Shibboleth: XACML-ARPs
--
This page provides a patch that extends Shibboleth with a new ARP architecture, i.e.:
...
Apply the attached patch file 'shibPatch' (view and download it at the end of this page) to the source code of Shibboleth 1.3.c to obtain the new Shibboleth class files:
- change directory to '.../shibboleth/src/'
- copy the patch file to this directory
- run the Linux command 'patch -p1 < shibPatch'
- compile the new source code
- replace all class files in your working Shibboleth IdP with the new ones
2) Configure openLDAP
...
- set up one (or more) LDAP server(s) (e.g. located at your IdP)
- configure the ArpRepository in idp.xml like this:

    <ReleasePolicyEngine>
        <ArpRepository implementation="edu.internet2.middleware.shibboleth.aa.arp.provider.LdapArpRepository">
            <Path>ldap://example.com:389/dc=example,dc=com</Path>
            <Path> ...more LDAP-servers... </Path>
        </ArpRepository>
    </ReleasePolicyEngine>
...
Entry for describing a group (stored under subtree 'ou=groups'):

    dn: XACMLgroupName=testGroup, ou=groups, dc=example, dc=com
    objectclass: XACMLgroup
    XACMLgroupName: testGroup
    XACMLmembers: user1
    XACMLmembers: user2
Entry for describing a policy, valid for the group stated above (stored under subtree 'ou=sitearps,ou=policies'):

    dn: XACMLpolicyId=exampleArp, ou=sitearps, ou=policies, dc=example, dc=com
    objectclass: XACMLpolicy
    XACMLpolicyId: exampleArp
    XACMLpolicy: <Policy> ...see Example ARP... </Policy>
    XACMLgroupNames: testGroup
    XACMLroles: defaultrole
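As an added illustration (not part of the patch or this page), the following Python reads the two entries above from a constructed LDIF string and resolves which policy ids apply to a user; the lookup order user -> XACMLmembers -> XACMLgroupNames is an assumption drawn from the schema, and the parser is a minimal stand-in, not the patch's LdapArpRepository.

```python
# Constructed LDIF holding the two entries shown above (a group and a policy);
# the resolution rule user -> XACMLmembers -> XACMLgroupNames is assumed.
LDIF = """\
dn: XACMLgroupName=testGroup, ou=groups, dc=example, dc=com
objectclass: XACMLgroup
XACMLgroupName: testGroup
XACMLmembers: user1
XACMLmembers: user2

dn: XACMLpolicyId=exampleArp, ou=sitearps, ou=policies, dc=example, dc=com
objectclass: XACMLpolicy
XACMLpolicyId: exampleArp
XACMLpolicy: <Policy>...</Policy>
XACMLgroupNames: testGroup
XACMLroles: defaultrole
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or line folding): {dn: {attr: [values]}};
    multi-valued attributes such as XACMLmembers accumulate into lists."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def groups_of(entries, user):
    """Names of XACMLgroup entries that list the user among their XACMLmembers."""
    return {e["XACMLgroupName"][0] for e in entries.values()
            if "XACMLgroup" in e.get("objectclass", []) and user in e.get("XACMLmembers", [])}

def policies_for(entries, user):
    """XACMLpolicyIds whose XACMLgroupNames intersect the user's groups, i.e. the
    candidate ARPs for this user under the assumed lookup rule (sorted for stability)."""
    groups = groups_of(entries, user)
    return sorted(e["XACMLpolicyId"][0] for e in entries.values()
                  if "XACMLpolicy" in e.get("objectclass", [])
                  and groups & set(e.get("XACMLgroupNames", [])))
```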
Example ARP
Here is an example XACML-ARP. For a description, see the 'Description' element.

    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:context="urn:oasis:names:tc:xacml:1.0:context"
            xmlns:condition="urn:mace:dir:attribute-def"
            PolicyId="exampleArp"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
      <Description>
        Attribute to release: eduPersonNickname
        Condition: only release eduPersonNickname if eduPersonPrincipalName has the value foo.bar
        Purpose: authorization
        Action: read
        Target: SP1 or SP2 or SP3
        Obligation: delete data after end of term
        Combination:
          - ARPpriority: combines all found applicable policies based on priority
            (parameter set in tag 'CombinerParameter')
          - ordered-permit-overrides: combines rules within this policy
        Role: defaultrole
      </Description>
      <PolicyDefaults>
        <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
      </PolicyDefaults>
      <CombinerParameters>
        <CombinerParameter ParameterName="ARPpriority">100</CombinerParameter>
      </CombinerParameters>
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP1|SP2|SP3</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:service-provider"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:mace:dir:attribute-def:eduPersonNickname</AttributeValue>
              <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                                           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <Rule RuleId="Rule1" Effect="Permit">
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>
            <AnyResource/>
          </Resources>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                           AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
              </ActionMatch>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authorization</AttributeValue>
                <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                           AttributeId="urn:oasis:names:tc:xacml:1.0:action:purpose"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.bar</AttributeValue>
          </Apply>
          <AttributeSelector RequestContextPath="//context:ResourceContent/condition:eduPersonPrincipalName/text()"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Condition>
      </Rule>
      <!-- ... nothing more to release ... -->
      <Rule RuleId="releaseNothingMore" Effect="Deny"/>
      <Obligations>
        <Obligation ObligationId="data-has-to-be-deleted-after-end-of-term" FulfillOn="Permit">
          <AttributeAssignment AttributeId="resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:1.0:resource:resource-id</AttributeAssignment>
        </Obligation>
      </Obligations>
    </Policy>
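As an added example (not code from the patch or this page), the following Python models the decision the Example ARP above expresses: the policy Target, Rule1's action checks and its any-of-any regexp condition over eduPersonPrincipalName, the Deny fallback rule under ordered-permit-overrides, the obligation attached on Permit, and a highest-priority-wins reading of ARPpriority, which the page does not define and is assumed here. The REQUEST dictionary is a constructed stand-in for the XACML request context, and regexp-string-match is taken as a full-string match.

```python
import re

# Constructed XACML request context with the attributes the Example ARP inspects
# (sample values, not from the page; eduPersonPrincipalName travels in ResourceContent).
REQUEST = {
    "service-provider": "SP2",
    "resource-id": "urn:mace:dir:attribute-def:eduPersonNickname",
    "action-id": "read",
    "purpose": "authorization",
    "ResourceContent": {"eduPersonPrincipalName": ["foo.bar"]},
}

def target_matches(req):
    """Policy <Target>: SP1|SP2|SP3 via regexp-string-match, resource-id via anyURI-equal, AnyAction."""
    sp_ok = re.fullmatch(r"SP1|SP2|SP3", req["service-provider"]) is not None
    return sp_ok and req["resource-id"] == "urn:mace:dir:attribute-def:eduPersonNickname"

def rule1(req):
    """Rule1 (Permit): action-id 'read' and purpose 'authorization', then the
    any-of-any(regexp-string-match, bag{'foo.bar'}, eduPersonPrincipalName) condition."""
    if req["action-id"] != "read" or req["purpose"] != "authorization":
        return "NotApplicable"
    eppns = req["ResourceContent"].get("eduPersonPrincipalName", [])
    # 'foo.bar' is a regular expression, so '.' matches any single character:
    # 'foo-bar' satisfies the condition as well (full-match semantics assumed here).
    return "Permit" if any(re.fullmatch("foo.bar", e) for e in eppns) else "NotApplicable"

def evaluate_example_arp(req):
    """ordered-permit-overrides over Rule1 and releaseNothingMore; obligation only on Permit."""
    if not target_matches(req):
        return "NotApplicable", []
    decision = "NotApplicable"
    for rule in (rule1, lambda r: "Deny"):  # releaseNothingMore: no Target/Condition, always Deny
        d = rule(req)
        if d == "Permit":
            return "Permit", ["data-has-to-be-deleted-after-end-of-term"]
        if d == "Deny":
            decision = "Deny"
    return decision, []

def arp_priority(policies, req):
    """ARPpriority combiner (assumed semantics: the applicable policy with the highest
    CombinerParameter value decides). policies is a list of (priority, evaluator)."""
    results = [(prio, f(req)) for prio, f in policies]
    applicable = [r for r in results if r[1][0] != "NotApplicable"]
    if not applicable:
        return "NotApplicable", []
    return max(applicable, key=lambda r: r[0])[1]
```

The condition's '.' wildcard is the point to check when reviewing such an ARP: a principal name like foo-bar is released just like foo.bar unless the value is escaped as foo\.bar.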
...
For errors or additional information, see "shib-error.log" after authenticating with Shibboleth.
...