
@thomasdarimont
Forked from rantt/shib_attr.md
Last active August 29, 2015 14:25

This assumes that you already have the Shibboleth IdP installed. If you haven't done that yet you can read how to set it up at Install CAF FedSSO (Shibboleth) w/ idp-caf-installer

Tasks

Allow the following attributes to be released from our Identity Provider (IdP) to a Service Provider (SP). In this case I'll be giving access to testshib.org and CAF (eduroam). Since I don't have an SP I use testshib.org so I can see what gets processed on the SP side.

  • eduPersonTargetedID: unique id autogenerated by Shibboleth
  • eduPersonPrincipalName: if you’re using the CAF installer, this will be built from the “sAMAccountName” field in AD with @domain.ca on the end (for example, “user@domain.ca”)
  • mail: email address, comes from “mail” field in AD (example: user@example.com)
  • cn: common name, comes from “cn” field in AD (example: Jon Doe)
  • sn: last name, comes from “sn” field in AD (example: Doe)
  • givenName: first name, comes from “givenName” field in AD (example: Jon)

ldapsearch on an AD Global Catalogue

I first wanted to make sure that I was able to access the information I was going to need from Active Directory. So first I installed the LDAP utilities (apt-get install ldap-utils). From my IdP I then used ldapsearch to query the fields I'm looking for.

# Lookup using LDAPS on the Global Catalog port 3269
# host:  ldaps://ad.domain.ca
# port:  3269
# bind user: bindaccount
# basedn: DC=AD,DC=DOMAIN,DC=CA
# filter by (my user account John) "sAMAccountName=John"
# return sAMAccountName userPrincipalName mail sn cn givenName
# (-H takes the full LDAP URI including the port; the deprecated -h expects a bare hostname, not a URI)

> ldapsearch -LLL -x -H ldaps://ad.domain.ca:3269 -D bindaccount@domain.ca -W -b DC=AD,DC=DOMAIN,DC=CA "sAMAccountName=john" sAMAccountName userPrincipalName mail sn cn givenName
Enter LDAP Password:

dn: CN=John Doe,OU=MYGROUP,DC=AD,DC=DOMAIN,DC=CA
cn: John Doe
sn: Doe
sAMAccountName: john
userPrincipalName: john@domain.ca
mail: john@domain.ca

# refldaps://ForestDnsZones.AD.domain.ca/DC=ForestDnsZones,DC=AD,DC=DOMAIN,DC=CA
# refldaps://DomainDnsZones.AD.domain.ca/DC=DomainDnsZones,DC=AD,DC=DOMAIN,DC=CA
# refldaps://AD.domain.ca/CN=Configuration,DC=AD,DC=DOMAIN,DC=CA

No problems reaching AD and all the fields I want are accessible.

attribute-resolver.xml

You need to define the attributes you want to retrieve from Active Directory. This should be done for you by the CAF installer; eduPersonTargetedID is a little tricky, so I'll come back to that. For now I'll add the attributes for eduPersonPrincipalName, mail, cn, sn and givenName.

Uncomment or add the attribute definitions

<resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="domain.ca" sourceAttributeID="sAMAccountName">
	<resolver:Dependency ref="myLDAP" />
	<resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
	<resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>
 ...
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
	<resolver:Dependency ref="myLDAP" />
	<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
	<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
...
<resolver:AttributeDefinition xsi:type="ad:Simple" id="commonName" sourceAttributeID="cn">
	<resolver:Dependency ref="myLDAP" />
	<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cn" />
	<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
</resolver:AttributeDefinition>
...
<resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
	<resolver:Dependency ref="myLDAP" />
	<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" />
	<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
</resolver:AttributeDefinition>
...
<resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
	<resolver:Dependency ref="myLDAP" />
	<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" />
	<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
</resolver:AttributeDefinition>
 

NOTE The sourceAttributeID value appears to be case sensitive, so it's important to write sAMAccountName and NOT samaccountname.

Adding eduPersonTargetedID

NOTE If you selected yes for 'Install support for ePTID' then you can skip this step, since eduPersonTargetedID should already be installed and active. If you selected no, you can use the following steps to use a ComputedId instead.

This attribute is a little different because it's a calculated value based on an existing field. In our case I used the sAMAccountName, since it is unique and not reused by other users.

Uncomment the SAML2 Attribute Definition

<resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
	nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID">
	<resolver:Dependency ref="computedID" />
	<resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
	<resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

Also uncomment the 'ComputedId' Data Connector

<!-- Computed targeted ID connector -->
<resolver:DataConnector xsi:type="dc:ComputedId"
	id="computedID"
	generatedAttributeID="computedID"
	sourceAttributeID="uid"
	salt="your random string here">
	<resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>

I replaced uid with sAMAccountName and 'your random string here' with a value generated by openssl rand -base64 36.
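To see what the ComputedId connector actually produces for each SP, here is an added Python example (not part of this gist or of the Shibboleth code). It assumes the connector's documented algorithm, SHA-1 over the SP entityID, the source attribute value and the salt joined by '!', base64-encoded; the salt and account name are constructed values.

```python
import base64
import hashlib

# Constructed salt for this example; the real one is whatever you put in
# attribute-resolver.xml (the openssl rand -base64 36 output above).
SALT = "CONSTRUCTED-example-salt-not-for-production"

def computed_id(sp_entity_id, source_value, salt=SALT):
    # Assumed ComputedId algorithm: SHA-1 over
    #   <SP entityID> "!" <source attribute value> "!" <salt>
    # base64-encoded, i.e. the 28-character NameID seen in the aacli output.
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt.encode("utf-8"))
    return base64.b64encode(md.digest()).decode("ascii")

def per_sp_ids(source_value, sp_entity_ids, salt=SALT):
    # The same account gets a different opaque value at every SP, so two SPs
    # cannot correlate a user by comparing eduPersonTargetedID values.
    return {sp: computed_id(sp, source_value, salt) for sp in sp_entity_ids}

if __name__ == "__main__":
    sps = ["https://sp.testshib.org/shibboleth-sp",
           "https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp"]
    for sp, value in per_sp_ids("john", sps).items():
        print(f"{sp}\n  -> {value}")
    # Changing the salt (or the sourceAttributeID) regenerates every ID at every
    # SP, so keep the salt secret and backed up, and do not rotate it casually.
    print("after salt change:", computed_id(sps[0], "john", "different-salt"))
```

Because the value is only a hash, an SP that is given a different entityID, or an IdP whose salt was lost during a rebuild, silently gets brand-new identities for every user.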

attribute-filter.xml

Now that we have the attributes, we need to tell our IdP to release them to specific SPs. In this case testshib.org and CAF.

Uncomment or add the following Filter Policies

<afp:AttributeFilterPolicy id="releaseToSPtestshib">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.testshib.org/shibboleth-sp" />

    <afp:AttributeRule attributeID="eduPersonTargetedID">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="email">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="commonName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="surname">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>


<afp:AttributeFilterPolicy id="releaseToCateduroamorg">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp" />

    <afp:AttributeRule attributeID="eduPersonTargetedID">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="email">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="commonName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="surname">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>

Restart Tomcat to apply the changes: sudo service tomcat6 restart

NOTE If you're using http://testshib.org remember to comment out (or remove) the filter policy for testshib.org when you're done testing.

Testing Attributes

aacli

From /opt/shibboleth-idp/bin/

# Testing attributes requested by testshib.org for user John

> ./aacli.sh --principal=john --configDir=/opt/shibboleth-idp/conf --requester=https://sp.testshib.org/shibboleth-sp

# Testing attributes requested by CAF for user John

> ./aacli.sh --principal=john --configDir=/opt/shibboleth-idp/conf  --requester=https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp

Since the same attributes are released to both SPs, either one should return something like:

<?xml version="1.0" encoding="UTF-8"?><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john@domain.ca</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="email" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john@domain.ca</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John Doe</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://shibtest.domain.ca/idp/shibboleth" SPNameQualifier="https://sp.testshib.org/shibboleth-sp">jGo83jDDlVDlCsyh7RXFkzBaBEA=</saml2:NameID>
      </saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>
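An added check, not from the gist, that parses aacli output like the statement above and compares what was actually released with the set permitted for that requester in attribute-filter.xml. The sample statement is constructed: sn is blank, cn, givenName and mail are absent, and a telephoneNumber attribute is included to show how an over-release would be flagged.

```python
import xml.etree.ElementTree as ET

S2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"   # Clark-notation SAML2 namespace
# Constructed sample modelled on the aacli output above: sn is blank in AD,
# cn/givenName/mail were not released, and telephoneNumber leaked through.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml2:AttributeValue>john@domain.ca</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4">
    <saml2:AttributeValue/>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20">
    <saml2:AttributeValue>+1 555 0100</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
    <saml2:AttributeValue>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jGo83jDDlVDlCsyh7RXFkzBaBEA=</saml2:NameID>
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""
EXPECTED = {  # what attribute-filter.xml above permits, keyed by SAML2 Name (OID)
    "https://sp.testshib.org/shibboleth-sp": {
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",  # eduPersonTargetedID
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",   # eduPersonPrincipalName
        "urn:oid:0.9.2342.19200300.100.1.3",  # mail (resolver id "email")
        "urn:oid:2.5.4.3", "urn:oid:2.5.4.4", "urn:oid:2.5.4.42",  # cn, sn, givenName
    },
}

def released_attributes(xml_text):
    # Map each released attribute Name to its non-blank values.
    out = {}
    for attr in ET.fromstring(xml_text).iter(S2 + "Attribute"):
        values = []
        for val in attr.findall(S2 + "AttributeValue"):
            name_id = val.find(S2 + "NameID")  # ePTID nests a NameID, not text
            text = (name_id.text if name_id is not None else val.text) or ""
            if text.strip():
                values.append(text.strip())
        out[attr.get("Name")] = values
    return out

def audit_release(xml_text, requester, expected=EXPECTED):
    # Return (missing, unexpected, blank) attribute Names for one requester.
    released = released_attributes(xml_text)
    want = expected.get(requester, set())
    missing = want - set(released)                     # filter or resolver gap
    unexpected = set(released) - want                  # over-release: tighten the filter
    blank = {n for n, v in released.items() if not v}  # AD returned nothing for it
    return missing, unexpected, blank
```

Pipe the real aacli output into released_attributes and run audit_release once per requester before enabling a new SP; a non-empty unexpected set means attribute-filter.xml releases more than intended.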

testshib.org

This is really useful for debugging since you can see the error messages that would appear on the SP side, like not being able to communicate with your IdP. You can set up your IdP with testshib.org by visiting the site and following the instructions for uploading your metadata.xml. Assuming you already have this set up:

You'll be presented with a page showing the results of the connection. If you click on the shibd.log button you can see exactly what got sent to the SP.

Troubleshooting

invalid certificate

Run openssl s_client -connect shibtest.domain.ca:8443 | tee logfile and compare the returned certificate to the one being sent in the metadata.xml file. They should be the same.

response from attribute authority was empty

You're either not releasing any attributes to that SP, or the ones you are releasing are blank or unavailable (i.e. not found or not returned by Active Directory).

CURLSOAPTransport failed while contacting SOAP endpoint (https://youridp:8443/shibboleth-idp/): Operation timed out after 20000 milliseconds with 0 bytes received

Port 8443 is inaccessible to the SP; most likely it's firewalled on the IdP (or the network the IdP is on). Another possibility is that SOAP services aren't working on your IdP. I had this problem on my IdP because of a misnamed Java library. I had to move /usr/share/tomcat6/lib/tomcat6-dta-ssl-1.0.0.jar.1 to /usr/share/tomcat6/lib/tomcat6-dta-ssl-1.0.0.jar. If this library is missing you can download it here

Links

  • https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
  • https://wiki.shibboleth.net/confluence/display/SHIB2/IdPTroubleshootingCommonErrors
  • https://shibsp.ntu.ac.uk/confluence/display/SHIB2/Generating+and+Returning+eduPersonTargetedID
