File(s): conf/relying-party.xml, conf/idp.properties
Format: Native Spring
| Table of Contents |
|---|
Overview
The relying-party.xml file is used to specify the functional features (SAML and otherwise) you want the IdP to support (these are termed "profiles"), and to customize IdP or profile settings based on the identity, or a few other characteristics, of a relying party service.
You can modify this file to:
control which profiles are supported for particular partners (or for anonymous requests)
alter default profile or global settings
define and attach custom security configurations at various levels, such as:
turning off encryption of assertions and other content
changing which layer signing is performed (responses vs. assertions)
supporting multiple signing credentials
customizing algorithms
The goal of any deployment is to reduce the number of customizations used, so the ideal is to rarely have to modify this configuration. Further, there are more modern techniques that allow many or most uses of this file to be replaced by MetadataDrivenConfiguration; that is, instead of creating explicit rules in this file, it's usually cleaner in the long run to add information to SP metadata to effect the change desired. Over time, it becomes easier to get a feel for when it's easier to use metadata and when it's easier to use overrides.
...
The absolute rule is that the file MUST contain three named beans:
shibboleth.UnverifiedRelyingParty
shibboleth.DefaultRelyingParty
shibboleth.RelyingPartyOverrides
All three are defined for you by default.
The first two must define beans that derive from the RelyingPartyConfiguration class, but this is automatically done by inheriting (via the parent attribute) from the bean named RelyingParty.
...
The "default" RP bean applies to requests from peers that do not fit the conditions attached to any overrides, and are thus handled with default settings. By default, this relies on a variety of built-in settings, and activates a number of the usual profiles, though the exact list may vary over time with particular releases (things that used to be common may become rare).
The last bean is a List<RelyingPartyConfiguration> for any overrides. Those beans will generally be of special types that determine their applicability, or will generically contain an activationCondition property that determines whether one applies to a request or not.
...
To simplify this in the most common scenarios, we have included additional parent beans that can be inherited from to more easily express these conditions. Right now, we have these built-in helpers:
RelyingPartyByName
RelyingPartyByGroup
RelyingPartyByEntitiesDescriptor 4.1
RelyingPartyByTag
RelyingPartyByMappedTag
Examples
| Code Block | language | xml||||||
|---|---|---|---|---|---|---|---|
| Expand | |||||||
| |||||||
| true
|
(Note that the second example above uses a Spring Expression Language inline list. This can get arbitrarily long, so the third example shows this in a more readable syntax for longer lists.)
The following example notwithstanding, it's not advisable to create policy based on groups because those hierarchies are very dependent on metadata aggregation and publishing approaches that are much less common today.
| Code Blockexpand | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
| collapse
| true
|
There is also support for group matching based on a SAML metadata feature called an <AffiliationDescriptor>, and you are able to create locally (or even remotely) expressed group memberships using that technique, by supplying supplemental metadata to the system. If you want to optimize by ignoring the possibility of <AffiliationDescriptor> use, the RelyingPartyByEntitiesDescriptor bean has been added (as of V4.1) to bypass that step and suppress some logging that shows up during the affiliation lookup.
An alternative grouping strategy is based on <EntityAttributes> metadata extension tags. The tag-based approach is a generally recommended way of doing simple overrides that might apply to a large number of systems, and is a bridge between the "explicit" syntax and the more generic MetadataDrivenConfiguration approach.
| Code Blockexpand | |||||||
|---|---|---|---|---|---|---|---|
| |||||||
| true
|
In addition to the original bean, the RelyingPartyByMappedTag bean allows you to optimize tag-based overrides by relying on the decoding of tags in the metadata into internal IdPAttribute objects via the AttributeRegistryConfiguration. Even without dedicated rules, the system can auto-decode URI-named SAML Attribute extensions into IdPAttributes with a corresponding name "as is", so generally the mapped variant should work the same way and will be faster.
Finally, the most general example involves defining your own bean and a custom condition. An example using a regular expression:
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| Expand | ||||||||
| ||||||||
| collapse
| true
|
Multiple Overrides
If more than one override is defined, then it is possible for the activation conditions of multiple overrides to be satisfied by a request. Overrides have "first one wins" match semantics whose ordering is determined by their position in the shibboleth.RelyingPartyOverrides list bean. This leads to a rule of thumb for overrides: more general matches (i.e. by group) should be placed after more specific matches (i.e. by name).
...
Every relying party configuration (default or override) has a profileConfigurations property whose value is a list of ProfileConfiguration beans that determine which profiles can be used. Any profile not explicitly listed will be disabled and requests for it will fail internally with an error.
Profiles are activated within relying party configurations in most cases by referencing beans defined within the system that apply the default settings for each profile. This wouldn't apply to custom profiles defined in extensions, but it does apply to the built-in feature set. We've pre-defined beans for the built-in profiles as follows:
Liberty.SSOS (this undocumented feature supports SAML-based security delegation and has been provisionally deprecated in this release)
They ones that are active by default are included in the shibboleth.DefaultRelyingParty bean's profileConfigurations property, by reference. You can turn them on or off using comments or by deleting them.
