Versions Compared

Old Version 15

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user Clay Cooper

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

They ones that are active by default are included in the shibboleth.DefaultRelyingParty bean's profileConfigurations property, by reference. You can turn them on or off using comments or by deleting them.

...

Note

As with all relying party settings, an override does not inherit the profiles enabled by default. An override essentially turns everything off unless its own profileConfigurations property enables it.

Localtabgroup
tabStyleflat
Localtab live
activetrue
Expand
titleStatic Overrides

To statically override a default profile option, you can replace a <ref> element pointing to a profile with a new bean definition like so:

Code Block
<bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />

The parent attribute lets you pull in the pre-defined bean definition for a profile and just override what you want to. You can mix these beans with <ref> elements that rely on default behavior with other profiles.

localtab-live
In many, if not most cases, it

All of the profile settings that can be set statically can also be computed via functions or predicates/conditions that execute at runtime. It's a better idea to look into MetadataDrivenConfiguration then to explore this feature. This is the low-level feature that makes metadata-driven settings possible but using metadata is usually more elegant and the system does all the fancy wiring for you.

In the most advanced cases, most all profile settings can be derived at runtime using Java functions or scripts, termed "lookup strategies", instead of declaring them statically. This can be done for default or overridden relying party configurations, and provides a powerful way of combining different kinds of rules.

This is a useful trick to use The use of this feature helps if you want to apply "cross-cutting" conditions to get around the limitation that overrides don't get merged. For example, consider the following use cases:

  • You want to enable consent for attribute release for a specific set of relying parties.

  • You want to downgrade to the use of SHA-1 for a specific set of relying parties.

Of course, if these two sets don't overlap, and you have nothing else unusual to specify, you could create two overrides for each set individually. But what if the two sets overlap, with some relying parties in one, some in the other, and some in both? Now you need three overrides. Now consider that a third set requires an additional non-default setting and overlaps with some of the first two sets. The number of overrides will get out of hand quickly and start to get very confusing to manage.

As an example, let's tackle the cases above by using scripts to derive the settings involved. This can potentially be done with no overrides at all, as below, though that's a matter of style.

Use of scripts to derive profile settings
Expand
titleDynamic Overrides
Note
Code Block
languagexml
<!-- Whether to run attribute release interceptor. -->
<bean id="InterceptorScript" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
		<![CDATA[
		interceptors = null;
		rpid = "";
		rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
		if (rpCtx != null) {
			rpid = rpCtx.getRelyingPartyId();
        }

		if (rpid.equals("https://sp1.example.org/sp") ||
			rpid.equals("https://sp2.example.org/sp") ||
			rpid.equals("https://sp3.example.org/sp")) {

			listType =  Java.type("java.util.ArrayList");
			interceptors = new listType(1);
			interceptors.add("attribute-release");
		}

		interceptors;
		]]>
        </value>
    </constructor-arg>
</bean>

<!-- Map of security configurations for use by next script. -->
<util:map id="SecurityConfigMap">
	<entry key="SHA2" value-ref="shibboleth.DefaultSecurityConfiguration"/>
	<entry key="SHA1" value-ref="shibboleth.SecurityConfiguration.SHA1" />
</util:map>

<!-- Whether to use SHA-1. -->
<bean id="SecurityConfigScript" parent="shibboleth.ContextFunctions.Scripted"
	factory-method="inlineScript"
	p:customObject-ref="SecurityConfigMap">
    <constructor-arg>
        <value>
		<![CDATA[
		rpid = "";
		rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
		if (rpCtx != null) {
			rpid = rpCtx.getRelyingPartyId();
        }

		securityConfig = custom["SHA2"];

		if (rpid.equals("https://sp2.example.org/sp") ||
			rpid.equals("https://sp3.example.org/sp") ||
			rpid.equals("https://sp4.example.org/sp")) {

			securityConfig = custom["SHA1"];
		}

		securityConfig;
		]]>
        </value>
    </constructor-arg>
</bean>

<!-- Apply the scripts to derive settings. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
	<property name="profileConfigurations">
		<list>
			<bean parent="Shibboleth.SSO"
				p:postAuthenticationFlowsLookupStrategy-ref="InterceptorScript"
				p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
			<bean parent="SAML2.SSO"
				p:postAuthenticationFlowsLookupStrategy-ref="InterceptorScript"
				p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
			<ref bean="SAML2.ECP"
				p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
			<ref bean="SAML2.Logout"
				p:securityConfigurationLookupStrategy-ref="SecurityConfigScript" />
		</list>
	</property>
</bean>

Obviously the example above is somewhat contrived. It's longer than just creating three overrides, but it illustrates the general idea and once you get comfortable using scripts, it isn't as bad as it looks. It's also possible to put scripts in separate files, which makes the XML much shorter.

