Versions Compared

Old Version 19

changes.mady.by.user Vladimir Mencl

Saved on

compared with

New Version Current

changes.mady.by.user Vladimir Mencl

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
outlinetrue
indent20px

Federation Details

...

Federation name

...

Tuakiri Production

...

Tuakiri TEST

...

Metadata name

...

tuakiri.ac.nz

...

test.tuakiri.ac.nz

...

Metadata distribution point

...

https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml

...

https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml

...

Metadata signing certificate

...

https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem

...

https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem

...

Federation Registry URL

...

https://registry.tuakiri.ac.nz/federationregistry/

...

https://registry.test.tuakiri.ac.nz/federationregistry/

...

Discovery Service / WAYF URL

...

https://directory.tuakiri.ac.nz/ds/DS

...

Excerpt Include
Tuakiri Metadata
Tuakiri Metadata
nopaneltrue

Registering an IdP into the Federation Registry

...

Multiexcerpt
MultiExcerptNameidp-register-ecp


Note

As of version 2.6.0, the Federation Registry automatically registers the ECP endpoint on new registrations, so no explicit action should be required.  To add an ECP endpoint to an existing IdP registration, perform the following:

In the Federation Registry registration for your IdP:

...


The IdP also needs to be configured to support ECP.

...

Multiexcerpt
MultiExcerptNameidp3-load-metadata

  • Configure the IdP to load the Federation Metadata in /opt/shibboleth-idp/conf/metadata-providers.xml by adding the following snippet into the Chaining MetadataProvider.

    Code Block
    xml
    xml
        <MetadataProvider id="TuakiriMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                  refreshDelayFactor="0.125"
                  maxRefreshDelay="PT2H"
                  backingFile="%{idp.home}/metadata/tuakiri-metadata.xml"
                  metadataURL="https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml">

            <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="${idp.home}/credentials/tuakiri-metadata-cert.pem"
                    requireSignedRoot="falsetrue">
            </MetadataFilter>
            <MetadataFilter xsi:type="EntityRoleWhiteList">
                    <RetainedRole>md:SPSSODescriptor</RetainedRole>
            </MetadataFilter>

    </MetadataProvider>
     

    • Note: validity checking is implicitly turned on, so it is not needed to explicitly add the RequiredValidUntil metadata filter, which would only be useful to reject metadata published with a validity longer then maxValidityInterval milliseconds.  We recommend to rely on signature validation.  The Tuakiri metadata are being generated with a validity of one week.
    • Note: by default, metadata get refreshed only every 3 hours (0.75 factor out of 4 hours maximum refresh interval).  
      • To make metadata changes propagate faster (reload every 15 minutes), set the maximum refresh interval to 2 hours and the factor to 0.125 as above.
      • To avoid re-fetching the file even when not changed, turn on caching (memory caching is enough as we already do have a backing file)
    • See the IDP30 https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration and https://wiki.shibboleth.net/confluence/display/IDP30/FileBackedHTTPMetadataProvider documentation for more information.
    • Note: in IdP 3.0.0, the RetainedRole element was incorrectly using the namespace samlmd - as of 3.1.1, the namespace declared in metadata-providers.xml and used in the examples is md, consistent with other use.
  • This definition is referring to a certificate used to verify the signature - store the certificate in /opt/shibboleth-idp/credentials
     No Format
    wget https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem -O $IDP_HOME/credentials/tuakiri-metadata-cert.pem


     Note
    titleTuakiri-TEST specific
    When building a TEST IdP and registering into Tuakiri-TEST instead, please load instead the Tuakiri-TEST metadata with:
     Code Block
    xml
    xml
        <MetadataProvider id="TuakiriTESTMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                  refreshDelayFactor="0.125"
                  maxRefreshDelay="PT2H"
                  backingFile="%{idp.home}/metadata/tuakiri-test-metadata.xml"
                  metadataURL="https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml">

            <MetadataFilter xsi:type="SignatureValidation"
                    certificateFile="${idp.home}/credentials/tuakiri-test-metadata-cert.pem"
                    requireSignedRoot="falsetrue">
            </MetadataFilter>
            <MetadataFilter xsi:type="EntityRoleWhiteList">
                    <RetainedRole>md:SPSSODescriptor</RetainedRole>
            </MetadataFilter>

    </MetadataProvider>

    and fetch the Tuakiri-TEST metadata signing certificate instead:
     No Format
    wget https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem -O $IDP_HOME/credentials/tuakiri-test-metadata-cert.pem

...



