Comment: change code to noformat to preserve indentation

...

  • download rns-attribute-filter.xml and metadata-based-attribute-filter.xml from https://github.com/REANNZ/Tuakiri-public/tree/master/shibboleth-idp/idp into your /opt/shibboleth-idp/conf:

    Code Block
    wget -O /opt/shibboleth-idp/conf/rns-attribute-filter.xml https://github.com/REANNZ/Tuakiri-public/raw/master/shibboleth-idp/idp/rns-attribute-filter.xml
    wget -O /opt/shibboleth-idp/conf/metadata-based-attribute-filter.xml https://github.com/REANNZ/Tuakiri-public/raw/master/shibboleth-idp/idp/metadata-based-attribute-filter.xml


    Warning

    If deploying these rules on a TEST IdP connected to Tuakiri-TEST, edit the downloaded metadata-based-attribute-filter.xml and change the PolicyRequirementRule at the top of the file as per the instructions in the file.


  • add the files to the shibboleth.AttributeFilterResources list of attribute filters in /opt/shibboleth-idp/conf/services.xml:

    Code Block
        <util:list id="shibboleth.AttributeFilterResources">
            <value>%{idp.home}/conf/attribute-filter.xml</value>
            <value>%{idp.home}/conf/rns-attribute-filter.xml</value>
            <value>%{idp.home}/conf/metadata-based-attribute-filter.xml</value>
            ...


    Note

    With the metadata-based-attribute-filter.xml filter in place, the original attribute filter generated by the Federation Registry (loaded by the IdP in the same section) can be removed - it would only duplicate the metadata-based attribute filter for Tuakiri SPs. (The only exceptions are value-specific rules with regular expressions - please contact Tuakiri at tuakiri@reannz.co.nz if your IdP uses these.)

    After removing the remotely loaded attribute filter, we recommend reducing the reload interval of the attribute filter files from 15m to 5s (now that all files are local). In /opt/shibboleth-idp/conf/services.properties, change idp.service.attribute.filter.checkInterval to PT5S:

    Code Block
    idp.service.attribute.filter.checkInterval = PT5S

    Note that if the Tuakiri-generated attribute filter was loaded from a local file refreshed by an external script (cron job), the cron job can (and should) be removed once that file is no longer loaded.


  • and restart the IdP to pick up the change:

    Code Block
    service tomcat restart
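    As an added example (not from the Tuakiri page or the Shibboleth project), a POSIX shell sanity check to run before the restart above: it lists the files referenced in shibboleth.AttributeFilterResources, confirms each exists (and is well-formed XML when xmllint is available), and sets the check interval without duplicating the property. The function names are my own, and the idp.home path is passed in as an argument rather than assumed.

```shell
#!/bin/sh
# Added example: pre-restart checks for the attribute filter setup.
# Not part of the Tuakiri documentation; function names are assumptions.
set -u

# Print each <value> of the shibboleth.AttributeFilterResources list in
# services.xml ($1) with %{idp.home} expanded to the given idp.home ($2).
list_filter_resources() {
    sed -n '/id *= *"shibboleth.AttributeFilterResources"/,/<\/util:list>/p' "$1" \
      | sed -n 's/.*<value>\(.*\)<\/value>.*/\1/p' \
      | sed "s|%{idp.home}|$2|g"
}

# Return 0 only if every listed filter file is readable and (when xmllint
# is installed) well-formed XML; report each problem on stderr.
check_filter_resources() {
    rc=0
    for f in $(list_filter_resources "$1" "$2"); do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f" >&2; rc=1
        elif command -v xmllint >/dev/null 2>&1 && ! xmllint --noout "$f" 2>/dev/null; then
            echo "NOT WELL-FORMED: $f" >&2; rc=1
        fi
    done
    return $rc
}

# Set idp.service.attribute.filter.checkInterval in services.properties ($1)
# to the ISO-8601 duration in $2 (e.g. PT5S), replacing an existing line or
# appending one if the property is absent, so repeated runs stay idempotent.
set_check_interval() {
    key=idp.service.attribute.filter.checkInterval
    if grep -q "^$key" "$1"; then
        sed "s/^$key.*/$key = $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        echo "$key = $2" >> "$1"
    fi
}
```

Run check_filter_resources against the real /opt/shibboleth-idp/conf/services.xml and /opt/shibboleth-idp before "service tomcat restart"; a missing or malformed filter file would otherwise only surface in the IdP log after the restart.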


...