docpublic:systemes:persistentnameid [2018/04/09 10:04]
procacci@tem-tsp.eu [metada requesting persistendID]
docpublic:systemes:persistentnameid [2022/05/03 08:20] (current)
adminjp [idp v4 logs]
Line 44: Line 44:
  
 then we need to uncommented // <ref bean="shibboleth.SAML2PersistentGenerator" />//  in saml-nameid.xml expecting to get a Persitent nameID format for the targeted SP "https://services.renater.fr/shibboleth" then we need to uncommented // <ref bean="shibboleth.SAML2PersistentGenerator" />//  in saml-nameid.xml expecting to get a Persitent nameID format for the targeted SP "https://services.renater.fr/shibboleth"
 +
 +=== idp v4 ===
 +
 +quite the same as in V3 , except here we choose mail attribute and validate advice to use BASE32 encoding 
 +
 +<code>
 +[root@idp4 conf]# vim saml-nameid.properties
 +idp.persistentId.algorithm = SHA
 +idp.persistentId.salt = secretpasslongenough16bytes
 +idp.persistentId.sourceAttribute = mail
 +idp.persistentId.useUnfilteredAttributes = true
 +idp.persistentId.encoding = BASE32
 +
 +idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
 +</code>
  
  
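Review bot: `idp.persistentId.sourceAttribute = mail` ties the persistent ID to a mutable attribute; if a user's mail address is ever changed or reassigned, the computed value changes and the relying SP sees a different (or, worse, a reused) identity. A non-reassignable directory identifier is the safer source when one exists, and the section should say so. The same care applies to `idp.persistentId.salt`: it must stay constant for the life of the deployment, since changing it changes every issued ID, so confirm that the value shown here is a placeholder rather than the production salt and say where the real one is kept.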
Line 78: Line 93:
  
 cf metadata below  cf metadata below 
 +
 +=== idp v4 ===
 +
 +uncomment bean="shibboleth.SAML2PersistentGenerator"
 +
 +<code>
 +[root@idp4 conf]# vim saml-nameid.xml
 +
 +<!-- SAML 2 NameID Generation -->
 +    <util:list id="shibboleth.SAML2NameIDGenerators">
 +
 +        <ref bean="shibboleth.SAML2TransientGenerator" />
 +
 +        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
 +        <ref bean="shibboleth.SAML2PersistentGenerator" />
 +</code>
 ==== metada requesting persistendID ==== ==== metada requesting persistendID ====
  
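Review bot: the `saml-nameid.xml` excerpt stops right after `<ref bean="shibboleth.SAML2PersistentGenerator" />` without the closing `</util:list>`, so a reader copying it ends up with an unclosed element; either show the end of the list or state that the rest of the file is unchanged. It is also worth one sentence that uncommenting the bean only makes the persistent generator available, and that the SP must still request `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` (the metadata section that follows) before the IdP will emit it.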
Line 133: Line 164:
 </code> </code>
  
 +=== resolver idp 4 ===
  
-==== test / validate with aacli =====+xml syntaxe changes sligthly :  
 + 
 +<code> 
 +[root@idp4 conf]# vim attribute-resolver-ldap.xml  
 + 
 +<!--  jeh edupersonTargetedID eduroam monitor --> 
 +     <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID" 
 +                                nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
 +      <InputDataConnector ref="computed" attributeNames="computedId" /> 
 +      <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" /> 
 +      <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> 
 +  </AttributeDefinition> 
 +   
 + <!--  jeh edupersonTargetedID eduroam monitor --> 
 +    <DataConnector id="computed" xsi:type="ComputedId" 
 +        excludeResolutionPhases="c14n/attribute" 
 +            generatedAttributeID="computedId" 
 +            salt="%{idp.persistentId.salt}" 
 +            algorithm="%{idp.persistentId.algorithm:SHA}" 
 +        encoding="BASE32"> 
 + 
 +        <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" /> 
 + 
 +        </DataConnector> 
 +</code> 
 + 
 +===== test / validate with aacli =====
 + 
 +aacli.sh is a script that allows us to test locally what the IDP with send as nameIDs and attributes for a specific SP and associated principal (login) . we tes here our persistendID requested by SP and eduPersonTargetedID required :
  
 <code> <code>
Line 200: Line 260:
 </code> </code>
  
 +=== aacli idp v4 ===
 +
 +<code>
 +[root@idp4 shibboleth-idp]# ./bin/aacli.sh --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp --configDir=conf/ --principal=proc
 +
 +{
 +"requester": "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp",
 +"principal": "proc",
 +"attributes": [
 +  {
 +    "name": "eduPersonTargetedID",
 +    "values": [
 +        "RJRXNKY474MMFO27SECRE3DKNTPAKY5V"
 +    ]
 +  },
 +  {
 +    "name": "displayName",
 +    "values": [
 +        "Jeh PROC"
 +    ]
 +  },
 +  {
 +    "name": "mail",
 +    "values": [
 +        "jeh.proc@em-tsp.eu"
 +    ]
 +  }
 +]
 +}
 +</code>
 +
 +
 +==== idp v4 logs ====
 +
 +<code>
 +2022-05-02 22:50:53,593 - 157.159.10.9 - INFO [Shibboleth-Audit.SSO:283] - 157.159.10.9|2022-05-02T20:50:25.379162Z|2022-05-02T20:50:53.593227Z|procac|https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp|_5265b1224215d57621ebc3dd7e2263a5|password|2022-05-02T20:50:41.088993Z|mail,eduPersonTargetedID,displayName|AAdzZWNyZXQxfd6FaL2H/oTzHRhzrhRYxB4SV1aFGDPXSKgf8zyheoU7yyMyorGzsRIiss4rp0v/kQTJARgY693ws9C2ZVVfJ1AguusrwvXlzIDKsXNispCRrjWnL7UOuyXxgfPo1I9EopKzRRcf0HI2RXd9cRI7UQIuuI1ufkrTMS/TzuuSEZzd96bfeUA=|transient|false|true|AES128-CBC|Redirect|POST||Success||d2c06d37c962ed62666b31a6791aaf0a1b27467c8719dcbb865de58ed67b78f5|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.3
 +</code>
  
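Review bot: the `<AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"` start tag in the attribute-resolver-ldap.xml block is never closed: the `nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"` line needs a trailing `>` before `<InputDataConnector ref="computed" attributeNames="computedId" />`, otherwise the resolver file is not well-formed XML and will not load. Separately, the audit record in the idp v4 logs block reports `transient` in its NameID-format field for the eduroam monitor SP, so that line only shows the computed value being released as the eduPersonTargetedID attribute, not a persistent NameID being issued; say so, or replace it with a log line from a request where the persistent format was actually negotiated.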
docpublic/systemes/persistentnameid.1523268251.txt.gz · Last modified: 2018/04/09 10:04 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International