This becomes much more powerful when combined with other techniques, particularly the use of tag-based conditions based on <EntityAttribute> extensions in SAML metadata, which can be applied by metadata registrars or locally using a metadata filter.

A built-in way of doing this is described in the MetadataDrivenConfiguration topic, and this is the generally-advisable means of handling complex configuration of behavior now.

Reference

localtab-live

If custom profile defaults are needed for several categories of relying party, it is helpful to define top-level profile beans and reference them in the relying parties instead of the system default beans. This approach reduces duplication and produces a more readable configuration. A concrete example is instructive: suppose that an IdP needs to declare custom NameID precedence for SSO profiles for the default relying party and several overrides. The following configuration excerpt demonstrates the approach applied to that case.

Custom Profile Default Beans Example
Expand
title
Changing Profile Defaults
Code Block
languagexml
    <bean id="Shibboleth.SSO.custom" parent="Shibboleth.SSO"
          p:nameIDFormatPrecedence="#{{
            'urn:mace:shibboleth:1.0:nameIdentifier',
            'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}}" />
    <bean id="SAML2.SSO.custom" parent="SAML2.SSO"
          p:nameIDFormatPrecedence="#{{
            'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
            'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'}}" />
 
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <util:list>
                <ref bean="Shibboleth.SSO.custom" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <ref bean="SAML2.SSO.custom" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </util:list>
        </property>
    </bean>
 
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="#{{'https://a.example.com/shibboleth', 'https://b.example.com/shibboleth'}}">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO.custom" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="#{{'https://x.example.com/shibboleth', 'https://y.example.com/shibboleth'}}">
            <property name="profileConfigurations">
                <list>
                    <bean parent="Shibboleth.SSO.custom"
                          p:signAssertions="true"
                          p:signResponses="false" />
                    <bean parent="SAML2.SSO.custom"
                          p:signAssertions="true"
                          p:signResponses="false" />
                </list>
            </property>
        </bean>
    </util:list>

Reference

Localtabgroup
Localtab live
activetrue
titleProperties
Properties
Properties

Properties defined in idp.properties directly related to this configuration area follow:

Property

Type

Default

Function

idp.entityID

URI

None

The unique name of the IdP, used as the "issuer" in all SAML profiles

idp.artifact.enabled

Boolean

true

Whether to allow use of the SAML artifact bindings when sending messages

idp.artifact.secureChannel

Boolean

true

Whether preparation of messages to be communicated via SAML artifact should assume use of a secure channel (allowing signing and encryption to be skipped)

idp.artifact.endpointIndex              

Integer

2

Identifies the <ArtifactResolutionService> endpoint in SAML metadata associated with artifacts issued by a server node

idp.bindings.inMetadataOrder 4.1

Boolean

true

Controls whether the outbound binding selection is ordered by the SP's metadata or the IdP's preferred bindings

; turn this off

(the inbuilt default order is Redirect -> POST -> Artifact -> SOAP). Set to false to leave artifact support on, but

favor use of POST
localtab-live

favor use of POST. Set also to false to favor the front channel over back channel for Logout.

Expand
titleBeans

Beans defined in relying-party.xml and related system configuration follow:

Bean ID

Type

Function

shibboleth.UnverifiedRelyingParty

RelyingPartyConfiguration

Configures IdP behavior for unauthenticated/unverifiable requests

shibboleth.DefaultRelyingParty

RelyingPartyConfiguration

Configures default IdP behavior for authenticated/verified requests

shibboleth.RelyingPartyOverrides

List<RelyingPartyConfiguration>

Configures non-default IdP behavior for requests that meet activation conditions attached to overrides

RelyingParty

RelyingPartyConfiguration

A template bean for use in defining RelyingParty overrides by hand

RelyingPartyByName

RelyingPartyConfiguration

A template bean for defining RelyingParty overrides based on matching by name

RelyingPartyByGroup

RelyingPartyConfiguration

A template bean for defining RelyingParty overrides based on matching by <EntitiesDescriptor> groups or SAML metadata-based <AffiliationDescriptor> groups

RelyingPartyByEntitiesDescriptor 4.1

RelyingPartyConfiguration

A template bean for defining RelyingParty overrides based on matching by <EntitiesDescriptor> groups only

