Versions Compared

Old Version 19

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version 20

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

For example, if you would like to enable tag-driven configuration for SAML 2.0 Browser SSO, you can replace any reference to the SAML2.SSO bean with SAML2.SSO.MDDriven, as in this example:

Enable tag-driven features in relying-party.xml
Expand
titleEnable tag-driven features in relying-party.xml
Code Block
languagexml
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
  	<property name="profileConfigurations">
		<list>
			    <list>
      <ref bean="Shibboleth.SSO" />
			      <ref bean="SAML1.AttributeQuery" />
			      <ref bean="SAML1.ArtifactResolution" />
 			     
      <ref bean="SAML2.SSO.MDDriven" /> <!-- enables metadata-driven settings -->
      			
      <ref bean="SAML2.ECP" />
			
      <ref bean="SAML2.Logout" />
			
      <ref bean="SAML2.AttributeQuery" />
			      <ref bean="SAML2.ArtifactResolution" />
		    </list>
 	 </property>
</bean>

Attribute / Property Convention

...

Localtabgroup
tabStyleflat
Localtab live
activetrue
titleSAML Attribute NameFormat Usage

While the SAML Attribute Name is handled as above, the NameFormat of all supported properties is presumed to be urn:oasis:names:tc:SAML:2.0:attrname-format:uri to prevent conflicts. However, the system was in fact "lax" about this particular check in V3.

As Of of V4, there is a property in conf/services.xml that is shipped enabled, but internally off by default for compatibility on upgrades. When idp.service.relyingparty.ignoreUnmappedEntityAttributes is true, which is suggested, the system will ignore any tags that have an improper NameFormat unless they are explicitly decoded with a custom rule in the AttributeRegistryConfiguration.

A side effect of this setting is that the IdP will operate much faster in locating (or not locating) tags for all of its settings using decoded and indexed data instead of having to inefficiently search the native XML-wrapping based data structures for a match. As a result, it is strongly advised that the proper NameFormat be used and the property enabled.

Localtab live
titleType Conversion

The supplied implementations support various built-in type conversions supporting a natural mapping between simple XML syntax and Java data types. Different kinds of settings support particular XML syntaxes as described below.

The only XML syntaxes supported are "simple content" models involving an <AttributeValue> containing only text content, but it is possible to apply specific xsi:type designations that trigger more precise handling (such as enforcing numeric or boolean data). Note that using xsi:type in this fashion requires declaring an appropriate namespace and prefix for the XSD namespace, http://www.w3.org/2001/XMLSchema, which is conventionally bound to the xsd or xs prefixes.

Setting Data Type

Supported XML Conversions

Notes

String

Untyped, string, boolean, integer, dateTime, base64binary

Booleans are mapped to the strings "0" or "1".

Dates are mapped into the Unix epoch, then converted to String.

Boolean

Untyped, string, boolean, integer

Strings are processed as a valid XML boolean value (0, 1, true, false) or treated as false.

Non-zero integers are true, zero is false.

Integer

Untyped, string, boolean, integer

Strings are decoded via Integer.decode() method.

Booleans are mapped to 0 or 1.

Long

Untyped, string, boolean, integer, dateTime

Strings are decoded via Long.decode() method.

Booleans are mapped to 0 or 1.

Dates are mapped to the Unix epoch, then converted to a Long.

Double

Untyped, string, boolean, integer

Strings are decoded via Double.valueOf() method.

Booleans are mapped to 0.0 or 1.0.

Duration

Untyped, string, integer

Strings are converted from the ISO Duration notation used throughout the software.

Integers are treated as a millisecond duration.

List<?>

Untyped, string, boolean, integer, dateTime, base64binary

Supports multiple <AttributeValue> elements, and each value is converted to a String and then used to construct an object of the type specified for the property via a String-based single-argument constructor.

Set<?>

Untyped, string, boolean, integer, dateTime, base64binary

Supports multiple <AttributeValue> elements, and each value is converted to a String and then used to construct an object of the type specified for the property via a String-based single-argument constructor.

