:persistentnameid [2022/05/03 08:20] (current)
adminjp [idp v4 logs] |
| * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID | * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID |
| |
| ===== saml-nameid.properties ===== | ===== nameID ===== |
| | ==== saml-nameid.properties ==== |
| |
| configure saml-nameid.properties to set the source attribute of a computed persistent ID | configure saml-nameid.properties to set the source attribute of a computed persistent ID |
| |
| |
| then we need to uncommented bold section below in saml-nameid.xml expecting to get a Persitent nameID format for the targeted SP "https://services.renater.fr/shibboleth" | then we need to uncommented // <ref bean="shibboleth.SAML2PersistentGenerator" />// in saml-nameid.xml expecting to get a Persitent nameID format for the targeted SP "https://services.renater.fr/shibboleth" |
| |
| | === idp v4 === |
| |
| ===== saml-nameid.xml ===== | quite the same as in V3 , except here we choose mail attribute and validate advice to use BASE32 encoding |
| | |
| | <code> |
| | [root@idp4 conf]# vim saml-nameid.properties |
| | idp.persistentId.algorithm = SHA |
| | idp.persistentId.salt = secretpasslongenough16bytes |
| | idp.persistentId.sourceAttribute = mail |
| | idp.persistentId.useUnfilteredAttributes = true |
| | idp.persistentId.encoding = BASE32 |
| | |
| | idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator |
| | </code> |
| | |
| | |
| | ==== saml-nameid.xml ==== |
| |
| but finally , there's no need to get into CustomNameIDGenerationConfiguration : | but finally , there's no need to get into CustomNameIDGenerationConfiguration : |
| |
| cf metadata below | cf metadata below |
| ===== metada requesting persistendID ===== | |
| | === idp v4 === |
| | |
| | uncomment bean="shibboleth.SAML2PersistentGenerator" |
| | |
| | <code> |
| | [root@idp4 conf]# vim saml-nameid.xml |
| | |
| | <!-- SAML 2 NameID Generation --> |
| | <util:list id="shibboleth.SAML2NameIDGenerators"> |
| | |
| | <ref bean="shibboleth.SAML2TransientGenerator" /> |
| | |
| | <!-- Uncommenting this bean requires configuration in saml-nameid.properties. --> |
| | <ref bean="shibboleth.SAML2PersistentGenerator" /> |
| | </code> |
| | ==== metada requesting persistendID ==== |
| |
| example | example |
| oid 1.3.6.1.4.1.5923.1.1.1.10 stands for : eduPersonTargetedID ! (cf https://www.internet2.edu/products-services/trust-identity/mace-registries/internet2-object-identifier-oid-registrations/) | oid 1.3.6.1.4.1.5923.1.1.1.10 stands for : eduPersonTargetedID ! (cf https://www.internet2.edu/products-services/trust-identity/mace-registries/internet2-object-identifier-oid-registrations/) |
| |
| | ===== attribute eduPersonTargetedID ===== |
| | |
| | The NameID generation is separate from the attribute resolution. Now that we have the NameID working, we can generate the //eduPersonTargetedID// by modifying attribute-resolver-ldap.xml (attribute-resolver.xml). Here is my configuration: |
| | |
| | <code> |
| | <resolver:DataConnector xsi:type="dc:ComputedId" |
| | id="computedID" |
| | generatedAttributeID="computedID" |
| | sourceAttributeID="%{idp.persistentId.sourceAttribute}" |
| | salt="%{idp.persistentId.salt}"> |
| | <resolver:Dependency ref="myLDAP" /> |
| | </resolver:DataConnector> |
| | |
| | <resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID" |
| | nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID"> |
| | <resolver:Dependency ref="computedID" /> |
| | <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> |
| | <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> |
| | </resolver:AttributeDefinition> |
| | </code> |
| | |
| | === resolver idp 4 === |
| | |
| | xml syntaxe changes sligthly : |
| | |
| | <code> |
| | [root@idp4 conf]# vim attribute-resolver-ldap.xml |
| | |
| | <!-- jeh edupersonTargetedID eduroam monitor --> |
| | <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID" |
| | nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" > |
| | <InputDataConnector ref="computed" attributeNames="computedId" /> |
| | <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> |
| | <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> |
| | </AttributeDefinition> |
| | |
| | <!-- jeh edupersonTargetedID eduroam monitor --> |
| | <DataConnector id="computed" xsi:type="ComputedId" |
| | excludeResolutionPhases="c14n/attribute" |
| | generatedAttributeID="computedId" |
| | salt="%{idp.persistentId.salt}" |
| | algorithm="%{idp.persistentId.algorithm:SHA}" |
| | encoding="BASE32"> |
| | |
| | <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" /> |
| | |
| | </DataConnector> |
| | </code> |
| | |
| | ===== test / validate with aacli ====== |
| | |
| | aacli.sh is a script that allows us to test locally what the IDP with send as nameIDs and attributes for a specific SP and associated principal (login) . we tes here our persistendID requested by SP and eduPersonTargetedID required : |
| | |
| | <code> |
| | [root@idp3 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=procaccia --saml2 |
| | |
