Versions Compared

Comment: add schac transcoding rules

The Shibboleth IDP's Attribute Resolver collects data from authoritative sources (systems of record) and transforms and encodes the data as needed, before it is passed on to the attribute filter.

All parts of the resolver are always executed in a default configuration, even though much of the data gathered may be discarded later on in the attribute release/filtering stage. Because of this all configured data sources (such as LDAP Directory Services or Relational Database Systems) should be highly available (and contain up-to-date, correct data, of course) – at least as highly available as you expect your IDP deployment to be. With LDAP directory servers, achieving redundancy and replication is usually a much simpler (and cheaper) task than with RDBMSs, so sometimes it's worth the extra effort of synchronising data from other sources into an LDAP directory first, and only pointing the IDP to these LDAP data sources. But all of this depends on local Identity Management decisions and processes, and no one recipe will fit all. Feel free to discuss the pros and cons of approaches and tools on the eduID.at community mailing list.

Attribute resolver examples can be found in the /opt/shibboleth-idp/conf/ directory of a default Shibboleth IDPv3 installation: attribute-resolver.xml, attribute-resolver-ldap.xml and attribute-resolver-full.xml. Only the file attribute-resolver.xml is used by default, though, and we'll essentially replace its content with our own definitions below, keeping all the attribute ids that are now standardised (via the IDP's Attribute Registry feature, more on that below). Backup copies of all configuration files can always be found in /opt/shibboleth-idp/dist/conf/ for comparison and as a source for copying/pasting of more/other definitions. In fact much of the content below is just collected from those example configuration files.

The attribute resolver contains two kinds of configuration items: DataConnectors, which supply input data from data sources such as the LDAP or database servers described above, and AttributeDefinitions, which transform and encode the individual data elements (e.g. name, email address) retrieved from those DataConnectors. Every AttributeDefinition references, via its InputDataConnector child element(s), where its input data comes from (DataConnectors or other AttributeDefinitions). For the proper on-the-wire representation as SAML attributes (or for other protocols) the IDP comes with a default set of transcoding rules referenced in /opt/shibboleth-idp/conf/attributes/default-rules.xml. (Deployers of earlier versions of the software will notice how short and clean AttributeDefinitions can be, and the "missing" DisplayName and AttributeEncoder elements can all be found in the referenced transcoding rules, e.g. conf/attributes/inetOrgPerson.xml, conf/attributes/eduPerson.xml and so on.)

Note: Preparation for missing SCHAC transcoding rules

Since IDPv4 currently does not come with transcoding rules for SCHAC attributes, we're adding those from a configuration snippet curated by our friends at DFN:

Download the referenced XML file to /opt/shibboleth-idp/conf/attributes/schac.xml:

curl -sSo /opt/shibboleth-idp/conf/attributes/schac.xml https://download.aai.dfn.de/schema/dfnMisc.xml

and then add an include for it to /opt/shibboleth-idp/conf/attributes/default-rules.xml:

<import resource="schac.xml" />

With these amended rules we can now make use of the same short/clean AttributeDefinitions for SCHAC-defined attributes as for inetOrgPerson, eduPerson, etc.


This is the XML "container" element all AttributeDefinitions and DataConnectors need to be wrapped in. Be sure to also properly close the root element with the final line </AttributeResolver> as shown below:

...

<!-- https://wiki.univie.ac.at/display/federation/schacHomeOrganization -->
<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple">
    <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization" />
</AttributeDefinition>

...
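To show how the root element, a DataConnector and the short SCHAC-style AttributeDefinition fit together, here is a minimal but complete attribute-resolver.xml as an added example (not taken from the wiki page or the IDP distribution). It assumes the schac.xml transcoding rules from the note above are already imported in default-rules.xml; the value example.ac.at is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the eduID.at wiki page: a minimal complete
     attribute-resolver.xml. The value "example.ac.at" is a placeholder;
     replace it with your own schacHomeOrganization. -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- Data source: a Static DataConnector holds values that are the same
         for every user, so no LDAP or database lookup is involved here and
         the availability concerns above do not apply to this connector. -->
    <DataConnector id="staticAttributes" xsi:type="Static">
        <Attribute id="schacHomeOrganization">
            <Value>example.ac.at</Value>
        </Attribute>
    </DataConnector>

    <!-- Attribute definition: only the id and its input are declared.
         DisplayName and the on-the-wire encoding as
         urn:oid:1.3.6.1.4.1.25178.1.2.9 are supplied by the transcoding
         rules in conf/attributes/schac.xml, imported via default-rules.xml,
         so the attribute id must match the id used in those rules. -->
    <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple">
        <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization" />
    </AttributeDefinition>

</AttributeResolver>
```

After editing, a well-formedness check such as `xmllint --noout attribute-resolver.xml` catches an unclosed root element before the IDP reload fails on it.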