
...

Apply the attached patch file 'shibPatch' (view and download it at the end of this page) to the Shibboleth 1.3.c source code to obtain the new Shibboleth class files.

...

Entry describing a group (stored under the subtree 'ou=groups'):

Code Block
dn: XACMLgroupName=testGroup,ou=groups,dc=example,dc=com
objectclass: XACMLgroup
XACMLgroupName: testGroup
XACMLmembers: user1
XACMLmembers: user2

Entry describing a policy, valid for the group above (stored under the subtree 'ou=sitearps,ou=policies'):

Code Block
dn: XACMLpolicyId=exampleArp,ou=sitearps,ou=policies,dc=example,dc=com
objectclass: XACMLpolicy
XACMLpolicyId: exampleArp
XACMLpolicy: <Policy>
  ...see Example ARP...
 </Policy>
XACMLgroupNames: testGroup
XACMLroles: defaultrole
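
Added example (not part of the page or of the shibPatch code): a Python sketch of the lookup these two entry types support, namely resolving which stored policies apply to an authenticated user. It parses constructed LDIF in the shape of the entries above (including LDIF line folding, where a continuation line starts with one space), collects the groups whose XACMLmembers list the user, selects the policies whose XACMLgroupNames intersect those groups and whose XACMLroles contain the requested role, and orders them by the ARPpriority CombinerParameter stored inside XACMLpolicy. The second group and policy, the 'admin' role, the cut-down policy bodies and the rule that a higher ARPpriority value wins are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed LDIF in the shape of the page's entries. A second group and policy are added
# so the priority ordering is visible; the policy bodies are cut down to the part the lookup
# needs (the ARPpriority CombinerParameter). The exampleArp value is folded over three lines.
LDIF = """\
dn: XACMLgroupName=testGroup,ou=groups,dc=example,dc=com
objectclass: XACMLgroup
XACMLgroupName: testGroup
XACMLmembers: user1
XACMLmembers: user2

dn: XACMLgroupName=staff,ou=groups,dc=example,dc=com
objectclass: XACMLgroup
XACMLgroupName: staff
XACMLmembers: user2

dn: XACMLpolicyId=exampleArp,ou=sitearps,ou=policies,dc=example,dc=com
objectclass: XACMLpolicy
XACMLpolicyId: exampleArp
XACMLpolicy: <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="exampleArp"><Combi
 nerParameters><CombinerParameter ParameterName="ARPpriority">100</CombinerParameter></Combi
 nerParameters></Policy>
XACMLgroupNames: testGroup
XACMLroles: defaultrole

dn: XACMLpolicyId=staffArp,ou=sitearps,ou=policies,dc=example,dc=com
objectclass: XACMLpolicy
XACMLpolicyId: staffArp
XACMLpolicy: <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="staffArp"><CombinerParameters><CombinerParameter ParameterName="ARPpriority">500</CombinerParameter></CombinerParameters></Policy>
XACMLgroupNames: staff
XACMLroles: defaultrole
XACMLroles: admin
"""

XACML_NS = "{urn:oasis:names:tc:xacml:1.0:policy}"


def parse_ldif(text):
    """Split LDIF into blank-line separated entries, unfold continuation lines (a leading
    space continues the previous line) and keep every attribute as a list of values:
    LDAP attribute names are case-insensitive and attributes may be multi-valued."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep or value.startswith(":"):   # base64 ('::') values are out of scope here
                raise ValueError("unsupported LDIF line: " + line)
            entry[name.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries


def groups_of(entries, user):
    """Groups (objectclass XACMLgroup) whose XACMLmembers list the authenticated user."""
    return {e["xacmlgroupname"][0] for e in entries
            if "XACMLgroup" in e.get("objectclass", []) and user in e.get("xacmlmembers", [])}


def arp_priority(policy_xml, default=0):
    """Read the ARPpriority CombinerParameter out of the stored policy.
    The page defines no default; 0 is an assumption of this example."""
    for p in ET.fromstring(policy_xml).iter(XACML_NS + "CombinerParameter"):
        if p.get("ParameterName") == "ARPpriority":
            return int(p.text.strip())
    return default


def applicable_policies(entries, user, role="defaultrole"):
    """Policy ids whose XACMLgroupNames intersect the user's groups and whose XACMLroles
    contain the requested role, highest ARPpriority first (that a larger value wins is an
    assumption; the page only says applicable policies are combined by priority)."""
    groups = groups_of(entries, user)
    hits = []
    for e in entries:
        if "XACMLpolicy" not in e.get("objectclass", []) or role not in e.get("xacmlroles", []):
            continue
        if groups.isdisjoint(e.get("xacmlgroupnames", [])):
            continue
        hits.append((arp_priority(e["xacmlpolicy"][0]), e["xacmlpolicyid"][0]))
    return [pid for _, pid in sorted(hits, key=lambda h: -h[0])]
```

Running `applicable_policies(parse_ldif(LDIF), "user2")` yields `['staffArp', 'exampleArp']`: user2 is in both groups, and staffArp's priority 500 sorts it ahead of exampleArp's 100; user1 gets only `['exampleArp']`, and an unknown user gets an empty list.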

Example ARP

Here is an example XACML ARP. For a description of what it does, see its 'Description' element.

Code Block
 <Policy
   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:context="urn:oasis:names:tc:xacml:1.0:context"
   xmlns:condition="urn:mace:dir:attribute-def"
   PolicyId="exampleArp"
   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
   <Description>
     Attribute to release: eduPersonNickname
     Condition: only release eduPersonNickname if eduPersonPrincipalName has the value foo.bar
     Purpose: authorization
     Action: read
     Target: SP1 or SP2 or SP3
     Obligation: delete data after end of term
     Combination:
     - ARPpriority: combines all applicable policies found, based on priority (parameter set in the 'CombinerParameter' element)
     - ordered-permit-overrides: combines the rules within this policy
     Role: defaultrole
   </Description>
   <PolicyDefaults>
     <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
   </PolicyDefaults>
   <!-- Priority used to order this policy against the other applicable policies -->
   <CombinerParameters>
     <CombinerParameter ParameterName="ARPpriority">100</CombinerParameter>
   </CombinerParameters>
   <!-- Keep every AttributeValue on one line: for the string data type, surrounding
        whitespace becomes part of the value that is compared -->
   <Target>
     <!-- Requesting service provider: SP1, SP2 or SP3 -->
     <Subjects>
       <Subject>
         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP1|SP2|SP3</AttributeValue>
           <SubjectAttributeDesignator
             DataType="http://www.w3.org/2001/XMLSchema#string"
             AttributeId="urn:oasis:names:tc:xacml:1.0:subject:service-provider"/>
         </SubjectMatch>
       </Subject>
     </Subjects>
     <!-- Requested attribute: eduPersonNickname. The standard identifier of anyURI-equal
          carries the 1.0 prefix, also in later XACML versions -->
     <Resources>
       <Resource>
         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:mace:dir:attribute-def:eduPersonNickname</AttributeValue>
           <ResourceAttributeDesignator
             DataType="http://www.w3.org/2001/XMLSchema#anyURI"
             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
         </ResourceMatch>
       </Resource>
     </Resources>
     <!-- Any action at policy level; Rule1 narrows it to read / authorization -->
     <Actions>
       <AnyAction/>
     </Actions>
   </Target>
   <Rule RuleId="Rule1" Effect="Permit">
     <Target>
       <Subjects>
         <AnySubject/>
       </Subjects>
       <Resources>
         <AnyResource/>
       </Resources>
       <Actions>
         <!-- Both matches inside one Action must hold: action-id = read AND purpose = authorization -->
         <Action>
           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
             <ActionAttributeDesignator
               DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
           </ActionMatch>
           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authorization</AttributeValue>
             <ActionAttributeDesignator
               DataType="http://www.w3.org/2001/XMLSchema#string"
               AttributeId="urn:oasis:names:tc:xacml:1.0:action:purpose"/>
           </ActionMatch>
         </Action>
       </Actions>
     </Target>
     <!-- any-of-any(f, bag1, bag2) is true if f(a, b) holds for some a in bag1 and some b in bag2;
          here f is regexp-string-match(pattern, eduPersonPrincipalName). The dot in the pattern
          is escaped so that only the literal value foo.bar matches, not e.g. fooXbar -->
     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
       <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo\.bar</AttributeValue>
       </Apply>
       <AttributeSelector
         RequestContextPath="//context:ResourceContent/condition:eduPersonPrincipalName/text()"
         DataType="http://www.w3.org/2001/XMLSchema#string"/>
     </Condition>
   </Rule>
   <!-- Nothing more to release: this rule has no Target, so it always applies; under
        ordered-permit-overrides a Permit from Rule1 still wins -->
   <Rule RuleId="releaseNothingMore" Effect="Deny"/>
   <Obligations>
     <Obligation ObligationId="data-has-to-be-deleted-after-end-of-term" FulfillOn="Permit">
       <AttributeAssignment AttributeId="resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:1.0:resource:resource-id</AttributeAssignment>
     </Obligation>
   </Obligations>
 </Policy>
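
Added example, not code from the page or from the patch: a minimal Python evaluator for this policy's shape, to make the Target, Rule, Condition and rule-combining semantics concrete. It holds a condensed copy of exampleArp (same elements, every value kept on one line), matches a request context against the policy Target, then against Rule1's Target and Condition, combines the rules with ordered-permit-overrides and returns the decision together with the obligations to fulfil. Assumptions made here: the layout of the request dictionary, that regexp-string-match matches the whole string (the XML Schema pattern semantics XACML 1.0 refers to), and that the AttributeSelector is resolved by the local name of the selected element rather than by an XPath engine; Indeterminate results are not modelled.

```python
import re
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:xacml:1.0:policy}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Condensed copy of the page's exampleArp (same elements; every AttributeValue kept on one
# line so no whitespace ends up in the compared value). Constructed for this example.
POLICY = r"""<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="exampleArp"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
 <Target>
  <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP1|SP2|SP3</AttributeValue>
   <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:service-provider"/>
  </SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:mace:dir:attribute-def:eduPersonNickname</AttributeValue>
   <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  </ResourceMatch></Resource></Resources><Actions><AnyAction/></Actions>
 </Target>
 <Rule RuleId="Rule1" Effect="Permit">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><Action>
   <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
   </ActionMatch>
   <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authorization</AttributeValue>
    <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:purpose"/>
   </ActionMatch>
  </Action></Actions></Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
   <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo\.bar</AttributeValue></Apply>
   <AttributeSelector DataType="http://www.w3.org/2001/XMLSchema#string" RequestContextPath="//context:ResourceContent/condition:eduPersonPrincipalName/text()"/>
  </Condition>
 </Rule><Rule RuleId="releaseNothingMore" Effect="Deny"/>
 <Obligations><Obligation ObligationId="data-has-to-be-deleted-after-end-of-term" FulfillOn="Permit"/></Obligations>
</Policy>"""

# XACML 1.0 takes its regexp syntax from XML Schema patterns, which match the whole string,
# hence fullmatch. (XACML 2.0 moved to the unanchored xf:matches; anchor patterns there.)
FUNCS = {
    FN + "string-equal": lambda a, b: a == b,
    FN + "anyURI-equal": lambda a, b: a == b,
    FN + "regexp-string-match": lambda rx, s: re.fullmatch(rx, s) is not None,
}
SECTIONS = (("Subjects", "AnySubject", "subject"), ("Resources", "AnyResource", "resource"), ("Actions", "AnyAction", "action"))

def match_holds(match, attrs):
    # A *Match holds if its function is true for any value in the designated attribute's bag.
    value, attr_id = match[0].text, match[1].get("AttributeId")  # AttributeValue precedes the designator
    return any(FUNCS[match.get("MatchId")](value, v) for v in attrs.get(attr_id, []))

def target_matches(target, req):
    # No Target: applies to everything. Sections AND-ed; Subject/Resource/Action children OR-ed; matches in a child AND-ed.
    if target is None:
        return True
    for section, any_tag, cat in SECTIONS:
        sec = target.find(NS + section)
        if sec.find(NS + any_tag) is None and not any(
                all(match_holds(m, req[cat]) for m in child) for child in sec):
            return False
    return True

def condition_holds(cond, req):
    # Only the ARP's shape: any-of-any(f, string-bag(literals), AttributeSelector). A real PDP evaluates
    # the XPath; this example indexes the resource content by the selected element's local name (assumption).
    if cond is None:
        return True
    if cond.get("FunctionId") != FN + "any-of-any":
        raise NotImplementedError(cond.get("FunctionId"))
    fn = FUNCS[cond.find(NS + "Function").get("FunctionId")]
    literals = [v.text for v in cond.find(NS + "Apply")]
    path = cond.find(NS + "AttributeSelector").get("RequestContextPath")
    selected = req["content"].get(path.split("/")[-2].split(":")[-1], [])
    return any(fn(a, b) for a in literals for b in selected)

def evaluate(policy_xml, req):
    # ordered-permit-overrides over the rules in document order (Indeterminate is not modelled).
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(NS + "Target"), req):
        return "NotApplicable", []
    decision = "NotApplicable"
    for rule in policy.findall(NS + "Rule"):
        if target_matches(rule.find(NS + "Target"), req) and condition_holds(rule.find(NS + "Condition"), req):
            decision = rule.get("Effect")
            if decision == "Permit":
                break  # a Permit overrides every Deny
    obligations = [o.get("ObligationId") for o in policy.iter(NS + "Obligation") if o.get("FulfillOn") == decision]
    return decision, obligations

def release_request(sp, attribute, action, purpose, eppn):
    # Request context in the shape the patched IdP would build (constructed for this example).
    return {"subject": {"urn:oasis:names:tc:xacml:1.0:subject:service-provider": [sp]},
            "resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": [attribute]},
            "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": [action],
                       "urn:oasis:names:tc:xacml:1.0:action:purpose": [purpose]},
            "content": {"eduPersonPrincipalName": [eppn]}}

NICK = "urn:mace:dir:attribute-def:eduPersonNickname"
```

`evaluate(POLICY, release_request("SP2", NICK, "read", "authorization", "foo.bar"))` returns `('Permit', ['data-has-to-be-deleted-after-end-of-term'])`. With eduPersonPrincipalName `fooXbar` the condition fails and the target-less `releaseNothingMore` rule produces Deny; the same happens for action `write`. A request from `SP10` or for another attribute misses the policy Target and is NotApplicable, so a PDP would fall through to the other policies selected by ARPpriority.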

...

For errors and further diagnostic output, check "shib-error.log" after authenticating through Shibboleth.

...