Bean

Untyped, string

Converted to a String used as a name of a Spring bean to build or access

...

The direct method applies to cases in which you control the metadata or when the source of the metadata supports the inclusion of the necessary extensions. The tags simply appear within the metadata being loaded into the IdP using an <mdattr:EntityAttributes> extension element:

...

Expand
titleDirect embedding of configuration tags
Code Block
languagexml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  entityID="https://sp.example.org/sp">
    <Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>http://example.org/ac/classes/mfa</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>false</saml:AttributeValue>
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </Extensions>
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
	<!-- Content omitted -->        
    </SPSSODescriptor>
</EntityDescriptor>

The indirect method uses the EntityAttributesFilter to attach the tags at runtime after loading and verifying the metadata. This is useful for cases in which you want to rely on externally supplied metadata but still organize parts of your configuration around the metadata. One use for this is simply consistency: if you have both external and local metadata, you can drive the configuration with both.

...

Expand
titleIndirect example of applying tags using a filter
Code Block
languagexml
<MetadataProvider id="InCommonMD" xsi:type="FileBackedHTTPMetadataProvider"
	metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
	backingFile="%{idp.home}/metadata/InCommon-metadata.xml"
	failFastInitialization="false">
	<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
	<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
		certificateFile="%{idp.home}/credentials/incommon.pem" />
	<MetadataFilter xsi:type="EntityRoleWhiteList">
		<RetainedRole>md:SPSSODescriptor</RetainedRole>
	</MetadataFilter>
	<MetadataFilter xsi:type="EntityAttributes">
		<saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
			NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
			<saml:AttributeValue>http://example.org/ac/classes/mfa</saml:AttributeValue>
		</saml:Attribute>
		<saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses"
			NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
			<saml:AttributeValue>false</saml:AttributeValue>
		</saml:Attribute>
		<Entity>https://sp.example.org/sp</Entity>
	</MetadataFilter>
</MetadataProvider>

...

Enabling signed assertions for a particular SP is advisedly handled by setting the WantAssertionsSigned XML attribute in metadata, but isn't always possible and sometimes has to be combined with disabling signed responses (or just for efficiency).

SAML 2 Browser SSO: Sign assertions and not responses
Expand
titleSAML 2 Browser SSO: Sign assertions and not responses
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>false</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>true</saml:AttributeValue>
</saml:Attribute>

...

Note that it may be helpful to make sure encryption also doesn't get used during logout, so the second tag may be useful.

All profiles: turn off encryption
Expand
titleAll profiles: turn off encryption
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptAssertions"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>false</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptNameIDs"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>false</saml:AttributeValue>
</saml:Attribute>

...

Using <NameIDFormat> elements in metadata (which can also be added at runtime with the NameIDFormatFilter) is the normal way to use metadata to select the Format to use, but the "unspecified" Format has to be triggered with a profile setting. That's not commonly needed, but it's easy to define a tag for in such cases (and if you prefer you can obviously designate any Format this way).

...

designate any Format this way).

Expand
titleAll profiles: use the "unspecified" NameID Format
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/nameIDFormatPrecedence"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</saml:AttributeValue>
</saml:Attribute>

...

Some of the other profile settings are workarounds for bugs, e.g., omitting the NotBefore attribute. This is not very common but easily tag-driven.

All profiles: omit the NotBefore attribute
Expand
titleAll profiles: omit the NotBefore attribute
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/includeConditionsNotBefore"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>false</saml:AttributeValue>
</saml:Attribute>

A more obscure example would be an SP that requires additional <Audience> values in addition to its own entityID. This mainly demonstrates that some settings may be multi-valued.

All profiles: add additional Audience values
Expand
titleAll profiles: add additional Audience values
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/assertionAudiences"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>https://example.org/bogusAudience1</saml:AttributeValue>
	<saml:AttributeValue>https://example.org/bogusAudience2</saml:AttributeValue>
</saml:Attribute>

...

Handling SPs that require MFA but can't request it requires IdP-side configuration, usually involving a couple of settings. The URL below is just an example, it has to be replaced by whatever <AuthnContextClassRef> constant is used in a deployment to signal MFA, or possibly more than one.