For archival purposes, we also keep the original instructions for configuring the Tuakiri metadata into a 2.x IdP - unfold the box below to see the IdP 2.x compatible syntax:
 Expand
titleLegacy IdP 2.x configuration to load Tuakiri metadata

 Multiexcerpt
MultiExcerptNameidp-load-metadata

  • Download the metadata signing certificate into $IDP_HOME/credentials:
     No Format
    wget https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem -O $IDP_HOME/credentials/tuakiri-metadata-cert.pem

  • In $IDP_HOME/conf/relying-party.xml
    • Add the following snippet into the ChainingMetadataProvider:
       Code Block
      xml
      xml
              <!-- Tuakiri -->
        <metadata:MetadataProvider id="Tuakiri" xsi:type="metadata:ResourceBackedMetadataProvider">
          <metadata:MetadataFilter xsi:type="metadata:ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
            <metadata:MetadataFilter xsi:type="metadata:SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                            trustEngineRef="shibboleth.MetadataTrustEngine"
                            requireSignedMetadata="true" />
          </metadata:MetadataFilter>
          <metadata:MetadataResource xsi:type="resource:FileBackedHttpResource"
                          url="https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml"
                          file="/opt/shibboleth-idp/metadata/tuakiri-metadata.xml" />
        </metadata:MetadataProvider>


    • And add the following snippet into the <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature"> element:
       Code Block
      xml
      xml
              <security:Credential id="Tuakiri-FederationCredentials" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/tuakiri-metadata-cert.pem</security:Certificate>
        </security:Credential>


       Note
      Remember to uncomment the <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature"> element if it is still commented out (it is commented out in the default configuration).
 



Configure attribute release/filtering through the federation
...
 Multiexcerpt
MultiExcerptNameidp3-load-attribute-filter

 Multiexcerpt
MultiExcerptNameidp-request-attribute-filter
  • Contact the federation administrators (by emailing tuakiri@reannz.co.nz) and request a URL for the Attribute Filter for your IdP.
    • In the request, please include:
      • The name (hostname or entityID) of your IdP
      • An email address that should receive notifications whenever the attribute filter changes (these are notifications only, no action will be required).
    • The attribute filter may have to be manually added to the list of attribute filters published. Once created, the URL will have the form of: https://directory.tuakiri.ac.nz/attribute-filter/<institution-domain>.xml
  • Edit $IDP_HOME/conf/services.xml and add the additional attribute filter as an additional resource in the shibboleth.AttributeFilterResources util:list bean, using the built-in FileBackedHTTPResource:
     Code Block
    languagehtml/xml
            <bean id="TuakiriAttributeFilterResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
              c:client-ref="shibboleth.MemoryCachingHttpClient" 
              c:url="https://directory.tuakiri.ac.nz/attribute-filter/institution.domain.ac.nz.xml"
              c:backingFile="%{idp.home}/conf/tuakiri-attribute-filter.xml"/>


  • For Tuakiri-TEST, the configuration would be the same, just the URL would be different - please use the URL provided by the federation administrators.
 
...


For archival purposes, we also keep the original instructions for configuring the Tuakiri-managed attribute filter into a 2.x IdP - unfold the box below to see the IdP 2.x compatible syntax:
 Expand
titleLegacy IdP 2.x syntax to load an attribute filter

 Multiexcerpt
MultiExcerptNameidp-load-attribute-filter
After requesting the attribute filter:

  • Add the following entry into <srv:Service id="shibboleth.AttributeFilterEngine" in $IDP_HOME/conf/service.xml(note that the URL varies for each IdP and has to be obtained from the federation administrators):
     Code Block
    xml
    xml
            <srv:ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                              url="https://directory.tuakiri.ac.nz/attribute-filter/<institution-domain>.xml"
                              file="/opt/shibboleth-idp/conf/tuakiri-attribute-filter.xml" />


     Note
    Note: if your $IDP_HOME is different from /opt/shibboleth-idp, change the file path in the above snippet accordingly.

     Note
    If configuring this in Shibboleth IdP 2.1.x, do not use the srv: namespace prefix - i.e., use just:
     Code Block
    xml
    xml
            <ConfigurationResource xsi:type="resource:FileBackedHttpResource"
                      url="https://directory.tuakiri.ac.nz/attribute-filter/<institution-domain>.xml"
                      file="/opt/shibboleth-idp/conf/tuakiri-attribute-filter.xml" />




  • We also strongly recommend you configure your IdP to periodically reload this file - we recommend at 2 hour intervals. This is documented in detail in the IdP Install Manual: Reloading configuration section and Load AAF Atribute Attribute Filter sections. The simple step is to add the configurationResourcePollingFrequency="PT2H0M0.000S" and configurationResourcePollingRetryAttempts="10" attributes to the <srv:Service id="shibboleth.AttributeFilterEngine"element. If you already have these attributes set for reloading the local configuration file - with a shorter interval, please adjust them accordingly to 2 hours for the remotely loaded attribute filter:
     No Format
        <srv:Service id="shibboleth.AttributeFilterEngine"
+             configurationResourcePollingFrequency="PT2H0M0.000S" configurationResourcePollingRetryAttempts="10"
             xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">

...
 




Now your IdP should be able to access service providers within the Tuakiri federation.
...
 Excerpt Include
Fetching Metadata and Attribute Filter and caching them locally
Fetching Metadata and Attribute Filter and caching them locally
nopaneltrue