- Created by Daniel Yu, last modified on Jul 02, 2018
Step-by-step guide
For Univeristy of Chicago Shibboleth IdP, the following files need to be modified.
Files modified
iam-jetty-base/idp/conf/attribute-resolver.xml
iam-jetty-base/idp/conf/authn/authn-comparison.xml
iam-jetty-base/idp/conf/authn/general-authn.xml
iam-jetty-base/idp/conf/intercept/context-check-intercept-config.xml
iam-jetty-base/idp/flows/authn/checker.groovy
general-authn.xml Expand source
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" default-init-method="initialize" default-destroy-method="destroy"> <util:list id="shibboleth.AvailableAuthenticationFlows"> <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow" p:passiveAuthenticationSupported="true" p:lifetime="PT60S" p:inactivityTimeout="PT60S"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" /> </list> </property> </bean> <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:ietf:rfc:1510" /> </list> </property> </bean> <bean id="authn/External" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false" /> <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false" /> <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" /> <bean id="authn/X509" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:ietf:rfc:2246" /> </list> </property> </bean> <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:ietf:rfc:2246" /> </list> </property> </bean> <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" p:passiveAuthenticationSupported="true" p:forcedAuthenticationSupported="true"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/sfa" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> </list> </property> </bean> <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow" p:forcedAuthenticationSupported="true" p:nonBrowserSupported="false"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="http://uchicago.edu/duo" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://uchicago.edu/duo" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" /> </list> </property> </bean> <bean id="authn/lfr" parent="shibboleth.AuthenticationFlow" p:forcedAuthenticationSupported="true"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://uchicago.edu/iam/lfr" /> </list> </property> </bean> <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow" p:passiveAuthenticationSupported="true" p:forcedAuthenticationSupported="true"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="http://uchicago.edu/duo" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://uchicago.edu/duo" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://uchicago.edu/iam/lfr" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/mfa" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="https://refeds.org/profile/sfa" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password" /> </list> </property> </bean> </util:list> <util:map id="shibboleth.AuthenticationPrincipalWeightMap"> <entry> <key> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> </key> <value>1</value> </entry> </util:map> </beans>
authn-comparison.xml Expand source
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" default-init-method="initialize" default-destroy-method="destroy"> <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory"> <property name="matchingRules"> <map> <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password"> <list> <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value> <value>http://uchicago.edu/duo</value> <value>http://id.incommon.org/assurance/silver</value> <value>https://refeds.org/profile/mfa</value> </list> </entry> <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"> <list> <value>http://uchicago.edu/duo</value> <value>https://refeds.org/profile/mfa</value> </list> </entry> </map> </property> </bean> <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" /> <util:map id="shibboleth.AuthnComparisonRules"> <!-- Exact matching, this can be left as-is. --> <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/> <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/> <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/> <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. --> <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/> <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. --> <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/> <!-- Better matching, refers to empty ruleset that has to be populated to work. --> <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/> <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/> </util:map> </beans>
context-check-intercept-config Expand source
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" default-init-method="initialize" default-destroy-method="destroy"> <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND"> <constructor-arg> <list> <bean class="net.shibboleth.idp.profile.logic.AuthnClassPredicate" c:authnClassesToMatch-ref="authnClassesToMatch" c:authnClassesToForgive-ref="authnClassesToForgive" c:predicateToDelegate-ref="attributePredicate" /> </list> </constructor-arg> </bean> <util:set id="authnClassesToMatch"> <value>http://id.incommon.org/assurance/silver</value> <value>http://uchicago.edu/duo</value> <value>https://refeds.org/profile/mfa</value> </util:set> <util:set id="authnClassesToForgive"> <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value> <value>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</value> <value>https://refeds.org/profile/sfa</value> </util:set> <bean id="attributePredicate" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"> <property name="attributeValueMap"> <map> <entry key="eduPersonAssurance"> <list> <value>http://id.incommon.org/assurance/silver</value> <value>http://uchicago.edu/duo</value> <value>https://refeds.org/profile/mfa</value> </list> </entry> </map> </property> </bean> </beans>
checker.groovy Expand source
//Adding REFEDS expresso profile to secondFactorMap def secondFactorMap = [ "http://uchicago.edu/duo": "authn/Duo", "http://id.incommon.org/assurance/silver": "authn/Duo", "https://refeds.org/assurance/profile/espresso": "authn/Duo" ]
attribute-resolver.xml Expand source
<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="eduPersonAssurance" sourceAttributeID="ucisMemberOf"> <resolver:Dependency ref="directory"/> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance"/> <ValueMap> <ReturnValue>http://id.incommon.org/assurance/silver</ReturnValue> <SourceValue>uc:reference:account:assurance:silver:authorized</SourceValue> </ValueMap> <ValueMap> <ReturnValue>http://uchicago.edu/duo</ReturnValue> <SourceValue>uc:applications:shibboleth:mcb:duo-eligible</SourceValue> </ValueMap> <ValueMap> <ReturnValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ReturnValue> <SourceValue>uc:applications:shibboleth:mcb:password</SourceValue> </ValueMap> <ValueMap> <ReturnValue>https://refeds.org/assurance/profile/espresso</ReturnValue> <SourceValue>uc:reference:account:assurance:refeds:espresso</SourceValue> </ValueMap> <ValueMap> <ReturnValue>https://refeds.org/assurance/profile/cappuccino</ReturnValue> <SourceValue>uc:reference:account:assurance:refeds:cappuccino</SourceValue> </ValueMap> </resolver:AttributeDefinition>
Related articles
Content by label
There is no content with the specified labels