...

Expand
titleAll profiles: forcing MFA
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>http://example.org/ac/classes/mfa</saml:AttributeValue>
</saml:Attribute>
<!-- The disallowedFeatures setting is a bitmask, and 0x1 blocks SPs requesting authentication types. -->
<saml:Attribute Name="http://shibboleth.net/ns/profiles/disallowedFeatures"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>0x1</saml:AttributeValue>
</saml:Attribute

...

Triggering consent based on the SP is pretty common.

...

Expand
titleSAML and CAS SSO: enable attribute consent
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/postAuthenticationFlows"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>attribute-release</saml:AttributeValue>
</saml:Attribute>

The authorization intereptor flow is another case, though the checking logic would have to be extended for each different service/scenario. In the example, both flows are enabled.

...

Expand
titleSAML and CAS SSO: enable authorization checking and attribute consent
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/postAuthenticationFlows"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>context-check</saml:AttributeValue>
	<saml:AttributeValue>attribute-release</saml:AttributeValue>
</saml:Attribute

...

Therefore, the built-in wiring cannot accomodate this use case, but it's possible to do this with an activation condition. This is the same wiring that is provided by the system configuration for many of the other properties but is supplied here "by hand" in order to adjust the default value of the condition to "false" instead of "true".

Enabling SAML 1.1 SSO conditionally using a tag
Expand
titleEnabling SAML 1.1 SSO conditionally using a tag
Code Block
languagexml
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty.MDDriven">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO.MDDriven">
                <property name="activationCondition">
                    <bean class="net.shibboleth.utilities.java.support.logic.PredicateSupport" factory-method="fromFunction">
                        <constructor-arg>
                            <bean parent="shibboleth.MDDrivenBoolProperty" p:propertyName="activationCondition" />
                        </constructor-arg>
                        <constructor-arg value="false" />
                    </bean>
                </property>
            </bean>
            <ref bean="SAML2.SSO.MDDriven" />
            <ref bean="SAML2.ECP.MDDriven" />
            <ref bean="SAML2.Logout.MDDriven" />
            <ref bean="SAML2.AttributeQuery.MDDriven" />
            <ref bean="SAML2.ArtifactResolution.MDDriven" />
        </list>
    </property>
</bean>
Attribute to enable SAML 1.1
Expand
titleAttribute to enable SAML 1.1
Code Block
languagexml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/saml1/sso/browser/activationCondition"
	NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
	<saml:AttributeValue>true</saml:AttributeValue>
</saml:Attribute

...

Values: Each value is an internal IdPAttribute ID whose values should be released to an SP whose metadata contains the relevant tag/value.

Example

Here's an example policy (more or less matching an example in the default file) that applies this tag test to a couple of attributes. A couple of subtle points here.

...

Code Block
<AttributeFilterPolicy id="Per-Attribute-singleValued">
	<PolicyRequirementRule xsi:type="ANY"/>

	<AttributeRule attributeID="eduPersonPrincipalName">
		<PermitValueRule xsi:type="EntityAttributeExactMatch"
			attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
			attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
			attributeValue="eduPersonPrincipalName" />
	</AttributeRule>

	<AttributeRule attributeID="mail">
		<PermitValueRule xsi:type="EntityAttributeExactMatch"
			attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
			attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
			attributeValue="mail" />
	</AttributeRule>
</AttributeFilterPolicy>

Reference

Localtabgroup
Localtab live
activetrue
titleBeans

Bean ID

Type

Function

RelyingParty.MDDriven                                          

RelyingPartyConfiguration

A template bean for use in defining metadata-driven RelyingParty overrides by hand

RelyingPartyByName.MDDriven

RelyingPartyConfiguration

A template bean for defining metadata-driven RelyingParty overrides based on matching by name

RelyingPartyByGroup.MDDriven

RelyingPartyConfiguration

A template bean for defining metadata-driven RelyingParty overrides based on matching by <EntitiesDescriptor> groups or SAML metadata-based <AffiliationDescriptor> groups

