Example of a provisioning script for the eduPersonEntitlement attribute, which is used to determine an individual's access to different resources. Here we rely on three directory attributes, which respectively determine application rights (schacUserStatus), personal identity based on the e-mail address (email), and membership of an organisational unit (eduPersonPrimaryOrgUnitDN).
/opt/shibboleth-idp/conf/attribute-resolver.xml
<!-- eduPersonEntitlement -->
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="ldapTMSP" />
    <resolver:Dependency ref="schacUserStatus" />
    <resolver:Dependency ref="email" />
    <resolver:Dependency ref="eduPersonPrimaryOrgUnitDN" />
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="entitlement" />
    <Script>
    <![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");

        // Application rights: one entitlement per matching schacUserStatus value.
        // The values are java.lang.String objects, so String.matches() is used throughout;
        // it requires a full match, hence the leading/trailing ".*" and no ^/$ anchors.
        if (schacUserStatus != null && email != null) {
            for (i = 0; i < schacUserStatus.getValues().size(); i++) {
                value = schacUserStatus.getValues().get(i);
                if (value.matches(".*cert.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:terena.org:tcs:personal-user");
                } else if (value.matches(".*conge.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:it-sudparis.eu:it:personal-conges");
                } else if (value.matches(".*wpublic.*")) {
                    eduPersonEntitlement.getValues().add("urn:mace:it-sudparis.eu:it:personal-webspace");
                }
            }
            // TCS administrator role: granted to named identities only
            // (Prenom1.Nom1 / Prenom2.Nom2 are placeholders; dots are escaped so they match literally).
            mail = email.getValues().get(0);
            if (mail.matches("Prenom1\\.Nom1@it-sudparis\\.eu") || mail.matches("Prenom2\\.Nom2@it-sudparis\\.eu")) {
                eduPersonEntitlement.getValues().add("urn:mace:terena.org:tcs:personal-admin");
            }
        }

        // Organisational membership: members of DISI get the DSI entitlement.
        // The value must be spelled exactly as in the filter policy (struc-dsi-user),
        // otherwise the filter silently drops it and it is never released.
        if (eduPersonPrimaryOrgUnitDN != null) {
            if (eduPersonPrimaryOrgUnitDN.getValues().get(0).matches(".*DISI.*")) {
                eduPersonEntitlement.getValues().add("urn:mace:it-sudparis.eu:it:struc-dsi-user");
            }
        }
    ]]>
    </Script>
</resolver:AttributeDefinition>
The filter rules define, depending on the resource being accessed (the SP), which values of the eduPersonEntitlement attribute are released to it.
<!-- Release eduPersonEntitlement and its permissible values to any SP that is a member of FedeIT or Fede Mines -->
<AttributeFilterPolicy id="releaseEPeToMinesTelecom">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="https://federation.institut-telecom.fr/" />
        <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://www.mines-nantes.fr/" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:it-sudparis.eu:it:personal-conges" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:it-sudparis.eu:it:personal-webspace" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:it-sudparis.eu:it:struc-dsi-user" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>

<!-- Release eduPersonEntitlement and its permissible values to two SPs: TCS and wpublic -->
<AttributeFilterPolicy id="releaseEPeToTCS">
    <PolicyRequirementRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://tcs-personal-portal.terena.org/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" />
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www-public.it-sudparis.eu" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:terena.org:tcs:personal-user" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:terena.org:tcs:personal-admin" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
As an example here:
The first rule (AttributeFilterPolicy id="releaseEPeToMinesTelecom") sends the eduPersonEntitlement values to the SPs of the Mines-Telecom federation (matched by groupID).
The second (AttributeFilterPolicy id="releaseEPeToTCS") explicitly sends to the TCS personal-certificate SP and to the www-public SP the values of this same attribute that concern them more specifically:
* SP belonging to the Mines-Telecom federation: http://infopedia.it-sudparis.eu/test/shib/shibtest.php (attribute displayed: entitlement)
* SP belonging to the "Renater/TCS …" federation: http://www-public.it-sudparis.eu/test/shib/shibtest.php (attribute displayed: entitlement)
In the IdP's log, when accessing the TCS SP, one can clearly see that it filters the right values:
$ tail -f /opt/shibboleth-idp/logs/idp-process.log | grep -i edupersonentitlement
17:39:21.459 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:316] - Resolved attribute eduPersonEntitlement containing 5 values
17:39:21.477 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:156] - Processing permit value rule for attribute eduPersonEntitlement for principal procacci
17:39:21.477 - TRACE [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:168] - The following value for attribute eduPersonEntitlement does not meet permit value rule: urn:mace:it-sudparis.eu:it:personal-webspace
17:39:21.477 - TRACE [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:168] - The following value for attribute eduPersonEntitlement does not meet permit value rule: urn:mace:it-sudparis.eu:it:personal-conges
17:39:21.477 - TRACE [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:168] - The following value for attribute eduPersonEntitlement does not meet permit value rule: urn:mace:it-sudparis.eu:it:struc-dsi-user
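To check the release outcome without a running IdP, here is an added example (not code from the wiki page or from Shibboleth) in plain JavaScript that models the resolver script and the two filter policies together; the principal and SP records are constructed test data. It also shows the caveat behind the TRACE lines above: a value the resolver emits is released only if it matches a permit rule of a policy that applies to the requesting SP, otherwise it is dropped silently.

```javascript
// Added example (not from the wiki page or Shibboleth): models the IdP's two stages,
// attribute resolution (the Script definition) then per-SP attribute filtering (the
// AttributeFilterPolicy rules). Principal and SP records are constructed test data.

// Named TCS administrators; the wiki page uses these placeholder addresses.
const TCS_ADMINS = ["Prenom1.Nom1@it-sudparis.eu", "Prenom2.Nom2@it-sudparis.eu"];

// Stage 1: derive eduPersonEntitlement from the three directory attributes.
function resolveEntitlement(user) {
  const out = new Set();
  if (user.schacUserStatus && user.email) {
    for (const status of user.schacUserStatus) {
      if (/cert/.test(status)) out.add("urn:mace:terena.org:tcs:personal-user");
      else if (/conge/.test(status)) out.add("urn:mace:it-sudparis.eu:it:personal-conges");
      else if (/wpublic/.test(status)) out.add("urn:mace:it-sudparis.eu:it:personal-webspace");
    }
    if (TCS_ADMINS.includes(user.email[0])) out.add("urn:mace:terena.org:tcs:personal-admin");
  }
  if (user.eduPersonPrimaryOrgUnitDN && /DISI/.test(user.eduPersonPrimaryOrgUnitDN[0])) {
    out.add("urn:mace:it-sudparis.eu:it:struc-dsi-user");
  }
  return [...out];
}

// Stage 2: the two filter policies from the page. A policy applies when the requesting
// SP matches by federation membership (groupID) or by entityID; only listed values pass.
const TCS_SP = "https://tcs-personal-portal.terena.org/simplesamlphp/module.php/saml/sp/metadata.php/default-sp";
const POLICIES = [
  { id: "releaseEPeToMinesTelecom",
    applies: sp => sp.groups.some(g => ["https://federation.institut-telecom.fr/", "http://www.mines-nantes.fr/"].includes(g)),
    permit: ["urn:mace:it-sudparis.eu:it:personal-conges", "urn:mace:it-sudparis.eu:it:personal-webspace",
             "urn:mace:it-sudparis.eu:it:struc-dsi-user"] },
  { id: "releaseEPeToTCS",
    applies: sp => [TCS_SP, "https://www-public.it-sudparis.eu"].includes(sp.entityID),
    permit: ["urn:mace:terena.org:tcs:personal-user", "urn:mace:terena.org:tcs:personal-admin"] },
];

// Apply every matching policy (ignoreCase="true" in the rules, so compare case-insensitively);
// values with no permit rule are dropped silently, which is what the TRACE log lines report.
function releasedTo(sp, values) {
  const allowed = new Set(POLICIES.filter(p => p.applies(sp)).flatMap(p => p.permit).map(v => v.toLowerCase()));
  return {
    released: values.filter(v => allowed.has(v.toLowerCase())),
    denied: values.filter(v => !allowed.has(v.toLowerCase())),
  };
}

// Constructed principal: certificate, leave and webspace flags, DISI org unit, not an admin.
const user = { schacUserStatus: ["cert", "conge", "wpublic"], email: ["someone@it-sudparis.eu"],
               eduPersonPrimaryOrgUnitDN: ["ou=DISI,dc=it-sudparis,dc=eu"] };
console.log(releasedTo({ entityID: TCS_SP, groups: [] }, resolveEntitlement(user)));
```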