| | 2017-12-19 13:38:33,906 - DEBUG [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:132] - Profile Action EncryptAssertions: Assertion before encryption: |
| | <?xml version="1.0" encoding="UTF-8"?> |
| | <saml2:Assertion ID="_f4d649d8cada1f44d2efa5ff53ff3324" |
| | IssueInstant="2017-12-19T12:38:33.763Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> |
| | <saml2:Issuer>https://idp3.tem-tsp.eu/idp/shibboleth</saml2:Issuer> |
| | <saml2:Subject> |
| | <saml2:NameID |
| | Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" |
| | NameQualifier="https://idp3.tem-tsp.eu/idp/shibboleth" SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">cypRgyH6cq0Iifq1UFZGlgCKLDB=</saml2:NameID> |
| | <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> |
| | <saml2:SubjectConfirmationData Address="191.160.129.124" |
| | InResponseTo="_652d7ff66093e86dc79aa45711b99f7dfdcf7a2501" |
| | NotOnOrAfter="2017-12-19T12:43:33.835Z" Recipient="https://monitor.eduroam.org/sp/module.php/saml/sp/saml2-acs.php/default-sp"/> |
| | </saml2:SubjectConfirmation> |
| | </saml2:Subject> |
| | <saml2:Conditions NotBefore="2017-12-19T12:38:33.763Z" NotOnOrAfter="2017-12-19T12:43:33.763Z"> |
| | <saml2:AudienceRestriction> |
| | <saml2:Audience>https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp</saml2:Audience> |
| | </saml2:AudienceRestriction> |
| | </saml2:Conditions> |
| | <saml2:AuthnStatement AuthnInstant="2017-12-19T12:38:27.135Z" SessionIndex="_26a4eacab6d659a933907f74b73cf807"> |
| | <saml2:SubjectLocality Address="191.160.129.124"/> |
| | <saml2:AuthnContext> |
| | <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> |
| | </saml2:AuthnContext> |
| | </saml2:AuthnStatement> |
| | <saml2:AttributeStatement> |
| | <saml2:Attribute FriendlyName="uid" |
| | Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
| | <saml2:AttributeValue |
| | xmlns:xsd="http://www.w3.org/2001/XMLSchema" |
| | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procaccia</saml2:AttributeValue> |
| | </saml2:Attribute> |
| | <saml2:Attribute FriendlyName="mail" |
| | Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
| | <saml2:AttributeValue |
| | xmlns:xsd="http://www.w3.org/2001/XMLSchema" |
| | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">jehan.procaccia@tem-tsp.eu</saml2:AttributeValue> |
| | </saml2:Attribute> |
| | <saml2:Attribute FriendlyName="eduPersonTargetedID" |
| | Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
| | <saml2:AttributeValue> |
| | <saml2:NameID |
| | Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" |
| | NameQualifier="https://idp3.tem-tsp.eu/idp/shibboleth" SPNameQualifier="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">cypRgyH6cq0Iifq1UFZGlgCKLDB=</saml2:NameID> |
| | </saml2:AttributeValue> |
| | </saml2:Attribute> |
| | <saml2:Attribute FriendlyName="eduPersonPrincipalName" |
| | Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
| | <saml2:AttributeValue |
| | xmlns:xsd="http://www.w3.org/2001/XMLSchema" |
| | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">procaccia@tem-tsp.eu</saml2:AttributeValue> |
| | </saml2:Attribute> |
| | </saml2:AttributeStatement> |
| | </saml2:Assertion> |
| | |
| | 2017-12-19 13:38:34,036 - INFO [Shibboleth-Audit.SSO:241] - 20171219T123834Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_652d7ff66093e86dc79aa45711b99f7dfdcf7a2501|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp3.tem-tsp.eu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_e20f43530af84efaaf7f001d4ecc0f6f|procaccia|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport| |
| | |
| | uid,mail,eduPersonTargetedID,eduPersonPrincipalName|cypRgyH6cq0Iifq1UFZGlgCKLDA=|_f4d649d8cada1f44d2efa5ff53ff3324| |
| | </code> |
| | |
| | === aacli idp v4 === |
| | |
| | <code> |
| | [root@idp4 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=proc |
| | |
| | { |
| | "requester": "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp", |
| | "principal": "proc", |
| | "attributes": [ |
| | { |
| | "name": "eduPersonTargetedID", |
| | "values": [ |
| | "RJRXNKY474MMFO27SECRE3DKNTPAKY5V" |
| | ] |
| | }, |
| | { |
| | "name": "displayName", |
| | "values": [ |
| | "Jeh PROC" |
| | ] |
| | }, |
| | { |
| | "name": "mail", |
| | "values": [ |
| | "jeh.proc@em-tsp.eu" |
| | ] |
| | } |
| | ] |
| | } |
| | </code> |
| | |
| | |
| | ==== idp v4 logs ==== |
| | |
| | <code> |
| | 2022-05-02 22:50:53,593 - 157.159.10.9 - INFO [Shibboleth-Audit.SSO:283] - 157.159.10.9|2022-05-02T20:50:25.379162Z|2022-05-02T20:50:53.593227Z|procac|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|_5265b1224215d57621ebc3dd7e2263a5|password|2022-05-02T20:50:41.088993Z|mail,eduPersonTargetedID,displayName|AAdzZWNyZXQxfd6FaL2H/oTzHRhzrhRYxB4SV1aFGDPXSKgf8zyheoU7yyMyorGzsRIiss4rp0v/kQTJARgY693ws9C2ZVVfJ1AguusrwvXlzIDKsXNispCRrjWnL7UOuyXxgfPo1I9EopKzRRcf0HI2RXd9cRI7UQIuuI1ufkrTMS/TzuuSEZzd96bfeUA=|transient|false|true|AES128-CBC|Redirect|POST||Success||d2c06d37c962ed62666b31a6791aaf0a1b27467c8719dcbb865de58ed67b78f5|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.3 |
| | </code> |
| |