RelyingPartyByEntitiesDescriptor.MDDriven 4.1

RelyingPartyConfiguration

A template bean for defining metadata-driven RelyingParty overrides based on matching by <EntitiesDescriptor> groups only

RelyingPartyByTag.MDDriven

RelyingPartyConfiguration

A template bean for defining metadata-driven RelyingParty overrides based on matching <EntityAttributes> extension content

RelyingPartyByMappedTag.MDDriven

RelyingPartyConfiguration

A template bean for defining metadata-driven RelyingParty overrides based on matching <EntityAttributes> extension content mapped via the AttributeRegistryConfiguration

Shibboleth.SSO.MDDriven

BrowserSSOProfileConfiguration

Default metadata-driven configuration for SAML 1.1 SSO profile

SAML1.AttributeQuery.MDDriven

AttributeQueryProfileConfiguration

Default metadata-driven configuration for SAML 1.1 Attribute Query profile

SAML1.ArtifactResolution.MDDriven

ArtifactResolutionProfileConfiguration

Default metadata-driven configuration for SAML 1.1 Artifact Resolution profile

SAML2.SSO.MDDriven

BrowserSSOProfileConfiguration

Default metadata-driven configuration for SAML 2.0 SSO profile

SAML2.ECP.MDDriven

ECPProfileConfiguration

Default metadata-driven configuration for SAML 2.0 Enhanced Client/Proxy profile

SAML2.Logout.MDDriven

SingleLogoutProfileConfiguration

Default metadata-driven configuration for SAML 2.0 Single Logout profile

SAML2.AttributeQuery.MDDriven

AttributeQueryProfileConfiguration

Default metadata-driven configuration for SAML 2.0 Attribute Query profile

SAML2.ArtifactResolution.MDDriven

ArtifactResolutionProfileConfiguration

Default metadata-driven configuration for SAML 2.0 Artifact Resolution profile

Liberty.SSOS.MDDriven

SSOSProfileConfiguration

Default metadata-driven configuration for Liberty ID-WSF Delegated SSO profile

CAS.LoginConfiguration.MDDriven

LoginConfiguration

Default metadata-driven configuration for CAS login prototol

CAS.ProxyConfiguration.MDDriven

ProxyConfiguration

Default metadata-driven configuration for CAS proxy login protocol

CAS.ValidateConfiguration.MDDriven

ValidateConfiguration

Default metadata-driven configuration for CAS ticket validation protocol

shibboleth.DefaultMDProfileAliases

List<String>

A built-in list of alternate URL "prefixes" to property names, this is used to automate the generation of property tag names that apply to all profiles at the same time.

shibboleth.MDProfileAliases

List<String>

An optional user-supplied list of additional URL prefixes to support custom property tag names

shibboleth.MDDrivenStringProperty

StringConfigurationLookupStrategy

Parent bean for defining new lookup strategies for string settings

shibboleth.MDDrivenBoolProperty

BooleanConfigurationLookupStrategy

Parent bean for defining new lookup strategies for boolean settings

shibboleth.MDDrivenIntProperty

IntegerConfigurationLookupStrategy

Parent bean for defining new lookup strategies for integer settings

shibboleth.MDDrivenLongProperty

LongConfigurationLookupStrategy

Parent bean for defining new lookup strategies for long integer settings

shibboleth.MDDrivenDoubleProperty

DoubleConfigurationLookupStrategy

Parent bean for defining new lookup strategies for double settings

shibboleth.MDDrivenDurationProperty

DurationConfigurationLookupStrategy

Parent bean for defining new lookup strategies for Duration settings

shibboleth.MDDrivenListProperty

ListConfigurationLookupStrategy

Parent bean for defining new lookup strategies for List settings

shibboleth.MDDrivenSetProperty

SetConfigurationLookupStrategy

Parent bean for defining new lookup strategies for Set settings

shibboleth.MDDrivenBeanProperty

BeanConfigurationLookupStrategy

Parent bean for defining new lookup strategies for arbitrary Spring bean settings