Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:persistentnameid [2018/04/09 10:02]
procacci@tem-tsp.eu [attribute eduPersonTargetedID]
+++ docpublic:systemes:persistentnameid [2022/05/03 08:20] (current)
adminjp [idp v4 logs]
@@ Line 12: / Line 12: @@
   *  https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID
-===== saml-nameid.properties =====
+===== nameID =====
+==== saml-nameid.properties ====
 configure saml-nameid.properties to set the source attribute of a computed persistent ID
@@ Line 44: / Line 45: @@
 then we need to uncommented // <ref bean="shibboleth.SAML2PersistentGenerator" />//  in saml-nameid.xml expecting to get a Persitent nameID format for the targeted SP "https://services.renater.fr/shibboleth"
+=== idp v4 ===
-===== saml-nameid.xml =====
+quite the same as in V3 , except here we choose mail attribute and validate advice to use BASE32 encoding
+<code>
+[root@idp4 conf]# vim saml-nameid.properties
+idp.persistentId.algorithm = SHA
+idp.persistentId.salt = secretpasslongenough16bytes
+idp.persistentId.sourceAttribute = mail
+idp.persistentId.useUnfilteredAttributes = true
+idp.persistentId.encoding = BASE32
+idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
+</code>
+==== saml-nameid.xml ====
 but finally , there's no  need to get into CustomNameIDGenerationConfiguration :
@@ Line 77: / Line 93: @@
 cf metadata below
-===== metada requesting persistendID =====
+=== idp v4 ===
+uncomment bean="shibboleth.SAML2PersistentGenerator"
+<code>
+[root@idp4 conf]# vim saml-nameid.xml
+<!-- SAML 2 NameID Generation -->
+    <util:list id="shibboleth.SAML2NameIDGenerators">
+        <ref bean="shibboleth.SAML2TransientGenerator" />
+        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
+        <ref bean="shibboleth.SAML2PersistentGenerator" />
+</code>
+==== metada requesting persistendID ====
 example
@@ Line 132: / Line 164: @@
 </code>
+=== resolver idp 4 ===
-==== test / validate with aacli =====
+xml syntaxe changes sligthly :
+<code>
+[root@idp4 conf]# vim attribute-resolver-ldap.xml
+<!--  jeh edupersonTargetedID eduroam monitor -->
+     <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
+                                nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" >
+      <InputDataConnector ref="computed" attributeNames="computedId" />
+      <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+      <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+  </AttributeDefinition>
+ <!--  jeh edupersonTargetedID eduroam monitor -->
+    <DataConnector id="computed" xsi:type="ComputedId"
+        excludeResolutionPhases="c14n/attribute"
+            generatedAttributeID="computedId"
+            salt="%{idp.persistentId.salt}"
+            algorithm="%{idp.persistentId.algorithm:SHA}"
+        encoding="BASE32">
+        <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
+        </DataConnector>
+</code>
+===== test / validate with aacli ======
+aacli.sh is a script that allows us to test locally what the IDP with send as nameIDs and attributes for a specific SP and associated principal (login) . we tes here our persistendID requested by SP and eduPersonTargetedID required :
 <code>
@@ Line 199: / Line 260: @@
 </code>
+=== aacli idp v4 ===
+<code>
+[root@idp4 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=proc
+{
+"requester": "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp",
+"principal": "proc",
+"attributes": [
+  {
+    "name": "eduPersonTargetedID",
+    "values": [
+        "RJRXNKY474MMFO27SECRE3DKNTPAKY5V"
+    ]
+  },
+  {
+    "name": "displayName",
+    "values": [
+        "Jeh PROC"
+    ]
+  },
+  {
+    "name": "mail",
+    "values": [
+        "jeh.proc@em-tsp.eu"
+    ]
+  }
+]
+}
+</code>
+==== idp v4 logs ====
+<code>
+-05-02 22:50:53,593 - 157.159.10.9 - INFO [Shibboleth-Audit.SSO:283] - 157.159.10.9|2022-05-02T20:50:25.379162Z|2022-05-02T20:50:53.593227Z|procac|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|_5265b1224215d57621ebc3dd7e2263a5|password|2022-05-02T20:50:41.088993Z|mail,eduPersonTargetedID,displayName|AAdzZWNyZXQxfd6FaL2H/oTzHRhzrhRYxB4SV1aFGDPXSKgf8zyheoU7yyMyorGzsRIiss4rp0v/kQTJARgY693ws9C2ZVVfJ1AguusrwvXlzIDKsXNispCRrjWnL7UOuyXxgfPo1I9EopKzRRcf0HI2RXd9cRI7UQIuuI1ufkrTMS/TzuuSEZzd96bfeUA=|transient|false|true|AES128-CBC|Redirect|POST||Success||d2c06d37c962ed62666b31a6791aaf0a1b27467c8719dcbb865de58ed67b78f5|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.3
+</code>

docpublic/systemes/persistentnameid.1523268158.txt.gz · Last modified: 2018/04/09 10:02 by procacci@tem-tsp.eu

Show page Old revisions

[unknown link type]Back to top