...
```xml
<MetadataProvider type="XML" url="https://eduid.at/md/aconet-registered.xml"
    validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="aconet-metadata-signing.crt" verifyBackup="false"/>
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>
    <DiscoveryFilter type="BlacklistExclude" matcher="EntityAttributes" trimTags="true"
        attributeName="http://macedir.org/entity-category"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
```
...
```xml
<MetadataProvider type="XML" url="https://eduid.at/md/aconet-interfed.xml"
    validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="aconet-metadata-signing.crt" verifyBackup="false"/>
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>
    <DiscoveryFilter type="BlacklistExclude" matcher="EntityAttributes" trimTags="true"
        attributeName="http://macedir.org/entity-category"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
```
...
Of course the eduID.at key for signature validation needs to be downloaded/configured on these SPs just like on any other (i.e., SPs that are registered with the eduID.at federation) even though the SP itself is not exposed to the federation. That also means the institutional IDP needs a way to register those SPs, but usually an XML file with SAML metadata managed directly at the IDP is sufficient for this.
Prevent all access from OpenIDP (Exclude IDPs)
If deployers of a Service Provider are certain they have no current (or future) use for identities provided by the ACOnet OpenIDP, they can filter it out at the metadata level, preventing any logins from that IDP wholesale:
```xml
<MetadataProvider type="XML" url="https://eduid.at/md/aconet-registered.xml"
    validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="14400">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Signature" certificate="aconet-metadata-signing.crt" verifyBackup="false"/>
    <MetadataFilter type="BlacklistExclude">
        <Exclude>https://openidp.aco.net/saml</Exclude>
    </MetadataFilter>
</MetadataProvider>
```
Note that if you're using the Shibboleth EDS Discovery Service you could choose to only hide an entity in the discovery service but keep its metadata available to the Shibboleth SP. This allows continued use of the "hidden" IDP (e.g. for testing purposes) without showing the IDP publicly in the EDS interface. (Of course you'd need to provide other methods or documentation for the ones supposed to use such "hidden" IDPs.)
Hide IDPs that have asked not to be shown (Exclude IDP from Discovery)
Here's a combined example of how to hide two specific IDPs by name from the EDS, as well as hiding all IDPs tagged with the REFEDS Hide-from-Discovery category:
```xml
<MetadataProvider type="XML" url="https://eduid.at/md/aconet-registered.xml" ...>
    <MetadataFilter ...>
    <DiscoveryFilter type="BlacklistExclude" matcher="Name" Name="https://idp.example.org/shibboleth"/>
    <DiscoveryFilter type="BlacklistExclude" matcher="Name" Name="https://another.idp.example.org/shibboleth"/>
    <DiscoveryFilter type="BlacklistExclude" matcher="EntityAttributes"
        attributeName="http://macedir.org/entity-category"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
```
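The DiscoveryFilter rules above decide which IDPs the EDS lists, so it helps to preview their effect on a metadata aggregate before deploying them. The following Python script is an added example, not part of the eduID.at documentation or the Shibboleth SP: it applies the same two exclusion rules (by entityID and by the REFEDS hide-from-discovery entity category declared in mdattr:EntityAttributes) to a constructed metadata sample; the entityIDs in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY_ATTR = "http://macedir.org/entity-category"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

def entity_categories(entity):
    """Entity-category values from mdattr:EntityAttributes, trimmed like trimTags="true"."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        # The filter compares Name and NameFormat; a missing NameFormat is treated
        # as a non-match here (assumption made for this example).
        if attr.get("Name") != CATEGORY_ATTR or attr.get("NameFormat") != URI_FORMAT:
            continue
        values.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values

def discovery_visible_idps(metadata_xml, excluded_names=()):
    """entityIDs of IdPs the EDS would still list after the name and category filters."""
    visible = []
    for ent in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        eid = ent.get("entityID")
        if ent.find("md:IDPSSODescriptor", NS) is None:
            continue  # entities without an IdP role never appear in a discovery service
        if eid in excluded_names:
            continue  # DiscoveryFilter matcher="Name"
        if HIDE_FROM_DISCOVERY in entity_categories(ent):
            continue  # DiscoveryFilter matcher="EntityAttributes"
        visible.append(eid)
    return visible

# Constructed sample aggregate (not real eduID.at metadata) with three IdPs.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.org/shibboleth"><md:IDPSSODescriptor/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://hidden.example.org/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue> http://refeds.org/category/hide-from-discovery </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.visible.example.org/idp"><md:IDPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Run `discovery_visible_idps(SAMPLE_METADATA, {"https://idp.example.org/shibboleth"})` to see that only the untagged, non-excluded IdP remains; point it at a downloaded copy of the aggregate to preview the real list.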
...