...
| Localtabgroup | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||
To statically override a default profile option, you can replace a
The
In the most advanced cases, most all profile settings can be derived at runtime using Java functions or scripts, termed "lookup strategies", instead of declaring them statically. This can be done for default or overridden relying party configurations, and provides a powerful way of combining different kinds of rules. This is a useful trick to use if you want to apply "cross-cutting" conditions to get around the limitation that overrides don't get merged. For example, consider the following use cases:
Of course, if these two sets don't overlap, and you have nothing else unusual to specify, you could create two overrides for each set individually. But what if the two sets overlap, with some relying parties in one, some in the other, and some in both? Now you need three overrides. Now consider that a third set requires an additional non-default setting and overlaps with some of the first two sets. The number of overrides will get out of hand quickly and start to get very confusing to manage. As an example, let's tackle the cases above by using scripts to derive the settings involved. This can potentially be done with no overrides at all, as below, though that's a matter of style. Code Block | | ||||||||||||||
| language | xml | title |
| Code Block | ||
|---|---|---|
| ||
<!-- Whether to run attribute release interceptor. -->
<bean id="InterceptorScript" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
interceptors = null;
rpid = "";
rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
if (rpCtx != null) {
rpid = rpCtx.getRelyingPartyId();
}
if (rpid.equals("https://sp1.example.org/sp") ||
rpid.equals("https://sp2.example.org/sp") ||
rpid.equals("https://sp3.example.org/sp")) {
listType = Java.type("java.util.ArrayList");
interceptors = new listType(1);
interceptors.add("attribute-release");
}
interceptors;
]]>
</value>
</constructor-arg>
</bean>
<!-- Map of security configurations for use by next script. -->
<util:map id="SecurityConfigMap">
<entry key="SHA2" value-ref="shibboleth.DefaultSecurityConfiguration"/>
<entry key="SHA1" value-ref="shibboleth.SecurityConfiguration.SHA1" />
</util:map>
<!-- Whether to use SHA-1. -->
<bean id="SecurityConfigScript" parent="shibboleth.ContextFunctions.Scripted"
factory-method="inlineScript"
p:customObject-ref="SecurityConfigMap">
<constructor-arg>
<value>
<![CDATA[
rpid = "";
rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
if (rpCtx != null) {
rpid = rpCtx.getRelyingPartyId();
}
securityConfig = custom["SHA2"];
if (rpid.equals("https://sp2.example.org/sp") ||
rpid.equals("https://sp3.example.org/sp") ||
rpid.equals("https://sp4.example.org/sp")) {
securityConfig = custom["SHA1"];
}
securityConfig;
]]>
</value>
</constructor-arg>
</bean>
<!-- Apply the scripts to derive settings. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<bean parent="Shibboleth.SSO"
p:postAuthenticationFlowsLookupStrategy-ref="InterceptorScript"
p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
<bean parent="SAML2.SSO"
p:postAuthenticationFlowsLookupStrategy-ref="InterceptorScript"
p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
<ref bean="SAML2.ECP"
p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
<ref bean="SAML2.Logout"
p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
</list>
</property>
</bean> |
Obviously the example above is somewhat contrived. It's longer than just creating three overrides, but it illustrates the general idea and once you get comfortable using scripts, it isn't as bad as it looks. It's also possible to put scripts in separate files, which makes the XML much shorter.
This becomes much more powerful when combined with other techniques, particularly the use of tag-based conditions based on <EntityAttribute> extensions in SAML metadata, which can be applied by metadata registrars or locally using a metadata filter.
A built-in way of doing this is described in the MetadataDrivenConfiguration topic, and this is the generally-advisable means of handling complex configuration of behavior now.
| Localtab live | ||
|---|---|---|
|
If custom profile defaults are needed for several categories of relying party, it is helpful to define top-level profile beans and reference them in the relying parties instead of the system default beans. This approach reduces duplication and produces a more readable configuration. A concrete example is instructive: suppose that an IdP needs to declare custom NameID precedence for SSO profiles for the default relying party and several overrides. The following configuration excerpt demonstrates the approach applied to that case.
codeCustom Profile Default Beans Example
| Code Block | ||
|---|---|---|
| ||
<bean id="Shibboleth.SSO.custom" parent="Shibboleth.SSO"
p:nameIDFormatPrecedence="#{{
'urn:mace:shibboleth:1.0:nameIdentifier',
'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}}" />
<bean id="SAML2.SSO.custom" parent="SAML2.SSO"
p:nameIDFormatPrecedence="#{{
'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}}" />
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<util:list>
<ref bean="Shibboleth.SSO.custom" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
<ref bean="SAML2.SSO.custom" />
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<ref bean="SAML2.AttributeQuery" />
<ref bean="SAML2.ArtifactResolution" />
</util:list>
</property>
</bean>
<util:list id="shibboleth.RelyingPartyOverrides">
<bean parent="RelyingPartyByName"
c:relyingPartyIds="#{{'https://a.example.com/shibboleth', 'https://b.example.com/shibboleth'}}">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO.custom" p:encryptAssertions="false" />
</list>
</property>
</bean>
<bean parent="RelyingPartyByName"
c:relyingPartyIds="#{{'https://x.example.com/shibboleth', 'https://y.example.com/shibboleth'}}">
<property name="profileConfigurations">
<list>
<bean parent="Shibboleth.SSO.custom"
p:signAssertions="true"
p:signResponses="false" />
<bean parent="SAML2.SSO.custom"
p:signAssertions="true"
p:signResponses="false" />
</list>
</property>
</bean>
</util:list> |
Reference
| Localtabgroup | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Properties defined in idp.properties directly related to this configuration area follow:
Beans defined in relying-party.xml and related system configuration follow:
Without stepping fully into the SecurityConfiguration topic, the following defaults are used when enabling individual profiles. In addition, an appropriate "security policy" flow is enabled during request processing to enforce appropriate security guarantees.
|