RelyingPartyByTag

RelyingPartyConfiguration

A template bean for defining RelyingParty overrides based on matching <EntityAttributes> extension content

RelyingPartyByMappedTag

RelyingPartyConfiguration

A template bean for defining RelyingParty overrides based on matching <EntityAttributes> extension content that has been mapped via the AttributeRegistryConfiguration

TagCandidate

EntityAttributesPredicate.Candidate

A template bean for defining EntityAttribute matching rules for injection into beans based on RelyingPartyByTag

Shibboleth.SSO

BrowserSSOProfileConfiguration

Default configuration for SAML 1.1 SSO profile

SAML1.AttributeQuery

AttributeQueryProfileConfiguration

Default configuration for SAML 1.1 Attribute Query profile

SAML1.ArtifactResolution

ArtifactResolutionProfileConfiguration

Default configuration for SAML 1.1 Artifact Resolution profile

SAML2.SSO

BrowserSSOProfileConfiguration

Default configuration for SAML 2.0 SSO profile

SAML2.ECP

ECPProfileConfiguration

Default configuration for SAML 2.0 Enhanced Client/Proxy profile

SAML2.Logout

SingleLogoutProfileConfiguration

Default configuration for SAML 2.0 Single Logout profile

SAML2.AttributeQuery

AttributeQueryProfileConfiguration

Default configuration for SAML 2.0 Attribute Query profile

SAML2.ArtifactResolution

ArtifactResolutionProfileConfiguration

Default configuration for SAML 2.0 Artifact Resolution profile

Liberty.SSOS

SSOSProfileConfiguration

(DEPRECATED) Default configuration for Liberty ID-WSF Delegated SSO profile

CAS.LoginConfiguration

LoginConfiguration

Default configuration for CAS login prototol

CAS.ProxyConfiguration

ProxyConfiguration

Default configuration for CAS proxy login protocol

CAS.ValidateConfiguration

ValidateConfiguration

Default configuration for CAS ticket validation protocol

shibboleth.DefaultArtifactConfiguration

BasicSAMLArtifactConfiguration

Default configuration for SAML Artifact usage, injected into artifact-supporting SAML profile beans

localtab-live
Expand
titleProfile Defaults

Without stepping fully into the SecurityConfiguration topic, the following defaults are used when enabling individual profiles. In addition, an appropriate "security policy" flow is enabled during request processing to enforce appropriate security guarantees.

  • All SAML Profiles

    • includeConditionsNotBefore = true

    • assertionLifetime = PT5M

    • signedRequestsPredicate signedRequests = alwaysFalsefalsesignAssertionsPredicate

    • signAssertions = alwaysFalsefalse

  • Shibboleth.SSO

    • includeAttributeStatement = false

    • signResponsesPredicate signResponses = alwaysTruetrue

    • use of type 1 SAML artifacts where required

  • SAML1.AttributeQuery and SAML1.ArtifactResolution

    • signResponsesPredicate signResponses = true if TLS isn't used or port 443 is used

  • SAML2.SSO and SAML2.ECP

    • includeAttributeStatement = true

    • skipEndpointValidationWhenSigned = false

    • maximumSPSessionLifetime = 0

    • signResponsesPredicate signResponses = alwaysTruetrueencryptAssertionsPredicate

    • encryptAssertions = alwaysTruetrue

    • encryptNameIDsPredicate encryptNameIDs = alwaysFalsefalseencryptAttributesPredicate

    • encryptAttributes = alwaysFalsefalse

    • use of type 4 SAML artifacts where required with an endpoint index of %{idp.artifact.endpointIndex:2}

  • SAML2.Logout

    • signRequestsPredicate signRequests = alwaysTrue true on front channel, if TLS isn't used or port 443 is used on back channelsignResponsesPredicate

    • signResponses = alwaysTrue true on front channel, if TLS isn't used or port 443 is used on back channelencryptNameIDsPredicate

    • encryptNameIDs = alwaysTrue true on front channel, if TLS isn't used or port 443 is used on back channel

    • use of type 4 SAML artifacts where required with an endpoint index of %{idp.artifact.endpointIndex:2}

  • SAML2.AttributeQuery and SAML2.ArtifactResolution

    • signResponsesPredicate signResponses = true if TLS isn't used or port 443 is used

    • encryptAssertionsPredicate encryptAssertions = true if TLS isn't used or port 443 is used

...