
Attribute Resolution

2 © 2010 SWITCH Terms: Attribute. A piece of information about a user. Each attribute has a unique ID and zero or more values. Shibboleth attributes are protocol-agnostic data structures.

3 Terms: SAML Attribute. An attribute represented in SAML notation. Shibboleth transforms attributes into SAML attributes by a process known as encoding.

4 Terms: Data Connector. A plugin that creates multiple attributes from information in data sources such as LDAP and databases. Shibboleth currently supports static, LDAP, relational database, computed ID and stored ID data connectors.

5 Terms: Attribute Definition. A plugin that creates a single attribute by transforming other attributes and state information. Shibboleth currently supports simple, scoping, regex, mapping, template, scripting, principal name and principal authentication method attribute definitions.

6 Terms: Attribute Encoder. A plugin that converts an attribute into a protocol-specific form, such as a SAML attribute. Encoders are attached to an attribute through its attribute definition.

7 Terms: Principal Connector. A plugin that converts a name identifier, supplied by a relying party, into the user ID used internally.

8 Terms: Attribute Resolver. The subsystem in Shibboleth responsible for fetching attributes, transforming them and associating encoders with them. Only attributes produced by attribute definitions leave the resolver and become available to the rest of the system.

9 A bit of logging configuration. Edit logging.xml: set the level of every currently defined logger to WARN, then add a new, more verbose logger so that the resolver's activity shows up in the log.

10 Attribute Goals. Define a simple attribute with a static value. Gather user information from an LDAP directory. Create attribute definitions that release some information as simple values and other information as scoped values.

11 Data Connector: Configuration. Data connectors are configured in attribute-resolver.xml; each <resolver:DataConnector> element defines one connector. Every data connector has an id attribute that uniquely identifies it and an xsi:type attribute that selects the connector type (the handler). Each type has its own set of configuration options.

12 Data Connector: Configuration. Some connectors need information collected by another plugin in order to work. This is expressed with a <resolver:Dependency ref="…" /> child element, declared before any other configuration elements. The value of ref is the ID of the plugin the connector depends on.

13 Data Connector: Static. The static data connector adds the same attributes to every resolved account. Type attribute value: Static. Configuration attributes: none.

14 Data Connector: Static. The produced attributes are defined by <Attribute id="…"> child elements; values are added with <Value>VALUE</Value> children. An attribute may have more than one value.

15 Data Connector: Static. Create an attribute eduPersonAffiliation that has the single value member.

16 Data Connector Resolution. Restart the IdP and log in again. Do you see anything in your log file about the static data connector being invoked? You will not: the IdP only invokes a data connector if an attribute definition, or another invoked data connector, depends on it.

17 Attribute Definition: Configuration. Attribute definitions are configured in attribute-resolver.xml; each <resolver:AttributeDefinition> element defines one definition. Every definition has an id attribute that uniquely identifies it and an xsi:type attribute that selects the definition type (the handler). Each type has its own set of configuration options.

18 Attribute Definition: Configuration. Most definitions need information collected by another plugin in order to work. This is expressed with a <resolver:Dependency ref="…" /> child element, declared before any other configuration elements. The value of ref is the ID of the plugin the definition depends on.

19 Attribute Definition: Simple. An attribute definition that simply releases an attribute from the resolver. Type attribute value: Simple. Configuration attributes: sourceAttributeID - the ID of the attribute, supplied by the definition's dependencies, whose values this attribute takes.

20 Attribute Definition: ePA. Putting it all together, the attribute definition for eduPersonAffiliation opens as follows; the Dependency and AttributeEncoder children go inside it:

<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="eduPersonAffiliation">
  <!-- resolver:Dependency and resolver:AttributeEncoder children -->
</resolver:AttributeDefinition>

21 Attribute Definition: Testing. Restart the IdP. Watch the logs with tail -f /opt/shibboleth-idp/logs/idp-process.log and log in again.

22 Attribute Encoders: Configuration. Attribute encoders are configured as children of an attribute definition; each <resolver:AttributeEncoder> element defines one encoder. Every encoder has an xsi:type attribute that selects the encoder type (the handler). Each type has its own set of configuration options.

23 Attribute Encoder: Basic SAML 1. A SAML 1 encoder always looks like this; only the name changes:

<resolver:AttributeEncoder xsi:type="SAML1String"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:mace:dir:attribute-def:eduPersonAffiliation" />

24 Attribute Encoder: Basic SAML 2. A SAML 2 encoder always looks like this; only the name and the friendly name change:

<resolver:AttributeEncoder xsi:type="SAML2String"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:oid:"
    friendlyName="eduPersonAffiliation" />

25 Attribute Encoder: Configuration. Add SAML 1 and SAML 2 attribute encoders to your eduPersonAffiliation definition. Names for eduPersonAffiliation: SAML 1: urn:mace:dir:attribute-def:eduPersonAffiliation; SAML 2: urn:oid:

26 Attribute Goals. Define a simple attribute with a static value. Gather user information from an LDAP directory. Create attribute definitions that release some information as simple values and other information as scoped values.

27 Data Connector: LDAP. A data connector that pulls user information from LDAP. Type attribute value: LDAPDirectory. Configuration attributes: ldapURL - LDAP server connection URL; baseDN - base DN of the search; principal - DN of the user to bind as; principalCredential - that user's password.

28 Data Connector: LDAP. Lastly, the LDAP data connector contains a <FilterTemplate> child element. The template is used to construct the LDAP search filter; for now we'll use (uid=$requestContext.principalName).

29 Data Connector: LDAP. Putting it all together gives a DataConnector of type LDAPDirectory that carries the four connection attributes above and a FilterTemplate of (uid=$requestContext.principalName).

30 Attribute Definition: ePA. Add the LDAP data connector as a dependency of your eduPersonAffiliation attribute definition. Run another test. Note how the values from LDAP are merged with the value from the static data connector.

31 Attribute Definition: ePPA. Create a simple attribute definition called eduPersonPrimaryAffiliation with a sourceAttributeID of eduPersonPrimaryAffiliation that depends on localLDAP. Add SAML 1/2 string encoders with the names urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation and urn:oid:

32 Attribute Scoping. Some attribute values may have scopes. A scope names the domain within which an attribute value is valid. Example: Georgetown University has a main campus, a law school and a medical school; a professor at the law school may not have the same rights as a professor at the medical school.

33 Attribute Definition: Scoped. An attribute definition that adds a static scope to every value. Type attribute value: Scoped. Configuration attributes: sourceAttributeID - ID of the attribute whose values will be scoped; scope - the scope added to the attribute values.

34 Attribute Definition: Scoped. Create an attribute definition for eduPersonScopedAffiliation:

<resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="eduPersonAffiliation" scope="example.org">
  <!-- resolver:Dependency and resolver:AttributeEncoder children -->
</resolver:AttributeDefinition>

35 Attribute Definition: Prescoped. Prescoped attribute values already contain the scope in the data source. Type attribute value: Prescoped. Configuration attributes: sourceAttributeID - ID of the attribute with prescoped values; scopeDelimiter - the delimiter that separates value and scope in the attribute's values.

36 Attribute Definition: Prescoped. Create an attribute definition that operates on the prescoped eduPersonPrincipalName attribute:

<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="eduPersonPrincipalName">
  <!-- resolver:Dependency and resolver:AttributeEncoder children -->
</resolver:AttributeDefinition>

37 Attribute Encoders: Scoped. An attribute's scope may be written into a SAML message in two ways: as a Scope XML attribute on the SAML AttributeValue element, or inline in the value text (value@scope). The notation is controlled by the scopeType attribute on the encoder; values: attribute, inline.

38 Attribute Encoders: Scoped. SAML 1 scoped value encoder:

<resolver:AttributeEncoder xsi:type="SAML1ScopedString"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />

SAML 2 scoped value encoder:

<resolver:AttributeEncoder xsi:type="SAML2ScopedString"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
    name="urn:oid:"
    friendlyName="eduPersonPrincipalName" />

39 More about Dependencies. Any resolver plugin may have any number of dependencies. If more than one dependency provides the same attribute, the dependent plugin operates on the union of their values. Attribute definitions may be marked with dependencyOnly="true"; such an attribute is never released outside the resolver (and filtering gets a little faster because there is less to evaluate).

40 Data Connector Failover. A data connector may name failover connectors: if the connector fails, the failover connector is invoked instead. If more than one failover connector is defined they are tried in order until one succeeds. They are declared with a <resolver:FailoverDataConnector ref="…" /> child element.
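
Scoping (slides 32 to 38), dependencyOnly (slide 39) and failover (slide 40) in one attribute-resolver.xml fragment, as an added example rather than the deck's own configuration. The two directory hosts and the bind account are assumptions; the OIDs are the registered eduPerson values for eduPersonScopedAffiliation and eduPersonPrincipalName, which the transcript lost; the scopeType values are set explicitly on both prescoped encoders only so that the two notations of slide 37 can be seen side by side.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Primary directory (slide 40): if this connector fails, the resolver
       invokes the failover connector named below instead. -->
  <resolver:DataConnector id="localLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap1.example.org" baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp-reader,ou=system,dc=example,dc=org"
      principalCredential="changeit" useStartTLS="true">
    <resolver:FailoverDataConnector ref="replicaLDAP" />
    <dc:FilterTemplate><![CDATA[(uid=$requestContext.principalName)]]></dc:FilterTemplate>
  </resolver:DataConnector>

  <!-- Read-only replica with the same schema, so an outage of the primary
       never changes which values get asserted. -->
  <resolver:DataConnector id="replicaLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap2.example.org" baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp-reader,ou=system,dc=example,dc=org"
      principalCredential="changeit" useStartTLS="true">
    <dc:FilterTemplate><![CDATA[(uid=$requestContext.principalName)]]></dc:FilterTemplate>
  </resolver:DataConnector>

  <!-- Unscoped affiliation (slide 39): only an input to the scoped definition
       below, so it is marked dependencyOnly and carries no encoders. -->
  <resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Simple"
      sourceAttributeID="eduPersonAffiliation" dependencyOnly="true">
    <resolver:Dependency ref="localLDAP" />
  </resolver:AttributeDefinition>

  <!-- Static scope (slides 33-34): "member" becomes member@example.org.
       1.3.6.1.4.1.5923.1.1.1.9 is the registered eduPersonScopedAffiliation OID. -->
  <resolver:AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="ad:Scoped"
      sourceAttributeID="eduPersonAffiliation" scope="example.org">
    <resolver:Dependency ref="eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
        name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        friendlyName="eduPersonScopedAffiliation" />
  </resolver:AttributeDefinition>

  <!-- Prescoped (slides 35-36): the directory already stores jdoe@example.org;
       scopeDelimiter says where the value ends and the scope begins.
       1.3.6.1.4.1.5923.1.1.1.6 is the registered eduPersonPrincipalName OID. -->
  <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Prescoped"
      sourceAttributeID="eduPersonPrincipalName" scopeDelimiter="@">
    <resolver:Dependency ref="localLDAP" />
    <!-- scopeType (slide 37): "attribute" puts Scope="example.org" on the
         AttributeValue element; "inline" writes jdoe@example.org as its text. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" scopeType="attribute"
        name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" scopeType="inline"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        friendlyName="eduPersonPrincipalName" />
  </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

Two caveats. A failover connector should yield the same attributes as the primary; falling back to a Static connector that asserts member for everyone would turn a directory outage into a blanket affiliation grant. And a service provider compares the scope of a scoped value against the scopes published for this IdP in federation metadata, so scope="example.org" here, and any scope stored in the prescoped directory values, must be one the IdP is actually registered for; a value carrying a foreign scope is rejected by a correctly configured SP and is an impersonation attempt against a lax one.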