Changes between Version 21 and Version 22 of spiam2018
- Timestamp:
- Sep 18, 2018, 10:23:10 AM (6 years ago)
spiam2018
v21 v22 407 407 }}} 408 408 === Enable Attribute Support on Shibboleth SP === 409 20. Enable attribute by remove comment from the related content into "`/etc/shibboleth/attribute-map.xml`" Disable First deprecated/incorrect version of `persistent-id` from `attribute-map.xml` 410 409 20. Enable attributes by remove comment from the related content into `/etc/shibboleth/attribute-map.xml` 410 411 Also you have to Disable `First deprecated/incorrect version` from `attribute-map.xml` 412 {{{ 413 <!-- <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id"> 414 <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> 415 <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> 416 </Attribute> --> 417 }}} 411 418 === Enable Single Logout === 412 419 21. Change <Logout> element in /etc/shibboleth/shibboleth2.xml. They get passed as attributes to the SAML2 logoutInitiator that gets created by the Logout element. The fully unfolded configuration with settings identical to default is: … … 449 456 450 457 451 * To release specific attributes for a SP you can add it to `/opt/shibboleth-idp/conf/attribute-filter.xml` 458 23. Now you may visit https://sp.instXY.ac.lk/secure and try login using your IDP's credentials, check out the consent page at the first login. 459 460 You will only see the `Scoped Affiliation` attribute of the user as by default other attributes are not included in your attribute filter file. 461 462 * To release specific attributes for a SP you can add it to `/opt/shibboleth-idp/conf/attribute-filter.xml` of your '''IDP''' 452 463 453 464 Consult Service Provider guidelines and https://fr-training.ac.lk/attribute-filter-LEARN-Production.xml on deciding what attributes you should release. 454 465 466 As an example lets allow EPPN, CN, mail and mobile for your sp. 
467 468 On your IDP, 469 470 {{{ 471 vim /opt/shibboleth-idp/conf/attribute-filter.xml 472 }}} 473 474 Add the following to the tail before the closing `</AttributeFilterPolicyGroup>` tag. 475 {{{ 476 <!-- Release some attributes to SP. --> 477 <AttributeFilterPolicy id="sp.instXY"> 478 <PolicyRequirementRule xsi:type="Requester" value="https://sp.instXY.ac.lk/shibboleth" /> 479 480 <AttributeRule attributeID="eduPersonPrincipalName"> 481 <PermitValueRule xsi:type="ANY" /> 482 </AttributeRule> 483 484 <AttributeRule attributeID="commonName"> 485 <PermitValueRule xsi:type="ANY" /> 486 </AttributeRule> 487 488 <AttributeRule attributeID="mobile"> 489 <PermitValueRule xsi:type="ANY" /> 490 </AttributeRule> 491 492 <AttributeRule attributeID="mail"> 493 <PermitValueRule xsi:type="ANY" /> 494 </AttributeRule> 495 </AttributeFilterPolicy> 496 497 }}} 498 455 499 Reload shibboleth.!AttributeFilterService to apply the new SP 456 500 457 23. Now you may visit https://sp.instXY.ac.lk/secure and try login using your IDP's credentials, check out the consent page at the first login. 501 {{{ 502 /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeFilterService 503 }}} 504 505 506 Re-visit `https://sp.instXY.ac.lk/secure` , at the login consent page you can check the attributes that are released by the filter created above. 507 508 Once you accept the consent you can see the attributes that were used by your SP. If you can't see attributes like `mobile` in your page, you need to allow them on your attribute-map of the SP. 
509 510 To do that edit `/etc/shibboleth/attribute-map.xml` on your '''SP''' 511 512 {{{ 513 vim /etc/shibboleth/attribute-map.xml 514 }}} 515 516 Uncomment '''Examples of LDAP-based attributes''' section at the end and before the closing `</Attributes>` line, include, 517 518 {{{ 519 <Attribute name="urn:oid:0.9.2342.19200300.100.1.41" id="mobile"/> 520 <Attribute name="urn:mace:dir:attribute-def:mobile" id="mobile"/> 521 }}} 522 523 And restart shibd and apache2 services.
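Review bot: the instruction at 409-411 is ambiguous about which entry to disable: v21 named `persistent-id`, v22 says `First deprecated/incorrect version`, and the XML actually shown at 413-416 is the `targeted-id` (eduPersonTargetedID) block decoded with `ScopedAttributeDecoder`. State plainly that this block is the one to comment out (it is the entry the quoted phrase refers to). Also add a caveat: if the inner `NameIDFromScopedAttributeDecoder` line already sits inside its own `<!-- -->` in the file being edited, wrapping the whole block in a second comment nests comments, which is not well-formed XML and shibd will refuse to load; strip the inner markers first so only one comment level remains. Minor: "Enable attributes by remove comment" should read "by removing the comment".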
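Review bot: the policy at 477-495 keys on a `Requester` value of `https://sp.instXY.ac.lk/shibboleth`; this must match the SP's entityID exactly (as published in its metadata) or nothing is released, so say so beside the placeholder and mark `sp.instXY` and the URL as per-institution values to replace. The `attributeID`s (eduPersonPrincipalName, commonName, mobile, mail) must also be attributes this IdP actually resolves: line 508 attributes a missing `mobile` solely to the SP's attribute-map, but an attribute the IdP does not define or does not release looks identical from the SP side, so suggest telling the reader to first confirm the attribute shows up on the consent page (line 506) before editing the SP. `PermitValueRule xsi:type="ANY"` for `mail` and `mobile` is scoped to this single Requester, which is the right granularity for personal data; keep the rule per-SP rather than widening it.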
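Review bot: line 516 tells the reader to uncomment the whole "Examples of LDAP-based attributes" section, but the stated goal at 508 is only to accept `mobile`; uncommenting the entire section makes the SP accept every attribute listed there. Either say to uncomment only the entries needed, making clear that the two lines at 519-520 are additions rather than part of that section, or document that accepting the whole section is intended. Both lines at 519-520 map to the same `id="mobile"`, which is valid for the SP (two wire names, one local id) but deserves a one-line comment so a reader does not "fix" it by renaming one. Line 523 should spell out the restart command rather than just naming the services.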